OpenSSL's versions aren't being normalized very well, by the Go code or the Python code (unsurprising, given they're supposed to behave the same):
OpenSSL_1_1_1w winds up getting normalized to 1-1-1 and when there's OpenSSL_1_1_1a to OpenSSL_1_1_1w (as well as OpenSSL_1_1_1) they're all overwriting each other during normalization and the last one wins.
Originally posted by @andrewpollock in https://github.com/google/osv.dev/issues/1984#issuecomment-2063036937
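The collision described in the comment above, reproduced as an added example; this is not osv.dev's code. Both normalizers, the helper names and the tag list are hypothetical, chosen only so the lossy one yields the `1-1-1` result quoted in the issue, and the alternative covers just the OpenSSL-style trailing letter.

```python
import re
from collections import defaultdict

# Constructed sample: a few tags from the range named in the issue.
TAGS = ["OpenSSL_1_1_1", "OpenSSL_1_1_1a", "OpenSSL_1_1_1v", "OpenSSL_1_1_1w"]


def lossy_normalize(tag):
    """Hypothetical normalizer: keeps only digit runs, so the letter is lost."""
    return "-".join(re.findall(r"\d+", tag))


def suffix_preserving_normalize(tag):
    """Hypothetical alternative: keep a trailing lowercase letter suffix."""
    m = re.search(r"(\d+(?:[._-]\d+)*)([a-z]*)$", tag)
    if m is None:
        return tag.lower()
    return re.sub(r"[._-]", "-", m.group(1)) + m.group(2)


def build_index(tags, normalize):
    """Plain dict assignment: a later tag silently replaces an earlier one."""
    index = {}
    for tag in tags:
        index[normalize(tag)] = tag
    return index


def find_collisions(tags, normalize):
    """Group tags by normalized key; return only keys shared by several tags."""
    groups = defaultdict(list)
    for tag in tags:
        groups[normalize(tag)].append(tag)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for fn in (lossy_normalize, suffix_preserving_normalize):
        print(fn.__name__)
        print("  index:     ", build_index(TAGS, fn))
        print("  collisions:", find_collisions(TAGS, fn))
```

Running a check like `find_collisions` over a repository's full tag list before building the lookup map makes this class of overwrite visible instead of silent.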