Currently, for our cve-osv source, detect_cherrypicks is off. This means that when we enumerate affected git commits, we are only considering the branches that contain the referenced fix commits.
This occasionally leads to missed matches.
We should evaluate turning on cherrypick detection for cve-osv. This has some implications:

- This will slow down record processing time.
- Cherrypick detection is not perfect, which can lead to false positives if we don't correctly identify all cherrypicked fixes.
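As an added illustration (not osv.dev's own code), here is a simplified model of the two enumeration modes on a constructed three-branch repository: one branch has the real fix, one a clean cherry-pick, one a conflict-resolved backport whose diff no longer matches. The commit names, branch names and the patch-id matching rule are assumptions.

```python
from collections import deque

# Constructed commit graph (commit -> parents). main carries the real fix;
# release/1.x carries a clean cherry-pick; release/0.x carries a backport
# whose conflict resolution changed the diff.
PARENTS = {
    "A": [], "B": ["A"], "C": ["B"], "FIX": ["C"], "D": ["FIX"],
    "R1": ["B"], "R2": ["R1"], "FIX_CP": ["R2"], "R3": ["FIX_CP"],
    "Q1": ["B"], "FIX_BP": ["Q1"], "Q2": ["FIX_BP"],
}
BRANCHES = {"main": "D", "release/1.x": "R3", "release/0.x": "Q2"}
# Constructed stand-in for `git patch-id`: the clean cherry-pick has the
# same id as the original fix, the altered backport does not.
PATCH_ID = {c: c for c in PARENTS}
PATCH_ID["FIX_CP"] = "FIX"
INTRODUCED = "B"  # commit that introduced the bug, present on all branches


def ancestors(commit):
    """Commits reachable from `commit` via parent links, including itself."""
    seen, todo = set(), deque([commit])
    while todo:
        c = todo.popleft()
        if c not in seen:
            seen.add(c)
            todo.extend(PARENTS[c])
    return seen


def affected_commits(fix, detect_cherrypicks):
    """Commits that contain INTRODUCED but no recognised fix.

    Off: only branches containing `fix` itself are walked, so a branch fixed
    by cherry-pick is skipped and its vulnerable commits are missed.
    On: every branch is walked and any commit with the fix's patch id counts
    as a fix; a backport the heuristic fails to recognise leaves that
    branch's later commits reported as affected (false positives).
    """
    fix_ids = {fix}
    if detect_cherrypicks:
        fix_ids |= {c for c in PARENTS if PATCH_ID[c] == PATCH_ID[fix]}
    affected = set()
    for tip in BRANCHES.values():
        branch = ancestors(tip)
        if not detect_cherrypicks and fix not in branch:
            continue  # branch lacks the referenced fix commit: not considered
        for c in branch:
            history = ancestors(c)
            if INTRODUCED in history and not fix_ids & history:
                affected.add(c)
    return affected
```

With detection off the release branches are skipped entirely; with it on, R1 and R2 are correctly picked up while FIX_BP and Q2 are reported even though the backport fixed them.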
Related issues: https://github.com/google/osv.dev/issues/2576#issuecomment-2336875125 https://github.com/google/osv.dev/issues/1910#issuecomment-1885825603