google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0
1.54k stars 188 forks

API & databases seem to have lost a lot of OSVs #451

Closed G-Rath closed 2 years ago

G-Rath commented 2 years ago

I'm hoping you're already aware, but it seems like osv.dev is having some data issues:

❯ osv-detector-t --cache-all-databases
  Loading OSV databases for the following ecosystems:
    npm (0 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:53:22 GMT)
    crates.io (394 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:59:03 GMT)
    RubyGems (0 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:53:21 GMT)
    Packagist (1 vulnerability, including withdrawn - last updated Thu, 09 Jun 2022 01:59:04 GMT)
    Go (156 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:59:04 GMT)
    Maven (3 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:59:05 GMT)
    PyPI (2070 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:54:28 GMT)
❯ osv-detector-t --use-api .
Gemfile.lock: found 230 packages
  Loading OSV databases for the following ecosystems:
    RubyGems (0 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:53:21 GMT)

  no known vulnerabilities found

yarn.lock: found 1164 packages
  Loading OSV databases for the following ecosystems:
    npm (0 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:53:22 GMT)

  no known vulnerabilities found

While I'm demonstrating with osv-detector, the vulnerability library on osv.dev and api are affected too, though the counts on the site are unaffected (I'm assuming they're cached or precomputed, which is good for showing something is wrong):

[image attachment]

I was using it fine this morning.
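A sanity check for the failure mode in this report, added here as an example that is not part of the issue or of the osv.dev project: it parses the per-ecosystem lines osv-detector prints, compares them with a stored baseline, and flags ecosystems whose count is zero, missing, or sharply lower, so a CI wrapper can refuse to trust a "no known vulnerabilities found" result from a hollowed-out database. The baseline numbers and the 50% drop threshold are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Per-ecosystem line format printed by osv-detector: "<eco> (<n> vulnerabilities, including withdrawn - last updated ...)"
ECOSYSTEM_LINE = re.compile(
    r"^\s*(?P<eco>\S+) \((?P<count>\d+) vulnerabilit(?:y|ies), including withdrawn"
)

# Constructed baseline: counts recorded on a known-good day (made-up numbers, not real OSV totals).
BASELINE: Dict[str, int] = {
    "npm": 1800, "crates.io": 400, "RubyGems": 600, "Packagist": 900,
    "Go": 160, "Maven": 1500, "PyPI": 2100,
}

# Constructed sample input: the osv-detector output quoted in the report above.
SAMPLE_OUTPUT = """\
    npm (0 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:53:22 GMT)
    crates.io (394 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:59:03 GMT)
    RubyGems (0 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:53:21 GMT)
    Packagist (1 vulnerability, including withdrawn - last updated Thu, 09 Jun 2022 01:59:04 GMT)
    Go (156 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:59:04 GMT)
    Maven (3 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:59:05 GMT)
    PyPI (2070 vulnerabilities, including withdrawn - last updated Thu, 09 Jun 2022 01:54:28 GMT)
"""

def parse_counts(output: str) -> Dict[str, int]:
    """Extract {ecosystem: advisory count} from osv-detector's database listing."""
    counts: Dict[str, int] = {}
    for line in output.splitlines():
        match = ECOSYSTEM_LINE.match(line)
        if match:
            counts[match.group("eco")] = int(match.group("count"))
    return counts

def suspicious_ecosystems(counts: Dict[str, int], baseline: Dict[str, int],
                          max_drop: float = 0.5) -> List[Tuple[str, str]]:
    """Flag ecosystems that vanished, report zero advisories, or lost more than
    max_drop (fraction) of their baseline count. Sorted by ecosystem name."""
    flagged: List[Tuple[str, str]] = []
    for eco, base in baseline.items():
        now = counts.get(eco)
        if now is None:
            flagged.append((eco, "missing from output"))
        elif now == 0 or (base > 0 and (base - now) / base > max_drop):
            flagged.append((eco, f"{now} advisories vs baseline {base}"))
    return sorted(flagged)

def database_looks_healthy(output: str, baseline: Dict[str, int] = BASELINE) -> bool:
    """True only when nothing is flagged; a CI wrapper would fail the build otherwise."""
    return not suspicious_ecosystems(parse_counts(output), baseline)
```

On the output quoted in this report the check flags npm, RubyGems, Packagist and Maven, while crates.io, Go and PyPI stay within the threshold.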

oliverchang commented 2 years ago

Yep, this is an issue with the GitHub advisory repo. The automation cron seems to repeatedly delete entries at https://github.com/github/advisory-database/tree/main/advisories/github-reviewed/2022.

I've already raised this issue with them.

oliverchang commented 2 years ago

In the meantime I've forked the repo and reset it to its last known good state and pointed OSV to that. These should start coming back shortly.

oliverchang commented 2 years ago

The issues seem to be resolved. I've re-linked OSV with the actual GitHub repo.