google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0
1.5k stars 186 forks

Provide the SEMVER "Affected ranges" in addition to the GIT "Affected ranges" #472

Open VinodAnandan opened 2 years ago

VinodAnandan commented 2 years ago

https://osv.dev/vulnerability/GSD-2021-1000677

The "Affected versions" and the GIT "Affected ranges" range values are available. But providing the SEMVER "Affected ranges" too will help with the enhanced affected component mapping.

oliverchang commented 2 years ago

This is technically feasible: we'd just need to correlate the introduced/fixed/limit git hashes to the closest git tags and add the additional ranges.

andrewpollock commented 2 months ago

For https://api.osv.dev/v1/vulns/GSD-2021-1000677

```json
"ranges": [
  {
    "type": "GIT",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/",
    "events": [
      {
        "introduced": "a7d42ddb3099727f58366fa006f850a219cce6c8"
      },
      {
        "limit": "c757c1f1e65d89429db1409429436cf40d47c008"
      }
    ]
  }
],
```

also include a

```json
{
  "type": "SEMVER",
  "events": [
    {
      "introduced": "3.19-rc6"
    },
    {
      "limit": "4.14.234"
    }
  ]
}
```

For the Kernel, this might be difficult if the tag isn't valid SEMVER...
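An added example (not code from the osv.dev project) of the hash-to-tag correlation described above, with the SemVer check that the kernel caveat calls for. The commit-to-tag mapping is constructed here to stand in for a real nearest-tag lookup, and stripping a leading `v` from kernel tags is an assumption; a range whose tags are not all valid SemVer is withheld rather than partially emitted, since a partial range would change which versions count as affected.

```python
import re

# SemVer 2.0.0 grammar (regex published at semver.org): decides whether a tag
# can legitimately appear in a SEMVER range at all.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)

# Constructed stand-in for a "closest git tag" lookup; the hashes are the
# ones from the GSD-2021-1000677 record, the tags follow kernel naming.
COMMIT_TO_TAG = {
    "a7d42ddb3099727f58366fa006f850a219cce6c8": "v3.19-rc6",
    "c757c1f1e65d89429db1409429436cf40d47c008": "v4.14.234",
}

GIT_RANGE = {
    "type": "GIT",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/",
    "events": [
        {"introduced": "a7d42ddb3099727f58366fa006f850a219cce6c8"},
        {"limit": "c757c1f1e65d89429db1409429436cf40d47c008"},
    ],
}


def tag_to_version(tag):
    """Drop a leading 'v' (assumed kernel convention); return the version
    string if it is valid SemVer, otherwise None."""
    version = tag[1:] if tag.startswith("v") else tag
    return version if SEMVER_RE.match(version) else None


def derive_semver_range(git_range, commit_to_tag):
    """Map each GIT event's commit to its tag and build the SEMVER range.
    Returns (range_or_None, rejected_tags): any tag that is not valid SemVer
    (or a commit with no tag) rejects the whole range."""
    events, rejected = [], []
    for event in git_range["events"]:
        (kind, commit), = event.items()
        tag = commit_to_tag.get(commit, commit)  # fall back to the bare hash
        version = tag_to_version(tag)
        if version is None:
            rejected.append(tag)
        else:
            events.append({kind: version})
    if rejected:
        return None, rejected
    return {"type": "SEMVER", "events": events}, rejected
```

Run against the issue's own hashes the range is withheld because `v3.19-rc6` has no patch component, which is exactly the kernel-tag problem raised above.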

github-actions[bot] commented 3 weeks ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks.

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.