Status: Closed (oliverchang closed this issue 4 months ago)
The second case is definitely true. `convert_ghsa.py` in ossf/osv-schema doesn't support `last_affected`.
From tools/ghsa/convert_ghsa.py:

```python
if ghsa_range.upper:
  if ghsa_range.upper.operator == '<=':
    if first_patched:
      current_events.append({'fixed': first_patched})
    # OSV ranges only allow < and not <=. If there is no patch, then all
    # versions from beginning of time are affected.
```
I will create a PR on that repo with a fix.
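To make the mapping concrete, here is an added example (not the osv-schema project's own code) that converts a GHSA range such as `>= 1.1.5, <= 1.1.7` into OSV events both the way the quoted logic does it and with `<=` mapped to `last_affected`, then evaluates a version against the result. `parse_ghsa_range`, `is_affected`, the `handle_le` switch and the dotted-numeric version comparison are assumptions made for this example.

```python
import re
# One GHSA range clause such as '>= 1.1.5' or '<= 1.1.7'.
_CLAUSE_RE = re.compile(r'^\s*(>=|<=|<|=)\s*([^\s,]+)\s*$')

def parse_ghsa_range(text):
    """Parse '>= 1.1.5, <= 1.1.7' into {'>=': '1.1.5', '<=': '1.1.7'} (assumed helper)."""
    clauses = {}
    for part in text.split(','):
        m = _CLAUSE_RE.match(part)
        if not m:
            raise ValueError(f'unsupported GHSA clause: {part!r}')
        clauses[m.group(1)] = m.group(2)
    return clauses

def ghsa_to_osv_events(text, first_patched=None, handle_le=True):
    """Build the OSV 'events' list for one GHSA range.

    handle_le=False mirrors the quoted convert_ghsa.py logic: a '<=' bound is
    only emitted (as 'fixed') when first_patched is known, else it is dropped.
    handle_le=True maps '<=' to OSV's 'last_affected' event instead.
    """
    clauses = parse_ghsa_range(text)
    if '=' in clauses:  # exactly one affected version
        return [{'introduced': clauses['=']}, {'last_affected': clauses['=']}]
    events = [{'introduced': clauses.get('>=', '0')}]  # OSV ranges start with 'introduced'
    if '<' in clauses:
        events.append({'fixed': clauses['<']})
    elif '<=' in clauses:
        if first_patched:
            events.append({'fixed': first_patched})
        elif handle_le:
            events.append({'last_affected': clauses['<=']})
    return events

def _key(version):
    """Dotted numeric versions only ('1.1.7'); an assumption for this example."""
    return tuple(int(p) for p in version.split('.'))

def is_affected(events, version):
    """Evaluate one version against OSV events (events assumed sorted by version)."""
    k, affected = _key(version), False
    for ev in events:
        if 'introduced' in ev and k >= _key(ev['introduced']):
            affected = True
        elif 'fixed' in ev and k >= _key(ev['fixed']):
            affected = False
        elif 'last_affected' in ev and k > _key(ev['last_affected']):
            affected = False
    return affected
```

With `handle_le=False` the `>= 1.1.5, <= 1.1.7` range loses its upper bound, so a version such as 1.1.8 is still reported as affected; with the `last_affected` mapping it is not.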
https://github.com/ossf/malicious-packages/blob/cb2451689cd5b89457d1e135c8bfe538d8252dc0/osv/malicious/npm/%40ledgerhq/connect-kit/MAL-2023-8697.json#L9 doesn't seem to have updated to reflect the new ranges on https://github.com/advisories/GHSA-g9hp-hq3h-h6hx, which now constrains the range to >= 1.1.5, <= 1.1.7.
It seems like either (or both):
`last_affected` conversions.