ossf / malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Apache License 2.0

details formatting is incorrect and malformed #579

Open lukehinds opened 3 months ago

lukehinds commented 3 months ago

Taking a look at the following https://osv.dev/vulnerability/MAL-2024-7462

Extra text has been added which was not in the original report. Some of this seems to be markdown `##`; there is also a source added 'ghsa-malware' along with some generic text and `-= Per source details. Do not edit below this line.=-`

This makes it difficult for us to use the details section of the payload, without getting into some sort of regex to clean things up.

Our current pattern of reporting is to submit to OSV.dev and then render the details section on our own API:


Other packages we have added, do not have the source delimiter https://osv.dev/vulnerability/MAL-2024-1199

oliverchang commented 1 month ago

Sorry for dropping the ball on this! @calebbrown can you help with answering this?

calebbrown commented 1 month ago

Hi Luke,

This behavior is intentional. The Malicious Packages repository aggregates reports from multiple sources, so it has to account for the possibility that multiple sources include a report.

Any content below the `-= Per source details. Do not edit below this line.=-` marker is managed by the automation in the repository when "source" data is present (this is separate from the credits part of OSV).

For reports contributed by users in PRs, etc without "source" data the content above the marker is preserved.

A regexp is a reasonable approach for cleaning it up, but I'm happy to consider alternative approaches to the aggregation problem too.
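As an added example (not code from the malicious-packages repository or from either commenter), the following Python helper implements the regexp approach discussed above: it splits an OSV record's `details` string at the per-source marker, keeps only the human-written part, and still works for records that carry no marker. The sample record is constructed and is not a real MAL-* entry.

```python
import json
import re
from typing import Optional, Tuple

# Marker written by the repository automation (quoted in the thread above).
# Anchored to a whole line so it cannot match inside ordinary prose; extra
# spaces or tabs around the marker are tolerated.
MARKER_RE = re.compile(
    r"^[ \t]*-=[ \t]*Per source details\.[ \t]*Do not edit below this line\.[ \t]*=-[ \t]*$",
    re.MULTILINE,
)


def split_details(details: str) -> Tuple[str, Optional[str]]:
    """Split a ``details`` string into (user_written, per_source).

    ``per_source`` is None when no marker is present, as for reports that
    were contributed without "source" data.
    """
    parts = MARKER_RE.split(details, maxsplit=1)
    user_text = parts[0].strip()
    per_source = parts[1].strip() if len(parts) == 2 else None
    return user_text, per_source


def clean_osv_details(record_json: str) -> str:
    """Return only the human-written portion of an OSV record's details."""
    record = json.loads(record_json)
    user_text, _ = split_details(record.get("details", ""))
    return user_text


# Constructed sample: a user-written summary followed by automation-managed
# per-source text (placeholder content, not a real advisory).
SAMPLE_RECORD = json.dumps({
    "id": "MAL-0000-0000",
    "details": (
        "The package runs an unexpected install hook.\n\n"
        "-= Per source details. Do not edit below this line.=-\n\n"
        "## Source: ghsa-malware (placeholder)\n"
        "Generic per-source description."
    ),
})

if __name__ == "__main__":
    print(clean_osv_details(SAMPLE_RECORD))
```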