A few of the Debian advisories which get parsed end up with a nonsensical <not-affected> fixed version in the affected range, e.g.
https://osv.dev/vulnerability/DSA-226
https://osv.dev/vulnerability/DSA-177
This seems to happen when a version of a distribution is, well, not affected but still seems to issue an advisory for it to explicitly state it is safe. These are all for very old distributions though.
But perhaps some validation for the versions which end up in ranges and affected versions could be added? I'm not sure if it is strictly enforced but Debian does have a specification on how versions should be structured:
https://www.debian.org/doc/debian-policy/ch-controlfields.html#version
Furthermore, some of the source links do not resolve; they return a NoSuchKey error. That is the case for the two DSAs linked above, but I haven't looked into others.
Both end up in the data dumps though.
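
One way to implement the validation suggested in the report above, as an added example that is not part of the original issue or of osv.dev's own code. It checks every version in an OSV-style record against the `[epoch:]upstream_version[-debian_revision]` syntax from the linked Debian Policy section; the function names and the sample record are constructed for illustration, and only the policy's "must" rules on allowed characters are enforced.

```python
import re

# Debian Policy: [epoch:]upstream_version[-debian_revision]
EPOCH = re.compile(r"[0-9]+")
# ':' and '-' only reach the upstream check when an epoch / revision was split off
UPSTREAM = re.compile(r"[A-Za-z0-9.+~:-]+")
REVISION = re.compile(r"[A-Za-z0-9.+~]+")

def is_debian_version(value):
    """True if value uses only the syntax Debian Policy allows for a version."""
    if not isinstance(value, str) or not value:
        return False
    if ":" in value:
        epoch, value = value.split(":", 1)
        if not EPOCH.fullmatch(epoch):
            return False
    upstream = value
    if "-" in value:
        upstream, revision = value.rsplit("-", 1)
        if not REVISION.fullmatch(revision):
            return False
    return bool(UPSTREAM.fullmatch(upstream))

def find_invalid_versions(record):
    """Return (package, field, value) for each malformed version in a record."""
    bad = []
    for affected in record.get("affected", []):
        pkg = affected.get("package", {}).get("name", "?")
        for version in affected.get("versions", []):
            if not is_debian_version(version):
                bad.append((pkg, "versions", version))
        for rng in affected.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            for event in rng.get("events", []):
                for key in ("introduced", "fixed", "last_affected"):
                    if key in event and not is_debian_version(event[key]):
                        bad.append((pkg, key, event[key]))
    return bad

# Constructed sample record (not real advisory data).
SAMPLE_RECORD = {"id": "EXAMPLE-0001", "affected": [
    {"package": {"ecosystem": "Debian:3.0", "name": "examplepkg"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "<not-affected>"}]}]},
    {"package": {"ecosystem": "Debian:10", "name": "examplepkg"},
     "versions": ["1:2.4.0-1"],
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "1:2.4.1-3+deb10u1"}]}]}]}

if __name__ == "__main__":
    for finding in find_invalid_versions(SAMPLE_RECORD):
        print("invalid version:", finding)
```

Run against a data dump, a check like this flags placeholder strings before they are published as a `fixed` event that downstream version comparison cannot interpret.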