oliverchang
commented
8 months ago Thanks for the question!
limit came about due to feedback from some of our data providers. For instance, the https://github.com/cloudsecurityalliance/gsd-database folks wanted to issue separate OSV entries for each affected branch of a particular Linux vulnerability.
More generally, I do agree we should encourage more use of fixed. The challenge here comes from the fact that while false negatives are bad, users of vulnerability scanners are already grappling with floods of potential false positives in their reports for various reasons, and we don't want to make that particular problem worse either.
zacchiro
Hello, the semantics of limit events in the spec is very clear, but the logic behind it, and hence how to use it correctly in the real world, way less so. I haven't found it documented anywhere, so I'm asking here in the hope the answer will be useful to others as well.
Consider the canonical example in the specification, where
limitis used instead offixedin the following git history:A security bug is introduced in commit X and resolved in commit Y. How could it be possible that commits D, E, and F (letting cherry picks aside) are not vulnerable? Any change made in those commits might also fix the vulnerability as a side effect, but the most common case I can imagine in the real world is that those commits are vulnerable.
Encouraging the use of
limitoverfixedfor git range optimizes for the least plausible case, making spec implementations return false negatives, which seems undesirable (because dangerous).For what is worth, this is not marginal in the OSV.dev data: more than half of git ranges there use
limitevents instead offixed. Should they befixedinstead (aside from a few marginal cases), and should the spec strongly encourage favoringfixedoverlimit?Thanks for this great project!