pypa / advisory-database

Advisory database for Python packages published on pypi.org
Creative Commons Attribution 4.0 International

Question regarding PYSEC-2024-71 fix #191

Closed MindaugasBernatavicius closed 3 weeks ago

MindaugasBernatavicius commented 3 weeks ago

The vulnerability marked as PYSEC-2024-71 seems to be solved: https://github.com/advisories/GHSA-hxwh-jpp2-84pm. However, https://osv.dev/vulnerability/PYSEC-2024-71 marks v5.0 as vulnerable as well. They said they are downstream from you guys in this comment: https://github.com/google/osv.dev/issues/2568.

Question: what is your upstream for this vuln (not asking about NIST NVD, but beyond that)? What is the source of truth to submit the update that this has been fixed? Is it the original bug report: https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d?

P.S. This affects environments tracking "time to resolution" via pip-audit for regulatory purposes, so I'm willing to submit a PR either here or whichever upstream needs to be informed.

sethmlarson commented 3 weeks ago

@MindaugasBernatavicius Thanks for the question. We pull from the NVD dataset but don't automatically update if more information is added to those records; perhaps the initial record didn't have the fixed version, and that's why our record is "out of date". If you could submit a pull request fixing the issue, I can review it; ping me on the PR.

We use some OSV tooling to sift through NVD for Python projects, maybe that tooling has improved to be able to automatically update records? I haven't been following OSV tooling very closely lately.

If that answers your question I can close this issue.
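The failure mode described in this thread (an advisory record whose affected range was opened but never closed with the fixed release, so every later version, including v5.0, is still flagged) can be reproduced against an OSV-style record. The following is an added illustration, not code from the advisory-database project or from the thread; the record, its id and package name are constructed placeholders rather than the real PYSEC-2024-71 data, and the version comparison is a simplified dotted-integer compare (an assumption; real tooling compares PEP 440 versions with the `packaging` library).

```python
import copy

def parse_version(v):
    # Assumption: plain dotted integers ("5.0", "4.2.1"); OSV uses "0" for "from the first release".
    # Real tooling compares PEP 440 versions with the `packaging` library instead.
    return tuple(int(p) for p in v.split("."))

def is_affected(record, version):
    """OSV ECOSYSTEM range semantics: `introduced` opens an affected interval,
    `fixed` closes it exclusively, `last_affected` closes it inclusively; an
    interval with no closing event covers every later release (the stale-record case)."""
    target = parse_version(version)
    for affected in record.get("affected", []):
        for rng in affected.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            start = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    start = parse_version(ev["introduced"])
                elif start is not None and "fixed" in ev:
                    if start <= target < parse_version(ev["fixed"]):
                        return True
                    start = None
                elif start is not None and "last_affected" in ev:
                    if start <= target <= parse_version(ev["last_affected"]):
                        return True
                    start = None
            if start is not None and target >= start:
                return True  # open interval: no fix was ever recorded
    return False

# Constructed record with placeholder id and package name (not the real PYSEC-2024-71 data):
# the range was opened at "0" but the fixed release was never added.
STALE_RECORD = {
    "id": "PYSEC-EXAMPLE-0000",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "example-package"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
    }],
}

def with_fix(record, fixed_version):
    """Copy the record and close each still-open ECOSYSTEM range with a `fixed` event."""
    updated = copy.deepcopy(record)
    for affected in updated["affected"]:
        for rng in affected["ranges"]:
            if rng["type"] == "ECOSYSTEM" and "introduced" in rng["events"][-1]:
                rng["events"].append({"fixed": fixed_version})
    return updated
```

`is_affected(STALE_RECORD, "5.0")` returns True because the interval is never closed; after `with_fix(STALE_RECORD, "5.0")` the same query returns False while releases before 5.0 stay flagged.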

MindaugasBernatavicius commented 3 weeks ago

Sure, this can be closed. If the PR is incorrect we might want to discuss it there.