Describe the bug
https://osv.dev/vulnerability/MAL-2023-8369 is an example of a SEMVER affected version range in PyPI, which is not a SemVer version.
To Reproduce
Try to query the telethon2 package with any version and it will not return that advisory.
Expected behaviour
The advisory to be returned.
Additional context
For malicious packages specifically, they generally get removed from the repositories, so we can't enumerate versions. We need some sort of wildcard version that matches all versions, for non-semver ecosystems.
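As an added illustration of the mismatch described in the report (example code, not OSV.dev's own matcher): a minimal affected-range check that shows why a SEMVER-typed range can never match a non-SemVer PyPI version, and how an ECOSYSTEM range whose only event is `introduced: "0"` acts as the "matches all versions" wildcard. The ECOSYSTEM comparator below is a simplified assumption for the demo, not a PEP 440 implementation.

```python
import re

# SemVer 2.0.0 shape: three numeric components, optional pre-release and build.
_SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def is_semver(version: str) -> bool:
    return _SEMVER_RE.match(version) is not None


def _semver_key(version: str):
    core = version.split("+")[0].split("-")[0]
    return tuple(int(x) for x in core.split("."))


def _ecosystem_key(version: str):
    # Assumption: simplified ordering over dotted numeric components.
    # A real matcher would use the ecosystem's own comparator (PEP 440 for PyPI).
    parts = re.split(r"[.\-+]", version)
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def affected(range_: dict, version: str) -> bool:
    """True if `version` lies inside an OSV-style affected range (events in order)."""
    if range_["type"] == "SEMVER":
        # A SEMVER range is only defined over SemVer versions; a PyPI version
        # such as "1.2" or "1.2.post1" cannot be compared, so the advisory is
        # silently skipped. This is the behaviour the report describes.
        if not is_semver(version):
            return False
        key = _semver_key
    elif range_["type"] == "ECOSYSTEM":
        key = _ecosystem_key
    else:
        return False
    hit = False
    for event in range_["events"]:
        if "introduced" in event:
            # "0" is the OSV sentinel for "from the very first version".
            hit = event["introduced"] == "0" or key(version) >= key(event["introduced"])
        elif "fixed" in event and key(version) >= key(event["fixed"]):
            hit = False
    return hit


# Constructed samples (the real MAL-2023-8369 range data is not reproduced here).
SEMVER_WILDCARD = {"type": "SEMVER", "events": [{"introduced": "0"}]}
ECOSYSTEM_WILDCARD = {"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}
```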
We had shades of this problem recently with the Bitnami ecosystem in bitnami/vulndb#336, because it's also essentially an "aggregator" from multiple ecosystems with disparate versioning schemes. If I recall correctly, they managed to successfully converge on SEMVER for all of their versioning.
Once #2401 is complete, this ecosystem could presumably just express ranges as ECOSYSTEM where necessary/appropriate and they wouldn't need to be coerced to SEMVER at import time?
oliverchang added the backlog label (Important but currently unprioritized) and removed the stale label (The issue or PR is stale and pending automated closure) on Oct 1, 2024.