Affected methods by a vulnerability

[NordCoderd]

Hello,

For many reasons, managing and resolving problems with projects that use vulnerable packages can be tricky. As a developer who consumes data about vulnerable packages, I wanted to know more about how the vulnerability could affect my project.
One of the metrics that could help me determine how it could affect me is knowing what vulnerable (affected) methods from the open-source library are used in my project directly or through transitive.

It would be nice to have information about the location of vulnerable (affected) methods in open-source libraries in normalized format. With that information, we could check the reachability of vulnerabilities in the project and prioritize issues by using it in projects.

I didn't find the same information in open-source, and it is probably the best place to request a feature or get some information on how we could achieve it.

[oliverchang]

Hi there,

We've found that this information is typically very ecosystem-specific, and so we've deferred the encoding of this to ecosystem_specific to be defined by every ecosystem. See e.g. https://osv.dev/vulnerability/GO-2024-2961.

Today, I believe Go is the only ecosystem where this information is provided comprehensively across the vuln DB.