Range is missing its upper bound even though it's defined in GHSA

[nscuro]

I came across the guava vulnerability GHSA-5mg8-w23w-74h3 (https://osv.dev/vulnerability/GHSA-5mg8-w23w-74h3) for which GHSA declares the affected version range as <= 29.0.

In OSV, this is represented as:

"ranges": [
    {
        "type": "ECOSYSTEM",
        "events": [
            {
                "introduced": "0"
            }
        ]
    }
],
"database_specific": {
    "last_known_affected_version_range": "<= 29.0"
}

Given the constraint <= 29.0, I would've expected the following:

"ranges": [
    {
        "type": "ECOSYSTEM",
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "29.0"
            }
        ]
    }
]

The range currently advertised by OSV will raise lots of false positives, considering the latest guava version is 31.1.

[oliverchang]

Thanks for filing this! Could you please raise this issue in https://github.com/github/advisory-database ? We are getting the GHSA OSV entry from there and they currently do not yet support last_affected.

[nscuro]

@oliverchang Thanks for the pointer, I'll raise an issue in the GHSA repo later today. 👌🏻