
Incorrect data #567

Closed
donchkat opened this issue Aug 1, 2022 · 6 comments

Comments


donchkat commented Aug 1, 2022

Found some incorrect data that was raising some questions and doubts about my script; I would appreciate it if you could check it out:

1. CVE-2022-2495: Why is the package microweber/microweber listed in the PyPI ecosystem? To my understanding it has nothing to do with PyPI.

[Screenshot omitted]

2. CVE-2019-9423: It looks like the 'last known affected version' value is much lower and older than the affected range; the affected range ends at 4.6.0.66 while the 'last known affected version' is 4.1.1.26.

[Screenshot omitted]

Thank you.

donchkat changed the title from "Incorrect datat" to "Incorrect data" on Aug 1, 2022
oliverchang (Collaborator) commented

Thanks for filing this issue @donchkat!

Re 1. We take this from GitHub's security advisory database at https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-xg72-6c83-ghh4/GHSA-xg72-6c83-ghh4.json. Would you mind filing an issue there (or creating a PR?)

Re 2. https://github.com/advisories/GHSA-8849-5h85-98qw, this is intentional -- last_known_affected_version_range is more of a hint here. There is no known patch for this issue, so all subsequent versions are assumed to be affected.

donchkat commented Aug 2, 2022

Thanks for the quick answer.

Re 1. I opened an issue here
Re 2. In that case, shouldn't this field be updated according to the last known affected version that is available? Because now there are versions that were released after 4.1.1.26 and they don't belong to the range, even though there is no fix, so they are also assumed to be affected (4.4., 4.5...). Hope I got it right, but because of the name of this field it just doesn't feel right to have a smaller range than it really is - <=4.6.0.66.

oliverchang (Collaborator) commented

Thanks re 1. !

Re 2., there is an open issue on GitHub's side: github/advisory-database#470 to make use of an official OSV field to encode such cases. Please feel free to bump that issue :)
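The two replies above turn on how an OSV consumer should read a range with no `fixed` event versus the GHSA-specific `last_known_affected_version_range` hint. The following is an added example, not code from osv.dev or the GHSA database: it evaluates an OSV-style `affected[].ranges[].events` list under the OSV rules (`introduced` opens a window, `fixed` closes it exclusively, `last_affected` closes it inclusively, an unclosed window is open-ended), ignores `database_specific` for matching, and shows how adding an official `last_affected` event, the encoding github/advisory-database#470 asks for, bounds the range. The record, package name and ecosystem are constructed placeholders; only the version strings 4.1.1.26 and 4.6.0.66 come from this thread, and the version comparison assumes plain dotted integers rather than a real ecosystem comparator.

```python
"""Interpret OSV `affected[].ranges[].events` for a record with no `fixed` event.

Added example, not code from the osv.dev project or the GHSA database.
"""
import json

# Constructed sample, not a real advisory. Only the version strings 4.1.1.26
# and 4.6.0.66 are taken from the issue discussion; package and ecosystem
# names are placeholders.
SAMPLE_RECORD = json.loads("""{
  "id": "OSV-EXAMPLE-0001",
  "affected": [{
    "package": {"ecosystem": "ExampleEcosystem", "name": "example-pkg"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
    "database_specific": {"last_known_affected_version_range": "<= 4.1.1.26"}
  }]
}""")

EVENT_KINDS = ("introduced", "fixed", "last_affected")


def parse_version(text):
    """Dotted-integer version -> tuple, so 4.6.0.66 sorts after 4.1.1.26.
    The OSV sentinel "0" (earliest version) becomes (0,). This is a
    simplification: real consumers need ecosystem-specific comparison."""
    return tuple(int(part) for part in text.split("."))


def is_affected(events, version):
    """Walk the sorted events of one range and report whether `version` is inside.

    `introduced` opens a window, `fixed` closes it exclusively, `last_affected`
    closes it inclusively. A window that is never closed is open-ended, so every
    later version counts as affected."""
    target = parse_version(version)
    points = sorted(
        (parse_version(event[kind]), kind)
        for event in events
        for kind in EVENT_KINDS
        if kind in event
    )
    affected = False
    for at, kind in points:
        if kind == "introduced" and at <= target:
            affected = True
        elif kind == "fixed" and at <= target:
            affected = False
        elif kind == "last_affected" and at < target:
            affected = False
    return affected


def affected_versions(record, candidates):
    """Return the candidates matched by any range of any affected entry.
    `database_specific` is deliberately not consulted: it is a hint, not part
    of the matching rules."""
    return [
        v for v in candidates
        if any(is_affected(rng["events"], v)
               for entry in record["affected"]
               for rng in entry["ranges"])
    ]


def with_last_affected(record, last_affected):
    """Return a copy of `record` whose ranges are closed by an official
    `last_affected` event instead of relying on the database_specific hint."""
    copy = json.loads(json.dumps(record))
    for entry in copy["affected"]:
        for rng in entry["ranges"]:
            rng["events"].append({"last_affected": last_affected})
    return copy


if __name__ == "__main__":
    versions = ["4.1.1.26", "4.4.0.0", "4.6.0.66", "5.0.0.0"]
    hint = SAMPLE_RECORD["affected"][0]["database_specific"]["last_known_affected_version_range"]
    print("hint field (not used for matching):", hint)
    print("open-ended range matches:", affected_versions(SAMPLE_RECORD, versions))
    bounded = with_last_affected(SAMPLE_RECORD, "4.6.0.66")
    print("with last_affected 4.6.0.66:", affected_versions(bounded, versions))
```

Run against the constructed record, the open-ended range matches every candidate, including 4.4.0.0, 4.6.0.66 and 5.0.0.0, regardless of the `<= 4.1.1.26` hint; only once a `last_affected` event is present does 5.0.0.0 drop out. That is the behaviour the reply above describes: the hint field does not narrow the range, the events do.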

taladrane commented

Crossposting here that the ecosystem has been fixed on the GHSA! Thank you again for the feedback 🙌

andrewpollock (Contributor) commented

@oliverchang is it fair to say there's nothing further actionable on this issue? Can we close it out?

oliverchang (Collaborator) commented

@andrewpollock yep, thanks!


4 participants