Problem statement:

Today, `affected[].versions` enumeration only occurs during the import of an OSV record.

#1987 has identified that it is conceivable that additional vulnerable versions may be released (for example, if the vulnerability was fixed in a backward-incompatible manner in a new major version branch) after the OSV record has been published (and imported by OSV.dev).

This means that it is possible for the OSV.dev API to return false negatives for new vulnerable versions released after the OSV record has been published and imported.

False negatives detract from OSV.dev's strategy to be a comprehensive, accurate and timely database of known vulnerabilities.

Proposed solution:

Periodically (interval TBD), reimport all of the records for a given source, causing the affected versions for each record to be re-enumerated, based on the facts available at that point in time.

How this reimport is triggered will vary between the different currently supported data sources:

- GCS: Set `ignore_last_import_time` to `true` for the given source record in `SourceRepository` in Datastore
- Git: Set `last_synced_hash` to `null` for the given source record in `SourceRepository` in Datastore
- REST: Set `ignore_last_import_time` to `true` for the given source record in `SourceRepository` in Datastore
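The false negative described above, and the effect of re-enumerating on reimport, as an added example that is not OSV.dev's own code. It models a record whose range is introduced `1.0.0` / fixed `2.0.0` and a still-vulnerable `1.3.0` tag that only appears after the first import; version strings, tag lists, the dict standing in for a `SourceRepository` entity, and the `mark_for_reimport` helper are all constructed assumptions for illustration, not the project's API.

```python
"""Added example (not OSV.dev code): why an affected[].versions list that is
enumerated once at import time can produce false negatives, and how
re-enumerating it on a periodic reimport closes the gap.

Assumptions (constructed): versions are dotted integers compared numerically,
and a version is affected when introduced <= version < fixed, mirroring the
introduced/fixed event semantics of an OSV range.
"""
from __future__ import annotations

from typing import Iterable


def parse_version(v: str) -> tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3) so that versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def enumerate_affected(introduced: str, fixed: str,
                       known_versions: Iterable[str]) -> list[str]:
    """Expand a range into a concrete affected[].versions list, using only the
    versions that are known to exist at enumeration (import) time."""
    lo, hi = parse_version(introduced), parse_version(fixed)
    return sorted((v for v in known_versions if lo <= parse_version(v) < hi),
                  key=parse_version)


def is_affected_by_list(versions: list[str], query: str) -> bool:
    """A frozen enumerated list can only answer by exact membership."""
    return query in versions


def is_affected_by_range(introduced: str, fixed: str, query: str) -> bool:
    """Ground truth: the range itself still covers versions released later."""
    return parse_version(introduced) <= parse_version(query) < parse_version(fixed)


# Constructed scenario: the fix landed only in the backward-incompatible 2.0.0
# branch, so the 1.x branch keeps receiving releases that remain vulnerable.
INTRODUCED, FIXED = "1.0.0", "2.0.0"
TAGS_AT_IMPORT = ["0.9.0", "1.0.0", "1.1.0", "1.2.0", "2.0.0"]
NEW_TAG = "1.3.0"  # published after the record was imported


def demo() -> tuple[list[str], list[str], bool]:
    """Returns (list frozen at import, list after re-enumeration, whether the
    frozen list yields a false negative for the new tag)."""
    frozen = enumerate_affected(INTRODUCED, FIXED, TAGS_AT_IMPORT)
    false_negative = (is_affected_by_range(INTRODUCED, FIXED, NEW_TAG)
                      and not is_affected_by_list(frozen, NEW_TAG))
    # A reimport re-enumerates against the tags that exist *now*.
    refreshed = enumerate_affected(INTRODUCED, FIXED, TAGS_AT_IMPORT + [NEW_TAG])
    return frozen, refreshed, false_negative


# The per-source trigger from the proposal, applied to a SourceRepository
# record modelled here as a plain dict (an assumption; the real entity lives in
# Datastore and is not touched by this example).
REIMPORT_TRIGGERS = {
    "GCS": {"ignore_last_import_time": True},
    "Git": {"last_synced_hash": None},
    "REST": {"ignore_last_import_time": True},
}


def mark_for_reimport(source_repository: dict, source_type: str) -> dict:
    """Return a copy of the record with the field change that forces a full
    reimport for its source type."""
    updated = dict(source_repository)
    updated.update(REIMPORT_TRIGGERS[source_type])
    return updated


if __name__ == "__main__":
    frozen, refreshed, false_negative = demo()
    print("at import:   ", frozen)
    print("query", NEW_TAG, "against frozen list -> false negative:", false_negative)
    print("after reimport:", refreshed)
    print(mark_for_reimport({"name": "example-git-source", "last_synced_hash": "abc123"}, "Git"))
```

The point the example makes is that the range stays correct while the enumerated list silently goes stale; the cheapest mitigation is exactly the one proposed, re-running the enumeration on a schedule so the list reflects the tags that exist at that time.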