Hello! Thanks for your work!
I found 1 confusing case:
The GHSA-h4j7-5rxr-p4wc advisory contains `affected[].ranges[].events` + `affected[].versions` fields:
```json
{
  "package": {
    "ecosystem": "NuGet",
    "name": "Microsoft.Build.Tasks.Core"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "17.13.9"
        },
        {
          "fixed": "17.14.8"
        }
      ]
    }
  ],
  "versions": [
    "17.13.9"
  ]
}
```
OSV schema says:

> **affected[].versions field**
> The affected object's versions field is a JSON array of strings. Each string is a single affected version in whatever version syntax is used by the given package ecosystem.
> ...
> **affected[].ranges[].events fields**
> The ranges object's events field is a JSON array of objects. Each object describes a single version that either:
> - Introduces a vulnerability: `{"introduced": string}`
> - Fixes a vulnerability: `{"fixed": string}`
IIUC it means that affected versions are the `>=17.13.9 <17.14.8` range + the `17.13.9` version.
But this range already contains `17.13.9`, so it means that affected versions are the `>=17.13.9 <17.14.8` range.
GitHub UI shows the following versions:
This is consistent with Microsoft's information - https://github.com/dotnet/msbuild/issues/118469
But this is not equal to the OSV file.
Can you help to understand this case?
Perhaps I am missing something.
Best Regards, Dmitriy
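As an added example (not part of the issue and not OSV project code), the snippet below evaluates the quoted `affected` object the way the OSV schema text describes: a version is affected if it appears in the explicit `versions` list or falls inside any `ranges[].events` window. It also reports which explicit versions are not already covered by a range, which makes the overlap the issue describes visible. The candidate version list and the simple dotted-numeric version comparison are assumptions made for this illustration; real NuGet version ordering needs a proper version library.

```python
"""Added example: evaluate an OSV 'affected' entry against candidate versions.

AFFECTED_JSON is the affected object quoted in the issue (GHSA-h4j7-5rxr-p4wc).
The helper names, the candidate versions and the numeric version comparison are
constructed for this example only.
"""
import json

AFFECTED_JSON = """
{
  "package": {"ecosystem": "NuGet", "name": "Microsoft.Build.Tasks.Core"},
  "ranges": [
    {"type": "ECOSYSTEM",
     "events": [{"introduced": "17.13.9"}, {"fixed": "17.14.8"}]}
  ],
  "versions": ["17.13.9"]
}
"""
AFFECTED = json.loads(AFFECTED_JSON)


def parse_version(v: str) -> tuple:
    # Assumption: plain dotted numeric versions, which is all this advisory uses.
    # Pre-release tags or NuGet-specific normalisation are not handled here.
    return tuple(int(part) for part in v.split("."))


def in_range(version: str, events: list) -> bool:
    """Walk the (ascending) OSV event list and track whether `version` is inside
    an introduced..fixed / introduced..last_affected window."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            # "0" is the OSV sentinel for "from the first version ever".
            if ev["introduced"] == "0" or v >= parse_version(ev["introduced"]):
                affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and v > parse_version(ev["last_affected"]):
            affected = False
    return affected


def matching_ranges(version: str, affected_obj: dict) -> list:
    """Return the ranges (ECOSYSTEM/SEMVER) whose events contain `version`."""
    return [
        r for r in affected_obj.get("ranges", [])
        if r.get("type") in ("ECOSYSTEM", "SEMVER") and in_range(version, r["events"])
    ]


def is_affected(version: str, affected_obj: dict) -> bool:
    """OSV semantics: the union of the explicit versions list and all ranges."""
    if version in affected_obj.get("versions", []):
        return True
    return bool(matching_ranges(version, affected_obj))


def explicit_versions_not_in_ranges(affected_obj: dict) -> list:
    """Explicit `versions` entries that no range already covers. An empty result
    means the versions list adds nothing beyond the ranges."""
    return [
        v for v in affected_obj.get("versions", [])
        if not matching_ranges(v, affected_obj)
    ]


def classify(affected_obj: dict, candidates: list) -> dict:
    """Per-candidate breakdown: listed explicitly, inside a range, overall."""
    return {
        v: {
            "in_versions_list": v in affected_obj.get("versions", []),
            "in_ranges": bool(matching_ranges(v, affected_obj)),
            "affected": is_affected(v, affected_obj),
        }
        for v in candidates
    }


if __name__ == "__main__":
    # Constructed candidate versions around the advisory's boundaries.
    candidates = ["17.13.8", "17.13.9", "17.14.0", "17.14.7", "17.14.8"]
    for ver, result in classify(AFFECTED, candidates).items():
        print(ver, result)
    print("explicit versions not covered by a range:",
          explicit_versions_not_in_ranges(AFFECTED))
```

Running it shows `17.13.9` flagged both by the explicit list and by the range, `17.14.0` and `17.14.7` flagged by the range only, `17.13.8` and `17.14.8` unaffected, and an empty "not covered" list, so for this advisory the union of the two fields is exactly the `>=17.13.9 <17.14.8` range.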