Non-SemVer compliant versioning in OSV records

[andrewpollock]

Title

CVE-2021-44528

What steps will reproduce the bug?

$ pipenv run python -m osv.analyze_tool --analyze_git=true --format=json /tmp/BIT-rails-2021-44528.json
INFO:root:Analyzing /tmp/BIT-rails-2021-44528.json
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/analyze_tool/__main__.py", line 19, in <module>
    main()
  File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/analyze_tool/__init__.py", line 88, in main
    analyze(path, args.checkout_path, args.key_path, analyze_git,
  File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/analyze_tool/__init__.py", line 101, in analyze
    result = impact.analyze(
             ^^^^^^^^^^^^^^^
  File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/impact.py", line 648, in analyze
    enumerate_versions(affected.package.name, ecosystem_helpers,
  File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/impact.py", line 490, in enumerate_versions
    sorted_events.sort(key=sort_key)
  File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/impact.py", line 482, in sort_key
    return ecosystem.sort_key(event.introduced)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/ecosystems/semver_ecosystem_helper.py", line 25, in sort_key
    return semver_index.parse(version)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/semver_index.py", line 104, in parse
    return semver.Version.parse(coerce(version))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/google/home/apollock/.local/share/virtualenvs/osv.dev-cTOZqQPe/lib/python3.11/site-packages/semver/version.py", line 646, in parse
    raise ValueError(f"{version} is not valid SemVer string")
ValueError: 6.0.4.2 is not valid SemVer string

What is the expected behavior?

The version used passes SemVer validation

What do you see instead?

The version does not pass SemVer validation

Additional information

I have not exhaustively reviewed the remaining records to see how widespread this problem is.

Either the versions should be SemVer compliant, or the ranges[].type should be ECOSYSTEM

[gongomgra]

Hi @andrewpollock,

Thanks for letting us know and for opening this issue. We are working on a fix.

[gongomgra]

Hi @andrewpollock,

Just a quick note to let you know we have updated our database fixing this issue. We are now distributing the affected ranges in SEMVER and ECOSYSTEM categories. You can get more information about the changes at PR/342.

Let us know if there is anything else we can help you with.

[andrewpollock]

Thanks for the quick action. Unfortunately I failed to appreciate that OSV.dev is expecting this ecosystem to be SemVer

I've cross referenced the contents of the source repo with what's missing from OSV.dev's export (so is therefore failing import), and these records are problematic as SemVer:

BIT-django-2023-46695.json
BIT-ejbca-2020-11626.json
BIT-ejbca-2020-11627.json
BIT-ejbca-2020-11628.json
BIT-ejbca-2020-11629.json
BIT-ejbca-2020-11630.json
BIT-ejbca-2020-11631.json
BIT-ejbca-2022-40711.json
BIT-envoy-2020-25018.json
BIT-kong-2021-27306.json
BIT-magento-2020-3715.json
BIT-magento-2020-3716.json
BIT-magento-2020-3717.json
BIT-magento-2020-3718.json
BIT-magento-2020-3719.json
BIT-magento-2020-3758.json
BIT-magento-2020-9576.json
BIT-magento-2020-9577.json
BIT-magento-2020-9578.json
BIT-magento-2020-9579.json
BIT-magento-2020-9580.json
BIT-magento-2020-9581.json
BIT-magento-2020-9582.json
BIT-magento-2020-9583.json
BIT-magento-2020-9584.json
BIT-magento-2020-9585.json
BIT-magento-2020-9587.json
BIT-magento-2020-9588.json
BIT-magento-2020-9591.json
BIT-magento-2020-9630.json
BIT-magento-2020-9631.json
BIT-magento-2020-9632.json
BIT-magento-2020-9664.json
BIT-magento-2020-9665.json
BIT-miniconda-2022-26526.json
BIT-neo4j-apoc-procedures-2021-42767.json
BIT-nginx-2022-41741.json
BIT-nginx-2022-41742.json
BIT-opencart-2020-10596.json
BIT-opencart-2020-13980.json
BIT-opencart-2020-20491.json
BIT-opencart-2020-28838.json
BIT-opencart-2020-29470.json
BIT-opencart-2020-29471.json
BIT-opencart-2021-37823.json
BIT-opencart-2023-2315.json
BIT-opencart-2023-40834.json
BIT-opencart-2023-47444.json
BIT-openfire-2023-32315.json
BIT-prestashop-2020-11074.json
BIT-prestashop-2020-15079.json
BIT-prestashop-2020-15080.json
BIT-prestashop-2020-15081.json
BIT-prestashop-2020-15082.json
BIT-prestashop-2020-15083.json
BIT-prestashop-2020-15160.json
BIT-prestashop-2020-15161.json
BIT-prestashop-2020-15162.json
BIT-prestashop-2020-21967.json
BIT-prestashop-2020-26224.json
BIT-prestashop-2020-4074.json
BIT-prestashop-2020-5250.json
BIT-prestashop-2020-5264.json
BIT-prestashop-2020-5265.json
BIT-prestashop-2020-5269.json
BIT-prestashop-2020-5270.json
BIT-prestashop-2020-5271.json
BIT-prestashop-2020-5272.json
BIT-prestashop-2020-5276.json
BIT-prestashop-2020-5278.json
BIT-prestashop-2020-5279.json
BIT-prestashop-2020-5285.json
BIT-prestashop-2020-5286.json
BIT-prestashop-2020-5287.json
BIT-prestashop-2020-5288.json
BIT-prestashop-2020-5293.json
BIT-prestashop-2020-6632.json
BIT-prestashop-2021-21302.json
BIT-prestashop-2021-21308.json
BIT-prestashop-2021-21398.json
BIT-prestashop-2021-3110.json
BIT-prestashop-2021-43789.json
BIT-prestashop-2022-21686.json
BIT-prestashop-2022-31181.json
BIT-prestashop-2022-46158.json
BIT-prestashop-2023-30545.json
BIT-prestashop-2023-30838.json
BIT-prestashop-2023-30839.json
BIT-prestashop-2023-39526.json
BIT-prestashop-2023-39527.json
BIT-prestashop-2024-21627.json
BIT-rails-2020-8162.json
BIT-rails-2020-8164.json
BIT-rails-2020-8165.json
BIT-rails-2020-8166.json
BIT-rails-2020-8167.json
BIT-rails-2020-8185.json
BIT-rails-2020-8264.json
BIT-rails-2021-22880.json
BIT-rails-2021-22881.json
BIT-rails-2021-22885.json
BIT-rails-2021-22902.json
BIT-rails-2021-22903.json
BIT-rails-2021-22904.json
BIT-rails-2021-22942.json
BIT-rails-2021-44528.json
BIT-rails-2022-23633.json
BIT-rails-2022-23634.json
BIT-rails-2023-22792.json
BIT-rails-2023-22795.json
BIT-rails-2023-22797.json

[gongomgra]

Hi @andrewpollock,

Thanks for your message. Unfortunately, we distribute third-party projects for which we don't have any control on their versioning system. Most of the times, and for most of the projects we distribute, upstream releases are named with valid SemVer schema, but from time to time they may release a version without honoring it.

Is it possible to update osv.dev backend to accept a mix of SEMVER and ECOSYSTEM categories for the Bitnami database? In case it is not possible, what would be the implications of permanently setting all affected.ranges[].type to ECOSYSTEM in osv.dev portal? I tested Trivy integration of our database and it properly detected CVEs for versions tagged with the ECOSYSTEM type.

[andrewpollock]

Hi @gongomgra, (/cc @oliverchang to keep me honest here)

I've got a better appreciation for what's happening here now, see below for what I think needs to happen. If you would like to have a meeting to talk through this, please let me know.

See https://google.github.io/osv.dev/faq/#what-does-osvdev-do-to-the-records-it-imports for additional background context.

When an OSV ecosystem (really an OSV.dev "source" in this context) is treated as SEMVER:

• no version enumeration is done when records are imported (so affected[].versions remains empty/absent)
• the expectation is strict SemVer rules apply when doing vulnerable version determination by OSV.dev's API
• the ranges type is coerced to SEMVER if it is ECOSYSTEM when returned by the API and exported to the GCS bucket

For ECOSYSTEM ranges, the expectation is that ecosystem-specific code exists to do the version enumeration, and that the affected[].versions field gets populated with every version that is enumerated by this code.

Given Bitnami's need for a mixed ecosystem (really an OSV.dev "source" in this context), I think the path forwards, to ensure the records mentioned in #336 (comment) can be successfully imported (and are usable), what is going to be needed is custom enumeration code for the Bitnami ecosystem that:

• for records that have the range type set to SEMVER, ignore them for the purposes of enumeration
• for records that have the range type set to ECOSYSTEM, perform per-package (by the looks of it?) enumeration behaviour analogous to how other non-SemVer ecosystems are treated by OSV.dev in _ecosystems.py, and leave the range type as ECOSYSTEM

Note that this is going to mean that for every new non-SemVer package that is added to Bitnami/has an OSV vulnerability record published, this custom version enumeration code is going to need to be extended in order for OSV records for that package to be successfully imported by OSV.dev

The above failures cluster by package:
42 prestashop
24 magento
20 rails
10 opencart
7 ejbca
2 nginx
1 openfire
1 neo4j
1 miniconda
1 kong
1 envoy
1 django

[oliverchang]

Is there documentation for how Bitnami treats version numbers and the algorithms/rules i follows? For instance, how does Bitnami determine if a particular version number is newer than another for the purposes of upgrading packages? Ideally osv.dev behaviour will match this exactly.

As @andrewpollock mentioned, our SEMVER ranges expect strict SemVer 2.0 compliance, with the benefit that it'll just work as is for our API queries without requiring version enumeration/explosion (which involves turning a range into the list of concrete versions). For ECOSYSTEM ranges, supporting them in our API responses requires this enumeration.

[gongomgra]

Hi @andrewpollock, @oliverchang,

Sorry for the delay. Almost all of our assets follow the semver specs to name their released versions. If one asset publishes a release with a non-semver tag (let's take a recent case I have found for rails: 7.0.7.2), our internal logic converts the version to 7.0.7-2 and, instead of considering it a pre-release of the 7.0.7 release, it is considered a release between 7.0.7 and 7.0.8 (7.0.7 < 7.0.7-2 < 7.0.8). Then we publish the module that will be installed into the containers as rails-7.0.7-2-X, where X indicates the internal revision of the module, and that will be bumped if we update something not related to the rails app itself (for example if we update default permissions to the rails binary). You can see the rest of the changes in the pull-request publishing the updated container at bitnami/containers/pr/45885.

Having the mentioned logic into account, would that work if we continue adding the non-semver versions into the affected.ranges[].type(ecosystem) array with our custom format (7.0.7-2 instead of 7.0.7.2), and update the osv.dev logic to compare those versions the way we consider them? Have you ever found this situation in the past? We would continue providing valid semver versions as part of the SEMVER type array. Unfortunately, we can't provide you with the list of versions in the range as we don't have the full releases history available for many of those projects on our side, nor we can ensure they are available upstream.

[andrewpollock]

Hi @gongomgra

As I mentioned previously in #336 (comment), if OSV.dev is to do anything outside of treating everything from Bitnami as SEMVER, there need to be custom version enumeration code written to implement that specific behaviour.

It seems feasible to me to have this code behave as I described in my earlier comment.

Have you ever found this situation in the past?

No, this is the first time we've had this sort of scenario, where an OSV.dev database is mixing version range types.

Unfortunately, we can't provide you with the list of versions in the range as we don't have the full releases history available for many of those projects on our side, nor we can ensure they are available upstream.

Just be aware that for an ECOSYSTEM range with incomplete enumeration (i.e. affected.versions[] is either incompletely enumerated or not at all) it limits the ability for OSV.dev API users to determine if a specific vulnerable version is actually vulnerable. At the moment, these records aren't even making it into OSV.dev due to the import failures that started this conversation.

[gongomgra]

Hi @andrewpollock, @oliverchang,

We are working on fixing the affected CVE files mentioned here and also others we have found on our side. We will keep you posted.

[gongomgra]

Hi @andrewpollock, @oliverchang,

We have fixed and/or removed (turned out some of them didn't affect our released assets) all affected CVEs in our database (see PR/369). Please let us know if the osv.dev ingestion is ok now.

[gongomgra]

Hi @andrewpollock, @oliverchang,

Do you have any update on this?

[andrewpollock]

Hi @gongomgra

I have cross-referenced the Git repository we're importing from with the contents of what we're exporting:

git clone https://github.com/bitnami/vulndb.git
gsutil cp gs://osv-vulnerabilities/Bitnami/all.zip .
find  data/ -type f -exec jq -r '.id' {} \; | sort > /tmp/bitnami_import
find  -type f -exec jq -r '.id' {} \; | sort > /tmp/bitnami_export
comm -23 /tmp/bitnami_import /tmp/bitnami_export  | wc -l
0

but, I see:

comm -13 /tmp/bitnami_import /tmp/bitnami_export  | wc -l
268

It looks like a number of previously published advisories have been subsequently deleted?

a) Is it conceivable that a Bitnami customer would have old (vulnerable) packages installed and be getting false negatives if this data was no longer present in OSV,.dev?
b) I would have expected our import process to flag these as withdrawn, but they are not, google/osv.dev#2101

These are what I'm seeing present in the export, but no longer in the source repo we're importing from:

BIT-abantecart-2021-42050
BIT-abantecart-2021-42051
BIT-abantecart-2022-26521
BIT-canvaslms-2020-5775
BIT-canvaslms-2021-36539
BIT-civicrm-2020-36388
BIT-civicrm-2020-36389
BIT-civicrm-2023-25440
BIT-codeigniter-2020-10793
BIT-codeigniter-2022-21647
BIT-codeigniter-2022-21715
BIT-codeigniter-2022-23556
BIT-codeigniter-2022-24711
BIT-codeigniter-2022-24712
BIT-codeigniter-2022-35943
BIT-codeigniter-2022-39284
BIT-codeigniter-2022-40824
BIT-codeigniter-2022-40825
BIT-codeigniter-2022-40826
BIT-codeigniter-2022-40827
BIT-codeigniter-2022-40828
BIT-codeigniter-2022-40829
BIT-codeigniter-2022-40830
BIT-codeigniter-2022-40831
BIT-codeigniter-2022-40832
BIT-codeigniter-2022-40833
BIT-codeigniter-2022-40834
BIT-codeigniter-2022-40835
BIT-codeigniter-2022-46170
BIT-codeigniter-2023-32692
BIT-codeigniter-2023-46240
BIT-discourse-2021-41082
BIT-dotnet-2020-1108
BIT-dotnet-2023-36038
BIT-dotnet-sdk-2020-1108
BIT-dotnet-sdk-2023-36038
BIT-haproxy-2023-0056
BIT-jasperreports-2020-9409
BIT-jasperreports-2020-9410
BIT-jasperreports-2021-35494
BIT-jasperreports-2021-35495
BIT-jasperreports-2021-35496
BIT-jasperreports-2022-22771
BIT-jasperreports-2022-22773
BIT-jasperreports-2022-41561
BIT-jasperreports-2022-41562
BIT-jasperreports-2022-41563
BIT-json-c-2021-32292
BIT-kong-2023-44487
BIT-liferay-2020-15839
BIT-liferay-2021-38263
BIT-liferay-2021-38265
BIT-liferay-2021-38266
BIT-liferay-2021-38267
BIT-liferay-2021-38268
BIT-liferay-2021-38269
BIT-liferay-2022-25146
BIT-liferay-2022-26593
BIT-liferay-2022-26595
BIT-liferay-2022-26596
BIT-liferay-2022-26597
BIT-liferay-2022-42123
BIT-liferay-2022-42124
BIT-liferay-2022-42125
BIT-liferay-2022-42126
BIT-liferay-2022-42127
BIT-liferay-2022-42128
BIT-liferay-2022-42129
BIT-liferay-2022-42130
BIT-liferay-2022-42131
BIT-liferay-2022-42132
BIT-liferay-2023-33937
BIT-liferay-2023-33938
BIT-liferay-2023-33939
BIT-liferay-2023-33940
BIT-liferay-2023-33941
BIT-liferay-2023-33942
BIT-liferay-2023-33943
BIT-liferay-2023-33944
BIT-liferay-2023-33945
BIT-liferay-2023-33946
BIT-liferay-2023-33947
BIT-liferay-2023-33948
BIT-liferay-2023-33949
BIT-liferay-2023-33950
BIT-liferay-2023-3426
BIT-liferay-2023-42497
BIT-liferay-2023-42627
BIT-liferay-2023-42628
BIT-liferay-2023-42629
BIT-liferay-2023-44309
BIT-liferay-2023-44310
BIT-liferay-2023-44311
BIT-mediawiki-2020-12051
BIT-miniconda-2021-42969
BIT-miniconda-2023-35845
BIT-modx-2020-25911
BIT-mxnet-2022-24294
BIT-mybb-2020-15139
BIT-mybb-2020-19048
BIT-mybb-2020-19049
BIT-mybb-2020-22612
BIT-mybb-2021-27279
BIT-mybb-2021-27889
BIT-mybb-2021-27890
BIT-mybb-2021-27946
BIT-mybb-2021-27947
BIT-mybb-2021-27948
BIT-mybb-2021-27949
BIT-mybb-2021-41866
BIT-mybb-2021-43281
BIT-mybb-2022-24734
BIT-mybb-2022-39265
BIT-mybb-2022-43707
BIT-mybb-2022-43708
BIT-mybb-2022-43709
BIT-mybb-2022-45867
BIT-mybb-2023-28467
BIT-mybb-2023-41362
BIT-mybb-2023-45556
BIT-mybb-2023-46251
BIT-neos-2022-30429
BIT-neos-2023-37611
BIT-nginx-ingress-controller-2021-23055
BIT-nginx-ingress-controller-2022-30535
BIT-nginx-ingress-controller-2022-41741
BIT-nginx-ingress-controller-2022-41742
BIT-nginx-ingress-controller-2022-41743
BIT-nginx-ingress-controller-2023-44487
BIT-openproject-2021-32763
BIT-openproject-2021-43830
BIT-openproject-2023-31140
BIT-openproject-2023-33960
BIT-percona-xtrabackup-2020-10997
BIT-percona-xtrabackup-2022-25834
BIT-percona-xtrabackup-2022-26944
BIT-percona-xtrabackup-binary-2020-10997
BIT-percona-xtrabackup-binary-2022-25834
BIT-percona-xtrabackup-binary-2022-26944
BIT-phplist-2020-12639
BIT-phplist-2020-13827
BIT-phplist-2020-15072
BIT-phplist-2020-15073
BIT-phplist-2020-22249
BIT-phplist-2020-22251
BIT-phplist-2020-23190
BIT-phplist-2020-23192
BIT-phplist-2020-23194
BIT-phplist-2020-23207
BIT-phplist-2020-23208
BIT-phplist-2020-23209
BIT-phplist-2020-23214
BIT-phplist-2020-23217
BIT-phplist-2020-23361
BIT-phplist-2020-35708
BIT-phplist-2020-36398
BIT-phplist-2020-36399
BIT-phplist-2020-8547
BIT-phplist-2021-3188
BIT-phplist-2023-27576
BIT-processmaker-2020-13525
BIT-processmaker-2020-13526
BIT-processmaker-2022-38577
BIT-rails-2022-3704
BIT-reviewboard-2021-31330
BIT-roundcube-2020-12625
BIT-roundcube-2020-12626
BIT-roundcube-2020-12640
BIT-roundcube-2020-12641
BIT-roundcube-2020-13964
BIT-roundcube-2020-13965
BIT-roundcube-2020-15562
BIT-roundcube-2020-16145
BIT-roundcube-2020-18670
BIT-roundcube-2020-18671
BIT-roundcube-2020-35730
BIT-roundcube-2021-26925
BIT-roundcube-2021-44025
BIT-roundcube-2021-44026
BIT-roundcube-2023-43770
BIT-roundcube-2023-47272
BIT-roundcube-2023-5631
BIT-seopanel-2020-35930
BIT-seopanel-2021-28417
BIT-seopanel-2021-28418
BIT-seopanel-2021-28419
BIT-seopanel-2021-28420
BIT-seopanel-2021-29008
BIT-seopanel-2021-29009
BIT-seopanel-2021-29010
BIT-seopanel-2021-3002
BIT-seopanel-2021-34117
BIT-seopanel-2021-39413
BIT-seopanel-2024-22643
BIT-seopanel-2024-22646
BIT-seopanel-2024-22647
BIT-seopanel-2024-22648
BIT-symfony-2020-15094
BIT-symfony-2020-5255
BIT-symfony-2020-5274
BIT-symfony-2020-5275
BIT-symfony-2021-21424
BIT-symfony-2021-32693
BIT-symfony-2021-41267
BIT-symfony-2021-41268
BIT-symfony-2021-41270
BIT-symfony-2022-23601
BIT-symfony-2022-24894
BIT-symfony-2022-24895
BIT-symfony-2023-46733
BIT-symfony-2023-46734
BIT-symfony-2023-46735
BIT-typo3-2020-11063
BIT-typo3-2020-11064
BIT-typo3-2020-11065
BIT-typo3-2020-11066
BIT-typo3-2020-11067
BIT-typo3-2020-11069
BIT-typo3-2020-15098
BIT-typo3-2020-15099
BIT-typo3-2020-15241
BIT-typo3-2020-26227
BIT-typo3-2020-26228
BIT-typo3-2020-26229
BIT-typo3-2020-8091
BIT-typo3-2021-21338
BIT-typo3-2021-21339
BIT-typo3-2021-21340
BIT-typo3-2021-21355
BIT-typo3-2021-21357
BIT-typo3-2021-21358
BIT-typo3-2021-21359
BIT-typo3-2021-21365
BIT-typo3-2021-21370
BIT-typo3-2021-32667
BIT-typo3-2021-32668
BIT-typo3-2021-32669
BIT-typo3-2021-32767
BIT-typo3-2021-32768
BIT-typo3-2021-41113
BIT-typo3-2021-41114
BIT-typo3-2022-23500
BIT-typo3-2022-23501
BIT-typo3-2022-23502
BIT-typo3-2022-23503
BIT-typo3-2022-23504
BIT-typo3-2022-31046
BIT-typo3-2022-31047
BIT-typo3-2022-31048
BIT-typo3-2022-31049
BIT-typo3-2022-31050
BIT-typo3-2022-36104
BIT-typo3-2022-36105
BIT-typo3-2022-36106
BIT-typo3-2022-36107
BIT-typo3-2022-36108
BIT-typo3-2023-24814
BIT-typo3-2023-30451
BIT-typo3-2023-38499
BIT-typo3-2023-47125
BIT-typo3-2023-47126
BIT-typo3-2023-47127
BIT-weblate-2022-23915
BIT-weblate-2022-24710
BIT-wordpress-2021-39202
BIT-wordpress-2021-39203
BIT-wordpress-multisite-2021-39202
BIT-wordpress-multisite-2021-39203

[andrewpollock]

I think this is all good now in terms of what's currently existent importing correctly, there's just the open question around whether the aforementioned records should really be deleted or not to be of maximum benefit to Bitnami users?

[gongomgra]

Hi @andrewpollock,

Thanks for your message. Yes, it is ok to remove old/non-supported data from OSV.dev as we do in Bitnami's VulnDB. Let me give you more information on this.

I have been checking the CVE files you mentioned and almost all of them belong to recently deprecated assets in our catalog that we no longer support. From time to time we deprecate one or more of our solutions due to different reasons, and in that situation, we keep its security information in our vulnerability database for a grace period of one month, as stated in our deprecation policy. Once that grace period is over, we remove the information from our database.

The rest of the mentioned files and not belonging to deprecated assets were removed because they don't actually apply. For instance, the CVEs mentioned for WordPress and WordPress Multisite assets don't apply because they affect beta versions only.

Hope this message helps to clarify our deprecation policy. Do not hesitate to ask any other questions you may have.

[gongomgra]

Hi @andrewpollock,

We are closing this ticket as solved. Thank you for reporting this issue on our database and for your help fixing it. Do not hesitate to open a new ticket with any other questions you may have or any other issues you may find.