Data quality issue with GHSA-4wrc-f8pq-fpqp

[Albertoimpl]

CVE-2016-1000027
https://osv.dev/vulnerability/CVE-2016-1000027

Missing releases
It is missing releases in a range that still contains vulnerabilities.
More precisely, reading https://osv.dev/vulnerability/GHSA-4wrc-f8pq-fpqp it states that it was fixed only after 6.0.0 but the range in, for example, affected versions ends in 5.3.27 when there are releases until 5.3.31 that are still vulnerable: https://mvnrepository.com/artifact/org.springframework/spring-web

Suggested changes to record
Update the affected versions to include all the missing releases.

Additional context
Thanks a lot!

[andrewpollock]

Hello @Albertoimpl thank you for bringing this to our attention.

To confirm, you're referring to the contents of affected[].versions for https://osv.dev/vulnerability/GHSA-4wrc-f8pq-fpqp? (the title of this issue implies you're referring to https://osv.dev/vulnerability/CVE-2016-1000027, but that does not appear to be the case).

Looking at https://api.osv.dev/v1/vulns/GHSA-4wrc-f8pq-fpqp I can confirm that the highest version present is 5.3.27.

Looking at https://deps.dev/maven/org.springframework%3Aspring-web/6.1.4/versions I can confirm that versions higher to 5.3.32 exist.

My current theory is that additional versions became enumerable after the original import-time enumeration was performed. I am testing this theory by reimporting GHSA-4wrc-f8pq-fpqp

[andrewpollock]

Update: It seems I was mistaken on how to trigger a reimport of a single record for a Git-based OSV.dev data source. I am still trying to get just this record to be reprocessed.

[Albertoimpl]

Thanks for taking a look @andrewpollock. I confirm I was referring to what you are specifying.

[andrewpollock]

I note that https://api.osv.dev/v1/vulns/GHSA-4wrc-f8pq-fpqp is now reporting the additional versions in affected[].versions. Thank you for bringing this class of problem to our attention.

[Albertoimpl]

Confirmed, thanks a lot @andrewpollock!