Possible commit range misreporting

[kikofernandez]

Hi there from Erlang OTP team.
We have been using OSV to do our vulnerability scanning using the REST API.
Some of the reporting seem to be incorrect.

This is the information we send using the https://api.osv.dev/v1/querybatch REST API

{
  "queries": [
    {
      "commit": "37d575ede5ade50ad95b857f22ed7f1be4b1f2df",
      "package": { "name": "github.com/microsoft/STL" }
    },
    {
      "commit": "4c0618b0e44f7ef027ebae05d2cc7812048f7c8f",
      "package": { "name": "github.com/ulfjack/ryu" }
    },
    {
      "commit": "5fe1940275d04432da841896bac0a66cc2375551",
      "package": { "name": "github.com/asmjit/asmjit" }
    },
    {
      "commit": "c9a9e5b10105ad850b6e4d1122c645c67767c341",
      "package": { "name": "github.com/openssl/openssl" }
    },
    {
      "commit": "da607da739fa6047df13e66a2af6b8bec7c2a498",
      "package": { "name": "github.com/madler/zlib" }
    },
    {
      "commit": "f454e231fe5006dd7ff8f4693fd2b8eb94333429",
      "package": { "name": "github.com/PCRE2Project/pcre2" }
    },
    {
      "commit": "f8745da6ff1ad1e7bab384bd1f9d742439278e99",
      "package": { "name": "github.com/facebook/zstd" }
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "jquery"
      },
      "version": "4.0.0"
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "jquery-migrate"
      },
      "version": "4.0.2"
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "tablesorter"
      },
      "version": "2.32"
    }
  ]
}

and I would like to focus on pcre2

   {
      "commit": "f454e231fe5006dd7ff8f4693fd2b8eb94333429",
      "package": { "name": "github.com/PCRE2Project/pcre2" }

The response we get for pcre2 is that the following CVEs may affect us (please ignore the Erlang << and other stuff, the strings are the important parts

#{<<"results">> =>
      [...
       #{<<"vulns">> =>  ### PCRE2
             [#{<<"id">> => <<"CVE-2016-3191">>,
                <<"modified">> => <<"2026-04-01T23:41:22.026340Z">>},
              #{<<"id">> => <<"CVE-2017-7186">>,
                <<"modified">> => <<"2026-04-02T00:14:08.040982Z">>}]},
       #{},#{},#{},#{}]}

However, the description for CVE-2016-3191 says that one may be affected if using pcre2 previous to 10.22. The commit we submit is for pcre2 version 10.47, so I am wondering if we are not submitting correctly the information, or if OSV is incorrectly doing the range analysis scanning and reporting.

Thanks for any input.

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[kikofernandez]

Hi! I have reviewed the FAQ and it is not clear to me if I can direct this issue to the Source.
I do not think so, because this is based on commit ranges (I think). If I am mistaken, please let me know :)

[cuixq]

Hi @kikofernandez, thank you for reporting this.

To clarify, we use the "data quality" label to track improvements like these, and our FAQ page provides some broader context on how we handle these issues.

Regarding this specific issue: it's tied to our ongoing work on gitter which does the affected commit graph walking. We are currently working on a fix that will address the issue that you've noted.

We appreciate you helping us improve the quality of our data!

[kikofernandez]

Hi! Thanks for looking into this.
In case of needed more examples to validate, we have the following openssl example as well (Job run), where we think we cannot be vulnerable:

Information sent to querybatch

{
  "queries": [
    ...,
    {
      "commit": "c9a9e5b10105ad850b6e4d1122c645c67767c341",  # Openssl 3.6
      "package": { "name": "github.com/openssl/openssl" }
    },
   ...
   ]
}

Response

Response that we got (formatted for ease of reading):

github.com/openssl/openssl: CVE-2016-0701,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,
                                               CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,
                                               CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,
                                               CVE-2016-2108,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,
                                               CVE-2016-2178,CVE-2016-2179,CVE-2016-2181,CVE-2016-2182,
                                               CVE-2016-2842,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,
                                              CVE-2016-6305,CVE-2016-6306,CVE-2016-6307,CVE-2016-6308,
                                              CVE-2016-6309,CVE-2016-7052,CVE-2016-7053,CVE-2016-7056,
                                              CVE-2016-8610,CVE-2017-3730,CVE-2017-3731,CVE-2017-3732,
                                              CVE-2017-3733,CVE-2017-3735,CVE-2017-3737,CVE-2017-3738,
                                              CVE-2018-0734,CVE-2018-0735,CVE-2018-5407

where CVE-2016-0701 cannot happen because it affects "OpenSSL 1.0.2 before 1.0.2f" and our openssl sha is for openssl 3.6. I believe all the other reported issues follow the same logic.

Thanks a lot for looking into this!

[Ly-Joey]

Hi @kikofernandez thank you for your patience, I can confirm the false positives that you were seeing have been fixed!