normalize_tag returns "" for any input with no decimal digit, then _match_versions does "" in normalize_tags(vers) — true whenever vers contains a digit-free tag.
```console
$ curl -s -X POST https://api.osv.dev/v1/querybatch \
  -d '{"queries":[{"package":{"name":"https://github.com/unicode-org/icu","ecosystem":"GIT"},"version":"deadbeef"}]}' \
  | jq '.results[0].vulns | length'
7
```
icu has a last-cvs-commit tag. normalize_tag("deadbeef") == normalize_tag("last-cvs-commit") == "", so "deadbeef" matches every CVE whose range encompasses that tag. "deadbeef0" returns 0.
Happy to send a PR — guard the check on normalize_tag(version) being non-empty?
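An added illustration of the failure mode described above and of the proposed guard. This is not OSV's code: `normalize_tag` here is a simplified stand-in that only reproduces the property the report relies on (it returns `""` for any tag without a decimal digit), and the affected-tag list is constructed for the demonstration.

```python
import re

def normalize_tag(tag: str) -> str:
    """Simplified stand-in (not OSV's implementation): keep the numeric
    components of a tag, e.g. 'release-70-1' -> '70.1'.  Returns '' when
    the tag contains no decimal digit, which is the property that makes
    'deadbeef' and 'last-cvs-commit' collapse to the same value."""
    return ".".join(re.findall(r"\d+", tag))

def normalize_tags(tags):
    """Set of normalised tags; a digit-free tag contributes ''."""
    return {normalize_tag(t) for t in tags}

def match_versions_buggy(version: str, affected_tags) -> bool:
    # Reproduces the reported check: '' in {'', ...} is True, so any
    # digit-free version string matches a range containing a digit-free tag.
    return normalize_tag(version) in normalize_tags(affected_tags)

def match_versions_fixed(version: str, affected_tags) -> bool:
    # Suggested guard: an empty normalisation carries no version
    # information, so it must never be treated as a match.  The affected
    # side is filtered the same way so a digit-free tag cannot match anything.
    norm = normalize_tag(version)
    if not norm:
        return False
    return norm in (normalize_tags(affected_tags) - {""})

# Constructed sample: tags inside an affected range, one of them digit-free
# (modelled on the 'last-cvs-commit' tag mentioned in the report).
AFFECTED_TAGS = ["release-70-1", "release-71-1", "last-cvs-commit"]

if __name__ == "__main__":
    for v in ["deadbeef", "deadbeef0", "release-70-1"]:
        print(v, "buggy:", match_versions_buggy(v, AFFECTED_TAGS),
              "fixed:", match_versions_fixed(v, AFFECTED_TAGS))
```

Running it shows `deadbeef` matching under the buggy check and not under the guarded one, while a genuinely affected tag such as `release-70-1` still matches in both.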