Skip to content

Data quality issue with PYSEC-2024-225 #5574

Description

@mgedmin

The CVE ID
https://osv.dev/vulnerability/PYSEC-2024-225 (alias of https://osv.dev/vulnerability/CVE-2024-26130).

Describe the data quality issue observed
The source lists affected versions as 38.0 through 42.0.3, but osv.dev lists every version from 0.1 to 42.0.3 as affected.

Suggested changes to record
TBH I'm not familiar enough with the semantics of the data format to decide whether the bug is in the source, or in the import logic.

The source enumerates the affected versions directly, and then also defines two ranges: one for ecosystem versions from 38, until 40.0.4, and another for git commits from "0" to 97d231672763cdb5959a3b191e692a362f1b9e55. I don't know if "0" means "unknown" or if it means "the very first commit, whatever it was".

I don't think the osv importer should even look at git commits when it's been given an explicit list of affected versions.

Additional context
The aliased CVE record shows correct version ranges, and a synthetic git commit range that points to commits corresponding to releases, rather than to the actual commits that introduced and then fixed the bug.

Metadata

Metadata

Assignees

No one assigned

    Labels

    data qualityIssues with data quality

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions