Support for versions in all advisories

[rtfpessoa]

While querying the data in OSV I noticed that Packagist, Go, NPM and Crates.io have mostly affected ranges and no affected versions.

Is there a plan to support affected versions for these ecosystems?

[oliverchang]

Packagist support is tracked in #230.

Go, npm, and crates.io use SEMVER, where enumerating versions is not a requirement. To evaluate them, one can use the defined events instead according to the evaluation algorithm.

In particular for Go, because every commit can be mapped to a pseudoversion, it's not really feasible to do so.

May we understand your use case for these a bit more?

[rtfpessoa]

My current use case was trying to insert all versions in a database and do a live join between active versions and the advisory versions.
With the ranges it becomes impossible to do that.

[donchkat]

I have a database I maintain which lists per package and it's CVE all the affected versions, and having the versions in GO and npm will make the work much easier.
Maybe you can bring the affected versions data from NVD, the CPE section has a list of affected versions in the specified range.
For example CVE-2023-0742 in NVD has a list of affected versions:

Of course it won't cover all the pseudoversions of GO but it's better than nothing.

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

[oliverchang]

We're moving away from enumeration for new ecosystems (see #2401), due to the difficulties we encountered in implementing this for Linux distros, as well as issues with freshness.