
npm vulnerabilities seem flagged as ecosystem yet looking at detail of ranges appear to be semver  #36

Closed
@MikeMoore63

Description


I have noticed recently that the npm vulnerability affected-range types changed from SEMVER to ECOSYSTEM, but the impacted versions are described as if SEMVER, using introduced and fixed, and no versions list is defined, which is what the spec suggests should be done.

I am looking at the spec here: https://ossf.github.io/osv-schema/#affectedrangestype-field

Any reason why this has changed, as it did used to be correct?

An example is GHSA-mf22-92pm-m8p8:

```json
"affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@awsui/components-react"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.367"
            }
          ]
        }
      ]
    }
  ],
```

On the `"type": "ECOSYSTEM"` line: should this be SEMVER? As the events below are in semver format?
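As an added example (not part of the issue or of the osv-schema project), a small lint that flags the mismatch described above: an npm `affected` entry whose range is typed ECOSYSTEM while its events are semver-shaped and no `versions` list is enumerated. The finding texts, the simplified semver regex and the sample advisory dict are this example's own assumptions; the sample is shaped like the entry quoted in the issue.

```python
import re
from typing import Any

# Constructed sample advisory, shaped like the affected entry quoted in the issue.
SAMPLE_ADVISORY: dict[str, Any] = {
    "id": "GHSA-mf22-92pm-m8p8",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "@awsui/components-react"},
        "ranges": [{
            "type": "ECOSYSTEM",
            "events": [{"introduced": "0"}, {"fixed": "3.0.367"}],
        }],
    }],
}

# Simplified semver 2.0.0 shape (major.minor.patch, optional pre-release/build).
# The bare "0" is accepted because OSV uses it as the "from the beginning" sentinel.
SEMVER_RE = re.compile(r"^(0|\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?)$")


def lint_affected(advisory: dict[str, Any]) -> list[str]:
    """Return one finding per range that looks mis-typed or incomplete (assumed rules)."""
    findings: list[str] = []
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        has_versions = bool(entry.get("versions"))
        for rng in entry.get("ranges", []):
            values = [v for ev in rng.get("events", []) for v in ev.values()]
            all_semver = bool(values) and all(SEMVER_RE.match(v) for v in values)
            if rng.get("type") != "ECOSYSTEM":
                continue
            where = f"{advisory.get('id', '?')}/{pkg.get('name', '?')}"
            if pkg.get("ecosystem") == "npm" and all_semver:
                findings.append(f"{where}: ECOSYSTEM range with semver events; type should be SEMVER")
            if not has_versions:
                findings.append(f"{where}: ECOSYSTEM range without an enumerated versions list")
    return findings


def _key(version: str) -> tuple[int, ...]:
    # Numeric core only (pre-release/build tags dropped); enough for the sample above.
    return tuple(int(p) for p in version.split("+")[0].split("-")[0].split("."))


def is_affected(version: str, rng: dict[str, Any]) -> bool:
    """Walk introduced/fixed events in order; assumes events are already sorted."""
    affected = False
    for ev in rng["events"]:
        if "introduced" in ev and _key(version) >= _key(ev["introduced"]):
            affected = True
        if "fixed" in ev and _key(version) >= _key(ev["fixed"]):
            affected = False
    return affected
```

The ordering check in `is_affected` is only meaningful when the range type is SEMVER, which is exactly why the type matters to a scanner.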
