clarification around "= version" conversions

[oliverchang]

It looks like currently, GHSA entries with affected versions using the "= X" operator without a patched version (e.g. GHSA-wxhq-pm8v-cw75), get converted to:

      "ranges": [                                                                                                                                                                                                                          
        {                                                                                                                                                                                                                                  
          "type": "ECOSYSTEM",                                                                                                                                                                                                             
          "events": [                                                                                                                                                                                                                      
            {                                                                                                                                                                                                                              
              "introduced": "X"                                                                                                                                                                                                       
            }                                                                                                                                                                                                                              
          ]                                                                                                                                                                                                                                
        }                                                                                                                                                                                                                                  
      ],                                                                                                                                                                                                                                   
      "versions": [                                                                                                                                                                                                                        
        "X"                                                                                                                                                                                                                           
      ]              

(example)

According to the OSV spec, this actually implies all versions after and including X are affected, because there is no corresponding "fixed" to end the affected range.

Would it be possible to encode such cases as just:

      "versions": [                                                                                                                                                                                                                        
        "X"                                                                                                                                                                                                                           
      ]              

Without the erroneous "range"?

[chrisbloom7]

@oliverchang Ah, yes, good catch. I can open an internal issue to address that going forward.

[chrisbloom7]

@oliverchang We have a fix for this in progress now

[chrisbloom7]

@oliverchang Fix has been deployed and I've pushed updated OSV files for all affected advisories. The original you linked to doesn't qualify anymore because all of the unfixed vulnerabilities were withdrawn, but you can see an example of the change in this diff.

Will you please verify that this has resolved the issue? If so I'll close this out.

Affected GHSA IDs

Affected GHSA IDs
GHSA-2j5v-fc74-j9q2
GHSA-2q6w-rxf3-4wc9
GHSA-333g-rpr4-7hxq
GHSA-3x83-p476-vv95
GHSA-4g4c-8gqh-m4vm
GHSA-4v2c-g2xc-47fv
GHSA-5h5r-ffc4-c455
GHSA-5q54-8p9j-x74j
GHSA-5rqg-jm4f-cqx7
GHSA-5w9c-rv96-fr7g
GHSA-6fjr-m7v6-fpg9
GHSA-6qh5-wx38-q92g
GHSA-73qr-pfmq-6rp8
GHSA-7jfh-2xc9-ccv7
GHSA-8gr3-2gjw-jj7g
GHSA-8qm2-24qc-c4qg
GHSA-8rxg-9g6f-vq9p
GHSA-92px-q4w8-hrr5
GHSA-9hx9-w2j6-rw76
GHSA-9pv8-q5rx-c8gq
GHSA-9x64-5r7x-2q53
GHSA-c82c-8pjw-6829
GHSA-c8h6-89q2-mgv8
GHSA-c9rj-pgxv-84jc
GHSA-cpp2-q66x-fq44
GHSA-fwx5-5fqj-jv98
GHSA-g2q5-5433-rhrf
GHSA-g982-9r8g-6qxw
GHSA-gm68-g349-gxgg
GHSA-gp82-xr77-88f4
GHSA-hfc6-79wv-5hpw
GHSA-j49g-mp79-5vm5
GHSA-m25q-fwg4-9v2p
GHSA-m6wh-m8m8-6xx5
GHSA-mc9x-v9xg-25pm
GHSA-p59g-6cqr-m73w
GHSA-pcm6-g2qp-9gw8
GHSA-qmxf-fxq7-w59f
GHSA-rhgq-vv9x-j4p5
GHSA-rqp5-pg7w-832p
GHSA-vjcj-5g2r-vxqc
GHSA-vp8g-53fw-r9f2
GHSA-vqcm-7f7f-r539
GHSA-w7q9-xr2x-wh7x
GHSA-w8hg-mxvh-9h57
GHSA-wg6j-r28m-7293
GHSA-ww4j-c2rq-47q8
GHSA-x3g3-334f-q6h4
GHSA-x65c-4fgj-5fc3
GHSA-x9gm-qxhh-rf75
GHSA-xp5m-4c9f-498q

[oliverchang]

Looks great! Thanks a lot @chrisbloom7 for fixing this!!