Re: Explicit listing of vulnerable versions

[Andrew Pollock]

Hey Martin!

I'm on my phone, so please excuse the brevity.

In a word: yes. See https://google.github.io/osv.dev/faq/#what-does-osvdev-do-to-the-records-it-imports for some further details.

Regards

Andrew

On Thu, 4 Apr 2024, 6:26 am Martin Prpič, <mpr...@redhat.com> wrote:

Hey Andrew,

Quick question, if I look at this vulnerability in OSV: https://api.osv.dev/v1/vulns/GHSA-f3jh-qvm4-mg39. It expands the information that is available in the GitHub advisory as `>= 5.8.0, < 5.8.11` to a full list of all versions between 5.8.0 to 5.8.10 (including). Does OSV resolve these versions by querying Maven Central for all existing versions and then pairs it down to the ones that fall within that range? Or is there some other data source where this data is present already?

Thanks!

--

Martin Prpič / Red Hat Product Security

[Martin Prpič]

Awesome! Exactly what I was looking for, thanks!

Martin