Support Clojars for version enumeration #1226

Open
lkoskela opened this issue Apr 18, 2023 · 4 comments
Labels: backlog (Important but currently unprioritized), datasource (Requests for new data sources), documentation (Improvements or additions to documentation)

Comments

@lkoskela

It looks like GHSA-cp4w-6x4w-v2h5 is not recognized by the OSV API for this request:

curl -X POST -d \
  '{"version": "1.13.95", "package": {"name": "lambdaisland:uri", "ecosystem": "Maven"}}' \
  "https://api.osv.dev/v1/query"

The OSV database contains introduced/fixed metadata, so it seems like the above curl should yield (at least) GHSA-cp4w-6x4w-v2h5, but instead I get back an empty object.


@oliverchang
Collaborator

Thanks for the report!

It looks like "lambdaisland:uri" lives in the Clojars repository, which we do not index. We only index Maven Central packages for serving query responses.

I'll reword this issue to reflect this.

@oliverchang oliverchang changed the title Vulnerability GHSA-cp4w-6x4w-v2h5 in Clojure/Maven library lambdaisland/uri not recognized Support Clojars for version enumeration Apr 18, 2023
@andrewpollock andrewpollock added the datasource Requests for new data sources label Apr 19, 2023
@marton-cf

I've run into the exact same issue. It's very confusing that a vulnerability that shows up in the metadata index is not returned by the API.
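
Added example, not part of the thread or of OSV's own code: a client-side fallback for the case discussed above, where the query API returns an empty object although the record carries introduced/fixed events. The record contents, the placeholder id, the fixed version and the simplified dotted-numeric version ordering are all assumptions (real Maven ordering also handles qualifiers).

```python
# Added example. SAMPLE_RECORD is constructed; its fixed version is made up.
SAMPLE_RECORD = {
    "id": "GHSA-xxxx-xxxx-xxxx",  # placeholder id
    "affected": [{
        "package": {"ecosystem": "Maven", "name": "lambdaisland:uri"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "2.0.0"}]}],
        "versions": [],  # assumption: nothing enumerated for this package
    }],
}

def vkey(version):
    """Assumed ordering: dotted numeric versions only (no Maven qualifiers)."""
    return tuple(int(part) for part in version.split("."))

def range_affects(events, version):
    """Walk events in version order, toggling state as the OSV schema describes."""
    v, affected = vkey(version), False
    for event in sorted(events, key=lambda e: vkey(next(iter(e.values())))):
        if "introduced" in event and v >= vkey(event["introduced"]):
            affected = True
        elif "fixed" in event and v >= vkey(event["fixed"]):
            affected = False
        elif "last_affected" in event and v > vkey(event["last_affected"]):
            affected = False
    return affected

def affected_by(record, ecosystem, name, version):
    """True if any matching package entry lists or ranges over the version."""
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if (pkg.get("ecosystem"), pkg.get("name")) != (ecosystem, name):
            continue
        if version in aff.get("versions", []):
            return True
        if any(range_affects(r.get("events", []), version)
               for r in aff.get("ranges", []) if r.get("type") == "ECOSYSTEM"):
            return True
    return False

def triage(api_response, record, ecosystem, name, version):
    """An empty query response is not proof of 'clean': re-check the ranges."""
    if api_response.get("vulns"):
        return "reported-by-api"
    if affected_by(record, ecosystem, name, version):
        return "affected-per-ranges"
    return "no-match"

if __name__ == "__main__":
    print(triage({}, SAMPLE_RECORD, "Maven", "lambdaisland:uri", "1.13.95"))
```
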


This issue has not had any activity for 60 days and will be automatically closed in two weeks.

@github-actions github-actions bot added the stale The issue or PR is stale and pending automated closure label Jul 24, 2024
@andrewpollock andrewpollock added the documentation Improvements or additions to documentation label Jul 26, 2024
@github-actions github-actions bot removed the stale The issue or PR is stale and pending automated closure label Jul 30, 2024

This issue has not had any activity for 60 days and will be automatically closed in two weeks.

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

@github-actions github-actions bot added the stale The issue or PR is stale and pending automated closure label Sep 28, 2024
@oliverchang oliverchang added backlog Important but currently unprioritized and removed stale The issue or PR is stale and pending automated closure labels Sep 29, 2024