
@Churro
Last active June 15, 2023 23:13
OSV vulnerabilities with invalid semver version
{"id":"GHSA-jq65-29v4-4x35","summary":"Null pointer deference in openssl-src ","details":"Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).","aliases":["CVE-2020-1967"],"modified":"2021-08-19T21:21:21Z","published":"2021-08-25T20:45:15Z","database_specific":{"nvd_published_at":"2020-04-21T14:15:00Z","cwe_ids":["CWE-476"],"severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2021-08-19T21:21:21Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1967"},{"type":"WEB","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1"},{"type":"WEB","url":"https://github.com/irsl/CVE-2020-1967"},{"type":"WEB","url":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2020-0015.html"},{"type":"WEB","url":"https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202004-10"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20200424-0003/"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20200717-0004/"},{"type":"WEB","url":"https://www.debian.org/security/2020/dsa-4661"},{"type":"WEB","url":"https://www.openssl.org/news/secadv/20200421.txt"},{"type":"WEB","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"WEB","url":"https://www.synology.com/security/advisory/Synology_SA_20_05"},{"type":"WEB","url":"https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL"},{"type":"WEB","url":"https://www.tenable.com/security/tns-2020-03"},{"type":"WEB","url":"https://www.tenable.com/security/tns-2020-04"},{"type":"WEB","url":"https://www.tenable.com/security/tns-2020-11"},{"type":"WEB","url":"https://www.tenable.com/security/tns-2021-10"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html"},{"type":"WEB","url":"http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2020/May/5"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2020/04/22/2"}],"affected":[{"package":{"name":"openssl-src","ecosystem":"crates.io","purl":"pkg:cargo/openssl-src"},"ranges":[{"type":"SEMVER","events":[{"introduced":"111.6"},{"fixed":"111.9.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-jq65-29v4-4x35/GHSA-jq65-29v4-4x35.json"}}],"schema_version":"1.4.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"_id":"6Bah91LkX3xEt9RG"}
{"id":"GHSA-f7ff-xf87-f22q","summary":"Arbitrary command execution in Minidoc","details":"An arbitrary file upload vulnerability in Mindoc v2.1-beta.5 allows attackers to execute arbitrary commands via a crafted Zip file.","aliases":["CVE-2022-29637"],"modified":"2022-06-09T22:54:48Z","published":"2022-05-27T00:00:29Z","database_specific":{"nvd_published_at":"2022-05-26T20:15:00Z","github_reviewed_at":"2022-06-03T18:39:00Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-434"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29637"},{"type":"WEB","url":"https://github.com/mindoc-org/mindoc/issues/788"},{"type":"PACKAGE","url":"github.com/mindoc-org/mindoc"}],"affected":[{"package":{"name":"github.com/mindoc-org/mindoc","ecosystem":"Go","purl":"pkg:golang/github.com/mindoc-org/mindoc"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"last_affected":"2.1-beta.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f7ff-xf87-f22q/GHSA-f7ff-xf87-f22q.json"}}],"schema_version":"1.4.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"_id":"mfC6VPwj4HtkoSXU"}
{"id":"GHSA-jm34-xm8m-w958","summary":"Open Redirect in oauth2_proxy","details":"The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819","aliases":["CVE-2017-1000070"],"modified":"2021-05-19T22:31:56Z","published":"2021-12-20T18:04:40Z","database_specific":{"nvd_published_at":null,"github_reviewed_at":"2021-05-19T22:31:56Z","severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-601"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000070"},{"type":"WEB","url":"https://github.com/bitly/oauth2_proxy/issues/228"},{"type":"WEB","url":"https://github.com/bitly/oauth2_proxy/pull/359"},{"type":"WEB","url":"https://github.com/bitly/oauth2_proxy/commit/289a6ccf463a425c7606178c510fc5eeb9c8b050"},{"type":"WEB","url":"https://tools.ietf.org/html/rfc6819#section-5.2.3.5"},{"type":"WEB","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000070"}],"affected":[{"package":{"name":"github.com/bitly/oauth2_proxy","ecosystem":"Go","purl":"pkg:golang/github.com/bitly/oauth2_proxy"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-jm34-xm8m-w958/GHSA-jm34-xm8m-w958.json"}}],"schema_version":"1.4.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"_id":"y8LUE5QhJMUoF7p0"}
{"id":"GHSA-mwwc-3jv2-62j3","summary":"AdGuardHome vulnerable to Cross-Site Request Forgery","details":"In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifying the custom filtering rules.\n\nThe file that contains the vulnerable code is no longer present as of v0.108.0-b.16.","aliases":["CVE-2022-32175"],"modified":"2022-10-13T18:05:31Z","published":"2022-10-11T19:00:29Z","database_specific":{"nvd_published_at":"2022-10-11T15:15:00Z","github_reviewed_at":"2022-10-11T21:25:02Z","severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-352"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32175"},{"type":"PACKAGE","url":"https://github.com/AdguardTeam/AdGuardHome"},{"type":"WEB","url":"https://github.com/AdguardTeam/AdGuardHome/blob/v0.108.0-b.13/internal/home/controlfiltering.go#L265"},{"type":"WEB","url":"https://github.com/AdguardTeam/AdGuardHome/blob/v0.108.0-b.15/internal/home/controlfiltering.go"},{"type":"WEB","url":"https://github.com/AdguardTeam/AdGuardHome/blob/v0.108.0-b.16/internal/home/controlfiltering.go"},{"type":"WEB","url":"https://www.mend.io/vulnerability-database/CVE-2022-32175"}],"affected":[{"package":{"name":"github.com/AdguardTeam/AdGuardHome","ecosystem":"Go","purl":"pkg:golang/github.com/AdguardTeam/AdGuardHome"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.95"},{"fixed":"0.108.0-b.16"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-mwwc-3jv2-62j3/GHSA-mwwc-3jv2-62j3.json"}}],"schema_version":"1.4.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"_id":"Gw5XvQau08CHSfcl"}
{"id":"GHSA-q76q-q8hw-hmpw","summary":"Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs","details":"### Impact\nHarbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs - API call\n\n  GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}/tasks/{task_id}/logs\n\nBy sending a request that attempts to read P2P preheat execution logs and specifying different job ids, malicious authenticatedusers could read all the job logs stored in the Harbor database.\n\n### Patches\nThis and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.\n\n### Workarounds\nThere are no workarounds available.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Harbor GitHub repository](https://github.com/goharbor/harbor)\n\n### Credits\nThanks to [Gal Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye Security](https://www.oxeye.io/) for reporting this issue.\n","aliases":["CVE-2022-31671"],"modified":"2022-09-09T19:47:03Z","published":"2022-09-09T19:47:03Z","database_specific":{"nvd_published_at":null,"github_reviewed_at":"2022-09-09T19:47:03Z","severity":"MODERATE","github_reviewed":true,"cwe_ids":[]},"references":[{"type":"WEB","url":"https://github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw"},{"type":"PACKAGE","url":"https://github.com/goharbor/harbor"}],"affected":[{"package":{"name":"github.com/goharbor/harbor","ecosystem":"Go","purl":"pkg:golang/github.com/goharbor/harbor"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.0"},{"fixed":"1.10.13"}]}],"database_specific":{"last_known_affected_version_range":"<= 1.10.12","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-q76q-q8hw-hmpw/GHSA-q76q-q8hw-hmpw.json"}},{"package":{"name":"github.com/goharbor/harbor","ecosystem":"Go","purl":"pkg:golang/github.com/goharbor/harbor"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0"},{"fixed":"2.4.3"}]}],"database_specific":{"last_known_affected_version_range":"<= 2.4.2","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-q76q-q8hw-hmpw/GHSA-q76q-q8hw-hmpw.json"}},{"package":{"name":"github.com/goharbor/harbor","ecosystem":"Go","purl":"pkg:golang/github.com/goharbor/harbor"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.5"},{"fixed":"2.5.2"}]}],"database_specific":{"last_known_affected_version_range":"<= 2.5.1","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-q76q-q8hw-hmpw/GHSA-q76q-q8hw-hmpw.json"}}],"schema_version":"1.4.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}],"_id":"jm9PU2IzRrPPexsV"}
{"id":"GHSA-qrrc-ww9x-r43g","summary":"Improper Input Validation in Docker Engine","details":"An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.","aliases":["CVE-2020-13401"],"modified":"2023-03-02T20:00:40Z","published":"2022-02-15T01:57:18Z","database_specific":{"nvd_published_at":"2020-06-02T14:15:00Z","github_reviewed_at":"2021-05-14T16:27:26Z","severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-20"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13401"},{"type":"WEB","url":"https://docs.docker.com/engine/release-notes/"},{"type":"WEB","url":"https://github.com/docker/docker-ce/releases/tag/v19.03.11"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DN4JQAOXBE3XUNK3FD423LHE3K74EMJT/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZLKRCOJMOGUIJI2AS27BOZS3RBEF3K/"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202008-15"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20200717-0002/"},{"type":"WEB","url":"https://www.debian.org/security/2020/dsa-4716"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00040.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2020/06/01/5"}],"affected":[{"package":{"name":"github.com/docker/docker-ce","ecosystem":"Go","purl":"pkg:golang/github.com/docker/docker-ce"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"19.03.11"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-qrrc-ww9x-r43g/GHSA-qrrc-ww9x-r43g.json"}}],"schema_version":"1.4.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L"}],"_id":"m3sTZ1CLtZOdQmw9"}
{"id":"GHSA-rrm8-32g4-w8m3","summary":"Cross-site Request Forgery (CSRF)","details":"CSRF in Bitly oauth2_proxy 2.1 during authentication flow","aliases":["CVE-2017-1000069"],"modified":"2021-05-12T18:30:22Z","published":"2021-12-20T18:04:46Z","database_specific":{"nvd_published_at":null,"github_reviewed_at":"2021-05-12T18:30:22Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-352"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000069"},{"type":"WEB","url":"https://github.com/bitly/oauth2_proxy/pull/360"},{"type":"WEB","url":"https://github.com/bitly/oauth2_proxy/commit/55085d9697962668fd4e43e8e4644144fe83cd93"},{"type":"WEB","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000069"}],"affected":[{"package":{"name":"github.com/bitly/oauth2_proxy","ecosystem":"Go","purl":"pkg:golang/github.com/bitly/oauth2_proxy"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-rrm8-32g4-w8m3/GHSA-rrm8-32g4-w8m3.json"}}],"schema_version":"1.4.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"_id":"BKH0TwBBFqjLJxoH"}
{"id":"GHSA-vfrj-fv6p-3cpf","summary":"Brook's tproxy server is vulnerable to a drive-by command injection.","details":"The `tproxy` server is vulnerable to a drive-by command injection. An attacker may fool a victim into visiting a malicious web page which will trigger requests to the local `tproxy` service leading to remote code execution.","aliases":["CVE-2023-33965"],"modified":"2023-06-06T01:38:11Z","published":"2023-06-06T01:38:11Z","database_specific":{"nvd_published_at":null,"cwe_ids":["CWE-78"],"severity":"CRITICAL","github_reviewed":true,"github_reviewed_at":"2023-06-06T01:38:11Z"},"references":[{"type":"WEB","url":"https://github.com/txthinking/brook/security/advisories/GHSA-vfrj-fv6p-3cpf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33965"},{"type":"WEB","url":"https://github.com/txthinking/brook/commit/314d7070c37babf6c38a0fe1eada872bb74bf03e"},{"type":"PACKAGE","url":"https://github.com/txthinking/brook"}],"affected":[{"package":{"name":"github.com/txthinking/brook","ecosystem":"Go","purl":"pkg:golang/github.com/txthinking/brook"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"20230606"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-vfrj-fv6p-3cpf/GHSA-vfrj-fv6p-3cpf.json"}}],"schema_version":"1.4.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"_id":"d8VGUJtBPVgdJZ72"}
{"id":"GHSA-vrmr-f2qh-3hhf","summary":"Improper use of cryptographic key in wal-g","details":"WAL-G before 1.1, when a non-libsodium build (e.g., one of the official binary releases published as GitHub Releases) is used, silently ignores the libsodium encryption key and uploads cleartext backups. This is arguably a Principle of Least Surprise violation because \"the user likely wanted to encrypt all file activity.\"","aliases":["CVE-2021-38599"],"modified":"2021-08-30T17:30:36Z","published":"2021-09-02T17:17:16Z","database_specific":{"nvd_published_at":"2021-08-12T16:15:00Z","github_reviewed_at":"2021-08-30T17:30:36Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-922"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38599"},{"type":"WEB","url":"https://github.com/wal-g/wal-g/pull/1062"},{"type":"WEB","url":"https://github.com/wal-g/wal-g/commit/cadf598e1c2a345915a21a44518c5a4d5401e2e3"},{"type":"PACKAGE","url":"https://github.com/wal-g/wal-g"},{"type":"WEB","url":"https://github.com/wal-g/wal-g/releases/tag/v1.1"}],"affected":[{"package":{"name":"github.com/wal-g/wal-g","ecosystem":"Go","purl":"pkg:golang/github.com/wal-g/wal-g"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-vrmr-f2qh-3hhf/GHSA-vrmr-f2qh-3hhf.json"}}],"schema_version":"1.4.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"_id":"Z5j67QMc9jWHtUuB"}
@andrewpollock

Hi, thanks for pulling this together. I've been having some side conversations with the GHSA folks about this, and was just spot checking things to try and determine if it's possible to suggest fixes to these records, or if we're dependent on GitHub fixing them directly.

I looked at GHSA-3wx7-46ch-7rq2 in the crates.io.json file, and I couldn't see anything obviously wrong with the ranges in there?

{
  "type": "SEMVER",
  "events": [
    {
      "introduced": "0"
    },
    {
      "fixed": "111.22"
    }
  ]
}
{
  "type": "SEMVER",
  "events": [
    {
      "introduced": "300.0.0"
    },
    {
      "fixed": "300.0.9"
    }
  ]
}
{
  "type": "SEMVER",
  "events": [
    {
      "introduced": "0"
    },
    {
      "fixed": "111.16"
    }
  ]
}

Can you elaborate on what the problem is with that record? I fed a couple of versions into https://jubianchi.github.io/semver-check/ and assuming I'm driving it correctly, things checked out.

@Churro

Churro commented Mar 28, 2023

Hi Andrew, thanks for following up on this! As far as I see, 111.16 is the culprit, since it lacks a patch version. I also see it missing on https://jubianchi.github.io/semver-check/#/version/111.16
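The point the two comments above turn on is what counts as a valid SemVer string inside an OSV `SEMVER` range: `111.16` has no patch component, so it is not SemVer 2.0.0 even though it looks version-like. The following Python checker is an added example, not code from this gist or from the OSV project. It scans newline-delimited OSV records like the ones at the top of this page and reports every `SEMVER` range event whose version does not match the SemVer 2.0.0 grammar published on semver.org. It assumes the OSV convention that `"introduced": "0"` means "from the first version" and accepts that literal; all other versions must be full `MAJOR.MINOR.PATCH` strings. The sample records are constructed and trimmed to the fields the checker reads: ids and versions are taken from this page, the package name for GHSA-3wx7-46ch-7rq2 is a placeholder because the thread does not name it, and `EXAMPLE-CLEAN` is made up to show that a conforming record produces no finding.

```python
import json
import re

# SemVer 2.0.0 grammar as published on semver.org: MAJOR.MINOR.PATCH with
# optional -prerelease and +build, and no leading zeros in numeric identifiers.
SEMVER_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+(?P<build>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)


def is_semver(version: str) -> bool:
    """True if `version` is a valid SemVer 2.0.0 string (e.g. 111.9.0, 0.108.0-b.16)."""
    return SEMVER_RE.match(version) is not None


def invalid_semver_events(record: dict) -> list:
    """Return (package name, event kind, version) for every event in a SEMVER
    range of one OSV record whose version is not valid SemVer.

    Assumption: OSV uses "introduced": "0" to mean "from the very first
    version", so that literal is accepted even though "0" alone is not SemVer.
    """
    findings = []
    for affected in record.get("affected", []):
        name = affected.get("package", {}).get("name", "<unknown>")
        for rng in affected.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue  # ECOSYSTEM and GIT ranges follow other version rules
            for event in rng.get("events", []):
                for kind, version in event.items():
                    if kind == "introduced" and version == "0":
                        continue
                    if not is_semver(version):
                        findings.append((name, kind, version))
    return findings


def scan_jsonl(text: str) -> dict:
    """Scan newline-delimited OSV records and map advisory id -> findings.
    Records with no invalid event are omitted from the result."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        findings = invalid_semver_events(record)
        if findings:
            report[record["id"]] = findings
    return report


def format_report(report: dict) -> list:
    """One human-readable line per finding, sorted by advisory id."""
    return [
        f"{advisory}: {name} {kind}={version} is not valid SemVer"
        for advisory, findings in sorted(report.items())
        for name, kind, version in findings
    ]


# Constructed sample input, trimmed to the fields the checker reads. Ids and
# versions of the GHSA records come from this gist; PLACEHOLDER-CRATE stands in
# for a package name the thread does not give; EXAMPLE-CLEAN is made up.
SAMPLE = """
{"id":"GHSA-jq65-29v4-4x35","affected":[{"package":{"name":"openssl-src","ecosystem":"crates.io"},"ranges":[{"type":"SEMVER","events":[{"introduced":"111.6"},{"fixed":"111.9.0"}]}]}]}
{"id":"GHSA-mwwc-3jv2-62j3","affected":[{"package":{"name":"github.com/AdguardTeam/AdGuardHome","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.95"},{"fixed":"0.108.0-b.16"}]}]}]}
{"id":"GHSA-3wx7-46ch-7rq2","affected":[{"package":{"name":"PLACEHOLDER-CRATE","ecosystem":"crates.io"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"111.22"}]},{"type":"SEMVER","events":[{"introduced":"300.0.0"},{"fixed":"300.0.9"}]},{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"111.16"}]}]}]}
{"id":"EXAMPLE-CLEAN","affected":[{"package":{"name":"example/clean","ecosystem":"npm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.3"}]}]}]}
"""

if __name__ == "__main__":
    for line in format_report(scan_jsonl(SAMPLE)):
        print(line)
```

Pointing `scan_jsonl` at a full OSV export (one record per line) gives a list that can be worked through advisory by advisory; because the grammar is the strict one, two-component versions such as `1.0` or `2.2` and date-style versions such as `20230606` are reported as well as `111.16`, while prerelease forms like `0.108.0-b.16` pass.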

@andrewpollock

> Hi Andrew, thanks for following up on this! As far as I see, 111.16 is the culprit, since it lacks a patch version. I also see it missing on https://jubianchi.github.io/semver-check/#/version/111.16

Got it, I think I prematurely zeroed in on the green and thought it was okay (assuming the patch version must be treated as optional) but you're right.

So based on this, I think we can directly suggest fixes to the records, e.g. via https://github.com/advisories/GHSA-3wx7-46ch-7rq2/improve

I'm up for chipping away at this; are you interested in dividing and conquering? I might be able to mobilise the rest of the OSV team to have a fixit session as well. I don't think we need to centralise the problem directly with GitHub and block on them...

@Churro

Churro commented Mar 29, 2023

Sounds good to me. I've now submitted improvement PRs for all advisories in the npm ecosystem. I'd continue with Go from either the top or the bottom, but will probably find no time for that before Friday this week.

@andrewpollock

Nice work! I've set aside some time with my colleagues on our Monday afternoon (Australia time) to collectively go through the list as well, so keep me posted on how many more you get through between now and then so we don't wind up doing double duty.

@andrewpollock

We've gone through all of the crates.io ones successfully. There are a few of the Go ones that are... not semver-compliant in their upstream sources. We're going to have to figure out a more durable solution here.

@Churro

Churro commented Apr 3, 2023

Thanks for the update. I have a few Go-related updates pending:

@andrewpollock

@Churro this popped into my head again today, are you able to recheck the current state of things, out of interest?

@Churro

Churro commented Jun 15, 2023

Sure. I've updated the initial list with invalid semver findings as of today.
