bug(ghsa): trivy-db incorrectly updates VulnerableVersions from last_known_affected_version_range #529

Closed
@DmitriyLewen

Description

Trivy-db updates VulnerableVersions only from the first last_known_affected_version_range.
So for this case (https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-75v8-2h7p-7m2m/GHSA-75v8-2h7p-7m2m.json) trivy-db doesn't add `< 2.1.3`:

```json
"affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "formidable"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "3.1.1-canary.20211030"
            },
            {
              "fixed": "3.5.3"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "formidable"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "2.1.0"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "< 2.1.3"
      }
    }
]
```

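For reference, an added Go example (not trivy-db's own code) that derives one vulnerable-version constraint per affected range, taking each entry's own `last_known_affected_version_range` as the upper bound when that entry's events carry no `fixed` version; the `Advisory` types and the compacted sample are assumptions built from the excerpt above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the OSV/GHSA advisory schema this example needs.
type Advisory struct {
	Affected []struct {
		Ranges           []struct{ Events []map[string]string `json:"events"` } `json:"ranges"`
		DatabaseSpecific map[string]any                                        `json:"database_specific"`
	} `json:"affected"`
}

// VulnerableVersions returns one constraint per affected range. Each entry's own
// last_known_affected_version_range bounds only its own ranges that lack "fixed".
func VulnerableVersions(raw []byte) ([]string, error) {
	var adv Advisory
	if err := json.Unmarshal(raw, &adv); err != nil {
		return nil, err
	}
	var out []string
	for _, a := range adv.Affected {
		hint, _ := a.DatabaseSpecific["last_known_affected_version_range"].(string)
		for _, r := range a.Ranges {
			parts, fixed := []string{}, false
			for _, e := range r.Events {
				if v := e["introduced"]; v != "" && v != "0" { // "0" means every version
					parts = append(parts, ">="+v)
				}
				if v := e["fixed"]; v != "" {
					parts, fixed = append(parts, "<"+v), true
				}
			}
			if !fixed && hint != "" { // the hint supplies the missing upper bound
				parts = append(parts, strings.ReplaceAll(hint, " ", ""))
			}
			out = append(out, strings.Join(parts, ", "))
		}
	}
	return out, nil
}

// Constructed: the two affected entries quoted above, compacted to one string.
const sample = `{"affected":[{"ranges":[{"events":[{"introduced":"3.1.1-canary.20211030"},{"fixed":"3.5.3"}]}]},` +
	`{"ranges":[{"events":[{"introduced":"2.1.0"}]}],"database_specific":{"last_known_affected_version_range":"< 2.1.3"}}]}`

func main() { fmt.Println(VulnerableVersions([]byte(sample))) }
```

Running it yields two constraints, `>=3.1.1-canary.20211030, <3.5.3` and `>=2.1.0, <2.1.3`, so the second entry's `< 2.1.3` bound is no longer dropped.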