Description
I came across the guava vulnerability GHSA-5mg8-w23w-74h3 for which GHSA declares the affected version range as <= 29.0.
In OSV however, this is represented as:
"ranges": [
    {
        "type": "ECOSYSTEM",
        "events": [
            {
                "introduced": "0"
            }
        ]
    }
],
"database_specific": {
    "last_known_affected_version_range": "<= 29.0"
}Given the constraint <= 29.0, I would've expected the following:
"ranges": [
    {
        "type": "ECOSYSTEM",
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "29.0"
            }
        ]
    }
]The current situation makes automated processing unnecessarily hard. If I rely on the ECOSYSTEM range, I'll trigger lots of false positives due to it indicating a >0 constraint. database_specific is not intended to influence vulnerability evaluation according to the spec. This is also visible when inspecting the (auto-generated) Affected versions section on OSV's website: https://osv.dev/vulnerability/GHSA-5mg8-w23w-74h3
At the moment, there are about 1990 advisories affected by this:
```shell
$ rg -l '"last_known_affected_version_range"' advisory-database | wc -l
1990
```

google/osv.dev#474 (comment) already hinted that GHSA currently does not support the `limit` or `last_affected` events. Is it planned to be addressed anytime soon?
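To make the false-positive effect concrete, here is an added evaluator that applies the OSV event semantics (`introduced` opens an interval, `fixed`/`limit` close it exclusively, `last_affected` closes it inclusively) to the two entries quoted above. This is example code written for this issue, not code from the original post, from the advisory-database repository or from osv.dev. It assumes a simplified dotted-numeric version comparison (real Maven ordering with qualifiers is more involved); the two entries are constructed from the JSON snippets in the issue, and the third entry using a `fixed` event is purely hypothetical, included only to contrast half-open and inclusive upper bounds. `database_specific` is read by none of the functions, in line with the spec.

```python
"""Evaluate an OSV "affected" entry against a concrete version.

Added example for this issue; not code from the original post, the
advisory-database repository or osv.dev. Assumptions: versions compare as
dotted numeric tuples (a simplification of Maven ordering), and the JSON
entries below are constructed from the snippets quoted in the issue.
"""
import json


def parse_version(v):
    """Split "29.0" into (29, 0). OSV uses "0" as the sentinel for "from the first version".

    Assumption: only dotted-numeric versions are handled; qualifiers such as
    -rc1 or -jre are out of scope for this illustration.
    """
    return tuple(int(part) for part in v.split("."))


def affected_intervals(rng):
    """Turn one OSV range's event list into (lo, hi, hi_inclusive) intervals.

    "introduced" opens an interval, "fixed" closes it exclusively,
    "last_affected" closes it inclusively, "limit" caps it exclusively.
    An "introduced" that is never closed yields hi=None (open-ended), which
    is exactly the shape the issue complains about.
    """
    intervals = []
    lo = None
    for event in rng["events"]:
        if "introduced" in event:
            if lo is not None:  # previous interval was never closed
                intervals.append((lo, None, False))
            lo = parse_version(event["introduced"])
            continue
        start = lo if lo is not None else parse_version("0")
        if "fixed" in event:
            intervals.append((start, parse_version(event["fixed"]), False))
            lo = None
        elif "last_affected" in event:
            intervals.append((start, parse_version(event["last_affected"]), True))
            lo = None
        elif "limit" in event:
            intervals.append((start, parse_version(event["limit"]), False))
            lo = None
    if lo is not None:
        intervals.append((lo, None, False))
    return intervals


def is_affected(affected, version):
    """True if `version` falls inside any ECOSYSTEM/SEMVER range of the entry.

    database_specific is deliberately ignored: per the OSV schema it is
    free-form data and must not drive the affected decision.
    """
    v = parse_version(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need a commit graph, not a version compare
        for lo, hi, inclusive in affected_intervals(rng):
            if v < lo:
                continue
            if hi is None or v < hi or (inclusive and v == hi):
                return True
    return False


# Constructed from the two snippets in the issue (not fetched from OSV).
CURRENT_ENTRY = json.loads("""{
  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
  "database_specific": {"last_known_affected_version_range": "<= 29.0"}
}""")

EXPECTED_ENTRY = json.loads("""{
  "ranges": [{"type": "ECOSYSTEM",
              "events": [{"introduced": "0"}, {"last_affected": "29.0"}]}]
}""")

# Hypothetical entry using a "fixed" event (exclusive upper bound), included
# only to contrast with the inclusive "last_affected"; not a real fix version.
FIXED_ENTRY = {"ranges": [{"type": "ECOSYSTEM",
                           "events": [{"introduced": "0"}, {"fixed": "30.0"}]}]}


def compare_entries(version):
    """Return the verdict each representation gives for `version`."""
    return {
        "current": is_affected(CURRENT_ENTRY, version),
        "expected": is_affected(EXPECTED_ENTRY, version),
        "fixed": is_affected(FIXED_ENTRY, version),
    }


if __name__ == "__main__":
    for ver in ("28.2", "29.0", "29.1", "30.0"):
        print(ver, compare_entries(ver))
```

Running it shows the problem directly: with the entry as currently published, 30.0 is reported as affected (the `introduced: "0"` interval is never closed), whereas the entry with `last_affected: "29.0"` stops at 29.0 inclusive and the hypothetical `fixed: "30.0"` variant stops just below 30.0.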