Change in affected versions for GHSA-5mg8-w23w-74h3 not picked up by OSV
For Maven package com.google.guava:guava, the affected version range was changed from <= 30.0 to <= 29.0 both on GHSA as well as on NVD, but OSV did not update the list of affected versions.
It seems the change is registered in the Last affected field, but not in the list of affected versions.
See the following references:
Top GitHub Comments
29.0 on its own does not exist for com.google.guava:guava. Instead, the available versions for this package are 29.0-android and 29.0-jre according to https://deps.dev/maven/com.google.guava%3Aguava. Both of these sort after 29.0 according to the Maven spec, so last_affected does not capture these. If these 29.0-* versions are intended to be included, we’ll need to suggest the change to GitHub’s advisory entry to include them.

@oliverchang Thanks for the clear explanation and the fix!
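The ordering argument in the comment above (29.0-android and 29.0-jre sorting after 29.0, so a last_affected of 29.0 misses them), as an added example that is neither OSV's nor Maven's own code: a compact Python model of Maven's ComparableVersion ordering with an OSV-style last_affected check. It assumes only the documented rules (numeric segments, the known qualifier table, unknown qualifiers sorting after the release, '-' opening a sub-list) and does not reproduce every corner case of the real implementation across Maven releases.

```python
# Added example (not Maven's or OSV's own code): a compact model of Maven's ComparableVersion ordering.
import re
from itertools import zip_longest

QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]  # Maven's known qualifiers, in order
ALIASES = {"ga": "", "final": "", "release": "", "cr": "rc"}

def _rank(q):
    q = ALIASES.get(q, q)  # known qualifiers rank by table position; unknown ones sort after all of them
    return (QUALIFIERS.index(q), "") if q in QUALIFIERS else (len(QUALIFIERS), q)

def parse(version):
    """'29.0-jre' -> [29, [(7, 'jre')]] and '29.0' -> [29] after Maven-style normalisation."""
    root = cur = []
    stack, prev = [], None
    for tok in re.findall(r"\d+|[a-z]+|[.-]", version.lower()):
        if tok in ".-" and prev in (None, ".", "-"):
            cur.append(0)  # empty segment counts as 0
        if tok == "-" or (tok not in ".-" and prev not in (None, ".", "-")):
            cur.append([]); stack.append(cur); cur = cur[-1]  # '-' or digit/letter switch opens a sub-list
        if tok not in ".-":
            cur.append(int(tok) if tok.isdigit() else _rank(tok))
        prev = tok
    for lst in [cur] + stack[::-1]:  # normalize innermost list first
        for i in range(len(lst) - 1, -1, -1):  # drop trailing nulls: 0, release qualifier, empty list
            if lst[i] in (0, [], _rank("")):
                del lst[i]
            elif not isinstance(lst[i], list):
                break
    return root

def _cmp(a, b):  # three-way compare of parsed items; None stands for Maven's missing item
    if isinstance(a, list):
        if b is None:
            return next((r for r in (_cmp(x, None) for x in a) if r), 0)
        if not isinstance(b, list):
            return -1 if isinstance(b, int) else 1  # number > sub-list > qualifier
        pairs = (_cmp(x, y) if x is not None else -_cmp(y, None) for x, y in zip_longest(a, b))
        return next((r for r in pairs if r), 0)
    if isinstance(a, int):
        b = 0 if b is None else b  # a missing number counts as 0
        return (a > b) - (a < b) if isinstance(b, int) else 1
    b = _rank("") if b is None else b  # a missing qualifier means the plain release
    return (a > b) - (a < b) if isinstance(b, tuple) else -1

def compare(v1, v2):
    return _cmp(parse(v1), parse(v2))  # negative, zero or positive, like Java's compareTo

def is_affected(version, last_affected):
    return compare(version, last_affected) <= 0  # OSV rule: affected when version <= last_affected
```

With this ordering, is_affected("29.0-android", "29.0") is False while is_affected("29.0-android", "29.0-jre") is True, which is why the advisory's bound has to name one of the 29.0-* versions if they are meant to be covered.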