-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rust package being reported on wrong crates.io entry due to package name reuse #2737
Comments
The description of some of these seem to refer to
This seems very strange - the crates.io policies suggests that crates should practically never be deleted. I'm not sure how this happened. |
✨ Thank you for your interest in OSV.dev's data quality! ✨ Please review our FAQ entry on how to most efficiently have this addressed. |
I also wasn't aware this is a possibility. The dump I am looking at dates to Interestingly enough, |
Right now, I believe this issue is best resolved on the GHSA side. In my opinion, they could do one (or both) of the following:
I don't think we should mark them as withdrawn, since the vulnerabilities do still actually exist. @rhalar If you could (re-)open the issue on GHSA (or directly submit the corrections for these records), that would be greatly appreciated. As for the changing crates issue, there's not much on our end we can do about that. If an OSV record becomes no longer valid, it's mostly up to the source of the record to correct it. |
@michaelkedar Thanks for the feedback. I'm not sure why I thought to open the issue here; I think I erroneously thought GHSA OSV entries were published by OSV instead of GHSA directly. Reopening the issue there. |
Describe the bug
I've erroneously reported this to
github/advisory-database#4902
but I think this is a more appropriate place for it. I'll copy the issue here:
So looking at https://osv.dev/vulnerability/GHSA-hw4v-5x4h-c3xm
it seems to point to a vulnerability in https://github.com/paritytech/frontier
However, when looking at
https://crates.io/crates/frontier
This does not seem to be the package in question, but rather
https://github.com/peterc-s/frontier
I have an older entry of the crates.io database dump, which does confirm that at one point pkg:crates.io/frontier did really point to the vulnerable package. It seems it has since been removed and the name claimed by a different author.
I'm not sure what the policy for this would be but I'm guessing it would potentially need to be withdrawn? In which case all of these display the same issue
GHSA-fcmm-54jp-7vf6
GHSA-v57h-6hmh-g2p4
GHSA-mjvm-mhgc-q4gp
GHSA-cjg2-2fjg-fph4
GHSA-vj62-g63v-f8mf
GHSA-hw4v-5x4h-c3xm
To Reproduce
N/A
Expected behaviour
I expect these would have to be withdrawn since the package is no longer available?
The text was updated successfully, but these errors were encountered: