Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rust package being reported on wrong crates.io entry due to package name reuse #2737

Closed
rhalar opened this issue Oct 15, 2024 · 5 comments
Closed
Labels
data quality Issues with data quality

Comments

@rhalar
Copy link

rhalar commented Oct 15, 2024

Describe the bug
I've erroneously reported this to
github/advisory-database#4902

but I think this is a more appropriate place for it. I'll copy the issue here:

So looking at https://osv.dev/vulnerability/GHSA-hw4v-5x4h-c3xm
it seems to point to a vulnerability in https://github.com/paritytech/frontier

However, when looking at
https://crates.io/crates/frontier

This does not seem to be the package in question, but rather
https://github.com/peterc-s/frontier

I have an older entry of the crates.io database dump, which does confirm that at one point pkg:crates.io/frontier did really point to the vulnerable package. It seems it has since been removed and the name claimed by a different author.
I'm not sure what the policy for this would be but I'm guessing it would potentially need to be withdrawn? In which case all of these display the same issue

GHSA-fcmm-54jp-7vf6
GHSA-v57h-6hmh-g2p4
GHSA-mjvm-mhgc-q4gp
GHSA-cjg2-2fjg-fph4
GHSA-vj62-g63v-f8mf
GHSA-hw4v-5x4h-c3xm

To Reproduce
N/A

Expected behaviour
I expect these would have to be withdrawn since the package is no longer available?

@michaelkedar
Copy link
Member

The description of some of these seem to refer to pallet-ethereum and pallet-evm, which both seem to come from that frontier repository.
I think the GHSA records need to be changed to point to the actual crates.

I have an older entry of the crates.io database dump, which does confirm that at one point pkg:crates.io/frontier did really point to the vulnerable package. It seems it has since been removed and the name claimed by a different author.

This seems very strange - the crates.io policies suggests that crates should practically never be deleted. I'm not sure how this happened.

@cuixq cuixq added the data quality Issues with data quality label Oct 15, 2024
Copy link

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

@rhalar
Copy link
Author

rhalar commented Oct 16, 2024

I also wasn't aware this is a possibility. The dump I am looking at dates to 2023-07-19. I have a couple more later ones from the same period but I haven't looked when the change happened.
The name is identical, but the crate ID is different though (215535 vs 1170076). And the older ID does not appear in newer dumps at all.

Interestingly enough, pallet-ethereum has 215536 as the ID.

@michaelkedar
Copy link
Member

Right now, I believe this issue is best resolved on the GHSA side.
The OSV records that GHSA are publishing use {"ecosystem": "crates.io", "name": "frontier"} as the affected package. Since the actual affected package isn't on crates.io (anymore), GHSA needs to correct the records.

In my opinion, they could do one (or both) of the following:

  • Change the affected packages to the corresponding pallet-* crates (that do exist) that the vulnerabilities actually impact.
  • Change the records to refer directly to the git repository, using GIT affected ranges.

I don't think we should mark them as withdrawn, since the vulnerabilities do still actually exist.

@rhalar If you could (re-)open the issue on GHSA (or directly submit the corrections for these records), that would be greatly appreciated.

As for the changing crates issue, there's not much on our end we can do about that. If an OSV record becomes no longer valid, it's mostly up to the source of the record to correct it.

@rhalar
Copy link
Author

rhalar commented Oct 24, 2024

@michaelkedar Thanks for the feedback. I'm not sure why I thought to open the issue here; I think I erroneously thought GHSA OSV entries were published by OSV instead of GHSA directly.

Reopening the issue there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
data quality Issues with data quality
Projects
None yet
Development

No branches or pull requests

3 participants