Release v2024.12.04: fix(api): allow Alpine queries without a release number (#2946) · google/osv.dev

v2024.12.04
91a0125
Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Learn about vigilant mode
Compare

Choose a tag to compare

Loading

View all tags

v2024.12.04: fix(api): allow Alpine queries without a release number (#2946)

v2024.12.04
91a0125
Compare

Choose a tag to compare

Loading

View all tags
Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Learn about vigilant mode

hogo6002 tagged this 03 Dec 05:25

The [OSV spec](https://ossf.github.io/osv-schema/#affectedpackage-field)
requires Alpine packages to have a `:v<RELEASE-NUMBER>` suffix.
Currently, our API has inconsistencies regarding Alpine queries:
- It returns a 400 status code with the error message "Invalid
ecosystem" for all Alpine package/ecosystem queries without a release
number.
- However, for Alpine PURL queries (e.g. 
`pkg:apk/alpine/postgresql14?arch=source`), it returns all matching
vulnerabilities across all releases.

Also we recently switched our PURL query from PURL string matching to
package/ecosystem matching
(https://github.com/google/osv.dev/pull/2900). This change causes all
Alpine-related PURL API queries to fail because PURL string doesn't
contain any release info and the PURL spec doesn't define how to include
release numbers.

Since OSV-generated Alpine PURLs (e.g. 
`pkg:apk/alpine/postgresql14?arch=source`) don't contain release
numbers, we should allow Alpine queries without a release number for
consistency. This change would return all matching vulnerabilities
across different releases when no release number is specified.

Assets 2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly