Hey folks,
There's been a number of issues raised recently, like google/osv.dev#5574, google/osv.dev#5578, #331 (comment), #343 related to the Git commit ranges in PYSEC records.
These records are generated from an outdated NVD parsing logic that hasn't really been well cared for while I've been updating the logic of our CVE ingestion to handle CVE5 logic.
I believe there is a case for dropping the generation of GIT ranges in PYSEC records entirely - PYSEC generally is scoped to cover the PyPi ecosystem and effort is likely better spent on the versioning aspects than remediating fiddly logic for commit ranges that aren't all that useful unless you compute all the commits in between. OSV is already converting the same records with GIT ranges, so it seems somewhat redundant to also publish them in PYSEC records (unless people are exclusively pulling from only PYSEC data for Git data?)
Let me know your thoughts on this :)
Hey folks,
There's been a number of issues raised recently, like google/osv.dev#5574, google/osv.dev#5578, #331 (comment), #343 related to the Git commit ranges in PYSEC records.
These records are generated from an outdated NVD parsing logic that hasn't really been well cared for while I've been updating the logic of our CVE ingestion to handle CVE5 logic.
I believe there is a case for dropping the generation of GIT ranges in PYSEC records entirely - PYSEC generally is scoped to cover the PyPi ecosystem and effort is likely better spent on the versioning aspects than remediating fiddly logic for commit ranges that aren't all that useful unless you compute all the commits in between. OSV is already converting the same records with GIT ranges, so it seems somewhat redundant to also publish them in PYSEC records (unless people are exclusively pulling from only PYSEC data for Git data?)
Let me know your thoughts on this :)