v2025.02.18

@andrewpollock andrewpollock tagged this 17 Feb 05:12
This commit tightens up the repo validation to exclude repos that don't
have any usable tags, unless the reference URL is obviously a commit.

The primary benefit here is that useless repos don't cause CVEs to be
in-scope for attempting conversion that shouldn't, while not
disregarding CVEs that have a potential fix commit as a reference, but a
repo that is otherwise useless for version-to-commit mapping.

In other words, it improves the overall conversion metrics by firming up
the denominator some more.

Last staging run against 2025 NVD data:

```
nvdcve-2.0-2025.json Metrics: {TotalCVEs:2870 CVEsForApplications:205 CVEsForKnownRepos:420 OSVRecordsGenerated:188 Outcomes:map[]} 
```

Local regression test:

```
nvdcve-2.0-2025.json Metrics: {TotalCVEs:2876 CVEsForApplications:205 CVEsForKnownRepos:302 OSVRecordsGenerated:189 Outcomes:map[]}
```

This change reduces the CVEs in scope by 118, while increasing records
converted by 1. (There _are_ 6 more CVEs in the latest NVD snapshot)
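
The scoping rule described in the commit message above, sketched as an added example in Go; it is not the project's own code. What counts as a usable tag or an obvious commit URL, the function names and the example.com URLs are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Assumed heuristics (not taken from the project): a "usable" tag contains a
// dotted version number, and a URL is "obviously a commit" when its path has
// a /commit/ or /commits/ segment followed by a 7-40 character hex hash.
var (
	versionTag = regexp.MustCompile(`\d+\.\d+`)
	commitPath = regexp.MustCompile(`/commits?/[0-9a-fA-F]{7,40}(/|$)`)
)

// hasUsableTag reports whether any tag could anchor a version-to-commit mapping.
func hasUsableTag(tags []string) bool {
	for _, t := range tags {
		if versionTag.MatchString(strings.TrimSpace(t)) {
			return true
		}
	}
	return false
}

// isCommitURL reports whether a reference URL points at a single commit.
func isCommitURL(ref string) bool {
	u, err := url.Parse(ref)
	if err != nil || u.Host == "" {
		return false
	}
	return commitPath.MatchString(strings.TrimSuffix(u.Path, ".patch"))
}

// inScope applies the rule from the commit message: a repo without usable
// tags only keeps a CVE in scope when the reference itself is a commit.
func inScope(ref string, tags []string) bool {
	return hasUsableTag(tags) || isCommitURL(ref)
}

func main() {
	// Constructed sample inputs; example.com hosts are placeholders.
	fmt.Println(inScope("https://example.com/acme/lib", []string{"v1.2.3"}))
	fmt.Println(inScope("https://example.com/acme/lib", []string{"nightly"}))
	fmt.Println(inScope("https://example.com/acme/lib/commit/0123abc4", nil))
}
```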