fwiw I asked GitHub about this a while ago when I was looking to support GHA in my CLI and the scanner (which I'll get back to one day 😅), and they said they expect them to be semver on their end
the originating records declaring their ranges as ECOSYSTEM not SEMVER (but if they get changed, that might make the first challenge less of a barrier)
If I recall correctly from "Non-SemVer compliant versioning in OSV records" (bitnami/vulndb#336), changing OSV.dev's expectation overrides the range type, which would then not require any record changes at the source, but then takes us back to my first point here 😃
Is your feature request related to a problem? Please describe.
There are 16 entries for ecosystem: GitHub Actions currently in the database (https://osv.dev/list?ecosystem=GitHub+Actions&q=). All entries provide semver-compatible entries.
I know https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q exists.
I know https://github.com/rlespinasse/github-slug-action/releases/tag/1.0.0 exists, and is affected by the vulnerability.
But I can't query to match the two:
$ curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "version":"1.0.0"}' https://api.osv.dev/v1/query
Describe the solution you'd like
Treat the GitHub Actions ecosystem as (best effort?) SemVer: osv.dev/osv/ecosystems/_ecosystems.py, line 51 in 46c25da
Describe alternatives you've considered
Querying by the commit referenced by the 1.0.0 tag: curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "commit":"9671420482a6e4c59c06f2d2d9e0605e941b1287"}' https://api.osv.dev/v1/query
This returns https://osv.dev/vulnerability/GHSA-6q4m-7476-932w, which I don't think impacts 1.0.0, and does not return https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q, which I think does.
I mostly don't understand the implications of this change. Actions may be referred to by commit, tag (i.e. where semver would appear) or branch.
Additional context
The official versioning scheme for Actions is here: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses
Semver is implied/encouraged, but not enforced.
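An added example (not OSV.dev's code and not from the issue) of the best-effort SemVer treatment requested above: it normalises Actions refs such as v1, v2.3 or 1.0.0 to a comparable triple, evaluates OSV-style introduced/fixed ranges, and refuses to version-match refs that are commit SHAs or branch names, which must go through a git-range lookup instead. The action range values are constructed placeholders, not taken from any real advisory.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical helper added for illustration; not OSV.dev's own comparator.
_VER_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?$")

def parse_best_effort(ref: str) -> Optional[Tuple[int, int, int]]:
    """Normalise an Actions ref ('v1', 'v2.3', '1.0.0', 'v1.2.3-rc1') to
    (major, minor, patch); missing parts default to 0, pre-release suffixes
    are ignored. Commit SHAs and branch names return None: they carry no
    version and can only be matched by git range (the commit query above)."""
    ref = ref.strip()
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return None
    m = _VER_RE.match(ref)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())

def is_affected(ref: str, ranges: List[dict]) -> Optional[bool]:
    """Evaluate OSV-style ranges (events of introduced/fixed/last_affected)
    against a ref, treating ECOSYSTEM ranges as best-effort SemVer.
    Returns None when the ref is not a version."""
    v = parse_best_effort(ref)
    if v is None:
        return None
    for rng in ranges:
        if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
            continue  # GIT ranges need a commit lookup, not version comparison
        lo = None
        for ev in rng.get("events", []):
            if "introduced" in ev:
                lo = parse_best_effort(ev["introduced"]) or (0, 0, 0)
            elif lo is not None and "fixed" in ev:
                hi = parse_best_effort(ev["fixed"])
                if hi and lo <= v < hi:
                    return True
                lo = None
            elif lo is not None and "last_affected" in ev:
                hi = parse_best_effort(ev["last_affected"])
                if hi and lo <= v <= hi:
                    return True
                lo = None
        if lo is not None and lo <= v:
            return True  # introduced with no fix yet: open-ended range
    return False

# Constructed sample in OSV "affected.ranges" shape; the version values are
# placeholders, not values from any real advisory.
SAMPLE_RANGES = [{"type": "ECOSYSTEM",
                  "events": [{"introduced": "0"}, {"fixed": "2.0.1"}]}]
```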