Removing FP versions in three npm reports
We previously reported these three npm packages and their multiple versions as malicious:
- pap-sdk: MAL-2024-11062
- rollup-plugin-hotreload: MAL-2024-11081
- soybean-admin-tab: MAL-2024-11098
When doing our own research, it was concluded that not all reported versions are actually malicious. We would like to update the status in the OSSF repo in accordance with the false positive guide, which would consist of removing the non-malicious versions. However, the packages in question were removed from the npm registry, and it seems they were either hijacked or a malicious actor got hold of them and published a few malicious versions. We'd like to make sure we're on the same page about keeping only the strictly malicious versions in the OSSF advisory, as opposed to leaving them all in. In this instance we are also not the only reporters, so we may not be able to remove anything at all, since it would contradict the GHSA advisory?
Can you please advise us how to proceed?
@calebbrown We're preparing a new push to the bucket, and this is blocking us a wee bit.
We'd like to withdraw these on our end, which shouldn't be too much of a problem, but we'd like to keep the history clean, and I was wondering if there could be a withdrawn field added to malicious-packages-origins?
There are two ways we could track this:
- Add a "withdrawn_versions" field to the report. Arguably this could be added to the "affected" package "database_specific" section. Something like this is a new addition and would need to have at least some documentation.
- Just depend on git to track the history.
The former is more transparent, observable, and useful.
I am happy if you propose an edit to docs/schema_additions.md to add this.
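The following is an added example, not code from the malicious-packages project or from anyone in this thread. It sketches how a consumer could apply the "withdrawn_versions" field proposed above: the sample OSV-style record, its id, package name and version strings are all constructed placeholders, and placing the field under each "affected" entry's "database_specific" object is an assumption about a layout the thread has not yet settled.

```python
"""Derive the versions that remain flagged once a report records withdrawn versions.

Added example, not the malicious-packages project's own code. Assumes the
proposed "withdrawn_versions" field lives under affected[].database_specific;
that placement is hypothetical.
"""
import json
from typing import Any

# Constructed sample report: the id, package name and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "id": "MAL-0000-00000",
    "summary": "Malicious code in example-pkg (npm)",
    "affected": [
        {
            "package": {"ecosystem": "npm", "name": "example-pkg"},
            "versions": ["1.0.0", "1.0.1", "1.1.0", "1.1.1"],
            "database_specific": {
                # Hypothetical field: versions later judged to be false positives.
                "withdrawn_versions": ["1.0.0", "1.0.1"]
            },
        }
    ],
})


def withdrawn_versions(affected: dict[str, Any]) -> list[str]:
    """Read the hypothetical withdrawn list; absent field means nothing withdrawn."""
    return affected.get("database_specific", {}).get("withdrawn_versions", [])


def effective_versions(affected: dict[str, Any]) -> list[str]:
    """Versions still considered malicious: reported versions minus withdrawn ones.

    The order of the original "versions" list is preserved so the output can be
    diffed against the report. Withdrawn entries that were never reported are
    simply ignored here; check_withdrawn() flags them separately.
    """
    withdrawn = set(withdrawn_versions(affected))
    return [v for v in affected.get("versions", []) if v not in withdrawn]


def check_withdrawn(affected: dict[str, Any]) -> list[str]:
    """Consistency problems a reviewer would want raised before merging.

    - a withdrawn version that does not appear in the reported versions
    - a withdrawal that empties the list, which means the whole report, not
      individual versions, should be withdrawn
    """
    versions = affected.get("versions", [])
    problems = []
    for v in withdrawn_versions(affected):
        if v not in versions:
            problems.append(f"withdrawn version {v} was never reported")
    if versions and not effective_versions(affected):
        problems.append("all versions withdrawn; withdraw the report instead")
    return problems


def summarize(report_json: str) -> dict[str, list[str]]:
    """Map each affected package name to its effective malicious versions."""
    report = json.loads(report_json)
    return {a["package"]["name"]: effective_versions(a) for a in report.get("affected", [])}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for entry in json.loads(SAMPLE_REPORT)["affected"]:
        print(check_withdrawn(entry) or "ok")
```

Keeping the originally reported versions in place and subtracting the withdrawn ones at read time is what makes the first option more transparent than relying on git history: the record itself shows both what was claimed and what was later retracted.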