Is 2025 data being used?
I was poking around a little to better understand how the sausage is made and the dependencies on OSV.dev vulnfeeds code, and noticed that https://github.com/pypa/advisory-database/blob/main/.github/workflows/auto_import.yaml has some 2024 hard coding in it, which may be resulting in suboptimal outcomes in 2025?
It doesn't appear to be using 2025 data. @oliverchang was https://github.com/pypa/advisory-database/pull/210 meant to be a temporary solution that never got removed? There's clearly a 2025 data feed (I was able to pull it myself manually) but I don't understand the sources of any of this data? Is there a data feed that we should be using that includes all years?
#210 is trying to address a separate issue. It avoids importing any advisories that don't have any fix information (i.e. unbounded), which are much more likely to be data quality issues rather than them actually being unfixed.
And thank you for https://github.com/pypa/advisory-database/pull/230! That will address the issue @andrewpollock pointed out -- the year was previously hardcoded and needed to be manually updated.
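An added illustration (not code from pypa/advisory-database, OSV.dev or #210) of the kind of check described for #210 above: flagging OSV-format records whose affected range is never closed by a `fixed` or `last_affected` event. The record IDs, package name and helper names are constructed, and treating each `events` list as ordered by version is an assumption.

```python
# Added example: detect "unbounded" advisories in OSV-format records.
# Field names (affected/ranges/events, introduced/fixed/last_affected) follow
# the OSV schema; everything else here is constructed for illustration.

BOUNDS = ("fixed", "last_affected")  # events that close an affected interval


def range_is_unbounded(rng):
    """True if the last 'introduced' event is never followed by a bound.

    Assumes events are listed in version order (an assumption of this sketch).
    """
    open_ended = False
    for event in rng.get("events", []):
        if "introduced" in event:
            open_ended = True
        elif any(key in event for key in BOUNDS):
            open_ended = False
    return open_ended


def is_unbounded(record):
    """True if any range of any affected package is left open."""
    return any(
        range_is_unbounded(rng)
        for affected in record.get("affected", [])
        for rng in affected.get("ranges", [])
    )


def split_importable(records):
    """Return (ids to import, ids skipped because they are unbounded)."""
    keep, skipped = [], []
    for rec in records:
        (skipped if is_unbounded(rec) else keep).append(rec["id"])
    return keep, skipped


def _rec(rec_id, events):
    pkg = {"ecosystem": "PyPI", "name": "example-pkg"}  # constructed package
    return {"id": rec_id, "affected": [
        {"package": pkg, "ranges": [{"type": "ECOSYSTEM", "events": events}]}]}


SAMPLE = [  # constructed records, not real advisories
    _rec("EXAMPLE-0001", [{"introduced": "0"}, {"fixed": "1.2.3"}]),
    _rec("EXAMPLE-0002", [{"introduced": "0"}]),
    _rec("EXAMPLE-0003", [{"introduced": "2.0"}, {"last_affected": "2.4"}]),
    _rec("EXAMPLE-0004", [{"introduced": "0"}, {"fixed": "1.0"}, {"introduced": "2.0"}]),
]

if __name__ == "__main__":
    print(split_importable(SAMPLE))
```

EXAMPLE-0004 shows the case a simple "has any `fixed` event" test would miss: an earlier interval is fixed, but a later reintroduction is left open.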