Issue ID:
Type:
Bug
Title:
FIX: Multi-package GHSA Vulnerabilities may not have ranges parsed properly
Created:
7/20/2023 9:16:17 PM by Alana Tripp
Status:
Awaiting Release on
Last pulled:
8/4/2023 11:25:07 PM
Description:
An example package is System.Text.Encodings.Web version 4.6.0 (https://www.nuget.org/packages/System.Text.Encodings.Web/4.6.0). On nuget.org, this version is marked as vulnerable, but it isn't marked that way in our ProGet instance. The issue seems to be the way ranges are expressed: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-ghhp-997w-qr28/GHSA-ghhp-997w-qr28.json