Skip vulnerability reports that are marked as "withdrawn" #385
Assignees
Labels
component:vuln-sources
Components that provide sources of vulnerability information
enhancement
New feature or request
Comments
|
This applies immediately to the OSV service backend, but may also apply to PyPI's vulnerability DB (which serves a functional subset of the OSV schema). I'll need to check what PyPI's updated does when a entry is marked as withdrawn. |
woodruffw
added
the
component:vuln-sources
|
(I identified this as part of looking into pytest-dev/py#287 -- we "correctly" report this spam vulnerability at the moment because it isn't marked as withdrawn yet, but we should skip it if/when it's correctly withdrawn.) |
|
#386 looks good to me but I think we should probably extend support for this to PyPI as well -- shall we create a separate issue for tracking that? |
|
Yeah, I think so -- I can create that in a moment. |
|
#388 is the continuation of this, for PyPI's vulnerability service. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The OSV format supports the
withdrawnfield, which indicates that a report has been withdrawn and is no longer valid.pip-auditshould respect that field and ignore any reports that contain it, so long as the field's timestamp is not after the current time.The text was updated successfully, but these errors were encountered: