Skip to content

osvcatalog: all-versions (range-only) MAL records are dropped — ~92% of npm malicious packages #64

Description

@adel-pplx

Running osvcatalog against the OSV per-ecosystem dumps, affected entries whose only version info is a range are skipped (v0.1 matching is exact-version only): that drops 197,180 of 215,070 npm malicious packages (~92%), 6,372 of 11,486 for PyPI, and all 18 for Go — nearly all of them introduced: "0", i.e. every version is malicious.

A schema bump that can express "any version" (e.g. versions: ["*"] or an all_versions flag) would let the import emit these; comparison-based introduced/fixed ranges (<900 records) could stay out of scope.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions