Data quality issue with CVE-2024-3094

[katzj]

The CVE ID
https://osv.dev/vulnerability/ALPINE-CVE-2024-3094

Describe the data quality issue observed
introducedAt is 0 which isn't the case for this. It looks like this is true for all alpine ingested CVEs as introducedAt isn't set in the alpine converter

Suggested changes to record
Appropriate introducedAt fields

Additional context
Note that the Alpine security tracker (https://security.alpinelinux.org/vuln/CVE-2024-3094) has correct info here but it is combining info from secdb and NVD in a richer way than is currently done with the OSV importer

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[katzj]

I think this could be fixed in a pretty straight forward manner by updating the alpine converter to work more similarly to the alpine upstream security tracker.

When looping through, we already have access to the CVE object from NVD and could parse things from CPEs within. There's some CPE matching logic to handle the way alpine packages are named (https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker/-/blob/master/secfixes_tracker/importers.py?ref_type=heads#L28) but that isn't hard to handle and have here as well.

Happy to contribute if there's agreement that this is a good path to help with this class of issue.

[cuixq]

@another-rex @jess-lowe could you help to answer this question?

[cuixq]

Hi @katzj we are aware of the issues we have regarding CVE conversion and currently working on that. We will keep you updated here. Thank you for your patience!

[katzj]

@cuixq I'm happy to help and contribute if yall provide signal of what you're thinking. The current situation makes osv basically unusable for alpine vulnerability mapping.