A vulnerability I reported has been made public as a repo-advisory GHSA-3jxr-9vmj-r5cp.
However, it is not available in the global GHSA despite having a CVE and being public on other lists.
Seems like osv.dev relies on GHSA for package attribution (google/osv.dev#4490 (comment)) and in this example the package has a TYPE value of git, so most scanners won't pick it up
Do repo-advisories enter a review queue for the global GHSA automatically? Do reporters/maintainers need to do something for that to happen?
A vulnerability I reported has been made public as a repo-advisory GHSA-3jxr-9vmj-r5cp.
However, it is not available in the global GHSA despite having a CVE and being public on other lists.
Seems like osv.dev relies on GHSA for package attribution (google/osv.dev#4490 (comment)) and in this example the package has a
TYPEvalue ofgit, so most scanners won't pick it upDo repo-advisories enter a review queue for the global GHSA automatically? Do reporters/maintainers need to do something for that to happen?