What to do about yanked versions? #21
Description
Yanked versions pose a bit of a problem with respect to OSV schema validation. Yanked versions are actually quite likely to be versions that are vulnerable — and we do want vuln scanners to pick up the fact that a vulnerable version is in a manifest, even if it's yanked.
But yanked versions do not appear as "available" versions according to the JSON served by JuliaHub, which is what OSV-linter uses. So, I quite rapidly encountered this on OpenSSL.
The OSV-linting failed on #18, because:
Run output=$(./osv-linter record lint packages 2>&1 || true)
packages/General/OpenSSL_jll/DONOTUSEJLSEC-2025-19.json:
* [PKG:002]: Failed to find ["1.1.18+0"] of "OpenSSL_jll" in "Julia" (have: ["3.5.2+0" "3.5.1+0" "3.5.0+0" "3.0.16+0" "3.0.15+3" "3.0.15+2" "3.0.15+1" "3.0.15+0" "3.0.14+0" "3.0.13+1" "3.0.13+0" "3.0.12+0" "3.0.11+0" "3.0.10+0" "3.0.9+0" "3.0.8+0" "1.1.23+1" "1.1.23+0" "1.1.22+0" "1.1.21+0" "1.1.20+0" "1.1.19+0" "1.1.17+0" "1.1.16+0" "1.1.14+0" "1.1.13+0" "1.1.10+0" "1.1.1+6" "1.1.1+5" "1.1.1+4" "1.1.1+3" "1.1.1+2" "1.1.1+1" "1.1.1+0"])
2025/08/27 01:38:56 found errorsWhen I manually yanked v1.1.18+0 from the version mappings (db3014f), this worked (cf #20). For this particular CVE and version range, it's ok — the version range generated happens to still include v1.1.18+0. But that won't always be the case.
We probably want OSV-lint to use an endpoint that includes yanked versions.