The vulnerabilities table currently only stores fixed_version. That isn't enough to answer "is version X affected by this advisory" because many advisories only affect a range like >=2.0.0 <2.3.1 and not earlier releases.
Add an affected_ranges column that stores the OSV ranges array as-is, populate it during the existing enrichment sync, and add a small package that can answer Matches(ecosystem, name, version) by walking those ranges with the right version comparator for each ecosystem (semver, PEP 440, Maven, etc).
This is data-layer only; nothing user-facing changes until other issues wire it into request handling.
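Sketch of what the matching package could look like, added here as an illustration rather than code from this repo. It assumes `affected_ranges` holds the OSV `ranges` array as JSON text, implements only the SEMVER comparator (deliberately simplified, see the comments), and refuses ECOSYSTEM and GIT ranges it has no comparator for instead of answering "not affected". The names `Matches`, `affectedInRange`, `compareSemver`, the `Event`/`Range` structs and the `sampleRanges` value (constructed, not a real advisory) are all assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Event and Range mirror the OSV "ranges" array kept verbatim in affected_ranges; exactly one Event field is set.
type Event struct {
	Introduced, Fixed string // encoding/json matches "introduced" and "fixed" case-insensitively
	LastAffected      string `json:"last_affected"`
}
type Range struct {
	Type   string
	Events []Event
}

// compareSemver orders two semver strings: numeric core first, then a pre-release tag sorts below its release.
// Simplified on purpose: pre-release tags compare as plain strings, build metadata and a leading "v" are not handled.
func compareSemver(a, b string) (d int, err error) {
	var core, pre = [2][3]int{}, [2]string{}
	for k, v := range []string{a, b} {
		if i := strings.IndexByte(v, '-'); i >= 0 {
			pre[k], v = v[i+1:], v[:i]
		} else {
			pre[k] = "~" // '~' sorts above every pre-release identifier: a release outranks its own pre-releases
		}
		parts := strings.Split(v, ".")
		if len(parts) > 3 {
			return 0, fmt.Errorf("not semver: %q", v)
		}
		for i, p := range parts {
			if core[k][i], err = strconv.Atoi(p); err != nil {
				return 0, fmt.Errorf("not semver: %q", v)
			}
		}
	}
	for i := range core[0] {
		if d = core[0][i] - core[1][i]; d != 0 {
			return d, nil
		}
	}
	return strings.Compare(pre[0], pre[1]), nil
}

// affectedInRange walks one range with the ecosystem's comparator: version is affected when the highest
// event at or below it is "introduced", or is "last_affected" and equal to it (that bound is inclusive).
func affectedInRange(cmp func(a, b string) (int, error), r Range, version string) (bool, error) {
	best, bestVer := Event{}, "" // highest event at or below version; "" means none seen yet
	for _, e := range r.Events {
		ev := e.Introduced + e.Fixed + e.LastAffected // exactly one field is set
		c, err := cmp(ev, version)
		if err != nil {
			return false, err
		}
		c2, _ := cmp(ev, bestVer) // bestVer=="" fails harmlessly; otherwise both strings parsed already
		if c > 0 || bestVer != "" && (c2 < 0 || c2 == 0 && e.Fixed == "") {
			continue // drop events above version; keep the highest; on a tie prefer "fixed" so [X, X) never matches X
		}
		best, bestVer = e, ev
	}
	switch {
	case bestVer == "" || best.Fixed != "":
		return false, nil // below every introduced event, or at/after a fix
	case best.Introduced != "":
		return true, nil
	}
	c, err := cmp(bestVer, version) // last_affected: affected only when exactly equal
	return c == 0, err
}

// Matches answers "is version of name in ecosystem inside any stored range" from the raw OSV "ranges" array in
// affected_ranges. Only SEMVER is wired up; ECOSYSTEM (PEP 440, Maven, ...) and GIT ranges need their own comparator
// and are refused rather than guessed, so a missing comparator surfaces as an error, never as "not affected".
func Matches(ecosystem, name, version string, affectedRangesJSON []byte) (bool, error) {
	var ranges []Range
	if err := json.Unmarshal(affectedRangesJSON, &ranges); err != nil {
		return false, fmt.Errorf("%s/%s: bad affected_ranges: %w", ecosystem, name, err)
	}
	for _, r := range ranges {
		if r.Type != "SEMVER" {
			return false, fmt.Errorf("%s/%s: no comparator for %s ranges", ecosystem, name, r.Type)
		}
		if hit, err := affectedInRange(compareSemver, r, version); hit || err != nil {
			return hit, err
		}
	}
	return false, nil
}

// sampleRanges is a constructed affected_ranges value, not a real advisory: >=2.0.0 <2.3.1 plus a 1.9.x branch fixed in 1.9.5.
const sampleRanges = `[{"type":"SEMVER","events":[{"introduced":"2.0.0"},{"fixed":"2.3.1"}]},
{"type":"SEMVER","events":[{"introduced":"1.9.0"},{"fixed":"1.9.5"}]}]`

func main() {
	hit, err := Matches("npm", "example-pkg", "2.3.1-rc1", []byte(sampleRanges))
	fmt.Println("2.3.1-rc1 affected:", hit, err)
}
```

Two choices worth keeping when this gets written for real: the per-ecosystem comparator is the only thing that changes between SEMVER, PEP 440 and Maven, so the `r.Type`/ecosystem check is where those plug in; and an ecosystem without a comparator returns an error instead of false, because a silent "not affected" is the one answer the callers wiring this into request handling must never get by accident.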