Description
On Oct 2 (two days after the blog post on data quality, which might be related), many vulnerabilities in the GIT ecosystem became incorrectly marked as withdrawn. I count 1,736 vulnerabilities that were marked as withdrawn on 2024-10-02, and only 19 vulnerabilities out of 1,612 since 2024-03-01 are not marked as withdrawn.
Steps to reproduce:
$ cd /tmp
$ wget https://osv-vulnerabilities.storage.googleapis.com/GIT/all.zip
$ unzip all.zip -d GIT
$ cd GIT
$ grep -r '"withdrawn": "2024-10-02' | wc -l
1736
$ # By the way, there was another mass withdrawal event on 2024-05-15, but I haven't looked into it:
$ grep -r '"withdrawn": "2024-05-15' | wc -l
1818
A random example of a vulnerability marked as withdrawn in OSV but not in e.g. cvelistV5: CVE-2024-46978.
$ grep "withdrawn" CVE-2024-46978.json
"withdrawn": "2024-10-02T01:21:06.482138Z",
The corresponding file on cvelistV5 hasn't been updated since September 20 and isn't marked as withdrawn.
This might be an issue with an upstream provider of data, but I don't know which one it is for GIT, so I'm reporting here.
The only 19 vulnerabilities since March 1st which aren't marked as withdrawn are: ['CURL-CVE-2024-7264', 'CURL-CVE-2024-2466', 'PSF-2024-10', 'CURL-CVE-2024-2379', 'PSF-2024-9', 'PSF-2024-11', 'PSF-2024-8', 'CURL-CVE-2024-8096', 'CURL-CVE-2024-6197', 'PSF-2024-4', 'PSF-2024-2', 'PSF-2024-7', 'CURL-CVE-2024-6874', 'CURL-CVE-2024-2004', 'CURL-CVE-2024-2398', 'PSF-2024-1', 'PSF-2024-3', 'PSF-2024-6', 'PSF-2024-5']
(no mention of CVE-*)
Personally, I won't be able to update the eyeballvul benchmark until this is fixed, since almost all recent vulnerabilities are now marked as withdrawn.
Do you know where this could be coming from?
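The grep counts above only tell you how many records carry a `withdrawn` date on a given day. A practitioner triaging a mass-withdrawal event like this usually wants three more things from the same OSV dump: withdrawals bucketed per day (so mass events stand out), the list of recently published records that are not withdrawn, and a cross-check of each record's `withdrawn` flag against the upstream CVE record's `cveMetadata.state` (`PUBLISHED` vs `REJECTED` in cvelistV5), since a withdrawn OSV record whose CVE is still `PUBLISHED` is exactly the disagreement the issue describes. The script below is an added example, not the issue author's code and not part of the OSV project; it reads the OSV schema fields `id`, `published`, `withdrawn` and `aliases`, and the handful of records and CVE states it operates on are constructed inline with placeholder IDs so it runs offline. To run it against a real unpacked `GIT/` directory, pass that path to `load_osv_records` and build `cve_states` from your local cvelistV5 checkout.

```python
import json
import os
import tempfile
from collections import Counter

# Constructed sample OSV records (placeholder IDs, not real advisories).
# Three are withdrawn on 2024-10-02, one on 2024-05-15, two are not withdrawn.
SAMPLE_RECORDS = [
    {"id": "CVE-2024-0001", "published": "2024-09-18T10:00:00Z",
     "withdrawn": "2024-10-02T01:21:06.482138Z"},
    {"id": "CVE-2024-0002", "published": "2024-07-01T00:00:00Z",
     "withdrawn": "2024-10-02T01:21:07.000000Z"},
    {"id": "CVE-2024-0003", "published": "2024-04-10T00:00:00Z",
     "withdrawn": "2024-05-15T00:00:00Z"},
    {"id": "CURL-CVE-2024-0004", "published": "2024-08-01T00:00:00Z",
     "aliases": ["CVE-2024-0004"]},
    {"id": "CVE-2023-0005", "published": "2023-12-01T00:00:00Z"},
    {"id": "CVE-2024-0006", "published": "2024-09-01T00:00:00Z",
     "withdrawn": "2024-10-02T01:21:08.000000Z"},
]

# Constructed stand-in for cvelistV5: CVE id -> cveMetadata.state.
# Only CVE-2024-0003 is actually rejected upstream.
SAMPLE_CVE_STATES = {
    "CVE-2024-0001": "PUBLISHED",
    "CVE-2024-0002": "PUBLISHED",
    "CVE-2024-0003": "REJECTED",
    "CVE-2024-0004": "PUBLISHED",
    "CVE-2024-0006": "PUBLISHED",
}


def write_sample_dir():
    """Write SAMPLE_RECORDS as one JSON file each, mimicking an unzipped OSV dump."""
    directory = tempfile.mkdtemp(prefix="osv-git-")
    for rec in SAMPLE_RECORDS:
        with open(os.path.join(directory, rec["id"] + ".json"), "w", encoding="utf-8") as fh:
            json.dump(rec, fh)
    return directory


def load_osv_records(directory):
    """Load every *.json file in `directory` as an OSV record (dict)."""
    records = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".json"):
            with open(os.path.join(directory, name), encoding="utf-8") as fh:
                records.append(json.load(fh))
    return records


def withdrawn_by_day(records):
    """Count withdrawals per calendar day (first 10 chars of the RFC3339 stamp).
    A mass event shows up as one very large bucket."""
    return Counter(r["withdrawn"][:10] for r in records if "withdrawn" in r)


def not_withdrawn_since(records, since):
    """IDs of records published on or after `since` (YYYY-MM-DD) with no withdrawn field."""
    return sorted(r["id"] for r in records
                  if r.get("published", "")[:10] >= since and "withdrawn" not in r)


def disagreements(records, cve_states):
    """OSV records whose withdrawn flag contradicts the upstream CVE state.
    Matches on the record id and on any CVE alias. Returns
    (osv_id, cve_id, upstream_state, withdrawn_in_osv) for each mismatch:
    withdrawn in OSV but PUBLISHED upstream, or live in OSV but REJECTED upstream."""
    out = []
    for r in records:
        osv_withdrawn = "withdrawn" in r
        for cid in [r["id"]] + r.get("aliases", []):
            state = cve_states.get(cid)
            if state is None:
                continue
            if osv_withdrawn != (state == "REJECTED"):
                out.append((r["id"], cid, state, osv_withdrawn))
    return out


if __name__ == "__main__":
    records = load_osv_records(write_sample_dir())
    for day, n in withdrawn_by_day(records).most_common():
        print(f"{day}: {n} withdrawn")
    print("live since 2024-03-01:", not_withdrawn_since(records, "2024-03-01"))
    for osv_id, cve_id, state, withdrawn in disagreements(records, SAMPLE_CVE_STATES):
        print(f"MISMATCH {osv_id}: OSV withdrawn={withdrawn}, {cve_id} upstream={state}")
```

The per-day histogram is the quickest way to spot the two mass events the issue mentions, and the mismatch list is the evidence worth attaching to an upstream report: it names each record whose OSV state and CVE state diverge, rather than assuming every withdrawal is wrong.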