Create repo purls for GIT ecosystem ranges

[bwt-sloanj]

The CVE ID
https://osv.dev/vulnerability/CVE-2019-25219

Describe the data quality issue observed
PURL entries are provided for the Debians. The Git repo could also have a PURL, in this case: pkg:generic/github.com/chriskohlhoff/asio@asio-x-y-z where the version comes from the tagging scheme used in that repo.

Suggested changes to record
Add a PURL for the Git repo. This supports the use case where the code is being packaged directly by the consumer, as opposed to installed via the Debian.

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[jess-lowe]

Hi @bwt-sloanj, thanks for reporting! While we definitely agree that pURLs would be very useful, we are beholden to the data we get from upstream sources. In this case, the upstream source is the NVD, which do not provide pURLs currently.

We would love to accept a contribution for a reliable and scalable pURL converter for git repositories if anyone were willing to attempt it :)

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

[github-actions]

Automatically closing stale issue

[tsteenbe]

Within the OSS Review Toolkit (ORT) project we support using OSV to retrieve known vulnerabilities for detected packages. A user reported that when ZLib 1.2.11 is defined in SPDX (see the test asset: https://github.com/oss-review-toolkit/ort/blob/main/plugins/package-managers/spdx-document-file/src/funTest/assets/projects/synthetic/inline-packages/project-xyz.spdx.yml), ORT's OSV integration returns no vulnerabilities - even though OSV lists a vulnerability for this package (example: https://osv.dev/vulnerability/CVE-2026-27171).

@jess-lowe Could you please give us an update on this issue? I see @ashmod implemented #3953 months ago but you wrote "We're currently working on a refactor behind the scenes that is blocking this being merged - might take a couple of weeks, but we'll get back to it!" but that was last September.

For other people interested in this issue below some example of the type of OSV queries for Zlib that work and don't work.

Queries that return results

curl -d \
  '{"package": {"name": "https://github.com/madler/zlib.git", "ecosystem": "GIT"}, "version": "1.2.11"}' \
  "https://api.osv.dev/v1/query"
  
curl -d \
  '{"commit": "cacf7f1d4e3d44d871b605da3b647f07d718623f"}' \
  "https://api.osv.dev/v1/query"

Queries that return empty results

curl -d \
  '{"package": {"purl": "pkg:github/madler/zlib@cacf7f1d4e3d44d871b605da3b647f07d718623f"}}' \
  "https://api.osv.dev/v1/query"
  
curl -d \
  '{"package": {"purl": "pkg:generic/github.com/madler/zlib@cacf7f1d4e3d44d871b605da3b647f07d718623f"}}' \
  "https://api.osv.dev/v1/query"

curl -d \
  '{"package": {"purl": "pkg:github/madler/zlib@1.2.11"}}' \
  "https://api.osv.dev/v1/query"
  
curl -d \
  '{"package": {"purl": "pkg:generic/github.com/madler/zlib@1.2.11"}}' \
  "https://api.osv.dev/v1/query"

curl -sd '{"package": {"purl": "pkg:github/madler/zlib@1.2.11"}}' "https://api.osv.dev/v1/query" 

curl -sd '{"package": {"purl": "pkg:generic/github.com/madler/zlib@1.2.11"}}' "https://api.osv.dev/v1/query"