One of the vestigial aspects of our advisory data today that lingers from our beginning with the Alpine "secfixes" approach is that we don't actually enumerate a list or range of distro package versions affected by a given vulnerability; we only record the fixed version of the distro package.
As the advisory data continues to become more full-featured, we should encode the full set of affected package versions, using either ranges or discrete sets.
This will help scanners produce more reliable results, since they won't need to guess about whether an installed version less than the noted fixed version is affected.
Schema suggestions welcome!
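
An added illustration of the guessing problem described above; it is not code or schema from the project. The advisory record, the `affected_ranges`, `introduced` and `fixed` field names, the package name and all versions are hypothetical, and the version comparison is a simplified stand-in for real apk version ordering.

```python
import re

def version_key(v):
    """Sort key for versions like '2.4.1-r0' (simplified: dotted numbers plus
    an '-rN' package revision; real apk ordering also handles suffixes)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if m is None:
        raise ValueError(f"unsupported version format: {v!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def affected_fixed_only(installed, advisory):
    """Fixed-version-only data: the scanner must assume every older version
    is affected, because nothing says when the flaw was introduced."""
    return version_key(installed) < version_key(advisory["fixed"])

def affected_with_ranges(installed, advisory):
    """Hypothetical data with explicit [introduced, fixed) ranges: the scanner
    reports a match only when the installed version falls inside a range."""
    key = version_key(installed)
    for r in advisory["affected_ranges"]:
        lo, hi = r.get("introduced"), r.get("fixed")
        above = lo is None or key >= version_key(lo)
        below = hi is None or key < version_key(hi)
        if above and below:
            return True
    return False

# Constructed advisory record (hypothetical shape, not a proposed schema).
ADVISORY = {
    "id": "EXAMPLE-0001",
    "package": "examplepkg",
    "fixed": "2.4.1-r0",
    "affected_ranges": [{"introduced": "2.3.0-r0", "fixed": "2.4.1-r0"}],
}

def compare(installed_versions, advisory=ADVISORY):
    """Map each version to (fixed-only verdict, range-based verdict)."""
    return {v: (affected_fixed_only(v, advisory),
                affected_with_ranges(v, advisory))
            for v in installed_versions}

if __name__ == "__main__":
    versions = ["2.2.5-r3", "2.3.0-r0", "2.4.0-r2", "2.4.1-r0"]
    for v, (fixed_only, ranged) in compare(versions).items():
        note = "  <- guessed match" if fixed_only and not ranged else ""
        print(f"{v:10} fixed-only={fixed_only!s:5} ranges={ranged!s:5}{note}")
```

The two approaches disagree only on the version that predates the constructed `introduced` bound, which is the case where fixed-only data forces a scanner to guess.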