Rust package being reported on wrong crates.io entry due to package name reuse

[rhalar]

Describe the bug
I've erroneously reported this to
github/advisory-database#4902

but I think this is a more appropriate place for it. I'll copy the issue here:

So looking at https://osv.dev/vulnerability/GHSA-hw4v-5x4h-c3xm
it seems to point to a vulnerability in https://github.com/paritytech/frontier

However, when looking at
https://crates.io/crates/frontier

This does not seem to be the package in question, but rather
https://github.com/peterc-s/frontier

I have an older entry of the crates.io database dump, which does confirm that at one point pkg:crates.io/frontier did really point to the vulnerable package. It seems it has since been removed and the name claimed by a different author.
I'm not sure what the policy for this would be but I'm guessing it would potentially need to be withdrawn? In which case all of these display the same issue

GHSA-fcmm-54jp-7vf6
GHSA-v57h-6hmh-g2p4
GHSA-mjvm-mhgc-q4gp
GHSA-cjg2-2fjg-fph4
GHSA-vj62-g63v-f8mf
GHSA-hw4v-5x4h-c3xm

To Reproduce
N/A

Expected behaviour
I expect these would have to be withdrawn since the package is no longer available?

[michaelkedar]

The description of some of these seem to refer to pallet-ethereum and pallet-evm, which both seem to come from that frontier repository.
I think the GHSA records need to be changed to point to the actual crates.

I have an older entry of the crates.io database dump, which does confirm that at one point pkg:crates.io/frontier did really point to the vulnerable package. It seems it has since been removed and the name claimed by a different author.

This seems very strange - the crates.io policies suggests that crates should practically never be deleted. I'm not sure how this happened.

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[rhalar]

I also wasn't aware this is a possibility. The dump I am looking at dates to 2023-07-19. I have a couple more later ones from the same period but I haven't looked when the change happened.
The name is identical, but the crate ID is different though (215535 vs 1170076). And the older ID does not appear in newer dumps at all.

Interestingly enough, pallet-ethereum has 215536 as the ID.

[michaelkedar]

Right now, I believe this issue is best resolved on the GHSA side.
The OSV records that GHSA are publishing use {"ecosystem": "crates.io", "name": "frontier"} as the affected package. Since the actual affected package isn't on crates.io (anymore), GHSA needs to correct the records.

In my opinion, they could do one (or both) of the following:

• Change the affected packages to the corresponding pallet-* crates (that do exist) that the vulnerabilities actually impact.
• Change the records to refer directly to the git repository, using GIT affected ranges.

I don't think we should mark them as withdrawn, since the vulnerabilities do still actually exist.

@rhalar If you could (re-)open the issue on GHSA (or directly submit the corrections for these records), that would be greatly appreciated.

As for the changing crates issue, there's not much on our end we can do about that. If an OSV record becomes no longer valid, it's mostly up to the source of the record to correct it.

[rhalar]

@michaelkedar Thanks for the feedback. I'm not sure why I thought to open the issue here; I think I erroneously thought GHSA OSV entries were published by OSV instead of GHSA directly.

Reopening the issue there.