Withdrawn advisory should not affect any package

[keshav-space]

pkg:pypi/py@1.11.0 https://public2.vulnerablecode.io/packages/v2/pkg:pypi/py@1.11.0 is shown as affected in GitHub and GitLab advisories, but advisory has been withdrawn in both locations:

• GitHub https://github.com/github/advisory-database/blob/dc14b83d1a8bde9074284e995aeee1317044f799/advisories/github-reviewed/2022/10/GHSA-w596-4wvx-j9j6/GHSA-w596-4wvx-j9j6.json#L6
• GitLab https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/py/CVE-2022-42969.yml

[shivamshrma09]

Hi @keshav-space,

I looked into this issue and traced the root cause.

Root Cause:

The GitHub advisory GHSA-w596-4wvx-j9j6.json has a "withdrawn" field in its JSON:

{ "id": "GHSA-w596-4wvx-j9j6", "withdrawn": "2025-08-01T20:34:11Z", "summary": "Withdrawn Advisory: ReDoS in py library...", "affected": [{ "package": { "ecosystem": "PyPI", "name": "py" } }] }

But in vulnerabilities/importers/osv.py, the parse_advisory_data() function never checks for this field so withdrawn advisories get parsed and imported just like valid ones, causing pkg:pypi/py@1.11.0 to appear as affected.

# vulnerabilities/importers/osv.py :- line 51 def parse_advisory_data( raw_data: dict, supported_ecosystems, advisory_url: str ) -> Optional[AdvisoryData]: raw_id = raw_data.get("id") or "" summary = raw_data.get("summary") or "" # ← no withdrawn check here, so withdrawn advisories pass through ... return AdvisoryData()

My Approch:

Add a withdrawn check at the top of parse_advisory_data() in osv.py:

def parse_advisory_data( raw_data: dict, supported_ecosystems, advisory_url: str ) -> Optional[AdvisoryData]: if raw_data.get("withdrawn"): logger.info(f"Skipping withdrawn advisory: {raw_data.get('id')}") return None ...

And in github_osv.py, handle the None return:

advisory = parse_advisory_data(raw_data, supported_ecosystems, advisory_url) if advisory: yield advisory

This fix is in osv.py so it covers all importers that use it (github_osv.py, oss_fuzz.py).

Regarding already-imported data:
For the existing data in the DB, we would need a separate pipeline/improver step that:

1. Fetches all advisories from the GitHub advisory database
2. Checks if any have a "withdrawn" field
3. Removes the affected package relationships for those withdrawn advisories from the DB

i am not sure that same problem is with other imports like NVD or other do we need to cheak theme also

Would this approach be correct, or is there a preferred way to handle historical data cleanup in this codebase?
Would love to work on this please let me know if this approach looks good.