Confused about where the canonical source is #542

Closed
andrewpollock opened this issue Mar 20, 2023 · 2 comments

Comments

@andrewpollock

Hello,

I'm doing work on Open Source vulnerabilities for OSV.dev, trying to convert relevant CVE records to OSV records (google/osv.dev#783 if you're curious).

I'm looking at CVE-2022-0271 in particular, because I wasn't able to successfully automatically map the fixed version 4.1.6 to a Git commit (from a (currently simplistic) inspection of the tags) in this repository.

When I did some manual investigation of that failure, I became confused about whether this was even the right repository to be looking at, which is why I'm here writing this.

The NVD's CPE Dictionary metadata is what led me to this repository in the first place, but from poking around at https://wordpress.org/plugins/learnpress/#developers I can see references to a Subversion repository, with more plausible looking tags mentioned, e.g. https://plugins.svn.wordpress.org/learnpress/tags/4.1.6/

If this repository didn't appear to have recent activity, I'd have just written this off as stale/invalid metadata in the CPE Dictionary, but given there appears to be activity here in parallel, I'm confused, and so I thought I'd drop you a line.
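An added example (not code from OSV.dev or from LearnPress) of the kind of tag inspection the post above describes: a normaliser that accepts the common release-tag spellings and a lookup that falls back to the SVN release tags when the Git repository named in the CPE metadata does not carry the fixed version. The tag listings, and the function names, are constructed for illustration, not real repository data.

```python
import re

# Constructed sample tag listings, not taken from either repository's real history.
# The Git side deliberately carries only development tags for the 4.1.x line.
GIT_TAGS = ["v4.0.0", "v4.1.0", "dev-4.1.7", "4.2.0-beta"]
SVN_TAGS = ["4.1.5", "4.1.6", "4.1.7", "4.2.0"]

# Release tags: optional 'v' or 'release-' prefix, then a bare dotted version, nothing after.
_RELEASE_TAG_RE = re.compile(r"^(?:v|release[-_/]?)?(\d+(?:\.\d+)*)$", re.IGNORECASE)


def normalize_tag(tag: str):
    """Return the bare dotted version a tag names, or None if it is not a release tag.

    Accepts 'v4.1.6', 'release-4.1.6' and '4.1.6'; rejects pre-release and dev tags
    such as '4.2.0-beta' or 'dev-4.1.7' so they never get mistaken for the fix.
    """
    match = _RELEASE_TAG_RE.match(tag.strip())
    return match.group(1) if match else None


def find_fixed_version(version: str, git_tags, svn_tags):
    """Locate the tag that pins a CVE's fixed version.

    The Git repository (the one the CPE reference points at) is checked first,
    then the SVN release tags. Returns (source, tag), or (None, None) when
    neither side carries the version, which is the case worth flagging for
    manual review rather than silently treating as 'no fix'.
    """
    for source, tags in (("git", git_tags), ("svn", svn_tags)):
        for tag in tags:
            if normalize_tag(tag) == version:
                return source, tag
    return None, None


if __name__ == "__main__":
    # With the constructed listings above, 4.1.6 is only found among the SVN release tags.
    print(find_fixed_version("4.1.6", GIT_TAGS, SVN_TAGS))
```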

@tungnxt89
Collaborator

Hi andrewpollock,

This source on GitHub is for development.

The source at https://plugins.svn.wordpress.org/learnpress/tags/ is the published source (release version).

So you can test on that. If LearnPress has any security issues, please give us feedback soon.

Thanks.

@andrewpollock
Author

Got it, thank you.

My question wasn't prompted by any specific security issue.
