The range events are not clear on how "limit" and "fixed" should be used in relation to each other (if they even should).
Let's say I have the following tree of commits:

```
A <- B <- C <- D
+ <- E
+ <- F <- G
```

I also have an OSV range with the following events for the above repo:

```
[
  { "introduced": "A" },
  { "limit": "D" },
  { "fixed": "G" }
]
```
The schema is not clear on the correct way to interpret this range, or whether or not this is even acceptable. For example:
- Is the commit "F" considered vulnerable?
- What about "E"?
The enumeration code in https://github.com/google/osv.dev treats them mutually exclusively, with "limit" taking preference.
Please update the schema to make this usage clearer.
#169 may be related.
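The ambiguity raised in this issue, worked through as an added example (not code from the schema or from osv.dev). The branch points of E and F (parents B and C), the exclusive treatment of `limit`, and all function names are assumptions of this sketch; the three readings are candidates, not the schema's definition.

```python
# Constructed commit graph: child -> parents. The diagram in the issue lost its
# indentation, so E branching from B and F branching from C are assumptions.
PARENTS = {"A": [], "B": ["A"], "C": ["B"], "D": ["C"],
           "E": ["B"], "F": ["C"], "G": ["F"]}
EVENTS = [{"introduced": "A"}, {"limit": "D"}, {"fixed": "G"}]

def ancestors(commit):
    """The commit plus everything reachable from it through parent links."""
    seen, stack = set(), [commit]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(PARENTS[c])
    return seen

def descendants(commit):
    """The commit plus every commit that has it as an ancestor."""
    return {c for c in PARENTS if commit in ancestors(c)}

def values(events, kind):
    return [e[kind] for e in events if kind in e]

def introduced_set(events):
    return set().union(*(descendants(i) for i in values(events, "introduced")))

def affected_fixed_only(events):
    """Reading 1: ignore limit; drop every commit that contains a fix."""
    hit = introduced_set(events)
    for fix in values(events, "fixed"):
        hit -= descendants(fix)
    return hit

def affected_limit_only(events):
    """Reading 2: ignore fixed; keep strict ancestors of a limit (assumed exclusive)."""
    allowed = set()
    for lim in values(events, "limit"):
        allowed |= ancestors(lim) - {lim}
    return introduced_set(events) & allowed

def affected_both(events):
    """Reading 3: apply limit and fixed together."""
    return affected_fixed_only(events) & affected_limit_only(events)

def disputed(events):
    """Commits whose status depends on which reading a consumer picks."""
    return affected_fixed_only(events) ^ affected_limit_only(events)

if __name__ == "__main__":
    for fn in (affected_fixed_only, affected_limit_only, affected_both, disputed):
        print(fn.__name__, sorted(fn(EVENTS)))
```

Under these assumptions E and F are flagged by the fixed-only reading and not by the limit-only reading, so two scanners consuming the same record can disagree on exactly the commits the issue asks about.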