Description

I came across the guava vulnerability `GHSA-5mg8-w23w-74h3` for which GHSA declares the affected version range as `<= 29.0`.

In OSV however, this is represented as:

```json
"ranges": [
  { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] }
],
"database_specific": { "last_known_affected_version_range": "<= 29.0" }
```

Given the constraint `<= 29.0`, I would've expected the following:

```json
"ranges": [
  { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "29.0" } ] }
]
```

The current situation makes automated processing unnecessarily hard. If I rely on the `ECOSYSTEM` range, I'll trigger lots of false positives due to it indicating a `>0` constraint. `database_specific` is not intended to influence vulnerability evaluation according to the spec. This is also visible when inspecting the (auto-generated) Affected versions section on OSV's website: https://osv.dev/vulnerability/GHSA-5mg8-w23w-74h3

At the moment, there are about 1990 advisories affected by this:

```
$ rg -l '"last_known_affected_version_range"' advisory-database | wc -l
1990
```

google/osv.dev#474 (comment) already hinted that GHSA currently does not support the `limit` or `last_affected` events. Is it planned to be addressed anytime soon?
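The evaluation problem the issue describes, as an added example that is neither the issue author's code nor OSV's own implementation: a small evaluator for OSV `ECOSYSTEM` range events (`introduced`, `fixed`, `last_affected`) run over a few constructed guava-style version strings, showing that the published `introduced: 0`-only range matches every version while the expected range with `last_affected: 29.0` stops at 29.0. It also shows a consumer-side workaround, `with_closing_event`, that lifts a `<= X` or `< X` hint from `database_specific.last_known_affected_version_range` into a proper closing event. The version comparison is a deliberate simplification (numeric dotted components, trailing zeros trimmed, the `-jre`/`-android` qualifier ignored) and is an assumption of this example, not Maven's or OSV's ordering; the sample version list is constructed.

```python
"""Added example: evaluate OSV ECOSYSTEM range events and patch in a missing
closing event from database_specific. Not OSV's or the issue author's code."""
import copy
import re


def version_key(version):
    """Simplified ordering key (assumption of this example): numeric dotted
    components, trailing zeros trimmed so "29.0" == "29", qualifier ignored."""
    core = version.split("-", 1)[0]
    nums = [int(part) for part in core.split(".")]
    while nums and nums[-1] == 0:
        nums.pop()
    return nums


def is_affected(version, events):
    """Walk the events in version order, per OSV semantics: `introduced` opens
    an interval (>=), `fixed` closes it exclusively (<), `last_affected`
    closes it inclusively (<=). An interval with no closing event is open-ended."""
    v = version_key(version)
    start = None
    for event in sorted(events, key=lambda e: version_key(next(iter(e.values())))):
        (kind, bound), = event.items()
        b = version_key(bound)
        if kind == "introduced":
            start = b
        elif kind == "fixed":
            if start is not None and start <= v < b:
                return True
            start = None
        elif kind == "last_affected":
            if start is not None and start <= v <= b:
                return True
            start = None
    return start is not None and v >= start


# Events as published for GHSA-5mg8-w23w-74h3 (from the issue) and as expected.
AS_PUBLISHED = [{"introduced": "0"}]
EXPECTED_EVENTS = [{"introduced": "0"}, {"last_affected": "29.0"}]

# Constructed sample versions; only 29.0 itself appears in the advisory.
SAMPLE_VERSIONS = ["28.2-jre", "29.0-jre", "30.0-jre", "31.1-android"]


def evaluate(events, versions=SAMPLE_VERSIONS):
    """Map each sample version to whether the given events mark it affected."""
    return {v: is_affected(v, events) for v in versions}


def with_closing_event(affected):
    """Consumer-side workaround (hypothetical): if an ECOSYSTEM range has no
    closing event and database_specific carries a "<= X" or "< X" hint, append
    the corresponding last_affected / fixed event. Returns a new dict."""
    hint = affected.get("database_specific", {}).get(
        "last_known_affected_version_range", "")
    match = re.fullmatch(r"\s*(<=?)\s*(\S+)\s*", hint)
    patched = copy.deepcopy(affected)
    if not match:
        return patched
    kind = "last_affected" if match.group(1) == "<=" else "fixed"
    for rng in patched.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue
        kinds = {k for event in rng["events"] for k in event}
        if "fixed" not in kinds and "last_affected" not in kinds:
            rng["events"].append({kind: match.group(2)})
    return patched


if __name__ == "__main__":
    print("as published:", evaluate(AS_PUBLISHED))
    print("expected:    ", evaluate(EXPECTED_EVENTS))
    entry = {
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
        "database_specific": {"last_known_affected_version_range": "<= 29.0"},
    }
    print("patched:     ", with_closing_event(entry)["ranges"][0]["events"])
```

Run stand-alone it prints the two evaluations side by side: every sample version is flagged under the published events, while only 28.2 and 29.0 are flagged under the expected ones. The workaround is only a stopgap for consumers; the hint field is free-form, so the regex deliberately recognises just the `<= X` and `< X` shapes and leaves anything else untouched.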