google / oss-fuzz-vulns

OSS-Fuzz vulnerabilities for OSV.

Home Page: https://osv.dev

[matio] How to fix/remove 2021-440?

tbeu opened this issue

commented

CVE-2020-36428 = OSV-2021-440 = https://oss-fuzz.com/testcase-detail/5668218489536512 is considered invalid. How can both CVE and OSV be marked as fixed?

@fyi @inferno-chromium

It's not fixed according to the OSV. https://osv.dev/vulnerability/OSV-2021-440 has an "introduced" event only, and no "fixed" event.

We also don't generate the CVE -- someone else is taking our entries and generating them.

commented

Yes, I know, it is not marked as fixed in the yaml file. But I thought it is considered a false-positive issue and wondered how to deal with it.

Ah, I misunderstood your question. After your PR, https://osv.dev/vulnerability/OSV-2021-440 is marked as fixed, thanks!
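The check discussed in this thread (a record that has an "introduced" event but no "fixed" event), as an added example that is not part of the original issue or of the oss-fuzz-vulns project's code. It assumes the OSV schema layout `affected[].ranges[].events[]`; the record ID, repository URL and commit hashes are constructed placeholders, and the function names are hypothetical.

```python
import copy
import json

# Constructed sample record in OSV schema shape. The ID, repo URL and commit
# hashes are placeholders, not values taken from OSV-2021-440.
OPEN_RECORD = json.loads("""
{
  "id": "OSV-0000-0001",
  "affected": [{
    "package": {"ecosystem": "OSS-Fuzz", "name": "example"},
    "ranges": [{
      "type": "GIT",
      "repo": "https://example.invalid/example.git",
      "events": [{"introduced": "1111111111111111111111111111111111111111"}]
    }]
  }]
}
""")

# Same record after a (constructed) "fixed" event is appended to the range.
FIXED_RECORD = copy.deepcopy(OPEN_RECORD)
FIXED_RECORD["affected"][0]["ranges"][0]["events"].append(
    {"fixed": "2222222222222222222222222222222222222222"}
)


def unfixed_ranges(record):
    """Return (package, range type, introduced values) for every range that
    has at least one 'introduced' event and no 'fixed' event."""
    missing = []
    for affected in record.get("affected", []):
        name = affected.get("package", {}).get("name", "?")
        for rng in affected.get("ranges", []):
            events = rng.get("events", [])
            introduced = [e["introduced"] for e in events if "introduced" in e]
            has_fixed = any("fixed" in e for e in events)
            if introduced and not has_fixed:
                missing.append((name, rng.get("type"), introduced))
    return missing


def is_marked_fixed(record):
    """True only if the record has ranges and none of them lacks a 'fixed' event."""
    ranges = [r for a in record.get("affected", []) for r in a.get("ranges", [])]
    return bool(ranges) and not unfixed_ranges(record)
```

A record with no ranges at all is reported as not fixed, so an empty or truncated entry is never mistaken for a resolved one.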