From 0e31b425944b71ca1cf970aa2b43ecb3b20a37f5 Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Sun, 8 Feb 2026 22:27:57 +0000
Subject: [PATCH 1/2] fix issue where repo from commit in refs different from
 CPE cache, resulting in failed conversion

---
 vulnfeeds/conversion/nvd/converter.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/vulnfeeds/conversion/nvd/converter.go b/vulnfeeds/conversion/nvd/converter.go
index 54018585182..fea44cdb5ff 100644
--- a/vulnfeeds/conversion/nvd/converter.go
+++ b/vulnfeeds/conversion/nvd/converter.go
@@ -63,6 +63,14 @@ func CVEToOSV(cve models.NVDCVE, repos []string, cache *git.RepoTagsCache, direc
 				break
 			}
 		}
+		if !hasAnyFixedCommits {
+			for _, ac := range versions.AffectedCommits {
+				if ac.Fixed != "" {
+					hasAnyFixedCommits = true
+					break
+				}
+			}
+		}
 
 		if versions.HasFixedVersions() && !hasAnyFixedCommits {
 			metrics.AddNote("Failed to convert fixed version tags to commits: %+v", versions)

From 82f924ac8026c560ac02c0f769ed078164ba9daa Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Sun, 8 Feb 2026 23:26:02 +0000
Subject: [PATCH 2/2] remove unneeded block

---
 vulnfeeds/conversion/nvd/converter.go | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/vulnfeeds/conversion/nvd/converter.go b/vulnfeeds/conversion/nvd/converter.go
index fea44cdb5ff..5f7f7fa8e85 100644
--- a/vulnfeeds/conversion/nvd/converter.go
+++ b/vulnfeeds/conversion/nvd/converter.go
@@ -57,20 +57,12 @@ func CVEToOSV(cve models.NVDCVE, repos []string, cache *git.RepoTagsCache, direc
 			return fmt.Errorf("failed to convert version tags to commits: %+v %w", versions, err)
 		}
 		hasAnyFixedCommits := false
-		for _, repo := range repos {
-			if versions.HasFixedCommits(repo) {
+		for _, ac := range versions.AffectedCommits {
+			if ac.Fixed != "" {
 				hasAnyFixedCommits = true
 				break
 			}
 		}
-		if !hasAnyFixedCommits {
-			for _, ac := range versions.AffectedCommits {
-				if ac.Fixed != "" {
-					hasAnyFixedCommits = true
-					break
-				}
-			}
-		}
 
 		if versions.HasFixedVersions() && !hasAnyFixedCommits {
 			metrics.AddNote("Failed to convert fixed version tags to commits: %+v", versions)
@@ -78,8 +70,8 @@ func CVEToOSV(cve models.NVDCVE, repos []string, cache *git.RepoTagsCache, direc
 		}
 
 		hasAnyLastAffectedCommits := false
-		for _, repo := range repos {
-			if versions.HasLastAffectedCommits(repo) {
+		for _, ac := range versions.AffectedCommits {
+			if ac.LastAffected != "" {
 				hasAnyLastAffectedCommits = true
 				break
 			}