{
  "repository": "https://github.com/apache/airflow",
  "commit_source": "git_tag_resolution",
  "commit_sha": "1438ea3587031417cc85d74323235cf087a058fb",
  "submitted_target": {
    "target_kind": "source_release",
    "commit_sha": "d148ae95df35042b4bfa5354ab9b5e21e388dc61",
    "version": "3.2.2",
    "ref": "refs/tags/3.2.2",
    "display": "Apache Airflow 3.2.2 (parent vulnerable version)"
  },
  "variant_target": {
    "target_kind": "source_release",
    "commit_sha": "1438ea3587031417cc85d74323235cf087a058fb",
    "version": "3.3.0",
    "ref": "refs/tags/3.3.0",
    "display": "Apache Airflow 3.3.0 (claimed fixed version, bypassed)"
  },
  "notes": "The packages were installed from wheels in the project cache; exact commit SHAs were resolved from the upstream Git tags using git ls-remote. The tag 3.3.0 object is f5f7953d949f61552c4feb8b3200be2a677a08c5, which points to commit 1438ea3587031417cc85d74323235cf087a058fb. The same airflow_exc_ser bypass was also observed in the main branch at 0d9dd822d3ac0cb44380836c455baecdf25e2eff at the time of testing."
}
