From 763f92e397ec05e6ad2cb868a6b6b48cb853ad9a Mon Sep 17 00:00:00 2001
From: Jess Lowe
Date: Wed, 18 Mar 2026 22:39:07 +0000
Subject: [PATCH] Remove last affected if fixed exists.

---
 vulnfeeds/cmd/combine-to-osv/main.go | 30 ++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/vulnfeeds/cmd/combine-to-osv/main.go b/vulnfeeds/cmd/combine-to-osv/main.go
index 898dd6cc41f..e21a51a37f7 100644
--- a/vulnfeeds/cmd/combine-to-osv/main.go
+++ b/vulnfeeds/cmd/combine-to-osv/main.go
@@ -208,9 +208,39 @@ func combineIntoOSV(cve5osv map[models.CVEID]*osvschema.Vulnerability, nvdosv ma
 osvRecords[cveID] = nvd
 }
 
+ // Clean up last_affected events in ranges that have a fixed event
+ cleanLastAffectedIfFixedExists(osvRecords)
+
 return osvRecords
 }
 
+// cleanLastAffectedIfFixedExists iterates through the ranges of all records,
+// and if a range contains a 'fixed' event, removes any 'last_affected' events.
+func cleanLastAffectedIfFixedExists(osvRecords map[models.CVEID]*osvschema.Vulnerability) {
+ for _, record := range osvRecords {
+ for _, affected := range record.GetAffected() {
+ for _, r := range affected.GetRanges() {
+ hasFixed := false
+ for _, e := range r.GetEvents() {
+ if e.GetFixed() != "" {
+ hasFixed = true
+ break
+ }
+ }
+ if hasFixed {
+ var newEvents []*osvschema.Event
+ for _, e := range r.GetEvents() {
+ if e.GetLastAffected() == "" {
+ newEvents = append(newEvents, e)
+ }
+ }
+ r.Events = newEvents
+ }
+ }
+ }
+ }
+}
+
 // combineTwoOSVRecords takes two osv records and combines them into one
 func combineTwoOSVRecords(cve5 *osvschema.Vulnerability, nvd *osvschema.Vulnerability) *osvschema.Vulnerability {
 baseOSV := cve5
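Review bot: `cleanLastAffectedIfFixedExists` drops every `last_affected` event as soon as the range holds one `fixed` event, without checking that both close the same `introduced` interval. If a combined range can carry more than one interval (say one branch closed by `fixed` and another by `last_affected`), the second interval loses its upper bound and consumers would read all later versions as affected; whether such ranges occur depends on merge code outside this hunk. Consider removing a `last_affected` only when a `fixed` follows the same `introduced`, and cover the multi-interval case with a table test. The function also rewrites `r.Events` in place on records stored by pointer (`osvRecords[cveID] = nvd`), so the doc comment should say `// It mutates the records in place.`, and iterating with `for cveID, record := range osvRecords` would let the cleanup log which advisories were altered.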