Closed cerrussell closed 11 months ago
@cerrussell Is there a CVE where this problem exists? It sounds like poor data quality as well.
@prabhu I'm not sure I grasp where data quality comes into it, but there is certainly no shortage of CVEs with quality issues.
@prabhu As far as CVEs with this issue, I noticed the incorrect results when matching reachables with the correct CSAF vulnerability objects. Errors in this scenario won't cause me to lose sleep at night given the incorrect results only give false positives in terms of a vulnerability being reachable, rather than the other way around. As is, CSAF vulnerabilities will not receive the flag intended if the found version is the same as a non-inclusive upper or lower limit version.
I don't know what impact there may be in other places this function is used, such as building the db. I expect it would take less time to just fix than to inspect the db as it is built to see what happens.
@cerrussell it appears like a bug in osv or somewhere since databases are unlikely to have such contradictory information.
So this could be multiple bugs.
@prabhu What is the contradictory information? The version range data itself is fine. The issue is that the function is written to disregard exclude versions if there's a min or max version provided.
# Semver compatible and including versions provided
is_min_exclude = False
is_max_exclude = False
if (not min_version or min_version == "*") and mie:
min_version = mie
is_min_exclude = True
if (not max_version or max_version == "*") and mae:
max_version = mae
is_max_exclude = True
if not min_version:
min_version = "0"
The
version_compare
function does not take a specified mie into account when determining if a version falls within a given range.Example
version_compare(compare_ver="2.0.0", min_version="2.0.0", max_version="3.0.0",mie="2.0.0",mae="3.0.0"
returnsTrue
.This is equivalent to 2.0.0<2.0.0 and should therefore be
False
.@prabhu I have added a test to replicate this problem per your request on the linked branch. There is currently only one test line which includes an mie other than None in the existing tests on master and it appears to work as expected only because min_version is None in that case. This yields the expected results for that test as well as the above example. See test_version_compare1 where I have altered the test failing in test_version_compare to have a min_version of None rather than 2.0.0.
On further inspection, I see that the same scenario occurs for mae if max_version is not None. If this is how the function is intended to work - that not all available parameters should be included - we should add a couple lines to the beginning of version_compare to set the min or max versions to None if mie or mae are included.