AppThreat / vulnerability-db

Vulnerability database and package search for sources such as Linux, OSV, NVD, GitHub and npm. Powered by sqlite, CVE 5.0, purl, and vers.
MIT License

Fix/issue 75 version_compare #76

Closed cerrussell closed 11 months ago

cerrussell commented 11 months ago

Closes #75

Changes logic for version_compare in utils to use the mie and mae when they are provided, even if min or max versions are also included. Adds additional tests to demonstrate why this is necessary.
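As an added illustration (not vulnerability-db's own code), a minimal range check in the spirit of the change described above; the parameter names `min_excluding`/`max_excluding` are an assumption standing in for what the PR calls mie and mae:

```python
from typing import Optional, Tuple

def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted numeric version such as "2.4.1" into a comparable tuple.

    Anything after the first "-" (e.g. a distro pkgrel like the "-1" discussed
    in this thread) is ignored here; a real comparator must handle such suffixes
    according to each distro's own scheme.
    """
    upstream = version.split("-", 1)[0]
    parts = []
    for piece in upstream.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 2.4 == 2.4.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)

def version_in_range(
    compare_ver: str,
    min_version: Optional[str] = None,
    max_version: Optional[str] = None,
    min_excluding: Optional[str] = None,  # assumed equivalent of the PR's mie
    max_excluding: Optional[str] = None,  # assumed equivalent of the PR's mae
) -> bool:
    """True if compare_ver falls inside the affected range.

    An exclusive bound, when present, is honoured even if the inclusive bound
    on the same side is also filled in, which is the behaviour the PR describes.
    """
    if min_excluding is not None:
        if compare_versions(compare_ver, min_excluding) <= 0:
            return False
    elif min_version is not None and compare_versions(compare_ver, min_version) < 0:
        return False
    if max_excluding is not None:
        if compare_versions(compare_ver, max_excluding) >= 0:
            return False
    elif max_version is not None and compare_versions(compare_ver, max_version) > 0:
        return False
    return True
```

With both `max_version="2.4.1"` and `max_excluding="2.4.1"` set, version 2.4.1 is reported as not affected; checking only the inclusive bound would have flagged it.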

prabhu commented 11 months ago

We have to test with container images as well to see how it looks

cerrussell commented 11 months ago

@prabhu I ran depscan on the container image you recommended with the current release of vdb and then with this branch.

The results matched except for two additional entries not included with the current release of vdb. At first, I thought these were false positives, but on investigation, it appears they should have appeared before. In both cases, the packages were flagged as a result of having a version of x.x.x rather than x.x.x-1. I am somewhat confused about why the fix version we have stored is x.x.x-1 rather than x.x.x given the CVEs (CVE-2017-12618, CVE-2020-35512) specify just the x.x.x versions as fixed. However, this is a separate issue that just happened to be revealed by the changes in this PR; I will create a separate issue to address it.

cerrussell commented 11 months ago

@prabhu A deep dive into the two CVEs I mentioned reveals this is not our issue but a mistake (I believe) in the Arch Linux data we pull from vuln-list. I think they should be specifying their fixed versions as x.x.x-0, not x.x.x-1. Unfortunately, we can't really do anything to address it since we have no way of automatically determining if the fixed version is correct or not.

prabhu commented 11 months ago

@cerrussell Every distro has its own version schemes with quirks, and no one follows semver in the os distro space. It proves our theory that the results will be different now compared to the previous version for container scans, so we have to find a way to tune down the false positives.