CVEProject / cve-website

The new CVE website

!== 0 used to compare a version string of "0"? #1874

Open ElectricNroff opened 1 year ago

ElectricNroff commented 1 year ago

https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/versions.md says

"lessThan": "*", which denotes a range with no upper bound at all
...
"version": "0" means that the range has no lower bound

The first special case of an unbounded situation is handled here: https://github.com/CVEProject/cve-website/blob/6d957a8a761c633745430e9ba73e33532987f212/src/views/CVERecord/PublishedRecord.vue#L654-L656

The second special case of an unbounded situation is handled here: https://github.com/CVEProject/cve-website/blob/6d957a8a761c633745430e9ba73e33532987f212/src/views/CVERecord/PublishedRecord.vue#L522-L525

However, productVersion !== 0 is always true, because the input data must have a string (not an integer) such as "version": "0" shown above. Example: https://www.cve.org/CVERecord?id=CVE-2023-1580

Reference: https://github.com/CVEProject/cve-schema/blob/20a9e977d9020c12d7dce07eb7ef8de30bd61f64/schema/v5.0/CVE_JSON_5.0_schema.json#L82-L86

Should the code be changed to:

if (productVersion !== 'unspecified' && productVersion !== '0')

?

ElectricNroff commented 8 months ago

Also in: https://github.com/CVEProject/cve-website/blob/ce5432aaf4ca70cb1d82e69091d7996f6c985733/src/views/CVERecord/PublishedRecord.vue#L556 productVersion !== '*' seems unintended because https://github.com/CVEProject/cve-schema/blob/6b11a1b3a7c3a9e504c5cba1b39129d279a7f147/schema/v5.0/docs/versions.md does not define the meaning of a * value for the version property.

productVersion !== '0' may have been intended instead of productVersion !== '*'
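An added example, not code from cve-website or the CVE Program, that reproduces the point made in both comments above: a CVE JSON 5.0 `version` value is a string, so the strict comparison `productVersion !== 0` can never be false, and the lower-bound check only behaves as versions.md describes when it compares against the string `'0'`. The `sampleVersions` array is constructed here to look like the `versions` list of an `affected` entry and is not taken from any real record; the helper names (`hasLowerBoundBuggy`, `hasLowerBoundFixed`, `describeRange`, `renderAll`) are assumptions for this example and do not exist in `PublishedRecord.vue`. Following the second comment, the fixed predicate does not special-case `'*'` as a `version` value, since versions.md gives it no meaning there.

```javascript
// Added example, not cve-website code. Demonstrates why `productVersion !== 0`
// never fires on CVE JSON 5.0 input and how the proposed `!== '0'` check behaves.

// Constructed sample shaped like the "versions" array of an "affected" entry
// in a CVE JSON 5.0 record. Not taken from any real CVE record.
const sampleVersions = [
  // versions.md: "version": "0" means no lower bound.
  { version: "0", lessThan: "4.2.1", status: "affected", versionType: "semver" },
  // versions.md: "lessThan": "*" means no upper bound.
  { version: "4.2.1", lessThan: "*", status: "affected", versionType: "semver" },
  // No lessThan/lessThanOrEqual: a single version, not a range.
  { version: "3.0.0", status: "affected", versionType: "semver" },
];

// Schema guard: CVE_JSON_5.0_schema.json declares "version" as a string, so an
// integer 0 is not valid input and cannot reach the comparison in the view.
function assertSchemaVersion(v) {
  if (typeof v.version !== "string") {
    throw new TypeError(`version must be a string, got ${typeof v.version}`);
  }
  if (v.lessThan !== undefined && typeof v.lessThan !== "string") {
    throw new TypeError("lessThan must be a string");
  }
  return v;
}

// The check as the issue describes it: strict inequality against the number 0.
// Because v.version is always a string, `"0" !== 0` is true, so this never
// recognises the "no lower bound" case.
function hasLowerBoundBuggy(productVersion) {
  return productVersion !== "unspecified" && productVersion !== 0;
}

// The check as proposed in the issue: compare against the string "0".
// "*" is deliberately not treated as a special version value here.
function hasLowerBoundFixed(productVersion) {
  return productVersion !== "unspecified" && productVersion !== "0";
}

// Render one version entry the way a record page might, using the supplied
// lower-bound predicate so both variants can be compared on the same input.
function describeRange(v, hasLowerBound) {
  assertSchemaVersion(v);
  if (v.lessThan === undefined && v.lessThanOrEqual === undefined) {
    return `${v.status}: ${v.version}`; // single version, no range
  }
  const parts = [];
  if (hasLowerBound(v.version)) {
    parts.push(`from ${v.version}`);
  }
  if (v.lessThan === "*") {
    parts.push("onwards");
  } else if (v.lessThan !== undefined) {
    parts.push(`before ${v.lessThan}`);
  } else {
    parts.push(`through ${v.lessThanOrEqual}`);
  }
  // A range with no lower bound and lessThan "*" would leave only "onwards";
  // report that as all versions instead.
  const text = parts.join(" ") === "onwards" ? "all versions" : parts.join(" ");
  return `${v.status}: ${text}`;
}

function renderAll(versions, hasLowerBound) {
  return versions.map((v) => describeRange(v, hasLowerBound));
}

// Demonstration when run directly with node.
console.log("buggy:", renderAll(sampleVersions, hasLowerBoundBuggy));
console.log("fixed:", renderAll(sampleVersions, hasLowerBoundFixed));
```

Running it shows the first entry rendered as "from 0 before 4.2.1" under the buggy predicate and as "before 4.2.1" under the fixed one; the other two entries render identically under both, which is why the defect only surfaces on records that use the `"version": "0"` convention.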