anthonyharrison / lib4sbom

Library to ingest and generate SBOMs
Apache License 2.0

Version manipulation #32

Open Vishnu-2810 opened 3 months ago

Vishnu-2810 commented 3 months ago

As per semantic versioning standards, pre-release versions can contain hyphens, but in lib4sbom we are changing the version by splitting on the hyphens. Do we have any logical reason behind this, like only major versions to be detected @anthonyharrison?

Manipulation code

```python
def _semantic_version(self, version):
    # Drops everything after the first hyphen, so "1.0.0-alpha.1" becomes "1.0.0"
    return version.split("-")[0] if "-" in version else version
```

Thanks in advance.

anthonyharrison commented 3 months ago

@Vishnu-2810 Component versions are very inconsistent. The approach was to enable vulnerability scanners to find the component in a vulnerability database. Including the pre-release component in the version component meant that potential vulnerabilities could be missed. Do you have an example of where the removal of the pre-release component has resulted in some incorrect results from a vulnerability scanner?

Vishnu-2810 commented 2 months ago

> @Vishnu-2810 Component versions are very inconsistent. The approach was to enable vulnerability scanners to find the component in a vulnerability database. Including the pre-release component in the version component meant that potential vulnerabilities could be missed. Do you have an example of where the removal of the pre-release component has resulted in some incorrect results from a vulnerability scanner?

We will also have pre-release version vulnerabilities in the vulnerability database. Then how could potential vulnerabilities be missed? Can you please explain in detail @anthonyharrison?

Thanks in advance

anthonyharrison commented 2 months ago

> We will also have pre-release version vulnerabilities in the vulnerability database. Then how could potential vulnerabilities be missed? Can you please explain in detail @anthonyharrison?

I don't believe pre-release versions of components are in the vulnerability database. Can you give me an example of a pre-release component which has a vulnerability which you are using?

nodet commented 1 month ago

@swagger-api/apidom-ast@1.0.0-alpha.1 appears in the Snyk database at https://security.snyk.io/package/npm/@swagger-api%2Fapidom-ast/1.0.0-alpha.1

Removing the -alpha.1 breaks our SBOM production pipeline: it prevents us from finding the information about that particular package to build our SBOM. We fetch https://registry.npmjs.org/@swagger-api/apidom-ast to retrieve the information we need, but can't find in the response any version named 1.0.0 because one doesn't exist yet.

The fact that there doesn't exist any package with a vulnerability in a pre-release version doesn't seem relevant to me: lib4sbom should not change anything it reads.
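The following is an added example, not lib4sbom's code and not code from anyone in this thread. It shows the two behaviours under discussion side by side: the hyphen-split from the issue, and a SemVer 2.0.0 parse (using the regular expression published at semver.org) that keeps the pre-release and build metadata intact. `FAKE_REGISTRY` is a constructed stand-in for the `versions` map of an npm registry document, built to mirror nodet's case where only 1.0.0-alpha.x releases exist; `strip_prerelease`, `parse_semver`, `registry_has_version` and `lookup_candidates` are hypothetical names. `lookup_candidates` is one way to satisfy both sides: the SBOM keeps the version exactly as read, and a scanner can still fall back to the core version as a secondary key.

```python
import re

# Official SemVer 2.0.0 pattern from semver.org, rewritten with named groups.
SEMVER_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+(?P<build>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)


def strip_prerelease(version: str) -> str:
    """Same behaviour as the one-liner quoted in the issue: cut at the first hyphen."""
    return version.split("-")[0] if "-" in version else version


def parse_semver(version: str):
    """Return (core, prerelease, build) for a valid SemVer 2.0.0 string, else None.

    Note that the hyphen is only a pre-release separator in SemVer; a Debian-style
    "1.2.3-4ubuntu1" also matches the pattern but there "4ubuntu1" is a package
    revision, which is why a blind split on "-" is not a safe normalisation.
    """
    m = SEMVER_RE.match(version)
    if m is None:
        return None
    core = f"{m['major']}.{m['minor']}.{m['patch']}"
    return core, m["prerelease"], m["build"]


def lookup_candidates(version: str):
    """Keys a scanner could try, most specific first, without losing the original.

    The exact string always comes first; the SemVer core is added only when it
    differs, so "1.0.0-alpha.1" yields ["1.0.0-alpha.1", "1.0.0"] and a
    non-SemVer string such as "1.0" yields just ["1.0"].
    """
    candidates = [version]
    parsed = parse_semver(version)
    if parsed is not None and parsed[0] != version:
        candidates.append(parsed[0])
    return candidates


# Constructed stand-in for the "versions" map returned by
# https://registry.npmjs.org/<package>; only the keys matter here.
FAKE_REGISTRY = {
    "@swagger-api/apidom-ast": {
        "versions": {"1.0.0-alpha.0": {}, "1.0.0-alpha.1": {}},
    },
}


def registry_has_version(name: str, version: str, registry=FAKE_REGISTRY) -> bool:
    """Exact-match lookup, as a registry client would do before fetching metadata."""
    return version in registry.get(name, {}).get("versions", {})


if __name__ == "__main__":
    v = "1.0.0-alpha.1"
    print("stripped:", strip_prerelease(v))
    print("parsed:", parse_semver(v))
    print("candidates:", lookup_candidates(v))
    print("registry has original:", registry_has_version("@swagger-api/apidom-ast", v))
    print("registry has stripped:", registry_has_version("@swagger-api/apidom-ast", strip_prerelease(v)))
```

Run against the constructed registry, the stripped version "1.0.0" is not found while the original "1.0.0-alpha.1" is, which is the pipeline failure nodet describes; the candidate list still exposes "1.0.0" as a fallback key for a scanner that indexes only release versions.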