Closed DmitriyLewen closed 1 day ago
We remove duplicates of packages. But there are cases when packages use the same version, but one of the packages omits the 0 patch version (e.g. 2.17.0 and 2.17).
Using go-mvn-version to compare versions solves this problem.
before:
➜ trivy -q image apachepulsar/pulsar:3.3.0 --format cyclonedx | grep '"purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core'
"purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41",
"purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41.0",
after:
➜ trivy -q image apachepulsar/pulsar:3.3.0 --format cyclonedx | grep '"purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core'
"purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41",
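The deduplication problem described in this pull request, as an added example that is not the PR's code and does not use go-mvn-version. It assumes a hypothetical `Package` type and a simplified `canonical` helper that only trims trailing all-zero numeric components; real Maven version ordering also handles qualifiers, which this sketch leaves untouched.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is a hypothetical, minimal stand-in for a scanner's package record.
type Package struct {
	Name    string // groupId:artifactId
	Version string
}

// canonical drops trailing all-zero components so "2.41.0" and "2.41" share a key.
// Simplification (assumption): qualifiers such as "-SNAPSHOT" are not interpreted.
func canonical(v string) string {
	parts := strings.Split(v, ".")
	for len(parts) > 1 {
		last := parts[len(parts)-1]
		if last == "" || strings.Trim(last, "0") != "" {
			break // not an all-zero numeric component
		}
		parts = parts[:len(parts)-1]
	}
	return strings.Join(parts, ".")
}

// Dedup keeps the first package seen for each name and canonical version.
func Dedup(pkgs []Package) []Package {
	seen := make(map[string]struct{})
	var out []Package
	for _, p := range pkgs {
		key := p.Name + "@" + canonical(p.Version)
		if _, dup := seen[key]; dup {
			continue
		}
		seen[key] = struct{}{}
		out = append(out, p)
	}
	return out
}

func main() {
	name := "org.glassfish.jersey.containers:jersey-container-servlet-core"
	// Constructed sample input: the same artifact reported as 2.41 and 2.41.0.
	pkgs := []Package{{Name: name, Version: "2.41"}, {Name: name, Version: "2.41.0"}, {Name: name, Version: "2.4.1"}}
	for _, p := range Dedup(pkgs) {
		fmt.Println(p.Name + "@" + p.Version)
	}
}
```

A plain string comparison of the version fields would keep both `2.41` and `2.41.0`, which is how the same component ends up listed twice in the SBOM.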