boostsecurityio / poutine

Apache License 2.0

known_vulnerability semver matching issue #57

Open becojo opened 2 months ago

becojo commented 2 months ago

Describe the bug

When hashicorp/go-version is given a GitHub Actions version "4", it pads the rest of the semver components with zeros, making the effective version "4.0.0" (https://github.com/hashicorp/go-version/blob/644291d14038339745c2d883a1a114488e30b702/version.go#L77-L82).

This means that when version "4" is matched against a vulnerable version range such as ">=4.0.0,<4.4.1", version "4.0.0" is considered part of the range. The expected result of this test case should be flipped:

diff --git a/opa/opa_test.go b/opa/opa_test.go
index 5ca7d5e..9f8979c 100644
--- a/opa/opa_test.go
+++ b/opa/opa_test.go
@@ -67,7 +67,7 @@ func TestSemverConstraintCheck(t *testing.T) {
        {
            constraint: ">=4.0.0,<4.4.1",
            version:    "4",
-           expected:   true,
+           expected:   false,
        },
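Review bot: flipping `expected` to `false` on its own leaves TestSemverConstraintCheck failing, because nothing in this hunk changes how the constraint check treats a bare major version; the comparison that pads "4" to "4.0.0" has to change alongside this expectation, so the matching fix and the test update should land in the same patch. A sibling case with a two-component version (e.g. `version: "4.4"` against the same constraint) would also document what the check should do for minor-level tags, since the padding problem applies to them as well.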
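To show the two behaviours side by side, here is an added Go example (not poutine's or go-version's code): a small stand-alone re-implementation of the zero-padded comparison the issue describes, next to a stricter rule, assumed here for illustration, that treats a short tag such as "4" as the whole range of releases it can resolve to and reports it inside the constraint only when every one of those releases is. The constraint grammar (comma-separated `>=`, `>`, `<=`, `<`, `=` clauses), the `Match` function and its `floating` switch are assumptions of the example, not part of the project.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// version keeps the components and how many of them were written, so the bare
// major tag "4" (n=1) can be told apart from the exact release "4.0.0" (n=3).
type version struct {
	parts [3]int
	n     int
}

// parseVersion accepts "4", "4.4" or "4.4.1"; missing components stay zero,
// which reproduces the padding the issue describes.
func parseVersion(s string) (version, error) {
	var v version
	fields := strings.Split(strings.TrimSpace(s), ".")
	for i, f := range fields {
		x, err := strconv.Atoi(f)
		if err != nil || i > 2 {
			return v, fmt.Errorf("bad version %q", s)
		}
		v.parts[i] = x
	}
	v.n = len(fields)
	return v, nil
}

// clause is one comparison of a comma-separated constraint such as ">=4.0.0,<4.4.1".
type clause struct {
	op string
	v  [3]int
}

func parseConstraint(s string) ([]clause, error) {
	var cs []clause
	for _, raw := range strings.Split(s, ",") {
		raw = strings.TrimSpace(raw)
		op := strings.TrimRight(raw, "0123456789.") // operator is whatever precedes the number
		v, err := parseVersion(raw[len(op):])
		if !slices.Contains([]string{">=", "<=", ">", "<", "="}, op) || err != nil {
			return nil, fmt.Errorf("bad clause %q", raw)
		}
		cs = append(cs, clause{op: op, v: v.parts})
	}
	return cs, nil
}

// Match reports whether ver lies inside constraint. With floating=false it mirrors
// the reported behaviour: "4" is padded to 4.0.0 and compared as that exact release.
// With floating=true a short tag stands for every release it can resolve to and
// matches only when that whole range lies inside the constraint (assumed rule).
func Match(constraint, ver string, floating bool) (bool, error) {
	cs, err := parseConstraint(constraint)
	v, verr := parseVersion(ver)
	if err != nil || verr != nil {
		return false, errors.Join(err, verr)
	}
	exact := !floating || v.n == 3
	lo, hi := v.parts, v.parts // lowest possible resolution and exclusive upper bound
	if !exact {
		hi[v.n-1]++ // "4" -> 5.0.0, "4.4" -> 4.5.0
	}
	for _, c := range cs {
		down, up := slices.Compare(lo[:], c.v[:]), slices.Compare(hi[:], c.v[:])
		var ok bool
		switch c.op {
		case ">=":
			ok = down >= 0
		case ">":
			ok = down > 0
		case "<":
			ok = up < 0 || (!exact && up == 0) // floating: every resolution is below hi
		case "<=":
			ok = up <= 0
		default: // "=": a floating tag never pins a single release
			ok = exact && down == 0
		}
		if !ok {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	for _, ver := range []string{"4", "4.4", "4.3.0", "4.4.1"} {
		padded, _ := Match(">=4.0.0,<4.4.1", ver, false)
		floating, _ := Match(">=4.0.0,<4.4.1", ver, true)
		fmt.Printf("%-6s padded=%-5v floating=%v\n", ver, padded, floating)
	}
}
```

With the issue's constraint, `Match(">=4.0.0,<4.4.1", "4", false)` returns true (the padded reading that the test currently encodes) while `Match(">=4.0.0,<4.4.1", "4", true)` returns false, matching the flipped expectation in the diff; the same floating tag against ">=4.0.0,<5.0.0" returns true, since every 4.x release it can resolve to is inside that range. The rule is deliberately conservative: it never reports a floating tag as vulnerable when some release it may resolve to is outside the range.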
fproulx-boostsecurity commented 2 months ago

I guess this could be closed @Becojo