Open becojo opened 2 months ago
Describe the bug
When hashicorp/go-version is given a GitHub Actions version "4", it pads the rest of the semver components with zeros, making the effective version "4.0.0": https://github.com/hashicorp/go-version/blob/644291d14038339745c2d883a1a114488e30b702/version.go#L77-L82
This makes it so that when trying to match version "4" against a vulnerable version range such as ">=4.0.0,<4.4.1", version "4.0.0" is considered part of the range. The expected result of this test case should be flipped:
diff --git a/opa/opa_test.go b/opa/opa_test.go index 5ca7d5e..9f8979c 100644 --- a/opa/opa_test.go +++ b/opa/opa_test.go @@ -67,7 +67,7 @@ func TestSemverConstraintCheck(t *testing.T) { { constraint: ">=4.0.0,<4.4.1", version: "4", - expected: true, + expected: false, },
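Review bot: flipping `expected` to `false` records the intended behaviour, but on its own this test will fail against the current constraint check, because go-version still normalizes "4" to "4.0.0", which does satisfy `>=4.0.0,<4.4.1`; land the test change together with the handling for major-only versions (treating "4" as the whole 4.x line rather than the point 4.0.0), and consider adding a companion case in the same table, for example version "4" against a constraint that every 4.x release satisfies, so the new behaviour is pinned from both sides rather than only as a negative.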
I guess this could be closed @Becojo
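To make the padding problem from the issue concrete, here is an added example (not code from this project or from go-version) of a checker that remembers how many components a tag actually specified: "4" is treated as the whole 4.x line, so a range like ">=4.0.0,<4.4.1" that only partly covers it yields "indeterminate" instead of a false "vulnerable". The names `span` and `Check`, the packed-integer encoding and the restriction to ">=" and "<" terms are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// span maps "4", "4.4" or "4.4.1" to the half-open interval [lo, hi) it can denote (packed major*1e6+minor*1e3+patch), e.g. "4" -> [4.0.0, 5.0.0); go-version keeps only lo.
func span(s string) (lo, hi int, ok bool) {
	fields := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if i > 2 || err != nil || n < 0 || n >= 1000 { // packing assumes components below 1000
			return 0, 0, false
		}
		lo += n * []int{1e6, 1e3, 1}[i]
	}
	return lo, lo + []int{1e6, 1e3, 1}[len(fields)-1], true // hi: successor at the last given component
}

// Check supports ">=A" and "<B" terms (bounds zero-padded as go-version does). It returns "match"
// if every version the tag can denote is in range, "no match" if none is, else "indeterminate".
func Check(constraint, version string) string {
	vlo, vhi, ok := span(version)
	clo, chi := 0, int(^uint(0)>>1) // unbounded until a term narrows it
	for _, c := range strings.Split(strings.ReplaceAll(constraint, " ", ""), ",") {
		op := strings.TrimRight(c, "0123456789.v")
		b, _, bok := span(c[len(op):])
		ok = ok && bok && (op == ">=" || op == "<")
		if op == ">=" && b > clo {
			clo = b
		} else if op == "<" && b < chi {
			chi = b
		}
	}
	switch {
	case !ok:
		return "error"
	case clo <= vlo && vhi <= chi:
		return "match"
	case vhi <= clo || chi <= vlo:
		return "no match"
	}
	return "indeterminate"
}

func main() {
	// The issue's test case: the padded point is inside the range, the bare tag straddles it.
	fmt.Println(Check(">=4.0.0,<4.4.1", "4.0.0"), "vs", Check(">=4.0.0,<4.4.1", "4")) // match vs indeterminate
}
```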