Manually inspecting the parsing of CVE-2020-26261,
I noticed that the producer was not able to find any vulnerable_purls for the vulnerability. The version range indicated as vulnerable in the advisory is <0.15. However, the version was released as 0.15.0 on PyPI. Thus, the VersionRanger is not able to find it.
One quick solution is to find the version using a regex in the case of failure. In this case, looking for 0.15.*. Otherwise, one could use an external library, such as https://github.com/zafarkhaja/jsemver, but this assumes all projects use Semantic Versioning, which is unfortunately not the case.
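The regex fallback described above, worked through as an added example (not code from the issue or from the project's own VersionRanger): the advisory bound `0.15` is first looked up as an exact release name, and only on failure mapped to a release via an anchored `0.15.*`-style pattern, after which the `<0.15` range is evaluated with zero-padded component comparison. The release list is constructed sample data, and versions are assumed to be purely numeric dotted strings.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of releases as PyPI might list them (not real data for any package).
RELEASED = ["0.13.0", "0.14.0", "0.14.1", "0.15.0", "0.15.1", "0.16.0"]

def parse_version(v: str) -> Tuple[int, ...]:
    """Split '0.15.0' into (0, 15, 0). Assumes numeric dotted versions only."""
    return tuple(int(p) for p in v.split("."))

def pad(t: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """'0.15' and '0.15.0' name the same release; pad the shorter with zeros before comparing."""
    return t + (0,) * (n - len(t))

def resolve_bound(bound: str, released: List[str]) -> Optional[str]:
    """Map the advisory's bound (e.g. '0.15') to an actual release.

    Exact name match first; on failure fall back to the regex idea from the issue.
    The pattern is anchored and only allows further '.N' components, so '0.15'
    matches '0.15.0' and '0.15.1' but not '0.150', which a bare '0.15.*' would match.
    The lowest matching release is taken as the boundary.
    """
    if bound in released:
        return bound
    pattern = re.compile(r"^" + re.escape(bound) + r"(\.\d+)*$")
    candidates = [r for r in released if pattern.match(r)]
    return min(candidates, key=parse_version) if candidates else None

def vulnerable_versions(range_expr: str, released: List[str]) -> List[str]:
    """Evaluate an advisory range of the form '<X' against the release list.

    Returns the releases strictly below the resolved bound, or an empty list
    when the bound cannot be mapped to any release (the original failure mode).
    """
    m = re.fullmatch(r"\s*<\s*(\d+(?:\.\d+)*)\s*", range_expr)
    if not m:
        raise ValueError(f"unsupported range: {range_expr!r}")
    upper = resolve_bound(m.group(1), released)
    if upper is None:
        return []
    bound_t = parse_version(upper)
    out = []
    for r in released:
        rt = parse_version(r)
        n = max(len(rt), len(bound_t))
        if pad(rt, n) < pad(bound_t, n):
            out.append(r)
    return out

if __name__ == "__main__":
    print(resolve_bound("0.15", RELEASED))          # 0.15.0
    print(vulnerable_versions("<0.15", RELEASED))   # ['0.13.0', '0.14.0', '0.14.1']
```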