fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0

Package Version Comparison Failure #91

Closed elanzini closed 2 years ago

elanzini commented 3 years ago

Manually inspecting the parsing of CVE-2020-26261, I noticed that the producer was not able to find any vulnerable_purls for the vulnerability. The version range indicated as vulnerable in the advisory is <0.15. However, the version was released as 0.15.0 on PyPI. Thus, the VersionRanger is not able to find it.

One quick solution is to find the version using a regex in the case of failure. In this case, looking for 0.15.*. Otherwise, one could use an external library, such as https://github.com/zafarkhaja/jsemver, but this assumes all projects use Semantic Versioning, which is unfortunately not the case.
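As an added illustration of the mismatch described in the comment above (example code, not the vulnerability-producer's own VersionRanger), the Python below pads missing trailing components with zeros so an advisory bound such as `<0.15` compares correctly against PyPI releases like `0.14.0` and `0.15.0`, and also shows the prefix-regex fallback the comment suggests. The release list is constructed sample data, not the real release history of the affected project.

```python
import re
from itertools import zip_longest

# Constructed sample release list (hypothetical, not real PyPI data).
RELEASES = ["0.13.1", "0.14.0", "0.15.0", "0.15.1", "0.16.0"]


def parse_version(v):
    """Split 'a.b.c' into a tuple of ints. Non-numeric tails such as '1.0rc1'
    are rejected explicitly rather than silently mis-compared."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def compare(a, b):
    """Return -1, 0 or 1. Missing trailing components count as 0, so
    '0.15' == '0.15.0' and '0.14.0' < '0.15' (the case from the issue)."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def in_range(version, range_expr):
    """Evaluate a comma-separated advisory range such as '>=0.10,<0.15'."""
    for clause in range_expr.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(version, bound)):
            return False
    return True


def vulnerable_versions(releases, range_expr):
    """Releases that fall inside the advisory range (what vulnerable_purls
    would be derived from)."""
    return [v for v in releases if in_range(v, range_expr)]


def prefix_matches(releases, prefix):
    """Regex fallback from the comment: '0.15' matches 0.15, 0.15.0, 0.15.1."""
    pat = re.compile(r"^" + re.escape(prefix) + r"(\.\d+)*$")
    return [v for v in releases if pat.match(v)]
```

With the constructed list, `vulnerable_versions(RELEASES, "<0.15")` yields only the 0.13 and 0.14 releases, while `0.15.0` is correctly excluded because it equals the bound.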

MagielBruntink commented 2 years ago

The current version maps this vulnerability correctly.