intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

Version prediction Issue #3938

Open Vishnu-2810 opened 8 months ago

Vishnu-2810 commented 8 months ago

I'm trying to add a custom checker for ImageMagick; the version pattern is ImageMagick-([\d]+.[\d]+.[\d]+-[\d]+) (e.g. ImageMagick-7.1.1-15), but after adding the checker class I'm getting the version as 7.1.1.15. Why and how is -15 changed to .15?

The version is inconsistent in such ways. How do I resolve this issue, @Error838?

Thanks in advance.

terriko commented 8 months ago

We currently change all delimiters to . internally to handle some hoary version representation cases (versions are the worst).

If you're just trying to practice making checkers, just tell it that it should be 7.1.1.15 for now and move on with life.

I'm not averse to improving the way we handle delimiters, but that's a huge project that'll need to be run against a lot of data, and it's not happening fast. Arbitrary version comparison is just surprisingly hard in practice, and we'd have to know a lot about "does - mean after? What about ~? Does it sometimes mean before?"
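Added example (not cve-bin-tool's own checker or version code) illustrating the behaviour described in this thread: a regex adapted from the pattern quoted in the issue extracts the version, every delimiter is flattened to ".", and a purely positional comparison then shows where that flattening loses information for the "~" case raised above. The delimiter set and the function names are assumptions made for the example.

```python
import re
from typing import Optional, Tuple

# Regex adapted from the pattern quoted in the issue, with the dots escaped
# so they match literally; this is example code, not cve-bin-tool's checker.
IMAGEMAGICK_PATTERN = re.compile(r"ImageMagick-(\d+\.\d+\.\d+-\d+)")

# Delimiters the flattening step rewrites to "."; this set is an assumption
# made for the example, not the tool's actual list.
DELIMITERS = "-_~+"


def extract_version(text: str, pattern: "re.Pattern[str]" = IMAGEMAGICK_PATTERN) -> Optional[str]:
    """Return the raw version string captured from text such as a filename."""
    match = pattern.search(text)
    return match.group(1) if match else None


def flatten_delimiters(version: str) -> str:
    """Rewrite every delimiter to '.', which is the behaviour described in
    the thread: 7.1.1-15 becomes 7.1.1.15."""
    for delim in DELIMITERS:
        version = version.replace(delim, ".")
    return version


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Sort key over the flattened version. Numeric components compare as
    integers; non-numeric ones compare as text and sort before any integer,
    so mixed components never raise a TypeError."""
    parts = flatten_delimiters(version).split(".")
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in parts)


def sorts_before(a: str, b: str) -> bool:
    """True when version a orders strictly before version b under the purely
    positional comparison that flattening leaves us with."""
    return version_key(a) < version_key(b)


if __name__ == "__main__":
    raw = extract_version("ImageMagick-7.1.1-15")  # constructed input
    print(raw, "->", flatten_delimiters(raw))  # 7.1.1-15 -> 7.1.1.15
    # "-15" as a release number after 7.1.1 survives flattening ...
    print(sorts_before("7.1.1", "7.1.1-15"))  # True
    # ... but Debian-style "~" (pre-release, orders BEFORE the base) is lost:
    print(sorts_before("7.1.1~rc1", "7.1.1"))  # False, although it should be True
```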

anthonyharrison commented 7 months ago

Component versions are a mess, but if more components aligned with Semantic Versioning, life would be easier. As @terriko remarked, it is a very difficult task; perhaps the greatest contribution would be to encourage maintainers to adopt semantic versioning, as this COULD significantly improve vulnerability management across the industry.