mxr576 / ddqg-composer-audit

Drupal Dependency Quality Gate Composer Audit plugin
MIT License

Investigate why 1.x version range is duplicated here #10

Closed mxr576 closed 11 months ago

mxr576 commented 12 months ago
```json
            {
                "advisoryId": "DDQG-insecure-drupal-apigee_edge",
                "packageName": "drupal/apigee_edge",
                "affectedVersions": ">=1.0.0,<1.27.0|>=1.0.0,<1.27.0|>=2.0.0,<2.0.8",
                "title": "The installed \"2.0.7.0\" version is insecure. (Reported by Drupal Dependency Quality Gate.)",
                "cve": "DDQG-insecure-drupal-apigee_edge",
                "link": "https://www.drupal.org/project/apigee_edge",
                "reportedAt": "2023-09-22T09:09:26+00:00",
                "sources": [
                    {
                        "name": "DDQG",
                        "remoteId": "DDQG-insecure-drupal-apigee_edge"
                    }
                ]
            },
        ],
```
mxr576 commented 11 months ago

This is a regression in the fixture dataset; it could be fixed, but there is nothing to see.

The original source had disjunctive version ranges after the fixture snapshot was extracted and before Apigee Edge 1.x/2.0.x moved from insecure to unsupported.

https://github.com/mxr576/ddqg/blob/cb8afd6797881a674aef8a2bc07e94c4106110eb/composer.json
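The point of the thread is that the repeated `>=1.0.0,<1.27.0` alternative is harmless: `|` in a Composer constraint is a disjunction, so a duplicated alternative cannot change which versions match. The following Python is an added example, not code from ddqg-composer-audit, ddqg or Composer itself. It implements only the subset of Composer's constraint grammar that the advisory above uses (`|` or `||` between OR-ed alternatives, `,` between AND-ed bounds, a comparison operator followed by a dotted version, versions padded to four components so that `2.0.7` equals the `2.0.7.0` in the advisory title), evaluates the advisory's `affectedVersions` against an installed version, and normalises the string by dropping the semantically repeated alternative. The function names and the `audit` report shape are this example's own; caret, tilde and wildcard constraints and pre-release suffixes are deliberately rejected rather than guessed at.

```python
"""Evaluate a Composer-audit ``affectedVersions`` string and drop duplicate ranges.

Added example; not code from ddqg-composer-audit, ddqg or composer/semver.
Supported grammar (the subset used by the advisory in the issue):
  * ``|`` or ``||`` separates alternatives, which are OR-ed;
  * ``,`` joins bounds inside one alternative, which are AND-ed;
  * a bound is an operator (>=, >, <=, <, =, ==, !=) followed by a dotted version.
Versions are padded to four numeric components, so ``2.0.7`` == ``2.0.7.0``.
Caret/tilde/wildcard constraints and pre-release suffixes raise ValueError.
"""
import re

_OPS = {
    ">=": lambda v, b: v >= b,
    ">": lambda v, b: v > b,
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
    "==": lambda v, b: v == b,
    "=": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
}
_VERSION = re.compile(r"^v?(\d+(?:\.\d+){0,3})$")
# Two-character operators are listed first so ">=" is not read as ">" + "=1.0.0".
_BOUND = re.compile(r"^(>=|<=|!=|==|>|<|=)?\s*(v?\d+(?:\.\d+){0,3})$")


def normalize(version: str) -> tuple:
    """'2.0.7' -> (2, 0, 7, 0); '1.27' -> (1, 27, 0, 0)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_alternative(text: str) -> list:
    """'>=1.0.0,<1.27.0' -> [('>=', (1,0,0,0)), ('<', (1,27,0,0))]; bounds are AND-ed."""
    bounds = []
    for piece in text.split(","):
        m = _BOUND.match(piece.strip())
        if not m:
            raise ValueError(f"unsupported constraint bound: {piece!r}")
        bounds.append((m.group(1) or "==", normalize(m.group(2))))
    return bounds


def split_alternatives(constraint: str) -> list:
    """Split on the OR operator ('|' or '||') and drop empty pieces."""
    return [alt.strip() for alt in re.split(r"\|\|?", constraint) if alt.strip()]


def is_affected(installed: str, constraint: str) -> bool:
    """True if the installed version satisfies any alternative of the constraint."""
    v = normalize(installed)
    return any(
        all(_OPS[op](v, bound) for op, bound in parse_alternative(alt))
        for alt in split_alternatives(constraint)
    )


def dedupe_constraint(constraint: str) -> str:
    """Drop semantically repeated alternatives, keeping the first spelling.

    Because '|' is OR, removing a repeated alternative cannot change which
    versions match, which is why the duplicate in the fixture is harmless.
    """
    seen, kept = set(), []
    for alt in split_alternatives(constraint):
        key = tuple(sorted(parse_alternative(alt)))  # bound order is irrelevant
        if key not in seen:
            seen.add(key)
            kept.append(alt)
    return "|".join(kept)


# Sample input: the relevant fields of the advisory posted in the issue.
ADVISORY = {
    "advisoryId": "DDQG-insecure-drupal-apigee_edge",
    "packageName": "drupal/apigee_edge",
    "affectedVersions": ">=1.0.0,<1.27.0|>=1.0.0,<1.27.0|>=2.0.0,<2.0.8",
    "link": "https://www.drupal.org/project/apigee_edge",
}


def audit(advisory: dict, installed: str) -> dict:
    """Evaluate one advisory against an installed version; report shape is this example's own."""
    raw = advisory["affectedVersions"]
    clean = dedupe_constraint(raw)
    return {
        "package": advisory["packageName"],
        "installed": ".".join(map(str, normalize(installed))),
        "affected": is_affected(installed, raw),
        "affectedVersions": clean,
        "duplicates_removed": len(split_alternatives(raw)) - len(split_alternatives(clean)),
    }


if __name__ == "__main__":
    for version in ("1.26.5", "1.27.0", "2.0.7", "2.0.8"):
        print(audit(ADVISORY, version))
```

Running it shows `2.0.7` (reported as `2.0.7.0` in the advisory title) matched by the third alternative, `1.27.0` and `2.0.8` outside every range, and exactly one duplicate removed; the match results are identical before and after deduplication, which is the practical check behind "nothing to see".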