What happened:
Not finding EOL'ed versions of nginx in official container images
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
Scan nginx:1.23.3
Anything else we need to know?:
I was able to resolve the issue by updating the normalizeSemver() function in purl.go.
The package version for nginx is listed as: 1.23.3-1~bullseye
I can resolve by adding the following:
```go
// Handle packages with tilde (~) characters
// Example: 1.23.3-1~bullseye
// (needs "regexp" imported in purl.go)
tildeRe := regexp.MustCompile(`^(\d+\.\d+\.\d+)-\d+~\w+`)
version = tildeRe.ReplaceAllString(version, "$1")
```
Side Note
Managing a list of regexes for all potential package version strings is likely to become really tedious.
Instead of hard-coding all the regexes, perhaps expose this list in config.yaml as a way to append more patterns to the list in normalizeSemver().
Environment: Using container image noqcks/xeol:v0.9.10
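The reporter's patch strips the Debian revision for the one `-N~suite` shape. As an added example (not xeol's own `normalizeSemver()`), the hypothetical `normalizeDebianVersion` helper below generalises that idea to the full `[epoch:]upstream[-revision]` layout so that `1.23.3-1~bullseye`, `1:1.18.0-6.1+deb11u3` and `1.23.3~rc1-1` all reduce to a comparable MAJOR.MINOR.PATCH core; the inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// semverCore matches the leading MAJOR.MINOR.PATCH triple of an upstream version.
var semverCore = regexp.MustCompile(`^\d+\.\d+\.\d+`)

// normalizeDebianVersion (hypothetical, not xeol's code) reduces a Debian-style
// package version such as "1.23.3-1~bullseye" to its upstream semver core so it
// can be matched against EOL data. It returns false when no such core exists.
func normalizeDebianVersion(version string) (string, bool) {
	v := version
	// 1. Drop an epoch prefix: "1:1.18.0-6.1" -> "1.18.0-6.1".
	if i := strings.Index(v, ":"); i >= 0 {
		v = v[i+1:]
	}
	// 2. Drop the Debian revision, which follows the LAST hyphen:
	//    "1.23.3-1~bullseye" -> "1.23.3". Upstream versions may themselves
	//    contain hyphens, which is why only the last one is cut.
	if i := strings.LastIndex(v, "-"); i >= 0 {
		v = v[:i]
	}
	// 3. Keep only the MAJOR.MINOR.PATCH triple; upstream suffixes such as
	//    "~rc1" or "+dfsg" are discarded for the purpose of EOL comparison.
	core := semverCore.FindString(v)
	if core == "" {
		return "", false
	}
	return core, true
}

func main() {
	// Constructed sample versions as they might appear in a package list.
	for _, in := range []string{"1.23.3-1~bullseye", "1:1.18.0-6.1+deb11u3", "1.23.3~rc1-1", "latest"} {
		out, ok := normalizeDebianVersion(in)
		fmt.Printf("%-24s -> %q (ok=%v)\n", in, out, ok)
	}
}
```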