Add leniancy to the version matching for debian to account for versio… #328
Conversation
26e9d11 to 9dbd270
scan/debian.go
@@ -592,19 +592,28 @@ func (o *debian) parseChangelog(changelog string, | |||
cveRe := regexp.MustCompile(`(CVE-\d{4}-\d{4,})`) | |||
stopRe := regexp.MustCompile(fmt.Sprintf(`\(%s\)`, regexp.QuoteMeta(versionOrLater))) | |||
stopLineFound := false | |||
leniantStopeLineFound := false |
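Review bot: the new variable name `leniantStopeLineFound` on the last line of the hunk carries two spelling slips (`leniant`, `Stope`); rename it to `lenientStopLineFound` so it pairs with the existing `stopLineFound` and stays greppable. The hunk header (`-592,19 +592,28`) promises nine added lines but only this declaration is visible, so the lenient stop regex and how it avoids matching an older changelog entry cannot be reviewed from this excerpt; the lenient path should run only when `stopRe` finds no match, and the result should record which variant matched so that reports can flag it.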
Should be `leniantStopLineFound := false`?
…ns without the "+" when package maintainers aren't using them.
9dbd270 to 9816315
Thanks, fixed.
Applying this P / R may report a false positive of the detected vulnerability. https://readme.phys.ethz.ch/documentation/debian_version_numbers/
Note: The versions of dpkg and changelog do not match.
Example:
In the current implementation, since it is detected by a complete version match in the changelog, Vuls does not detect it when the version of dpkg does not match the version in the changelog. For this reason, there is no false positive in this case. After applying this P / R, since it matches the string before
That is correct, which is why adding a configuration option for lenient version matching, and adding information to the output about lenient version matching, are important. Keep in mind that this is only checked when version matching fails -- so the options are to either report no vulnerabilities when in fact vulnerabilities may exist, or report potential false positives. I'd rather opt for the latter, personally. Alternatively, we can work with the package maintainers to resolve this issue directly and not add complexity to the vuls code. This may be a better option.
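The failure mode debated in this thread, as an added Go example (not vuls code and not this PR's implementation): a simplified changelog walk that uses the same `\(version\)` stop regex as the hunk, plus an assumed lenient fallback that retries on the part before the "+" only when the exact version is absent. The package name, changelog text and CVE IDs are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed changelog with placeholder CVE IDs, newest entry first.
const sampleChangelog = `examplepkg (1.1.0f-3+deb9u2) stretch-security; urgency=high
  * Fix CVE-2000-0001
examplepkg (1.1.0f-3+deb9u1) stretch-security; urgency=medium
  * Fix CVE-2000-0002
examplepkg (1.1.0f-3) unstable; urgency=medium
  * Fix CVE-2000-0003
`

// unfixedCVEs collects CVE IDs from entries newer than the installed version,
// i.e. every line above the stop line "(installed)". It returns those CVEs,
// the version string the stop regex used, and whether a stop line was found.
func unfixedCVEs(changelog, installed string, lenient bool) ([]string, string, bool) {
	cveRe := regexp.MustCompile(`(CVE-\d{4}-\d{4,})`)
	stopRe := regexp.MustCompile(fmt.Sprintf(`\(%s\)`, regexp.QuoteMeta(installed)))
	matchedOn := installed
	// Lenient fallback (assumed reading of the PR): only when the exact
	// version is absent from the changelog, retry on the part before "+".
	if lenient && !stopRe.MatchString(changelog) {
		if i := strings.Index(installed, "+"); i > 0 {
			matchedOn = installed[:i]
			stopRe = regexp.MustCompile(fmt.Sprintf(`\(%s\)`, regexp.QuoteMeta(matchedOn)))
		}
	}
	var cves []string
	for _, line := range strings.Split(changelog, "\n") {
		if stopRe.MatchString(line) {
			return cves, matchedOn, true
		}
		cves = append(cves, cveRe.FindAllString(line, -1)...)
	}
	return cves, matchedOn, false
}

func main() {
	// Constructed mismatch: 1.1.0f-3+deb9u3 has no entry. Exact mode reports
	// nothing; lenient mode stops at (1.1.0f-3) and reports already-fixed CVEs.
	for _, lenient := range []bool{false, true} {
		cves, on, found := unfixedCVEs(sampleChangelog, "1.1.0f-3+deb9u3", lenient)
		fmt.Printf("lenient=%v found=%v matchedOn=%s cves=%v\n", lenient, found, on, cves)
	}
}
```

The `matchedOn` value is what a report would need to carry so that a lenient match can be told apart from an exact one.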
I think that it is better to indicate in the JSON and Reporting that this vulnerability is not detected by accurate version matching.
I will merge this P/R since additional implementation is complete.
#327