fix: ensure canonical version numbers used in version comparison (#1437)

anthonyharrison · web-flow · commit 5b14b1bd431c · 2021-11-24T09:18:23.000-08:00
diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import os
+import re
 import sqlite3
 import sys
 from collections import defaultdict
@@ -72,7 +73,23 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
         """
         # Removing * from vendors that are guessed by the package list parser
         vendor = product_info.vendor.replace("*", "")
-        self.cursor.execute(query, [vendor, product_info.product, product_info.version])
+
+        # Need to manipulate version to ensure canonical form of version
+        if product_info.product == "openssl":
+            pv = re.search(r"\d[.\d]*[a-z]?", product_info.version)
+            parsed_version_between = parse_version(self.openssl_convert(pv.group(0)))
+        else:
+            # Ensure canonical form of version numbering
+            if ":" in product_info.version:
+                # Handle x:a.b<string> e.g. 2:7.4+23
+                components = product_info.version.split(":")
+                pv = re.search(r"\d[.\d]*", components[1])
+            else:
+                # Handle a.b.c<string> e.g. 1.20.9rel1
+                pv = re.search(r"\d[.\d]*", product_info.version)
+        parsed_version = parse_version(pv.group(0))
+
+        self.cursor.execute(query, [vendor, product_info.product, str(parsed_version)])
 
         cve_list = list(map(lambda x: x[0], self.cursor.fetchall()))
 
@@ -88,8 +105,6 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
         WHERE vendor=? AND product=? AND version=?
         """
 
-        # Removing * from vendors that are guessed by the package list parser
-        vendor = product_info.vendor.replace("*", "")
         self.cursor.execute(query, [vendor, product_info.product, "*"])
 
         for cve_range in self.cursor:
@@ -101,8 +116,6 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
                 version_end_excluding,
             ) = cve_range
 
-            parsed_version = parse_version(product_info.version)
-
             # pep-440 doesn't include versions of the type 1.1.0g used by openssl
             # so if this is openssl, convert the last letter to a .number
             if product_info.product == "openssl":
@@ -112,9 +125,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
                 version_start_excluding = self.openssl_convert(version_start_excluding)
                 version_end_including = self.openssl_convert(version_end_including)
                 version_end_excluding = self.openssl_convert(version_end_excluding)
-                parsed_version = parse_version(
-                    self.openssl_convert(product_info.version)
-                )
+                parsed_version = parsed_version_between
 
             # check the start range
             passes_start = False
