
known_vulnerability semver matching issue

Open becojo opened this issue 1 year ago • 1 comment

Describe the bug

When hashicorp/go-version is given a GitHub Actions version "4", it pads the rest of the semver components with zeros making the effective version "4.0.0" https://github.com/hashicorp/go-version/blob/644291d14038339745c2d883a1a114488e30b702/version.go#L77-L82

This makes it so when trying to match version "4" against a vulnerable version range such as ">=4.0.0,<4.4.1", version "4.0.0" is considered part of the range. The expected result of this test case should be flipped:

diff --git a/opa/opa_test.go b/opa/opa_test.go
index 5ca7d5e..9f8979c 100644
--- a/opa/opa_test.go
+++ b/opa/opa_test.go
@@ -67,7 +67,7 @@ func TestSemverConstraintCheck(t *testing.T) {
 		{
 			constraint: ">=4.0.0,<4.4.1",
 			version:    "4",
-			expected:   true,
+			expected:   false,
 		},
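Review bot: flipping `expected` from `true` to `false` for constraint `">=4.0.0,<4.4.1"` with version `"4"` is the right target, but the diff touches only `opa/opa_test.go`, so `TestSemverConstraintCheck` will fail until the constraint check itself stops treating `"4"` as `4.0.0`; the implementation change should land in the same change set. It would also help to pin the intended semantics with neighbouring cases in the same table, e.g. version `"4.4.0"` (`true`), `"4.4.1"` (`false`) and a major-only version entirely outside the range such as `"3"` (`false`), so the fix cannot be satisfied by simply rejecting every partial version.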

becojo avatar May 03 '24 19:05 becojo
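The padding behaviour described in the report, as an added example that is not code from poutine or from hashicorp/go-version: a stand-alone Go check using only the standard library that records how many components a tag actually supplied, so a major-only reference such as "4" is treated as the whole 4.x.y family rather than as 4.0.0. `ParseVersion`, `ParseRange`, `PaddedMatch`, `PartialMatch` and `Overlaps` are names chosen here, and the constraint parser handles only the `>=A,<B` shape that appears in the issue's test case.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version keeps up to three numeric components and how many were written explicitly.
type Version struct {
	Parts [3]int
	Spec  int // number of components present in the tag: "4" -> 1, "4.4" -> 2, "4.4.1" -> 3
}

// ParseVersion accepts "4", "4.4", "4.4.1" (optionally prefixed with "v"); missing
// components stay zero, but Spec remembers that they were not supplied.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	fields := strings.Split(s, ".")
	if len(fields) > 3 {
		return Version{}, fmt.Errorf("unsupported version %q", s)
	}
	var v Version
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", f, s)
		}
		v.Parts[i] = n
	}
	v.Spec = len(fields)
	return v, nil
}

// cmp orders two fully-specified triples lexicographically.
func cmp(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			if a[i] < b[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Bounds returns the inclusive lower and exclusive upper bound of everything a partial
// tag can denote: "4" -> [4.0.0, 5.0.0), "4.4" -> [4.4.0, 4.5.0), "4.4.1" -> [4.4.1, 4.4.2).
func (v Version) Bounds() (lo, hi [3]int) {
	lo, hi = v.Parts, v.Parts
	hi[v.Spec-1]++ // components after Spec-1 are already zero
	return lo, hi
}

// Range is a vulnerable interval ">=Lo,<Hi" (Lo inclusive, Hi exclusive).
type Range struct{ Lo, Hi [3]int }

// ParseRange understands only the ">=A,<B" form used in the issue's test table (assumption).
func ParseRange(s string) (Range, error) {
	parts := strings.Split(s, ",")
	if len(parts) != 2 || !strings.HasPrefix(parts[0], ">=") || !strings.HasPrefix(parts[1], "<") {
		return Range{}, fmt.Errorf("unsupported constraint %q", s)
	}
	lo, err := ParseVersion(strings.TrimPrefix(parts[0], ">="))
	if err != nil {
		return Range{}, err
	}
	hi, err := ParseVersion(strings.TrimPrefix(parts[1], "<"))
	if err != nil {
		return Range{}, err
	}
	return Range{Lo: lo.Parts, Hi: hi.Parts}, nil
}

// PaddedMatch reproduces the zero-padding pitfall: "4" is compared as if it were 4.0.0.
func PaddedMatch(r Range, v Version) bool {
	return cmp(v.Parts, r.Lo) >= 0 && cmp(v.Parts, r.Hi) < 0
}

// PartialMatch is true only when every version the tag can resolve to lies inside the
// vulnerable range, which is what a "known vulnerability" finding should require.
func PartialMatch(r Range, v Version) bool {
	lo, hi := v.Bounds()
	return cmp(lo, r.Lo) >= 0 && cmp(hi, r.Hi) <= 0
}

// Overlaps is true when some version the tag can resolve to is vulnerable; useful for a
// lower-confidence "possibly affected" signal on floating major tags.
func Overlaps(r Range, v Version) bool {
	lo, hi := v.Bounds()
	return cmp(lo, r.Hi) < 0 && cmp(hi, r.Lo) > 0
}

func main() {
	r, _ := ParseRange(">=4.0.0,<4.4.1") // the range from the issue's test case
	for _, tag := range []string{"4", "4.4", "4.4.0", "4.4.1", "3"} { // constructed sample tags
		v, _ := ParseVersion(tag)
		fmt.Printf("%-6s padded=%-5v definite=%-5v possible=%v\n",
			tag, PaddedMatch(r, v), PartialMatch(r, v), Overlaps(r, v))
	}
}
```

Running the block shows the discrepancy from the report: with padding, tag "4" falls inside the range, while the bounds-based check reports it as only possibly affected, because the same tag can resolve to 4.4.1 or later.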

I guess this could be closed @Becojo

fproulx-boostsecurity avatar May 06 '24 16:05 fproulx-boostsecurity