fix: version comparison (#740)

* feat: add comparer * refactor: rename lang with ecosystem * feat(bundler): add comparer * feat(node): add comparer * feat(bundler): integrate comparer * feat(cargo): integrate comparer * feat(composer): add comparer * feat(ghsa): integrate comparer * feat(node): integrate comparer * feat(python): integrate comparer * test(bundler): add tests * test(cargo): add tests * test(composer): add tests * test(ghsa): add tests * test(node): add tests * test(python): add tests * refactor(utils): remove unnecessary functions * test(utils): add tests * test: rename bucket prefixes * fix(detect): use string * chore: update dependencies * docs: add comments * fix(cargo): handle unpatched vulnerability * test(db): update trivy-db for integration tests * test(integration): update a golden file * test(cargo): Add a case for missing patched version Signed-off-by: Simarpreet Singh <simar@linux.com> * refactor(advisory): update comments * refactor(node/advisory): change the receiver * chore(mod): update dependencies * refactor(comparer): unexport MatchVersion * refactor: fix maligned structs * test(node): add empty value * refactor * refactor: sort imports * chore(mod): update trivy-db Co-authored-by: Simarpreet Singh <simar@linux.com>
2025-12-22 23:26:39 -08:00 · 2020-11-17 18:38:58 +09:00
parent 9dfb0fe3a9
commit b6d5b82c48
45 changed files with 1455 additions and 473 deletions
--- a/pkg/detector/library/python/advisory.go
+++ b/pkg/detector/library/python/advisory.go
@@ -3,28 +3,30 @@ package python
 import (
 	"strings"

-	"github.com/Masterminds/semver/v3"
 	"golang.org/x/xerrors"

+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/python"
-	"github.com/aquasecurity/trivy/pkg/scanner/utils"
+	"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

 // Advisory encapsulates the python vulnerability scanner
 type Advisory struct {
-	vs python.VulnSrc
+	vs       python.VulnSrc
+	comparer comparer.Comparer
 }

-// NewAdvisory is the factory method to reutrn Python Advisory
+// NewAdvisory is the factory method to return Python Advisory
 func NewAdvisory() *Advisory {
 	return &Advisory{
-		vs: python.NewVulnSrc(),
+		vs:       python.NewVulnSrc(),
+		comparer: comparer.GenericComparer{},
 	}
 }

-// DetectVulnerabilities scans and returns pythin vulnerabilities
-func (s *Advisory) DetectVulnerabilities(pkgName string, pkgVer *semver.Version) ([]types.DetectedVulnerability, error) {
+// DetectVulnerabilities scans and returns python vulnerabilities
+func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.DetectedVulnerability, error) {
 	advisories, err := s.vs.Get(pkgName)
 	if err != nil {
 		return nil, xerrors.Errorf("failed to get python advisories: %w", err)
@@ -32,14 +34,15 @@ func (s *Advisory) DetectVulnerabilities(pkgName string, pkgVer *semver.Version)

 	var vulns []types.DetectedVulnerability
 	for _, advisory := range advisories {
-		if !utils.MatchVersions(pkgVer, advisory.Specs) {
+		adv := dbTypes.Advisory{VulnerableVersions: advisory.Specs}
+		if !s.comparer.IsVulnerable(pkgVer, adv) {
 			continue
 		}

 		vuln := types.DetectedVulnerability{
 			VulnerabilityID:  advisory.VulnerabilityID,
 			PkgName:          pkgName,
-			InstalledVersion: pkgVer.String(),
+			InstalledVersion: pkgVer,
 			FixedVersion:     createFixedVersions(advisory.Specs),
 		}
 		vulns = append(vulns, vuln)