
GHSA tracker failure due to version comparison error #489

Open
gshanbhag525 opened this issue Jan 30, 2025 · 2 comments

Comments

@gshanbhag525
Contributor

@knqyf263

Recently the GHSA tracker has started failing because the comparison libs are not able to analyze versions.

e.g. libs: go-mvn-version, go-version, etc.

Stacktrace:

00:21:18.933  2025/01/27 11:02:18 Updating ghsa data...
00:21:18.933  2025/01/27 11:02:18 Walk `Cocoapods Specs` to convert Swift URLs to Cocoapods package names
00:30:20.588  2025-01-27T11:11:18Z	ERROR	Version comparison error	{"ecosystem": "Maven", "package": "org.jenkins-ci.plugins:credentials", "error": "failed to parse version constraint: improper constraint: >=1087.v16065d268466, <1087.1089.v2f1b_9a_b_040e4", "errorVerbose": "failed to parse version constraint:\n    github.com/aquasecurity/trivy-db/pkg/vulnsrc/osv.(*MavenVersionRange).Contains\n        /go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/vulnsrc/osv/range.go:186\n  - improper constraint: >=1087.v16065d268466, <1087.1089.v2f1b_9a_b_040e4:\n    github.com/masahiro331/go-mvn-version.NewConstraints\n        /go/pkg/mod/github.com/masahiro331/[email protected]/constraint.go:66"}
00:30:20.588  2025-01-27T11:11:19Z	ERROR	Version comparison error	{"ecosystem": "Go", "package": "github.com/canonical/lxd", "error": "failed to parse version: invalid semantic version", "errorVerbose": "failed to parse version:\n    github.com/aquasecurity/trivy-db/pkg/vulnsrc/osv.(*SemVerRange).Contains\n        /go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/vulnsrc/osv/range.go:119\n  - invalid semantic version:\n    github.com/aquasecurity/go-version/pkg/semver.init\n        <autogenerated>:1"}
00:30:20.589  2025-01-27T11:11:19Z	ERROR	Version comparison error	{"ecosystem": "npm", "package": "joplin", "error": "failed to parse version: invalid semantic version", "errorVerbose": "failed to parse version:\n    github.com/aquasecurity/trivy-db/pkg/vulnsrc/osv.(*NpmVersionRange).Contains\n        /go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/vulnsrc/osv/range.go:137\n  - invalid semantic version:\n    github.com/aquasecurity/go-version/pkg/semver.init\n        <autogenerated>:1"}

Initial analysis shows go-mvn-version does not support underscore (_) in its regexp. ref: link

But I'm not sure about the go-version lib.

@gshanbhag525
Contributor Author

#487

@knqyf263
Collaborator

knqyf263 commented Jan 30, 2025

As far as I know, v5.19 is not a valid version.
GHSA-x9qq-236j-gj97

The tag doesn't exist actually.
https://github.com/canonical/lxd

And 3.0 in npm is also an invalid version.
GHSA-hff8-hjwv-j9q7

const semver = require('semver')

console.log(semver.valid('3.0')) // null
console.log(semver.valid('3.0.0')) // 3.0.0

GHSA should fix it.
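A pre-flight check for the failure modes in this thread, written as an added example (it is not trivy-db, go-version or go-mvn-version code): it splits each OSV-style range into its version operands and reports the ones the ecosystem's comparator would reject, so a bad advisory is logged per package instead of aborting the update. The semver grammar is SemVer 2.0.0 with an optional leading `v`; the Maven check only encodes the underscore defect reported above, not go-mvn-version's real grammar (assumption).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Strict SemVer 2.0.0 grammar with an optional leading "v" (Go module style).
// "3.0" and "v5.19" fail this check; "3.0.0" and "v1.2.3-rc.1+build.5" pass.
var semverRe = regexp.MustCompile(`^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
	`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// Assumption from the report above: the Maven tokenizer accepts letters, digits,
// dots and hyphens but chokes on "_" (Jenkins plugin versions like ...v2f1b_9a_b_040e4).
var mavenTokenRe = regexp.MustCompile(`^[0-9A-Za-z.\-]+$`)

// ValidateRange takes a constraint such as ">=1087.v16065d268466, <1087.1089.v2f1b_9a_b_040e4",
// strips the operators and returns the operands that the ecosystem's parser would reject.
// An empty result means the range is safe to hand to the comparator.
func ValidateRange(ecosystem, constraint string) []string {
	var rejected []string
	for _, part := range strings.Split(constraint, ",") {
		v := strings.TrimLeft(strings.TrimSpace(part), "<>=!~^ ")
		if v == "" {
			continue
		}
		switch ecosystem {
		case "Maven":
			if !mavenTokenRe.MatchString(v) {
				rejected = append(rejected, v)
			}
		case "Go", "npm":
			if !semverRe.MatchString(v) {
				rejected = append(rejected, v)
			}
		}
	}
	return rejected
}

func main() {
	// Constructed inputs mirroring the three ecosystems in the error log above.
	cases := []struct{ eco, rng string }{
		{"Maven", ">=1087.v16065d268466, <1087.1089.v2f1b_9a_b_040e4"},
		{"Go", "<v5.19"},
		{"npm", "<3.0"},
		{"npm", ">=1.0.0, <3.0.0"},
	}
	for _, c := range cases {
		fmt.Printf("%-5s %-55q rejected=%q\n", c.eco, c.rng, ValidateRange(c.eco, c.rng))
	}
}
```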
