False positives due to erroneous comparison of component versions
Current Behavior
DT attributes CVE-2022-48174 to the component pkg:apk/alpine/[email protected]?arch=x86_64&distro=3.19.1 although the vulnerability has already been resolved in the earlier package version 1.36.1-r2:
https://osv.dev/vulnerability/CVE-2022-48174
The root cause of this issue appears to be DT's sorting methodology. Instead of a numerical sort, the application is performing a lexical sort on version identifiers, mistakenly interpreting the version 1.36.1-r18 as an earlier, and thus vulnerable, release compared to 1.36.1-r2.
Steps to Reproduce
- Ensure that Google OSV advisory mirroring is enabled.
- Create a new project.
- In the newly created project, create a new component with the following purl: pkg:apk/alpine/[email protected]?arch=x86_64&distro=3.19.1
- Check whether CVE-2022-48174 has been attributed to the newly created component.
Expected Behavior
CVE-2022-48174 should not be attributed to the newly created component.
Dependency-Track Version
4.11.3
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
15.5
Browser
Microsoft Edge
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
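The following is an added illustration of the comparison error described in the report; it is not code from Dependency-Track or from the versatile library. It contrasts a plain string comparison of the two versions from the report with a deliberately simplified Alpine apk version comparator (numeric components, an optional trailing letter, an optional _alpha/_beta/_pre/_rc/_p suffix, and a -rN package release), which is an assumption made for this example rather than the full apk-tools algorithm. The version strings are the ones quoted in the report.

```python
import re

# Versions quoted in the report (constructed sample input for this example).
FIXED_VERSION = "1.36.1-r2"
INSTALLED_VERSION = "1.36.1-r18"

# Simplified apk version grammar (assumption for this example):
#   <num>(.<num>)*  [letter]  [_<suffix><n>]  [-r<release>]
_APK_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?(?:_([a-z]+)(\d*))?(?:-r(\d+))?$"
)

# Pre-release suffixes sort before the bare version, post-release after it.
_SUFFIX_RANK = {
    "alpha": -5, "beta": -4, "pre": -3, "rc": -2,
    "cvs": -1, "svn": -1, "git": -1, "hg": -1,
    "p": 1,
}


def parse_apk_version(version):
    """Turn an apk version string into a tuple that compares numerically.

    The tuple is (numeric components, letter, suffix rank, suffix number,
    package release), so Python's tuple ordering yields the intended order:
    1.36.1-r2 < 1.36.1-r10 < 1.36.1-r18, and 1.0_rc1 < 1.0 < 1.0_p1.
    """
    m = _APK_RE.match(version)
    if not m:
        raise ValueError(f"not an apk version: {version!r}")
    nums, letter, suffix, suffix_num, release = m.groups()
    return (
        tuple(int(part) for part in nums.split(".")),
        letter or "",
        _SUFFIX_RANK.get(suffix, 0) if suffix else 0,
        int(suffix_num) if suffix_num else 0,
        int(release) if release is not None else 0,
    )


def lexical_is_vulnerable(installed, fixed):
    """The faulty check: plain string ordering, which puts '-r18' before '-r2'."""
    return installed < fixed


def apk_is_vulnerable(installed, fixed):
    """The intended check: the installed package is vulnerable only if it is
    older than the version in which the fix landed."""
    return parse_apk_version(installed) < parse_apk_version(fixed)


def sort_lexically(versions):
    """Ordering a scanner would get from sorting version strings directly."""
    return sorted(versions)


def sort_as_apk(versions):
    """Ordering obtained by sorting on the parsed apk version tuple."""
    return sorted(versions, key=parse_apk_version)


if __name__ == "__main__":
    print("string compare says vulnerable:",
          lexical_is_vulnerable(INSTALLED_VERSION, FIXED_VERSION))
    print("apk compare says vulnerable:   ",
          apk_is_vulnerable(INSTALLED_VERSION, FIXED_VERSION))
    sample = ["1.36.1-r18", "1.36.1-r2", "1.36.1-r10", "1.36.1_rc1-r1"]
    print("lexical order:", sort_lexically(sample))
    print("apk order:    ", sort_as_apk(sample))
```

Run as a script, the block shows the string comparison flagging 1.36.1-r18 as older than the fixed 1.36.1-r2, while the parsed comparison correctly treats it as newer. The same parse-then-compare approach is what a release-aware matcher needs for any distro package ecosystem where a numeric suffix can have more digits than the fix version's suffix.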
Related: #2826
Support for Alpine versions has been added to versatile: https://github.com/nscuro/versatile/pull/257
The implementation passes the comparison test suite of the vers specification.