
Adding underscore (_) to the regex, because when any version in the database contains an underscore we're skipping this CVE for the resource.

Open manojkrishnanomula opened this issue 10 months ago • 3 comments

In aqua-db we have versions like 1.8.0_371, so for these CVEs, even when there are other vulnerable versions, we're failing while comparing whether it is vulnerable or not and skipping the CVE.

manojkrishnanomula, Feb 24 '25 03:02

Which versioning convention supports underscores? We need to define how to handle underscores.

knqyf263, Feb 24 '25 06:02

> Which versioning convention supports underscores? We need to define how to handle underscores.

If any CVE has something like cpe:2.3:a:oracle:jdk:1.8.0:update371:* we treat it as 1.8.0_371 in aqua, so we're getting _ in the affected versions and this is failing, so we're unable to detect these CVEs for other vulnerable versions as well.

E.g.: https://nvd.nist.gov/vuln/detail/CVE-2023-22049, https://nvd.nist.gov/vuln/detail/CVE-2023-22045

manojkrishnanomula, Mar 05 '25 03:03

Why don't you use - instead of _?

knqyf263, Mar 05 '25 06:03
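
The comparison discussed in this thread, as an added example (not code from go-version or aqua-db): it parses both the `1.8.0_371` form and the CPE fragment `1.8.0:update371` into one tuple so they compare numerically, and returns an error for anything it cannot parse. Reading the suffix as an ordered update number, the names `javaRe`, `parse` and `affected`, and the "installed <= last affected" range are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// javaRe accepts up to four dotted numbers plus an optional update number,
// written "_371" or, as in the CPE fields, ":update371" (assumed convention).
var javaRe = regexp.MustCompile(`^(\d{1,9}(?:\.\d{1,9}){0,3})(?:(?:_|:update)(\d{1,9}))?$`)

// parse returns the dotted fields (zero-padded to four) followed by the update.
func parse(v string) (out [5]int, err error) {
	m := javaRe.FindStringSubmatch(v)
	if m == nil {
		return out, fmt.Errorf("unsupported version %q", v)
	}
	for i, f := range strings.Split(m[1], ".") {
		out[i], _ = strconv.Atoi(f) // cannot fail: the regex allows 1-9 digits
	}
	out[4], _ = strconv.Atoi(m[2]) // an absent update stays 0
	return out, nil
}

// affected reports whether installed <= lastAffected. A parse failure is
// returned to the caller so the advisory is flagged, not silently skipped.
func affected(installed, lastAffected string) (bool, error) {
	a, err := parse(installed)
	if err != nil {
		return false, err
	}
	b, err := parse(lastAffected)
	if err != nil {
		return false, err
	}
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i], nil
		}
	}
	return true, nil
}

func main() {
	fmt.Println(affected("1.8.0_362", "1.8.0:update371")) // constructed input
	fmt.Println(affected("1.8.0_381", "1.8.0_371"))       // constructed input
}
```
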