Report only the "best" fixed version that has no vulnerabilities of its own?
This is related to "Report only those fixed versions that are greater than the affected version" #1228.
The question:
Do we want to display/report the most relevant/best fixed by version -- however we define "relevant"/"best" -- or do we also want to check whether that version has any vulnerabilities of its own and display/report only a vulnerability-free fixed by version? The way we currently define fixed by and organize the data in the DB, there are instances where all of the fixed by versions have vulnerabilities of their own -- none has 0 vulnerabilities.
Hi @johnmhoran, I’d like to start looking into this area.
From what I understand:
• #1252 is about choosing the best fixed version — ideally the lowest version that fixes the vulnerability and is itself not vulnerable.
• #1253 highlights that URL-encoded Debian versions (%2B) cause issues in version comparison, and we already decode internally via PackageURL.from_string() or urllib.parse.unquote().
Before I start experimenting, a quick clarification:
Should the “best fixed version” logic always run on the decoded version string (e.g., 2.12.1-1+deb11u1), even if the stored PURL uses %2B? If yes, then the path is straightforward:
• normalize versions at import time
• run version ordering + univers comparisons on the decoded value
• when reporting UI/API results, use the decoded version
• keep the original PURL intact for lookup
This avoids univers errors and keeps fixed-version evaluation consistent across ecosystems (Debian especially).
If this direction looks right, I’ll put together a small proposal + initial patch.