vulnerablecode icon indicating copy to clipboard operation
vulnerablecode copied to clipboard
verified publisher icon nexB

Missing Affected Versions in Vulnerability Record

Open keshav-space opened this issue 1 year ago • 0 comments

The vulnerability https://public.vulnerablecode.io/vulnerabilities/VCID-aqmt-fmm5-aaad is missing the affected versions 0.7.1.fix1 and 0.7.4.svn.r2010. See the details here: https://github.com/pypa/advisory-database/blob/e56e7a79124764436c8b64e07d4ee7ab7f6b5605/vulns/ipython/PYSEC-2022-12.yaml.

Additionally, the vulnerability https://public.vulnerablecode.io/vulnerabilities/VCID-zdzp-uhzh-aaar also affects the jw.util package version -class.-jw.util.version.Version-, as stated here: https://github.com/pypa/advisory-database/blob/e56e7a79124764436c8b64e07d4ee7ab7f6b5605/vulns/jw.util/PYSEC-2020-341.yaml. This version does indeed exist upstream on PyPI: https://pypi.org/project/jw.util/-class.-jw.util.version.Version-/.

The issue arises when univers is unable to parse these unusual versions. IMO we should not discard an affected or fixed version just because it is unusual and cannot be parsed by univers. Instead, should we store these versions as strings if we fail to parse them?

keshav-space avatar Aug 22 '24 14:08 keshav-space