Improved version matching logic

AppThreat · Jan 25, 2021 · ace0ca0 · ace0ca0
1 parent c769c84
commit ace0ca0
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="appthreat-vulnerability-db",
-    version="1.6.5",
+    version="1.6.6",
     author="Team AppThreat",
     author_email="cloud@appthreat.com",
     description="AppThreat's vulnerability database and package search library with a built-in file based storage. CVE, GitHub, npm are the primary sources of vulnerabilities.",

diff --git a/test/test_utils.py b/test/test_utils.py
@@ -177,6 +177,22 @@ def test_version_build_compare():
     res = utils.version_compare("1.3.0", "1.2.0-beta", "1.3.2.0")
     assert res
 
+def test_version_build_diff_compare():
+    res = utils.version_compare("7.0.0", "*", "*", None, "2020-04-23t00-58-49z")
+    assert not res
+    res = utils.version_compare("7.0.0", "*", "*", None, "2018-05-16t23-35-33z")
+    assert not res
+    res = utils.version_compare("7.0.0", "2018-05-16t23-35-33z", "2020-04-23t00-58-49z")
+    assert not res
+    res = utils.version_compare("7.0.0", None, "2020-04-23t00-58-49z", "2020-04-23t00-58-49z", None)
+    assert not res
+    res = utils.version_compare("7.0.0", None, "2018-05-16t23-35-33z", "2018-05-16t23-35-33z", None)
+    assert not res
+    res = utils.version_compare("7.0.0", "*", None, "2020-04-23t00-58-49z", None)
+    assert not res
+    res = utils.version_compare("7.0.0", "*", None, "2018-05-16t23-35-33z", None)
+    assert not res
+
 
 def test_parse_uri():
     vendor, package, version = utils.parse_cpe(

diff --git a/vdb/lib/utils.py b/vdb/lib/utils.py
@@ -340,6 +340,14 @@ def version_compare(
         is_max_exclude = True
     if not min_version:
         min_version = "0"
+    # If compare_ver is semver compatible and min_version is * then max_version should be semver compatible
+    if (
+        compare_ver
+        and VersionInfo.isvalid(compare_ver)
+        and (not min_version or min_version == "*")
+        and not VersionInfo.isvalid(max_version)
+    ):
+        return False
     # Perform semver match once we have all the required versions
     if compare_ver and min_version and max_version:
         if semver_compatible(compare_ver, min_version, max_version):