Leading zeros seen as difference in version numbers #1430
Comments
Looking at GHSA-xqr8-7jwr-rhp7, you'll see that it does, in fact, have the
I've submitted an update to the advisory db, which has been merged, and the advisory now has
But, as noted in the PR, tooling should handle this case correctly, as it's stated as a valid format in PEP 440: https://peps.python.org/pep-0440/#integer-normalization. I'm sure it won't be the last time the version has a leading 0 in it.
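The PEP 440 rule the comment above points to, worked through in code. This is an added example and not grype's code or anything posted in the issue: a stdlib-only parser for PEP 440 public versions that canonicalizes every integer component through `int()` (so `2023.07.22` becomes `2023.7.22`) and compares versions as integer tuples instead of as text. It goes a little beyond the report by also covering the pre/post/dev ordering rules from the same PEP. The function names (`canonicalize`, `sort_key`, `is_fixed`), the simplified grammar, and the sample versions are this example's own assumptions; local version labels (`+...`) are not handled.

```python
"""PEP 440 version handling that survives leading zeros.

Added example, not grype's code: demonstrates the integer-normalization rule
from https://peps.python.org/pep-0440/#integer-normalization, under which
"2023.07.22" and "2023.7.22" are the same version. Function names and the
simplified grammar below are this example's own assumptions; local version
labels (+abc) are intentionally left out.
"""
import re

# Simplified PEP 440 public-version grammar: [epoch!]release[pre][post][dev].
# Longer pre-release spellings are listed first so the regex engine does not
# settle on "a" when the input says "alpha".
_VERSION_RE = re.compile(
    r"""
    ^\s*v?
    (?:(?P<epoch>[0-9]+)!)?
    (?P<release>[0-9]+(?:\.[0-9]+)*)
    (?:[-_.]?(?P<pre_l>alpha|beta|preview|pre|rc|a|b|c)[-_.]?(?P<pre_n>[0-9]+)?)?
    (?:-(?P<post_n1>[0-9]+)|[-_.]?(?P<post_l>post|rev|r)[-_.]?(?P<post_n2>[0-9]+)?)?
    (?:[-_.]?(?P<dev_l>dev)[-_.]?(?P<dev_n>[0-9]+)?)?
    \s*$
    """,
    re.VERBOSE | re.IGNORECASE,
)
_PRE_LABEL = {"alpha": "a", "beta": "b", "c": "rc", "pre": "rc", "preview": "rc"}
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def _match(version: str) -> re.Match:
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"not a PEP 440 public version: {version!r}")
    return m


def _pre_label(raw: str) -> str:
    raw = raw.lower()
    return _PRE_LABEL.get(raw, raw)


def canonicalize(version: str) -> str:
    """Return the canonical PEP 440 spelling of a public version.

    Each integer component goes through int(), which is exactly the
    normalization step that drops leading zeros: "2023.07.22" -> "2023.7.22".
    """
    m = _match(version)
    out = []
    if m["epoch"] and int(m["epoch"]):
        out.append(f"{int(m['epoch'])}!")
    out.append(".".join(str(int(x)) for x in m["release"].split(".")))
    if m["pre_l"]:
        out.append(f"{_pre_label(m['pre_l'])}{int(m['pre_n'] or 0)}")
    if m["post_l"] or m["post_n1"]:
        out.append(f".post{int(m['post_n2'] or m['post_n1'] or 0)}")
    if m["dev_l"]:
        out.append(f".dev{int(m['dev_n'] or 0)}")
    return "".join(out)


def sort_key(version: str) -> tuple:
    """Comparison key implementing PEP 440 ordering for public versions.

    Release components compare as integers (so 07 == 7) and trailing zeros
    are dropped (so 1.0 == 1.0.0). Within one release the order is
    dev < a < b < rc < final < post.
    """
    m = _match(version)
    release = [int(x) for x in m["release"].split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    has_post = bool(m["post_l"] or m["post_n1"])
    if m["pre_l"]:
        pre = (_PRE_RANK[_pre_label(m["pre_l"])], int(m["pre_n"] or 0))
    elif m["dev_l"] and not has_post:
        pre = (-1, 0)  # 1.0.dev1 sorts before 1.0a1
    else:
        pre = (3, 0)  # a final release sorts after every pre-release
    post = (1, int(m["post_n2"] or m["post_n1"] or 0)) if has_post else (0, 0)
    dev = (0, int(m["dev_n"] or 0)) if m["dev_l"] else (1, 0)
    return (int(m["epoch"] or 0), tuple(release), pre, post, dev)


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at or above the advisory's fix version."""
    return sort_key(installed) >= sort_key(fixed_in)


if __name__ == "__main__":
    # Constructed from the report in the issue: the installed and FIXED-IN
    # versions differ only by a leading zero in the month component.
    installed, fixed_in = "2023.7.22", "2023.07.22"
    print("textual match:  ", installed == fixed_in)
    print("canonical match:", canonicalize(installed) == canonicalize(fixed_in))
    print("is_fixed:       ", is_fixed(installed, fixed_in))
```

Textual equality says the two strings differ; both `canonicalize` and `is_fixed` say the installed version already carries the fix. A scanner matching advisory ranges against Python packages needs the second behaviour, whichever side of the comparison the leading zero lands on.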
Thanks for the nice tool. I am encountering an issue and am not 100% sure if this is intended behavior or not. If this is intended behavior, it should be handled differently elsewhere.
What happened:
I got the report

```text
❌ Linted [REPOSITORY] files with [grype]: Found 1 error(s) - (11.02s) (expand for details)
--Error detail:
NAME     INSTALLED  FIXED-IN    TYPE    VULNERABILITY        SEVERITY
certifi  2023.7.22  2023.07.22  python  GHSA-xqr8-7jwr-rhp7  High
1 error occurred:
```
What you expected to happen:
No error because it is the version in which it is already fixed.
How to reproduce it (as minimally and precisely as possible):
Have

```text
certifi==2023.7.22 ; python_version >= "3.10" and python_version < "3.13"
```

in the `requirements.txt`, install it and run grype.
Anything else we need to know?:
This may be intended behavior - I am not sure. In this case, whatever is used to check the version should properly output it in the format required for grype.
Environment:
Output of `grype version`: v0.63.1
OS (e.g. `cat /etc/os-release` or similar): MegaLinter image based on Alpine Linux.