fix(cve_scanner): fix canonical_convert (fixes #1518) (#1519)

intel · Jan 13, 2022 · 9934aed · 9934aed
1 parent 7464205
commit 9934aed
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
@@ -8,9 +8,10 @@
 from collections import defaultdict
 from logging import Logger
 from string import ascii_lowercase
-from typing import DefaultDict, Dict, List
+from typing import DefaultDict, Dict, List, Tuple, Union
 
-from pkg_resources import parse_version
+from packaging.version import LegacyVersion, Version
+from packaging.version import parse as parse_version
 from rich.console import Console
 
 from cve_bin_tool.cvedb import DBNAME, DISK_LOCATION_DEFAULT
@@ -251,10 +252,14 @@ def openssl_convert(self, version: str) -> str:
             version = f"{version[:-1]}.{self.ALPHA_TO_NUM[last_char]}"
         return version
 
-    def canonical_convert(self, product_info: ProductInfo) -> str:
-        version_between = ""
+    VersionType = Union[Version, LegacyVersion]
+
+    def canonical_convert(
+        self, product_info: ProductInfo
+    ) -> Tuple[VersionType, VersionType]:
+        version_between = parse_version("")
         if product_info.version == "":
-            return product_info.version, version_between
+            return parse_version(product_info.version), version_between
         if product_info.product == "openssl":
             pv = re.search(r"\d[.\d]*[a-z]?", product_info.version)
             version_between = parse_version(self.openssl_convert(pv.group(0)))