fix: version compare can't handle ~ in version numbers

[perrinjerome]

very similar to #3552

CannotParseVersionException: version string = 1.1.0l.1~deb9u2

happens with https://storage.googleapis.com/debian-osv/dla-osv/DLA-3008-1.json

[terriko]

This one's interesting: even once we fix the ~ problem, it's still not going to know how to compare deb9u2. Is this pattern common enough that we should build this pattern into the version checker, or truncate it as I'm suggesting we do with the un-comparable hashes? This definitely looks more like something we could actually compare, but it's not clear to me if doing so makes things better or worse.

[terriko]

Also, now that I'm seeing some data (thank you so much for these bug reports!) it seems like it's probably worth going from individual character substitutions to something more like

s = re.sub('[^0-9a-zA-Z]+', '.', s)

And just subbing in anything that isn't alphanumeric. Need to do a bit of thinking or data crunching as to whether we need to support unicode here and have a slightly better regex to handle that, though.

[terriko]

I did some additional asking around and consensus is that ignoring the distro part is probably good enough as a first step.

There's room for more finesse to use this data, and we might want to point people at the available_fix tools https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/available_fix for some triage help. But for now I'm happy if the fix for #3556 handles the deb* part by truncating it.