errors when package version "0" or "9999" is passed

[mrl5]

affected commands

vulner scan and vulner cpe

precondition

$ vulner sync

steps to reproduce

$ vulner cpe '[{"name":"ethertypes","version":"0"}]'

or

$ vulner cpe '[{"name":"ethertypes","version":"9999"}]'

expected result

{} is returned

actual result

stdout flooded with feed contents (feed that was downloaded in precondidtion step)

additional info

with vulner scan it causes HTTP 400 errors flood:

[2022-07-23T13:08:39Z WARN  vulner::command::scan] found CVEs for net-misc/ethertypes-0 ...
[2022-07-23T13:09:28Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:a:gdprinfo:cookie_notice_\\&_consent_banner_for_gdpr_\\&_ccpa_compliance:1.2.0:*:*:*:*:wordpress:*:*&apiKey=REDACTED)
[2022-07-23T13:10:12Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:a:smartypantsplugins:sp_project_\\&_document_manager:2.6.4.5:*:*:*:*:wordpress:*:*&apiKey=REDACTED)
[2022-07-23T13:10:36Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:a:joomla:joomla\\!:3.9.4:rc1:*:*:*:*:*:*&apiKey=REDACTED)
[2022-07-23T13:11:15Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:a:acyba:acymailing:4.2.0:*:*:*:*:joomla\\!:*:*&apiKey=REDACTED)
[2022-07-23T13:11:20Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:o:cisco:aironet_access_point_firmware:8.5\\(131.0\\):*:*:*:*:*:*:*&apiKey=REDACTED)

[mrl5]

unfortunately this bug has additional impact, that is a subject of #55

[mrl5]

rootcause

in

vulner/crates/cpe-tag/python/integrator.py

Line 5 in c138690

def run(payload: list) -> str:

assert run([{"name":"ethertypes","version":"0"}]) == ''

this empty string then propagates here:

vulner/crates/cpe-tag/src/searchers.rs

Lines 19 to 20 in c138690

	pub fn grep(pattern: String, feed: &Path) -> Result<HashSet<String>, Box<dyn Error>> {
	let matcher = RegexMatcher::new_line_matcher(&pattern)?;

so that later every line in feed is matched ...

the best part is that it's expected behavior of ripgrep (according to this discussion: BurntSushi/ripgrep#2091)

and the same applies here:

vulner/crates/cpe-tag/src/searchers.rs

Line 44 in c138690

let re = Regex::new(re_pattern).unwrap();

for https://docs.rs/regex/latest/regex/struct.Regex.html - I wonder if it's expected behavior: rust-lang/regex#896