The current version rule uses one regular expression that is too broad and doesn't differentiate between some version formats.
Some examples of cases not currently contemplated by the RE:
The use of "*" to convey an upper limit is only attributed to the "lessThan" object according to the schema [1].
Pre-release [2] and build [3] metadata should be avoided in version ranges. (This is my opinion; the schema doesn't mention it.)
The "custom" versionType should be avoided. [4]
No correlation between versionType and the format is made (e.g. git commits have a strict format: a 40-character string of SHA-1 or SHA-256 hex characters).
My proposal is to split the input JSON data into a new struct and test it against multiple RE strings, depending on the version category (range or single version) and the version type (semver, git, rpm, maven, python).
I'd like to send a PR if it's ok (I'm still working on it).
[1] https://github.com/CVEProject/cve-schema/blob/a29f28e5d48383cc5e179f9c6655ac49e8ffe1f9/schema/docs/versions.md?plain=1#L507
[2] https://semver.org/#spec-item-9
[3] https://semver.org/#spec-item-10
[4] https://github.com/CVEProject/cve-schema/blob/a29f28e5d48383cc5e179f9c6655ac49e8ffe1f9/schema/docs/versions.md?plain=1#L248