version_compare in utils returns incorrect result if min/max_version is included along with mie/mae

Question

version_compare in utils returns incorrect result if min/max_version is included along with mie/mae

cerrussell opened this issue a year ago · comments

The version_compare function does not take a specified mie into account when determining if a version falls within a given range.

Example
version_compare(compare_ver="2.0.0", min_version="2.0.0", max_version="3.0.0",mie="2.0.0",mae="3.0.0" returns True.

This is equivalent to 2.0.0<2.0.0 and should therefore be False.

@prabhu I have added a test to replicate this problem per your request on the linked branch. There is currently only one test line which includes an mie other than None in the existing tests on master and it appears to work as expected only because min_version is None in that case. This yields the expected results for that test as well as the above example. See test_version_compare1 where I have altered the test failing in test_version_compare to have a min_version of None rather than 2.0.0.

On further inspection, I see that the same scenario occurs for mae if max_version is not None. If this is how the function is intended to work - that not all available parameters should be included - we should add a couple lines to the beginning of version_compare to set the min or max versions to None if mie or mae are included.

prabhu · Answer 1 · Thu Nov 23 2023 07:06:28 GMT+0800 (China Standard Time)

@cerrussell Is there a CVE where this problem exists? It sounds like poor data quality as well.

Caroline Russell · Answer 2 · Thu Nov 23 2023 07:57:13 GMT+0800 (China Standard Time)

@prabhu I'm not sure I grasp where data quality comes into it, but there is certainly no shortage of CVEs with quality issues.

Caroline Russell · Answer 3 · Thu Nov 23 2023 08:55:17 GMT+0800 (China Standard Time)

@prabhu As far as CVEs with this issue, I noticed the incorrect results when matching reachables with the correct CSAF vulnerability objects. Errors in this scenario won't cause me to lose sleep at night given the incorrect results only give false positives in terms of a vulnerability being reachable, rather than the other way around. As is, CSAF vulnerabilities will not receive the flag intended if the found version is the same as a non-inclusive upper or lower limit version.

I don't know what impact there may be in other places this function is used, such as building the db. I expect it would take less time to just fix than to inspect the db as it is built to see what happens.

prabhu · Answer 4 · Thu Nov 23 2023 16:16:15 GMT+0800 (China Standard Time)

@cerrussell it appears like a bug in osv or somewhere since databases are unlikely to have such contradictory information.

So this could be multiple bugs.

Caroline Russell · Answer 5 · Fri Nov 24 2023 02:07:24 GMT+0800 (China Standard Time)

@prabhu What is the contradictory information? The version range data itself is fine. The issue is that the function is written to disregard exclude versions if there's a min or max version provided.

    # Semver compatible and including versions provided
    is_min_exclude = False
    is_max_exclude = False
    if (not min_version or min_version == "*") and mie:
        min_version = mie
        is_min_exclude = True
    if (not max_version or max_version == "*") and mae:
        max_version = mae
        is_max_exclude = True
    if not min_version:
        min_version = "0"