From f75daa3e7c2239abf1a585c6cd336c96cc120400 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 16 Jul 2025 16:48:32 +0600
Subject: [PATCH 1/3] chore(deps): bump go-npm-version
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index ffcd9f9c6054..7342573af387 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 github.com/apparentlymart/go-cidr v1.1.0
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
- github.com/aquasecurity/go-npm-version v0.0.1
+ github.com/aquasecurity/go-npm-version v0.0.2-0.20250716070109-f686488af083
 github.com/aquasecurity/go-pep440-version v0.0.1
 github.com/aquasecurity/go-version v0.0.1
 github.com/aquasecurity/iamgo v0.0.10
diff --git a/go.sum b/go.sum
index 64716fca0a22..755b76600b12 100644
--- a/go.sum
+++ b/go.sum
@@ -810,8 +810,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
-github.com/aquasecurity/go-npm-version v0.0.1 h1:2i/MM+A4KI8AJrqJa/Cwsa4qyljA8S/qngPyQiIVHcA=
-github.com/aquasecurity/go-npm-version v0.0.1/go.mod h1:hxbJZtKlO4P8sZ9nztizR6XLoE33O+BkPmuYQ4ACyz0=
+github.com/aquasecurity/go-npm-version v0.0.2-0.20250716070109-f686488af083 h1:/x8/8BP79pW+8ZApxKuZjSXyWwSxxjbzuCh/599rexQ=
+github.com/aquasecurity/go-npm-version v0.0.2-0.20250716070109-f686488af083/go.mod h1:DXyKqRe2yb83peANMjQr8dGDkHanEgoFv8BOQdWlSUQ=
 github.com/aquasecurity/go-pep440-version v0.0.1 h1:8VKKQtH2aV61+0hovZS3T//rUF+6GDn18paFTVS0h0M=
 github.com/aquasecurity/go-pep440-version v0.0.1/go.mod h1:3naPe+Bp6wi3n4l5iBFCZgS0JG8vY6FT0H4NGhFJ+i4=
 github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
From c4f33ca0988b7c0b8d6c7f2e18dab263d9f54dd1 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 16 Jul 2025 16:49:06 +0600
Subject: [PATCH 2/3] fix(npm): use WithPreRelease: - Use WithPreRelease(true) for Constraints - Add test case
---
 pkg/detector/library/compare/npm/compare.go | 2 +-
 .../library/compare/npm/compare_test.go | 19 +++++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/pkg/detector/library/compare/npm/compare.go b/pkg/detector/library/compare/npm/compare.go
index 13e14b3c19af..f3d5712e2cfa 100644
--- a/pkg/detector/library/compare/npm/compare.go
+++ b/pkg/detector/library/compare/npm/compare.go
@@ -23,7 +23,7 @@ func (n Comparer) MatchVersion(currentVersion, constraint string) (bool, error)
 return false, xerrors.Errorf("npm version error (%s): %s", currentVersion, err)
 }
- c, err := npm.NewConstraints(constraint)
+ c, err := npm.NewConstraints(constraint, npm.WithPreRelease(true))
 if err != nil {
 return false, xerrors.Errorf("npm constraint error (%s): %s", constraint, err)
 }
diff --git a/pkg/detector/library/compare/npm/compare_test.go b/pkg/detector/library/compare/npm/compare_test.go
index 1d232e051d7c..fab726e424f8 100644
--- a/pkg/detector/library/compare/npm/compare_test.go
+++ b/pkg/detector/library/compare/npm/compare_test.go
@@ -30,6 +30,17 @@ func TestNpmComparer_IsVulnerable(t *testing.T) {
 },
 want: true,
 },
+ {
+ name: "prerelease",
+ args: args{
+ currentVersion: "1.45.1-lts.1",
+ advisory: dbTypes.Advisory{
+ VulnerableVersions: []string{">=1.4.4-lts.1, <2.0.0"},
+ PatchedVersions: []string{"2.0.0"},
+ },
+ },
+ want: true,
+ },
 {
 name: "no patch",
 args: args{
@@ -68,8 +79,12 @@ func TestNpmComparer_IsVulnerable(t *testing.T) {
 args: args{
 currentVersion: "2.0.0",
 advisory: dbTypes.Advisory{
- VulnerableVersions: []string{">=1.7.0 <1.7.16", ">=1.8.0 <1.8.8", ">=2.0.0 <2.0.8", ">=3.0.0-beta.1 <3.0.0-beta.7"},
- PatchedVersions: []string{">=3.0.0-beta.7", ">=2.0.8 <3.0.0-beta.1", ">=1.8.8 <2.0.0", ">=1.7.16 <1.8.0"},
+ VulnerableVersions: []string{
+ ">=1.7.0 <1.7.16", ">=1.8.0 <1.8.8", ">=2.0.0 <2.0.8", ">=3.0.0-beta.1 <3.0.0-beta.7",
+ },
+ PatchedVersions: []string{
+ ">=3.0.0-beta.7", ">=2.0.8 <3.0.0-beta.1", ">=1.8.8 <2.0.0", ">=1.7.16 <1.8.0",
+ },
 },
 },
 want: true,
From 1fce1f3a1be1be7f719f250a68d7e4f21793950b Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Thu, 17 Jul 2025 12:20:55 +0600
Subject: [PATCH 3/3] chore(deps): bump go-npm-version to v0.0.2
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 7342573af387..87f430d9fde3 100644
--- a/go.mod
+++ b/go.mod
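Review bot: The `npm.WithPreRelease(true)` argument added to the `npm.NewConstraints` call in MatchVersion has no comment explaining why it is there, so a later cleanup could drop it and quietly bring back missed detections for pre-release versions such as `1.45.1-lts.1` (the case the accompanying test adds). I would put a comment above the call, e.g. `// WithPreRelease(true): let pre-release versions (e.g. 1.45.1-lts.1) satisfy advisory ranges instead of being skipped.` The option now applies to every constraint string passed through MatchVersion, which, judging by the test's Advisory fields, presumably includes patched-version ranges as well as vulnerable ones, so it is worth confirming that both directions classify pre-releases the way you intend. MatchVersion starts before and continues after this hunk, so the final check is not visible here.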
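Review bot: The new "prerelease" case in TestNpmComparer_IsVulnerable pins only the positive path, with a version well inside the range; nothing covers a pre-release sitting on a range boundary. With pre-release matching enabled, a pre-release of the fixed release (constructed example: `currentVersion: "2.0.0-rc.1"` against `<2.0.0` with `PatchedVersions: []string{"2.0.0"}`) presumably now falls inside the vulnerable range, and a table entry should state the expected `want` so that outcome is a recorded decision rather than a side effect. A second entry with a pre-release below the lower bound (constructed: `"1.4.4-alpha.1"` against `>=1.4.4-lts.1`) with `want: false` would pin the negative side. The test function begins and ends outside this hunk.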
@@ -16,7 +16,7 @@ require (
 github.com/apparentlymart/go-cidr v1.1.0
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
- github.com/aquasecurity/go-npm-version v0.0.2-0.20250716070109-f686488af083
+ github.com/aquasecurity/go-npm-version v0.0.2
 github.com/aquasecurity/go-pep440-version v0.0.1
 github.com/aquasecurity/go-version v0.0.1
 github.com/aquasecurity/iamgo v0.0.10
diff --git a/go.sum b/go.sum
index 755b76600b12..765e14b42dad 100644
--- a/go.sum
+++ b/go.sum
@@ -810,8 +810,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
-github.com/aquasecurity/go-npm-version v0.0.2-0.20250716070109-f686488af083 h1:/x8/8BP79pW+8ZApxKuZjSXyWwSxxjbzuCh/599rexQ=
-github.com/aquasecurity/go-npm-version v0.0.2-0.20250716070109-f686488af083/go.mod h1:DXyKqRe2yb83peANMjQr8dGDkHanEgoFv8BOQdWlSUQ=
+github.com/aquasecurity/go-npm-version v0.0.2 h1:6sNIaeW4Hw8Xg51nPoD3VSo/5qmFSu0VL809iehEOvc=
+github.com/aquasecurity/go-npm-version v0.0.2/go.mod h1:DXyKqRe2yb83peANMjQr8dGDkHanEgoFv8BOQdWlSUQ=
 github.com/aquasecurity/go-pep440-version v0.0.1 h1:8VKKQtH2aV61+0hovZS3T//rUF+6GDn18paFTVS0h0M=
 github.com/aquasecurity/go-pep440-version v0.0.1/go.mod h1:3naPe+Bp6wi3n4l5iBFCZgS0JG8vY6FT0H4NGhFJ+i4=
 github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=