From fe96436b99bae3bbfc7498d2ad222d4acccdfcf1 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Thu, 17 Jul 2025 12:40:44 +0600
Subject: [PATCH] fix(nodejs): don't use prerelease logic for compare npm constraints (#9208)

---
 go.mod | 2 +-
 go.sum | 4 ++--
 pkg/detector/library/compare/npm/compare.go | 2 +-
 .../library/compare/npm/compare_test.go | 19 +++++++++++++++++--
 4 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index e75ecce798..c5914888ba 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
-	github.com/aquasecurity/go-npm-version v0.0.1
+	github.com/aquasecurity/go-npm-version v0.0.2
 	github.com/aquasecurity/go-pep440-version v0.0.1
 	github.com/aquasecurity/go-version v0.0.1
 	github.com/aquasecurity/iamgo v0.0.10
diff --git a/go.sum b/go.sum
index 2ae02568bf..a30366e261 100644
--- a/go.sum
+++ b/go.sum
@@ -810,8 +810,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
-github.com/aquasecurity/go-npm-version v0.0.1 h1:2i/MM+A4KI8AJrqJa/Cwsa4qyljA8S/qngPyQiIVHcA=
-github.com/aquasecurity/go-npm-version v0.0.1/go.mod h1:hxbJZtKlO4P8sZ9nztizR6XLoE33O+BkPmuYQ4ACyz0=
+github.com/aquasecurity/go-npm-version v0.0.2 h1:6sNIaeW4Hw8Xg51nPoD3VSo/5qmFSu0VL809iehEOvc=
+github.com/aquasecurity/go-npm-version v0.0.2/go.mod h1:DXyKqRe2yb83peANMjQr8dGDkHanEgoFv8BOQdWlSUQ=
 github.com/aquasecurity/go-pep440-version v0.0.1 h1:8VKKQtH2aV61+0hovZS3T//rUF+6GDn18paFTVS0h0M=
 github.com/aquasecurity/go-pep440-version v0.0.1/go.mod h1:3naPe+Bp6wi3n4l5iBFCZgS0JG8vY6FT0H4NGhFJ+i4=
 github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
diff --git a/pkg/detector/library/compare/npm/compare.go b/pkg/detector/library/compare/npm/compare.go
index 13e14b3c19..f3d5712e2c 100644
--- a/pkg/detector/library/compare/npm/compare.go
+++ b/pkg/detector/library/compare/npm/compare.go
@@ -23,7 +23,7 @@ func (n Comparer) MatchVersion(currentVersion, constraint string) (bool, error)
 		return false, xerrors.Errorf("npm version error (%s): %s", currentVersion, err)
 	}
 
-	c, err := npm.NewConstraints(constraint)
+	c, err := npm.NewConstraints(constraint, npm.WithPreRelease(true))
 	if err != nil {
 		return false, xerrors.Errorf("npm constraint error (%s): %s", constraint, err)
 	}
diff --git a/pkg/detector/library/compare/npm/compare_test.go b/pkg/detector/library/compare/npm/compare_test.go
index 1d232e051d..fab726e424 100644
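Review bot: The added `npm.WithPreRelease(true)` argument is the entire behavioural change of this commit, yet nothing at the call site explains why npm's default prerelease rule is being overridden for vulnerability matching, so the next reader has to go back to the PR to understand it. A one-line comment above the call would do, along the lines of `// Match prerelease versions against every constraint rather than only constraints carrying a prerelease tag on the same major.minor.patch; otherwise a version such as 1.45.1-lts.1 is reported as not affected by ">=1.4.4-lts.1, <2.0.0", which is a false negative for a scanner.` The exact semantics of that option in go-npm-version v0.0.2 are not visible in this patch, so the wording should be checked against the package before it is committed. MatchVersion starts before this hunk and, as far as the context shows, ends after it.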
--- a/pkg/detector/library/compare/npm/compare_test.go
+++ b/pkg/detector/library/compare/npm/compare_test.go
@@ -30,6 +30,17 @@ func TestNpmComparer_IsVulnerable(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "prerelease",
+			args: args{
+				currentVersion: "1.45.1-lts.1",
+				advisory: dbTypes.Advisory{
+					VulnerableVersions: []string{">=1.4.4-lts.1, <2.0.0"},
+					PatchedVersions: []string{"2.0.0"},
+				},
+			},
+			want: true,
+		},
 		{
 			name: "no patch",
 			args: args{
@@ -68,8 +79,12 @@ func TestNpmComparer_IsVulnerable(t *testing.T) {
 			args: args{
 				currentVersion: "2.0.0",
 				advisory: dbTypes.Advisory{
-					VulnerableVersions: []string{">=1.7.0 <1.7.16", ">=1.8.0 <1.8.8", ">=2.0.0 <2.0.8", ">=3.0.0-beta.1 <3.0.0-beta.7"},
-					PatchedVersions: []string{">=3.0.0-beta.7", ">=2.0.8 <3.0.0-beta.1", ">=1.8.8 <2.0.0", ">=1.7.16 <1.8.0"},
+					VulnerableVersions: []string{
+						">=1.7.0 <1.7.16", ">=1.8.0 <1.8.8", ">=2.0.0 <2.0.8", ">=3.0.0-beta.1 <3.0.0-beta.7",
+					},
+					PatchedVersions: []string{
+						">=3.0.0-beta.7", ">=2.0.8 <3.0.0-beta.1", ">=1.8.8 <2.0.0", ">=1.7.16 <1.8.0",
+					},
 				},
 			},
 			want: true,
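Review bot: The new `prerelease` case in the first hunk only pins the vulnerable outcome for `1.45.1-lts.1`; once the comparer stops applying npm's prerelease rule, a prerelease of the patched release (a constructed example: `currentVersion: "2.0.0-beta.1"` against `PatchedVersions: []string{"2.0.0"}`) may receive a different answer than before, and no case in the table asserts which answer is intended. Adding one such case would document the trade-off the commit makes at exactly the boundary where a scanner's false negatives and false positives are decided, and should be checked against go-npm-version v0.0.2 when written. The new constraint also uses a comma separator (`">=1.4.4-lts.1, <2.0.0"`) whereas every other case in this hunk writes space-separated ranges; if both forms are accepted, a short comment on the case saying so would stop it reading as a typo. The second hunk is a pure line-wrap of existing cases. TestNpmComparer_IsVulnerable starts before and continues after both hunks.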