What would you like to be added:
Grype should have a dedicated RubyGems version comparator instead of using the Semver comparator, which is what it does today.
Why is this needed:
Some vulnerabilities, for example GHSA-3fhf-6939-qg8p, have version constraints with ruby-style pre-releases instead of semver-style pre-releases, e.g. 1.6.1.a instead of 1.6.1-a (a dot instead of a hyphen). This can result in false negatives because grype is unable to evaluate the version constraint (a separate issue will soon add a fallback for this case, which will also mitigate this, but we should have a proper RubyGems version comparator anyway).
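To make the difference concrete, here is an added example (not Grype's code) of a RubyGems-aware comparator in Go, Grype's language: it models Gem::Version's segment rules, so 1.6.1.a parses and orders as a pre-release of 1.6.1 instead of being unparseable as semver. The names Segments and Compare are hypothetical, and the trimming of zero segments before letters that Gem::Version's canonical_segments performs is deliberately left out.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Gem::Version splits a version into runs of digits or letters, so the
// ruby-style pre-release "1.6.1.a" parses as [1 6 1 a] instead of failing
// as it does under semver. Letters stay case-sensitive, as in RubyGems.
var segRe = regexp.MustCompile(`[0-9]+|[a-zA-Z]+`)

// Segments returns the RubyGems segments of v, e.g. "1.0.rc2" -> [1 0 rc 2].
func Segments(v string) []string {
	return segRe.FindAllString(v, -1)
}

// Compare follows Gem::Version#<=>: a missing segment counts as 0 (so "1.6.1"
// equals "1.6.1.0"), numbers compare numerically, strings lexically, and a
// string sorts before any number, which makes 1.6.1.a a pre-release of 1.6.1.
func Compare(a, b string) int {
	as, bs := Segments(a), Segments(b)
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := "0", "0"
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		xn, xerr := strconv.Atoi(x)
		yn, yerr := strconv.Atoi(y)
		switch {
		case xerr != nil && yerr != nil:
			if c := strings.Compare(x, y); c != 0 {
				return c
			}
		case xerr != nil:
			return -1
		case yerr != nil:
			return 1
		case xn < yn:
			return -1
		case xn > yn:
			return 1
		}
	}
	return 0
}
```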
Additional context:
Some issues where this matters, useful for creating test cases:
Referenced code: grype/grype/version/constraint.go, lines 16 to 17 at commit 2e20605