fix: account for N plus signs in rpm release string

Also, add more test cases from different distros.

Signed-off-by: Will Murphy <[email protected]>

Author: willmurphyscode

grype/version/rpm_version.go

@@ -116,16 +116,11 @@ func compareRpmReleases(a, b string) int {
 		return 0
 	}
 
-	aParts := strings.Split(a, "+")
-	bParts := strings.Split(b, "+")
-	if len(aParts) > 2 {
-		aParts = aParts[:len(aParts)-2]
-	}
-	if len(bParts) > 2 {
-		bParts = bParts[:len(bParts)-2]
-	}
-	trimmedA := strings.Join(aParts, "+")
-	trimmedB := strings.Join(bParts, "+")
+	a = strings.Replace(a, "module+el", "module_el", 1)
+	b = strings.Replace(b, "module+el", "module_el", 1)
+
+	trimmedA, _, _ := strings.Cut(a, "+")
+	trimmedB, _, _ := strings.Cut(b, "+")
 	return compareRpmVersions(trimmedA, trimmedB)
 }
 

grype/version/rpm_version_test.go

@@ -34,6 +34,13 @@ func TestVersionRpm(t *testing.T) {
 		// centos and rhel build numbers differ on same version of same package
 		// ensure these are equal.
 		{"3:10.3.28-1.module_el8.3.0+757+d382997d", "3:10.3.28-1.module+el8.3.0+10472+7adc332a", 0},
+		// some amazonlinux examples
+		{"2.13.0-2.amzn2023.0.2", "2.13.0-2.amzn2023.0.1", 1},
+		{"1.20.14-18.amzn2023.0.1", "1.20.14-18.amzn2023.0.2", -1},
+		// examples from oracle linux 8 for python38-tkinter ELSA-2021-9130
+		{"3.8.17-2.module+el8.9.0+90017+9913aa0c", "0:3.8.3-3.0.1.module+el8.3.0+el8+9681+09f2c1ca", 1},
+		// note that build number 9680 and 9681 are different, but that's not part of the version comparison
+		{"0:3.8.3-3.0.1.module+el8.3.0+el8+9680+09f2c1ca", "0:3.8.3-3.0.1.module+el8.3.0+el8+9681+09f2c1ca", 0},
 	}
 
 	for _, test := range tests {