Conversation

@DmitriyLewen
Contributor

Description

Refactored the Comparer interface in the library detection system to use a cleaner MatchVersion function instead of IsVulnerable. This change simplifies version comparison logic by separating constraint matching from vulnerability assessment.

Changes

  • Interface Refactoring: Changed Comparer interface from IsVulnerable(currentVersion, advisory) to MatchVersion(currentVersion, constraint)
  • Code Organization: Moved GenericComparer from pkg/detector/library/compare/ to pkg/detector/library/compare/generic/
  • Logic Separation: Extracted common IsVulnerable function into driver.go, centralizing vulnerability assessment logic
  • Test Updates: Updated all comparator tests to use the new MatchVersion interface and added proper error handling
  • Package Cleanup: Removed unused imports and simplified package dependencies across all comparator implementations

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@github-actions github-actions bot added the apidiff Indicates Go API changes relevant to library consumers (CLI compatibility may be unaffected) label Oct 31, 2025
@github-actions

📊 API Changes Detected

Semver impact: major

github.com/aquasecurity/trivy/pkg/detector/library/compare/maven
  Incompatible changes:
  - Comparer.IsVulnerable: removed
  Compatible changes:
  - Comparer.MatchVersion: added

github.com/aquasecurity/trivy/pkg/detector/library/compare/generic
  Compatible changes:
  - Comparer: added

github.com/aquasecurity/trivy/pkg/detector/library/compare/pep440
  Incompatible changes:
  - Comparer.IsVulnerable: removed
  Compatible changes:
  - Comparer.MatchVersion: added

github.com/aquasecurity/trivy/pkg/detector/library
  Compatible changes:
  - (*Driver).IsVulnerable: added

github.com/aquasecurity/trivy/pkg/detector/library/compare/bitnami
  Incompatible changes:
  - Comparer.IsVulnerable: removed
  Compatible changes:
  - Comparer.MatchVersion: added

github.com/aquasecurity/trivy/pkg/detector/library/compare/npm
  Incompatible changes:
  - Comparer.IsVulnerable: removed

github.com/aquasecurity/trivy/pkg/detector/library/compare
  Incompatible changes:
  - Comparer.IsVulnerable: removed
  - Comparer.MatchVersion: added
  - GenericComparer: removed
  - IsVulnerable: removed

github.com/aquasecurity/trivy/pkg/detector/library/compare/rubygems
  Incompatible changes:
  - Comparer.IsVulnerable: removed
  Compatible changes:
  - Comparer.MatchVersion: added

@aqua-bot aqua-bot requested a review from a team October 31, 2025 09:27

// IsVulnerable checks if the package version is vulnerable to the advisory.
func (n Comparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
	return compare.IsVulnerable(ver, advisory, n.MatchVersion)
}
Contributor Author

Here’s a more detailed description of the issue in #9427.
It’s related to an npm package.
Suppose we have a package with version 4.17.20+root.io.1 and an advisory:
• PatchedVersions: "4.17.20+root.io.5", "4.17.21"
• VulnerableVersions: "=4.17.20", ">4.17.20, <4.17.21"

When we check VulnerableVersions, the package is considered vulnerable.
But when we check PatchedVersions, 4.17.20+root.io.1 == 4.17.20+root.io.5 (because build metadata isn’t compared), so we don’t show this vulnerability.
Test for this case:
https://github.com/chait-slim/trivy/blob/790eaa7a430f9b95370d9a13695174b13c09b6d3/pkg/detector/library/rootio/rootio_test.go#L123-L154
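The masking described in this comment, as an added Go example that is not Trivy's code: a simplified driver-style IsVulnerable that takes a MatchVersion function, a small constraint matcher for the "=4.17.20" / ">4.17.20, <4.17.21" forms above, and a comparer switch that either drops build metadata (plain semver) or orders by its trailing number. The patched-before-vulnerable precedence and the "+root.io.N" ordering are assumptions of this example, not taken from the rootio package.

```go
package main

import (
	"slices"
	"strconv"
	"strings"
)

// MatchVersion is the post-refactor comparer contract: does ver satisfy one constraint string?
type MatchVersion func(ver, constraint string) bool
// IsVulnerable is a simplified stand-in for the centralized driver check (an assumption): a match
// on any patched constraint wins; otherwise a match on any vulnerable constraint means vulnerable.
func IsVulnerable(ver string, vulnerable, patched []string, match MatchVersion) bool {
	matches := func(c string) bool { return match(ver, c) }
	return !slices.ContainsFunc(patched, matches) && slices.ContainsFunc(vulnerable, matches)
}
// compare orders "MAJOR.MINOR.PATCH[+build]" versions. Plain semver ignores build metadata; with
// keepBuild the metadata's trailing number ("+root.io.5" -> 5) is compared too (assumed ordering).
func compare(a, b string, keepBuild bool) int {
	key := func(v string) (k [4]int) {
		core, meta, _ := strings.Cut(v, "+")
		for i, p := range strings.SplitN(core, ".", 3) {
			k[i], _ = strconv.Atoi(p)
		}
		if mp := strings.Split(meta, "."); keepBuild {
			k[3], _ = strconv.Atoi(mp[len(mp)-1]) // 0 when there is no metadata
		}
		return k
	}
	ka, kb := key(a), key(b)
	for i := range ka {
		if ka[i] != kb[i] {
			return ka[i] - kb[i]
		}
	}
	return 0
}
// newMatcher builds a MatchVersion for constraints such as "=4.17.20" or ">4.17.20, <4.17.21":
// comma-separated terms are ANDed, operators are =, < and >, and a bare version means "=".
func newMatcher(keepBuild bool) MatchVersion {
	return func(ver, constraint string) bool {
		for _, term := range strings.Fields(strings.ReplaceAll(constraint, ",", " ")) {
			d, op := compare(ver, strings.TrimLeft(term, "=<>"), keepBuild), term[0]
			if (op == '>' && d <= 0) || (op == '<' && d >= 0) || (op != '>' && op != '<' && d != 0) {
				return false
			}
		}
		return true
	}
}
```

With the constructed advisory from the comment, newMatcher(false) lets the patched constraint "4.17.20+root.io.5" match 4.17.20+root.io.1 and the finding is suppressed, while newMatcher(true) reports it.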

@DmitriyLewen DmitriyLewen marked this pull request as ready for review October 31, 2025 09:59