Not finding EOL'ed version of nginx in container image
bisbell-ngc opened this issue · 0 comments
What happened:
Not finding EOL'ed versions of nginx in official container images
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
Scan nginx:1.23.3
Anything else we need to know?:
I was able to resolve the issue by updating the normalizeSemver() function in purl.go.
The package version for nginx is listed as: 1.23.3-1~bullseye
I can resolve it by adding the following:

```go
// Handle packages with tilde (~) characters
// Example: 1.23.3-1~bullseye
tildeRe := regexp.MustCompile(`^(\d+\.\d+\.\d+)-\d+~\w+`)
version = tildeRe.ReplaceAllString(version, "$1")
```
Side Note
Managing a list of regexes for all potential package version strings is likely to become really tedious.
Instead of hard coding all the regexes, perhaps expose this list in config.yaml as a way to append more patterns to the list in normalizeSemver().

```yaml
match:
  packages:
    regex:
      - '^(\d+\.\d+\.\d+)p\d+'
      - '^(\d+\.\d+\.\d+)-\d+~\w+'
```
Environment:
Using container image noqcks/xeol:v0.9.10
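The normalization described in this issue, written as an added example rather than xeol's own purl.go code: the pattern list is compiled once from a config-style slice (the side note's proposal), each pattern is validated before any scan runs, and the version string from the nginx:1.23.3 image is reduced to the semver core that the EOL lookup needs. Function names and the sample versions are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns that could be appended from config.yaml, as the side note proposes.
// Each must be anchored at ^ and capture the semver core in group 1.
var defaultVersionPatterns = []string{
	`^(\d+\.\d+\.\d+)p\d+`,     // e.g. 1.2.3p1 (existing xeol pattern)
	`^(\d+\.\d+\.\d+)-\d+~\w+`, // e.g. 1.23.3-1~bullseye (Debian revision + suffix)
}

// CompilePatterns compiles every pattern up front so a bad config entry fails
// at startup rather than silently leaving versions unnormalized during a scan.
func CompilePatterns(patterns []string) ([]*regexp.Regexp, error) {
	var compiled []*regexp.Regexp
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("invalid version pattern %q: %w", p, err)
		}
		if re.NumSubexp() != 1 {
			return nil, fmt.Errorf("pattern %q must have exactly one capture group", p)
		}
		compiled = append(compiled, re)
	}
	return compiled, nil
}

// NormalizeSemver returns the semver core of a distro package version and whether
// any pattern matched; an unmatched version comes back unchanged, which is the
// case that made nginx 1.23.3-1~bullseye miss the EOL lookup.
func NormalizeSemver(version string, patterns []*regexp.Regexp) (string, bool) {
	for _, re := range patterns {
		if re.MatchString(version) {
			return re.ReplaceAllString(version, "$1"), true
		}
	}
	return version, false
}

func main() {
	patterns, err := CompilePatterns(defaultVersionPatterns)
	if err != nil {
		panic(err)
	}
	fmt.Println(NormalizeSemver("1.23.3-1~bullseye", patterns)) // 1.23.3 true
}
```

Note that `\w+` stops at characters such as `+`, so a constructed string like `1.23.3-1~bullseye+deb11u1` normalizes to `1.23.3+deb11u1`; the matched flag is the signal to log when a scanned version fell through every pattern.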