fix: c-ares, sqlite and zstd version parsing#308
Conversation
|
Workflow run with this branch: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29587905355 |
Now we get to further issues, this time with zstd: |
|
zstd parsing needs to be updated as well. Trying again: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29589593474 |
|
|
Looks like the CPE vendor for zstd should be Trying again: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29590267659 |
Nope. I think we may still have a version parsing issue (those |
This one looks more promising -- it has got to the stage of creating issues for found CVEs. |
The version parser for sqlite was only expecting a single space between the `#define SQLITE_VERSION` and the version string but the actual header has multiple spaces. Signed-off-by: Richard Lau <richard.lau@ibm.com>
The header file for zstd defines `ZSTD_VERSION_RELEASE` instead of `ZSTD_VERSION_PATCH`. Allow for multiple spaces is the definition. The CPE vendor for zstd is `facebook` and the product is `zstandard`. Signed-off-by: Richard Lau <richard.lau@ibm.com>
Newer versions of c-ares have multiple spaces in the definition of `ARES_VERSION_STR` that break the existing parsing. Signed-off-by: Richard Lau <richard.lau@ibm.com>
|
😢 (on main) https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29592007779/job/87927243998 Looks like newer c-ares has multiple spaces in the definition of |
#define SQLITE_VERSIONand the version string but the actual header has multiple spaces.ZSTD_VERSION_RELEASEinstead ofZSTD_VERSION_PATCH. Allow for multiple spaces is the definition. The CPE vendor for zstd isfacebookand the product iszstandard.ARES_VERSION_STRthat break the existing parsing.Fixes: #307