Version matching / sorting fails for maven with string suffix
-
Hi,
For versions that have a string suffix, like "2.3.23.Final", the vulnerability matching doesn't work. Most probably the root cause is the failing sort. Regarding the improper sort, see the attached screenshot.
Example regarding vulnerability matching:
PGV: https://security.inedo.com/vulnerability/details/PGV-2314320
io.undertow:undertow-core ≥ 2.3.0 & < 2.3.5.Final, < 2.2.24.Final
but even versions > 2.3.5.Final are still marked as severe (like 2.3.23.Final).
Best regards
-
Hi @devops_8569 ,
I'm afraid this is a known limitation issue with Maven versions in ProGet for now.
Long story short, ProGet followed these versioning specifications:
https://docs.oracle.com/middleware/1212/core/MAVEN/maven_version.htm#MAVEN8855
However, some packages did not follow those specifications but instead relied on undocumented quirks (bugs?) in the Maven version parsing. These are now somewhat documented: https://maven.apache.org/pom.html#version-order-specification
It'd be nice to fix, but it would require a risky, non-trivial rewrite of our Maven version parsing to solve this. So far as we can tell, the only consequence is that a small number of vulnerabilities yield false positives. So, it's not a priority.
In ProGet 2026, we are substantially changing vulnerability management so it's likely these false positives won't be an issue anymore. For example,
PGV-2314320 would be rated as a PVRS Category 2 for most environments. We'll evaluate / explore this after getting feedback from users in ProGet 2026, and whether they think it's worth us investing the time/risk to address this limitation.
-- Dean
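As an added example for this thread (it is not ProGet's code, nor anything from Inedo or the Maven project), the ordering rules Dean links to at https://maven.apache.org/pom.html#version-order-specification are implemented below in Python and applied to the PGV-2314320 ranges quoted in the original post. Two things are assumptions: the PGV text is read as two independent branches, "≥ 2.3.0 and < 2.3.5.Final" or "< 2.2.24.Final", and a plain lexical string comparison is used as a stand-in for a misordering of the kind the screenshot describes, since the thread does not say how ProGet's parser actually handles the ".Final" suffix. The example also covers the other cases the Maven document lists (trailing zeros and "final"/"ga" trimmed, alpha/beta/milestone shorthands, snapshot and sp qualifiers, and the "1.foo < 1-foo < 1-1 < 1.1" separator rule), so it goes beyond the single version pair discussed here.

```python
"""Maven 3 version ordering (https://maven.apache.org/pom.html#version-order-specification)
applied to the PGV-2314320 ranges.  Added example for this thread, not ProGet's code."""
from functools import total_ordering
from itertools import zip_longest

QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
ALIASES = {"ga": "", "final": "", "release": "", "cr": "rc"}
SHORTHAND = {"a": "alpha", "b": "beta", "m": "milestone"}   # only when directly followed by a digit


def _qualifier_key(q):
    """Known qualifiers rank by position; unknown ones sort after 'sp', lexically."""
    return str(QUALIFIERS.index(q)) if q in QUALIFIERS else f"{len(QUALIFIERS)}-{q}"


def _item(is_digit, text, followed_by_digit=False):
    if is_digit:
        return ("int", int(text))
    if followed_by_digit and len(text) == 1:
        text = SHORTHAND.get(text, text)            # 1-a1 == 1-alpha-1
    return ("str", ALIASES.get(text, text))          # final/ga/release == "", cr == rc


def _is_null(item):
    kind, value = item
    if kind == "int":
        return value == 0
    if kind == "str":
        return value == ""
    return not value                                 # empty sub-list


def _normalize(items):
    # Trim trailing "null" items (0, "", empty sub-list): 1.0.0 == 1, 1.Final == 1.
    for i in range(len(items) - 1, -1, -1):
        if _is_null(items[i]):
            del items[i]
        elif items[i][0] != "list":
            break


def parse(version):
    """Tokenise on '.', '-' and digit<->letter transitions.  '.' keeps the next token
    in the current list; '-' (or a transition) opens a nested list, so the separator
    used is part of the ordering."""
    version = version.lower()
    root, stack, cur, is_digit, start = [], [], [], False, 0
    stack.append(root)
    cur = root

    def open_list():
        nonlocal cur
        nested = []
        cur.append(("list", nested))
        stack.append(nested)
        cur = nested

    for i, c in enumerate(version):
        if c in ".-":
            cur.append(("int", 0) if i == start else _item(is_digit, version[start:i]))
            start = i + 1
            if c == "-":
                open_list()
        elif c.isdigit():
            if not is_digit and i > start:           # letters immediately followed by a digit
                cur.append(_item(False, version[start:i], followed_by_digit=True))
                start = i
                open_list()
            is_digit = True
        else:
            if is_digit and i > start:               # digits immediately followed by a letter
                cur.append(_item(True, version[start:i]))
                start = i
                open_list()
            is_digit = False
    if len(version) > start:
        cur.append(_item(is_digit, version[start:]))
    while stack:
        _normalize(stack.pop())
    return ("list", root)


def _cmp(a, b):
    """Three-way compare of two items; b may be None, meaning 'nothing follows'."""
    kind, v = a
    if kind == "int":
        if b is None:
            return 0 if v == 0 else 1
        return (v > b[1]) - (v < b[1]) if b[0] == "int" else 1   # number > qualifier, number > sub-list
    if kind == "str":
        other = "" if b is None else b[1] if b[0] == "str" else None
        if other is None:
            return -1                                             # qualifier < number, qualifier < sub-list
        ka, kb = _qualifier_key(v), _qualifier_key(other)
        return (ka > kb) - (ka < kb)
    if b is None:
        return next((r for r in (_cmp(x, None) for x in v) if r), 0)
    if b[0] != "list":
        return -1 if b[0] == "int" else 1                         # sub-list < number, sub-list > qualifier
    for left, right in zip_longest(v, b[1]):
        r = -_cmp(right, None) if left is None else _cmp(left, right)
        if r:
            return r
    return 0


@total_ordering
class MavenVersion:
    def __init__(self, text):
        self.text, self.items = text, parse(text)

    def __eq__(self, other):
        return _cmp(self.items, other.items) == 0

    def __lt__(self, other):
        return _cmp(self.items, other.items) < 0

    def __repr__(self):
        return f"MavenVersion({self.text!r})"


# PGV-2314320 as quoted in the thread, read (assumption) as two branches:
# (>= 2.3.0 and < 2.3.5.Final) or (< 2.2.24.Final).  A lower bound of None is unbounded.
PGV_2314320 = [("2.3.0", "2.3.5.Final"), (None, "2.2.24.Final")]


def is_affected(version, ranges=PGV_2314320, key=MavenVersion):
    """True when `version` lies in any (lower-inclusive, upper-exclusive) range under
    the ordering given by `key`.  key=str is a plain lexical comparison, used here
    only to show how a string fallback turns 2.3.23.Final into a false positive."""
    v = key(version)
    return any((lo is None or key(lo) <= v) and v < key(hi) for lo, hi in ranges)


if __name__ == "__main__":
    for v in ["2.2.23.Final", "2.2.24.Final", "2.3.4.Final",
              "2.3.5-SNAPSHOT", "2.3.5.Final", "2.3.23.Final"]:
        print(f"{v:15} maven: {is_affected(v)!s:5}  lexical: {is_affected(v, key=str)}")
    print(sorted(["2.3.23.Final", "2.3.5.Final", "2.3.5-SNAPSHOT"], key=MavenVersion))
```

Under the Maven ordering, 2.3.23.Final parses to [2, 3, 23] after the "final" qualifier is trimmed, so it sorts after 2.3.5.Final and outside both ranges, while 2.3.5-SNAPSHOT still falls inside the first range because a snapshot qualifier precedes the release. A lexical comparison sees "2.3.2" before "2.3.5" and therefore reports 2.3.23.Final as affected, which is the shape of the false positive described above.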
-
Hi @dean-houston,
thank you for the explanation. I understand that you don't want to risk the implementation for these special version numbers. On dealing with these false positives, it would be great to ignore a vulnerability just for a specific version, therefore fixing just the version mismatch rather than deactivating the vulnerability globally.
But I'll gladly wait for ProGet 2026 and check out the changes done to the CV management.
Best regards