Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Version matching / sorting fails for maven with string suffix

    Scheduled Pinned Locked Moved Support
    3 Posts 2 Posters 6 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      devops_8569
      last edited by

      Hi,
      for Versions, that have a string suffix, like "2.3.23.Final" the vulnerability matching doesn't work. Most probably the root cause is the failing sort. Regarding the improper sort, see attached screenshot.
      Example regarding vulnerability matching:
      PGV: https://security.inedo.com/vulnerability/details/PGV-2314320
      io.undertow:undertow-core ≥ 2.3.0 & < 2.3.5.Final, < 2.2.24.Final
      but even versions > 2.3.5.Final are still marked with severe (like the 2.3.23.Final).

      image (1).png

      Best regards

      1 Reply Last reply Reply Quote 0
      • dean-houstonD Offline
        dean-houston inedo-engineer
        last edited by

        Hi @devops_8569 ,

        I'm afraid this is a known limitation issue with Maven versions in ProGet for now.

        Long story short, ProGet followed these versioning specifications:
        https://docs.oracle.com/middleware/1212/core/MAVEN/maven_version.htm#MAVEN8855

        However, some packages did not follow those specifications but instead relied on undocumented quirks (bugs?) in the Maven version parsing. These are now somewhat documented: https://maven.apache.org/pom.html#version-order-specification

        It'd be nice to fix, but it would require a risky, non-trivial rewrite of our Maven version parsing to solve this. So far as we can tell, the only consequence is that a small number of vulnerabilities yield false positives. So, it's not a priority.

        In ProGet 2026, we are substantially changing vulnerability management so it's likely these false positives won't be an issue anymore. For example, PGV-2314320 would be rated as a PVRS Category 2 for most environments.

        We'll evaluate / explore this after getting feedback from users in ProGet 2026, and whether they think it's worth us investing the time/risk to address this limitation.

        -- Dean

        1 Reply Last reply Reply Quote 0
        • D Offline
          devops_8569
          last edited by

          Hi @dean-houston,
          thank you for the explanation. I understand, that you don't want to risk the implementation for these special version numbers.

          On dealing with these false positives, it would be great to ignore a vulnerability just for a specific version, therefore fixing just the version mismatch, rather than deactivating the vulnerability globally.

          But I'll gladly wait for ProGet 2026 and check out the changes done to the CV management.
          Best regards

          1 Reply Last reply Reply Quote 0

          Hello! It looks like you're interested in this conversation, but you don't have an account yet.

          Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

          With your input, this post could be even better 💗

          Register Login
          • 1 / 1
          • First post
            Last post
          Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation