Hello, we're working on an open source tool to aggregate security advisories and build an open vulnerabilities database (https://github.com/nexB/vulnerablecode/). This requires us to parse affected and fixed versions from nginx advisories published at https://nginx.org/en/security_advisories.html. Going through the page, I'm having a hard time understanding the plus (+) notation used to denote the version range. Please help me in this regard.
I'm assuming that the versions are in semver format. Given the following information:

CVE-2021-23017
Not vulnerable: 1.21.0+, 1.20.1+
Vulnerable: 0.6.18-1.20.0

If I consider + to mean >= for versions, the bound 1.20.1+ should be enough for the "Not vulnerable" field. How does it make sense to have another 1.21.0+? Does the plus notation only apply to the patch field in semver (the number after the second dot)? In this case, does it mean that the upcoming version 1.22.0 will be vulnerable as well?

To further clarify, I'd like to quote CVE-2019-9511:

Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2

Here, if I take + as >=, 1.16.1+ means that versions >= 1.16.1 are fixed, but this version clearly lies in the range 1.9.5-1.17.2, which is the vulnerable range. I'm assuming that this was done for a stable release of 1.16. This further favors the assumption that the plus operator only stands for the patch field in the semver, making the not vulnerable range >=1.16.1 AND <1.17.0; using the same assumption for 1.17.3+ would mean >=1.17.3 AND <1.18.0. Would this again mean that future versions will be vulnerable? This is highly unlikely.

As per my current understanding, I'd define the plus operator as: "If the version before it appears in the vulnerable range, the plus operator only denotes a >= range for the patch field in semver and <= the next minor version. Otherwise, it operates on the entire version string, thus marking *all* the future versions."

This definition is not perfect at all, as it does not justify the first example, where neither 1.21.0 nor 1.20.1 is in the vulnerable range, thus making 1.21.0 totally redundant. However, if we ignore the redundancies, I hope that the definition could work. Please let me know if there's something wrong with my deduction; also, it would be very helpful to define the plus operator as a footnote/topnote on the advisories page for the future.
--
Regards
Hritik Vijay

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
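As an added example (not part of the thread, and not nginx's documented semantics), the following code implements the plus-operator definition proposed in the message above and checks it against the two advisory entries quoted there: a "X.Y.Z+" entry that falls inside the vulnerable span is read as branch-scoped (same major.minor, patch >= Z), any other "X.Y.Z+" entry covers every later version. The field formats and the function names are assumptions made for this example.

```python
"""Evaluate a version against an nginx advisory entry using the poster's
hypothesised reading of the '+' notation (an assumption, not nginx policy)."""


def parse_version(text):
    """'1.20.1' -> (1, 20, 1); nginx versions always have three components."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_not_vulnerable(field):
    """'1.17.3+, 1.16.1+' -> [(1, 17, 3), (1, 16, 1)]; every entry carries '+'."""
    return [parse_version(entry.strip().rstrip("+")) for entry in field.split(",")]


def parse_vulnerable(field):
    """'1.9.5-1.17.2' -> ((1, 9, 5), (1, 17, 2)), both bounds inclusive."""
    low, high = field.split("-")
    return parse_version(low), parse_version(high)


def fix_covers(version, fixed, vulnerable):
    """Poster's rule: '+' is branch-scoped when the fixed version itself lies
    inside the vulnerable span (a stable-branch backport); otherwise it marks
    the fixed version and all later versions as not vulnerable."""
    low, high = vulnerable
    if low <= fixed <= high:
        return version[:2] == fixed[:2] and version >= fixed
    return version >= fixed


def is_affected(version, not_vulnerable_field, vulnerable_field):
    """True when `version` is inside the vulnerable span and no '+' entry covers it."""
    v = parse_version(version)
    vulnerable = parse_vulnerable(vulnerable_field)
    fixes = parse_not_vulnerable(not_vulnerable_field)
    if any(fix_covers(v, fixed, vulnerable) for fixed in fixes):
        return False
    low, high = vulnerable
    return low <= v <= high


if __name__ == "__main__":
    # Advisory data as quoted in the message above.
    for ver in ("1.16.0", "1.16.5", "1.17.2", "1.17.3", "1.18.0"):
        print("CVE-2019-9511", ver, is_affected(ver, "1.17.3+, 1.16.1+", "1.9.5-1.17.2"))
    for ver in ("1.19.9", "1.20.0", "1.20.1", "1.21.0", "1.22.0"):
        print("CVE-2021-23017", ver, is_affected(ver, "1.21.0+, 1.20.1+", "0.6.18-1.20.0"))
```

Under this reading 1.16.5 is covered by the branch-scoped 1.16.1+ entry while 1.18.0 is covered by 1.17.3+, and for CVE-2021-23017 the 1.21.0+ entry never changes a result, which is the redundancy the message points out.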