fix(vulnfeeds): detect when version range has introduced >= fixed #4551

Open
Harshit28j wants to merge 3 commits into google:master from Harshit28j:fix/issue-215-detect-invalid-version-range

Conversation

@Harshit28j

Overview

Fixes #215

Added a check to detect when CVE data has invalid version ranges where the introduced version comes after the fixed version according to the validVersions ordering.

Details

Problem:

For PyPI vulnfeeds, there are cases of bad CVE data where introduced: 1.0 and fixed: 1.0b4. In Python versioning (PEP 440), 1.0b4 (beta) comes before 1.0 (final release), making this range logically impossible.

Visual Example of what I understood and assumed

❌ BAD DATA (triggers warning):

Version:    1.0a1   1.0a2   1.0b1   1.0b4   1.0rc1   1.0    1.1
Index:        0       1       2       3        4       5      6
                                      ↑               ↑
                                   fixed         introduced
                                   (idx 3)        (idx 5)

Problem: 5 >= 3 → introduced comes AFTER fixed (impossible!)

Result: Warning generated ⚠️

✅ GOOD DATA (no warning):

Version:    1.0a1   1.0a2   1.0b1   1.0b4   1.0rc1   1.0    1.1
Index:        0       1       2       3        4       5      6
              ↑                       ↑
         introduced                fixed
          (idx 0)                 (idx 3)

Result: 0 < 3 → Valid range ✅

Solution:

Added a check in ExtractVersionInfo (vulnfeeds/cves/versions.go) that compares the positions of introduced and fixed versions in the validVersions slice. When introduced >= fixed, a warning is appended:

Warning: introduced version 1.0 >= fixed version 1.0b4

Changes:

  • File: vulnfeeds/cves/versions.go
  • Lines added: 11
  • Uses existing versionIndex() function
  • Flow of code now: [flowchart image]

Testing

  • All existing tests pass (go test ./cves/)
  • Verified manually with mock CVE data replicating the issue
  • Verified no false positives for valid version ranges
  • Verified graceful degradation when validVersions is empty
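The position-comparison check the description outlines, as an added stand-alone example rather than the PR's own diff: `versionIndex` here is a hypothetical stand-in for the project's helper of the same name (its code is not on this page), and the `validVersions` list is constructed to match the diagram above. It also covers the two cases the Testing section mentions, an empty `validVersions` slice and a version that is not in the list, by declining to judge the range instead of comparing a -1 index.

```go
package main

import "fmt"

// versionIndex returns the position of v in validVersions, or -1 when it is
// absent. Hypothetical helper for this example, not the project's own code.
func versionIndex(validVersions []string, v string) int {
	for i, candidate := range validVersions {
		if candidate == v {
			return i
		}
	}
	return -1
}

// checkRange returns a warning when both the introduced and fixed versions are
// present in validVersions and introduced sits at or after fixed. An empty
// validVersions slice or an unknown version yields no warning: the ordering is
// unknown, so the range cannot be judged (graceful degradation, no false
// positive from comparing -1 indices).
func checkRange(validVersions []string, introduced, fixed string) (string, bool) {
	if len(validVersions) == 0 || introduced == "" || fixed == "" {
		return "", false
	}
	introIdx := versionIndex(validVersions, introduced)
	fixedIdx := versionIndex(validVersions, fixed)
	if introIdx < 0 || fixedIdx < 0 {
		return "", false
	}
	if introIdx >= fixedIdx {
		return fmt.Sprintf("Warning: introduced version %s >= fixed version %s", introduced, fixed), true
	}
	return "", false
}

func main() {
	// Constructed PEP 440-style ordering, matching the PR's diagram.
	valid := []string{"1.0a1", "1.0a2", "1.0b1", "1.0b4", "1.0rc1", "1.0", "1.1"}
	for _, rng := range [][2]string{{"1.0", "1.0b4"}, {"1.0a1", "1.0b4"}, {"1.0", "1.0"}} {
		if w, bad := checkRange(valid, rng[0], rng[1]); bad {
			fmt.Println(w)
		} else {
			fmt.Printf("Valid range: introduced %s < fixed %s\n", rng[0], rng[1])
		}
	}
}
```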

@jess-lowe
Contributor

Great work. Would you mind adding a test case to cover this change? Thanks!

@Harshit28j
Author

@jess-lowe Added test cases and updated the branch since it was outdated.

@github-actions

github-actions bot commented Mar 6, 2026

This pull request has not had any activity for 60 days and will be automatically closed in two weeks.

@github-actions github-actions bot added the stale The issue or PR is stale and pending automated closure label Mar 6, 2026
