Merge pull request #6 from mam-dev/bug-fix

Fix bug creating impossible constraints
mam-dev · Nov 7, 2022 · 6e4f7b6 · 6e4f7b6
2 parents 474148c + 3878773
commit 6e4f7b6
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 11 deletions.
diff --git a/src/security_constraints/main.py b/src/security_constraints/main.py
@@ -71,16 +71,25 @@ def get_safe_version_constraints(
 
     """
     safe_specs: List[str] = []
-    vulnerable_specs = [p.strip() for p in vulnerability.vulnerable_range.split(",")]
-    for vulnerable_spec in vulnerable_specs:
-        if vulnerable_spec.startswith("= "):
-            safe_specs.append(f"!={vulnerable_spec[2:]}")
-        elif vulnerable_spec.startswith("<= "):
-            safe_specs.append(f">{vulnerable_spec[3:]}")
-        elif vulnerable_spec.startswith("< "):
-            safe_specs.append(f">={vulnerable_spec[2:]}")
-        elif vulnerable_spec.startswith(">= "):
-            safe_specs.append(f"<{vulnerable_spec[3:]}")
+    vulnerable_spec: str
+    if "," in vulnerability.vulnerable_range:
+        # If there is a known min and max affected version, make the constraints
+        # just specify the minimum safe version, since min and max constraints cannot
+        # be met at the same time.
+        vulnerable_spec = [
+            p.strip() for p in vulnerability.vulnerable_range.split(",")
+        ][-1]
+    else:
+        vulnerable_spec = vulnerability.vulnerable_range.strip()
+
+    if vulnerable_spec.startswith("= "):
+        safe_specs.append(f"!={vulnerable_spec[2:]}")
+    elif vulnerable_spec.startswith("<= "):
+        safe_specs.append(f">{vulnerable_spec[3:]}")
+    elif vulnerable_spec.startswith("< "):
+        safe_specs.append(f">={vulnerable_spec[2:]}")
+    elif vulnerable_spec.startswith(">= "):
+        safe_specs.append(f"<{vulnerable_spec[3:]}")
     return PackageConstraints(
         package=vulnerability.package,
         specifiers=safe_specs,

diff --git a/test/test_main.py b/test/test_main.py
@@ -76,7 +76,7 @@ def test_get_security_vulnerability_database_apis(monkeypatch) -> None:
                 package="pystuff",
                 vulnerable_range=">= 4.3.0, < 4.3.5",
             ),
-            PackageConstraints(package="pystuff", specifiers=["<4.3.0", ">=4.3.5"]),
+            PackageConstraints(package="pystuff", specifiers=[">=4.3.5"]),
         ),
         (
             SecurityVulnerability(