diff --git a/src/security_constraints/main.py b/src/security_constraints/main.py
index 23b76f5..61951a9 100644
--- a/src/security_constraints/main.py
+++ b/src/security_constraints/main.py
@@ -71,16 +71,25 @@ def get_safe_version_constraints(
 """
 safe_specs: List[str] = []
- vulnerable_specs = [p.strip() for p in vulnerability.vulnerable_range.split(",")]
- for vulnerable_spec in vulnerable_specs:
- if vulnerable_spec.startswith("= "):
- safe_specs.append(f"!={vulnerable_spec[2:]}")
- elif vulnerable_spec.startswith("<= "):
- safe_specs.append(f">{vulnerable_spec[3:]}")
- elif vulnerable_spec.startswith("< "):
- safe_specs.append(f">={vulnerable_spec[2:]}")
- elif vulnerable_spec.startswith(">= "):
- safe_specs.append(f"<{vulnerable_spec[3:]}")
+ vulnerable_spec: str
+ if "," in vulnerability.vulnerable_range:
+ # If there is a known min and max affected version, make the constraints
+ # just specify the minimum safe version, since min and max constraints cannot
+ # be met at the same time.
+ vulnerable_spec = [
+ p.strip() for p in vulnerability.vulnerable_range.split(",")
+ ][-1]
+ else:
+ vulnerable_spec = vulnerability.vulnerable_range.strip()
+
+ if vulnerable_spec.startswith("= "):
+ safe_specs.append(f"!={vulnerable_spec[2:]}")
+ elif vulnerable_spec.startswith("<= "):
+ safe_specs.append(f">{vulnerable_spec[3:]}")
+ elif vulnerable_spec.startswith("< "):
+ safe_specs.append(f">={vulnerable_spec[2:]}")
+ elif vulnerable_spec.startswith(">= "):
+ safe_specs.append(f"<{vulnerable_spec[3:]}")
 return PackageConstraints(
 package=vulnerability.package,
 specifiers=safe_specs,
diff --git a/test/test_main.py b/test/test_main.py
index 6d72af0..ea8694d 100644
--- a/test/test_main.py
+++ b/test/test_main.py
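Review bot: Picking the upper bound by position (`][-1]`) assumes the advisory always lists the lower bound first; for a range written as `< 4.3.5, >= 4.3.0` the selected spec would be `>= 4.3.0`, yielding the constraint `<4.3.0` and permitting every vulnerable 4.3.x release. Selecting by operator is order-independent and needs no positional assumption: `specs = [p.strip() for p in vulnerability.vulnerable_range.split(",")]` followed by `vulnerable_spec = next((s for s in specs if s.startswith("<")), specs[-1])`, and the comment above it should say the upper bound is chosen rather than "the last entry". The `if`/`elif` chain also has no fallback, so a spec whose prefix is not one of the four recognised forms leaves `safe_specs` empty and the package is returned with no constraint at all — a fail-open for a tool whose output is meant to block vulnerable versions; raising a `ValueError` (or at least logging a warning naming the unparsed spec) in a final `else:` would surface that instead of silently dropping the advisory. The enclosing `get_safe_version_constraints` begins before this hunk, so its signature and the rest of its docstring are not visible here.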
@@ -76,7 +76,7 @@ def test_get_security_vulnerability_database_apis(monkeypatch) -> None:
 package="pystuff",
 vulnerable_range=">= 4.3.0, < 4.3.5",
 ),
- PackageConstraints(package="pystuff", specifiers=["<4.3.0", ">=4.3.5"]),
+ PackageConstraints(package="pystuff", specifiers=[">=4.3.5"]),
 ),
 (
 SecurityVulnerability(