Ecosystem-Specific Version Comparator Factory
Module: Scanner
Status: VERIFIED
Description
Factory providing ecosystem-specific version comparison logic for accurate vulnerability matching across different package ecosystems.
Implementation Details
- Version Comparators:
  - src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/ServiceVersionComparer.cs - Service-level version comparison
  - src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/ServiceVulnerabilityMatcher.cs - Matches vulnerabilities using ecosystem-aware version comparison
- Per-Language Conflict Detection:
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Conflicts/VersionConflictDetector.cs - Java version conflict detection
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Conflicts/VersionConflictDetector.cs - Python version conflict detection
- Evidence Models:
  - src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/VersionComparisonEvidence.cs - Evidence model for version comparisons
E2E Test Plan
- Scan an image with Java packages and verify Maven version semantics are used for vulnerability matching (e.g., 1.0.0-SNAPSHOT vs 1.0.0)
- Scan an image with Python packages and verify PEP 440 version comparison is applied
- Verify version conflict detection flags incompatible version ranges in dependencies
- Verify ecosystem-specific version comparison produces correct vulnerability match/no-match decisions
- Verify version comparison evidence is included in scan results
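The following is an added, self-contained illustration of what the description and the first two E2E items are testing for; it is not StellaOps code and does not call the project's C# API. It implements a simplified Maven ComparableVersion ordering (1.0.0-SNAPSHOT sorts before 1.0.0, 1.0 equals 1.0.0) and the PEP 440 sort key as used by packaging.version, a registry that fails closed for ecosystems without a comparator, and an OSV-style range check (introduced inclusive, fixed exclusive) that records its decision as an evidence record. All names (maven_compare, pep440_key, comparator_for, match_range, VersionComparisonEvidence) and the advisory ranges are the example's own.

```python
"""Ecosystem-aware version comparison for vulnerability matching (added example, not StellaOps code)."""
import re
from dataclasses import dataclass
from itertools import zip_longest
from typing import Callable, Optional

# --- Maven: subset of ComparableVersion. Qualifiers rank alpha < beta < milestone < rc <
# snapshot < release < sp; unknown qualifiers sort after sp, alphabetically among themselves.
_MAVEN_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "cr": 3, "snapshot": 4,
               "": 5, "final": 5, "ga": 5, "release": 5, "sp": 6}
_MAVEN_ALIAS = {"a": "alpha", "b": "beta", "m": "milestone"}  # only when followed by a digit
_ZERO, _RELEASE = (1, 0, ""), (0, 5, "")                       # items are (kind, rank/number, unknown qualifier)

def _maven_items(version: str) -> list:
    # Simplification: the real parser keeps '-' sub-lists; this flattens them.
    toks = re.findall(r"\d+|[a-z]+", version.lower())
    items = []
    for i, tok in enumerate(toks):
        if tok.isdigit():
            items.append((1, int(tok), ""))              # numbers (kind 1) sort after qualifiers (kind 0)
            continue
        if tok in _MAVEN_ALIAS and i + 1 < len(toks) and toks[i + 1].isdigit():
            tok = _MAVEN_ALIAS[tok]                      # 1.0-a1 == 1.0-alpha-1
        while items and items[-1] == _ZERO:              # 1.0.0-SNAPSHOT == 1-SNAPSHOT
            items.pop()
        items.append((0, _MAVEN_RANK[tok], "") if tok in _MAVEN_RANK else (0, 7, tok))
    while items and items[-1] in (_ZERO, _RELEASE):     # 1.0.0 == 1, 1.0-final == 1.0
        items.pop()
    return items

def maven_compare(a: str, b: str) -> int:
    # A missing item counts as 0 against a number and as "release" against a qualifier,
    # which gives 1.0-SNAPSHOT < 1.0 < 1.0-sp and 1.0 < 1.0.1.
    for x, y in zip_longest(_maven_items(a), _maven_items(b)):
        if x is None:
            x = _RELEASE if y[0] == 0 else _ZERO
        if y is None:
            y = _RELEASE if x[0] == 0 else _ZERO
        if x != y:
            return -1 if x < y else 1
    return 0

# --- PyPI: PEP 440, sort key modelled on packaging.version._cmpkey ---
_PEP440 = re.compile(r"""
    ^v?(?:(?P<epoch>\d+)!)?(?P<release>\d+(?:\.\d+)*)
    (?:[-_.]?(?P<pre_l>alpha|beta|preview|pre|a|b|c|rc)[-_.]?(?P<pre_n>\d*))?
    (?:-(?P<post_n1>\d+)|[-_.]?(?:post|rev|r)[-_.]?(?P<post_n2>\d*))?
    (?:[-_.]?dev[-_.]?(?P<dev_n>\d*))?
    (?:\+(?P<local>[a-z0-9]+(?:[-_.][a-z0-9]+)*))?$""", re.VERBOSE)
_PRE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "c": 2, "rc": 2, "pre": 2, "preview": 2}

def pep440_key(version: str) -> tuple:
    m = _PEP440.match(version.strip().lower())
    if not m:
        raise ValueError(f"not a PEP 440 version: {version!r}")
    release = [int(p) for p in m["release"].split(".")]
    while len(release) > 1 and release[-1] == 0:        # 1.0 == 1.0.0
        release.pop()
    post = m["post_n1"] if m["post_n1"] is not None else m["post_n2"]  # None = absent, "" = implicit 0
    dev = m["dev_n"]
    if m["pre_l"] is None:
        pre = (-1, 0) if post is None and dev is not None else (3, 0)  # X.devN < X.a0 < X
    else:
        pre = (_PRE_RANK[m["pre_l"]], int(m["pre_n"] or 0))
    local = () if m["local"] is None else tuple(
        (0, int(p)) if p.isdigit() else (-1, p) for p in re.split(r"[-_.]", m["local"]))
    return (int(m["epoch"] or 0), tuple(release), pre,
            -1 if post is None else int(post or 0),
            float("inf") if dev is None else int(dev or 0), local)

def pep440_compare(a: str, b: str) -> int:
    ka, kb = pep440_key(a), pep440_key(b)
    return (ka > kb) - (ka < kb)

# --- Factory: one comparator per ecosystem, no silent fallback ---
@dataclass(frozen=True)
class VersionComparator:
    ecosystem: str
    compare: Callable[[str, str], int]

_REGISTRY = {"maven": VersionComparator("maven", maven_compare),
             "pypi": VersionComparator("pypi", pep440_compare)}

def comparator_for(ecosystem: str) -> VersionComparator:
    # Fail closed: an unregistered ecosystem must not drop to lexical ordering, where "1.10.0" < "1.9.0".
    try:
        return _REGISTRY[ecosystem.lower()]
    except KeyError:
        raise ValueError(f"no version comparator registered for {ecosystem!r}") from None

@dataclass(frozen=True)
class VersionComparisonEvidence:          # hypothetical evidence record, not the project's model
    ecosystem: str
    package: str
    installed: str
    introduced: str
    fixed: Optional[str]
    affected: bool
    reason: str

def match_range(ecosystem: str, package: str, installed: str, introduced: str,
                fixed: Optional[str] = None) -> VersionComparisonEvidence:
    # OSV-style affected range: introduced is inclusive, fixed is exclusive.
    cmp = comparator_for(ecosystem)
    if cmp.compare(installed, introduced) < 0:
        verdict, why = False, f"{installed} < introduced {introduced}"
    elif fixed is not None and cmp.compare(installed, fixed) >= 0:
        verdict, why = False, f"{installed} >= fixed {fixed}"
    else:
        verdict, why = True, f"{introduced} <= {installed}" + (f" < {fixed}" if fixed else "")
    return VersionComparisonEvidence(ecosystem, package, installed, introduced, fixed, verdict, why)
```

The cases that separate an ecosystem-aware comparator from a generic one are exactly the ones the E2E plan names: under Maven rules a 1.2.0-SNAPSHOT build is still inside a range fixed at 1.2.0, and under PEP 440 a 2.0.0rc1 wheel is still affected by an advisory fixed in 2.0.0, while 1.9.post1 is not below an introduced 1.9. The registry raises for an ecosystem it does not know rather than guessing; a matcher that guesses turns every unknown ecosystem into a source of false negatives. The Maven tokeniser here flattens the hyphen sub-list structure of the real ComparableVersion, so exotic forms such as 1.0-1 versus 1.0.1 are not ordered exactly as Maven would.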
Verification
| Check | Result |
|---|---|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |