Debian version matching leads to a lot false positives

Currently, the version matching for Debian packages seems a bit off. The following problem were identified: 

SBOM to reproduce: [sbom.json](https://github.com/user-attachments/files/24497991/sbom.json)

- Debian version annotations `+deb11u1` or `~deb12u2` seems to be ignored. 
    - Example: https://security-tracker.debian.org/tracker/CVE-2025-27614 where fixed version `1:2.47.3-0+deb13u1` is installed
    - Example: https://security-tracker.debian.org/tracker/CVE-2023-23914 where fixes version `8.14.1-2+deb13u2` is installed

- Identical as fixed version seems to be seen as smaller
    - Example: https://security-tracker.debian.org/tracker/CVE-2024-8176 where fixed `2.7.1-2` is installed (no suffix)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Debian version matching leads to a lot false positives #1537

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Debian version matching leads to a lot false positives #1537

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions