Nginx version notations #553

Closed · Hritik14 opened this issue Sep 16, 2021 · 3 comments · Fixed by #525

@Hritik14 (Collaborator)

I contacted Nginx over their mailing list to clarify their version notations like 1.21.0+. We got the following reply:

The 1.21.0+ notation means "1.21.0 and newer", or, more
formally, "1.21.0 and derived versions".  This includes all
future nginx versions on the mainline branch, and all future
stable branches (which aren't yet created).

More: https://mailman.nginx.org/pipermail/nginx/2021-September/061039.html

Further, according to Nginx (https://www.nginx.com/blog/nginx-1-16-1-17-released/):

- Mainline is the active development branch where the latest features and bug fixes get added. It is denoted by an odd number in the second part of the version number, for example 1.17.
- Stable receives fixes for high‑severity bugs, but is not updated with new features. It is denoted by an even number in the second part of the version number, for example 1.16.0.

This information needs to be accounted for in the nginx importer.

via https://github.com/nexB/vulnerablecode/wiki/WeeklyMeetings#meeting-on-thursday-2021-09-14-at-1400-utc

@pombredanne (Member)

Here are some notes:

We receive a vuln this way:

  • Vulnerability ABC impacts nginx 1.1 and up and 2.1 and up.
  • Vulnerability ABC is fixed in nginx 1.2 and 2.2.

We know that nginx has multiple version branches and we could use a qualifier in
the purl and break apart the ranges. Essentially, the stable branch and the
testing branch of nginx are like two different packages. Or we may not know yet
that there are multiple version branches (or maybe we can find sleek ways to infer
that there are multiple branches, e.g. whenever an advisory refers to multiple
impacted versions).

Vulnerability ABC:

  • affected:

  • if we do not know yet that nginx has multiple live branches:
    - nginx and this version range spec: nginx:>=1.1,>=2.1

  • later if we handle the branches 1 and 2:

    • nginx?branch=1 and this version range spec: nginx:>=1.1
    • nginx?branch=2 and this version range spec: nginx:>=2.1

@Hritik14 Hritik14 linked a pull request Jan 10, 2022 that will close this issue
@pombredanne (Member)

We now have also nginx-specific code in https://github.com/nexB/univers/blob/83e4fa651da7868f5c6f7c05a006bfadaac8d1cd/src/univers/version_range.py#L687

See also the #525 PR for details of the implementation.

@Hritik14 (Collaborator, Author)

We got the final reply from nginx. This time it's perfect!

Note that it is generally trivial to find out if a version is
vulnerable or not from the information about a vulnerability,
without any knowledge about nginx branches. That is:

  • Check if the version is in "Vulnerable" range. If it's not, the
    version is not vulnerable.

  • If it is, check if the branch is explicitly listed in the "Not
    vulnerable". If it's not, the version is vulnerable. If it
    is, check the minor number: if it's greater or equal to the
    version listed as not vulnerable, the version is not vulnerable,
    else the version is vulnerable.

See: https://marc.info/?l=nginx&m=164070162912710&w=2
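The three-step check in the nginx reply above, written out as an added Python example. This is not VulnerableCode, univers or nginx project code; it assumes an advisory shaped like the ones discussed in the thread, with one `Vulnerable: low-high` range and a `Not vulnerable:` list of `X.Y.Z+` entries (each meaning "X.Y.Z and later on the X.Y branch"). The `NginxVersion`, `Advisory`, `parse_advisory` and `is_affected` names and the sample advisory text are constructed for this example. It also classifies a version as mainline or stable from the odd/even second component, as the nginx blog post quoted in the first comment describes.

```python
"""Decide whether an nginx version is affected by an advisory.

Added example, not project code. Implements the check from the nginx
mailing-list reply: (1) is the version inside the "Vulnerable" range,
(2) is its branch listed under "Not vulnerable", (3) if so, compare the
last component with the listed fixed version on that branch.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True, order=True)
class NginxVersion:
    """A three-part nginx version such as 1.21.0 (ordering is field-wise)."""
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> "NginxVersion":
        # A trailing "+" (as in "1.21.1+") is accepted and ignored here;
        # its "and later on this branch" meaning is handled by the caller.
        parts = text.strip().rstrip("+").split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"not an nginx version: {text!r}")
        return cls(*(int(p) for p in parts))

    @property
    def branch(self) -> Tuple[int, int]:
        return (self.major, self.minor)

    @property
    def is_mainline(self) -> bool:
        # Odd second component = mainline, even = stable (nginx blog post).
        return self.minor % 2 == 1


@dataclass(frozen=True)
class Advisory:
    vulnerable_low: NginxVersion
    vulnerable_high: NginxVersion
    # branch -> first non-vulnerable version on that branch ("X.Y.Z+" entries)
    fixed_by_branch: Dict[Tuple[int, int], NginxVersion]


def parse_advisory(text: str) -> Advisory:
    """Parse the assumed advisory layout (constructed format, see lead-in)."""
    low: Optional[NginxVersion] = None
    high: Optional[NginxVersion] = None
    fixed: Dict[Tuple[int, int], NginxVersion] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Not vulnerable:"):  # must be tested before "Vulnerable:"
            for entry in line.split(":", 1)[1].split(","):
                entry = entry.strip()
                if not entry.endswith("+"):
                    raise ValueError(f"expected 'X.Y.Z+' entry, got {entry!r}")
                fix = NginxVersion.parse(entry)
                fixed[fix.branch] = fix
        elif line.startswith("Vulnerable:"):
            lo_text, hi_text = line.split(":", 1)[1].split("-")
            low, high = NginxVersion.parse(lo_text), NginxVersion.parse(hi_text)
    if low is None or high is None:
        raise ValueError("advisory has no 'Vulnerable:' range")
    return Advisory(low, high, fixed)


def is_affected(advisory: Advisory, version: str) -> bool:
    v = NginxVersion.parse(version)
    # Step 1: outside the "Vulnerable" range means not vulnerable.
    if not (advisory.vulnerable_low <= v <= advisory.vulnerable_high):
        return False
    # Step 2: inside the range and the branch is not listed as fixed: vulnerable.
    fix = advisory.fixed_by_branch.get(v.branch)
    if fix is None:
        return True
    # Step 3: branch is listed; compare the last component (the reply calls it
    # the "minor number") with the first fixed version on that branch.
    return v.patch < fix.patch


# Constructed sample advisory (not a real nginx advisory).
SAMPLE_ADVISORY = """\
Vulnerability ABC (constructed sample)
Severity: high
Not vulnerable: 1.21.1+, 1.20.1+
Vulnerable: 0.5.6-1.21.0
"""


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    for candidate in ("0.5.5", "1.18.0", "1.20.0", "1.20.1", "1.21.0", "1.21.1", "1.22.0"):
        v = NginxVersion.parse(candidate)
        kind = "mainline" if v.is_mainline else "stable"
        print(f"{candidate:8} {kind:8} affected={is_affected(adv, candidate)}")
```

The case that needs step 3 is `1.20.1`: it sits inside the `0.5.6-1.21.0` range, so a plain range check would call it vulnerable, but its branch `1.20` is listed as fixed from `1.20.1`, so it is not. Older stable branches such as `1.18.x` are inside the range and not listed, so they count as vulnerable, which matches the reply's "if it's not [listed], the version is vulnerable".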
