From d4f94a41aad9b0c1f1edf65589d83de364cf7b6c Mon Sep 17 00:00:00 2001
From: MaineK00n
Date: Fri, 17 Sep 2021 08:26:46 +0900
Subject: [PATCH] feat(pacman): check if version is valid

---
 analyzer/pkg/pacman/pacman.go | 11 +++++++++--
 go.mod | 1 +
 go.sum | 2 ++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/analyzer/pkg/pacman/pacman.go b/analyzer/pkg/pacman/pacman.go
index 6c2c26822..27d0e3c87 100644
--- a/analyzer/pkg/pacman/pacman.go
+++ b/analyzer/pkg/pacman/pacman.go
@@ -3,11 +3,14 @@ package pacman
 import (
 	"bufio"
 	"bytes"
+	"log"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 
+	pacmanVersion "github.com/MaineK00n/go-pacman-version"
+
 	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/types"
 	"golang.org/x/xerrors"
@@ -60,8 +63,12 @@ func (a pacmanAnalyzer) parsePacmanPkgDesc(scanner *bufio.Scanner) (types.Packag
 			}
 		} else if strings.HasPrefix(line, "%VERSION%") {
 			if scanner.Scan() {
-				var version string
-				splitted := strings.SplitN(scanner.Text(), ":", 2)
+				version := scanner.Text()
+				if !pacmanVersion.Valid(version) {
+					log.Printf("Invalid Version Found : OS %s, Package %s, Version %s", "arch", pkg.Name, version)
+					continue
+				}
+				splitted := strings.SplitN(version, ":", 2)
 				if len(splitted) == 1 {
 					pkg.Epoch = 0
 					version = splitted[0]
diff --git a/go.mod b/go.mod
index c4267d31d..7caa39c79 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.16
 require (
 	github.com/BurntSushi/toml v0.4.1
 	github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0
+	github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184 // indirect
 	github.com/alicebob/miniredis/v2 v2.15.1
 	github.com/aquasecurity/go-dep-parser v0.0.0-20210905090655-b95c2c079bbb
 	github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
diff --git a/go.sum b/go.sum
index 992795813..48e2d0cee 100644
--- a/go.sum
+++ b/go.sum
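Review bot: The `continue` after the new `pacmanVersion.Valid` check drops the `%VERSION%` entry but not the package, so a `desc` file with a malformed version string leaves `pkg.Version` at its zero value and the package appears to flow on unversioned (the rest of parsePacmanPkgDesc is outside the hunk, so whether it is returned or filtered later cannot be confirmed here). For a vulnerability scanner that is a silent false-negative path, and the `desc` files come from the image being scanned, so the string is attacker-influenced; either keep the raw string (`pkg.Version = version` before the `continue`) or surface an error so callers can decide, rather than relying on a log line alone. The same untrusted string is interpolated into the log with `%s`, which lets embedded newlines forge additional log records; use `%q` for both name and version: `log.Printf("Invalid Version Found : OS %s, Package %q, Version %q", "arch", pkg.Name, version)`. A one-line comment on the check would also help, e.g. `// Skip versions the pacman grammar rejects so the epoch/version split below never sees garbage.`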
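Review bot: The added `go.mod` requirement is marked `// indirect`, but the same commit imports `github.com/MaineK00n/go-pacman-version` directly in `analyzer/pkg/pacman/pacman.go`, so the marker is wrong and `go mod tidy` will rewrite it; drop the comment: `github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184`. It is also a new pseudo-versioned dependency on a personal repository for a security scanner, so it is worth noting in the commit description why it was chosen over an in-tree validator.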
@@ -115,6 +115,8 @@ github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae
 github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 h1:wykTgKwhVr2t2qs+xI020s6W5dt614QqCHV+7W9dg64=
 github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
 github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14=
+github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184 h1:enu2psM1AcUsNx36T+X13lcy2kmFFV4kwCMmL7i4yiQ=
+github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184/go.mod h1:iMNOZ59Aouwx++SN7zGEi8yB9JTd+ZwYufdnC02mjd4=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=