From 22958484dc72892335bd4aaa7be2701175b313cf Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Thu, 29 Aug 2024 12:13:01 +0200
Subject: [PATCH] fix: update jq checker

Update jq pattern to avoid false positives with the following strings: 0.2 jqPzsA
Moreover, add a new pattern to detect jq 1.7.1
Signed-off-by: Fabrice Fontaine
---
 cve_bin_tool/checkers/jq.py | 5 ++++-
 .../jq_1.7.1-3_arm64.deb.tar.gz | Bin 0 -> 3038 bytes
 test/test_data/jq.py | 9 ++++++++-
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 test/condensed-downloads/jq_1.7.1-3_arm64.deb.tar.gz

diff --git a/cve_bin_tool/checkers/jq.py b/cve_bin_tool/checkers/jq.py
index 7338a8f56c..d7c43f33c7 100644
--- a/cve_bin_tool/checkers/jq.py
+++ b/cve_bin_tool/checkers/jq.py
@@ -17,5 +17,8 @@ class JqChecker(Checker):
     CONTAINS_PATTERNS: list[str] = []
     FILENAME_PATTERNS: list[str] = []
-    VERSION_PATTERNS = [r"([0-9]+\.[0-9]+)[a-zA-Z0-9:\-\r\n]*jq"]
+    VERSION_PATTERNS = [
+        r"jq-([0-9]+\.[0-9]+\.[0-9]+)",
+        r"([0-9]+\.[0-9]+)[a-zA-Z0-9:\-\r\n]*jq[ :]",
+    ]
     VENDOR_PRODUCT = [("jq_project", "jq"), ("jqlang", "jq")]
 
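Review bot: The tightened second pattern `r"([0-9]+\.[0-9]+)[a-zA-Z0-9:\-\r\n]*jq[ :]"` still allows an unbounded run of letters, digits, `-`, `:` and newlines between the captured version and `jq`, so an unrelated `X.Y` string that happens to precede, for example, `libjq ` in the extracted strings would still be reported as the jq version; the new `[ :]` suffix only excludes the `jqPzsA` shape named in the commit message. If the real jq 1.5 marker is the adjacent `1.5\njq:` that the test data uses, restricting the run to `[\r\n]*` would make the match far more specific, but I cannot see the binary's string layout from here, so verify against the 1.5 fixture before narrowing. A short comment above `VERSION_PATTERNS` quoting the string each entry is meant to hit (`jq-1.7.1` and `1.5\njq:`) and the false positives the `[ :]` suffix rules out would save the next reader from re-deriving this. The `JqChecker` class body continues outside the hunk.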
diff --git a/test/condensed-downloads/jq_1.7.1-3_arm64.deb.tar.gz b/test/condensed-downloads/jq_1.7.1-3_arm64.deb.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..4d60c783b75e039d4fae4ead21d54e7a493e62f0 GIT binary patch literal 3038 zcmbux=OYx3!vOFz&fZjfjc_u~-mC1rb!S{iS!a(UWSoeTog7YNo|$!a&e?lqMr1}I zE1QhpAMm_)5#o+%cq7@np%;wf!Ae}**Aw&m(ojF;YL%ZJtwa3HWdHW+$r5PK{ejWZ z+WyXt2}I<-)04%MlYnzqgS4P4^QkXw$Ri&QVORD)f3CH%L#x|uzhgSV7r*-ZM+6X? zLlODuC1#3RDwlVjcftN)ho$1}7xkTxfc3JKI1+*64@cwX;PY7aKh^q67Jk8qF4cpr z>#7G^w)DJ^t?TPOWDft8?Wv>aV;>0v<`kM|!MWPu41bRnq+0>Jted$j0%|ZV+=E9j z*r9a^qR8Lx_0RIhR*pMbLrL*Po%p2q0(mKtLU6olI0PdF=D#Lc5+@&RUtcd5 znbwyO5F2geN9S`mPY9)aAR;_FZ2VnXBoZ&HKtn^I?__f?{USfrUq%GleAbr*Mrm!8 zeot)IbasEGFD!hrjAahDN@5f>&6A)odeab59xgWq-v;MauGmG-$xJ||p0(xmyLsE2*onGP%DGHZp^&uD3*`DI@##P$SAjtw#2GtCW7zEU~|h{I|WEFvH1 zNOoA`=iW*iSuo6?zUT;mOD>opo3%Y&Z%r%Hh}y8KD2U8xZ1D@__pwZv27G*_?t4F| z`G)^gRj0@M{unx~en|9Z_o4N&PD-}-0;XHVzy5MR92^}t}Usq5*MH!{D!KMG`3y0F5c z@w=Yh(=LmVe$OikJ&N(^S;)Wz~uyc)w90FYlEB!Ldyj;`e92c~XG?-WwaV6PU&!{1 z2IeTXewsOJvphu)h&=EK@aATrLcS?vs6SYy4^Ix+U*>6othiRg z(Z8Nmtm-^cVW?u&^yaCw5vdlN&EQ80QbUICrDMvLDY6WntGt5Pl*S zdgJ36-dq0qSGFbQQZ*AjiSCW>^Y##o)4HNc;%2F8&ewt;(-h!uZZX8atoL*G9&+jr zch^cbO%`<<&`ExCnfIA1?x%A~P=xO)4I;`<^29h{Vuj}1LsJo ztWpDPWav&P8sUfC-*Ay_m2rmh-$-fok&N*tQRnqDxygpi7lL+UE zC%a>YY2d${VmWNyjVrr|#{7_;V-qb(@7n5Up8m5s!BA3j@Dhfq^ez4PgqNkbYS0qO zY4A>K*pO@LL#(w|>{Qi8#E&wi>SNlZxvUXXhGUBsU8dpj-^$>k@^uXr%3+LUZAnhP zX`}Ab3}~`tVAUY?WlrQf6vu+6>nGAiN}(|a)HRn-=s5?Eu0t-LBfUkdE{x~jc0ACZPEJYuTgl?92 zv8#tXmADxJ%Fzrz#|~X?okS%S#81hzQM@Mgg>`KU3jG^4+tQyOPAWSE`IQTgWL?ru z+vrr2u`O1umF86P9QDr-!$V=o7~_qmT@6ZtMITO^<6gUrq0L3mL+}HAov~$J zi)<~Uz~39#o8s>uX3g8pVepf3?))X`Q_DyUv`n~8xK9m3R}C0hgR)#Cc_) z0cZc+LJ6y@>kD|Ev>)$^W_M`HXBs0F-rqEttYq(%F^$uI{veGBVl-kQ88=u+?=v(& zoCTeS4$5WmnJRCx#Edyj(entpbsz`Z#k^(dM90DK0%MNvH8IA94*WrJ{p~Dgix4lj z>(5SR6wSo(ivbmp9B$GpN}^V$uKZaKDcPRAK`Yd+cjXui5#g)%_g`br|) zHD{F?Ek1w>0HKq`!qhJQ(R~3@?{zu=EKds@H6wr0H%4ePIx0B~7RIFcTL8NJX7bVv 
z^N|)bj)?Fn?>$PsEzP# z3k`1Cdvg>(o6e-D?Hr*u-lS}_qRs<1J@3tOpfn+jSKzm+y?Z`u+&%|NaYUEh7BERX za;_j!)d9ljAz%cu4(=Zi4Dw#IV(~;~>GoMG6(N%yL(*LFx9)FbpCIkZZy;^EVYcJ1 zavX){Gx-R>{#$&ItN{S8q)nO<^gNWjbm_S0Z62Y1I${4dd#@2lv(@FAl3n)(MH0`oJJseDT-#e0S@lH#B_a9?0{{%!7m0(%7Y?W?7x0 z$7?x4g5*rGgoL7>a}$Rft6PVK_)t1I5uACtX`Qu<-qZ1S^t6^fCqijv72V2CjuKPV z^}=U=7jH;9GHYh8`adEIzTH@@^t5L(7gS@uV*c!YZ zy%^_GYL6|Sb#wzZz{@u-imCx06rJ{;o~tKC2eY??$!M@sp0>B{4q!IyuLPOZ(`f6{ zx)$zKy(ux^^EFg(mo-)C)9zVKaV*0h+P7g>E?KT)t~M@A&`M%fn`I;agKvW0lwc?cL6qX_CT)J-`eA_#c(M B3G@H} literal 0 HcmV?d00001 diff --git a/test/test_data/jq.py b/test/test_data/jq.py index 1545764e2a..9baf6ccfa9 100644 --- a/test/test_data/jq.py +++ b/test/test_data/jq.py @@ -2,7 +2,8 @@ # SPDX-License-Identifier: GPL-3.0-or-later mapping_test_data = [ - {"product": "jq", "version": "1.5", "version_strings": ["1.5\njq:"]} + {"product": "jq", "version": "1.5", "version_strings": ["1.5\njq:"]}, + {"product": "jq", "version": "1.7.1", "version_strings": ["jq-1.7.1"]}, ] package_test_data = [ { @@ -17,6 +18,12 @@ "product": "jq", "version": "1.5", }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/j/jq/", + "package_name": "jq_1.7.1-3_arm64.deb", + "product": "jq", + "version": "1.7.1", + }, { "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/", "package_name": "jq_1.6-1_x86_64.ipk",
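Review bot: The test hunks add positive cases for `jq-1.7.1` and keep `1.5\njq:`, but nothing pins the false positives this commit fixes, so a later edit to the pattern could again match the `0.2` / `jqPzsA` strings from the commit message without any test noticing; if the checker test harness supports negative version strings, add that case there, otherwise a small unit test asserting that no entry of `JqChecker.VERSION_PATTERNS` matches it would do. Separately, the new package entry fetches `http://ftp.fr.debian.org/debian/pool/main/j/jq/` over plain HTTP while the neighbouring OpenWrt entry uses HTTPS; if the mirror serves HTTPS, switching the scheme keeps the fixture download integrity-protected whenever the condensed copy is regenerated. The `package_test_data` list continues outside the second hunk.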