Merge branch 'main' of https://github.com/intel/cve-bin-tool into librsvg

Author: yashugarg

README.md

@@ -24,6 +24,7 @@ For more details, see our [documentation](https://cve-bin-tool.readthedocs.io/en
 - [CVE Binary Tool quick start / README](#cve-binary-tool-quick-start--readme)
   - [Installing CVE Binary Tool](#installing-cve-binary-tool)
   - [Most popular usage options](#most-popular-usage-options)
+    - [Using the tool offline](#using-the-tool-offline)
     - [Finding known vulnerabilities using the binary scanner](#finding-known-vulnerabilities-using-the-binary-scanner)
     - [Finding known vulnerabilities in a list of components](#finding-known-vulnerabilities-in-a-list-of-components)
     - [Scanning an SBOM file for known vulnerabilities](#scanning-an-sbom-file-for-known-vulnerabilities)
@@ -50,6 +51,10 @@ You can also do `pip install --user -e .` to install a local copy which is usefu
 
 ## Most popular usage options
 
+## Using the tool offline
+
+Specifying the `--offline` option when running a scan ensures that cve-bin-tool doesn't attempt to download the latest database files or to check for a newer version of the tool.
+
 ### Finding known vulnerabilities using the binary scanner
 
 To run the binary scanner on a directory or file:
@@ -173,8 +178,6 @@ in the terminal and provide it as an input by running `cve-bin-tool -L pkg-list`
 You can use `--config` option to provide configuration file for the tool. You can still override options specified in config file with command line arguments. See our sample config files in the
 [test/config](https://github.com/intel/cve-bin-tool/blob/main/test/config/)
 
-Specifying the `--offline` option when running a scan ensures that cve-bin-tool doesn't attempt to download the latest database files or to check for a newer version of the tool.
-
 ## Using CVE Binary Tool in Github Actions
 
 If you want to integrate cve-bin-tool as a part of your github action pipeline.

cve_bin_tool/cve_scanner.py

@@ -8,9 +8,10 @@
 from collections import defaultdict
 from logging import Logger
 from string import ascii_lowercase
-from typing import DefaultDict, Dict, List
+from typing import DefaultDict, Dict, List, Tuple, Union
 
-from pkg_resources import parse_version
+from packaging.version import LegacyVersion, Version
+from packaging.version import parse as parse_version
 from rich.console import Console
 
 from cve_bin_tool.cvedb import DBNAME, DISK_LOCATION_DEFAULT
@@ -251,10 +252,14 @@ def openssl_convert(self, version: str) -> str:
             version = f"{version[:-1]}.{self.ALPHA_TO_NUM[last_char]}"
         return version
 
-    def canonical_convert(self, product_info: ProductInfo) -> str:
-        version_between = ""
+    VersionType = Union[Version, LegacyVersion]
+
+    def canonical_convert(
+        self, product_info: ProductInfo
+    ) -> Tuple[VersionType, VersionType]:
+        version_between = parse_version("")
         if product_info.version == "":
-            return product_info.version, version_between
+            return parse_version(product_info.version), version_between
         if product_info.product == "openssl":
             pv = re.search(r"\d[.\d]*[a-z]?", product_info.version)
             version_between = parse_version(self.openssl_convert(pv.group(0)))