[GHSA-m494-w24q-6f7w] JDBC Driver for SQL Server has improper input validation issue

[gdsmith]

Updates

• Affected products

Comments
Seems MS has released a 12.2.1 version that is causing false positives

[shelbyc]

Hi @gdsmith, I read aquasecurity/trivy#9745 to get an idea of what's going on, but BLUF: I can't change the patched version to 12.2.1 because there is no version 12.2.1 of https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc/versions, only 12.2.1.jre8 and 12.2.1.jre11.

For more detail:

• I set the fixed versions of advisories to have the .jre11 suffix because, per GitHub Advisory Database vulnerable version range (VVR) logic: Any letters that come after a number are considered part of a prerelease, so any versions with letters after the numbers are earlier versions than numbers without letters in the version number..
• In [GHSA-m494-w24q-6f7w] JDBC Driver for SQL Server has improper input validation issue #6386, I set the suffix to .jre11 instead of .jre8 because the VVR logic interpreted the number 1 as coming before the number 8, and therefore .jre11 being a lower version than .jre8.

I'm not sure why people in aquasecurity/trivy#9745 are having issues with 12.2.1 being incorrectly marked as vulnerable, but if I had to guess, it may have something to do with 12.2.1 with no suffix not existing in Maven.