bug(pip): Trivy doesn’t trim the end-of-range suffix when using the `--detection-priority comprehensive` flag.

[DmitriyLewen]

Description

When the --detection-priority comprehensive flag is used, Trivy takes the minimum version for a package (see docs).

However, if the package version is specified as a range, Trivy doesn’t trim the end-of-range suffix.
e.g for requests>=2.31.0,<3:

• now: requests + 2.31.0,<3
• correct: requests + 2.31.0

Required changes:

Add logic to trim the end-of-range suffix.
We can rely on separators such as , , <, =.

Discussed in #9607

[raghur-orca]

@DmitriyLewen We need to tweak the split line function in the parse.go file from

func (p *Parser) splitLine(line string) []string {
	separators := []string{"~=", ">=", "=="}
	// Without useMinVersion check only `==`
	if !p.useMinVersion {
		separators = []string{"=="}
	}
	for _, sep := range separators {
		if result := strings.Split(line, sep); len(result) == 2 {
                       reutrn result
		}
	}
	return nil
}

to

func (p *Parser) splitLine(line string) []string {
	separators := []string{"~=", ">=", "=="}
	// Without useMinVersion check only `==`
	if !p.useMinVersion {
		separators = []string{"=="}
	}
	for _, sep := range separators {
		if result := strings.Split(line, sep); len(result) == 2 {
			version := strings.Split(result[1], ",")[0]
			return []string{result[0], version}
		}
	}
	return nil
}

Sorry, not sure on how to contribute. Submitting a first change to Trivy.

Can i create a PR with a change to address this issue.?

[DmitriyLewen]

yes, please. Open new PR (from your fork).
More info - https://trivy.dev/latest/community/contribute/pr/