vulnfeeds: detect when version range has introduced > fixed

[oliverchang]

For PyPI vulnfeeds, there are some cases of bad data in the form of:

introduced: 1.0
fixed: 1.0b4

Encoded like so, this means that everything after and including 1.0 is affeted (because 1.0b4 comes before 1.0). This should instead be something like

introduced: 1.0a0
fixed: 1.0b4

We need to detect these cases in the vulnfeeds tool.

[oliverchang]

Another potential case to flag: pypa/advisory-database@b999607

[andrewpollock]

To help with prioritisation, does this code get used by anything currently?

[oliverchang]

Yes, this is used by the PyPI database for auto-ingestion.

[andrewpollock]

This is blocked on there being Go code to do Python version comparison

[oliverchang]

If we have that, then we'd add a check here:

osv.dev/vulnfeeds/cves/versions.go

Line 224 in 85e7db4

if introduced != "" && !hasVersion(validVersions, introduced) {

,

And append a note if we detect that introduced > fixed.