When Vers.satisfies? raises during a range check, version_in_range? rescues and returns false:

```ruby
rescue StandardError => e
  warn "Warning: Failed to check version '#{version}' against constraints: #{e.message}"
  false
```

lib/brew/vulns/vulnerability.rb:178-181
Returning false means the vulnerability is treated as not affecting the installed version, so it gets filtered out at cli.rb:128. The warning goes to stderr, which is invisible when running with --json, --sarif, or --cyclonedx in CI.
Compare affects_version? at line 61, which returns true when affected is empty. That's the safer default for a scanner: when in doubt, include the finding.
Suggested change: return true from the rescue so a parse failure surfaces the vuln rather than hiding it. The user can then triage the false positive instead of missing a real one.
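As an added example (not the review's or the brew/vulns project's own code), the fail-open rescue beside the suggested fail-closed one, run over two constructed findings; `satisfies?` here is a constructed stand-in for Vers.satisfies? that raises on input it cannot parse, and `reported` stands in for the filter step at cli.rb:128:

```ruby
# Added example: models the fail-open vs fail-closed rescue from the review.
# `satisfies?` is a constructed stand-in for Vers.satisfies?, not the real library.
require "rubygems" # Gem::Version from Ruby's standard library

# Constructed stand-in: accepts "op version" clauses joined by commas, e.g.
# ">=1.2.0,<1.5.0", and raises ArgumentError on anything it cannot parse,
# which mirrors a parser failure inside the real range check.
def satisfies?(version, constraint)
  v = Gem::Version.new(version)
  constraint.split(",").all? do |clause|
    m = clause.strip.match(/\A(>=|<=|>|<|=)\s*([\w.\-]+)\z/)
    raise ArgumentError, "unparseable constraint: #{clause.inspect}" unless m
    op, bound = m[1], Gem::Version.new(m[2])
    op = "==" if op == "="
    v.public_send(op, bound)
  end
end

# Current behaviour quoted in the review: the rescue returns false, so a
# parse failure makes the finding look "not affected" (fail-open).
def version_in_range_current?(version, constraint)
  satisfies?(version, constraint)
rescue StandardError => e
  warn "Warning: Failed to check version '#{version}' against constraints: #{e.message}"
  false
end

# Suggested behaviour: the rescue returns true, so the finding survives the
# filter and the user triages it instead of never seeing it (fail-closed).
def version_in_range_suggested?(version, constraint)
  satisfies?(version, constraint)
rescue StandardError => e
  warn "Warning: Failed to check version '#{version}' against constraints: #{e.message}"
  true
end

# Constructed findings: one well-formed range, one the stand-in cannot parse.
FINDINGS = [
  { id: "VULN-A", range: ">=1.0.0,<2.0.0" },
  { id: "VULN-B", range: ">=1.0.0,< 2.0.0 || ~>3" },
].freeze

# Stand-in for the filter at cli.rb:128: keep only findings whose range check
# returns true for the installed version, and report their ids.
def reported(installed, check)
  FINDINGS.select { |f| method(check).call(installed, f[:range]) }.map { |f| f[:id] }
end
```

With version 1.4.0 installed, the current rescue silently drops VULN-B while the suggested one reports both, and a version outside a well-formed range is still excluded under either variant.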