
Grype suggesting to upgrade to a version already used. #1209

Closed
ChrisHolman opened this issue Apr 3, 2023 · 2 comments
Labels
bug Something isn't working

Comments


ChrisHolman commented Apr 3, 2023

What happened:
Grype suggested that the certifi component could be fixed by upgrading to the same version number.

Here is the output of Grype, note the Installed and Fixed-In columns:

NAME     INSTALLED   FIXED-IN    TYPE    VULNERABILITY        SEVERITY
busybox  1.35.0                  binary  CVE-2022-28391       High
busybox  1.35.0                  binary  CVE-2022-30065       High
certifi  2022.12.7   2022.12.07  python  GHSA-43fp-rhv2-5gv8  Medium
git      2.38.4-r1               apk     CVE-2022-41953       High
git      2.38.4-r1               apk     CVE-2023-22743       High
pip      23.0.1                  python  CVE-2018-20225       High
py3-pip  22.3.1-r1               apk     CVE-2018-20225       High
python   3.10.10                 binary  CVE-2007-4559        Medium
python   3.10.10                 binary  CVE-2023-24329       High
python3  3.10.10-r0              apk     CVE-2007-4559        Medium
python3  3.10.10-r0              apk     CVE-2023-24329       High

What you expected to happen:
The Fixed-In column should not be populated if we're already using the latest version of the component.

How to reproduce it (as minimally and precisely as possible):
Without providing the SBOM to scan with, this can be reproduced by scanning a container which utilises the certifi component, version 2022.12.7.

Anything else we need to know?:
I don't think so. But do ask if you need anything extra.

Environment:
Grype V0.60.0

@ChrisHolman ChrisHolman added the bug Something isn't working label Apr 3, 2023
Contributor

kzantow commented Apr 3, 2023

As noted in slack, the reason for this appears to be the difference in the versions: 2022.12.7 and 2022.12.07 (note the .7 vs .07). We should be able to handle this type of thing.
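The mismatch described in this comment is a version-normalisation problem: under PEP 440 the numeric segments of a release are compared as integers, so 2022.12.7 and 2022.12.07 denote the same certifi release even though they differ as strings. The following is an added illustration, not Grype's own code (Grype is written in Go; this is a stand-alone Python sketch). It shows the naive string comparison that produces a spurious "fixed in" entry next to a normalised comparison that only reports fix versions newer than what is installed. The `Match` dataclass, the function names and the older sample version 2022.6.15 are constructed for the example; the certifi row and the GHSA identifier come from the report above.

```python
"""Why '2022.12.7' and '2022.12.07' are the same release, and how a
fix-candidate check should compare them (added example, not Grype code)."""
import re
from dataclasses import dataclass, field

_NUMERIC = re.compile(r"^\d+$")


def release_tuple(version: str) -> tuple[int, ...]:
    """Normalise a dotted release string to a tuple of integers.

    PEP 440 compares each release segment numerically, so '07' == '7', and
    trailing zero segments are insignificant ('1.0' == '1.0.0').  Only plain
    release segments are handled here; pre/post/dev tags raise ValueError.
    """
    parts = version.strip().split(".")
    if not parts or not all(_NUMERIC.match(p) for p in parts):
        raise ValueError(f"unsupported version syntax: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def same_release(a: str, b: str) -> bool:
    """True when two version strings denote the same PEP 440 release."""
    return release_tuple(a) == release_tuple(b)


@dataclass
class Match:
    """One scanner finding (constructed shape, not Grype's data model)."""
    name: str
    installed: str
    vuln_id: str
    fixed_in: list[str] = field(default_factory=list)


def naive_fixes(match: Match) -> list[str]:
    """The buggy behaviour: any fix string that differs textually is reported."""
    return [v for v in match.fixed_in if v != match.installed]


def actionable_fixes(match: Match) -> list[str]:
    """The corrected behaviour: report only fix versions strictly newer
    than the installed release after normalisation."""
    installed = release_tuple(match.installed)
    return [v for v in match.fixed_in if release_tuple(v) > installed]


# Constructed sample input mirroring the certifi row from the report.
CERTIFI_CURRENT = Match(
    name="certifi",
    installed="2022.12.7",
    vuln_id="GHSA-43fp-rhv2-5gv8",
    fixed_in=["2022.12.07"],
)

# Constructed sample: an older installed version (2022.6.15 is a made-up
# value for this example, not taken from the advisory).
CERTIFI_OLDER = Match(
    name="certifi",
    installed="2022.6.15",
    vuln_id="GHSA-43fp-rhv2-5gv8",
    fixed_in=["2022.12.07"],
)


if __name__ == "__main__":
    for m in (CERTIFI_CURRENT, CERTIFI_OLDER):
        print(f"{m.name} {m.installed}: naive={naive_fixes(m)} "
              f"normalised={actionable_fixes(m)}")
```

Running the block prints an empty normalised fix list for the installed 2022.12.7 row (the naive list still contains 2022.12.07), and a populated list for the older sample version. The same normalisation is what `packaging.version.Version` applies, which is the library a Python scanner would normally use instead of hand-rolling this.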

Contributor

kzantow commented Apr 5, 2023

This ends up being a duplicate of #1034 (sorry, I wasn't sure on Slack) -- since this is the same package, I'm going to close it for now @ChrisHolman thank you very much for reporting it!

@kzantow kzantow closed this as completed Apr 5, 2023
2 participants