Issue w/ "beta" value check in version_between?

[n00ge]

Background

Brakeman version: 4.4.0
Rails version: 5.2.1.1
Ruby version: 2.5.1p57

Issue

sprockets 4.0.0.beta8 appears to be a safe version in CVE-2018-3760 which is the version I have in my Gemfile.lock
See the following as the code check to confirm versions:
https://github.com/presidentbeef/brakeman/pull/1241/files#diff-4620b984ac2f48fe9350181b4e7c1ca7R19

It should not show an error. Currently I am seeing:

Confidence: High
Category: Path Traversal
Check: SprocketsPathTraversal
Message: sprockets 4.0.0.beta8 has a path traversal vulnerability (CVE-2018-3760). Upgrade to sprockets 4.0.0.beta8 or newer

It appears to be an issue with the version_between? check and the "beta" text in the version. See the definition of version_between? here:

brakeman/lib/brakeman/tracker/config.rb

Line 121 in 2f31fbb

def version_between? low_version, high_version, current_version = nil

Splitting on "." and mapping :to_i for "beta8" produces a value of 0:

$ irb
irb(main):001:0> "beta8".to_i
=> 0

I assume alpha/beta values should be split out and mapped differently?

[presidentbeef]

Oops, I guess I didn't test that CVE warning very well!

Yes, non-integer versions need to be handled better.

Thank you for reporting this issue!