Multiple versions processing in 'is_vulnerable_version?' method #9

Closed · ghost opened this issue Jun 11, 2013 · 1 comment

ghost commented Jun 11, 2013

I knew that Rack had several vulnerabilities (http://www.cvedetails.com/vulnerability-list/vendor_id-12598/product_id-24629/Rack-Project-Rack.html), so I wanted to check for them. I created new CVE files based on your existing ones - completing the info as best I could (let me know if/how you want them added). I am using an older minor version (1.4.) and did not want to jump to the latest version (1.5.), but there is a fix for that version (1.4.5).

The problem I encountered is that the vulnerability check still flagged the gem even though I updated to one of the fix versions, just not the latest number. So I believe there is a flaw in your looping logic when multiple fix versions are available. Example list of fixes for Rack:

```ruby
self.safe_dependencies = [{:name=>"rack", :version=>['1.1.6', '1.2.8', '1.3.10', '1.4.5', '1.5.2']}]
```

Perhaps you could sort the array of versions before processing the numbers. Then you may need to break out of the loop once a matching major + minor combo has been found, so it does not look for newer versions and report a false positive.

```ruby
def is_vulnerable_version?(target, fixes)
  ret = false
  target_v_array = target.split(".").map! { |n| n.to_i }
  # sort numerically: a plain sort! on the strings would order '1.10.0' before '1.2.0'
  fixes.sort_by { |v| v.split(".").map(&:to_i) }.each do |fv|
    fixes_v_array = fv.split(".").map! { |n| n.to_i }
    # same major version
    if target_v_array[0] == fixes_v_array[0]
      # same minor version
      if target_v_array[1] == fixes_v_array[1]
        # previous patch version, so vulnerable
        if target_v_array[2] < fixes_v_array[2]
          ret = true
        end
        # no need to look at other fix versions
        break
      end
      # same major but previous minor
      if target_v_array[1] < fixes_v_array[1]
        ret = true
      end
    end
  end
  ret
end
```

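The per-branch comparison the report asks for, written as an added example rather than dawnscanner's own code: it uses `Gem::Version` instead of hand-split integer arrays so that `1.3.10` compares as newer than `1.3.9` (string sorting or lexical comparison gets that wrong), and it states explicitly what happens for a branch that has no listed fix. The `RACK_FIXES` constant is constructed in the shape of the `safe_dependencies` entry above; the method names and the "newer than every fixed branch is safe" rule are this example's assumptions, not the project's.

```ruby
# Added example (not dawnscanner's code): decide whether an installed gem
# version is older than the fix released on its own major.minor branch, when
# a CVE record lists one fix version per maintained branch.
require 'rubygems'

# Constructed entry mirroring the safe_dependencies shape from the issue;
# the version numbers are the Rack fixes quoted there.
RACK_FIXES = { name: 'rack', version: %w[1.1.6 1.2.8 1.3.10 1.4.5 1.5.2] }

# major.minor branch of a version, padded so '1' and '1.0' both map to [1, 0]
def branch_of(version)
  (version.segments.first(2) + [0, 0]).first(2)
end

# Map each major.minor branch to the highest fix published on it
# (a record may legitimately carry several fixes for the same branch).
def fixes_by_branch(fix_versions)
  fix_versions.map { |v| Gem::Version.new(v) }
              .group_by { |v| branch_of(v) }
              .transform_values(&:max)
end

# True when the installed version is below the fix for its own branch.
# A branch with no listed fix counts as vulnerable only if it is older than
# the oldest fixed branch; a branch newer than every fix is assumed safe
# (assumption of this example, not a rule taken from the project).
def vulnerable_version?(installed, fix_versions)
  target   = Gem::Version.new(installed)
  branches = fixes_by_branch(fix_versions)
  branch_fix = branches[branch_of(target)]
  return target < branch_fix if branch_fix

  oldest_fixed_branch = branches.keys.min
  (branch_of(target) <=> oldest_fixed_branch) == -1
end

if __FILE__ == $PROGRAM_NAME
  %w[1.4.4 1.4.5 1.3.9 1.3.10 1.0.9 1.6.0].each do |v|
    status = vulnerable_version?(v, RACK_FIXES[:version]) ? 'vulnerable' : 'fixed'
    puts "rack #{v}: #{status}"
  end
end
```

Running the file prints one line per sample version; `1.4.5` is reported as fixed even though `1.5.2` is also in the list, which is exactly the false positive the report describes. Keeping the comparison on `Gem::Version` also avoids the `1.3.9` vs `1.3.10` trap that any string-based sort walks into.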
@ghost ghost assigned thesp0nge Jun 14, 2013
thesp0nge (Owner) commented

This should really be fixed in new VersionCheck to be included in version 1.1.0
