the option --package_version not working as expected

[sebin-shajiphilip]

The flag exposed in vanir as "package_version" defined in vanir/detector_common_flags.py as:

One or more package versions your target code is under (e.g. for Android,
this can be "11", "12L", etc.). When given, signatures that are specific
to those versions will be used; signatures specific to other versions
will be ignored. If not given, no versions-specific signatures will be
used...

But when called with this flag( --package_version=10,11) as:

./bazel-bin/detector_runner --target_selection_strategy all_files offline_directory_scanner /srv/scratch/sipp/idcevo-samsung_v9x0-pu2511/Android/packages/services/Telephony/src/com/android/phone/settings/ --vulnerability_file_name ../CVE-2025-32346.json --package_version=10,11

, it still flags CVE-2025-32346 as unpatched (although the two "versions" in the "affected" entry of the OSV json file (downloaded from https://osv.dev/vulnerability/ASB-A-337785563) is defined as '16' and '16-next'). Which means the option --package_version is not working or not properly implemented

[doryiii]

Hi,

I think the documentation can be improved, but what it means is that only signatures that are specific to a version is used. As an example, if you look at https://osv.dev/vulnerability/ASB-A-119041698, signature "ASB-A-119041698-710eaeb5" has "match_only_versions": ["11"], which means that that particular signature will only be used when --package_version=11. All other signatures without "match_only_versions" will be used for all package_version options (or when no package_version is specificed).

The flag --package_version is used to indicate which version (of Android in this case) is being scanned, and not to filter out only signatures whose patches were specifically backported to that version.

We do this because the window of patch backport support for Android is limited, but we want to make sure vulns are still being matched in cases the same code was backported, or in the future when newer versions of Android comes out.

Regards,
Duy

[vkrikun-bmw]

hey @doryiii! thanks for the explanation. It seems that --package_version does not do what we need.

What we actually want to achieve is to ignore vulns which are relevant for later versions of AOSP than one we are using in our product. E.g. we are on Android 14 and vanir still marks "Android 16 only" CVEs as unpatched.

Is it intended behaviour? any tips how to change it?