Incorrectly flagged vulnerabilities with 4-digit version numbers

[tilo]

Description

Codeclimate runs bundler-audit to check for vulnerabilities
and I noticed that it incorrectly flags vulnerabilities.

e.g. when upgrading Rails from 6.0.4 to 6.0.4.6

these two vulnerabilities get flagged, although they already have the fix from 6.0.3.5 applied:

https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130

Flagging this issue with Codeclimate as well, but wanted to give you guys a heads-up in case it is an issue in bundler-audit.

Perhaps the comparison of version numbers is not correctly done, and has trouble with 4-digit version numbers?

Steps To Reproduce

Steps to reproduce the bug:

1. $ bundle-audit ...
2. ???

Expected Behavior

should not flag these CVEs as an error

Actual Behavior

see image above

Environment

$ bundler-audit --version
...
$ bundle --version
...
$ ruby --version
...

[postmodern]

I cannot seem to reproduce this bug using the latest version of bundler-audit and ruby-advisory-db.

Vulnerable Gemfile

source 'https://rubygems.org/'

gem 'bundler-audit'
gem 'activerecord', '6.0.3.4'

$ bundle exec bundle-audit
Name: activerecord
Version: 6.0.3.4
CVE: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3.5, >= 6.1.2.1

Vulnerabilities found!

Secure Gemfile

source 'https://rubygems.org/'

gem 'bundler-audit'
gem 'activerecord', '6.0.3.5'

$ bundle exec bundle-audit
No vulnerabilities found

Could you post the Gemfile.lock or Gemfile and which specific CVEs that bundler-audit is detecting?