fix: don't panic if openSSH version cannot be parsed

Author: G-Rath

detector/cve/cve202338408/cve202338408.go

@@ -69,6 +69,16 @@ func (Detector) Requirements() *plugin.Capabilities {
 // RequiredExtractors returns an empty list as there are no dependencies.
 func (Detector) RequiredExtractors() []string { return []string{} }
 
+func isVersionWithinRange(openSSHVersion string, lower string, upper string) (bool, error) {
+	isWithinRange, err := versionLessEqual(lower, openSSHVersion)
+
+	if !isWithinRange || err != nil {
+		return false, err
+	}
+
+	return versionLessEqual(openSSHVersion, upper)
+}
+
 // Scan checks for the presence of the OpenSSH CVE-2023-38408 vulnerability on the filesystem.
 func (d Detector) Scan(ctx context.Context, scanRoot *scalibrfs.ScanRoot, ix *inventoryindex.InventoryIndex) ([]*detector.Finding, error) {
 	// 1. OpenSSH between and 5.5 and 9.3p1 (inclusive)
@@ -77,7 +87,12 @@ func (d Detector) Scan(ctx context.Context, scanRoot *scalibrfs.ScanRoot, ix *in
 		log.Debugf("No OpenSSH version found")
 		return nil, nil
 	}
-	isVulnVersion := versionLessEqual("5.5", openSSHVersion) && versionLessEqual(openSSHVersion, "9.3p1")
+	isVulnVersion, err := isVersionWithinRange(openSSHVersion, "5.5", "9.3p1")
+
+	if err != nil {
+		return nil, err
+	}
+
 	if !isVulnVersion {
 		log.Debugf("Version %q not vuln", openSSHVersion)
 		return nil, nil
@@ -232,15 +247,11 @@ type fileLocations struct {
 	LineNumbers []int
 }
 
-func versionLessEqual(lower, upper string) bool {
+func versionLessEqual(lower, upper string) (bool, error) {
 	// Version format looks like this: 3.7.1p2, 3.7, 3.2.3, 2.9p2
 	r, err := semantic.MustParse(lower, "Packagist").CompareStr(upper)
 
-	if err != nil {
-		panic(err)
-	}
-
-	return r <= 0
+	return r <= 0, err
 }
 
 func findHistoryFiles() []string {