[Added] WinDirStat - App-Request

Tom

Generic detection and Specific Rules added. Version written as 1.1.2 as this is how it is done on the site and FossHub.

OLLI_S

WinDirStat is now detected by VulnDetect but the version number 1.1.2 is not correct.
If I go to Help -> About in WinDirStat then I see: 1.1.2.80 (Unicode).
Tell me if you need a screen shot.

---

Here the information extracted from the EXE file:

File name and path:     D:\PortableApps\PortableApps\WinDirStatPortable\App\WinDirStat\windirstat.exe
Product Name:           WinDirStat
Internal Name:          windirstat
Original Filename:      windirstat.exe

File Description:       Windows Directory Statistics
Company:                Seifert
Legal Copyright:        Copyright (C) 2003-2005 Bernhard Seifert
Legal Trademarks:       
Comments:               

File Version String:    1.1.2.80 (Unicode)
File Version:           1.1.2.80
Product Version String: 1.1.2.80 (Unicode)
Product Version:        1.1.2.80

---

So don't care what is written on web pages, show what is shown in the GUI.

Anselm

@OLLI_S @Tom maybe it is more complicated? Windows->Programs and Features: The name is WinDirStat 1.2.0
You can find a lot of programs there, which has version numbers in the name and additionally have a number in the version column

OLLI_S

Users normally look up the version information in the app because many apps store not the correct information in Windows.
For example the Oculus App, they store < 3 ( a symbol).
But most apps offer a Help -> About dialog where they show the correct version number.

Anselm

@OLLI_S I do not know, what a user normally do. Maybe he knows, which version he installed, because it is mentioned at the download site. Or the version number is in the name of the install file. Or a system administrator looks remote, which programs are installed - he will newer see the about box.

Tom

This is a complicated topic and there just isn't a perfect solution since vendors are pretty poor at being consistent with their versioning, this even includes vendors like Microsoft and Mozilla.

The purpose of VulnDetect is primarily to inform users about vulnerable software and to ensure that users can find the next non-vulnerable version. And secondarily we want to inform about new versions that are available.

Based on this it makes most sense to "translate" or map whatever version the software is, to what is shown on the vendor website, especially what is show on download pages, changelogs, security bulletins and support documentation.

In the case of WinDirStat it doesn't make much sense to refer to 1.1.2.80 (Unicode).

Consider the case where a user has got version 1.1.1 (or something) and VulnDetect recommends version 1.1.2.80 (Unicode), how is the user supposed to find out what to download when they visit the website?

The user will get confused and believe that the information we provide is bogus, since the latest version on the site is 1.1.2 and not 1.1.2.80.

I'm not saying this is perfect or that this covers all situations we will encounter. But it is what comes closest to helping the normal users who doesn't want to do download and install the application to find out if it indeed is the right version.

So, when the vendor provides version information on the website, that will be used (if and when we can map to that in a reliable way). And if that isn't feasible for one reason or another, then we will use what is in the files.

I would still appreciate to know what is shown in the UI as it helps create the correct mapping and understand if other factors are needed to determine the correct version.

Anselm

@Tom said in WinDirStat - App-Request:

The user will get confused and believe that the information we provide is bogus, since the latest version on the site is 1.1.2 and not 1.1.2.80.

But it might also be confusing, if the vendor provides minor versions and do not tell and name all of them 1.1.2

@Tom said in WinDirStat - App-Request:

I would still appreciate to know what is shown in the UI as it helps create the correct mapping and understand if other factors are needed to determine the correct version.

Tom

@Anselm said in WinDirStat - App-Request:

@Tom said in WinDirStat - App-Request:

The user will get confused and believe that the information we provide is bogus, since the latest version on the site is 1.1.2 and not 1.1.2.80.

But it might also be confusing, if the vendor provides minor versions and do not tell and name all of them 1.1.2

True, and when that is the case, please do alert me and we shall discuss it here on a case-by-case basis and find the best to display this to "normal" users.

OLLI_S

I know many examples where version info at the website differs to the information shown in Help -> About.
On the website they write shorter version numbers.

And I know some examples where vendors release for example 1.2. (in the app I see 1.2.0) and later on they release a 1.2.1 patch (that is also named 1.2 on the website).

OLLI_S

@Tom and @Anselm
I started a discussion about What Version Number to display.
Hopefully we get a solution there.

OLLI_S

@anselm WinDirStat is detected by VulnDetect.
For the version number you may open a separate forum posting.
So I mark the topic as Added and move it to the category Added App Requests.