Match security advisories against Go pseudo-versions
Problem to solve
At the moment, version information from the advisories is based only on the semantic versions mentioned in the advisories. Many Go projects, however, do not use a semantic versioning scheme, so pseudo-versions appear in the lockfile instead of semantic versions (see #196520 (closed) for more details). Pseudo-versions are the fallback mechanism used by the Go ecosystem in the absence of proper semantic version tags.
As Gemnasium can currently process only semantic versions and not pseudo-versions, we cannot detect potentially vulnerable dependencies among the Go dependencies that use a non-semantic versioning scheme, which can lead to false negatives.
The root cause of this issue is that the Gemnasium project does not have a dedicated vrange tool for Go that can cope with pseudo-versions.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Proposal
Having a dedicated vrange tool for Go that leverages Go's native semantic version library would ensure that version matching behaves the same on the analyzer side as it does in Go itself, and would move the complexity of properly matching semantic versions and pseudo-versions out of the gemnasium project. We could use https://gitlab.com/gitlab-org/security-products/advisory-db-curation-tools/-/tree/master/adbcurate/vadapters/go as a starting point for that.
Implementation plan
- update Gemnasium to support Go pseudo-versions gitlab-org/security-products/analyzers/gemnasium!115 (merged)
  - add a new version range resolver specific to Go
  - introduce translate query functions, to translate version range queries prior to evaluating them
  - implement a translate query function for Go, to handle pseudo-versions
  - update scanner test
  - release new version
- update test project tests/go-modules to cover Go pseudo-versions gitlab-org/security-products/tests/go-modules!59 (merged)
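As an added illustration of the proposal and of the Go-specific resolver step above (this is not code from the Gemnasium project or from the linked adbcurate adapters), the following Go program shows why a Go pseudo-version needs no special handling once version matching follows Go's own SemVer 2.0 precedence rules: the rules are reimplemented inline rather than imported from golang.org/x/mod/semver so the program runs without dependencies. The version strings, the space-separated range syntax and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parse maps each identifier of "v1.2.5-0.20191109021931-daa7c04131f5" (MAJOR, MINOR, PATCH, then the pre-release ids; "+metadata" such as "+incompatible" is dropped) to a key whose ASCII order matches SemVer 2.0 precedence.
func parse(v string) (ids []string) {
	v = strings.SplitN(strings.TrimPrefix(v, "v"), "+", 2)[0]
	for _, id := range strings.Split(strings.Replace(v, "-", ".", 1), ".") {
		key := "1" + id // alphanumeric ids (including "<timestamp>-<hash>") rank above numeric ones
		if n, err := strconv.Atoi(id); err == nil {
			key = fmt.Sprintf("0%020d", n) // numeric ids compare by value
		}
		ids = append(ids, key)
	}
	return ids
}

// compare orders two well-formed versions by SemVer precedence (negative, zero or positive); a Go pseudo-version is an ordinary pre-release here, so v1.2.5-0.<ts>-<hash> lands after v1.2.4 and before v1.2.5.
func compare(a, b string) int {
	ia, ib := parse(a), parse(b)
	for i := 0; i < len(ia) && i < len(ib); i++ {
		if c := strings.Compare(ia[i], ib[i]); c != 0 {
			return c
		}
	}
	if len(ia) == 3 || len(ib) == 3 { // same core: a release outranks its own pre-releases
		return len(ib) - len(ia)
	}
	return len(ia) - len(ib) // same leading pre-release ids: the longer list wins
}

// affected evaluates a space-separated advisory range such as ">=v1.2.0 <v1.2.5" (assumed syntax) against the version pinned in go.mod, tag or pseudo-version alike.
func affected(version, rangeSpec string) bool {
	for _, constraint := range strings.Fields(rangeSpec) {
		bound := strings.TrimLeft(constraint, "<>=")
		op := constraint[:len(constraint)-len(bound)]
		c := compare(version, bound)
		if !map[string]bool{">": c > 0, ">=": c >= 0, "<": c < 0, "<=": c <= 0, "=": c == 0, "": c == 0}[op] {
			return false
		}
	}
	return true
}

// Constructed input: a commit pinned after v1.2.4 but before v1.2.5 was tagged, so it is still affected.
func main() { fmt.Println(affected("v1.2.5-0.20191109021931-daa7c04131f5", ">=v1.2.0 <v1.2.5")) } // true
```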
Documentation
Since the current limitation isn't documented, there's no doc update for this change.
What does success look like, and how can we measure that?
A vrange tool that can successfully match both semantic versions and pseudo-versions.