Ensure consistency between semver_dialects and vrange when adding advisories
Problem to solve
As we're adding security advisories to the advisory database,
we have to make sure that the backend using semver_dialects
always finds the same affected and non-affected versions as the legacy Dependency Scanning jobs using vrange.
Proposal
TBD
Add a CI job to the pipeline of gemnasium-db, and make that job fail when the affected and non-affected versions found by semver_dialects differ from the ones found by vrange. The job is triggered when a YAML file changes, and does the following:
- Extract the `affected_range` and package ref from the new or updated YAML file.
- Query the package registry to list all versions of the affected package.
- Resolve affected versions using `semver_dialects`.
- Do the same using `vrange`.
- Fail if the affected versions don't match.
The CI job is allowed to fail so that it doesn't prevent new advisories from being added to gemnasium-db.
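A harness for the comparison step, as an added example that is not part of this issue or of gemnasium-db. The two resolvers are hypothetical stand-ins for semver_dialects and vrange (they differ only in how pre-releases are treated, a typical source of disagreement), and the registry version list and `affected_range` are constructed.

```python
"""Compare the affected versions two range resolvers report for one advisory.

Assumption: `resolve_strict` and `resolve_prerelease` are hypothetical stand-ins
for semver_dialects and vrange; the real job would call those tools instead.
Range syntax handled: space-separated comparators such as ">=1.0.0 <2.0.0"
over x.y.z[-pre] versions (simplified npm-like semantics).
"""
import re

def parse(v):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", v)
    if not m:
        raise ValueError(f"bad version: {v}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def key(v):
    # A pre-release sorts before the final release with the same x.y.z.
    return (v[:3], 0 if v[3] else 1, v[3] or "")

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def satisfies(version, rng):
    kv = key(parse(version))
    for op, operand in re.findall(r"(>=|<=|>|<|=)\s*([0-9A-Za-z.\-]+)", rng):
        if not OPS[op](kv, key(parse(operand))):
            return False
    return True

def resolve_strict(versions, rng):
    """Hypothetical resolver A: pre-releases are compared like any version."""
    return {v for v in versions if satisfies(v, rng)}

def resolve_prerelease(versions, rng):
    """Hypothetical resolver B: a pre-release is never reported as affected."""
    return {v for v in versions if "-" not in v and satisfies(v, rng)}

def diff_affected(versions, rng, a, b):
    """Versions on which the two resolvers disagree (empty set = consistent)."""
    return a(versions, rng) ^ b(versions, rng)

def check_advisory(versions, rng, a=resolve_strict, b=resolve_prerelease):
    """CI-style exit code: 0 when both resolvers agree, 1 when they differ."""
    affected_a, affected_b = a(versions, rng), b(versions, rng)
    for v in sorted(affected_a ^ affected_b, key=lambda s: key(parse(s))):
        print(f"MISMATCH {v}: A={v in affected_a} B={v in affected_b}")
    return 1 if affected_a != affected_b else 0

# Constructed sample: versions listed by a registry and an advisory's range.
REGISTRY_VERSIONS = ["0.9.0", "1.0.0-rc1", "1.0.0", "1.5.2", "2.0.0-beta", "2.0.0"]
AFFECTED_RANGE = ">=1.0.0 <2.0.0"

if __name__ == "__main__":
    raise SystemExit(check_advisory(REGISTRY_VERSIONS, AFFECTED_RANGE))
```

With the constructed data the resolvers disagree on `2.0.0-beta`, so the check exits non-zero, which is the mismatch the proposed job is meant to surface.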
See #220286 (comment 1044076127)
This is a follow-up to Assess accuracy of semver_dialects using gemnas... (#369238 - closed).
The implementation might be similar to the one of Add version matching edge cases to the semver_d... (#386070 - closed).
/cc @julianthome @bwill