Add version matching edge cases to the semver_dialects gem

Problem to solve

For continuous scanning of dependencies to have parity with the gemnasium analyzer, the functionality to match advisories to dependencies has to be equivalent.

For several package managers the gemnasium analyzer delegates version matching to the package managers themselves by spawning a subprocess. That is not currently available via GitLab's Rails architecture. Instead, the semver_dialects gem provides most of what's needed to do this matching and can be used, barring some edge cases.

In Assess accuracy of semver_dialects using gemnas... (#369238 - closed) we discovered where the gem's behavior is not the same as that of gemnasium (see results).

Also, in https://gitlab.com/gitlab-org/vulnerability-research/foss/semver_dialects/-/merge_requests/6/diffs#note_1382682793 we've discovered a bug in version matching.

In Add expectations to semver_dialects based on di... (#438860 - closed) we added expectations for the version_sat? method and marked these as pending specs. Right now these specs fail. See the overview shared in the issue:

  • The leading v should be ignored but it's not.
  • Prereleases aren't properly compared to final releases and other prereleases.
  • Unions (AKA disjunctions) of ranges aren't processed correctly.
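As an added illustration of the three edge cases above (not code from the semver_dialects gem, and not its API), the following minimal matcher implements semver precedence so that a leading v is ignored, prereleases sort below the matching final release and among themselves per identifier, and ranges joined by `||` are treated as a disjunction. The range syntax (space-separated comparators as a conjunction, `||` as a union) is an assumption of this example.

```ruby
# Added example: a small version matcher covering the listed edge cases.
# Build metadata ("+...") is deliberately not handled here.

# Parse "v1.2.3-beta.1" into [[1, 2, 3], ["beta", 1]]; the leading "v" is dropped.
def parse_version(str)
  str = str.strip.sub(/\A[vV]/, "")
  core, pre = str.split("-", 2)
  nums = core.split(".").map(&:to_i)
  pre_ids = pre&.split(".")&.map { |id| id.match?(/\A\d+\z/) ? id.to_i : id }
  [nums, pre_ids]
end

# Semver precedence: numeric core first; a prerelease ranks below the same core
# without one; then prerelease identifiers compare left to right, numeric ones
# numerically and below alphanumeric ones, and a shorter identical prefix is lower.
def compare_versions(a, b)
  (an, ap), (bn, bp) = parse_version(a), parse_version(b)
  len = [an.size, bn.size].max
  c = an.fill(0, an.size...len) <=> bn.fill(0, bn.size...len)
  return c unless c.zero?
  return 0 if ap.nil? && bp.nil?
  return 1 if ap.nil?   # 1.0.0 > 1.0.0-rc.1
  return -1 if bp.nil?
  ap.zip(bp).each do |x, y|
    return 1 if y.nil?  # "beta.1" > "beta" when the prefix matches
    next if x == y
    return x.class == y.class ? (x <=> y) : (x.is_a?(Integer) ? -1 : 1)
  end
  ap.size <=> bp.size
end

OPS = {
  ">=" => ->(c) { c >= 0 }, "<=" => ->(c) { c <= 0 }, ">" => ->(c) { c > 0 },
  "<" => ->(c) { c < 0 }, "=" => ->(c) { c == 0 }, "" => ->(c) { c == 0 }
}.freeze

# A conjunction such as ">=1.0.0 <2.0.0" must hold for every comparator.
def satisfies_all?(version, conjunction)
  conjunction.split.all? do |comparator|
    op, ver = comparator.match(/\A(>=|<=|>|<|=)?(.+)\z/).captures
    OPS[op.to_s].call(compare_versions(version, ver))
  end
end

# A union such as ">=1.0.0 <2.0.0 || >=3.0.0" is satisfied by any one branch.
# This mirrors the behaviour the version_sat? expectations describe.
def version_in_range?(version, range)
  range.split("||").any? { |conj| satisfies_all?(version, conj) }
end
```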

Impact

Version comparison implemented in SemverDialects is used in the backend (Continuous Vulnerability Scanning and License Scanning) but not in ingestion tools maintained by group vulnerability research; these tools only use SemverDialects to translate version ranges, to make them compatible with Gemnasium and the GitLab Advisory DB.

Proposal

Enable all the specs for version_sat? added in Add expectations to semver_dialects based on di... (#438860 - closed), and update the gem so that these specs pass. Right now these specs are marked as pending and are skipped.

We're likely to change the SemanticVersion class, since this is where version parsing and version comparison (segments included) are implemented.

Implementation plan

Make expectations for version_sat? pass for all package types.

  • gem
  • go
  • maven
  • npm
  • nuget
  • packagist
  • pypi
Edited by Fabien Catteau