Add version matching edge cases to the semver_dialects gem
Problem to solve
For continuous scanning of dependencies to have parity with the gemnasium analyzer, the functionality that matches advisories to dependencies has to be equivalent.
For several package managers the gemnasium analyzer delegates version matching to the package managers themselves by spawning a subprocess. That is not currently possible in GitLab's Rails architecture. Instead, the semver_dialects gem provides most of what's needed to do this matching and can be used, barring some edge cases.
In Assess accuracy of semver_dialects using gemnas... (#369238 - closed) we discovered where the gem's behavior is not the same as that of gemnasium (see results).
Also, in https://gitlab.com/gitlab-org/vulnerability-research/foss/semver_dialects/-/merge_requests/6/diffs#note_1382682793 we've discovered a bug in version matching.
In Add expectations to semver_dialects based on di... (#438860 - closed) we added expectations for the version_sat? method, and marked these as pending specs.
Right now these specs fail.
See the overview shared in the issue:
- The leading v should be ignored but it's not.
- Prereleases aren't properly compared to final releases and other prereleases.
- Unions (AKA disjunctions) of ranges aren't processed correctly.
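The three edge cases above, shown in a small stand-alone comparator written as an added example for this issue (it is not code from the semver_dialects gem, and its constraint syntax of comma-separated comparators joined by "||" is an assumption rather than any package manager's real range grammar). It strips a leading v, orders prereleases before the final release of the same core version using SemVer 2.0 precedence rules, and evaluates unions of ranges:

```ruby
# Added example, not part of the semver_dialects gem. Demonstrates:
#   1. a leading "v" is ignored when parsing ("v1.2.3" == "1.2.3"),
#   2. prereleases sort before the final release and against each other
#      per SemVer 2.0 precedence (numeric ids compare numerically, numeric
#      sorts before alphanumeric, a shorter identifier list sorts first),
#   3. unions ("||") of comma-separated constraint clauses.
Version = Struct.new(:nums, :pre) do
  include Comparable

  # Parse "v1.2.3-rc.1+build": drop the leading v and build metadata,
  # then split the numeric core from the prerelease identifiers.
  def self.parse(str)
    s = str.strip.sub(/\Av/i, "").split("+", 2).first
    core, pre = s.split("-", 2)
    nums = core.split(".").map { |x| Integer(x, 10) }
    new(nums, pre ? pre.split(".") : [])
  end

  def <=>(other)
    # Numeric segments; a missing trailing segment counts as 0 (1.2 == 1.2.0).
    [nums.size, other.nums.size].max.times do |i|
      c = (nums[i] || 0) <=> (other.nums[i] || 0)
      return c unless c.zero?
    end
    # A prerelease has lower precedence than the final release.
    return 0 if pre.empty? && other.pre.empty?
    return 1 if pre.empty?
    return -1 if other.pre.empty?
    pre.zip(other.pre).each do |a, b|
      return 1 if b.nil? # self has more identifiers, so it sorts later
      c = compare_identifier(a, b)
      return c unless c.zero?
    end
    pre.size <=> other.pre.size
  end

  private

  def compare_identifier(a, b)
    a_num = a.match?(/\A\d+\z/)
    b_num = b.match?(/\A\d+\z/)
    return a.to_i <=> b.to_i if a_num && b_num
    return -1 if a_num # numeric identifiers sort before alphanumeric ones
    return 1 if b_num
    a <=> b
  end
end

# Returns true when `version` satisfies `range`. Clauses joined by "||" form a
# union; inside a clause, comma-separated comparators must all hold.
# Constraint syntax is an assumption of this example, not any real dialect.
def version_satisfies?(version, range)
  v = Version.parse(version)
  range.split("||").any? do |clause|
    clause.split(",").all? do |c|
      op, ver = c.strip.match(/\A(>=|<=|>|<|=)?\s*(.+)\z/).captures
      bound = Version.parse(ver)
      case op
      when ">=" then v >= bound
      when "<=" then v <= bound
      when ">"  then v > bound
      when "<"  then v < bound
      else v == bound
      end
    end
  end
end

if $PROGRAM_NAME == __FILE__
  puts Version.parse("v1.2.3") == Version.parse("1.2.3")          # leading v
  puts Version.parse("1.0.0-rc.1") < Version.parse("1.0.0")       # pre < final
  puts version_satisfies?("3.1.0", "<2.0.0 || >=3.0.0")           # union
end
```

Note that this comparator applies plain SemVer precedence, so a prerelease such as 2.0.0-rc.1 does satisfy "<2.0.0"; some package managers (npm, for one) add a further rule that prerelease versions only match ranges that themselves name a prerelease of the same core version. Whatever rule the gem settles on, the specs should pin it down explicitly, because an advisory range like "<2.0.0" silently including or excluding release candidates changes which vulnerable dependencies get reported.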
Impact
Version comparison implemented in SemverDialects is used in the backend (Continuous Vulnerability Scanning and License Scanning) but not in the ingestion tools maintained by the vulnerability research group; these tools only use SemverDialects to translate version ranges, to make them compatible with Gemnasium and the GitLab Advisory DB.
Proposal
Enable all the specs for version_sat? added in Add expectations to semver_dialects based on di... (#438860 - closed), and update the gem so that these specs pass.
Right now these specs are marked as pending and they're skipped.
We're likely to change the SemanticVersion class, since this is where version parsing and version comparison (segments included) is implemented.
Implementation plan
Make expectations for version_sat? pass for all package types:
- gem
- go
- maven
- npm
- nuget
- packagist
- pypi