
Update semver_dialects gem to support rpm operating system package versions

Proposal

In order to fully support Continuous Vulnerability Scans for Container Scanning advisories, we need to be able to compare the package versions for the following operating system purl types: deb, apk, rpm. Support for these purl types will be implemented by the following issues:

  1. Update semver_dialects gem to support deb opera... (#427961 - closed) • Nick Ilieskou • 16.6 • On track
  2. Update semver_dialects gem to support apk opera... (#428703 - closed) • Shao Ming Tan • 17.2 • On track
  3. Update semver_dialects gem to support rpm opera... (#428941 - closed) • Shao Ming Tan • 17.2 • On track (this issue)

The purpose of this issue is to add initial support for comparing package versions for the rpm purl type to the semver_dialects gem.

Implementation Plan

As it's no longer viable to reuse the Maven logic, here's the updated implementation plan:

  1. Create a new class RpmVersion that inherits from Version.
  2. Implement the VersionParser.parse method to parse raw version strings using logic in go-rpm-version.
  3. Override the <=> method using logic in go-rpm-version.
  4. Override the to_s method using logic in go-rpm-version.
  5. Port over tests from go-rpm-version and ensure they are passing
  6. Port over rpm test cases
  7. Test if deb_version passes the rpm test cases and go-rpm-version test cases to
  8. Tested that the deb_version library does not parse rpm versions.
  9. Extracted rpmvercmp into its own command to aid with testing.
  10. Update Add rpm support (gitlab-org/ruby/gems/semver_dialects!69 - merged) to reference the rpm implementation instead.
    • Found a discrepancy with the rpm implementation, which ignores the dot character. As a result, the to_s method is unable to recreate the version string after parsing.
    • Decided to defer caret support as too complicated and not widely used.
    • MR review
  11. Update the os_pkg_version_sat? method so that it handles the rpm PURL type using the version comparison.
  12. Once semver_dialects is released with version containing rpm support, create MR in rails monolith to add rpm to supported CS purl types and bump semver_dialects version.
  13. Update documentation to note support for rpm.

NOTE: Support for Red Hat advisory comparisons is out of scope and tracked in Add support for Red Hat advisory scans (#443720)
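The comparison the plan above ports from go-rpm-version, shown as an added Ruby example. This is not the semver_dialects gem's code nor go-rpm-version itself; it follows the segment rules of rpm's rpmvercmp (numeric runs compare by value, alphabetic runs lexically, separators are ignored, a numeric segment is newer than an alphabetic one, and '~' sorts before anything, including the end of the string). The class name RpmVersionExample, the zero default epoch and the to_s layout are assumptions made for this example, and caret ('^') handling is left out to match the deferral noted in the plan.

```ruby
# Added example (not the semver_dialects gem's code): an rpmvercmp-style
# comparison of "[epoch:]version[-release]" strings. Caret support is
# intentionally omitted. Names and defaults here are assumptions.
class RpmVersionExample
  include Comparable

  attr_reader :epoch, :version, :release

  def initialize(epoch, version, release)
    @epoch = epoch
    @version = version
    @release = release
  end

  # Parses "[epoch:]version[-release]". A missing epoch is treated as 0
  # (assumption for this example).
  def self.parse(str)
    raise ArgumentError, 'empty version string' if str.nil? || str.empty?

    epoch = 0
    rest = str
    if (colon = rest.index(':'))
      epoch_str = rest[0...colon]
      raise ArgumentError, "bad epoch in #{str.inspect}" unless epoch_str.match?(/\A\d+\z/)

      epoch = epoch_str.to_i
      rest = rest[(colon + 1)..]
    end
    version, release = rest.split('-', 2)
    raise ArgumentError, "empty version in #{str.inspect}" if version.nil? || version.empty?

    new(epoch, version, release || '')
  end

  # Epoch first, then version, then release, each string via rpmvercmp.
  def <=>(other)
    return nil unless other.is_a?(RpmVersionExample)

    c = epoch <=> other.epoch
    c = self.class.rpmvercmp(version, other.version) if c.zero?
    c = self.class.rpmvercmp(release, other.release) if c.zero?
    c
  end

  # The raw strings are kept, so to_s is lossless even though rpmvercmp
  # itself ignores separators and "1.0.1" compares equal to "1_0_1".
  def to_s
    s = epoch.zero? ? version : "#{epoch}:#{version}"
    release.empty? ? s : "#{s}-#{release}"
  end

  # Returns -1, 0 or 1 for the version (or release) strings a and b.
  def self.rpmvercmp(a, b)
    return 0 if a == b

    i = 0
    j = 0
    while i < a.size || j < b.size
      # Skip separators: anything that is neither alphanumeric nor '~'.
      i += 1 while i < a.size && !a[i].match?(/[A-Za-z0-9~]/)
      j += 1 while j < b.size && !b[j].match?(/[A-Za-z0-9~]/)
      # Tilde marks a pre-release and sorts before everything, even end of string.
      if a[i] == '~' || b[j] == '~'
        return 1 if a[i] != '~'
        return -1 if b[j] != '~'

        i += 1
        j += 1
        next
      end
      break if i >= a.size || j >= b.size

      # Take the next run of the kind a starts with; b must supply the same kind.
      if a[i].match?(/\d/)
        seg_a = a[i..].match(/\A\d+/)[0]
        seg_b = b[j..].match(/\A\d*/)[0]
        numeric = true
      else
        seg_a = a[i..].match(/\A[A-Za-z]+/)[0]
        seg_b = b[j..].match(/\A[A-Za-z]*/)[0]
        numeric = false
      end
      # Kinds differ: a numeric segment is considered newer than an alphabetic one.
      if seg_b.empty?
        return numeric ? 1 : -1
      end
      i += seg_a.size
      j += seg_b.size
      if numeric
        # Compare numerically: drop leading zeros, then longer run is larger.
        seg_a = seg_a.sub(/\A0+/, '')
        seg_b = seg_b.sub(/\A0+/, '')
        return 1 if seg_a.size > seg_b.size
        return -1 if seg_a.size < seg_b.size
      end
      c = seg_a <=> seg_b
      return c unless c.zero?
    end
    return 0 if i >= a.size && j >= b.size

    # Whichever string still has segments left is the newer one.
    i >= a.size ? -1 : 1
  end
end

if __FILE__ == $PROGRAM_NAME
  [%w[1.0~rc1 1.0], %w[1:1.0-1 2.0-5], %w[1.0-1.el8 1.0-1.el9]].each do |x, y|
    puts "#{x} <=> #{y} = #{RpmVersionExample.parse(x) <=> RpmVersionExample.parse(y)}"
  end
end
```

Because rpmvercmp discards separators, a to_s built from the parsed segments cannot reproduce the input, which is the discrepancy the plan records; keeping the raw epoch, version and release strings alongside the comparison avoids that while still giving the rpm ordering through Comparable.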

/cc @gonzoyumo @fcatteau @johncrowley

Edited by Shao Ming Tan