SemverDialects hangs when parsing invalid version range starting with "<- "

Summary

As part of investigating a customer problem, we've identified an advisory from Trivy-DB with an unsupported value for the affected range.

For instance, the affected_range value for several PackageMetadata::AffectedPackage records related to the CVE-2022-28391 advisory is invalid, as it uses a syntax like <- ALPINE-13661.

It appears that the combination of a dash followed by a space character is what trips up SemverDialects version parsing.

Steps to reproduce

From a GitLab Rails console:

SemverDialects.parse_version('apk', '- ALPINE-13661')

Note that the leading < is removed from the value in this method call, as it's considered an operator for the range. This matches how we use the library in the GitLab codebase: https://gitlab.com/gitlab-org/gitlab/-/blob/f85c0396a2005aee0d565edd27036aae44d12f34/ee/lib/gitlab/vulnerability_scanning/container_scanning/affected_version_range_matcher.rb#L170-171


What is the current bug behavior?

The SemverDialects.parse_version() method hangs and never returns.

What is the expected correct behavior?

SemverDialects.parse_version() should return immediately and raise SemverDialects::InvalidVersionError.

Implementation plan

  • semver_dialects: Fix the token parser so that it has an else branch for characters it does not recognize while parsing the revision: https://gitlab.com/gitlab-org/ruby/gems/semver_dialects/-/blob/master/lib/semver_dialects/apk.rb?ref_type=heads#L227
    • The case statement needs an else clause covering every character that no explicit branch matches, so that parsing fails fast with SemverDialects::InvalidVersionError instead of hanging.
  • monolith: Bump the version of the semver_dialects gem.
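The following is an added illustration of the failure mode and of the fix described above; it is not the semver_dialects gem's own code. It uses a deliberately simplified, hypothetical tokenizer for Alpine apk version strings (digits, dots, a letter suffix, _suffix tokens and a -rN revision). With strict: false the scanner's case statement has no effective else branch, so an unrecognized character such as the "-" followed by a space in "- ALPINE-13661" never advances the position and the loop spins forever; with strict: true the else branch raises, which is the behaviour the implementation plan asks for. The ApkVersionDemo module name, the tokenize and hangs? helpers and the 0.2 second deadline are all assumptions made for this example.

```ruby
require 'timeout'

# Added example, not the gem's code: a simplified apk version tokenizer that
# shows how a scanner loop with no fallback branch hangs on unexpected input,
# and how an `else` that raises fixes it. Module and method names are invented.
module ApkVersionDemo
  class InvalidVersionError < StandardError; end

  # Tokenizes an apk-style version such as "1.2.3_rc1-r2".
  # strict: false reproduces the bug: an unmatched character leaves `pos`
  # unchanged and the `while` loop never terminates.
  # strict: true applies the fix: an unmatched character raises immediately.
  def self.tokenize(version, strict:)
    tokens = []
    pos = 0
    while pos < version.length
      rest = version[pos..]
      case
      when (m = rest.match(/\A\d+/))
        tokens << [:number, m[0].to_i]
        pos += m[0].length
      when (m = rest.match(/\A[a-z]/))
        tokens << [:letter, m[0]]
        pos += 1
      when (m = rest.match(/\A_[a-z]+\d*/))
        tokens << [:suffix, m[0]]
        pos += m[0].length
      when (m = rest.match(/\A-r\d+/))
        tokens << [:revision, m[0][2..].to_i]
        pos += m[0].length
      when rest.start_with?('.')
        tokens << [:dot]
        pos += 1
      else
        # The fix: fail loudly on anything the grammar does not cover.
        # Without this (strict: false) nothing advances `pos`, so the loop
        # re-examines the same character forever.
        if strict
          raise InvalidVersionError,
                "unexpected #{rest[0].inspect} at offset #{pos} in #{version.inspect}"
        end
      end
    end
    tokens
  end

  # Runs the buggy (strict: false) tokenizer under a deadline and reports
  # whether it failed to finish, i.e. whether the input would hang the parser.
  def self.hangs?(version, seconds: 0.2)
    Timeout.timeout(seconds) { tokenize(version, strict: false) }
    false
  rescue Timeout::Error
    true
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a well-formed apk version and the value from the issue.
  p ApkVersionDemo.tokenize('1.2.3_rc1-r2', strict: true)
  p ApkVersionDemo.hangs?('- ALPINE-13661')
  begin
    ApkVersionDemo.tokenize('- ALPINE-13661', strict: true)
  rescue ApkVersionDemo::InvalidVersionError => e
    puts e.message
  end
end
```

The check to keep in mind when reviewing the real fix is the same one this toy makes visible: every branch of the scanner must either consume input or raise, because a branch (or a missing else) that does neither turns malformed advisory data into a denial of service for whatever calls parse_version.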
Edited Oct 25, 2024 by Igor Frenkel