From 4f98752f4e1ab263f0376e3a4e47b8f7835302b6 Mon Sep 17 00:00:00 2001 From: Philip Cunningham <pcunningham@gitlab.com> Date: Wed, 8 May 2024 08:09:30 +0000 Subject: [PATCH] Revert "Merge branch 'upgrade-to-semver_dialects-3.0.0' into 'master'" This reverts merge request !151761 --- Gemfile | 2 +- Gemfile.checksum | 2 +- Gemfile.lock | 4 +- app/models/concerns/enums/sbom.rb | 4 +- ee/app/models/package_metadata/package.rb | 18 +--- .../affected_version_range_matcher.rb | 2 +- .../affected_version_range_matcher.rb | 2 +- .../advisory_scanner_spec.rb | 2 +- .../affected_version_range_matcher_spec.rb | 6 +- .../affected_version_range_matcher_spec.rb | 93 ++++--------------- .../models/package_metadata/package_spec.rb | 31 ------- 11 files changed, 32 insertions(+), 134 deletions(-) diff --git a/Gemfile b/Gemfile index 05bffb2379b2f4..dbcfa48c55d8dd 100644 --- a/Gemfile +++ b/Gemfile @@ -274,7 +274,7 @@ gem 're2', '2.7.0' # rubocop:todo Gemfile/MissingFeatureCategory # Misc -gem 'semver_dialects', '~> 3.0', feature_category: :software_composition_analysis +gem 'semver_dialects', '~> 2.0', '>= 2.0.2', feature_category: :static_application_security_testing gem 'version_sorter', '~> 2.3' # rubocop:todo Gemfile/MissingFeatureCategory gem 'csv_builder', path: 'gems/csv_builder' # rubocop:todo Gemfile/MissingFeatureCategory diff --git a/Gemfile.checksum b/Gemfile.checksum index 8274f9563da689..ebaa132507a814 100644 --- a/Gemfile.checksum +++ b/Gemfile.checksum 
@@ -620,7 +620,7 @@
 {"name":"sd_notify","version":"0.1.1","platform":"ruby","checksum":"cbc7ac6caa7cedd26b30a72b5eeb6f36050dc0752df263452ea24fb5a4ad3131"},
 {"name":"seed-fu","version":"2.3.7","platform":"ruby","checksum":"f19673443e9af799b730e3d4eca6a89b39e5a36825015dffd00d02ea3365cf74"},
 {"name":"selenium-webdriver","version":"4.19.0","platform":"ruby","checksum":"4c8bd1d6016a456154b4ba71a3bb4d532a0ae185a38acf9cec0acbd38b4e5066"},
-{"name":"semver_dialects","version":"3.0.0","platform":"ruby","checksum":"daab2476c2a5d779e1c97ae9b92e59803757e679453692402dfbe364c3cf7b3e"},
+{"name":"semver_dialects","version":"2.0.2","platform":"ruby","checksum":"60059c9f416f931b5212d862fad2879d6b9affb8e0b9afb0d91b793639c116fe"},
 {"name":"sentry-rails","version":"5.17.3","platform":"ruby","checksum":"017771c42d739c0ad2213a581ca9d005cf543227bc13662cd1ca9909f2429459"},
 {"name":"sentry-ruby","version":"5.17.3","platform":"ruby","checksum":"61791a4b0bb0f95cd87aceeaa1efa6d4ab34d64236c9d5df820478adfe2fbbfc"},
 {"name":"sentry-sidekiq","version":"5.17.3","platform":"ruby","checksum":"d0714a218999e41e38127d0c174e0ee62a32b069f92e85b544e0c2125eca2c58"},
diff --git a/Gemfile.lock b/Gemfile.lock
index ffd36555223e79..e8cc216b98dc91 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1652,7 +1652,7 @@ GEM
 rexml (~> 3.2, >= 3.2.5)
 rubyzip (>= 1.2.2, < 3.0)
 websocket (~> 1.0)
- semver_dialects (3.0.0)
+ semver_dialects (2.0.2)
 deb_version (~> 1.0.1)
 pastel (~> 0.8.0)
 thor (~> 1.3)
@@ -2209,7 +2209,7 @@ DEPENDENCIES
 sd_notify (~> 0.1.0)
 seed-fu (~> 2.3.7)
 selenium-webdriver (~> 4.19)
- semver_dialects (~> 3.0)
+ semver_dialects (~> 2.0, >= 2.0.2)
 sentry-rails (~> 5.17.3)
 sentry-ruby (~> 5.17.3)
 sentry-sidekiq (~> 5.17.3)
diff --git a/app/models/concerns/enums/sbom.rb b/app/models/concerns/enums/sbom.rb
index 3f573004a71d87..9ca24e61a61a09 100644
--- a/app/models/concerns/enums/sbom.rb
+++ b/app/models/concerns/enums/sbom.rb
@@ -7,10 +7,10 @@ class Sbom }.with_indifferent_access.freeze PURL_TYPES = { - composer: 1, # refered to as `packagist` in gemnasium-db and semver_dialects + composer: 1, # refered to as `packagist` in gemnasium-db conan: 2, gem: 3, - golang: 4, # refered to as `go` in gemnasium-db and semver_dialects + golang: 4, # refered to as `go` in gemnasium-db maven: 5, npm: 6, nuget: 7, diff --git a/ee/app/models/package_metadata/package.rb b/ee/app/models/package_metadata/package.rb index 086929185a8ac2..806b166a47a662 100644 --- a/ee/app/models/package_metadata/package.rb +++ b/ee/app/models/package_metadata/package.rb @@ -87,23 +87,13 @@ def default_license_ids(version:) end def version_in_default_licenses_range?(input_version) - type = - case purl_type - when 'golang' - 'go' - when 'composer' - 'packagist' - else - purl_type - end - # Remove 'v' from version string(if present) before comparison. - interval = SemverDialects::IntervalParser.parse(type, "=#{input_version.delete_prefix('v')}") + interval = VersionParser.parse("=#{input_version.delete_prefix('v')}") - range = SemverDialects::IntervalSet.new - range.add(SemverDialects::IntervalParser.parse(type, "<#{lowest_version.delete_prefix('v')}")) if lowest_version + range = VersionRange.new + range.add(VersionParser.parse("<#{lowest_version.delete_prefix('v')}")) if lowest_version - range.add(SemverDialects::IntervalParser.parse(type, ">#{highest_version.delete_prefix('v')}")) if highest_version + range.add(VersionParser.parse(">#{highest_version.delete_prefix('v')}")) if highest_version !range.overlaps_with?(interval) rescue SemverDialects::InvalidConstraintError => err diff --git a/ee/lib/gitlab/vulnerability_scanning/container_scanning/affected_version_range_matcher.rb b/ee/lib/gitlab/vulnerability_scanning/container_scanning/affected_version_range_matcher.rb index 232c241c9a39d4..db4d21c7e10631 100644 --- a/ee/lib/gitlab/vulnerability_scanning/container_scanning/affected_version_range_matcher.rb 
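Review bot: The reverted `version_in_default_licenses_range?` parses `=#{input_version}`, `<#{lowest_version}` and `>#{highest_version}` with the dialect-agnostic `VersionParser.parse`/`VersionRange` and no longer maps `purl_type` to a dialect, so versions that are only valid under an ecosystem grammar (the `maven`, `pypi`, `nuget` and `conan` rows the package_spec hunk deletes, such as `2.6a1` and `1.11-dev1`) are presumably no longer compared correctly; whether they raise or are silently mis-ordered depends on VersionParser, which is outside this hunk. Only `SemverDialects::InvalidConstraintError` is rescued on the hunk's last line, so if `VersionParser.parse` can raise `SemverDialects::InvalidVersionError` (the class the advisory_scanner_spec hunk in this commit expects from the same gem), that exception would escape `license_ids_for` — worth confirming against the 2.0.2 API. I would add a comment above the `interval =` line: `# NOTE: dialect-agnostic parse; non-semver ecosystems (maven, pypi, nuget, conan) may be mis-compared until a purl_type-aware parser is reinstated`. The rescue body and the remainder of the method lie outside the hunk.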
+++ b/ee/lib/gitlab/vulnerability_scanning/container_scanning/affected_version_range_matcher.rb
@@ -20,7 +20,7 @@ def affected?
 # a wildcard range means that all versions are affected
 return true if range == '*'
- SemverDialects.version_satisfies?(purl_type, version, range)
+ SemverDialects::VersionChecker.version_sat?(purl_type, version, range)
 end
 private
diff --git a/ee/lib/gitlab/vulnerability_scanning/dependency_scanning/affected_version_range_matcher.rb b/ee/lib/gitlab/vulnerability_scanning/dependency_scanning/affected_version_range_matcher.rb
index bf43808eee8223..5aa548a37a4680 100644
--- a/ee/lib/gitlab/vulnerability_scanning/dependency_scanning/affected_version_range_matcher.rb
+++ b/ee/lib/gitlab/vulnerability_scanning/dependency_scanning/affected_version_range_matcher.rb
@@ -23,7 +23,7 @@ def affected?
 purl_type
 end
- SemverDialects.version_satisfies?(type, version, range)
+ SemverDialects::VersionChecker.version_sat?(type, version, range)
 end
 end
 end
diff --git a/ee/spec/lib/gitlab/vulnerability_scanning/advisory_scanner_spec.rb b/ee/spec/lib/gitlab/vulnerability_scanning/advisory_scanner_spec.rb
index 5a40d2be309777..f0cf42ad4e7078 100644
--- a/ee/spec/lib/gitlab/vulnerability_scanning/advisory_scanner_spec.rb
+++ b/ee/spec/lib/gitlab/vulnerability_scanning/advisory_scanner_spec.rb
@@ -121,7 +121,7 @@
 advisory = affected_package.advisory
 pipeline = affected_pipeline
 expect(Gitlab::ErrorTracking).to have_received(:track_exception)
- .with(a_kind_of(::SemverDialects::InvalidVersionError),
+ .with(an_instance_of(::SemverDialects::InvalidVersionError),
 message: 'Cannot determine if component is affected',
 purl_type: 'npm',
 version: 'invalid-version',
diff --git a/ee/spec/lib/gitlab/vulnerability_scanning/container_scanning/affected_version_range_matcher_spec.rb b/ee/spec/lib/gitlab/vulnerability_scanning/container_scanning/affected_version_range_matcher_spec.rb
index e7977df3a7c628..ddf4ab7d55951e 100644
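Review bot: `version_sat?` in the dependency-scanning matcher is called with the aliased `type` (the `case purl_type … else purl_type end` whose head lies above the hunk), while the sibling container-scanning hunk passes `purl_type` straight through, and the sbom.rb hunk in this commit drops "and semver_dialects" from the `composer`/`golang` alias comments — so after the revert this method is the only place recording that the gem is fed aliased names. If the mapping is the same `golang`→`go`, `composer`→`packagist` one this commit removes from package.rb, a comment on the call would keep that discoverable: `# purl_type is aliased above (golang→go, composer→packagist); semver_dialects 2.x expects the gemnasium-db dialect names`. It also appears from advisory_scanner_spec that `InvalidVersionError` raised here is reported by the caller rather than handled in this method, which is worth stating in the same comment if confirmed. `affected?` starts outside the hunk.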
--- a/ee/spec/lib/gitlab/vulnerability_scanning/container_scanning/affected_version_range_matcher_spec.rb +++ b/ee/spec/lib/gitlab/vulnerability_scanning/container_scanning/affected_version_range_matcher_spec.rb @@ -7,7 +7,7 @@ describe 'affected?' do before do - allow(SemverDialects).to receive(:version_satisfies?).and_return true + allow(SemverDialects::VersionChecker).to receive(:version_sat?).and_return true end let_it_be(:purl_type) { 'deb' } @@ -70,8 +70,8 @@ end end - it 'calls SemverDialects.version_satisfies? with the expected arguments' do - expect(SemverDialects).to receive(:version_satisfies?).with(purl_type, version, range) + it 'calls SemverDialects::VersionChecker.version_sat? with the expected arguments' do + expect(SemverDialects::VersionChecker).to receive(:version_sat?).with(purl_type, version, range) affected end diff --git a/ee/spec/lib/gitlab/vulnerability_scanning/dependency_scanning/affected_version_range_matcher_spec.rb b/ee/spec/lib/gitlab/vulnerability_scanning/dependency_scanning/affected_version_range_matcher_spec.rb index 46df3f9a63a525..139726bb761281 100644 --- a/ee/spec/lib/gitlab/vulnerability_scanning/dependency_scanning/affected_version_range_matcher_spec.rb +++ b/ee/spec/lib/gitlab/vulnerability_scanning/dependency_scanning/affected_version_range_matcher_spec.rb 
@@ -5,87 +5,26 @@ RSpec.describe Gitlab::VulnerabilityScanning::DependencyScanning::AffectedVersionRangeMatcher, feature_category: :vulnerability_management do using RSpec::Parameterized::TableSyntax - subject(:affected) do - described_class.new( - purl_type: purl_type, range: range, version: version - ).affected? + where(:purl_type, :range, :version, :expected_result) do + 'maven' | '[,2.5]' | '1.2' | true + 'pypi' | '<=1.11.0' | '1.11' | true + 'composer' | '<=2.2.1' | '2.2.0' | true + 'golang' | '<=1.11.0' | '1.11' | true + 'maven' | '[,2.5]' | '4.3' | false + 'pypi' | '<=1.11.0' | '2.13' | false + 'composer' | '<=2.2.1' | '2.4.0' | false + 'golang' | '<=1.11.0' | '2.11' | false end - context 'when version is in range' do - where(:purl_type, :range, :version) do - 'composer' | '<=2.2.1' | '2.2.1' - 'conan' | '<=2.2.1' | '2.2.1' - 'gem' | '<=2.2.1.pre' | '2.2.1.pre' - 'golang' | '<=2.2.1' | '2.2.1' - 'maven' | '[,2.5]' | '2.5' - 'npm' | '<=2.2.1' | '2.2.1' - 'nuget' | '[,1.2.3.0]' | '1.2.3.0' - 'pypi' | '<=1.11.0' | '1.11' + with_them do + subject(:affected) do + described_class.new( + purl_type: purl_type, range: range, version: version + ).affected? end - with_them do - specify do - expect(affected).to be_truthy - end - end - end - - context 'when version is not in range' do - where(:purl_type, :range, :version) do - 'composer' | '<=2.2.1' | '2.2.2' - 'conan' | '<=2.2.1' | '2.2.2' - 'gem' | '<=2.2.1.pre' | '2.2.1' - 'golang' | '<=2.2.1' | '2.2.2' - 'maven' | '[,2.5]' | '2.6' - 'npm' | '<=2.2.1' | '2.2.2' - 'nuget' | '[,1.2.3.0]' | '1.2.3.1' - 'pypi' | '<=1.11.0' | '1.11.1' - end - - with_them do - specify do - expect(affected).to be_falsey - end - end - end - - context 'when version is invalid' do - where(:purl_type, :range, :version) do - 'composer' | '<1.0.0' | 'dev-master' - 'conan' | '[,1.0.0]' | 'x' - 'gem' | '<1.0.0' | '1.2.3.*' - 'golang' | '<1.0.0' | '1.2.3x' - 'maven' | '[,1.0.0]' | '?' 
- 'npm' | '<1.0.0' | '1.2.3x' - 'nuget' | '<1.0.0' | '1.2.3x' - 'pypi' | '<1.0.0' | 'x' - end - - with_them do - specify do - expect { affected }.to raise_error(SemverDialects::InvalidVersionError) - end - end - end - - context 'when range is invalid' do - let(:version) { '1.2.3' } - - where(:purl_type, :range) do - 'composer' | '<dev-master' - 'conan' | '-' - 'gem' | '<1.2.3.*' - 'golang' | '<1.2.3x' - 'maven' | '-' - 'npm' | '<1.2.3x' - 'nuget' | '<1.2.3x' - 'pypi' | '[,1.0.0]' - end - - with_them do - specify do - expect { affected }.to raise_error(SemverDialects::InvalidConstraintError) - end + specify do + expect(affected).to eq(expected_result) end end end diff --git a/ee/spec/models/package_metadata/package_spec.rb b/ee/spec/models/package_metadata/package_spec.rb index d62621fe64634b..8bfeaace484e81 100644 --- a/ee/spec/models/package_metadata/package_spec.rb +++ b/ee/spec/models/package_metadata/package_spec.rb @@ -54,37 +54,6 @@ end end - context 'and the PURL type is supported' do - context 'and the input version matches the default licenses' do - let(:license_ids) { package.license_ids_for(version: input_version) } - - where(:purl_type, :input_version) do - 'composer' | '2.2.2' - 'conan' | '2.2.2' - 'gem' | '2.2.1.rc.1' - 'golang' | '2.2.2-alpha1' - 'maven' | '2.6a1' - 'npm' | '2.2.2-alpha1' - 'nuget' | '2.2.2-alpha1' - 'pypi' | '1.11-dev1' - end - - with_them do - let(:package) do - build_stubbed(:pm_package, name: "cliui", purl_type: purl_type, - licenses: [default, lowest, highest, other]) - end - - let(:lowest) { '0.0.0' } - let(:highest) { input_version } - - subject(:license_ids) { package.license_ids_for(version: input_version) } - - specify { expect(license_ids).to eq(default) } - end - end - end - context 'and the given version causes semver_dialects to raise an exception while parsing' do let(:package) do build_stubbed(:pm_package, name: "cliui", purl_type: "npm", licenses: [default, lowest, highest, other]) -- GitLab
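Review bot: The restored table tests no boundary values — `'maven' | '[,2.5]'` is probed with `1.2` and `4.3` but never `2.5`, and `'composer' | '<=2.2.1'` with `2.2.0` and `2.4.0` but never `2.2.1` — so an inclusive/exclusive mix-up in the matcher would pass, and `conan`, `gem`, `npm` and `nuget` lose all matcher-level coverage. The deleted `raise_error(SemverDialects::InvalidVersionError)` and `InvalidConstraintError` contexts were the only spec pinning the exception types that advisory_scanner_spec (same commit) expects `AdvisoryScanner` to report, so that contract is now unverified at the matcher level. If 2.0.2 still handles them, rows such as `'maven' | '[,2.5]' | '2.5' | true`, `'composer' | '<=2.2.1' | '2.2.1' | true` and `'npm' | '<=2.2.1' | '2.2.2' | false` would restore the boundaries cheaply, and a single `expect { affected }.to raise_error(SemverDialects::InvalidVersionError)` example for `'npm' | '<1.0.0' | 'invalid-version'` (the input the scanner spec uses) would pin the error path; I cannot tell from the hunk which of the deleted rows 2.0.2 actually fails on, so add back only those that pass.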