Raise version parsing error (!46) · Merge requests · GitLab.org / ruby / gems / semver_dialects · GitLab

Fabien Catteau requested to merge version-parsing-error into master Feb 22, 2024

What does this MR do?

Add version validation to SemanticVersion.new.

Raise InvalidVersionError if the string doesn't match the regexp.
Add validation to VersionParser.parse.

Raise InvalidConstraintError if the string doesn't match the regexp.
Add package type validation to SemverDialects.translate_version.

Raise UnsupportedPackageTypeError if package type isn't known.

These errors are propagated by SemverDialects.version_sat?.

It raises InvalidVersionError if the supplied version is invalid.
It raises InvalidConstraintError is invalid. In particular, this error is raised if the constraint contains invalid versions.

GitLab's Continuous Vulnerability Scanning can leverage these new errors to recover or fail during scans.

InvalidVersionError is specific to the dependency being scanned. It's recovered and the scan moves on to the next dependency.
InvalidConstraintError is triggered by the security advisory itself. It is NOT recovered.

What are the relevant issue numbers?

Version parsing errors not recovered during adv... (gitlab-org/gitlab#435452 - closed)

Does this MR meet the acceptance criteria?

Changelog entry added
Documentation created/updated for this project, if necessary
Tests added for this feature/bug
Conforms to the code review guidelines
Security reports checked/validated by reviewer

Edited Mar 13, 2024 by Fabien Catteau