Generic Semantic Version matching
https://semver.org/ publishes the Semantic Versioning Specification, a standardized versioning scheme (syntax + semantics). Unfortunately, many languages and package registries do not fully comply with this specification and instead use their own semver flavour/dialect.
However, in the context of advisory generation (for dependency scanning), we have to be able to understand versions from various data sources and translate them into the dialect used by the respective package registry (PR)/language. For example, if NVD reports an advisory related to a Python package available on PyPI, we have to understand the version (ranges) reported by NVD and translate them into the semver dialect used by PyPI. Being able to understand different semantic version dialects helps us to automatically infer non-affected version ranges and generate consistent textual descriptions for the version ranges that we use in our advisory generation process.
In this brown-bag, we would like to give a short introduction to semantic versioning, provide an overview of the different semantic version dialects, and showcase our generic semver gem, semver_dialects, which helps to process semantic versions in a language/PR-agnostic manner.
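The translation step described above, as an added example written for this page (it is not the semver_dialects gem, whose API is not shown here): it maps versions written in the semver.org dialect ("1.2.0-rc.1") and the PyPI/PEP 440 dialect ("1.2.0rc1") to one comparable key, rewrites an NVD-style range in a target dialect, and derives the complementary non-affected range. It assumes pre-release labels are limited to alpha/beta/rc and that ranges are comma-separated >=, >, <, <= bounds.

```ruby
# Constructed example, not the semver_dialects gem: a minimal dialect-agnostic version key.
PRE_RANK  = { "a" => 0, "alpha" => 0, "b" => 1, "beta" => 1, "c" => 2, "rc" => 2 }.freeze
PRE_NAMES = { 0 => %w[alpha a], 1 => %w[beta b], 2 => %w[rc rc] }.freeze # [semver, pypi]
FLIP = { ">=" => "<", ">" => "<=", "<" => ">=", "<=" => ">" }.freeze
OPS  = { ">=" => [0, 1], ">" => [1], "<" => [-1], "<=" => [-1, 0] }.freeze

# "1.2.0-rc.1" (semver.org), "1.2.0rc1" and "1.2rc1" (PEP 440) all map to
# [[1, 2, 0], [0, 2, 1]]; a final release gets [1, 0, 0] so it sorts after its rcs.
def version_key(str)
  m = /\A(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc|a|b|c)\.?(\d*))?\z/i.match(str.strip)
  raise ArgumentError, "unparseable version: #{str.inspect}" unless m
  nums = m[1].split(".").map(&:to_i)
  nums << 0 while nums.size < 3
  [nums, m[2] ? [0, PRE_RANK[m[2].downcase], m[3].to_i] : [1, 0, 0]]
end
# Pad numeric parts to equal width so "1.2.3" == "1.2.3.0", then compare the keys.
def compare_versions(a, b)
  (na, pa), (nb, pb) = version_key(a), version_key(b)
  w = [na.size, nb.size].max
  [na + [0] * (w - na.size), pa] <=> [nb + [0] * (w - nb.size), pb]
end
# Render a key in a target dialect: :semver -> "1.2.0-rc.1", :pypi -> "1.2.0rc1".
def render(key, dialect)
  nums, pre = key
  base = nums.join(".")
  return base if pre[0] == 1
  name = PRE_NAMES[pre[1]][dialect == :pypi ? 1 : 0]
  dialect == :pypi ? "#{base}#{name}#{pre[2]}" : "#{base}-#{name}.#{pre[2]}"
end
# Parse an NVD-style constraint list such as ">=1.0.0,<1.2.0-rc.1" into [[op, version], ...].
def parse_range(range)
  range.split(",").map do |c|
    m = /\A(>=|<=|>|<)\s*(\S+)\z/.match(c.strip)
    raise ArgumentError, "bad constraint: #{c.inspect}" unless m
    m.captures
  end
end
# Rewrite every bound of a range in the target registry's dialect.
def translate_range(range, dialect)
  parse_range(range).map { |op, v| "#{op}#{render(version_key(v), dialect)}" }.join(",")
end
def affected?(version, range)
  parse_range(range).all? { |op, v| OPS[op].include?(compare_versions(version, v)) }
end
# Non-affected versions are the complement of the affected range: flip each bound.
def non_affected(range)
  parse_range(range).map { |op, v| "#{FLIP[op]}#{v}" }.join(" || ")
end
```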
Agenda: https://docs.google.com/document/d/1tjYKsZmqC5lnzyTBHlSTMZnub7jjyxK9ZWjVdjqgLtk/edit
Video: https://www.youtube.com/watch?v=TYOYzVPMHD4&feature=youtu.be
SemverDialects Code: https://gitlab.com/gitlab-org/secure/vulnerability-research/advisories/semver_dialects