
Generate affected_versions from affected_range


This MR was automatically generated by the sanitisation function incorporated in the advisory database curation tool.

I would like to outline how the translation process works internally; I am using one of the implemented test cases as an example: tc_version_parser.rb

The tool includes a version parser that parses the version string notations used by various package managers (mvn, npm, etc.). Parsing is basically a two-step process:

  1. Translate version string into a normalised form by means of a VersionTranslator (see tc_version_parser.rb#L72 as an example)
  2. Parse version string and create a VersionInterval. This interval is a common representation of up to two semantic versions (for lower and upper bounds).

From the VersionInterval, it is also possible to generate version strings in different formats for the various package types such as npm, mvn, PyPI, etc. (see version_interval.rb#L57 as an example of how to generate a mvn version string).

Moreover, the VersionInterval also allows generating a version description in natural language (see version_interval.rb#L43). This is the functionality which was used to generate the content of the affected_versions field from the affected_range field.

You can find a corresponding test case here.
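The two-step pipeline described above, as an added example that is not the curation tool's own code: an npm-style affected_range string is first translated into a normalised list of constraints, then folded into an interval from which both a mvn range string and the natural-language affected_versions text are derived. Class and method names (Version, VersionInterval, translate_range, parse_range) are assumptions, not the tool's API.

```ruby
# Added example, not the curation tool's own code: a minimal model of the two-step
# pipeline for npm-style affected_range strings such as ">=1.0.0 <2.0.0".
# Class and method names are assumptions.

Version = Struct.new(:major, :minor, :patch) do
  def to_s; to_a.join("."); end
end

# Step 1: translate the package-manager notation into a normalised form,
# here a list of [operator, Version] pairs.
def translate_range(range)
  range.split.map do |tok|
    m = tok.match(/\A(>=|<=|>|<|=)?(\d+)\.(\d+)\.(\d+)\z/) or raise ArgumentError, "bad constraint: #{tok}"
    [m[1] || "=", Version.new(*[m[2], m[3], m[4]].map(&:to_i))]
  end
end

# Step 2: an interval with optional lower/upper bounds, from which both a
# package-specific range string and a natural-language description are derived.
VersionInterval = Struct.new(:lower, :lower_inclusive, :upper, :upper_inclusive) do
  def to_mvn
    "#{lower_inclusive ? '[' : '('}#{lower},#{upper}#{upper_inclusive ? ']' : ')'}"
  end

  # Natural-language form, the shape used for the affected_versions field.
  def to_description
    return "version #{lower}" if lower && lower == upper
    parts = []
    parts << (lower_inclusive ? "all versions starting from #{lower}" : "all versions after #{lower}") if lower
    parts << "#{lower ? 'up to' : 'all versions up to'} #{upper_inclusive ? 'and including' : 'but excluding'} #{upper}" if upper
    parts.join(", ")
  end
end

def parse_range(range)
  iv = VersionInterval.new
  translate_range(range).each do |op, v|
    case op
    when ">=" then iv.lower, iv.lower_inclusive = v, true
    when ">"  then iv.lower, iv.lower_inclusive = v, false
    when "<=" then iv.upper, iv.upper_inclusive = v, true
    when "<"  then iv.upper, iv.upper_inclusive = v, false
    when "="
      iv.lower = iv.upper = v
      iv.lower_inclusive = iv.upper_inclusive = true
    end
  end
  iv
end
```

Calling `parse_range(">=1.0.0 <2.0.0").to_description` yields the affected_versions text and `.to_mvn` the corresponding Maven range `[1.0.0,2.0.0)`.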


MR related to Advisory DB inconsistencies.

Edited by Julian Thome
