improve ruby comparison version check. #552
Conversation
It looks like Gem has a version with 3 dots such as
@knqyf263 Added logic to replace all occurrences of dots with "-" in the patch version, since it seems that Ruby having 3 dots is language-specific; all other languages put the dash in patch versioning. After that the code works fine for Ruby gems too, check the tests.
go.mod
Outdated
@@ -3,6 +3,7 @@ module github.com/aquasecurity/trivy | |||
go 1.13 | |||
|
|||
require ( | |||
github.com/Masterminds/semver v1.5.0 |
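Review bot: the `require` line pins `github.com/Masterminds/semver v1.5.0`, which is the v1 module, while the code is meant to use the v3 API; Go modules give each major version its own module path, so the import must be `github.com/Masterminds/semver/v3` and this line must require `github.com/Masterminds/semver/v3` at a v3 tag, otherwise the build resolves the old v1 package. After the import is changed, `go mod tidy` swaps in the v3 requirement and drops the unused v1 one.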
I found this version was old. You have to import semver as follows.
import "github.com/Masterminds/semver/v3"
pkg/scanner/utils/utils.go
Outdated
for _, p := range rangeVersions { | ||
c, err := version.NewConstraint(replacer.Replace(p)) | ||
func MatchVersions(currentVersion *semver.Version, rangeVersions []string) bool { | ||
for i := range rangeVersions { |
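Review bot: `for i := range rangeVersions` indicates the loop writes the rewritten constraint back into `rangeVersions[i]`; since a slice shares its backing array with the caller, that mutates the caller's constraint strings as a side effect of `MatchVersions`. Ranging by value, `for _, v := range rangeVersions`, and keeping the rewritten string in a local variable avoids that and matches the shape of the previous `for _, p := range rangeVersions` loop.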
I think there is no reason to overwrite `rangeVersions` and it sometimes introduces a bug, so `for _, v := range rangeVersions {` looks enough in this case.
pkg/scanner/utils/utils.go
Outdated
part := strings.Split(constraintParts[j], ".") | ||
if len(part) > 3 { | ||
constraintParts[j] = strings.Join(part[:2], ".") + "." + strings.Join(part[2:], "-") | ||
} |
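Review bot: `strings.Join(part[2:], "-")` joins every trailing segment with a hyphen, so `1.2.3.4.5` becomes `1.2.3-4-5`, whose prerelease `4-5` is a single alphanumeric identifier that semver compares as a string; `1.2.3.4.10` would then map to `4-10` and sort before `4-5`. Joining the tail with `.` instead (`1.2.3-4.5`) keeps each extra segment a numeric identifier that is compared numerically, and the condition plus rewrite would be easier to unit-test as a standalone helper.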
Could you define this process as another function?
pkg/scanner/utils/utils.go
Outdated
for j := range constraintParts { | ||
part := strings.Split(constraintParts[j], ".") | ||
if len(part) > 3 { | ||
constraintParts[j] = strings.Join(part[:2], ".") + "." + strings.Join(part[2:], "-") |
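Review bot: turning the fourth segment into a `-` suffix makes it a semver prerelease, and semver orders a prerelease below its release (`1.2.3-4 < 1.2.3`), whereas RubyGems orders `1.2.3.4` after `1.2.3`. A constraint such as `< 1.2.3.4`, rewritten to `< 1.2.3-4`, therefore does not match version `1.2.3` even though that version is inside the range. That boundary case belongs in the tests next to the four-segment ones.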
I think it doesn't work with a patch version including a dot such as `1.2.3-beta.1`.
https://github.com/Masterminds/semver#working-with-prerelease-versions
It might work even if we replace valid dots, but I think we should keep the version in its original form as much as possible to avoid an unexpected bug.
The best way I think of at the moment is
1.2.3-beta -> 1.2.3-beta
1.2.3-beta.1 -> 1.2.3-beta.1
1.2.3.4 -> 1.2.3-4
1.2.3.4.5 -> 1.2.3-4.5
1.2.3.4-5 -> 1.2.3-4-5
Let me know your thought.
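The mapping proposed in the comment above, as an added Go example that is not part of this PR or of trivy; it uses only the standard library, and `rubyToSemver` and `rewriteConstraint` are names chosen here, not functions from the project:

```go
package main

import (
	"fmt"
	"strings"
)

// rubyToSemver rewrites a RubyGems version with more than three dotted
// segments into a string a semver parser accepts, using the mapping
// proposed in the review: segments after the third become a prerelease
// suffix, and an existing prerelease tag (everything after the first "-")
// is kept unchanged.
func rubyToSemver(v string) string {
	head, pre := v, ""
	if i := strings.Index(v, "-"); i >= 0 {
		head, pre = v[:i], v[i+1:]
	}
	segs := strings.Split(head, ".")
	if len(segs) > 3 {
		// 1.2.3.4.5 -> 1.2.3-4.5: the tail keeps its dots so each extra
		// segment stays a numeric prerelease identifier.
		head = strings.Join(segs[:3], ".") + "-" + strings.Join(segs[3:], ".")
	}
	if pre != "" {
		return head + "-" + pre // 1.2.3.4-5 -> 1.2.3-4-5
	}
	return head
}

// rewriteConstraint applies rubyToSemver to every comma-separated part of
// a constraint string, leaving the leading operator (">=", "<", ...) alone.
func rewriteConstraint(c string) string {
	parts := strings.Split(c, ",")
	for i, p := range parts {
		p = strings.TrimSpace(p)
		if j := strings.IndexAny(p, "0123456789"); j >= 0 {
			p = p[:j] + rubyToSemver(p[j:])
		}
		parts[i] = p
	}
	return strings.Join(parts, ", ")
}

func main() {
	for _, v := range []string{"1.2.3-beta.1", "1.2.3.4", "1.2.3.4.5", "1.2.3.4-5"} {
		fmt.Printf("%-12s -> %s\n", v, rubyToSemver(v))
	}
	fmt.Println(rewriteConstraint(">= 1.2.3.4, < 1.3.0"))
}
```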
Updated as suggested. I think you are right; let's see if we get any other issues later.
@knqyf263
pkg/scanner/utils/utils.go
Outdated
for _, m := range msgs { | ||
// re-validate after removing the patch version | ||
if strings.HasSuffix(m.Error(), "is a prerelease version and the constraint is only looking for release versions") { | ||
if v2, err := semver.NewVersion(fmt.Sprintf("%v.%v.%v", currentVersion.Major(), currentVersion.Minor(), currentVersion.Patch())); err == nil { |
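Review bot: the `HasSuffix` branch re-validates `currentVersion` with its prerelease stripped, which moves the version to a different point in the ordering and changes the result exactly at range boundaries: `1.2.3.4` (rewritten `1.2.3-4`) against `> 1.2.3` becomes `1.2.3 > 1.2.3` and fails although RubyGems orders it after `1.2.3`, and a real prerelease `1.2.3-beta` against `< 1.2.3` becomes `1.2.3 < 1.2.3` and fails although it is older. Matching on the error text is also brittle across library versions; comparing with `Version.Compare`, which orders prereleases instead of rejecting them, would be more robust, and these boundary cases belong in the tests.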
nit: it is wide, so what if we split the line?
if v2, err := semver.NewVersion(fmt.Sprintf("%v.%v.%v", currentVersion.Major(), currentVersion.Minor(), currentVersion.Patch())); err == nil { | |
v2, err := semver.NewVersion(fmt.Sprintf("%v.%v.%v", | |
currentVersion.Major(), currentVersion.Minor(), currentVersion.Patch())) | |
if err == nil { |
pkg/scanner/utils/utils.go
Outdated
// re-validate after removing the patch version | ||
if strings.HasSuffix(m.Error(), "is a prerelease version and the constraint is only looking for release versions") { | ||
if v2, err := semver.NewVersion(fmt.Sprintf("%v.%v.%v", currentVersion.Major(), currentVersion.Minor(), currentVersion.Patch())); err == nil { | ||
valid, msgs = c.Validate(v2) |
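Review bot: in Go the `range msgs` expression is evaluated once before the loop starts, so reassigning `msgs` inside the body does not change what the loop iterates; the second return value is effectively unused and `valid, _ = c.Validate(v2)` makes that explicit. Since the re-validation covers the whole constraint, a `break` after it avoids repeating the same `NewVersion` and `Validate` calls for every remaining message.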
This `msgs` will not be used, right? Or, does it affect the loop variable at line 37? If it is not used, we should make it easy to understand.
valid, msgs = c.Validate(v2) | |
valid, _ = c.Validate(v2) |
@knqyf263 Done
* Implemented ruby comparison version check.
* Added semver package to validate and check version
* Added more tests
* Replaced go-version with semver
* Removing go-version from dependency
* Added check for ruby gem version format
* Updated semver model and patch rewrite process
* Refactoring
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>