[bug] Version range without qualifiers creates ambiguous dependency retrieval #965
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This issue was raised by @knrc
Today, Version ranges don’t have the ability to encode qualifiers, therefore, through a version range specified, it may be insufficient alone to retrieve the original package version used (with qualifiers and matching to hashes).
For example let's say we ingest SBOM 1 where
Artifact X1 --IsOccurrence--> Pkg X
Pkg X --IsDepedency { VersionRange: 1.3.0 }-> Pkg Y {Version 1.3.0, qualifiers: "OS=linux"} --IsOccurrence--> Artifact Y1
and we ingest SBOM 2 where
Artifact X2 --IsOccurrence--> Pkg X
Pkg X --IsDepedency { VersionRange: 1.3.0 }-> Pkg Y {Version 1.3.0, qualifiers: "OS=windows"} --IsOccurrence--> Artifact Y2
It would be impossible to be able to know just by retrieving and following the edges of Artifact X1 that it is using version 1.3.0 OS=linux instead of OS=windows. This introduces undifferentiatable ambiguity.
The text was updated successfully, but these errors were encountered: