Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Restrict latest versions to stable highest releases only for all default repositories #2501

Draft
wants to merge 7 commits into
base: master
Choose a base branch
from

Conversation

walterdeboer
Copy link

@walterdeboer walterdeboer commented Feb 17, 2023

Description

Added a regex to determine unstable releases. Every release in the repository metadata is examined and only stable releases are considered to determine the highest version number, instead of the latest by date.

Before:
image

After:
image

Addressed Issue

closes #2500, fixes #513, fixes #1374

Additional Details

Testing is a bit hard since curernt tests need actual HTTP calls. Extracted a few utility methods for verification.

Cargo and Go report highest stable versions. Updated the other repositories to use the utility methods. All repositories now return stable highest versions when found.

Fixed inaccurate published timestamp. It also got updated when a new lower or unstable version was pushed to the repo. The published timestamp is now set only when the latest version in the metadata equals the latest stable version found so we know for sure the published timestamp belongs to that version.

Centralized all version matching in ComponentVersion, added complex version matching to match semver as well as non-semver and different ecosystems, such as debian and ubuntu, that use epoch numbers in versions, or use labels with ''ubuntu" in it. (#1374)

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@sonatype-lift
Copy link
Contributor

sonatype-lift bot commented Feb 18, 2023

🛠 Lift Auto-fix

Some of the Lift findings in this PR can be automatically fixed. You can download and apply these changes in your local project directory of your branch to review the suggestions before committing.1

# Download the patch
curl https://lift.sonatype.com/api/patch/github.com/DependencyTrack/dependency-track/2501.diff -o lift-autofixes.diff

# Apply the patch with git
git apply lift-autofixes.diff

# Review the changes
git diff

Want it all in a single command? Open a terminal in your project's directory and copy and paste the following command:

curl https://lift.sonatype.com/api/patch/github.com/DependencyTrack/dependency-track/2501.diff | git apply

Once you're satisfied, commit and push your changes in your project.

Footnotes

  1. You can preview the patch by opening the patch URL in the browser.

@walterdeboer walterdeboer changed the title Restrict latest versions to stable releases only for maven repositories Restrict latest versions to stable releases only for Composer, Hex, Maven, NPM and NuGet repositories Feb 20, 2023
@walterdeboer walterdeboer changed the title Restrict latest versions to stable releases only for Composer, Hex, Maven, NPM and NuGet repositories Restrict latest versions to stable releases only for Composer, Hex, Maven, NPM, NuGet and PyPi repositories Feb 20, 2023
@walterdeboer walterdeboer changed the title Restrict latest versions to stable releases only for Composer, Hex, Maven, NPM, NuGet and PyPi repositories Restrict latest versions to stable releases only for all repositories Feb 20, 2023
@msymons
Copy link
Member

msymons commented Apr 27, 2023

@walterdeboer, following the release of v4.8.0, this PR now has conflicts that need to be resolved before it can be merged. Please can you fix things? Then the PR can be reviewed.

Copy link
Contributor

@melba-lopez melba-lopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks so much @walterdeboer for making these changes. Def helps to make the code more efficient/clean and 💟 the checking of stable versions aspect of it 😸

@melba-lopez
Copy link
Contributor

@nscuro there are no merge conflicts and it is updated with the latest changes of base branch.

@walterdeboer walterdeboer force-pushed the master branch 4 times, most recently from 53b816c to 30be928 Compare June 29, 2023 20:42
@melba-lopez melba-lopez added the enhancement New feature or request label Jul 28, 2023
@nscuro nscuro self-assigned this Aug 14, 2023
@melba-lopez
Copy link
Contributor

melba-lopez commented Aug 22, 2023

@walterdeboer can you help resolve the branch conflict?

Copy link
Contributor

@melba-lopez melba-lopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reviewed extra changes since last approval. Thanks for additional tests @walterdeboer

@nscuro
Copy link
Member

nscuro commented Aug 22, 2023

@melba-lopez @walterdeboer The conflict just resolved itself after merging #2965 :)

@nscuro
Copy link
Member

nscuro commented Oct 16, 2023

Thanks again @walterdeboer for the effort here.

Upon further inspection, there are two major things that prevent us from merging this:

  • I had multiple orgs reach out indicating that they in fact want to see SNAPSHOT / pre-release versions to be considered as latest. This seems to be the case for primarily internal repositories, e.g. where developers should be notified when a newer SNAPSHOT version of an internal library is available. What this means is that at the very least, the feature implemented in this PR should be optional, potentially even configurable on a per-repository basis.
  • This PR touches a very central class, namely ComponentVersion. This class is not only used during repository meta analysis, but also during internal vulnerability analysis. Trying to deal with multiple versioning schemes (Debian, Ubuntu, RPM, etc.) in a single class is highly error-prone and hard to debug. What we're planning to do is to integrate vers (Add support for vers version ranges and ecosystem-specific version comparisons #2826), which includes implementations for ecosystem-specific version matching and comparisons. The plan is to adopt https://github.com/nscuro/versatile for this. Once added, it will be much easier to extend the comparison logic for more versioning schemes.

@nscuro nscuro removed this from the 4.9 milestone Oct 16, 2023
@walterdeboer
Copy link
Author

walterdeboer commented Oct 18, 2023

Thanks for the heads-up @nscuro I'll have a look how to add support for in/excluding pre-releases, i'll get back on that.
ComponentVersion definitely deserves a better foundation. Vers(atile) sounds good!

Walter de Boer and others added 7 commits October 19, 2023 01:39
- Compiling regex Patterns to save computational effort
- Documenation

Co-authored-by: Niklas <[email protected]>
Signed-off-by: Walter de Boer <[email protected]>
Signed-off-by: Walter de Boer <[email protected]>
…ersion matching to match different ecosystems

Signed-off-by: Walter de Boer <[email protected]>
Signed-off-by: Walter de Boer <[email protected]>
…d repository metadata

Signed-off-by: Walter de Boer <[email protected]>
Signed-off-by: Walter de Boer <[email protected]>
@undeadly
Copy link

This PR fixes my major complaint with Dependency Track. Please revive this PR and get it merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
5 participants