
Add support for vers version ranges and ecosystem-specific version comparisons #2826

@nscuro

Description


Current Behavior

The Package URL project has defined vers, a specification for version ranges that is capable of dealing with ecosystem-specific version notations.

Using an example from the spec document, the following vers range:

vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1

translates to:

affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0-beta1 - 1.7.5.

vers has been adopted by the CycloneDX project, where it is used to communicate version ranges affected by a given vulnerability.

The version comparison logic DT has today is generic and is struggling to deal with versioning schemes that are specific to certain ecosystems, like Debian (#1374, #2062). Our vulnerability matching logic would benefit greatly from being able to understand ecosystem-specific notations.

Further, supporting vers would allow DT to ingest vulnerable version ranges from CycloneDX Bill of Vulnerabilities into its database. But it will be of use for ingesting data from GitHub Advisories, OSV, and other sources as well, by converting between "native" (e.g. NPM range notation) and vers.

For policies, the Coordinates and Version conditions will be a lot more useful, as currently only a single version constraint can be provided, whereas vers supports multiple.

A well-known reference implementation of vers is univers by nexB. It's a Python library. There's no Java library at the time of writing.

Proposed Behavior

Implement support for vers. An initial implementation should at least support the semver and generic versioning schemes. Support for other schemes can be added in future iterations (community contributions will play a big part in this).

The implementation should support at least the following use-cases:

  • Checking whether a vers range contains a given version
  • Checking whether version A is lower than, lower than or equal to, equal to, greater than or equal to, or greater than version B
  • Converting between ecosystem-specific ranges (e.g. semver) and vers

The code should stay internal to DT at first, but as it matures, we should consider "donating" it to the Package URL organization to benefit the wider community.
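As an added worked example for the three use ccases listed above (written for this page; it is not Dependency-Track's code and not taken from univers, whose Python reference implementation is the reason Python is used here), the following evaluator parses a `vers:` range for the `semver` and `generic` schemes, folds the sorted constraints into intervals the way the spec's pairwise algorithm does, answers "is version X in this range", compares two versions under a scheme, and converts an npm caret range into vers. The `generic` comparison rule (split on separators, numeric segments compare as numbers, the rest as text) is an assumption made for this example, as is the restriction of `npm_caret_to_vers` to plain `^MAJOR.MINOR.PATCH` specs.

```python
"""Added worked example for the three use cases listed in the issue. Written for this
page, not Dependency-Track or univers code; the 'generic' comparison rule is an assumption."""
import re
from collections import namedtuple
from functools import cmp_to_key

OPS = ("<=", ">=", "!=", "<", ">", "=")  # two-character operators first so "<=" beats "<"
SEMVER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?")
Constraint = namedtuple("Constraint", "op version")


def _cmp(a, b):
    return (a > b) - (a < b)


def compare_semver(a, b):
    """SemVer 2.0 precedence: numeric core, then prerelease identifiers; build metadata ignored."""
    ma, mb = SEMVER_RE.fullmatch(a), SEMVER_RE.fullmatch(b)
    if not (ma and mb):
        raise ValueError(f"not a semver version: {a!r} / {b!r}")
    core_a, core_b = tuple(map(int, ma.group(1, 2, 3))), tuple(map(int, mb.group(1, 2, 3)))
    if core_a != core_b:
        return _cmp(core_a, core_b)
    pre_a, pre_b = ma.group(4), mb.group(4)
    if pre_a is None or pre_b is None:
        return _cmp(pre_a is None, pre_b is None)  # a release outranks its own prereleases
    for ia, ib in zip(pre_a.split("."), pre_b.split(".")):
        da, db = ia.isdigit(), ib.isdigit()
        r = _cmp(int(ia), int(ib)) if da and db else _cmp(ia, ib) if da == db else (-1 if da else 1)
        if r:
            return r
    return _cmp(len(pre_a.split(".")), len(pre_b.split(".")))  # fewer identifiers sort first


def compare_generic(a, b):
    """Assumed rule for 'generic': split on . - _; numeric segments compare as ints, others as text."""
    def key(v):
        return [(0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"[.\-_]", v)]
    return _cmp(key(a), key(b))


class VersRange:
    """A parsed vers range: sorted constraints folded into (lower, upper) intervals."""
    SCHEMES = {"semver": compare_semver, "generic": compare_generic}

    def __init__(self, text):
        scheme, sep, body = text[len("vers:"):].partition("/")
        if not text.startswith("vers:") or not sep or scheme.lower() not in self.SCHEMES:
            raise ValueError(f"malformed or unsupported vers range: {text!r}")
        self.cmp = self.SCHEMES[scheme.lower()]
        self.star = body.strip() == "*"  # "*" means every version
        self.constraints = [] if self.star else [self._parse(c) for c in body.split("|") if c.strip()]
        for c in self.constraints:  # fail early on a version the scheme cannot parse
            self.cmp(c.version, c.version)
        self.constraints.sort(key=cmp_to_key(lambda x, y: self.cmp(x.version, y.version)))
        self.intervals, lower = [], None
        for c in self.constraints:  # fold the sorted bounds pairwise; None marks an open side
            if c.op in ("=", "!="):
                continue
            if c.op in (">", ">="):
                if lower is not None:
                    raise ValueError("two consecutive lower bounds")
                lower = c
            else:
                if lower is None and self.intervals:
                    raise ValueError("two consecutive upper bounds")
                self.intervals.append((lower, c))
                lower = None
        if lower is not None:
            self.intervals.append((lower, None))

    @staticmethod
    def _parse(text):
        text = text.strip()
        for op in OPS:
            if text.startswith(op):
                return Constraint(op, text[len(op):].strip())
        return Constraint("=", text)  # a bare version means equality

    def _within(self, v, lower, upper):
        lo_ok = lower is None or self.cmp(v, lower.version) > (0 if lower.op == ">" else -1)
        hi_ok = upper is None or self.cmp(v, upper.version) < (0 if upper.op == "<" else 1)
        return lo_ok and hi_ok

    def contains(self, version):
        if self.star:
            return True
        for c in self.constraints:  # exact matches and exclusions take precedence over bounds
            if c.op in ("=", "!=") and self.cmp(version, c.version) == 0:
                return c.op == "="
        if not self.intervals:  # only exact matches or exclusions were given
            return any(c.op == "!=" for c in self.constraints)
        return any(self._within(version, lo, hi) for lo, hi in self.intervals)


def npm_caret_to_vers(spec):
    """Convert an npm '^MAJOR.MINOR.PATCH' range (release versions only) into vers notation."""
    m = re.fullmatch(r"\^(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported npm range: {spec!r}")
    major, minor, patch = map(int, m.groups())
    upper = f"{major + 1}.0.0" if major else f"0.{minor + 1}.0" if minor else f"0.0.{patch + 1}"
    return f"vers:semver/>={major}.{minor}.{patch}|<{upper}"
```

The range is evaluated as a union of intervals, so a version is matched if it falls into any one of them; a version equal to a strict bound (`>` or `<`) of one interval can still be matched by a neighbouring inclusive interval. Exact-match (`=`) and exclusion (`!=`) constraints are checked before the bounds, mirroring the spec's ordering, and a range consisting only of `!=` constraints matches everything except the excluded versions. For a scheme such as `tomee` or `deb`, the only change needed is a new entry in `VersRange.SCHEMES` with that ecosystem's comparison function, which is the extension point the issue's "community contributions" note refers to.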

Labels: enhancement (New feature or request), p3 (Nice-to-have features)