Skip to content

Implemented VERS approach for PURL version matching with VERSATILE.#5591

Merged
nscuro merged 2 commits intoDependencyTrack:masterfrom
ElenaStroebele:2826
Jan 1, 2026
Merged

Implemented VERS approach for PURL version matching with VERSATILE.#5591
nscuro merged 2 commits intoDependencyTrack:masterfrom
ElenaStroebele:2826

Conversation

@ElenaStroebele
Copy link
Copy Markdown
Contributor

@ElenaStroebele ElenaStroebele commented Dec 3, 2025

Description

Implemented the VERS approach for comparing versioning schemes more reliably using the versatile/versatile-core/src/main/java/io/github/nscuro/versatile at main · nscuro/versatile package.
Key implementations:

  • VulnerableSoftware.java now contains a vers field, building a comparable VERS for given constraints.
  • InternalAnalysisTask.java and AbstractVulnerableSoftwareAnalysisTask.java now differ between CPE and PURL matching of versions. In case a purl is given, the tasks now perform contains() based on Versions and VersionRanges based on versatile. The logic of CPE matching stayed the same.
  • Included Tests, in line with existing Cpe Matching Tests.
  • VersionPolicyEvaluator.java now includes condition matching based on PURL and on CPEs.

Open for discussions!

Addressed Issue

Addressed issue #2826.

Additional Details

Used ChatGPT and Copilot to understand existing codebase.

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@owasp-dt-bot
Copy link
Copy Markdown

owasp-dt-bot commented Dec 3, 2025
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@codacy-production
Copy link
Copy Markdown

codacy-production bot commented Dec 3, 2025
edited
Loading

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
+0.03% (target: -1.00%) 85.71% (target: 70.00%)
Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (e822f43) 24092 19492 80.91%
Head commit (675f938) 24218 (+126) 19601 (+109) 80.94% (+0.03%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#5591) 140 120 85.71%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

@ElenaStroebele ElenaStroebele marked this pull request as ready for review December 3, 2025 12:54
nscuro
nscuro requested changes Dec 4, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@nscuro nscuro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you done any testing WRT the internal analysis using data from GitHub Advisories or OSV? It would be good to get an idea how this performs with real-world data.

@nscuro nscuro added this to the 4.14.0 milestone Dec 4, 2025
@nscuro nscuro added the enhancement New feature or request label Dec 4, 2025
@ElenaStroebele
Copy link
Copy Markdown
Contributor Author

ElenaStroebele commented Dec 4, 2025
edited
Loading

Have you done any testing WRT the internal analysis using data from GitHub Advisories or OSV? It would be good to get an idea how this performs with real-world data.

Yes, I simply added the components that Github Advisories had assigned vulnerabilities to to a test project on a random basis. Vulnerabilities were correctly identified. I did it for most of the already supported schemes of versatile and one or two non-supported ones (which should have resulted in generic then). Would you like further info about that?

@ElenaStroebele
Added suggested changes.
675f938 
Signed-off-by: ElenaStroebele <[email protected]>
@ElenaStroebele ElenaStroebele requested a review from nscuro December 4, 2025 14:50
@nscuro
Copy link
Copy Markdown
Member

nscuro commented Dec 4, 2025

Doing some testing as well now. I noticed there is a concurrency issue in versatile which I'll need to fix:

2025-12-04 16:28:30,781 ERROR [VulnerabilityAnalysisTask] Failed to analyze project [eventToken=2b9777f2-6c5c-43a4-8a32-5ffa61980fa7, projectName=apache/flink:1.18, vulnAnalysisLevel=BOM_UPLOAD_ANALYSIS, projectUuid=d35d2293-dd18-44e1-8828-861719424d8e, projectVersion=f6553722-66d2-4467-aa98-0964f8ee5493]
java.util.ConcurrentModificationException: null
	at java.base/java.util.HashMap.computeIfAbsent(HashMap.java:1230)
	at io.github.nscuro.versatile.VersionFactory.forScheme(VersionFactory.java:41)
	at org.dependencytrack.tasks.scanners.AbstractVulnerableSoftwareAnalysisTask.analyzePurlVersionRange(AbstractVulnerableSoftwareAnalysisTask.java:87)
	at org.dependencytrack.tasks.scanners.AbstractVulnerableSoftwareAnalysisTask.analyzeVersionRange(AbstractVulnerableSoftwareAnalysisTask.java:71)
	at org.dependencytrack.tasks.scanners.InternalAnalysisTask.versionRangeAnalysis(InternalAnalysisTask.java:156)
	at org.dependencytrack.tasks.scanners.InternalAnalysisTask.analyze(InternalAnalysisTask.java:91)
	at org.dependencytrack.tasks.scanners.InternalAnalysisTask.inform(InternalAnalysisTask.java:65)
	at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeComponents(VulnerabilityAnalysisTask.java:288)

This was referenced Dec 4, 2025
Merged
Closed
@nscuro
Copy link
Copy Markdown
Member

nscuro commented Dec 4, 2025

Released versatile 0.14.0 which fixes the above and also adds support for Alpine and Python versions: https://github.com/nscuro/versatile/releases/tag/v0.14.0

This should then also resolve #3808

@ElenaStroebele
Copy link
Copy Markdown
Contributor Author

ElenaStroebele commented Dec 9, 2025
edited
Loading

Released versatile 0.14.0 which fixes the above and also adds support for Alpine and Python versions: https://github.com/nscuro/versatile/releases/tag/v0.14.0

This should then also resolve #3808

Thank you for adding this! I already deleted my PR fixing #3808 with the minimal change.

@nscuro nscuro merged commit 614b47d into DependencyTrack:master Jan 1, 2026
11 checks passed
@nscuro nscuro mentioned this pull request Jan 1, 2026
Closed
2 tasks
@ElenaStroebele ElenaStroebele deleted the 2826 branch January 13, 2026 17:34
@Andre-85 Andre-85 mentioned this pull request Jan 19, 2026
Open
3 tasks
@BrightKn1ght
Copy link
Copy Markdown

BrightKn1ght commented Jan 19, 2026

I think i found some issues with that change. I have create a bug ticket 5712

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 19, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@nscuro nscuro nscuro approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

4.14.0

Development

Successfully merging this pull request may close these issues.

4 participants

@ElenaStroebele @owasp-dt-bot @nscuro @BrightKn1ght