
WIP: narrow golang match comparison for pseudo versions #1810

Closed

spiffcs wants to merge 4 commits into main from narrow-golang-comparrison

Conversation

@spiffcs (Contributor) commented Apr 17, 2024

Summary

This PR attempts to narrow the golang_constraint Satisfied logic as a follow-up to #1797.

#1797 allows grype to proceed with matches when it encounters a package with a pseudo version. This PR limits those pseudo versions to only be compared against constraints that also contain pseudo versions.

This eliminates a case of FP where an incomplete pseudo version (which doesn't have the correct main module information) is compared against a valid semver constraint.

Example of this FP:

syft -o json ollama/ollama:0.1.32 | go run cmd/grype/main.go

...

github.com/ollama/ollama    v0.0.0-20240414223325-7027f264fbb3  0.1.29             go-module  GHSA-5jx5-hqx5-2vrj  High

In the above case v0.0.0-20240414223325-7027f264fbb3 is not < 0.1.29. Syft is unable to determine the main module version for ollama. By comparing the incomplete pseudo version to the semver constraint, grype produces a FP.

This PR makes it so that packages with versions like v0.0.0-20240414223325-7027f264fbb3 are only compared to constraints that also have a similar format.
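An added illustration of the gate this PR describes, not code from grype itself: a Go function that refuses to evaluate a "< fixed" constraint when exactly one side is a pseudo version, so the ollama case above is skipped rather than reported. The pseudo-version pattern is adapted from Go's module tooling; the `CheckFixed`/`Verdict`/`sortKey` names, the single "< fixed" constraint shape, and ordering two same-base pseudo versions by their commit timestamp are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Go pseudo-version shapes, e.g. vX.0.0-yyyymmddhhmmss-abcdefabcdef or
// vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef (pattern adapted from golang.org/x/mod/module).
var pseudoRE = regexp.MustCompile(`^v[0-9]+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)\d{14}-[A-Za-z0-9]+(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)
var stampRE = regexp.MustCompile(`\d{14}`)                  // yyyymmddhhmmss commit timestamp of a pseudo version
var tripleRE = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)`) // leading major.minor.patch, "v" optional

func IsPseudoVersion(v string) bool { return pseudoRE.MatchString(v) }

type Verdict string
const (
	NotComparable Verdict = "not comparable" // pseudo vs plain semver (or unparseable): skip, no match
	Vulnerable    Verdict = "vulnerable"     // pkgVersion sorts below the fixed version
	Fixed         Verdict = "fixed"
)

// sortKey zero-pads major.minor.patch and appends the pseudo-version timestamp ("" for plain semver).
func sortKey(v string) (string, bool) {
	m := tripleRE.FindStringSubmatch(v)
	if m == nil {
		return "", false
	}
	var n [3]int
	for i := range n {
		n[i], _ = strconv.Atoi(m[i+1]) // digits only, so Atoi cannot fail
	}
	return fmt.Sprintf("%010d.%010d.%010d.%s", n[0], n[1], n[2], stampRE.FindString(v)), true
}

// CheckFixed evaluates the constraint "< fixedVersion" for pkgVersion, but only when both
// sides are pseudo versions or both are plain semver: the gate this PR proposes.
func CheckFixed(pkgVersion, fixedVersion string) Verdict {
	a, okA := sortKey(pkgVersion)
	b, okB := sortKey(fixedVersion)
	if !okA || !okB || IsPseudoVersion(pkgVersion) != IsPseudoVersion(fixedVersion) {
		return NotComparable
	}
	if a < b {
		return Vulnerable
	}
	return Fixed
}
```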

spiffcs added 3 commits April 17, 2024 11:57
…rsion cannot be compared against a semver constraint

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs changed the title feat: Narrow golang comparrison feat: narrow golang match comparison for pseudo versions Apr 17, 2024
Comment thread grype/version/golang_constraint.go Outdated
@spiffcs (Contributor, Author) commented Apr 17, 2024

Quality tests are now failing; let me go check the labels.

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs changed the title feat: narrow golang match comparison for pseudo versions WIP: narrow golang match comparison for pseudo versions Apr 18, 2024
@spiffcs spiffcs marked this pull request as draft April 18, 2024 18:27
@spiffcs spiffcs self-assigned this Oct 8, 2024
@spiffcs spiffcs closed this May 1, 2025