
Version Distance Policy Evaluation Cannot Deal With Letters

Open msymons opened this issue 2 years ago • 0 comments

Current Behavior

As a result of logging improvements introduced in v4.9.0 via Issue #2979, a Version Distance Policy that attempts to evaluate a component that contains a letter in the version (either existing version or latest version) will generate an informative WARN:

2023-11-22 02:27:01,522 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
2023-11-22 02:27:01,526 INFO [PolicyEngine] Evaluating 362 component(s) against applicable policies
2023-11-22 02:27:02,397 WARN [VersionDistancePolicyEvaluator] Failed to compute version distance for component pkg:maven/com.google.code.findbugs/[email protected]?type=jar (UUID: 9d582ebf-b3b8-4ab1-bd90-e109f7fa5218), between component version 2.0.1 and latest version 3.0.1u2; Skipping
java.lang.NumberFormatException: For input string: "1u"
	at java.base/java.lang.NumberFormatException.forInputString(Unknown Source)
	at java.base/java.lang.Integer.parseInt(Unknown Source)
	at java.base/java.lang.Integer.parseInt(Unknown Source)
	at org.dependencytrack.util.VersionDistance.parseVersion(VersionDistance.java:156)
	at org.dependencytrack.util.VersionDistance.getVersionDistance(VersionDistance.java:331)
	at org.dependencytrack.policy.VersionDistancePolicyEvaluator.evaluate(VersionDistancePolicyEvaluator.java:93)
	at org.dependencytrack.policy.PolicyEngine.evaluate(PolicyEngine.java:89)
	at org.dependencytrack.policy.PolicyEngine.evaluate(PolicyEngine.java:71)
	at org.dependencytrack.tasks.PolicyEvaluationTask.performPolicyEvaluation(PolicyEvaluationTask.java:55)
	at org.dependencytrack.tasks.PolicyEvaluationTask.inform(PolicyEvaluationTask.java:44)
	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
2023-11-22 02:27:02,580 WARN [VersionDistancePolicyEvaluator] Failed to compute version distance for component pkg:maven/org.apache-extras.beanshell/[email protected]?type=jar (UUID: c12140e6-4959-4f4b-9710-5f5235ceca09), between component version 2.0b6 and latest version 2.0b6; Skipping
java.lang.NumberFormatException: For input string: "0b"
	at java.base/java.lang.NumberFormatException.forInputString(Unknown Source)
	at java.base/java.lang.Integer.parseInt(Unknown Source)
        ...
2023-11-22 02:27:02,607 WARN [VersionDistancePolicyEvaluator] Failed to compute version distance for component pkg:maven/com.google.code.findbugs/[email protected]?type=jar (UUID: 4ff12922-f19b-413f-b776-b2cfbcd25f11), between component version 3.0.1 and latest version 3.0.1u2; Skipping
java.lang.NumberFormatException: For input string: "1u"
	at java.base/java.lang.NumberFormatException.forInputString(Unknown Source)
	at java.base/java.lang.Integer.parseInt(Unknown Source)
        ...

Steps to Reproduce

  1. Create a version distance policy. This was the policy that gave rise to the exceptions reported above, but a better test would be to have the version value as 1 rather than 2.

(screenshot: version-policy)

  2. Upload a BOM containing the following components:
     pkg:maven/jakarta.annotation/[email protected]?type=jar
     pkg:maven/org.apache-extras.beanshell/[email protected]?type=jar

Expected Behavior

  1. No WARN exceptions logged per current behaviour.
  2. Assuming the policy distance is 1, a policy violation for pkg:maven/com.google.code.findbugs/[email protected]?type=jar, as this is one major version behind the latest version.
  3. Valid policy violations for any other component in the project that is more than one version out of date. Currently I am not seeing any Version Distance policy violations for the project under test... but I have not tested against a project that contains NO components that would give the WARN exception.

Dependency-Track Version

4.10.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox

Checklist

msymons avatar Nov 24 '23 16:11 msymons
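The failure above comes from feeding a whole segment such as "1u" or "0b" to Integer.parseInt. The following is an added example, not Dependency-Track's own VersionDistance code: it splits each dot-separated segment into leading digits plus a qualifier so letters no longer abort evaluation, and computes a major/minor/patch distance. The `violates` check assumes the reading from the issue that a component is in violation when it is at least the configured number of major versions behind; the policy semantics are an assumption, not taken from the project.

```python
import re

# Added example, not Dependency-Track's VersionDistance implementation.
# A segment is split into its leading digits and an optional qualifier, so
# "3.0.1u2" -> [(3, ""), (0, ""), (1, "u2")] and "2.0b6" -> [(2, ""), (0, "b6")]
# instead of Integer.parseInt("1u") raising NumberFormatException.
_SEGMENT = re.compile(r"^(\d*)(.*)$")
_LABELS = ("major", "minor", "patch")


def parse_version(version: str) -> list[tuple[int, str]]:
    parts = []
    for seg in version.strip().split("."):
        digits, qualifier = _SEGMENT.match(seg).groups()
        # A segment with no leading digits (e.g. "rc1") counts as 0.
        parts.append((int(digits) if digits else 0, qualifier))
    return parts


def version_distance(current: str, latest: str) -> dict[str, int]:
    """Distance from `current` up to `latest` as {major, minor, patch}.

    Only the first numeric position that differs is counted (being one major
    behind makes minor/patch irrelevant), and qualifier-only differences such
    as 3.0.1 vs 3.0.1u2 give a zero distance.
    """
    cur, new = parse_version(current), parse_version(latest)
    width = max(len(cur), len(new), len(_LABELS))
    cur += [(0, "")] * (width - len(cur))   # pad "1.2" to "1.2.0"
    new += [(0, "")] * (width - len(new))
    distance = dict.fromkeys(_LABELS, 0)
    for label, (c, _), (n, _) in zip(_LABELS, cur, new):
        diff = n - c
        if diff:
            # A component newer than "latest" is not behind at all.
            distance[label] = max(diff, 0)
            break
    return distance


def violates(current: str, latest: str, major_threshold: int = 1) -> bool:
    """Assumed policy reading (from the issue text): violation when the
    component is at least `major_threshold` major versions behind latest."""
    return version_distance(current, latest)["major"] >= major_threshold


if __name__ == "__main__":
    # Constructed pairs taken from the WARN lines in the issue.
    for cur, new in [("2.0.1", "3.0.1u2"), ("3.0.1", "3.0.1u2"), ("2.0b6", "2.0b6")]:
        print(cur, "->", new, version_distance(cur, new), violates(cur, new))
```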