Add univers support for Conan

Open johnmhoran opened this issue 2 years ago • 5 comments

See also https://github.com/nexB/vulnerablecode/issues/1022.

johnmhoran avatar Feb 16 '23 16:02 johnmhoran

@TG1999 I've built some of my univers test code using the structure you showed me last week in a huddle screenshare. This is a relevant excerpt for an error that I just generated.

for index, native in enumerate(natives, 1):
    vers = GenericVersionRange.from_native(native)
    if vers.invert():
        test = dict(
            test_index=index,
            scheme=scheme,
            gitlab_native=native,
            expected_vers=str(vers),
            expected_vers_inverted=str(vers.invert()),
        )
    else:
        test = dict(
            test_index=index,
            scheme=scheme,
            gitlab_native=native,
            expected_vers=str(vers),
            expected_vers_inverted=None,
        )
    generic_test_cases.append(test)

My initial test used NpmVersionRange since that was an example we briefly looked at. Unsurprisingly, this threw an error on one of the affected_ranges values. I then tried it using GenericVersionRange, and got this error:

AttributeError                            Traceback (most recent call last)
/home/jmh/dev/johnmhoran/spyder-substitute-pip-01/univers-01/scrape-cloned-gitlab-create-conan-json-01.py in line 64
     62 for index, native in enumerate(natives, 1):
     63     vers = GenericVersionRange.from_native(native)
---> 64     if vers.invert():
     65         test = dict(
     66             test_index=index,
     67             scheme=scheme,
   (...)
     70             expected_vers_inverted=str(vers.invert()),
     71         )
     72     else:

AttributeError: type object 'NotImplementedError' has no attribute 'invert'

Does this mean that I should omit the if vers.invert() portion of my JSON test, or that I should use something other than GenericVersionRange, or perhaps some other error on my part?

johnmhoran avatar Feb 21 '23 19:02 johnmhoran
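
Added example, not part of the thread and not univers code: the message `type object 'NotImplementedError' has no attribute 'invert'` means `vers` was the `NotImplementedError` class itself, so `from_native` handed back the exception class instead of a range object. The sketch below assumes that behaviour and mimics it with a constructed stand-in (`StubRange`); `parse_native` and `build_test_cases` are hypothetical helpers that record unsupported inputs instead of crashing the test-data generator.

```python
# Native strings taken from the thread; everything else here is constructed.
SAMPLE_NATIVES = [">=5.1.0 <=5.1.1", "cci.20200203"]


class StubRange:
    """Constructed stand-in, not univers code: from_native returns the
    NotImplementedError class instead of raising it or returning a range."""

    @classmethod
    def from_native(cls, native):
        return NotImplementedError


def parse_native(range_cls, native):
    """Return (range_obj, None) on success or (None, reason) on failure."""
    try:
        vers = range_cls.from_native(native)
    except NotImplementedError:
        return None, "from_native raised NotImplementedError"
    # The traceback's case: an exception class or instance came back as a value.
    is_exc_class = isinstance(vers, type) and issubclass(vers, BaseException)
    if is_exc_class or isinstance(vers, BaseException):
        return None, "from_native returned NotImplementedError"
    if not hasattr(vers, "invert"):
        return None, f"unexpected return type {type(vers).__name__}"
    return vers, None


def build_test_cases(range_cls, scheme, natives):
    """Build JSON-ready test dicts; collect unparsable natives separately."""
    cases, skipped = [], []
    for index, native in enumerate(natives, 1):
        vers, reason = parse_native(range_cls, native)
        if vers is None:
            skipped.append((index, native, reason))
            continue
        inverted = vers.invert()  # call once, reuse the result
        cases.append(dict(
            test_index=index,
            scheme=scheme,
            gitlab_native=native,
            expected_vers=str(vers),
            expected_vers_inverted=str(inverted) if inverted else None,
        ))
    return cases, skipped
```

The `skipped` list gives a per-scheme record of which native strings a range class could not handle, which is the same information the manual scheme-by-scheme comparison in this thread collects.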

@TG1999 GH evidently won't allow me to upload my .py file, but here are 3 of the relevant data files I've generated.

conan_advisories.txt conan_affected_ranges.txt conan_files.txt

johnmhoran avatar Feb 21 '23 19:02 johnmhoran

@TG1999 Out of curiosity I've tested a number of other version range schemas, with these results:

# Errors:

# ApacheVersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'

# ComposerVersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'

# DebianVersionRange
# InvalidVersion: '5.1.0<=5.1.1' is not a valid <class 'univers.versions.DebianVersion'>

# GemVersionRange
# InvalidRequirementError: Illformed requirement {requirement!r}

# GenericVersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'

# GolangVersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'

# MavenVersionRange
# No error thrown but all JSON output entries look like this:
#   {
#     "test_index": 1,
#     "scheme": "maven",
#     "gitlab_native": ">=5.1.0 <=5.1.1",
#     "expected_vers": "vers:maven/None",
#     "expected_vers_inverted": "vers:maven/!=None"
#   },

# NpmVersionRange
# InvalidVersion: 'cci.20200203' is not a valid <class 'univers.versions.SemverVersion'>

# NugetVersionRange
# InvalidNuGetVersion: version does not contain any digit: None

# PypiVersionRange
# InvalidSpecifier: Invalid specifier: '>=5.1.0<=5.1.1'
# ^ This has deleted the space between the 2 values in the 1st entry

# RpmVersionRange
# ValueError: Unknown comparator in version requirement: ''

# VersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'

johnmhoran avatar Feb 21 '23 21:02 johnmhoran

> @TG1999 GH evidently won't allow me to upload my .py file, but here are 3 of the relevant data files I've generated.
>
> conan_advisories.txt conan_affected_ranges.txt conan_files.txt

@johnmhoran thanks for getting all this data. Please see if the way these ranges are stored in GitLab is the native way to represent these ranges?

TG1999 avatar Feb 22 '23 15:02 TG1999

@TG1999 Before I do, as I noted above I tried to implement the code you showed me on the screen share last week -- what does that error mean, and how do I deal with it?

[Resolved -- thank you @TG1999 👍 🙂 ]

johnmhoran avatar Feb 22 '23 16:02 johnmhoran

This has been merged. Closing. See:

  • https://github.com/aboutcode-org/univers/issues/81

pombredanne avatar Oct 01 '24 15:10 pombredanne