
Semver package check did not work with alpine packages

Open gimler opened this issue 1 year ago • 8 comments

Describe the bug: The semver version check for packages doesn't work with Alpine packages. The actual package version for curl is 8.5.0-r0

How To Reproduce

matching:
  curl:
    content:
      - 8.5.0-r0
    matches:
      and:
        - contain-element:
            semver-constraint: ">=8.5.0"

>=8.4.0 is green. It seems that -r0 is interpreted as a release candidate.

Expected Behavior valid

Actual Behavior error

Environment:

  • Version of goss 0.4.7
  • OS/Distribution version (if applicable) alpine

gimler avatar May 22 '24 14:05 gimler

Hello, thank you for filing this.

https://stackblitz.com/edit/node-semver-check-ocyv5l?file=index.js

Type node index.js in the terminal, isn't that behavior what's expected or am I misunderstanding the bug report?

aelsabbahy avatar May 22 '24 21:05 aelsabbahy

Basically yes.

The r0 is a release suffix, not a prerelease.

So the bug is in the semver lib right?

gimler avatar May 23 '24 06:05 gimler

So the bug is in the semver lib right?

The way I'm reading the semver spec, the behavior of the node and go libraries seems accurate. My guess is alpine doesn't strictly follow semver for their package versions.

https://semver.org/#spec-item-2 https://semver.org/#spec-item-9 https://semver.org/#spec-item-11

aelsabbahy avatar May 23 '24 14:05 aelsabbahy

The explanation of Alpine versioning; it does not strictly follow semver: https://wiki.alpinelinux.org/wiki/Package_policies#Package_versions

dklimpel avatar May 30 '24 17:05 dklimpel
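Added example, not goss code and not from any commenter: a stand-alone Go check that reproduces the strict SemVer reading in which 8.5.0-r0 is prerelease r0 of 8.5.0 (so it fails >=8.5.0 but passes >=8.4.0), plus the pkgrel split an Alpine-aware check would have to do first. All names (semver, parse, less, SatisfiesMin, SplitAlpine) are mine, and prerelease identifiers are compared as plain strings rather than identifier by identifier as spec item 11 requires.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type semver struct {
	core [3]int
	pre  string // non-empty = prerelease under a strict SemVer reading
}
// parse splits "MAJOR.MINOR.PATCH[-PRERELEASE]"; all text after the first "-" is prerelease, which is how a semver library reads Alpine's "-r0".
func parse(s string) (semver, error) {
	base, pre, _ := strings.Cut(s, "-")
	v := semver{pre: pre}
	if _, err := fmt.Sscanf(base, "%d.%d.%d", &v.core[0], &v.core[1], &v.core[2]); err != nil {
		return v, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", s)
	}
	return v, nil
}
// less orders per SemVer spec item 11: numeric core first, then prerelease < release.
func less(a, b semver) bool {
	for i := range a.core {
		if a.core[i] != b.core[i] {
			return a.core[i] < b.core[i]
		}
	}
	if a.pre == "" || b.pre == "" {
		return a.pre != "" // a release outranks any prerelease of the same core
	}
	return a.pre < b.pre // both prereleases: plain string order is enough here
}
// SatisfiesMin is the strict ">=minimum" check from the report: 8.5.0-r0 is prerelease r0 of 8.5.0, so it fails >=8.5.0 yet passes >=8.4.0.
func SatisfiesMin(actual, minimum string) (bool, error) {
	a, err := parse(actual)
	if err != nil {
		return false, err
	}
	m, err := parse(minimum)
	return err == nil && !less(a, m), err
}
// SplitAlpine reads "-rN" as Alpine's pkgrel (a rebuild of the same upstream version, not a prerelease); assumes pkgver itself contains no "-", so the first cut is safe.
func SplitAlpine(s string) (string, int, error) {
	if pkgver, rel, ok := strings.Cut(s, "-r"); ok {
		n, err := strconv.Atoi(rel)
		return pkgver, n, err
	}
	return "", 0, fmt.Errorf("no -rN pkgrel suffix in %q", s)
}
```

Feeding the pkgver returned by SplitAlpine into SatisfiesMin gives the result the reporter expected; feeding the raw 8.5.0-r0 gives the failure in the report.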

Right, goss doesn't support Alpine (or any other package format) versioning currently. The only one supported is semver.

aelsabbahy avatar Jun 04 '24 16:06 aelsabbahy

A little bit related to:

  • #334

dklimpel avatar Jun 04 '24 16:06 dklimpel

I'll create a new feature request for Goss to support version comparison for all supported package managers: alpine, rpm, deb, etc.

I'll close this ticket and #334 when I create the new comprehensive feature request.

This has been a gap in Goss for a long time now and should be addressed. I think since I last looked at it, there may be more libraries that handle version comparisons of the different package types. Hopefully there are mature libraries for all; otherwise, Goss may have to implement some from hopefully well defined specs.

aelsabbahy avatar Jun 16 '24 15:06 aelsabbahy

There is a similar issue with an implementation: https://github.com/google/osv-scanner/issues/952 under Apache2 license.

dklimpel avatar Jun 16 '24 18:06 dklimpel