Support Normalization of VersionRange #108

Merged (31 commits) Jul 24, 2024

Conversation

@keshav-space (Member) commented Mar 14, 2023

Why Normalize VersionRange?

A VersionRange represents a set of segments of package versions. Different VersionRanges can represent the same set of segments.

For example, consider the package pkg:npm/foobar with the following versions: ["1.0", "2.1", "2.2", "3.0", "3.1", "5.0"].
We can represent certain segments using the vers expression vers:npm/<=2.2|>=3.0|<3.1|5.0.
This can also be represented as:

  • vers:npm/>=1.0|<3.0|>=3.0|<3.1|5.0
  • vers:npm/<3.1|5.0
  • vers:npm/>=1.0|<=2.2|>=3.0|<3.1|5.0

These different representations make it difficult to validate whether two different VersionRanges represent the
same versions of a package.

To compare these ranges effectively, we need to normalize them. The idea is that all vers referring to
the same set of package versions should normalize to an identical VersionRange.
To achieve this, we take a vers along with all the versions of the package and generate a new vers
that contains not arbitrary version segments but only the longest contiguous segments of versions, leading to a VersionRange expression that is identical for a particular set of versions.

If we apply this normalization to the above example of pkg:npm/foobar:

  • vers:npm/<=2.2|>=3.0|<3.1|5.0 would normalize to vers:npm/>=1.0|<=3.0|5.0

The same normalization applies to the other VersionRanges: since they all refer to the same set of versions,
they will all normalize to the exact same VersionRange:

  • vers:npm/>=1.0|<3.0|>=3.0|<3.1|5.0 => vers:npm/>=1.0|<=3.0|5.0
  • vers:npm/<3.1|5.0 => vers:npm/>=1.0|<=3.0|5.0
  • vers:npm/>=1.0|<=2.2|>=3.0|<3.1|5.0 => vers:npm/>=1.0|<=3.0|5.0
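
The normalization described above, as an added worked example in Python. This is not univers's own implementation and does not use its API: it parses a vers expression, tests each known version for membership using the sorted pairwise evaluation from the vers spec (my reading of the spec, stated here as an assumption), and then emits only the longest contiguous runs of matching versions. The dotted-integer version comparison is a simplification for the example and is not npm semver; the version list is the constructed one from the PR description.

```python
"""Normalize a vers expression against the full list of a package's versions.

Added example, not univers's own code. Assumptions:
- versions compare as tuples of integers ("2.10" > "2.9"); good enough for the
  dotted versions in the PR example, but not npm semver;
- range membership follows the vers spec's sorted, pairwise evaluation.
"""
from itertools import groupby

# Longest comparators first so "<=" is not mis-read as "<" followed by "=".
COMPARATORS = ("<=", ">=", "!=", "<", ">", "=")


def parse_version(v):
    # Simplification (assumption): "3.10" -> (3, 10). Real npm versions need semver.
    return tuple(int(part) for part in v.split("."))


def parse_vers(vers):
    """Split "vers:npm/<=2.2|>=3.0|5.0" into (scheme, [(comparator, version)])."""
    if not vers.startswith("vers:"):
        raise ValueError("not a vers expression: %r" % vers)
    scheme, _, body = vers[len("vers:"):].partition("/")
    constraints = []
    for raw in body.split("|"):
        raw = raw.strip()
        if raw == "*":
            constraints.append(("*", None))
            continue
        for comp in COMPARATORS:
            if raw.startswith(comp):
                constraints.append((comp, raw[len(comp):]))
                break
        else:
            constraints.append(("=", raw))  # a bare version means equality
    return scheme, constraints


def _satisfies(version, comp, bound):
    v, b = parse_version(version), parse_version(bound)
    return {"<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b,
            "=": v == b, "!=": v != b}[comp]


def contains(constraints, version):
    """Membership test for one version, in the order the vers spec prescribes."""
    if any(comp == "*" for comp, _ in constraints):
        return True
    if any(comp == "=" and _satisfies(version, "=", b) for comp, b in constraints):
        return True
    if any(comp == "!=" and not _satisfies(version, "!=", b) for comp, b in constraints):
        return False
    # Drop = and !=, sort the rest by version (ties keep input order).
    rest = sorted(((c, b) for c, b in constraints if c not in ("=", "!=")),
                  key=lambda cb: parse_version(cb[1]))
    if not rest:
        return False
    # Open-ended ends: a leading "<"/"<=" or a trailing ">"/">=" stands alone.
    # This is also what handles a range that is left with a single constraint,
    # for which the pairwise loop below has nothing to iterate over.
    if rest[0][0] in ("<", "<=") and _satisfies(version, *rest[0]):
        return True
    if rest[-1][0] in (">", ">=") and _satisfies(version, *rest[-1]):
        return True
    # Consecutive pairs: a lower bound followed by an upper bound is a segment;
    # an upper bound followed by a lower bound is the gap between segments.
    for (c1, b1), (c2, b2) in zip(rest, rest[1:]):
        if c1 in (">", ">=") and c2 in ("<", "<="):
            if _satisfies(version, c1, b1) and _satisfies(version, c2, b2):
                return True
    return False


def normalize(vers, all_versions):
    """Rewrite `vers` as the longest contiguous runs over `all_versions`."""
    scheme, constraints = parse_vers(vers)
    ordered = sorted(all_versions, key=parse_version)
    flags = [(i, contains(constraints, v)) for i, v in enumerate(ordered)]
    segments = []
    for hit, group in groupby(flags, key=lambda f: f[1]):
        if not hit:
            continue
        idx = [i for i, _ in group]
        first, last = ordered[idx[0]], ordered[idx[-1]]
        # A run of one version is written bare; longer runs as >=first|<=last.
        segments.append(first if first == last else ">=%s|<=%s" % (first, last))
    return "vers:%s/%s" % (scheme, "|".join(segments))


if __name__ == "__main__":
    # Constructed version list from the PR description.
    versions = ["1.0", "2.1", "2.2", "3.0", "3.1", "5.0"]
    for expr in ("vers:npm/<=2.2|>=3.0|<3.1|5.0",
                 "vers:npm/>=1.0|<3.0|>=3.0|<3.1|5.0",
                 "vers:npm/<3.1|5.0",
                 "vers:npm/>=1.0|<=2.2|>=3.0|<3.1|5.0"):
        print(expr, "=>", normalize(expr, versions))
```

All four spellings of the range in the description collapse to the same `vers:npm/>=1.0|<=3.0|5.0`, which is the property the normalization is after. The order of the checks in `contains` matters: `=` and `!=` are resolved before anything else, and the leading/trailing open-ended checks run before the pairwise loop, since an expression such as `vers:npm/<3.1|5.0` leaves a single constraint after filtering and therefore no pairs at all.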

@pombredanne (Member) left a comment


Thanks
LGTM overall! We likely have to find a better way than using the native intbitset, or at least have a fallback to plain Python. I will review further later this WE!

@pombredanne (Member) left a comment


I think we could:

  1. extract Span as its own mini library also reused in ScanCode? Maybe this is overkill though
  2. have a fallback to a plain builtin set when intbitset is not installed... and have this also in SCTK

@keshav-space (Member, Author) commented

> I think we could:
>
>   1. extract Span as its own mini library also reused in ScanCode? Maybe this is overkill though
>   2. have a fallback to a plain builtin set when intbitset is not installed... and have this also in SCTK

Added fallback to builtin set

- support normalization of range expression from GitHub, Snyk, GitLab
- Discrete range normalization for OSV, DEPS, VulnerableCode

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
@pombredanne (Member) left a comment


Thanks! See some/many comments for your consideration!

10 review comments on src/univers/normalized_range.py (outdated, resolved)
@keshav-space keshav-space marked this pull request as draft August 31, 2023 16:21
OmkarPh and others added 3 commits October 18, 2023 15:42
Signed-off-by: Omkar Phansopkar <omkarphansopkar@gmail.com>
Added docs server script, dark mode & copybutton for docs, tracking chmod in git
Reference: aboutcode-org/skeleton#84

Signed-off-by: John M. Horan <johnmhoran@gmail.com>
@keshav-space keshav-space changed the title Add support for NormalizedVersionRanges [WIP] Add support for NormalizedVersionRanges Jan 9, 2024
johnmhoran and others added 9 commits January 16, 2024 12:22
Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Replace macos-11 runners with macos-14 runners.

Reference: https://github.com/actions/runner-images?tab=readme-ov-file#available-images
Reference: aboutcode-org/skeleton#89
Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
- Bug fix: GitLab advisory uses both comma and space as separator for composer range.

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
@keshav-space keshav-space changed the title [WIP] Add support for NormalizedVersionRanges Add support for NormalizedVersionRanges Jul 23, 2024
@keshav-space keshav-space marked this pull request as ready for review July 23, 2024 19:02
@keshav-space keshav-space changed the title Add support for NormalizedVersionRanges Add support for NormalizedVersionRange Jul 23, 2024
@keshav-space keshav-space changed the title Add support for NormalizedVersionRange Support Normalization of VersionRange Jul 24, 2024
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
- Pairwise constraint evaluation misses the case when filtered constraints contain only one item
- Fixes aboutcode-org#137

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
@pombredanne (Member) left a comment


Thanks. See review comments.

Review comments on src/univers/normalized_range.py, src/univers/version_range.py and tests/test_version_range.py (outdated, resolved)
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
@pombredanne (Member) left a comment


Thanks. Looking fine. There are a few nits for your review. And please merge then!

Review comments on src/univers/version_range.py (resolved)
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
@keshav-space keshav-space merged commit 00b2bcf into aboutcode-org:main Jul 24, 2024
10 checks passed
@keshav-space keshav-space self-assigned this Jul 31, 2024
@keshav-space keshav-space deleted the range_normalization branch August 9, 2024 18:08