-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Normalization of VersionRange #108
Support Normalization of VersionRange #108
Conversation
97c2de4
to
e001ca7
Compare
1018732
to
b9664ca
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks
LGTM overall! we have likely to find a bettr way than using the native intbitset of at least have a fallback to plain Python, I will review further later this WE!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we could:
- extract Span as its own mini library also reused in ScanCode? May be this is overakill though
- have a fallback to a plain builtin set when intbitset is not installed... and have this also in SCTK
cda6c25
to
e387ecb
Compare
Added |
- support normalization of range expression from GitHub, Snyk, GitLab - Discrete range normalization for OSV, DEPS, VulerableCode Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
e387ecb
to
d88b80c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! See some/many comments for your consideration!
Signed-off-by: Omkar Phansopkar <omkarphansopkar@gmail.com>
Added docs server script, dark mode & copybutton for docs, tracking chmod in git
Reference: aboutcode-org/skeleton#84 Signed-off-by: John M. Horan <johnmhoran@gmail.com>
…rg#84 Reference: aboutcode-org/skeleton#84 Signed-off-by: John M. Horan <johnmhoran@gmail.com>
Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Update CSS to widen page and handle mobile aboutcode-org#84
Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Update CI runners and python version
Replace macos-11 runners with macos-14 runners. Reference: https://github.com/actions/runner-images?tab=readme-ov-file#available-images Reference: aboutcode-org/skeleton#89 Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Replace deprecated macos CI runners
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
- Bug fix: GitLab advisory uses both comma and space as separator for composer range. Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
376110b
to
d2904b0
Compare
- Pairwise constraint evaluation misses the case when filtered constraints contains only one item - Fixes aboutcode-org#137 Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. See review comments.
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
f3bbf43
to
8f0d727
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank. Looking fine. There are a few nits for your review. And please merge then!
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
2114e7f
to
fe35a34
Compare
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
d32c35c
to
b12572d
Compare
Why Normalize VersionRange?
A
VersionRange
represents set of segments of package versions. Different VersionRange can represent the same set of segments.For example, consider the package
pkg:npm/foobar
with the following versions:["1.0", "2.1", "2.2", "3.0", "3.1", "5.0"]
.We can represent certain segments using the
vers
expressionvers:npm/<=2.2|>=3.0|<3.1|5.0
.This can also be represented as:
vers:npm/>=1.0|<3.0|>=3.0|<3.1|5.0
vers:npm/<3.1|5.0
vers:npm/>=1.0|<=2.2|>=3.0|<3.1|5.0
These different representations make it difficult to validate whether two different VersionRange represent the
same versions of a package.
To effectively compare these ranges, we need to normalize them. The idea is that all the
vers
referring tothe same set of package versions should normalize to an identical
VersionRange
.To achieve this, we take a
vers
along with all the versions of the package and generate a newvers
such that it contains not arbitrary version segments but only the longest contiguous segments of versions, leading to the same VersionRange expression which is identical for a particular set of versions.
If we apply this normalization to the above example of
pkg:npm/foobar
:vers:npm/<=2.2|>=3.0|<3.1|5.0
would normalize tovers:npm/>=1.0|<=3.0|5.0
The same normalization applies to other VersionRange since they all refer to the same set of versions,
they will all normalize to the exact same VersionRange:
vers:npm/>=1.0|<3.0|>=3.0|<3.1|5.0
=>vers:npm/>=1.0|<=3.0|5.0
vers:npm/<3.1|5.0
=>vers:npm/>=1.0|<=3.0|5.0
vers:npm/>=1.0|<=2.2|>=3.0|<3.1|5.0
=>vers:npm/>=1.0|<=3.0|5.0
from_gitlab_native
from_gitlab_native
can't properly parse range expressions for Composer, Maven and NuGet #136__contains__
resolution in VersionRange #137