refactor: use go-version to detect sdk version

aquasecurity · Jun 3, 2024 · eb67467 · eb67467
1 parent 1aa02bb
commit eb67467
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 15 deletions.
diff --git a/go.mod b/go.mod
@@ -427,3 +427,5 @@ require (
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
+
+replace github.com/aquasecurity/go-version => github.com/DmitriyLewen/go-version v0.0.0-20240603080306-a895be09221a
diff --git a/go.sum b/go.sum
@@ -658,6 +658,8 @@ github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uY
 github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
 github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
 github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
+github.com/DmitriyLewen/go-version v0.0.0-20240603080306-a895be09221a h1:r48sShH7PUBg0QrL16CK87AetCkdll0Ev1GLBVd+rdY=
+github.com/DmitriyLewen/go-version v0.0.0-20240603080306-a895be09221a/go.mod h1:1cPOp4BaQZ1G2F5fnw4dFz6pkOyXJI9KTuak8ghIl3U=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
 github.com/Intevation/gval v1.3.0 h1:+Ze5sft5MmGbZrHj06NVUbcxCb67l9RaPTLMNr37mjw=
@@ -760,9 +762,6 @@ github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eve
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798/go.mod h1:hxbJZtKlO4P8sZ9nztizR6XLoE33O+BkPmuYQ4ACyz0=
 github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 h1:vmXNl+HDfqqXgr0uY1UgK1GAhps8nbAAtqHNBcgyf+4=
 github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46/go.mod h1:olhPNdiiAAMiSujemd1O/sc6GcyePr23f/6uGKtthNg=
-github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
-github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI490FF0a7zuvxOxen52ddygCfNVjP0XOCMl+M=
-github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
 github.com/aquasecurity/loading v0.0.5 h1:2iq02sPSSMU+ULFPmk0v0lXnK/eZ2e0dRAj/Dl5TvuM=
 github.com/aquasecurity/loading v0.0.5/go.mod h1:NSHeeq1JTDTFuXAe87q4yQ2DX57pXiaQMqq8Zm9HCJA=
 github.com/aquasecurity/table v1.8.0 h1:9ntpSwrUfjrM6/YviArlx/ZBGd6ix8W+MtojQcM7tv0=

diff --git a/pkg/dependency/parser/dart/pub/parse.go b/pkg/dependency/parser/dart/pub/parse.go
@@ -1,11 +1,10 @@
 package pub
 
 import (
-	"strings"
-
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"
 
+	goversion "github.com/aquasecurity/go-version/pkg/version"
 	"github.com/aquasecurity/trivy/pkg/dependency"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -58,7 +57,10 @@ func (p Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency
 		version := dep.Version
 		if version == "0.0.0" && dep.Source == "sdk" {
 			if constraint, ok := l.Sdks[string(dep.Description)]; ok {
-				if v := firstVersionOfConstrain(constraint); v != "" {
+				v, err := firstVersionOfConstrain(constraint)
+				if err != nil {
+					p.logger.Warn("unable to get sdk version from constraint: %w", err)
+				} else if v != "" {
 					p.logger.Info("The first version of the constraint from the sdk source was used.", log.String("dep", name), log.String("constraint", constraint))
 					version = v
 				}
@@ -93,17 +95,21 @@ func (p Parser) relationship(dep string) ftypes.Relationship {
 }
 
 // firstVersionOfConstrain returns the first acceptable version for constraint
-func firstVersionOfConstrain(constraint string) string {
+func firstVersionOfConstrain(constraint string) (string, error) {
+	css, err := goversion.NewConstraints(constraint)
+	if err != nil {
+		return "", xerrors.Errorf("unable to parse constraints: %w", err)
+	}
+
+	// Dart uses only `>=` and `^` operators:
 	// cf. https://dart.dev/tools/pub/dependencies#traditional-syntax
-	switch {
-	case strings.HasPrefix(constraint, ">="):
-		constraint = strings.TrimPrefix(constraint, ">=")
-		constraint, _, _ = strings.Cut(constraint, " ")
-		return constraint
-	case strings.HasPrefix(constraint, "^"):
-		return strings.TrimPrefix(constraint, "^")
+	constraints := css.List()
+	// We only need to get the first version from the range
+	if constraints[0][0].Operator() != ">=" && constraints[0][0].Operator() != "^" {
+		return "", nil
 	}
-	return ""
+
+	return constraints[0][0].Version(), nil
 }
 
 func (d *Description) UnmarshalYAML(value *yaml.Node) error {