
WIP: narrow golang match comparison for pseudo versions #1810

Draft
wants to merge 4 commits into
base: main
Conversation

spiffcs
Contributor

@spiffcs spiffcs commented Apr 17, 2024

Summary

This PR attempts to narrow the golang_constraint Satisfied logic as a follow up to #1797

#1797 allows grype to proceed with matches when it encounters a package with a pseudo version. This PR limits those pseudo versions to only be compared against constraints that also contain pseudo versions.

This eliminates a case of FP where an incomplete pseudo version (which doesn't have the correct main module information) is compared against a valid semver constraint.

Example of this FP:

syft -o json ollama/ollama:0.1.32 | go run cmd/grype/main.go

...

github.com/ollama/ollama    v0.0.0-20240414223325-7027f264fbb3  0.1.29             go-module  GHSA-5jx5-hqx5-2vrj  High

In the above case v0.0.0-20240414223325-7027f264fbb3 is not < 0.1.29. Syft is unable to determine the main module version for ollama. By comparing the incomplete pseudo version to the semver constraint grype produces a FP.

This PR makes it so that packages with versions like v0.0.0-20240414223325-7027f264fbb3 should only be compared to constraints that also have a similar format.
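As an added example (not code from the grype project or this PR), the narrowing rule described above written as a standalone Go sketch: a version that has the pseudo-version shape is only compared against a constraint that itself contains a pseudo-version literal, so the ollama case above is skipped instead of producing a match. The constraint syntax assumed here (comparison units separated by `,` or `||`, each with a leading operator) and the function names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The three pseudo-version shapes the Go toolchain emits. Only the shape is
// checked; the main-module information syft could not recover is not needed.
//   vX.0.0-yyyymmddhhmmss-abcdefabcdef
//   vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef
//   vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef
var pseudoVersionRE = regexp.MustCompile(
	`^v\d+\.\d+\.\d+(?:-0\.|-[0-9A-Za-z.]+\.0\.|-)\d{14}-[0-9a-f]{12}$`)

// IsPseudoVersion reports whether v (with or without a leading "v") is a pseudo version.
func IsPseudoVersion(v string) bool {
	if v != "" && v[0] != 'v' {
		v = "v" + v
	}
	return pseudoVersionRE.MatchString(v)
}

// ConstraintHasPseudoVersion scans an assumed constraint syntax such as
// "< 0.1.29" or ">= v0.0.0-2024...-aaa, < v0.0.0-2024...-bbb" for any
// pseudo-version literal.
func ConstraintHasPseudoVersion(constraint string) bool {
	units := strings.FieldsFunc(constraint, func(r rune) bool {
		return r == ',' || r == '|' || r == ' '
	})
	for _, u := range units {
		if IsPseudoVersion(strings.TrimLeft(u, "<>=!~^")) {
			return true
		}
	}
	return false
}

// ShouldCompare is the narrowing rule: a pseudo version is matched only against
// a constraint that also carries a pseudo version; plain semver keeps the
// ordinary comparison path.
func ShouldCompare(version, constraint string) bool {
	if IsPseudoVersion(version) {
		return ConstraintHasPseudoVersion(constraint)
	}
	return true
}

func main() {
	// The FP from the description: incomplete pseudo version vs. a semver constraint.
	fmt.Println(ShouldCompare("v0.0.0-20240414223325-7027f264fbb3", "< 0.1.29")) // false
	fmt.Println(ShouldCompare("0.1.28", "< 0.1.29"))                              // true
}
```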

spiffcs added 3 commits April 17, 2024 11:57
…rsion cannot be compared against a semver constraint

Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs spiffcs changed the title feat: Narrow golang comparrison feat: narrow golang match comparison for pseudo versions Apr 17, 2024
@spiffcs
Contributor Author

spiffcs commented Apr 17, 2024

Quality tests are now failing - let me go check the labels

Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs spiffcs changed the title feat: narrow golang match comparison for pseudo versions WIP: narrow golang match comparison for pseudo versions Apr 18, 2024
@spiffcs spiffcs marked this pull request as draft April 18, 2024 18:27
@spiffcs spiffcs self-assigned this Oct 8, 2024
Labels
None yet
Projects
Status: Stalled
2 participants