
PHP composer version detection issues with leading v #1243

Closed
jkowalleck opened this issue Oct 26, 2021 · 2 comments · Fixed by #1254
jkowalleck commented Oct 26, 2021

Current Behavior:

If a PHP composer component has a version with a leading v, it is not handled properly:

  • detection of newer versions fails if they have a leading v
  • detection of any version fails if the version does not match completely, including the leading v

Steps to Reproduce:

Tested with component https://packagist.org/packages/typo3/class-alias-loader,
which has versions with a leading v and some without a v.

To reproduce "detection of newer version fails if they have a leading v in them":

  1. create a project in a fresh DT setup
  2. upload this sbom to the new project:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <group><![CDATA[typo3]]></group>
      <name><![CDATA[class-alias-loader]]></name>
      <version><![CDATA[v1.1.3]]></version>
      <purl><![CDATA[pkg:composer/typo3/class-alias-loader@v1.1.3]]></purl>
    </component>
  </components>
</bom>
```

To reproduce "detection of any version fails, if version does not match completely, including the leading v":

  1. create a project in a fresh DT setup
     (this one is important: do NOT reuse the setup from the previous component SBOM)
  2. upload this sbom to the new project:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <group><![CDATA[typo3]]></group>
      <name><![CDATA[class-alias-loader]]></name>
      <version><![CDATA[1.1.3]]></version>
      <purl><![CDATA[pkg:composer/typo3/class-alias-loader@1.1.3]]></purl>
    </component>
  </components>
</bom>
```

Expected Behavior:

For both reproducible examples:
for the component https://packagist.org/packages/typo3/class-alias-loader
the latest version is v1.1.3, so the version hint in DT should be green, mentioning that the latest version is used.

Environment:

  • Dependency-Track Version: v4.3.6
  • Distribution: Docker as of https://dependencytrack.org/docker-compose.yml
  • BOM Format & Version: CycloneDX 1.2 XML
  • Database Server: the one bundled in the docker image dependencytrack/apiserver
  • Browser: FireFox

Additional Details:

Regarding PHP's composer versioning and the leading v:
Composer heals itself. Composer might add/remove the leading v whenever needed.
This means that for composer components v1.3.0 could be a synonym for 1.3.0 and vice versa.

read more: https://getcomposer.org/doc/articles/versions.md
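An added illustration of the normalization the report asks for (example code, not Dependency-Track's code and not part of the issue): a leading `v` is dropped before composer versions are compared, so `v1.1.3` and `1.1.3` resolve to the same release and the "latest version" check no longer depends on which form the SBOM or the registry happens to use. The list of published versions is constructed for the example.

```python
from __future__ import annotations

import re
from typing import Optional

# Constructed sample: release tags for a composer package that, like
# typo3/class-alias-loader, mixes bare and leading-v versions.
PACKAGIST_VERSIONS = ["1.0.0", "v1.0.1", "1.1.0", "v1.1.2", "v1.1.3"]

# Plain dotted numeric versions with an optional leading 'v'; dev branches
# and stability suffixes (-beta1, -RC2) are deliberately not parsed here.
_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?$")


def normalize_composer_version(version: str) -> Optional[tuple[int, ...]]:
    """Map a composer version string to a comparable 4-tuple.

    Composer treats the leading 'v' as optional, so 'v1.1.3' and '1.1.3'
    name the same release; missing components are padded with 0, so
    '1.1' equals '1.1.0'. Returns None when the string is not understood.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def same_version(a: str, b: str) -> bool:
    """True when both strings denote the same release after normalization."""
    na, nb = normalize_composer_version(a), normalize_composer_version(b)
    return na is not None and na == nb


def latest_version(published: list[str]) -> Optional[str]:
    """Return the highest published version string, compared in normalized
    form so a leading 'v' neither hides a release nor ranks it higher."""
    parsed = [(n, v) for v in published if (n := normalize_composer_version(v)) is not None]
    return max(parsed)[1] if parsed else None


def is_outdated(sbom_version: str, published: list[str]) -> Optional[bool]:
    """True if a newer release than the SBOM's is published, False if the
    SBOM version is the latest, None if either side is unparsable."""
    current = normalize_composer_version(sbom_version)
    newest = latest_version(published)
    if current is None or newest is None:
        return None
    return normalize_composer_version(newest) > current
```

Both SBOMs from the report (`v1.1.3` and `1.1.3`) then evaluate as up to date against the same published list.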

@jkowalleck

@Szasza FYI

@stevespringett stevespringett added defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk and removed in triage labels Nov 4, 2021
@stevespringett stevespringett added this to the 4.4 milestone Nov 4, 2021
@github-actions

github-actions bot commented Dec 4, 2021

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 4, 2021