Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Distinctive difference between package name and version #76

Open
Hritik14 opened this issue Mar 19, 2021 · 5 comments
Open

Distinctive difference between package name and version #76

Hritik14 opened this issue Mar 19, 2021 · 5 comments

Comments

@Hritik14
Copy link

Hritik14 commented Mar 19, 2021

Hi
I'm writing a package url for the packages in the advisories and I would need the names and versions of packages explicitly. Currently, it appears that the pattern follows package_name version and package_name is also allowed to have spaces.
Though there is no validation to make sure this pattern follows.

Something like the following should be fine:

pkg.split(" ")[-1].replace('.','').isdigit()
@tomrittervg
Copy link
Collaborator

Sorry; what packages are you referring to? I'm afraid I don't fully understand what you're trying to do and what the problem is.

@Hritik14
Copy link
Author

Hritik14 commented Mar 19, 2021

I would try to clarify.
Let's say we have the following yaml

announced: April 29, 2014
fixed_in:
- Firefox 29
- Firefox ESR 24.5
- Thunderbird 24.5
- Seamonkey 2.26
impact: High

Now, I need to take out the fixed_in packages in a (package name, version) tuple. So, I'll end up with something like

(Firefox, 29)
(Firefox ESR, 24.5)
(Thunderbird, 24.5)
(Seamonkey, 2.26)

I could create the above tuples using

name=" ".join(fixed_in.split(" ")[0:-1])
version=fixed_in.split(" ")[-1]

(name, version)

But here I'm assuming that a version must follow at the end of the package name and would be separated by space. It could be a right assumption but there doesn't exist any validation currently for me to be sure of it.
For example, if there is an entry

fixed_in:
- Firefox-29

then my current code would not be able to figure out the version from the name. I was hoping to have a validation to make sure the package name follows a certain pattern.

Please let me know if it makes sense.

@mozfreddyb
Copy link
Collaborator

We treat it as a free fork text field in our own validation schema.
Our generated code uses hardcoded Firefox or Firefox ESR suffixed by the version number. Similar for Firefox for iOS.

All other products are usually copy&paste and manual work - unless @tomrittervg has made local changes to his repo, which aren't on GitHub yet. :)

@pmac
Copy link
Member

pmac commented Mar 22, 2021

The website also expects it to be in the <product name> <version> format. The code for that is here:

https://github.com/mozilla/bedrock/blob/bd0f50a1c0a7455115cc2bf9eb3ae9027586a024/bedrock/security/models.py#L28-L30

@Hritik14
Copy link
Author

Hritik14 commented Mar 22, 2021 via email

Hritik14 added a commit to Hritik14/vulnerablecode that referenced this issue Mar 26, 2021
Mozilla website uses rsplit to extract the name and version so it should
be better in any case.
https://github.com/mozilla/bedrock/blob/765a60450235d810cf941676e4a29f012a9eaaba/bedrock/security/models.py#L29
Based on discussion here
mozilla/foundation-security-advisories#76

Signed-off-by: Hritik Vijay <[email protected]>
Hritik14 added a commit to Hritik14/vulnerablecode that referenced this issue Mar 29, 2021
Mozilla website uses rsplit to extract the name and version so it should
be better in any case.
https://github.com/mozilla/bedrock/blob/765a60450235d810cf941676e4a29f012a9eaaba/bedrock/security/models.py#L29
Based on discussion here
mozilla/foundation-security-advisories#76

Signed-off-by: Hritik Vijay <[email protected]>
Hritik14 added a commit to Hritik14/vulnerablecode that referenced this issue Mar 30, 2021
Mozilla website uses rsplit to extract the name and version so it should
be better in any case.
https://github.com/mozilla/bedrock/blob/765a60450235d810cf941676e4a29f012a9eaaba/bedrock/security/models.py#L29
Based on discussion here
mozilla/foundation-security-advisories#76

Signed-off-by: Hritik Vijay <[email protected]>
Hritik14 added a commit to Hritik14/vulnerablecode that referenced this issue Apr 1, 2021
Mozilla website uses rsplit to extract the name and version so it should
be better in any case.
https://github.com/mozilla/bedrock/blob/765a60450235d810cf941676e4a29f012a9eaaba/bedrock/security/models.py#L29
Based on discussion here
mozilla/foundation-security-advisories#76

Signed-off-by: Hritik Vijay <[email protected]>
Hritik14 added a commit to Hritik14/vulnerablecode that referenced this issue Apr 1, 2021
Mozilla website uses rsplit to extract the name and version so it should
be better in any case.
https://github.com/mozilla/bedrock/blob/765a60450235d810cf941676e4a29f012a9eaaba/bedrock/security/models.py#L29
Based on discussion here
mozilla/foundation-security-advisories#76

Signed-off-by: Hritik Vijay <[email protected]>
Hritik14 added a commit to Hritik14/vulnerablecode that referenced this issue Apr 2, 2021
Mozilla website uses rsplit to extract the name and version so it should
be better in any case.
https://github.com/mozilla/bedrock/blob/765a60450235d810cf941676e4a29f012a9eaaba/bedrock/security/models.py#L29
Based on discussion here
mozilla/foundation-security-advisories#76

Signed-off-by: Hritik Vijay <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants