Support comparing Alpine versions #952
Labels: enhancement (New feature or request)
another-rex pushed a commit that referenced this issue May 28, 2024
This introduces support for comparing Alpine versions locally using the same logic as the `apk` package manager, along with a generator for generating fixtures. There is a bit of fuzziness in the behaviour across different versions of `apk` - the `alpine:3.x` docker images all use `apk` v2.x, which is what the fixture generator uses too and at least `apk` v2.14 (which is used by `alpine:3.19`) and v2.10 pass; however the current latest upcoming version of `apk` technically fails on approximately 30 fixtures which I think is because it has fixed https://gitlab.alpinelinux.org/alpine/abuild/-/issues/10088. Beyond that I was able to find a handful of other edge cases where the comparison results between these versions were different, but they all seemed to be primarily around the handling of invalid versions which are not expected to be present in OSV data anyway and they look to be the result of bugfixes meaning we'd need special "anti" handling to support in a way that ensures valid versions are still compared correctly, so I think it's good enough to ship. Resolves #952
josieang pushed a commit to josieang/osv-scanner that referenced this issue Jun 6, 2024
Currently `semantic` does not know how to compare versions for Alpine packages, which is required for local/offline mode - this blocks #769