Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(bitnami): use a different comparer for detecting vulnerabilities #5633

Merged
merged 9 commits into from
Dec 17, 2023
Merged

fix(bitnami): use a different comparer for detecting vulnerabilities #5633

merged 9 commits into from
Dec 17, 2023

Conversation

juan131
Copy link
Contributor

@juan131 juan131 commented Nov 22, 2023
edited
Loading

Description

As it's explained at #5622, Bitnami doesn't strictly follow semver versioning since a revision is added to versions using what semver spec consider "pre-releases". Sth similar is done by Debian, see:

This PR adds a new comparer on "detector" pkg for Bitnami based on Bitnami's go-version so Bitnami versions including revisions are properly managed.

Note: refer to "Reproduction Steps" in the original discussion for a "before" and "after" example.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@juan131 juan131 marked this pull request as ready for review November 27, 2023 07:08
@knqyf263
Copy link
Collaborator

knqyf263 commented Nov 28, 2023
edited
Loading

Oh, I completely forgot about the constraints. Thanks for the heads-up. I think that logic is too much in Trivy, then. Can we create a new repository, like go-bitnami-version? We can build it on top of go-deb-version. For example, go-npm-version uses go-version as it follows semver, and implements the constraints only as it is npm specific. go-deb-version would be the same. It uses go-deb-version for version comparison and implements the constraints.

We can do that in aquasecurity/go-bitnami-version or bitnami/go-bitnami-version (the repository name is up to you). Which do you prefer?

@juan131
Copy link
Contributor Author

juan131 commented Nov 28, 2023
edited
Loading

Let me create the bitnami/go-version repo and ping you back when it's ready.

@juan131
Copy link
Contributor Author

juan131 commented Nov 30, 2023

@knqyf263 the repository has been created and the PR has been adapted to use it:

@juan131
fix: run go tidy
4305122 
Signed-off-by: juan131 <[email protected]>
@juan131
Copy link
Contributor Author

juan131 commented Dec 11, 2023

Friendly reminder @knqyf263

@knqyf263
Copy link
Collaborator

knqyf263 commented Dec 11, 2023
edited
Loading

I am currently on vacation due to moving to a new country. I hope to find some time to review, but I don't have much time available. I apologize for any inconvenience caused.

@DmitriyLewen Can you please take a look? If it looks good to you, I'll merge the PR.

DmitriyLewen
DmitriyLewen reviewed Dec 11, 2023
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
Left 1 comment

@juan131 take a look, please

go.mod Outdated Show resolved Hide resolved
DmitriyLewen
DmitriyLewen approved these changes Dec 12, 2023
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
@knqyf263 I think we can merge this PR.

@knqyf263 knqyf263 changed the title feat(bitnami): use a different comparer for detecting vulnerabilities fix(bitnami): use a different comparer for detecting vulnerabilities Dec 17, 2023
knqyf263
knqyf263 approved these changes Dec 17, 2023
View reviewed changes
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I changed it to a bug fix so we can include it in v0.48.1.

@knqyf263 knqyf263 added this pull request to the merge queue Dec 17, 2023
Merged via the queue into aquasecurity:main with commit abf227e Dec 17, 2023
13 checks passed
@juan131
Copy link
Contributor Author

juan131 commented Dec 18, 2023

Thanks so much!

@juan131 juan131 deleted the feat/bitnami-version-comparer branch December 18, 2023 07:16
juan131 added a commit to juan131/trivy that referenced this pull request Dec 19, 2023
@juan131
fix(bitnami): use a different comparer for detecting vulnerabilities (a…
bd0d54b 
…quasecurity#5633)

Signed-off-by: juan131 <[email protected]>
@aqua-bot aqua-bot mentioned this pull request May 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@juan131 @knqyf263 @DmitriyLewen