
Support Normalization of VersionRange #108

Merged (31 commits), Jul 24, 2024

Conversation

keshav-space
Member

@keshav-space keshav-space commented Mar 14, 2023

Why Normalize VersionRange?

A VersionRange represents a set of segments of package versions. Different VersionRanges can represent the same set of segments.

For example, consider the package pkg:npm/foobar with the following versions: ["1.0", "2.1", "2.2", "3.0", "3.1", "5.0"].
We can represent certain segments using the vers expression vers:npm/<=2.2|>=3.0|<3.1|5.0.
This can also be represented as:

  • vers:npm/>=1.0|<3.0|>=3.0|<3.1|5.0
  • vers:npm/<3.1|5.0
  • vers:npm/>=1.0|<=2.2|>=3.0|<3.1|5.0

These different representations make it difficult to validate whether two different VersionRange represent the
same versions of a package.

To effectively compare these ranges, we need to normalize them. The idea is that all the vers referring to
the same set of package versions should normalize to an identical VersionRange.
To achieve this, we take a vers along with all the versions of the package and generate a new vers
such that it contains not arbitrary version segments but only the longest contiguous segments of versions, leading to the same VersionRange expression which is identical for a particular set of versions.

If we apply this normalization to the above example of pkg:npm/foobar:

  • vers:npm/<=2.2|>=3.0|<3.1|5.0 would normalize to vers:npm/>=1.0|<=3.0|5.0

The same normalization applies to the other VersionRanges; since they all refer to the same set of versions,
they will all normalize to the exact same VersionRange:

  • vers:npm/>=1.0|<3.0|>=3.0|<3.1|5.0 => vers:npm/>=1.0|<=3.0|5.0
  • vers:npm/<3.1|5.0 => vers:npm/>=1.0|<=3.0|5.0
  • vers:npm/>=1.0|<=2.2|>=3.0|<3.1|5.0 => vers:npm/>=1.0|<=3.0|5.0

@keshav-space keshav-space marked this pull request as draft March 14, 2023 15:03
@keshav-space keshav-space marked this pull request as ready for review March 15, 2023 12:08
Member

@pombredanne pombredanne left a comment


Thanks
LGTM overall! We likely have to find a better way than using the native intbitset, or at least have a fallback to plain Python. I will review further later this WE!

Member

@pombredanne pombredanne left a comment


I think we could:

  1. extract Span as its own mini library also reused in ScanCode? Maybe this is overkill though
  2. have a fallback to a plain builtin set when intbitset is not installed... and have this also in SCTK

@keshav-space keshav-space force-pushed the range_normalization branch from cda6c25 to e387ecb Compare April 3, 2023 12:51
@keshav-space
Member Author

> I think we could:
>
>   1. extract Span as its own mini library also reused in ScanCode? Maybe this is overkill though
>   2. have a fallback to a plain builtin set when intbitset is not installed... and have this also in SCTK

Added fallback to builtin set

- Support normalization of range expressions from GitHub, Snyk, GitLab
- Discrete range normalization for OSV, DEPS, VulnerableCode

Signed-off-by: Keshav Priyadarshi <[email protected]>
Member

@pombredanne pombredanne left a comment


Thanks! See some/many comments for your consideration!

Review comments on src/univers/normalized_range.py (outdated, resolved)
@keshav-space keshav-space marked this pull request as draft August 31, 2023 16:21
OmkarPh and others added 3 commits October 18, 2023 15:42
Added docs server script, dark mode & copybutton for docs, tracking chmod in git
@keshav-space keshav-space changed the title Add support for NormalizedVersionRanges [WIP] Add support for NormalizedVersionRanges Jan 9, 2024
- Bug fix: GitLab advisory uses both comma and space as separator for composer range.

Signed-off-by: Keshav Priyadarshi <[email protected]>
@keshav-space keshav-space changed the title [WIP] Add support for NormalizedVersionRanges Add support for NormalizedVersionRanges Jul 23, 2024
@keshav-space keshav-space marked this pull request as ready for review July 23, 2024 19:02
@keshav-space keshav-space changed the title Add support for NormalizedVersionRanges Add support for NormalizedVersionRange Jul 23, 2024
@keshav-space keshav-space changed the title Add support for NormalizedVersionRange Support Normalization of VersionRange Jul 24, 2024
@keshav-space keshav-space force-pushed the range_normalization branch from 376110b to d2904b0 Compare July 24, 2024 10:00
- Pairwise constraint evaluation misses the case when the filtered constraints contain only one item
- Fixes aboutcode-org#137

Signed-off-by: Keshav Priyadarshi <[email protected]>
Member

@pombredanne pombredanne left a comment


Thanks. See review comments.

Review comments on src/univers/normalized_range.py, src/univers/version_range.py and tests/test_version_range.py (outdated, resolved)
@keshav-space keshav-space force-pushed the range_normalization branch from f3bbf43 to 8f0d727 Compare July 24, 2024 16:49
Member

@pombredanne pombredanne left a comment


Thanks. Looking fine. There are a few nits for your review. And please merge then!

Review comments on src/univers/version_range.py (resolved)
@keshav-space keshav-space force-pushed the range_normalization branch from 2114e7f to fe35a34 Compare July 24, 2024 19:02
@keshav-space keshav-space force-pushed the range_normalization branch from d32c35c to b12572d Compare July 24, 2024 19:56
@keshav-space keshav-space merged commit 00b2bcf into aboutcode-org:main Jul 24, 2024
10 checks passed
@keshav-space keshav-space self-assigned this Jul 31, 2024
@keshav-space keshav-space deleted the range_normalization branch August 9, 2024 18:08