Semver package check did not work with alpine packages #920

gimler opened this issue May 22, 2024 · 8 comments
gimler commented May 22, 2024

Describe the bug
Semver version check for packages doesn't work with alpine packages. The actual package version for curl is 8.5.0-r0.

How To Reproduce

matching:
  curl:
    content:
      - 8.5.0-r0
    matches:
      and:
        - contain-element:
            semver-constraint: ">=8.5.0"

>=8.4.0 is green. It seems that -r0 is interpreted as a release candidate.

Expected Behavior
valid

Actual Behavior
error

Environment:

  • Version of goss 0.4.7
  • OS/Distribution version (if applicable) alpine
gimler added the bug label May 22, 2024

aelsabbahy (Member) commented May 22, 2024

Hello, thank you for filing this.

https://stackblitz.com/edit/node-semver-check-ocyv5l?file=index.js

Type node index.js in the terminal. Isn't that behavior what's expected, or am I misunderstanding the bug report?

gimler (Author) commented May 23, 2024

Basically yes.

The r0 is a release suffix, not a prerelease.

So the bug is in the semver lib right?

aelsabbahy (Member) commented

> So the bug is in the semver lib right?

The way I'm reading the semver spec, the behavior of the node and go libraries seems accurate. My guess is alpine doesn't strictly follow semver for their package versions.

https://semver.org/#spec-item-2
https://semver.org/#spec-item-9
https://semver.org/#spec-item-11

dklimpel (Contributor) commented

The explanation of Alpine versioning; it does not strictly follow semver: https://wiki.alpinelinux.org/wiki/Package_policies#Package_versions
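The two comments above pin down the mismatch: semver spec items 9 and 11 make anything after the first "-" a pre-release that ranks below the bare version, while Alpine's "-rN" is a package release counter that sits on top of it. The following Go program is an added example written for this thread; it is not goss code and not the node or go semver libraries mentioned above. It applies the strict rules from spec items 2, 9 and 11, so 8.5.0-r0 fails >=8.5.0 but passes >=8.4.0 exactly as reported, and adds an Alpine-aware mode that peels "-rN" off before parsing. The type, function names and the Alpine mode itself are this example's own assumptions: it understands only the "-rN" suffix (no other Alpine suffix) and only the ">=" operator.

```go
package main

import (
	"cmp"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// Version holds a semver MAJOR.MINOR.PATCH core (spec item 2), optional
// pre-release identifiers (item 9) and, in Alpine mode only, the "-rN" counter.
type Version struct {
	Core [3]int
	Pre  []string // empty for a final release such as 8.5.0
	Rel  int      // Alpine "-rN" package release counter, 0 when absent
}

// Parse reads s strictly (everything after the first '-' is pre-release, so
// 8.5.0-r0 becomes Pre=["r0"]) or Alpine-aware (a trailing "-rN" is moved
// into Rel first, so 8.5.0-r0 becomes core 8.5.0 with Rel=0). Example code.
func Parse(s string, alpine bool) (Version, error) {
	var v Version
	if upstream, rel, ok := strings.Cut(s, "-r"); alpine && ok {
		n, err := strconv.Atoi(rel)
		if err != nil {
			return v, fmt.Errorf("bad release suffix in %q", s)
		}
		s, v.Rel = upstream, n
	}
	core, pre, _ := strings.Cut(s, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad numeric component %q in %q", p, s)
		}
		v.Core[i] = n
	}
	if pre != "" {
		v.Pre = strings.Split(pre, ".")
	}
	return v, nil
}

// cmpIdent is spec item 11 for one identifier pair: numeric identifiers
// compare numerically and rank below alphanumeric ones (ASCII order).
func cmpIdent(a, b string) int {
	na, errA := strconv.Atoi(a)
	nb, errB := strconv.Atoi(b)
	switch {
	case errA == nil && errB == nil:
		return cmp.Compare(na, nb)
	case errA == nil:
		return -1
	case errB == nil:
		return 1
	}
	return cmp.Compare(a, b)
}

// cmpPre is spec item 11 for whole lists: a final release outranks any
// pre-release of the same core; otherwise compare left to right, longer wins.
func cmpPre(a, b []string) int {
	if len(a) == 0 || len(b) == 0 {
		return cmp.Compare(len(b), len(a))
	}
	return slices.CompareFunc(a, b, cmpIdent)
}

// Compare orders by core, then pre-release, then the Alpine release counter
// (always 0 in strict mode, so it never changes a strict result).
func Compare(a, b Version) int {
	if c := slices.Compare(a.Core[:], b.Core[:]); c != 0 {
		return c
	}
	if c := cmpPre(a.Pre, b.Pre); c != 0 {
		return c
	}
	return cmp.Compare(a.Rel, b.Rel)
}

// AtLeast evaluates the ">=want" constraint from the issue in either mode.
func AtLeast(have, want string, alpine bool) (bool, error) {
	h, err := Parse(have, alpine)
	if err != nil {
		return false, err
	}
	w, err := Parse(want, alpine)
	if err != nil {
		return false, err
	}
	return Compare(h, w) >= 0, nil
}
```

Calling AtLeast("8.5.0-r0", "8.5.0", false) returns false and AtLeast("8.5.0-r0", "8.4.0", false) returns true, which is the green/red split gimler observed; with the Alpine flag set the first call returns true because "-r0" is no longer a pre-release. The strict mode also reproduces the spec's own ordering example (1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0), which is the behaviour a semver library is obliged to give and why the fix belongs in a format-specific comparator rather than in the semver library.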

aelsabbahy (Member) commented

Right, goss doesn't support Alpine (or any other package format) versioning currently. The only one supported is semver.

dklimpel (Contributor) commented Jun 4, 2024

aelsabbahy (Member) commented

I'll create a new feature request for Goss to support version comparison for all supported package managers: alpine, rpm, deb, etc.

I'll close this ticket and #334 when I create the new comprehensive feature request.

This has been a gap in Goss for a long time now and should be addressed. I think since I last looked at it, there may be more libraries that handle version comparisons of the different package types. Hopefully there are mature libraries for all; otherwise, Goss may have to implement some from hopefully well defined specs.

dklimpel (Contributor) commented

There is a similar issue with an implementation: google/osv-scanner#952 under Apache2 license.
