Skip to content

Commit 941e504

Browse files
authored
feat: rewrite affected version parser to match composer and report warnings about invalid versions (#35)
This overhauls our version constraints parser to ensure we're performing almost in accordance with [composer](https://getcomposer.org/doc/articles/versions.md) and with support for surfacing warnings so that we can identify invalid versions to get addressed upstream. The primary difference in how we parse versions compared with `composer` is that we assume a lack of stability constraint means `stable` in all cases, instead of being [dependent on the operator](https://getcomposer.org/doc/articles/versions.md#stability-constraints) - ideally, the stability should be included as part of the constraint which might be something we can convince the upstream to do, but for now I've chosen to differ for a few key reasons: 1. Drupal security advisories generally only cover stable versions, so it's reasonable to assume whoever wrote the version constraints for a particular advisory was only thinking about stable versions 2. Being semantically correct would mean a _lot_ of changes to our advisories 3. Ideally we want to be referring versions that actually exist, which is most likely the case for the versions explicitly mentioned in particular version constraints (in part because of point 1.), whereas if we follow the spec we'd have to assume a lot of the time that there's a `-dev` version that probably won't exist I have done the implementation to first be spec-compliant, and then modified it to reflect the above, meaning we should be able to easily change back in future if needed by reviewing the last handful of commits on this branch. I've not actually wired anything up to use the warnings returned by the parser given the size of this patch already, but they are asserted by our new test suite. There's definitely some cleanup worth doing with the implementation, in particular I probably should have named the component properties `major`, `minor`, and `patch`, but I'm going to try tackle most of those as a follow-up since everything is working and renaming things might make it harder to review the individual commits, and this should be stable enough to let us progress to the next phase where we'll be engaging with the Drupal community to improve the advisory data which should feed back heavily into how robust this implementation actually needs to be
1 parent fde5857 commit 941e504

33 files changed

Lines changed: 895 additions & 41 deletions

.github/workflows/ci.yml

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,21 @@ jobs:
4646
- run: pipx install poetry~=2.0
4747
- run: poetry install
4848
- run: poetry run mypy .
49+
pytest:
50+
permissions:
51+
contents: read # to fetch (actions/checkout)
52+
runs-on: ubuntu-latest
53+
timeout-minutes: 15
54+
steps:
55+
- uses: actions/checkout@v4
56+
with:
57+
persist-credentials: false
58+
- uses: actions/setup-python@v5
59+
with:
60+
python-version-file: '.python-version'
61+
- run: pipx install poetry~=2.0
62+
- run: poetry install
63+
- run: poetry run pytest
4964
prettier:
5065
permissions:
5166
contents: read # to fetch (actions/checkout)

CONTRIBUTING.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,14 @@
33
This codebase requires Python 3.13 and uses [Poetry](https://python-poetry.org/)
44
to manage dependencies.
55

6+
# Testing
7+
8+
We use `pytest` for testing, which can be run with:
9+
10+
```shell
11+
poetry run pytest
12+
```
13+
614
# Type checking
715

816
We use `mypy` to do strict type checking of Python scripts, which can be run

advisories/acquia_dam/osv-sa-contrib-2024-025.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@
3535
"type": "ECOSYSTEM",
3636
"events": [
3737
{
38-
"introduced": "1.1.0"
38+
"introduced": "1.1.0-dev"
3939
},
4040
{
4141
"fixed": "1.1.0-beta3"

advisories/admin_toolbar/osv-sa-contrib-2021-025.json

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,9 @@
3434
"events": [
3535
{
3636
"introduced": "3.0.0"
37+
},
38+
{
39+
"last_affected": "3.0.0"
3740
}
3841
],
3942
"database_specific": {
@@ -45,6 +48,9 @@
4548
"events": [
4649
{
4750
"introduced": "3.0.1"
51+
},
52+
{
53+
"last_affected": "3.0.1"
4854
}
4955
],
5056
"database_specific": {

advisories/ai/osv-sa-contrib-2025-003.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@
2121
"type": "ECOSYSTEM",
2222
"events": [
2323
{
24-
"introduced": "1.0.0"
24+
"introduced": "1.0.1"
2525
},
2626
{
2727
"fixed": "1.0.2"

advisories/core/osv-sa-core-2022-002.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,10 +19,10 @@
1919
"type": "ECOSYSTEM",
2020
"events": [
2121
{
22-
"introduced": "7.0.0"
22+
"introduced": "7.0.1"
2323
},
2424
{
25-
"fixed": "7.86.0"
25+
"last_affected": "7.86.0"
2626
}
2727
],
2828
"database_specific": {

advisories/core/osv-sa-core-2023-005.json

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,9 @@
3636
"events": [
3737
{
3838
"introduced": "8.0.0"
39+
},
40+
{
41+
"fixed": "8.1.0"
3942
}
4043
],
4144
"database_specific": {
@@ -47,6 +50,9 @@
4750
"events": [
4851
{
4952
"introduced": "8.1.0"
53+
},
54+
{
55+
"fixed": "8.2.0"
5056
}
5157
],
5258
"database_specific": {
@@ -58,6 +64,9 @@
5864
"events": [
5965
{
6066
"introduced": "8.2.0"
67+
},
68+
{
69+
"fixed": "8.3.0"
6170
}
6271
],
6372
"database_specific": {
@@ -69,6 +78,9 @@
6978
"events": [
7079
{
7180
"introduced": "8.3.0"
81+
},
82+
{
83+
"fixed": "8.4.0"
7284
}
7385
],
7486
"database_specific": {
@@ -80,6 +92,9 @@
8092
"events": [
8193
{
8294
"introduced": "8.4.0"
95+
},
96+
{
97+
"fixed": "8.5.0"
8398
}
8499
],
85100
"database_specific": {
@@ -91,6 +106,9 @@
91106
"events": [
92107
{
93108
"introduced": "8.5.0"
109+
},
110+
{
111+
"fixed": "8.6.0"
94112
}
95113
],
96114
"database_specific": {
@@ -102,6 +120,9 @@
102120
"events": [
103121
{
104122
"introduced": "8.6.0"
123+
},
124+
{
125+
"fixed": "8.7.0"
105126
}
106127
],
107128
"database_specific": {
@@ -113,6 +134,9 @@
113134
"events": [
114135
{
115136
"introduced": "8.7.0"
137+
},
138+
{
139+
"fixed": "8.8.0"
116140
}
117141
],
118142
"database_specific": {
@@ -124,6 +148,9 @@
124148
"events": [
125149
{
126150
"introduced": "8.8.0"
151+
},
152+
{
153+
"fixed": "8.9.0"
127154
}
128155
],
129156
"database_specific": {
@@ -135,6 +162,9 @@
135162
"events": [
136163
{
137164
"introduced": "8.9.0"
165+
},
166+
{
167+
"fixed": "8.10.0"
138168
}
139169
],
140170
"database_specific": {
@@ -146,6 +176,9 @@
146176
"events": [
147177
{
148178
"introduced": "9.0.0"
179+
},
180+
{
181+
"fixed": "9.1.0"
149182
}
150183
],
151184
"database_specific": {
@@ -157,6 +190,9 @@
157190
"events": [
158191
{
159192
"introduced": "9.1.0"
193+
},
194+
{
195+
"fixed": "9.2.0"
160196
}
161197
],
162198
"database_specific": {
@@ -168,6 +204,9 @@
168204
"events": [
169205
{
170206
"introduced": "9.2.0"
207+
},
208+
{
209+
"fixed": "9.3.0"
171210
}
172211
],
173212
"database_specific": {
@@ -179,6 +218,9 @@
179218
"events": [
180219
{
181220
"introduced": "9.3.0"
221+
},
222+
{
223+
"fixed": "9.4.0"
182224
}
183225
],
184226
"database_specific": {

advisories/diff/osv-sa-contrib-2024-042.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@
3535
"type": "ECOSYSTEM",
3636
"events": [
3737
{
38-
"introduced": "2.0.0"
38+
"introduced": "2.0.0-dev"
3939
},
4040
{
4141
"fixed": "2.0.0-beta3"

advisories/domain_group/osv-sa-contrib-2021-037.json

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,9 @@
3434
"events": [
3535
{
3636
"introduced": "2.0.0"
37+
},
38+
{
39+
"last_affected": "2.0.0"
3740
}
3841
],
3942
"database_specific": {

advisories/eca/osv-sa-contrib-2025-031.json

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,9 @@
3636
"events": [
3737
{
3838
"introduced": "1.2.0"
39+
},
40+
{
41+
"fixed": "1.3.0"
3942
}
4043
],
4144
"database_specific": {

0 commit comments

Comments
 (0)