From c98a4905c997426bd280e2c99e570382a7663b70 Mon Sep 17 00:00:00 2001
From: Sahiba Mittal
Date: Fri, 22 Nov 2024 13:57:09 +0000
Subject: [PATCH] Exclude pre-releases from NuGet latest version check

Co-Authored-By: Brent England
Co-Authored-By: brentengland-scc <166790548+brentengland-scc@users.noreply.github.com>
---
 .../repositories/NugetMetaAnalyzer.java | 24 +++++++++----
 .../repositories/NugetMetaAnalyzerTest.java | 36 +++++++++++++++++++
 2 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/repository-meta-analyzer/src/main/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzer.java b/repository-meta-analyzer/src/main/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzer.java
index 2e9c611ec..cfd011c1d 100644
--- a/repository-meta-analyzer/src/main/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzer.java
+++ b/repository-meta-analyzer/src/main/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzer.java
@@ -22,10 +22,10 @@
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.util.EntityUtils;
 import org.apache.maven.artifact.versioning.ComparableVersion;
-import org.dependencytrack.repometaanalyzer.model.MetaAnalyzerException;
-import org.dependencytrack.repometaanalyzer.model.MetaModel;
 import org.dependencytrack.persistence.model.Component;
 import org.dependencytrack.persistence.model.RepositoryType;
+import org.dependencytrack.repometaanalyzer.model.MetaAnalyzerException;
+import org.dependencytrack.repometaanalyzer.model.MetaModel;
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.slf4j.Logger;
@@ -128,14 +128,16 @@ private boolean performVersionCheck(final MetaModel meta, final Component compon
     }
     private String findLatestVersion(JSONArray versions) {
-        if (versions.length() < 1) {
+        JSONArray filteredVersions = filterPreReleaseVersions(versions);
+
+        if (filteredVersions.length() < 1) {
             return null;
         }
-        ComparableVersion latestVersion = new ComparableVersion(versions.getString(0));
+        ComparableVersion latestVersion = new ComparableVersion(filteredVersions.getString(0));
-        for (int i = 1; i < versions.length(); i++) {
-            ComparableVersion version = new ComparableVersion(versions.getString(i));
+        for (int i = 1; i < filteredVersions.length(); i++) {
+            ComparableVersion version = new ComparableVersion(filteredVersions.getString(i));
             if (version.compareTo(latestVersion) > 0) {
                 latestVersion = version;
             }
@@ -144,6 +146,16 @@ private String findLatestVersion(JSONArray versions) {
         return latestVersion.toString();
     }
+    private JSONArray filterPreReleaseVersions(JSONArray versions) {
+        JSONArray filteredVersions = new JSONArray();
+        for (int i = 0; i < versions.length(); i++) {
+            if (!versions.getString(i).contains("-")) {
+                filteredVersions.put(versions.getString(i));
+            }
+        }
+        return filteredVersions;
+    }
+
     private boolean performLastPublishedCheck(final MetaModel meta, final Component component) {
         final String url = String.format(registrationUrl, component.getPurl().getName().toLowerCase(), meta.getLatestVersion());
         try (final CloseableHttpResponse response = processHttpRequest(url)) {
diff --git a/repository-meta-analyzer/src/test/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzerTest.java b/repository-meta-analyzer/src/test/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzerTest.java
index 05afa4397..f0f40b61a 100644
--- a/repository-meta-analyzer/src/test/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzerTest.java
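Review bot: With the new filter in `findLatestVersion`, a package whose every published version carries a pre-release label now yields an empty `filteredVersions` and the method returns null, where the old code returned the highest pre-release; the next hunk shows `performLastPublishedCheck` formatting `meta.getLatestVersion()` straight into `registrationUrl`, so unless the caller outside this hunk guards it, that null becomes a literal "null" path segment in the registration request. For a vulnerability-tracking tool this also means components of preview-only packages silently stop getting a latest version to be compared against, which is presumably not intended. A one-line fallback keeps the stable-only preference without the regression: `JSONArray candidates = filterPreReleaseVersions(versions); if (candidates.length() < 1) { candidates = versions; } // only pre-releases published: fall back rather than report nothing`, followed by the existing empty check on `candidates`. Note that `findLatestVersion` continues into the next hunk and `performVersionCheck` at the top of this one starts outside it.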
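Review bot: `filterPreReleaseVersions` encodes a policy that deserves a Javadoc, because "any hyphen anywhere" is both the rule and its limitation: it matches the SemVer 2.0 / NuGet convention that a `-` introduces the pre-release label, it deliberately does not treat `+` build metadata as pre-release, and a consumer pinned to a pre-release (the second test in this patch) will never be told about a newer pre-release, including one that ships a security fix. I would add above the method: `/** Drops every version carrying a SemVer pre-release label (anything containing '-'). Build metadata after '+' is not considered pre-release. Returns an empty array when all versions are pre-releases. */`. As a style nit, `versions.getString(i)` is evaluated twice per iteration; bind it once: `final String version = versions.getString(i); if (version.indexOf('-') < 0) { filteredVersions.put(version); }`.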
+++ b/repository-meta-analyzer/src/test/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzerTest.java 
@@ -187,4 +187,40 @@ void testPublishedDateTimeFormat() throws ParseException {
     private String readResourceFileToString(String fileName) throws Exception {
         return Files.readString(Paths.get(getClass().getResource(fileName).toURI()));
     }
+
+    // This test is to check if the analyzer is excluding pre-release versions
+    // The test is transitent depending on the current version of the package
+    // retrieved from the repository at the time of running.
+    // When it was created, the latest release version was 9.0.0-preview.1.24080.9
+    @Test
+    public void testAnalyzerExcludingPreRelease() throws Exception {
+        Component component = new Component();
+        component.setPurl(new PackageURL("pkg:nuget/Microsoft.Extensions.DependencyInjection@8.0.0"));
+
+        analyzer.setRepositoryBaseUrl("https://api.nuget.org");
+        MetaModel metaModel = analyzer.analyze(component);
+
+        Assertions.assertTrue(analyzer.isApplicable(component));
+        Assertions.assertEquals(RepositoryType.NUGET, analyzer.supportedRepositoryType());
+        Assertions.assertNotNull(metaModel.getLatestVersion());
+        Assertions.assertFalse(metaModel.getLatestVersion().contains("-"));
+    }
+
+    // This test is to check if the analyzer is including pre-release versions
+    // The test is transitent depending on the current version of the package
+    // retrieved from the repository at the time of running.
+    // When it was created, the latest release version was 9.0.0-preview.1.24080.9
+    @Test
+    public void testAnalyzerIncludingPreRelease() throws Exception {
+        Component component = new Component();
+        component.setPurl(new PackageURL("pkg:nuget/Microsoft.Extensions.DependencyInjection@8.0.0-beta.21301.5"));
+
+        analyzer.setRepositoryBaseUrl("https://api.nuget.org");
+        MetaModel metaModel = analyzer.analyze(component);
+
+        Assertions.assertTrue(analyzer.isApplicable(component));
+        Assertions.assertEquals(RepositoryType.NUGET, analyzer.supportedRepositoryType());
+        Assertions.assertNotNull(metaModel.getLatestVersion());
+        Assertions.assertFalse(metaModel.getLatestVersion().contains("-"));
 }
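Review bot: `testAnalyzerIncludingPreRelease` is named and commented as checking that pre-release versions are included, yet its last line `Assertions.assertFalse(metaModel.getLatestVersion().contains("-"));` asserts the same exclusion as the first test, so the two tests are duplicates apart from the component's own version and neither documents what a component pinned to a pre-release is supposed to see. If the intended behaviour is "the reported latest version is stable even when the component itself is a pre-release", rename the test accordingly and replace its header comment with `// Even when the component itself is a pre-release, the reported latest version is a stable release`; if pre-releases really should be included in that case, the assertion and the analyzer both need to change. Both tests also call the live `https://api.nuget.org`, which makes them network-dependent and non-repeatable (the comment admits as much, with "transitent" for "transient"), while the existing `readResourceFileToString` helper above suggests recorded fixtures are already the file's pattern; a fixture-backed response with a known pre-release as the highest version would pin the behaviour deterministically. The comment line `// When it was created, the latest release version was 9.0.0-preview.1.24080.9` also calls a pre-release the "latest release version", which is exactly the distinction this patch is about. The class these methods belong to starts outside the hunk; its closing brace is the hunk's last line.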