Skip to content

rpm: add common version comparison function #1769

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
github-actions merged 2 commits into from
Apr 3, 2026
Merged

rpm: add common version comparison function #1769

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8155fa3
rpmver: add comparable error type
hdonnay Apr 3, 2026
0add6c8
rpm: add common version comparison function
hdonnay Jan 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions internal/rpm/matcher.go
View file
Open in desktop
Comment thread
hdonnay marked this conversation as resolved.
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
package rpm

import (
"context"
"fmt"

"github.com/quay/claircore"
"github.com/quay/claircore/internal/rpmver"
)

// MatchVulnerable is a function implementing "driver.Matcher.Vulnerable"
// in a common way.
Comment thread
hdonnay marked this conversation as resolved.
//
// Given a package version "P" and vulnerability "V":
//
// - If a fixed version "F" is specified in "V", "P < F" is reported.
// - If a package version "F" is specified in "V", "P <= F" is reported.
// - If no version is provided in "V", this function compares against an
// "infinite" version.
//
// In addition to this version comparison, the architectures are compared.
//
// Any other consideration (e.g. Repository, Distribution) must be handled by
// the caller.
func MatchVulnerable(ctx context.Context, rec *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
p, err := rpmver.Parse(rec.Package.Version)
if err != nil {
return false, fmt.Errorf("rpm: unable to parse package version: %w", err)
}

var v rpmver.Version
cmp := isLTE
switch {
case vuln.FixedInVersion != "":
v, err = rpmver.Parse(vuln.FixedInVersion)
cmp = isLT
case vuln.Package.Version != "":
v, err = rpmver.Parse(vuln.Package.Version)
default:
v, err = rpmver.Parse("65535:65535-65535")
}
if err != nil {
return false, fmt.Errorf("rpm: unable to parse vulnerability version: %w", err)
}

return cmp(rpmver.Compare(&p, &v)) && vuln.ArchOperation.Cmp(rec.Package.Arch, vuln.Package.Arch), nil
}

func isLTE(cmp int) bool { return cmp != 1 }
func isLT(cmp int) bool { return cmp == -1 }
80 changes: 80 additions & 0 deletions internal/rpm/matcher_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
package rpm

import (
"errors"
"testing"

"github.com/quay/claircore"
"github.com/quay/claircore/internal/rpmver"
)

func TestMatchVulnerable(t *testing.T) {
record := func(v string) *claircore.IndexRecord {
return &claircore.IndexRecord{Package: &claircore.Package{Version: v, Arch: "x86_64"}}
}
tcs := []struct {
Name string
Record *claircore.IndexRecord
Vulnerability *claircore.Vulnerability
Want bool
Err error
}{
{
Name: "Infinite",
Record: record("0:1.2.3-4"),
Vulnerability: &claircore.Vulnerability{Package: new(claircore.Package)},
Want: true,
},
{
Name: "InfiniteWrongArch",
Record: record("0:1.2.3-4"),
Vulnerability: &claircore.Vulnerability{
Package: &claircore.Package{Arch: "aarch64"},
ArchOperation: claircore.OpEquals,
},
Want: false,
},
{
Name: "BadRecordVersion",
Record: record("1.2.3"), // Not an EVR
Err: rpmver.ErrParse,
},
{
Name: "BadVulnerabilityVersion",
Record: record("1.2.3-4"),
Vulnerability: &claircore.Vulnerability{
FixedInVersion: "2.0",
},
Err: rpmver.ErrParse,
},
{
Name: "FixedIn",
Record: record("1.2.3-4"),
Vulnerability: &claircore.Vulnerability{
FixedInVersion: "1.2.3-4",
},
Want: false,
},
{
Name: "Package",
Record: record("1.2.3-4"),
Vulnerability: &claircore.Vulnerability{
Package: &claircore.Package{Version: "1.2.3-4"},
},
Want: true,
},
}

for _, tc := range tcs {
t.Run(tc.Name, func(t *testing.T) {
ctx := t.Context()
got, err := MatchVulnerable(ctx, tc.Record, tc.Vulnerability)
if !errors.Is(err, tc.Err) {
t.Errorf("unexpected error: %v", err)
}
if got != tc.Want {
t.Errorf("got: %v, want: %v", got, tc.Want)
}
})
}
}
26 changes: 25 additions & 1 deletion internal/rpmver/rpmver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
package rpmver

import (
"errors"
"fmt"
"strings"
"unicode/utf8"
Expand Down Expand Up @@ -87,7 +88,7 @@ func Parse(v string) (Version, error) {
switch strings.Count(v, "-") {
case 0:
// Missing something: can't be `version-release`.
return Version{}, fmt.Errorf("rpmver: %s: missing separators", v)
return Version{}, &parseError{input: v, reason: "missing separators"}
Copy link
Copy Markdown
Contributor

@crozzy crozzy Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice

case 1:
// `version-release(.arch)`
default:
Expand Down Expand Up @@ -122,6 +123,29 @@ func Parse(v string) (Version, error) {
return ret, nil
}

var _ error = (*parseError)(nil)

// ParseError is the concrete type of errors from [Parse].
//
// Callers can compare with [ErrParse].
type parseError struct {
input string
reason string
}

// Error implements [error].
func (p *parseError) Error() string {
return fmt.Sprintf("rpmver: %s: %s", p.input, p.reason)
}

// Is implements [errors.Is].
func (p *parseError) Is(tgt error) bool {
return tgt == ErrParse
}

// ErrParse is reported by [Parse].
var ErrParse = errors.New("rpmver: parse error")

// Architectures is known architecture strings.
//
// We need to just know these, as there's no good way to know what's an arch tag
Expand Down
Loading