DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Please exclude -alpha, -beta, -rc, -preview, -SNAPSHOT from possibly latest versions of a component #3579

Open markusmuellerusi opened 7 months ago

markusmuellerusi commented 7 months ago

Current Behavior

-alpha, -beta, -rc, -preview, -SNAPSHOT should never be displayed or handled as latest version. They are not stable.

Sample: image

Steps to Reproduce

  1. Upload and analyse an SBoM, where the latest available version in the repository is an alpha, beta, rc, preview or snapshot
  2. Analyse the project component (done in step 1)
  3. Verify my suggested code snippet.

Expected Behavior

Please skip these versions in function findLatestVersion.

Sample code:

import org.apache.maven.artifact.versioning.ComparableVersion;
import org.json.JSONArray;

private String findLatestVersion(JSONArray versions) {
    if (versions.length() < 1) {
        return null;
    }

    ComparableVersion latestVersion = null;
    for (int i = 0; i < versions.length(); i++) {

        String version = versions.getString(i);
        if (version == null || version.trim().isEmpty()) {
            continue;
        }

        // Skip pre-release qualifiers: they must never be reported as "latest".
        String normalized = version.trim().toLowerCase();
        if (normalized.contains("-alfa") ||
                normalized.contains("-alpha") ||
                normalized.contains("-beta") ||
                normalized.contains("-snapshot") ||
                normalized.contains("-rc") ||
                normalized.contains("-preview")) {
            continue;
        }

        ComparableVersion comparableVersion = new ComparableVersion(version);
        if (latestVersion == null) {
            latestVersion = comparableVersion;
        }
        else if (comparableVersion.compareTo(latestVersion) > 0) {
            latestVersion = comparableVersion;
        }
    }

    // No stable version at all: report nothing rather than a pre-release.
    if (latestVersion == null) {
        return null;
    }

    return latestVersion.toString();
}

Dependency-Track Version

4.10.1

Dependency-Track Distribution

Executable WAR

Database Server

Microsoft SQL Server

Database Server Version

No response

Browser

Microsoft Edge

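Added example, not the reporter's snippet or Dependency-Track's own code: the same filter in Python, matching the qualifiers as whole tokens rather than substrings (so "1.0.0rc1" without a hyphen is also skipped, while a token like "betamax" is not), with a simplified numeric ordering assumed in place of Maven's ComparableVersion and a constructed version list as input.

```python
import re
from typing import Iterable, Optional

# Qualifiers the issue asks to exclude, plus the "alfa" spelling from the snippet.
# Compared as whole tokens, so "1.0-rc1" is a pre-release but "1.0-arch" is not.
PRERELEASE_TOKENS = {"alpha", "alfa", "beta", "rc", "preview", "snapshot"}

_TOKEN_RE = re.compile(r"[a-z]+|\d+")


def is_prerelease(version: str) -> bool:
    """True if any alphabetic token of the version is a pre-release qualifier."""
    tokens = _TOKEN_RE.findall(version.strip().lower())
    return any(t in PRERELEASE_TOKENS for t in tokens)


def _version_key(version: str):
    """Sort key: numeric components (trailing zeros dropped so 1.2 == 1.2.0),
    then stable-after-prerelease, then raw text. Assumption: a simplified
    ordering standing in for Maven's ComparableVersion, not its real rules."""
    v = version.strip().lower()
    numeric_part = re.match(r"[\d.]*", v).group(0)
    numbers = [int(n) for n in re.findall(r"\d+", numeric_part)]
    while numbers and numbers[-1] == 0:
        numbers.pop()
    return (tuple(numbers), 0 if is_prerelease(v) else 1, v)


def find_latest_version(versions: Iterable[str],
                        skip_prerelease: bool = True) -> Optional[str]:
    """Return the highest version; with skip_prerelease, ignore unstable ones.
    Returns None when no eligible version exists (same contract as the snippet)."""
    candidates = [v for v in versions if v and v.strip()]
    if skip_prerelease:
        candidates = [v for v in candidates if not is_prerelease(v)]
    if not candidates:
        return None
    return max(candidates, key=_version_key).strip()


# Constructed sample of a repository's version list (not real project data).
SAMPLE_VERSIONS = ["1.2.0", "1.3.0-beta1", "1.2.1",
                   "2.0.0-SNAPSHOT", "1.3.0-RC2", "1.2.1-preview"]

if __name__ == "__main__":
    print(find_latest_version(SAMPLE_VERSIONS, skip_prerelease=False))  # 2.0.0-SNAPSHOT
    print(find_latest_version(SAMPLE_VERSIONS))                         # 1.2.1
```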

markusmuellerusi commented 1 month ago

If this is solved in 4.12, please close the issue and give some feedback in this thread.