goss-org / goss

Quick and Easy server testing/validation
https://goss.rocks
Apache License 2.0

Semver package check did not work with alpine packages #920

Open gimler opened 1 month ago

gimler commented 1 month ago

Describe the bug

Semver versions check for package doesn't work with alpine packages. The actual package version for curl is 8.5.0-r0

How To Reproduce

matching:
  curl:
    content:
      - 8.5.0-r0
    matches:
      and:
        - contain-element:
            semver-constraint: ">=8.5.0"

>=8.4.0 is green. It seems that -r0 is interpreted as a release candidate.

Expected Behavior valid

Actual Behavior error

Environment:

aelsabbahy commented 1 month ago

Hello, thank you for filing this.

https://stackblitz.com/edit/node-semver-check-ocyv5l?file=index.js

Type node index.js in the terminal, isn't that behavior what's expected or am I misunderstanding the bug report?

gimler commented 1 month ago

Basically yes.

The r0 is a release suffix, not a prerelease.

So the bug is in the semver lib right?

aelsabbahy commented 1 month ago

So the bug is in the semver lib right?

The way I'm reading the semver spec, the behavior of the node and go libraries seems accurate. My guess is alpine doesn't strictly follow semver for their package versions.

https://semver.org/#spec-item-2
https://semver.org/#spec-item-9
https://semver.org/#spec-item-11

dklimpel commented 1 month ago

The explanation of Alpine versioning. It does not strictly follow semver: https://wiki.alpinelinux.org/wiki/Package_policies#Package_versions
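As an added illustration (not goss code, nor from any library goss uses) of the two readings discussed above: the same `>=` check evaluated once with the `-r0` suffix treated as a semver pre-release (spec item 11, which is why `>=8.5.0` fails in the report) and once with it treated as an Alpine `-rN` package release number. `parse` and `AtLeast` are names chosen here; comparing two pre-release tags as plain strings is a simplification of the semver rules.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parse reads "8.5.0-r0": semver mode keeps the suffix as a pre-release tag, alpine mode requires "rN".
func parse(s string, alpine bool) (core [3]int, pre string, rel int, err error) {
	head, suffix, _ := strings.Cut(s, "-")
	var rest string // %s catches any trailing junk after major.minor.patch
	if n, _ := fmt.Sscanf(head, "%d.%d.%d%s", &core[0], &core[1], &core[2], &rest); n != 3 {
		return core, pre, rel, fmt.Errorf("not major.minor.patch: %q", s)
	}
	if !alpine {
		pre = suffix // semver: whatever follows '-' is a pre-release tag
	} else if suffix != "" {
		if rel, err = strconv.Atoi(strings.TrimPrefix(suffix, "r")); err != nil || suffix[0] != 'r' {
			return core, pre, rel, fmt.Errorf("not an Alpine release suffix: %q", suffix)
		}
	}
	return core, pre, rel, nil
}

// AtLeast reports whether candidate satisfies ">=floor". In semver mode a suffix is a
// pre-release and ranks BELOW the bare core, so 8.5.0-r0 fails ">=8.5.0" (the reported
// behaviour). In alpine mode "-rN" is a release number and ranks ABOVE the bare core.
func AtLeast(candidate, floor string, alpine bool) (bool, error) {
	cc, cp, cr, err := parse(candidate, alpine)
	if err != nil {
		return false, err
	}
	fc, fp, fr, err := parse(floor, alpine)
	if err != nil {
		return false, err
	}
	for i := range cc {
		if cc[i] != fc[i] {
			return cc[i] > fc[i], nil // the numeric core decides before any suffix is looked at
		}
	}
	if alpine {
		return cr >= fr, nil // a missing "-rN" counts as r0
	}
	// equal cores: no pre-release beats any pre-release; two pre-releases compare as strings (simplified)
	return cp == "" || (fp != "" && cp >= fp), nil
}
```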

aelsabbahy commented 4 weeks ago

Right, goss doesn't support Alpine (or any other package format) versioning currently. The only one supported is semver.

dklimpel commented 4 weeks ago

A little bit related to:

aelsabbahy commented 2 weeks ago

I'll create a new feature request for Goss to support version comparison for all supported package managers: alpine, rpm, deb, etc.

I'll close this ticket and #334 when I create the new comprehensive feature request.

This has been a gap in Goss for a long time now and should be addressed. I think since I last looked at it, there may be more libraries that handle version comparisons of the different package types. Hopefully there's mature libraries for all, otherwise, Goss may have to implement some from hopefully well defined specs.

dklimpel commented 2 weeks ago

There is a similar issue with an implementation: https://github.com/google/osv-scanner/issues/952 under Apache2 license.