Open jdstefaniak opened 1 week ago
@jdstefaniak Secvisogram is not authoritative over the standard itself - but as it is relying on the reference implementation csaf-validator-lib it should validate correctly. If it does not - we need to investigate whether:
The standard states the following pattern:
`^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$`
As this is a JSON pattern, `\` must be quoted, which results in the `\\`. To use Regex101, it must be converted to a JavaScript regex (replacing `\\` with `\`). The resulting regex is:
`^((0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)$`
If you use this regex, all examples validate, except for two:
1.0.0-x-y-z.–
1.0.0+21AF26D3—-117B344092BD
The original source has all those examples - however, for those two, the dashes are different:
1.0.0-x-y-z.--
1.0.0+21AF26D3----117B344092BD
So it looks like the formatting was destroyed (or autocorrected) when it was added to the standard. As it is just an informational example, there is no need for an errata for CSAF 2.0 - we can fix that in CSAF 2.1.
`3.5.0.1-2083289` is not a valid SemVer nor CSAF semantic version - it uses 4 parts, and both allow only 3: Major.Minor.Patch

> and I am wondering how compliant this is with the CSAF standard expectation, while the Secvisogram validates this notation without error.

I just checked that in Secvisogram and it comes back with an error for me. Did you use a different field or get a different result?
> A second linked question follows about section 3.1.11.2.8 and how it is ascertained that a SemVer notation containing a [dash|-] MAY denote a pre-release version.
> Is this determined at the discretion of the publisher of the data? Or is it a definitive assertion by the CSAF standard that any SemVer notation that contains a [dash|-] IS de facto a pre-release version?

A pre-release version MAY be denoted by the dash. That implies there might be pre-release versions that are not using this notation but are still pre-release (as in document status `draft`). However, if the dash is used, it is automatically a pre-release version. Does that answer your question?
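The conversion and the checks described above, as an added example that is not code from this thread or from csaf-validator-lib: the pattern is read from a constructed JSON fragment so that JSON.parse() does the `\\` to `\` unescaping, and every example discussed here is classified, including the two autocorrected-dash variants and the four-part version.

```javascript
// Added example (not code from the issue or from csaf-validator-lib).
// The CSAF schema stores the version pattern as a JSON string, so every
// backslash is doubled; JSON.parse() yields the plain JavaScript regex.

// Constructed schema fragment carrying the pattern quoted in the thread.
const schemaFragment = String.raw`{"pattern": "^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$"}`;

const SEMVER_PATTERN = JSON.parse(schemaFragment).pattern; // "\\d" became "\d"
const SEMVER = new RegExp(SEMVER_PATTERN);

// Capture group 5 is the pre-release part (after "-"), group 6 the build
// metadata (after "+"); a dash after MAJOR.MINOR.PATCH always means pre-release.
function classifySemver(version) {
  const m = SEMVER.exec(version);
  if (m === null) return { valid: false, preRelease: null, build: null };
  return { valid: true, preRelease: m[5] ?? null, build: m[6] ?? null };
}

// Map every example to its classification.
function checkExamples(examples) {
  const report = {};
  for (const v of examples) report[v] = classifySemver(v);
  return report;
}

// Examples from the thread. The U+2013 / U+2014 entries are the autocorrected
// dashes found in the standard; the plain-hyphen lines are the original source.
const EXAMPLES = [
  '1.0.0-0.3.7', '1.0.0-alpha', '1.0.0-alpha.1', '1.0.0-x.7.z.92',
  '1.0.0+20130313144700', '1.0.0-alpha+001', '1.0.0-beta+exp.sha.5114f85',
  '1.0.0-x-y-z.\u2013',                // en dash: no match
  '1.0.0+21AF26D3\u2014-117B344092BD', // em dash: no match
  '1.0.0-x-y-z.--',                    // matches
  '1.0.0+21AF26D3----117B344092BD',    // matches
  '3.5.0.1-2083289',                   // four numeric parts: not SemVer
];

for (const [v, r] of Object.entries(checkExamples(EXAMPLES))) {
  console.log((r.valid ? 'valid   ' : 'INVALID ') + v +
    (r.preRelease ? '  pre-release=' + r.preRelease : '') +
    (r.build ? '  build=' + r.build : ''));
}
```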
During a recent review of some data, I had to take a closer read of section 3.1.11.2 and, more specifically, the RegEx string attached to it and the examples shared; for context: the direct link
The RegEx in question: *^((0|[1-9]\d)\.(0|[1-9]\d)\.(0|[1-9]\d)(?:-((?:0|[1-9]\d|\d[a-zA-Z-][0-9a-zA-Z-])(?:\.(?:0|[1-9]\d|\d[a-zA-Z-][0-9a-zA-Z-]))))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)))?)$**
I am unable to generate a match for that RegEx and therefore unable to ascertain what is/are an acceptable match.
Even using a couple of popular online regex validators/testers (such as regex101.com) I was not able to trigger a match using the examples provided in the documentation:
1.0.0-0.3.7
1.0.0-alpha
1.0.0-alpha.1
1.0.0-x-y-z.–
1.0.0-x.7.z.92
1.0.0+20130313144700
1.0.0+21AF26D3—-117B344092BD
1.0.0-alpha+001
1.0.0-beta+exp.sha.5114f85
A second linked question follows about section 3.1.11.2.8 and how it is ascertained that a SemVer notation containing a [dash|-] MAY denote a pre-release version.
Is this determined at the discretion of the publisher of the data? Or is it a definitive assertion by the CSAF standard that any SemVer notation that contains a [dash|-] IS de facto a pre-release version?
All of those questions are born of this example of SemVer: 3.5.0.1-2083289 and I am wondering how compliant this is with the CSAF standard expectation, while the Secvisogram validates this notation without error.
Finally, should the Secvisogram validation be considered ultimately authoritative over any other data or documentation; meaning, if Secvisogram validates a document, then conformity to the CSAF Standard specifications is guaranteed against the current revision of the standard?
Thank you, Regards, JD Stefaniak
Cc: @tschmidtb51 , @mreedergithub