oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

3.1.11.2 Version Type - Semantic versioning #785

Open jdstefaniak opened 1 week ago

jdstefaniak commented 1 week ago

During a recent review of some data, I had to take a closer read of section 3.1.11.2 and more specifically the RegEx string attached to it and the examples shared; for context: the direct link

The RegEx in question: *^((0|[1-9]\d)\.(0|[1-9]\d)\.(0|[1-9]\d)(?:-((?:0|[1-9]\d|\d[a-zA-Z-][0-9a-zA-Z-])(?:\.(?:0|[1-9]\d|\d[a-zA-Z-][0-9a-zA-Z-]))))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)))?)$**

I am unable to generate a match for that RegEx and therefore unable to ascertain what is/are an acceptable match.

Even using a couple of popular online regex validators/testers (such as regex101.com) I was not able to trigger a match using the examples provided in the documentation:

1.0.0-0.3.7
1.0.0-alpha
1.0.0-alpha.1
1.0.0-x-y-z.–
1.0.0-x.7.z.92
1.0.0+20130313144700
1.0.0+21AF26D3—-117B344092BD
1.0.0-alpha+001
1.0.0-beta+exp.sha.5114f85

A second linked question follows about section 3.1.11.2.8 and how it is ascertained that a SemVer notation containing a [dash|-] MAY denote a pre-release version.

Is this determined at the discretion of the publisher of the data? Or is it a definitive assertion by the CSAF standard that any SemVer notation that contains a [dash|-] IS de facto a pre-release version?

All of those questions are born of this example of SemVer: 3.5.0.1-2083289

and I am wondering how compliant this is with the CSAF standard expectation, while the Secvisogram validates this notation without error.

Finally, should the Secvisogram validation be considered ultimately authoritative over any other data or documentation; meaning, if Secvisogram validates a document, then conformity to the CSAF Standard specifications is guaranteed against the current revision of the standard?

Thank you, Regards, JD Stefaniak

Cc: @tschmidtb51 , @mreedergithub

tschmidtb51 commented 1 week ago

@jdstefaniak Secvisogram is not authoritative over the standard itself - but as it is relying on the reference implementation csaf-validator-lib it should validate correctly. If it does not - we need to investigate whether:

As a courtesy to the readers and our future selves

The standard states the following pattern:

^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$

As this is a JSON pattern, \ must be quoted, which results in the \\. To use Regex101, it must be converted to a JavaScript regex (replacing \\ with \). The resulting regex is:

^((0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)$

If you use this regex, all examples validate, except for two:

1.0.0-x-y-z.–
1.0.0+21AF26D3—-117B344092BD

The original source has all those examples - however, for those two, the dashes are different:

1.0.0-x-y-z.--
1.0.0+21AF26D3----117B344092BD

So it looks like the formatting was destroyed (or autocorrected) during the addition into the standard. As it is just an informational example, there is no need for an errata for CSAF 2.0 - we can fix that in CSAF 2.1.

Back to the issue

3.5.0.1-2083289 is not a valid SemVer nor CSAF semantic version - it uses 4 parts, and both allow only 3: Major.Minor.Patch

and I am wondering how compliant this is with the CSAF standard expectation, while the Secvisogram validates this notation without error.

I just checked that in Secvisogram and it comes back with an error for me: [screenshot] Did you use a different field or get a different result?

A second linked question follows about section 3.1.11.2.8 and how it is ascertained that a SemVer notation containing a [dash|-] MAY denote a pre-release version.

Is this determined at the discretion of the publisher of the data ? or is it a definitive assertion by the CSAF standard that any SemVer notation that contains a [dash|-] IS de facto a pre-release version ?

A pre-release version MAY be denoted by the dash. That implies there might be pre-release versions that are not using this notation but are still pre-release (as in document status draft). However, if the dash is used, it is automatically a pre-release version. Does that answer your question?
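The escaping step and the example checks from the reply above, as an added JavaScript example that is not code from the CSAF project or csaf-validator-lib: the JSON-escaped pattern is parsed as a JSON Schema validator would parse it, compiled, and run over the examples with the published (mangled) dashes, the intended dashes, and the four-part version from the question. The schema fragment, `parseCsafSemver` and `rejectedVersions` are constructed for this example.

```javascript
// Added example (not from the CSAF project or csaf-validator-lib): apply the
// CSAF 2.0 section 3.1.11.2 version pattern the way a JSON Schema validator
// does, i.e. parse the JSON-escaped string first, then compile it as a regex.

// Schema fragment constructed for this example; the pattern string is the one
// quoted from the standard above, in its JSON-escaped form (\\ per backslash).
const SCHEMA_FRAGMENT = String.raw`{
  "type": "string",
  "pattern": "^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$"
}`;

// JSON.parse unescapes \\ to \, yielding exactly the regex shown for Regex101.
const CSAF_SEMVER = new RegExp(JSON.parse(SCHEMA_FRAGMENT).pattern);

// Returns null for a non-matching string, otherwise the captured parts. The
// dash form (group 5) is what 3.1.11.2.8 says denotes a pre-release version.
function parseCsafSemver(version) {
  const m = CSAF_SEMVER.exec(version);
  if (m === null) return null;
  const [, , major, minor, patch, prerelease, build] = m;
  return {
    major, minor, patch,
    prerelease: prerelease ?? null,
    build: build ?? null,
    isPrerelease: prerelease !== undefined,
  };
}

// The examples from the standard as published (two contain an en dash U+2013
// and an em dash U+2014 instead of plain hyphens) and as originally intended.
const EXAMPLES_AS_PUBLISHED = [
  '1.0.0-0.3.7', '1.0.0-alpha', '1.0.0-alpha.1', '1.0.0-x-y-z.\u2013',
  '1.0.0-x.7.z.92', '1.0.0+20130313144700', '1.0.0+21AF26D3\u2014-117B344092BD',
  '1.0.0-alpha+001', '1.0.0-beta+exp.sha.5114f85',
];
const EXAMPLES_AS_INTENDED = EXAMPLES_AS_PUBLISHED.map((v) =>
  v.replace('\u2013', '--').replace('\u2014', '---'));

// Which of a list of version strings the pattern rejects.
function rejectedVersions(versions) {
  return versions.filter((v) => parseCsafSemver(v) === null);
}

console.log(rejectedVersions(EXAMPLES_AS_PUBLISHED)); // only the two mangled ones
console.log(rejectedVersions(EXAMPLES_AS_INTENDED));  // []
console.log(parseCsafSemver('3.5.0.1-2083289'));       // null: four numeric parts
```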