Added feature to NugetMetaAnalyzer to exclude pre-release versions.

DependencyTrack · Feb 15, 2024 · 8511bf2 · 8511bf2
1 parent b60040f
commit 8511bf2
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 6 deletions.
diff --git a/src/main/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzer.java b/src/main/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzer.java
@@ -111,7 +111,10 @@ private boolean performVersionCheck(final MetaModel meta, final Component compon
                     String responseString = EntityUtils.toString(response.getEntity());
                     var jsonObject = new JSONObject(responseString);
                     final JSONArray versions = jsonObject.getJSONArray("versions");
-                    final String latest = findLatestVersion(versions); // get the last version in the array
+
+                    final boolean excludePreRelease = component.getPurl().getVersion() != null && component.getPurl().getVersion().contains("-") ==false;  // if the version is a pre-release version, we should not exclude pre-release versions
+
+                    final String latest = findLatestVersion(versions,excludePreRelease); // get the last version in the array
                     meta.setLatestVersion(latest);
                 }
                 return true;
@@ -126,15 +129,17 @@ private boolean performVersionCheck(final MetaModel meta, final Component compon
         return false;
     }
 
-    private String findLatestVersion(JSONArray versions) {
-        if (versions.length() < 1) {
+    private String findLatestVersion(JSONArray versions, boolean excludePreRelease) { 
+        JSONArray filteredVersions = excludePreRelease ? filterPreReleaseVersions(versions) : versions;
+
+        if (filteredVersions.length() < 1) {
             return null;
         }
 
-        ComparableVersion latestVersion = new ComparableVersion(versions.getString(0));
+        ComparableVersion latestVersion = new ComparableVersion(filteredVersions.getString(0));
 
-        for (int i = 1; i < versions.length(); i++) {
-            ComparableVersion version = new ComparableVersion(versions.getString(i));
+        for (int i = 1; i < filteredVersions.length(); i++) {
+            ComparableVersion version = new ComparableVersion(filteredVersions.getString(i));
             if (version.compareTo(latestVersion) > 0) {
                 latestVersion = version;
             }
@@ -143,6 +148,16 @@ private String findLatestVersion(JSONArray versions) {
         return latestVersion.toString();
     }
 
+    private JSONArray filterPreReleaseVersions(JSONArray versions) {
+        JSONArray filteredVersions = new JSONArray();
+        for (int i = 0; i < versions.length(); i++) {
+            if (!versions.getString(i).contains("-")) {
+                filteredVersions.put(versions.getString(i));
+            }
+        }
+        return filteredVersions;
+    } 
+
     private boolean performLastPublishedCheck(final MetaModel meta, final Component component) {
         final String url = String.format(registrationUrl, component.getPurl().getName().toLowerCase(), meta.getLatestVersion());
         try (final CloseableHttpResponse response = processHttpRequest(url)) {

diff --git a/src/test/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzerTest.java b/src/test/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzerTest.java
@@ -64,6 +64,47 @@ public void testAnalyzer() throws Exception {
         Assert.assertNotNull(metaModel.getPublishedTimestamp());
     }
 
+
+    // This test is to check if the analyzer is excluding pre-release versions
+    // The test is transitent depending on the current version of the package 
+    // retrieved from the repository at the time of running. 
+    // When it was created, the latest release version was 9.0.0-preview.1.24080.9
+    //@Test
+    public void testAnalyzerExcludingPreRelease() throws Exception {
+        Component component = new Component();
+        component.setPurl(new PackageURL("pkg:nuget/[email protected]"));
+        NugetMetaAnalyzer analyzer = new NugetMetaAnalyzer();
+
+        analyzer.setRepositoryBaseUrl("https://api.nuget.org");
+        MetaModel metaModel = analyzer.analyze(component);
+
+        Assert.assertTrue(analyzer.isApplicable(component));
+        Assert.assertEquals(RepositoryType.NUGET, analyzer.supportedRepositoryType());
+        Assert.assertNotNull(metaModel.getLatestVersion());
+
+        Assert.assertFalse(metaModel.getLatestVersion().contains("-"));
+    }
+
+    // This test is to check if the analyzer is including pre-release versions
+    // The test is transitent depending on the current version of the package 
+    // retrieved from the repository at the time of running. 
+    // When it was created, the latest release version was 9.0.0-preview.1.24080.9
+    //@Test
+    public void testAnalyzerIncludingPreRelease() throws Exception {
+        Component component = new Component();
+        component.setPurl(new PackageURL("pkg:nuget/[email protected]"));
+        NugetMetaAnalyzer analyzer = new NugetMetaAnalyzer();
+
+        analyzer.setRepositoryBaseUrl("https://api.nuget.org");
+        MetaModel metaModel = analyzer.analyze(component);
+
+        Assert.assertTrue(analyzer.isApplicable(component));
+        Assert.assertEquals(RepositoryType.NUGET, analyzer.supportedRepositoryType());
+        Assert.assertNotNull(metaModel.getLatestVersion());
+
+        Assert.assertTrue(metaModel.getLatestVersion().contains("-"));
+    }
+
     @Test
     public void testAnalyzerWithPrivatePackageRepository() throws Exception {
         String mockIndexResponse = readResourceFileToString("/unit/tasks/repositories/https---localhost-1080-v3-index.json");