Merge pull request #1595 from DependencyTrack/port-exclude-pre-releas…

…es-from-NuGet-latest-version-check
DependencyTrack · Nov 22, 2024 · a4af29c · a4af29c
2 parents dba56d9 + c98a490
commit a4af29c
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 6 deletions.
diff --git a/...er/src/main/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzer.java b/...er/src/main/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzer.java
@@ -22,10 +22,10 @@
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.util.EntityUtils;
 import org.apache.maven.artifact.versioning.ComparableVersion;
-import org.dependencytrack.repometaanalyzer.model.MetaAnalyzerException;
-import org.dependencytrack.repometaanalyzer.model.MetaModel;
 import org.dependencytrack.persistence.model.Component;
 import org.dependencytrack.persistence.model.RepositoryType;
+import org.dependencytrack.repometaanalyzer.model.MetaAnalyzerException;
+import org.dependencytrack.repometaanalyzer.model.MetaModel;
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.slf4j.Logger;
@@ -128,14 +128,16 @@ private boolean performVersionCheck(final MetaModel meta, final Component compon
     }
 
     private String findLatestVersion(JSONArray versions) {
-        if (versions.length() < 1) {
+        JSONArray filteredVersions = filterPreReleaseVersions(versions);
+
+        if (filteredVersions.length() < 1) {
             return null;
         }
 
-        ComparableVersion latestVersion = new ComparableVersion(versions.getString(0));
+        ComparableVersion latestVersion = new ComparableVersion(filteredVersions.getString(0));
 
-        for (int i = 1; i < versions.length(); i++) {
-            ComparableVersion version = new ComparableVersion(versions.getString(i));
+        for (int i = 1; i < filteredVersions.length(); i++) {
+            ComparableVersion version = new ComparableVersion(filteredVersions.getString(i));
             if (version.compareTo(latestVersion) > 0) {
                 latestVersion = version;
             }
@@ -144,6 +146,16 @@ private String findLatestVersion(JSONArray versions) {
         return latestVersion.toString();
     }
 
+    private JSONArray filterPreReleaseVersions(JSONArray versions) {
+        JSONArray filteredVersions = new JSONArray();
+        for (int i = 0; i < versions.length(); i++) {
+            if (!versions.getString(i).contains("-")) {
+                filteredVersions.put(versions.getString(i));
+            }
+        }
+        return filteredVersions;
+    }
+
     private boolean performLastPublishedCheck(final MetaModel meta, final Component component) {
         final String url = String.format(registrationUrl, component.getPurl().getName().toLowerCase(), meta.getLatestVersion());
         try (final CloseableHttpResponse response = processHttpRequest(url)) {

diff --git a/...rc/test/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzerTest.java b/...rc/test/java/org/dependencytrack/repometaanalyzer/repositories/NugetMetaAnalyzerTest.java
@@ -187,4 +187,40 @@ void testPublishedDateTimeFormat() throws ParseException {
     private String readResourceFileToString(String fileName) throws Exception {
         return Files.readString(Paths.get(getClass().getResource(fileName).toURI()));
     }
+
+    // This test is to check if the analyzer is excluding pre-release versions
+    // The test is transitent depending on the current version of the package
+    // retrieved from the repository at the time of running.
+    // When it was created, the latest release version was 9.0.0-preview.1.24080.9
+    @Test
+    public void testAnalyzerExcludingPreRelease() throws Exception {
+        Component component = new Component();
+        component.setPurl(new PackageURL("pkg:nuget/Microsoft.Extensions.DependencyInjection@8.0.0"));
+
+        analyzer.setRepositoryBaseUrl("https://api.nuget.org");
+        MetaModel metaModel = analyzer.analyze(component);
+
+        Assertions.assertTrue(analyzer.isApplicable(component));
+        Assertions.assertEquals(RepositoryType.NUGET, analyzer.supportedRepositoryType());
+        Assertions.assertNotNull(metaModel.getLatestVersion());
+        Assertions.assertFalse(metaModel.getLatestVersion().contains("-"));
+    }
+
+    // This test is to check if the analyzer is including pre-release versions
+    // The test is transitent depending on the current version of the package
+    // retrieved from the repository at the time of running.
+    // When it was created, the latest release version was 9.0.0-preview.1.24080.9
+    @Test
+    public void testAnalyzerIncludingPreRelease() throws Exception {
+        Component component = new Component();
+        component.setPurl(new PackageURL("pkg:nuget/Microsoft.Extensions.DependencyInjection@8.0.0-beta.21301.5"));
+
+        analyzer.setRepositoryBaseUrl("https://api.nuget.org");
+        MetaModel metaModel = analyzer.analyze(component);
+
+        Assertions.assertTrue(analyzer.isApplicable(component));
+        Assertions.assertEquals(RepositoryType.NUGET, analyzer.supportedRepositoryType());
+        Assertions.assertNotNull(metaModel.getLatestVersion());
+        Assertions.assertFalse(metaModel.getLatestVersion().contains("-"));
+    }
 }