Merge pull request #3468 from brentos99/master

Exclude pre-releases from NuGet latest version check
DependencyTrack · Sep 30, 2024 · 8c7d5a9 · 8c7d5a9
2 parents e746db0 + b198fb5
commit 8c7d5a9
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 5 deletions.
diff --git a/src/main/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzer.java b/src/main/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzer.java
@@ -112,6 +112,7 @@ private boolean performVersionCheck(final MetaModel meta, final Component compon
                     String responseString = EntityUtils.toString(response.getEntity());
                     var jsonObject = new JSONObject(responseString);
                     final JSONArray versions = jsonObject.getJSONArray("versions");
+
                     final String latest = findLatestVersion(versions); // get the last version in the array
                     meta.setLatestVersion(latest);
                 }
@@ -127,15 +128,17 @@ private boolean performVersionCheck(final MetaModel meta, final Component compon
         return false;
     }
 
-    private String findLatestVersion(JSONArray versions) {
-        if (versions.length() < 1) {
+    private String findLatestVersion(JSONArray versions) { 
+        JSONArray filteredVersions = filterPreReleaseVersions(versions);
+
+        if (filteredVersions.length() < 1) {
             return null;
         }
 
-        ComparableVersion latestVersion = new ComparableVersion(versions.getString(0));
+        ComparableVersion latestVersion = new ComparableVersion(filteredVersions.getString(0));
 
-        for (int i = 1; i < versions.length(); i++) {
-            ComparableVersion version = new ComparableVersion(versions.getString(i));
+        for (int i = 1; i < filteredVersions.length(); i++) {
+            ComparableVersion version = new ComparableVersion(filteredVersions.getString(i));
             if (version.compareTo(latestVersion) > 0) {
                 latestVersion = version;
             }
@@ -144,6 +147,16 @@ private String findLatestVersion(JSONArray versions) {
         return latestVersion.toString();
     }
 
+    private JSONArray filterPreReleaseVersions(JSONArray versions) {
+        JSONArray filteredVersions = new JSONArray();
+        for (int i = 0; i < versions.length(); i++) {
+            if (!versions.getString(i).contains("-")) {
+                filteredVersions.put(versions.getString(i));
+            }
+        }
+        return filteredVersions;
+    } 
+
     private boolean performLastPublishedCheck(final MetaModel meta, final Component component) {
         final String url = String.format(registrationUrl, urlEncode(component.getPurl().getName().toLowerCase()), urlEncode(meta.getLatestVersion()));
         try (final CloseableHttpResponse response = processHttpRequest(url)) {

diff --git a/src/test/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzerTest.java b/src/test/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzerTest.java
@@ -69,6 +69,47 @@ public void testAnalyzer() throws Exception {
         Assert.assertNotNull(metaModel.getPublishedTimestamp());
     }
 
+
+    // This test is to check if the analyzer is excluding pre-release versions
+    // The test is transitent depending on the current version of the package 
+    // retrieved from the repository at the time of running. 
+    // When it was created, the latest release version was 9.0.0-preview.1.24080.9
+    @Test
+    public void testAnalyzerExcludingPreRelease() throws Exception {
+        Component component = new Component();
+        component.setPurl(new PackageURL("pkg:nuget/[email protected]"));
+        NugetMetaAnalyzer analyzer = new NugetMetaAnalyzer();
+
+        analyzer.setRepositoryBaseUrl("https://api.nuget.org");
+        MetaModel metaModel = analyzer.analyze(component);
+
+        Assert.assertTrue(analyzer.isApplicable(component));
+        Assert.assertEquals(RepositoryType.NUGET, analyzer.supportedRepositoryType());
+        Assert.assertNotNull(metaModel.getLatestVersion());
+
+        Assert.assertFalse(metaModel.getLatestVersion().contains("-"));
+    }
+
+    // This test is to check if the analyzer is including pre-release versions
+    // The test is transitent depending on the current version of the package 
+    // retrieved from the repository at the time of running. 
+    // When it was created, the latest release version was 9.0.0-preview.1.24080.9
+    @Test
+    public void testAnalyzerIncludingPreRelease() throws Exception {
+        Component component = new Component();
+        component.setPurl(new PackageURL("pkg:nuget/[email protected]"));
+        NugetMetaAnalyzer analyzer = new NugetMetaAnalyzer();
+
+        analyzer.setRepositoryBaseUrl("https://api.nuget.org");
+        MetaModel metaModel = analyzer.analyze(component);
+
+        Assert.assertTrue(analyzer.isApplicable(component));
+        Assert.assertEquals(RepositoryType.NUGET, analyzer.supportedRepositoryType());
+        Assert.assertNotNull(metaModel.getLatestVersion());
+
+        Assert.assertFalse(metaModel.getLatestVersion().contains("-"));
+    }
+
     @Test
     public void testAnalyzerWithPrivatePackageRepository() throws Exception {
         String mockIndexResponse = readResourceFileToString("/unit/tasks/repositories/https---localhost-1080-v3-index.json");