feat: package-revisions #705

Johannestegner
Contributor

This pull request changes the parsing of package revisions (x.x.x.x) so that, instead of seeing them as a pre-release, it sees them as what they are:

  1. The FormatPatchVersion in scanner/utils will no longer change an x.x.x.x value to x.x.x-x but rather to x.x.x+x (sub to add).

  2. The MatchVersion will now, in case the constraint fails, check if there is a Metadata value in the current version.
    In case there is, it will diff the Metadata (revision) version against the constraint value's revision (which, if it does not exist, is 0); it will then create a new constraint if needed and either add or sub 1 from the patch version of the currentVersion to allow for a clean constraint test.

Why is this needed?

Not all package managers use a standard semver versioning scheme. A lot do, but some have a legacy version spec (nuget, ruby and possibly more), which uses a 4-part versioning scheme instead.
This has been handled by changing the version to a pre-release instead of changing it to a revision version, which it actually is.

Merging this PR should fix issues such as #702 and also issues encountered during the implementation of #686

…ase but as a revision.

Signed-off-by: Johannes Tegnér <[email protected]>
@Johannestegner Johannestegner force-pushed the feature/package-version-revisions branch from 7e6ea9d to bdf6791 Compare October 21, 2020 10:15
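
The ordering difference the description above is about, as an added example that is not code from this PR, the project, or go-version: it compares the same four-part versions once under the x.x.x-x pre-release reading and once as a numeric revision, in an assumed "is the installed version below the fixed version" check. The names `key` and `Affected` and the version strings are hypothetical, and the pre-release branch is a simplified model of semver precedence.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// key parses up to four dotted numeric parts into a sortable array. asPreRelease
// models x.x.x.x -> x.x.x-x: semver ranks a pre-release below the bare x.x.x.
func key(v string, asPreRelease bool) (k [4]int, err error) {
	f := strings.Split(v, ".")
	if len(f) > 4 {
		return k, fmt.Errorf("too many parts in %q", v)
	}
	for i, s := range f {
		if k[i], err = strconv.Atoi(s); err != nil || k[i] < 0 {
			return k, fmt.Errorf("bad part %q in %q", s, v)
		}
	}
	if asPreRelease && len(f) < 4 {
		k[3] = int(^uint(0) >> 1) // max int: the bare release outranks any -N
	}
	return k, nil
}

// Affected reports whether installed sorts strictly below fixed.
func Affected(installed, fixed string, asPreRelease bool) (bool, error) {
	a, errA := key(installed, asPreRelease)
	b, errB := key(fixed, asPreRelease)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("unparseable version in %q / %q", installed, fixed)
	}
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i], nil
		}
	}
	return false, nil
}

func main() {
	// Constructed versions, not taken from any advisory.
	for _, c := range [][2]string{{"4.0.0", "4.0.0.2"}, {"4.0.0.1", "4.0.0"}} {
		pre, _ := Affected(c[0], c[1], true)
		rev, _ := Affected(c[0], c[1], false)
		fmt.Println(c[0], "fixed in", c[1], "| pre-release:", pre, "| revision:", rev)
	}
}
```

Under the pre-release reading the first pair is reported as not affected and the second as affected, which is the reverse of the numeric revision order in both cases.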
@codecov

codecov bot commented Oct 21, 2020

Codecov Report

Merging #705 into master will increase coverage by 0.09%.
The diff coverage is 70.96%.

@@            Coverage Diff             @@
##           master     #705      +/-   ##
==========================================
+ Coverage   63.64%   63.73%   +0.09%     
==========================================
  Files          48       48              
  Lines        2027     2057      +30     
==========================================
+ Hits         1290     1311      +21     
- Misses        605      610       +5     
- Partials      132      136       +4     

| Impacted Files | Coverage Δ |
|---|---|
| pkg/scanner/utils/utils.go | 70.66% <70.96%> (-0.45%) ⬇️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 793a1aa...8a7722d.

@knqyf263
Collaborator

@Johannestegner Thanks for your contribution. I'm reviewing this PR, but some languages require pre-release since they have different conventions. Please be patient as we are working on the specifications for each language.

@Johannestegner
Contributor Author

> @Johannestegner Thanks for your contribution. I'm reviewing this PR, but some languages require pre-release since they have different conventions. Please be patient as we are working on the specifications for each language.

Of course! As you probably know better than me, versioning is quite a complex thing! So I totally understand that the changes might not be perfect as of yet :)

@knqyf263
Collaborator

knqyf263 commented Nov 9, 2020

Hi @Johannestegner, it was super complex, but we managed to develop the version library. Could you try this library with NuGet?
https://github.com/aquasecurity/go-version

@knqyf263 knqyf263 mentioned this pull request Nov 9, 2020
@Johannestegner
Contributor Author

> Hi @Johannestegner, it was super complex, but we managed to develop the version library. Could you try this library with NuGet?

Oh, that's great! Will take a look in the morning :)
I think this PR can be closed :)

@knqyf263 knqyf263 closed this Nov 10, 2020