Version Distance Policy Evaluation Cannot Deal With Letters #3230

@msymons

Description

Current Behavior

As a result of logging improvements introduced in v4.9.0 via Issue #2979, a Version Distance Policy that attempts to evaluate a component that contains a letter in the version (either existing version or latest version) will generate an informative WARN:

2023-11-22 02:27:01,522 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
2023-11-22 02:27:01,526 INFO [PolicyEngine] Evaluating 362 component(s) against applicable policies
2023-11-22 02:27:02,397 WARN [VersionDistancePolicyEvaluator] Failed to compute version distance for component pkg:maven/com.google.code.findbugs/annotations@2.0.1?type=jar (UUID: 9d582ebf-b3b8-4ab1-bd90-e109f7fa5218), between component version 2.0.1 and latest version 3.0.1u2; Skipping
java.lang.NumberFormatException: For input string: "1u"
	at java.base/java.lang.NumberFormatException.forInputString(Unknown Source)
	at java.base/java.lang.Integer.parseInt(Unknown Source)
	at java.base/java.lang.Integer.parseInt(Unknown Source)
	at org.dependencytrack.util.VersionDistance.parseVersion(VersionDistance.java:156)
	at org.dependencytrack.util.VersionDistance.getVersionDistance(VersionDistance.java:331)
	at org.dependencytrack.policy.VersionDistancePolicyEvaluator.evaluate(VersionDistancePolicyEvaluator.java:93)
	at org.dependencytrack.policy.PolicyEngine.evaluate(PolicyEngine.java:89)
	at org.dependencytrack.policy.PolicyEngine.evaluate(PolicyEngine.java:71)
	at org.dependencytrack.tasks.PolicyEvaluationTask.performPolicyEvaluation(PolicyEvaluationTask.java:55)
	at org.dependencytrack.tasks.PolicyEvaluationTask.inform(PolicyEvaluationTask.java:44)
	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
2023-11-22 02:27:02,580 WARN [VersionDistancePolicyEvaluator] Failed to compute version distance for component pkg:maven/org.apache-extras.beanshell/bsh@2.0b6?type=jar (UUID: c12140e6-4959-4f4b-9710-5f5235ceca09), between component version 2.0b6 and latest version 2.0b6; Skipping
java.lang.NumberFormatException: For input string: "0b"
	at java.base/java.lang.NumberFormatException.forInputString(Unknown Source)
	at java.base/java.lang.Integer.parseInt(Unknown Source)
        ...
2023-11-22 02:27:02,607 WARN [VersionDistancePolicyEvaluator] Failed to compute version distance for component pkg:maven/com.google.code.findbugs/annotations@3.0.1?type=jar (UUID: 4ff12922-f19b-413f-b776-b2cfbcd25f11), between component version 3.0.1 and latest version 3.0.1u2; Skipping
java.lang.NumberFormatException: For input string: "1u"
	at java.base/java.lang.NumberFormatException.forInputString(Unknown Source)
	at java.base/java.lang.Integer.parseInt(Unknown Source)
        ...

Steps to Reproduce

  1. Create a version distance policy. This was the policy that gave rise to the exceptions reported above, but a better test would be to have the version value as 1 rather than 2.

(screenshot: version-policy)

  2. Upload a BOM containing the following components:
    pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5?type=jar
    pkg:maven/org.apache-extras.beanshell/bsh@2.0b6?type=jar

Expected Behavior

  1. No WARN exceptions logged per current behaviour.
  2. Assuming the policy distance is 1, a policy violation for pkg:maven/com.google.code.findbugs/annotations@2.0.1?type=jar, as this is one major version behind the latest version.
  3. Valid policy violations for any other component in the project that is more than one version out of date. Currently I am not seeing any Version Distance policy violations for the project under test... but I have not tested against a project that contains NO components that would give the WARN exception.

Dependency-Track Version

4.10.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox
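An added example, not code from Dependency-Track or from the reporter, showing one way a version parser can tolerate the letter-bearing segments ("1u2", "0b6") that produced the NumberFormatException in the log above. The class name LenientVersionDistance and its methods are assumptions for illustration only. Each dot-separated segment is reduced to its leading run of digits, so a qualifier such as "u2" or "b6" no longer reaches Integer.parseInt, and the distance is then counted at the first level (major, minor, patch) where the latest version is ahead.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical, not Dependency-Track code): a version parser
 * that does not throw on segments such as "1u2" or "0b6".
 */
public class LenientVersionDistance {

    // Leading digits of a segment; "1u2" -> "1", "0b6" -> "0".
    private static final Pattern LEADING_DIGITS = Pattern.compile("^(\\d+)");

    /**
     * Parse "3.0.1u2" into [3, 0, 1]. A segment with no leading digits
     * (for example "SNAPSHOT") contributes 0 instead of throwing.
     */
    static List<Integer> parseVersion(String version) {
        List<Integer> parts = new ArrayList<>();
        for (String segment : version.split("\\.")) {
            Matcher m = LEADING_DIGITS.matcher(segment);
            parts.add(m.find() ? Integer.parseInt(m.group(1)) : 0);
        }
        return parts;
    }

    /**
     * Distance as [major, minor, patch] from current to latest. Only the first
     * level at which latest is ahead is counted; if current is ahead at some
     * level, or the versions are equal, the distance is all zeros.
     */
    static int[] distance(String current, String latest) {
        List<Integer> a = parseVersion(current);
        List<Integer> b = parseVersion(latest);
        int[] out = new int[3];
        for (int i = 0; i < 3; i++) {
            int ai = i < a.size() ? a.get(i) : 0;
            int bi = i < b.size() ? b.get(i) : 0;
            if (bi != ai) {
                if (bi > ai) {
                    out[i] = bi - ai;
                }
                break;
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Version pairs taken from the warnings in the report above.
        String[][] pairs = {
            {"2.0.1", "3.0.1u2"},
            {"2.0b6", "2.0b6"},
            {"3.0.1", "3.0.1u2"},
        };
        for (String[] p : pairs) {
            System.out.println(p[0] + " -> " + p[1] + ": "
                + Arrays.toString(distance(p[0], p[1])));
        }
    }
}
```

With this parsing, the report's pair 2.0.1 / 3.0.1u2 is one major version apart, which matches the expected policy violation, and 2.0b6 / 2.0b6 is equal. The caveat is that dropping the qualifier makes 3.0.1 and 3.0.1u2 indistinguishable, so a policy built on this approach cannot flag qualifier-only updates; that is a deliberate trade-off in favour of never aborting the evaluation, not a faithful ordering of such versions.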

Labels: defect