Merge pull request #5993 from nscuro/ecosystem-aware-latest-version-detection

Use ecosystem-aware version comparison for latest version detection

Author: nscuro

src/main/java/org/dependencytrack/tasks/repositories/ComposerMetaAnalyzer.java

@@ -22,11 +22,14 @@
 import com.github.benmanes.caffeine.cache.Cache;
 import com.github.benmanes.caffeine.cache.Caffeine;
 import com.github.packageurl.PackageURL;
+import io.github.nscuro.versatile.VersionFactory;
+import io.github.nscuro.versatile.spi.InvalidVersionException;
+import io.github.nscuro.versatile.spi.Version;
+import io.github.nscuro.versatile.version.KnownVersioningSchemes;
 import jakarta.ws.rs.core.UriBuilder;
 import org.apache.http.HttpStatus;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.util.EntityUtils;
-import org.apache.maven.artifact.versioning.ComparableVersion;
 import org.dependencytrack.exception.MetaAnalyzerException;
 import org.dependencytrack.model.Component;
 import org.dependencytrack.model.RepositoryType;
@@ -52,9 +55,9 @@ public class ComposerMetaAnalyzer extends AbstractMetaAnalyzer {
 
     /**
      * @see <a href="https://packagist.org/apidoc#get-package-data">Packagist's API
-     *      doc for
-     *      "Getting package data - Using the Composer v1 metadata (DEPRECATED)"</a>
-     *      Example: https://repo.packagist.org/p/monolog/monolog.json
+     * doc for
+     * "Getting package data - Using the Composer v1 metadata (DEPRECATED)"</a>
+     * Example: https://repo.packagist.org/p/monolog/monolog.json
      */
     private static final String PACKAGE_META_DATA_PATH_PATTERN_V1 = "/p/%package%.json";
 
@@ -66,10 +69,10 @@ public class ComposerMetaAnalyzer extends AbstractMetaAnalyzer {
      * Some of the properties of the root package.json are documented at
      * https://github.com/composer/composer/blob/main/doc/05-repositories.md
      * Properties to investigate / implement:
-     *
+     * <p>
      * - security-advisories: very relevant, but only in a VulnerabilityAnalyzer (or
      * mirrored VulnerabilitySource) context
-     *
+     * <p>
      * - providers-lazy-url: old v1 construct for which I haven't seen any example,
      * in v2 the metadata-url is used for this. seems like it's not relevant for DT
      * - list: returns only package names, seems like repo.packagist.org (and .com?)
@@ -273,7 +276,7 @@ private void loadIncludedPackages(final JSONObject repoRoot, final JSONObject da
     }
 
     private MetaModel analyzeFromMetadataUrl(final MetaModel meta, final Component component,
-            final String packageMetaDataPathPattern) {
+                                             final String packageMetaDataPathPattern) {
         final String composerPackageMetadataFilename = packageMetaDataPathPattern.replaceAll("%package%",
                 getComposerPackageName(component));
         final String url;
@@ -307,7 +310,7 @@ private MetaModel analyzeFromMetadataUrl(final MetaModel meta, final Component c
             if (!responsePackages.has(expectedResponsePackage)) {
                 // the package no longer exists - for v2 there's no example (yet), v1 example
                 // https://repo.packagist.org/p/magento/adobe-ims.json
-                LOGGER.debug("%s: Package no longer exists in repository %s.". formatted(component.getPurl(), this.repositoryId));
+                LOGGER.debug("%s: Package no longer exists in repository %s.".formatted(component.getPurl(), this.repositoryId));
                 return meta;
             }
 
@@ -353,38 +356,40 @@ private JSONObject expandPackages(JSONObject packages) {
     }
 
     private MetaModel analyzePackageVersions(final MetaModel meta, Component component, JSONObject packageVersions) {
-        final ComparableVersion latestVersion = new ComparableVersion(stripLeadingV(component.getPurl().getVersion()));
+        Version latestVersion = null;
         final DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssXXX");
 
         LOGGER.debug("%s: analyzing package versions in %s: ".formatted(component.getPurl(), this.repositoryId));
-        packageVersions.keySet().forEach(item -> {
-            JSONObject packageVersion = packageVersions.getJSONObject((String) item);
+        for (final String item : packageVersions.keySet()) {
+            final JSONObject packageVersion = packageVersions.getJSONObject(item);
             // Sometimes the JSON key differs from the the version inside the JSON value. The latter is leading.
-            String version = packageVersion.getString("version");
-            if (version.startsWith("dev-") || version.endsWith("-dev")) {
-                // dev versions are excluded, since they are not pinned but a VCS-branch.
-                // this case doesn't seem to happen anymore with V2, as dev (untagged) releases
-                // are not part of the response anymore
-                return;
-            }
+            final String version = packageVersion.getString("version");
 
             // Some (old?) repositories like composer.amasty.com/enterprise do not include a
-            // 'version_normalized' field
-            // TODO Should we attempt to normalize ourselves? The PHP code uses something
-            // that results in 4 parts instead of 3, i.e. 2.3.8.0 instead of 2.3.8. Not sure
-            // if that works with Semver4j
-            String version_normalized = packageVersion.getString("version");
+            // 'version_normalized' field. versatile handles both 3- and 4-part version
+            // strings (e.g. 2.3.8 and 2.3.8.0) natively, so falling back to the raw version
+            // is safe.
+            String version_normalized = version;
             if (packageVersion.has("version_normalized")) {
                 version_normalized = packageVersion.getString("version_normalized");
             }
 
-            ComparableVersion currentComparableVersion = new ComparableVersion(version_normalized);
-            if (currentComparableVersion.compareTo(latestVersion) < 0) {
-                // smaller version can be skipped
-                return;
+            final Version currentVersion;
+            try {
+                currentVersion = VersionFactory.forScheme(KnownVersioningSchemes.SCHEME_COMPOSER, version_normalized);
+            } catch (InvalidVersionException e) {
+                LOGGER.debug("%s: Skipping unparseable Composer version %s in repository %s".formatted(component.getPurl(), version_normalized, this.repositoryId), e);
+                continue;
+            }
+            if (!currentVersion.isStable()) {
+                continue;
+            }
+
+            if (latestVersion != null && currentVersion.compareTo(latestVersion) < 0) {
+                continue;
             }
 
-            latestVersion.parseVersion(stripLeadingV(version_normalized));
+            latestVersion = currentVersion;
             meta.setLatestVersion(version);
 
             if (packageVersion.has("time")) {
@@ -401,16 +406,10 @@ private MetaModel analyzePackageVersions(final MetaModel meta, Component compone
                 // do not include the name field for a version, so print purl
                 LOGGER.warn("%s: Field 'time' not present in metadata in repository %s".formatted(component.getPurl(), this.repositoryId));
             }
-        });
+        }
         return meta;
     }
 
-    private static String stripLeadingV(String s) {
-        return s.startsWith("v") || s.startsWith("V")
-                ? s.substring(1)
-                : s;
-    }
-
     private static boolean isMinified(JSONObject data) {
         if (data.has("minified") && "composer/2.0".equals(data.getString("minified"))) {
             return true;