schema/v5.0: introduce computable version ranges #100
Conversation
|
I've posted this as supporting material for my latest draft schema in #87 (comment). Discussion is probably better there than on this PR. |
9959205 to
7aa7ad2
Compare
7aa7ad2 to
34e14be
Compare
|
Made suggested changes. Not sure whether the other two additionalProperties: false should be kept or deleted. |
|
I suggest deleting the other two |
19d2c94 to
83dfecd
Compare
|
Pushed a new commit that deletes the other two additionalProperties: false and also fixes an inverted comparison in the algorithm, pointed out by Oliver. |
41f8442 to
afc20fc
Compare
|
Based on Tuesday meeting discussion, pushed a new version and updated the comment at the top of this PR. |
c43ca8d to
ca1c1a6
Compare
|
Updated as requested. Also defined that default defaultStatus is unknown. And fixed bug where "limit" was still defined as the field instead of "lessThan" and "lessThanOrEqual", despite mentioning the new names everywhere else. |
ca1c1a6 to
1c10f5d
Compare
|
Changed to allow either defaultStatus or versions to be omitted, but not both. |
The shorthand version of this schema is:
defaultStatus: $status (default 'unknown')
versions: [{
version: $version
status: $status // unknown, affected, unaffected
versionType: string (‘semver’, ‘git’, ..., to define meaning of <)
repo: string (optional, intended for versionType ‘git’)
lessThan/lessThanOrEqual: $version (can use * for “infinity” aka "maxuint")
changes: [{
at: version where status changes
status: ...
}]
}]
An object in the versions list can be either:
- a simple {version: V, status: S},
which indicates the status of the single version V.
- a range {version: V, versionType: T, lessThan: L OR lessThanOrEqual: LE, status: S, changes: C},
which indicates the status of the half-open interval [V, L) or closed interval [V, LE].
The range starts with V having status S and then changes over time according to the events listed in C.
The algorithm for deciding the status of a particular version V is then:
for entry in product.versions {
if entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {
return entry.status
}
if (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or
(entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) {
status = entry.status
for change in entry.changes {
if change.at <= v {
status = change.status
}
}
return status
}
}
return product.defaultStatus
Versions or defaultStatus may be omitted, but not both,
Fixes CVEProject#87.
Fixes CVEProject#12.
Fixes CVEProject#77.
1c10f5d to
e3d43c6
Compare
|
Also updated to mention version 0 as the earliest possible start of a range. |
The shorthand version of this schema is:
An object in the versions list can be either:
which indicates the status of the single version V.
which indicates the status of the half-open interval [V, L) or closed interval [V, LE].
The range starts with V having status S and then changes over time according to the events listed in C.
The algorithm for deciding the status of a particular version V is then:
Fixes #87.
Fixes #12.
Fixes #77.