fix(dotnet): prefer ProductVersion when it contains semantic metadata (#4017)#4891
fix(dotnet): prefer ProductVersion when it contains semantic metadata (#4017)#4891tjhub1983 wants to merge 2 commits into
Conversation
…anchore#4017) Signed-off-by: tjhub1983 <tjhub1983@users.noreply.github.com>
|
Hi maintainers! I've noticed this PR has been open since May 5th without any reviews yet. The fix is straightforward - prefer ProductVersion when it contains semantic version metadata. Is there anything I can do to help move this forward? Happy to address any feedback or make adjustments. Thank you! |
|
Sorry for the delay @tjhub1983 - just getting through a backlog of stuff ATM. I've kicked off the build checks for this PR and will give it a review right now. |
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
|
@spiffcs Thank you for the review and approval! I noticed the Unit tests are failing on the latest commit (c572ea1). Unfortunately I don't have local Go/Docker environment to investigate and fix the test failure directly. Could you help me understand:
If you have guidance on what needs to be fixed, I can try to address it or submit a follow-up PR. Thank you! |
|
@spiffcs Just checking in - is there anything else needed from my side to move this forward? Happy to make changes if you have feedback! |
|
This PR is approved but hasn't been merged yet. Could we get it merged? |
|
@spiffcs Thanks for the approval! Is there anything else needed from my side to get this PR merged? |
|
?? Hi @spiffcs! PR is approved but hasn't been merged yet. Is there anything else needed? Thanks for the review! |
|
?? Hi @spiffcs, I notice the Unit tests check is failing. Could you help me understand what's broken? I'd be happy to fix it. Thanks! |
|
?? Hi maintainers! Just checking in on this PR. Is there anything else needed? Thanks for your time! |
|
?? Hi @spiffcs! PR is approved but I notice Unit tests are failing. Is there anything specific I should fix? Happy to address any feedback. Thanks! |
|
This PR is not passing tests and has not had changes pushed to address the failure. |
Summary
Fixes #4017.
Root cause:
findVersionFromVersionResourcesuseskeepGreaterSemanticVersionto choose betweenProductVersionandFileVersion. For Microsoft PE files,FileVersionis often a CI build stamp (e.g.,8.0.324.11423) which semantically compares as greater than the trueProductVersion(e.g.,8.0.3+9f4b1f5d664afdfc80e1508ab7ed099dff210fbd) because324 > 3.Before: System.Text.Json → version
8.0.324.11423(FileVersion, a build stamp)After: System.Text.Json → version
8.0.3+9f4b1f5d664afdfc80e1508ab7ed099dff210fbd(ProductVersion, the real release)Fix: Added a check for
ProductVersioncontaining+(semantic metadata suffix) before the semantic comparison. When present,ProductVersionis always authoritative for Microsoft PE files.Changes
syft/pkg/cataloger/dotnet/package.go: Added check for+in ProductVersion before semantic comparisonTesting
Build a self-contained .NET application and compare syft output: