From c6035ef9615157f8acfa7ff59bc16e52cae2d1ee Mon Sep 17 00:00:00 2001
From: Ben Selwyn-Smith
Date: Tue, 18 Mar 2025 11:15:28 +1000
Subject: [PATCH 1/3] fix: use 'isDefault' version from deps dev api
Signed-off-by: Ben Selwyn-Smith
---
 src/macaron/repo_finder/repo_finder_deps_dev.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/macaron/repo_finder/repo_finder_deps_dev.py b/src/macaron/repo_finder/repo_finder_deps_dev.py
index c64ff37aa..7939ee747 100644
--- a/src/macaron/repo_finder/repo_finder_deps_dev.py
+++ b/src/macaron/repo_finder/repo_finder_deps_dev.py
@@ -146,7 +146,13 @@ def get_latest_version(purl: PackageURL) -> tuple[PackageURL | None, RepoFinderI
 versions = json_extract(metadata, versions_keys, list)
 if not versions:
 return None, RepoFinderInfo.DDEV_JSON_INVALID
- latest_version = json_extract(versions[-1], ["versionKey", "version"], str)
+
+ latest_version = None
+ for index, version_result in enumerate(versions):
+ if version_result["isDefault"] or (index == (len(versions) - 1) and not latest_version):
+ latest_version = json_extract(version_result, ["versionKey", "version"], str)
+ break
+
 if not latest_version:
 return None, RepoFinderInfo.DDEV_JSON_INVALID
From 39c219b73f71c117b7cfa4cd4b8e284b71d0076f Mon Sep 17 00:00:00 2001
From: Ben Selwyn-Smith
Date: Tue, 18 Mar 2025 14:07:52 +1000
Subject: [PATCH 2/3] chore: address PR feedback
Signed-off-by: Ben Selwyn-Smith
---
 .../repo_finder/repo_finder_deps_dev.py | 6 ++++--
 .../cases/google_guava_latest/policy.dl | 10 ++++++++++
 .../cases/google_guava_latest/test.yaml | 20 +++++++++++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 tests/integration/cases/google_guava_latest/policy.dl
 create mode 100644 tests/integration/cases/google_guava_latest/test.yaml
diff --git a/src/macaron/repo_finder/repo_finder_deps_dev.py b/src/macaron/repo_finder/repo_finder_deps_dev.py
index 7939ee747..35d257408 100644
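Review bot: `version_result["isDefault"]` in the new loop of get_latest_version (PATCH 1/3) subscripts an entry of the deps.dev response directly, so an entry that lacks the key (KeyError) or is not a dict (TypeError) raises out of the function, unless a caller catches it, instead of ending in `DDEV_JSON_INVALID` the way the surrounding `json_extract` calls do. Because this data comes from an external service, read the flag defensively, e.g. `if isinstance(version_result, dict) and version_result.get("isDefault"):`. The rewritten loop in PATCH 2/3 keeps the same subscript. Separately, `and not latest_version` is always true at that point, since the loop breaks on the first assignment, so it can be dropped. The function body starts and ends outside the hunk.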
--- a/src/macaron/repo_finder/repo_finder_deps_dev.py
+++ b/src/macaron/repo_finder/repo_finder_deps_dev.py
@@ -148,12 +148,14 @@ def get_latest_version(purl: PackageURL) -> tuple[PackageURL | None, RepoFinderI
 return None, RepoFinderInfo.DDEV_JSON_INVALID
 latest_version = None
- for index, version_result in enumerate(versions):
- if version_result["isDefault"] or (index == (len(versions) - 1) and not latest_version):
+ for version_result in reversed(versions):
+ if version_result["isDefault"]:
+ # Accept the version as the latest if it is marked with the "isDefault" property.
 latest_version = json_extract(version_result, ["versionKey", "version"], str)
 break
 if not latest_version:
+ logger.debug("No latest version found in version list: %s", len(versions))
 return None, RepoFinderInfo.DDEV_JSON_INVALID
 namespace = purl.namespace + "/" if purl.namespace else ""
diff --git a/tests/integration/cases/google_guava_latest/policy.dl b/tests/integration/cases/google_guava_latest/policy.dl
new file mode 100644
index 000000000..fba7461e4
--- /dev/null
+++ b/tests/integration/cases/google_guava_latest/policy.dl
@@ -0,0 +1,10 @@
+/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
+/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
+
+#include "prelude.dl"
+
+Policy("test_policy", component_id, "") :-
+ check_passed(component_id, "mcn_version_control_system_1").
+
+apply_policy_to("test_policy", component_id) :-
+ is_component(component_id, "pkg:maven/com.google.guava/guava@14.0.1?type=jar").
diff --git a/tests/integration/cases/google_guava_latest/test.yaml b/tests/integration/cases/google_guava_latest/test.yaml
new file mode 100644
index 000000000..0f9858c82
--- /dev/null
+++ b/tests/integration/cases/google_guava_latest/test.yaml
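Review bot: The rewritten loop in get_latest_version (repo_finder_deps_dev.py, PATCH 2/3) no longer falls back to the last entry, so a well-formed version list with no `isDefault` entry now returns `DDEV_JSON_INVALID`, which reports a malformed response when the real cause is a missing default flag. Whether deps.dev always marks one version as default is not visible here, so either give this case its own outcome or state the assumption in a comment above the loop. The debug message logs only the list length; naming the package makes the line usable when triaging a failed analysis, e.g. `logger.debug("No default version among %s versions for %s", len(versions), purl)`. The function body starts and ends outside the hunk.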
@@ -0,0 +1,20 @@
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+description: |
+ Analyzing a PURL that requires fetching the latest version, and the ordering of its versions is atypical
+
+tags:
+- macaron-python-package
+
+steps:
+- name: Run macaron analyze
+ kind: analyze
+ options:
+ command_args:
+ - -purl
+ - pkg:maven/com.google.guava/guava@14.0.1?type=jar
+- name: Run macaron verify-policy to verify passed/failed checks
+ kind: verify
+ options:
+ policy: policy.dl
From 4b460844e59baffb66e5125655556bae47758be6 Mon Sep 17 00:00:00 2001
From: Ben Selwyn-Smith
Date: Tue, 18 Mar 2025 16:54:44 +1000
Subject: [PATCH 3/3] chore: include repo in verify policy
Signed-off-by: Ben Selwyn-Smith
---
 tests/integration/cases/google_guava_latest/policy.dl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/integration/cases/google_guava_latest/policy.dl b/tests/integration/cases/google_guava_latest/policy.dl
index fba7461e4..76922ed27 100644
--- a/tests/integration/cases/google_guava_latest/policy.dl
+++ b/tests/integration/cases/google_guava_latest/policy.dl
@@ -4,7 +4,8 @@
 #include "prelude.dl"
 Policy("test_policy", component_id, "") :-
- check_passed(component_id, "mcn_version_control_system_1").
+ check_passed(component_id, "mcn_version_control_system_1"),
+ is_repo_url(component_id, "https://github.com/google/guava").
 apply_policy_to("test_policy", component_id) :-
 is_component(component_id, "pkg:maven/com.google.guava/guava@14.0.1?type=jar").