fix: alpine versions <=/>= (#3978)

The alpine versions seem to be falling back to string comparisons for
`>=`/`<=`, which is wrong.
This issue is in the univers code we've vendored, which seems to be a
bit outdated, but it's [still present on their current
version](aboutcode-org/univers#172)

I've added tests to catch this in Alpine and other ecosystems, but APK
seems to have been the only ecosystem affected.

Author: michaelkedar

osv/ecosystems/alpine_test.py

@@ -75,6 +75,12 @@ def test_apk(self):
     self.assertLess(
         ecosystem.sort_key('13.0.14.5-r1'), ecosystem.sort_key('16.6-r0'))
 
+    # Check >= / <= methods: https://github.com/google/osv.dev/pull/3978
+    self.assertGreaterEqual(
+        ecosystem.sort_key('1.10.0-r0'), ecosystem.sort_key('1.2.0-r0'))
+    self.assertLessEqual(
+        ecosystem.sort_key('1.2.0-r0'), ecosystem.sort_key('1.10.0-r0'))
+
   def test_apk_ecosystems(self):
     """Test apk-based ecosystems return an APK ecosystem."""
     ecos = [

osv/ecosystems/debian_test.py

@@ -72,6 +72,12 @@ def test_dpkg(self):
     self.assertLess(
         ecosystem.sort_key("13.0.14.5-e1"), ecosystem.sort_key("16.6-e0"))
 
+    # Check >= / <= methods
+    self.assertGreaterEqual(
+        ecosystem.sort_key('1.10.0-1'), ecosystem.sort_key('1.2.0-1'))
+    self.assertLessEqual(
+        ecosystem.sort_key('1.2.0-1'), ecosystem.sort_key('1.10.0-1'))
+
   def test_dpkg_ecosystems(self):
     """Test dpkg-based ecosystems return a DPKG ecosystem."""
     ecos = [

osv/ecosystems/haskell_test.py

@@ -42,6 +42,12 @@ def test_sort_key(self):
     self.assertGreater(
         ecosystem.sort_key('1-20-0'), ecosystem.sort_key('1.20.0'))
 
+    # Check >= / <= methods
+    self.assertGreaterEqual(
+        ecosystem.sort_key('1-20-0'), ecosystem.sort_key('1.20.0'))
+    self.assertLessEqual(
+        ecosystem.sort_key('1.20.0'), ecosystem.sort_key('1-20-0'))
+
 
 class GHCEcosystemTest(vcr.unittest.VCRTestCase):
   """GHC ecosystem helper tests."""

osv/ecosystems/maven_test.py

@@ -241,6 +241,13 @@ def test_version_zero(self):
     # actual case from com.graphql-java:graphql-java
     self.check_versions_order('0.0.0-2021-05-17T01-01-51-5ec03a8b', '20.0.0')
 
+  def test_version_ge_le(self):
+    """Test >= and <=."""
+    self.assertGreaterEqual(
+        maven.Version.from_string('1.10.0'), maven.Version.from_string('1.2.0'))
+    self.assertLessEqual(
+        maven.Version.from_string('1.2.0'), maven.Version.from_string('1.10.0'))
+
 
 class MavenEcosystemTest(vcr.unittest.VCRTestCase):
   """Maven ecosystem helper tests."""

osv/ecosystems/nuget_test.py

@@ -84,6 +84,11 @@ def test_less(self):
     self.check_order(self.assertLess, '1.0.0', '1.0.0.1-alpha')
     self.check_order(self.assertLess, '0.9.9.1', '1.0.0')
 
+  def test_ge_le(self):
+    """Test version >=/<=."""
+    self.check_order(self.assertGreaterEqual, '1.10.0', '1.2.0')
+    self.check_order(self.assertLessEqual, '1.2.0', '1.10.0')
+
 
 class NuGetEcosystemTest(vcr.unittest.VCRTestCase):
   """NuGet ecosystem helper tests."""

osv/ecosystems/packagist_test.py

@@ -39,6 +39,12 @@ def test_packagist(self):
     self.assertEqual(
         ecosystem.sort_key('1.0.0rc2'), ecosystem.sort_key('1.0.0.rc2'))
 
+    # Check >= / <= methods
+    self.assertGreaterEqual(
+        ecosystem.sort_key('1.10-2RC1'), ecosystem.sort_key('1.2-2RC1'))
+    self.assertLessEqual(
+        ecosystem.sort_key('1.2-2RC1'), ecosystem.sort_key('1.10-2RC1'))
+
     enumerated_versions = ecosystem.enumerate_versions('neos/neos', '3.3.0',
                                                        '4.4.0')
     self.assertIn('4.3.19', enumerated_versions)

osv/ecosystems/pub_test.py

@@ -59,6 +59,13 @@ def check_version_equals(v1, v2):
     check_version_equals('1.2.3-01', '1.2.3-1')
     check_version_equals('1.2.3+01', '1.2.3+1')
 
+  def test_ge_le(self):
+    """Test version >=/<=."""
+    self.assertGreaterEqual(
+        pub.Version.from_string('1.10.0'), pub.Version.from_string('1.2.0'))
+    self.assertLessEqual(
+        pub.Version.from_string('1.2.0'), pub.Version.from_string('1.10.0'))
+
   def test_parse(self):
     """Test versions can be parsed."""
     pub.Version.from_string('0.0.0')

osv/ecosystems/pypi_test.py

@@ -39,3 +39,8 @@ def test_sort_key(self):
     ecosystem = ecosystems.get('PyPI')
     self.assertGreater(ecosystem.sort_key('2.0.0'), ecosystem.sort_key('1.0.0'))
     self.assertLess(ecosystem.sort_key('invalid'), ecosystem.sort_key('0'))
+    # Check >= / <= methods
+    self.assertGreaterEqual(
+        ecosystem.sort_key('1.10.0'), ecosystem.sort_key('1.2.0'))
+    self.assertLessEqual(
+        ecosystem.sort_key('1.2.0'), ecosystem.sort_key('1.10.0'))

osv/ecosystems/redhat_test.py

@@ -111,6 +111,14 @@ def test_rpm(self):
     self.assertEqual(
         ecosystem.sort_key("2.0.8-4.8.2"), ecosystem.sort_key("2.0.8-4.8.2"))
 
+    # Check >= / <= methods
+    self.assertGreaterEqual(
+        ecosystem.sort_key('1.10.2-1.oe2203'),
+        ecosystem.sort_key('1.2.2-1.oe2203'))
+    self.assertLessEqual(
+        ecosystem.sort_key('1.2.2-1.oe2203'),
+        ecosystem.sort_key('1.10.2-1.oe2203'))
+
   def test_rpm_ecosystems(self):
     """Test RPM-based ecosystems return an RPM ecosystem."""
     ecos = [

osv/ecosystems/rubygems_test.py

@@ -45,3 +45,8 @@ def test_sort_key(self):
         ecosystem.sort_key('invalid'), ecosystem.sort_key('4.0.0.rc1'))
     self.assertGreater(
         ecosystem.sort_key('v3.1.1'), ecosystem.sort_key('4.0.0.rc1'))
+    # Check >= / <= methods
+    self.assertGreaterEqual(
+        ecosystem.sort_key('1.10.0.rc1'), ecosystem.sort_key('1.2.0.rc1'))
+    self.assertLessEqual(
+        ecosystem.sort_key('1.2.0.rc1'), ecosystem.sort_key('1.10.0.rc1'))