Add univers support for Conan #101

Open
johnmhoran opened this issue Feb 16, 2023 · 5 comments
@johnmhoran
Member

See also nexB/vulnerablecode#1022.

@johnmhoran johnmhoran added the enhancement New feature or request label Feb 16, 2023
@johnmhoran johnmhoran self-assigned this Feb 16, 2023
@johnmhoran
Member Author

@TG1999 I've built some of my univers test code using the structure you showed me last week in a huddle screenshare. This is a relevant excerpt for an error that I just generated.

```python
for index, native in enumerate(natives, 1):
    vers = GenericVersionRange.from_native(native)
    if vers.invert():
        test = dict(
            test_index=index,
            scheme=scheme,
            gitlab_native=native,
            expected_vers=str(vers),
            expected_vers_inverted=str(vers.invert()),
        )
    else:
        test = dict(
            test_index=index,
            scheme=scheme,
            gitlab_native=native,
            expected_vers=str(vers),
            expected_vers_inverted=None,
        )
    generic_test_cases.append(test)
```

My initial test used NpmVersionRange since that was an example we briefly looked at. Unsurprisingly, this threw an error on one of the affected_ranges values. I then tried it using GenericVersionRange, and got this error:

```
AttributeError                            Traceback (most recent call last)
/home/jmh/dev/johnmhoran/spyder-substitute-pip-01/univers-01/scrape-cloned-gitlab-create-conan-json-01.py in line 64
     62 for index, native in enumerate(natives, 1):
     63     vers = GenericVersionRange.from_native(native)
---> 64     if vers.invert():
     65         test = dict(
     66             test_index=index,
     67             scheme=scheme,
   (...)
     70             expected_vers_inverted=str(vers.invert()),
     71         )
     72     else:

AttributeError: type object 'NotImplementedError' has no attribute 'invert'
```

Does this mean that I should omit the if vers.invert() portion of my JSON test, or that I should use something other than GenericVersionRange, or perhaps some other error on my part?
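
Added example (not part of the thread, and not univers code): the traceback above shows that `vers` was the `NotImplementedError` class itself, so `from_native()` returned the class rather than raising it. The stand-in classes `UnimplementedRange` and `ToyRange` and the helpers `parse_native` and `build_test_case` are hypothetical; the sketch shows a test generator that records such schemes instead of crashing on `.invert()`.

```python
class UnimplementedRange:
    """Constructed stand-in: from_native() hands back the exception class."""

    @classmethod
    def from_native(cls, string):
        return NotImplementedError  # returned, not raised


class ToyRange(UnimplementedRange):
    """Constructed stand-in for a scheme that does parse its native syntax."""

    def __init__(self, constraints):
        self.constraints = constraints

    @classmethod
    def from_native(cls, string):
        return cls(string.split())

    def __str__(self):
        return "vers:toy/" + "|".join(self.constraints)

    def invert(self):
        return None  # inversion is left out of the toy


def parse_native(range_class, native):
    """Return a range instance, or raise if from_native() is not implemented."""
    vers = range_class.from_native(native)
    if not isinstance(vers, range_class):
        raise NotImplementedError(
            f"{range_class.__name__}.from_native() returned {vers!r}"
        )
    return vers


def build_test_case(index, scheme, range_class, native):
    """Build one JSON test entry; record an error instead of crashing."""
    case = dict(test_index=index, scheme=scheme, gitlab_native=native)
    try:
        vers = parse_native(range_class, native)
    except NotImplementedError as exc:
        case.update(expected_vers=None, expected_vers_inverted=None, error=str(exc))
        return case
    inverted = vers.invert()  # call once and reuse the result
    case.update(
        expected_vers=str(vers),
        expected_vers_inverted=str(inverted) if inverted else None,
    )
    return case
```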

@johnmhoran
Member Author

@TG1999 GH evidently won't allow me to upload my .py file, but here are 3 of the relevant data files I've generated.

conan_advisories.txt
conan_affected_ranges.txt
conan_files.txt

@johnmhoran
Member Author

@TG1999 Out of curiosity I've tested a number of other version range schemas, with these results:

```
# Errors:

# ApacheVersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'

# ComposerVersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'

# DebianVersionRange
# InvalidVersion: '5.1.0<=5.1.1' is not a valid <class 'univers.versions.DebianVersion'>

# GemVersionRange
# InvalidRequirementError: Illformed requirement {requirement!r}

# GenericVersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'

# GolangVersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'

# MavenVersionRange
# No error thrown but all JSON output entries look like this:
#   {
#     "test_index": 1,
#     "scheme": "maven",
#     "gitlab_native": ">=5.1.0 <=5.1.1",
#     "expected_vers": "vers:maven/None",
#     "expected_vers_inverted": "vers:maven/!=None"
#   },

# NpmVersionRange
# InvalidVersion: 'cci.20200203' is not a valid <class 'univers.versions.SemverVersion'>

# NugetVersionRange
# InvalidNuGetVersion: version does not contain any digit: None

# PypiVersionRange
# InvalidSpecifier: Invalid specifier: '>=5.1.0<=5.1.1'
# ^ This has deleted the space between the 2 values in the 1st entry

# RpmVersionRange
# ValueError: Unknown comparator in version requirement: ''

# VersionRange
# AttributeError: type object 'NotImplementedError' has no attribute 'invert'
```

@TG1999
Member

TG1999 commented Feb 22, 2023

> @TG1999 GH evidently won't allow me to upload my .py file, but here are 3 of the relevant data files I've generated.
>
> conan_advisories.txt conan_affected_ranges.txt conan_files.txt

@johnmhoran thanks for getting all this data. Please see if the way these ranges are stored in GitLab is the native way to represent these ranges?

@johnmhoran
Member Author

johnmhoran commented Feb 22, 2023

@TG1999 Before I do, as I noted above I tried to implement the code you showed me on the screen share last week -- what does that error mean, and how do I deal with it?

[Resolved -- thank you @TG1999 👍 🙂 ]

johnmhoran added a commit that referenced this issue Feb 23, 2023
Reference: #101

Signed-off-by: John M. Horan <johnmhoran@gmail.com>
johnmhoran added a commit that referenced this issue Feb 24, 2023
Reference: #101

Signed-off-by: John M. Horan <johnmhoran@gmail.com>
johnmhoran added a commit that referenced this issue Mar 1, 2023
Reference: #101

Signed-off-by: John M. Horan <johnmhoran@gmail.com>
johnmhoran added a commit that referenced this issue Mar 8, 2023
Reference: #101

Signed-off-by: John M. Horan <johnmhoran@gmail.com>