Composer version not always a string #1138
Can you name the package(s) with the erroring versions? My understanding is that composer requires versions to be semantic
Thanks @G-Rath for the quick answer. The package name is
Cool thanks - if you can, it would be good if you could provide a small but complete lock file reproducing the error but otherwise now that I've got the name I can look into it tomorrow morning :)
@3asm could you speak more about how you generated this, including the composer version and json file? I suspect this is technically invalid (or maybe not natural?) - using this
Gives me a lockfile with that version but as a string rather than a number. In saying that, if I edit the lockfile to be a number, composer doesn't seem to complain... It should be straightforward to support this case (we're having to do it in a couple of the other parsers), but interested in knowing more about its real-world implications since this is the first time I've come across this
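The error quoted in the issue comes from `encoding/json` refusing to decode a JSON number into a Go `string` field, and the fix the comment above describes (accepting the number and keeping it as a string) is a small custom `json.Unmarshaler`. The following is an added example written for this page, not osv-scanner's own code: the `FlexString` type, the `composerLock`/`strictLock` structs, `ParseVersions`, `StrictParseError` and the `sampleLock` fragment are all hypothetical names and constructed input. It decodes the same constructed lock file once with a plain `string` field (reproducing the failure) and once with the lenient type.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// FlexString is a hypothetical type for this example (not osv-scanner's own
// code). It accepts a JSON string or a JSON number and stores the value as a
// string, so a bare number such as 1.10 in composer.lock no longer aborts
// decoding of the whole file.
type FlexString string

// UnmarshalJSON implements json.Unmarshaler.
func (f *FlexString) UnmarshalJSON(data []byte) error {
	// Normal case: the version is already a JSON string.
	var s string
	if err := json.Unmarshal(data, &s); err == nil {
		*f = FlexString(s)
		return nil
	}
	// Fallback: a bare JSON number. json.Number keeps the literal's text, so
	// 1.10 stays "1.10" instead of collapsing to "1.1" the way float64 would,
	// which matters because "1.10" and "1.1" are different versions.
	var n json.Number
	if err := json.Unmarshal(data, &n); err == nil {
		*f = FlexString(n.String())
		return nil
	}
	return fmt.Errorf("version must be a JSON string or number, got %s", data)
}

// composerLock mirrors just the part of composer.lock this example reads.
type composerLock struct {
	Packages []composerPackage `json:"packages"`
}

type composerPackage struct {
	Name    string     `json:"name"`
	Version FlexString `json:"version"`
}

// strictLock uses a plain string field, which reproduces the error in the issue.
type strictLock struct {
	Packages []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"packages"`
}

// sampleLock is a constructed composer.lock fragment: one package with a
// normal string version and one with a bare numeric version.
const sampleLock = `{
  "packages": [
    {"name": "vendor/pkg-a", "version": "v1.2.3"},
    {"name": "vendor/pkg-b", "version": 1.10}
  ]
}`

// ParseVersions decodes the lock file leniently and returns name -> version.
func ParseVersions(data []byte) (map[string]string, error) {
	var lock composerLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(lock.Packages))
	for _, p := range lock.Packages {
		out[p.Name] = string(p.Version)
	}
	return out, nil
}

// StrictParseError decodes with a plain string field and returns the error
// that produces, or nil if decoding succeeded.
func StrictParseError(data []byte) error {
	var lock strictLock
	return json.Unmarshal(data, &lock)
}

func main() {
	if err := StrictParseError([]byte(sampleLock)); err != nil {
		fmt.Println("strict decode:", err)
	}
	versions, err := ParseVersions([]byte(sampleLock))
	if err != nil {
		fmt.Fprintln(os.Stderr, "lenient decode:", err)
		os.Exit(1)
	}
	for _, name := range []string{"vendor/pkg-a", "vendor/pkg-b"} {
		fmt.Printf("%s %s\n", name, versions[name])
	}
}
```

Going through `json.Number` rather than `float64` is the design choice worth noting: a scanner matches versions textually against advisory ranges, so silently rewriting `1.10` as `1.1` would produce wrong matches rather than a visible parse error.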
@3asm Friendly ping on if you know how this file is generated? :)
Sorry @another-rex I missed that. No, I don't, the file was collected during a vulnerability scan.
composer.lock files may have a dependency package version as a number instead of a string (see: google/osv-scanner#1138). In that case `new PackageURL(...)` throws the following error: Error: Invalid purl: "versions" argument must be a string. Signed-off-by: Maxime Robert <[email protected]>
While analyzing a composer.lock file we have the following error: (extracting as composer.lock) could not extract from /app/composer.lock: json: cannot unmarshal number into Go struct field ComposerPackage.packages.version of type string
The version in this case is not a string: