Description
This is related to #1228 and #1252.
I noticed yesterday while working on #1228 that my tests using univers (https://github.com/nexB/univers) to compare affected and fixed-by versions threw a `univers.versions.InvalidVersion: '2.12.1-1%2Bdeb11u1' is not a valid <class 'univers.versions.DebianVersion'>` error when I included `pkg:deb/debian/jackson-databind@2.12.1-1%2Bdeb11u1` in the test.
I eventually figured out that the culprit was the string `%2B` -- the URL-encoded `+` that debian.org uses for this jackson-databind package. (See, e.g., https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding.) Importing `urllib.parse` and using the `unquote()` function enabled me to complete the comparison without error, and it is now part of my draft tests as well:
```python
import urllib.parse

import pytest
from univers import versions

# Test the error: DebianVersion rejects the percent-encoded version string.
with pytest.raises(versions.InvalidVersion):
    assert versions.DebianVersion("2.12.1-1%2Bdeb11u1") < versions.DebianVersion(
        "2.13.1-1%2Bdeb11u1"
    )

# Decode the version and test.
assert versions.DebianVersion(
    urllib.parse.unquote("2.12.1-1%2Bdeb11u1")
) < versions.DebianVersion(urllib.parse.unquote("2.13.1-1%2Bdeb11u1"))
```
My question: do we want to continue this approach, or would we prefer instead to use non-URL-encoded versions in our PURLs?

If we search in vulnerablecode.io for `pkg:deb/debian/jackson-databind@2.12.1-1%2Bdeb11u1` and `pkg:deb/debian/jackson-databind@2.12.1-1+deb11u1`, we get the same results -- displayed in the UI, for example, like this: `pkg:deb/debian/jackson-databind@2.12.1-1%2Bdeb11u1`, with these respective links:

https://public.vulnerablecode.io/packages/pkg:deb/debian/jackson-databind@2.12.1-1%252Bdeb11u1?search=pkg:deb/debian/jackson-databind@2.12.1-1%2Bdeb11u1

https://public.vulnerablecode.io/packages/pkg:deb/debian/jackson-databind@2.12.1-1%252Bdeb11u1?search=pkg:deb/debian/jackson-databind@2.12.1-1+deb11u1
FWIW, debian.org displays the non-encoded version `2.12.1-1+deb11u1` with an underlying link to a details page. See https://tracker.debian.org/pkg/jackson-databind.
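As an added example (not code from the vulnerablecode, univers or packageurl projects), the stdlib-only script below shows the decode-once approach used in the test above and why the `%2B` and `+` spellings in the search should resolve to the same package: it splits the version out of a PURL, percent-decodes it exactly once, rejects a result that is still encoded (a double-encoded `%252B` survives one `unquote()` as `%2B`), and normalizes both spellings to one string. The function names and the sample PURLs are this example's own.

```python
import re
from typing import Optional, Tuple
from urllib.parse import quote, unquote

# Constructed sample PURLs (this example's own): the same Debian package
# version written three ways.
PURL_ENCODED = "pkg:deb/debian/jackson-databind@2.12.1-1%2Bdeb11u1"
PURL_PLAIN = "pkg:deb/debian/jackson-databind@2.12.1-1+deb11u1"
PURL_DOUBLE_ENCODED = "pkg:deb/debian/jackson-databind@2.12.1-1%252Bdeb11u1"

# Debian policy character set for a version string: starts with a digit, then
# digits, letters and . + - ~ : only. A '%' left after decoding means the input
# was still percent-encoded (or double-encoded).
_DEBIAN_VERSION_RE = re.compile(r"^[0-9][0-9A-Za-z.+~:-]*$")


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split a PURL into (package part, version part); qualifiers and subpath are dropped."""
    body = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in body:
        package, version = body.rsplit("@", 1)
        return package, version
    return body, None


def decode_version(encoded: str) -> str:
    """Percent-decode a PURL version component exactly once and validate the result.

    unquote() (not unquote_plus()) is used on purpose: '+' is a literal character
    in Debian versions, not a space. Raises ValueError if a '%' survives, which is
    what a double-encoded input such as '%252B' produces after a single decode.
    """
    decoded = unquote(encoded)
    if not _DEBIAN_VERSION_RE.match(decoded):
        raise ValueError(f"{encoded!r} does not decode to a Debian version: {decoded!r}")
    return decoded


def normalize_purl(purl: str) -> str:
    """Return one canonical text for a PURL: version decoded once, then re-encoded.

    quote() turns '+' back into '%2B', so the '%2B' and '+' spellings of the same
    version collapse to the same string.
    """
    package, version = split_purl(purl)
    if version is None:
        return package
    return f"{package}@{quote(decode_version(version))}"


def same_package_version(purl_a: str, purl_b: str) -> bool:
    """True when two PURL spellings denote the same package version."""
    return normalize_purl(purl_a) == normalize_purl(purl_b)


if __name__ == "__main__":
    print(decode_version("2.12.1-1%2Bdeb11u1"))            # 2.12.1-1+deb11u1
    print(same_package_version(PURL_ENCODED, PURL_PLAIN))  # True
    try:
        decode_version("2.12.1-1%252Bdeb11u1")
    except ValueError as exc:
        print("rejected:", exc)
```

The decoded string is what should be handed to `univers.versions.DebianVersion`; the normalized PURL is what a lookup or search key should be built from, so that either spelling submitted by a user or a data source hits the same record.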