
SemverDialects: NoMethodError: undefined method `<=' for nil:NilClass

Summary

SemverDialects.version_sat? raises the following exception:

    Failure/Error: return EmptyInterval.new if !(@start_cut <= other_interval.end_cut) || !(other_interval.start_cut <= @end_cut)

    NoMethodError:
      undefined method `<=' for nil:NilClass
    # ./lib/semver_dialects/semantic_version/version_interval.rb:21:in `intersect'
    # ./lib/semver_dialects/semantic_version/version_parser.rb:32:in `block in parse'
    # ./lib/semver_dialects/semantic_version/version_parser.rb:13:in `each'
    # ./lib/semver_dialects/semantic_version/version_parser.rb:13:in `parse'

This happens for pypi and nuget packages when given specific versions and version ranges. See https://gitlab.com/gitlab-org/vulnerability-research/foss/semver_dialects/-/merge_requests/21#note_1708836901

This occurs when iterating over the GitLab Advisory Database and passing every affected version range together with every version of the affected packages.

  • Continuous Vulnerability Scanning's AdvisoryScanner could raise the exact same error, although it seems this has not happened yet.
  • This prevents us from measuring the discrepancy rate between SemverDialects (used by CVS) and Gemnasium's vrange (used by Dependency Scanning CI jobs).
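The stack trace above shows `@start_cut` being nil when `intersect` compares it with `<=`, which is what an interval with no lower bound looks like once a range such as "<= 2.0.0" has been parsed. For a scanner this matters beyond the crash itself: an exception during range evaluation means the advisory match for that package is never computed at all. The following Ruby is an added example, not code from the semver_dialects gem: it models an interval whose cuts may be nil for an unbounded side, reproduces the failing comparison shape on such an interval, and places a nil-aware `intersect` beside it. Gem::Version ordering, the `VersionInterval`/`EmptyInterval` names, the tiny space-separated `>=`/`<=`/`=` range syntax with inclusive bounds only, and the `version_sat?` defined here are assumptions of this example, not the gem's API.

```ruby
require 'rubygems' # Gem::Version supplies version ordering (assumption of this demo, not the gem's comparator)

# Stand-in for an empty intersection result (name assumed from the stack trace).
class EmptyInterval
  def empty?; true; end
  def include?(_version); false; end
end

# Closed interval [start_cut, end_cut] over Gem::Version. A nil cut means the
# interval is unbounded on that side ("<= 2.0.0" has no start cut), which is the
# value the reported trace shows being used as the receiver of `<=`.
class VersionInterval
  attr_reader :start_cut, :end_cut

  def initialize(start_cut, end_cut)
    # Gem::Version.create returns nil for nil and passes a Gem::Version through.
    @start_cut = Gem::Version.create(start_cut)
    @end_cut   = Gem::Version.create(end_cut)
  end

  def empty?; false; end

  # Same comparison shape as the failing line in the report: when @start_cut is
  # nil, `nil <= other` raises NoMethodError because NilClass has no `<=`.
  def intersect_unsafe(other)
    return EmptyInterval.new if !(@start_cut <= other.end_cut) || !(other.start_cut <= @end_cut)
    VersionInterval.new([@start_cut, other.start_cut].max, [@end_cut, other.end_cut].min)
  end

  # nil-aware ordering: a missing start is -infinity and a missing end is
  # +infinity, so a start can only exceed an end when both cuts exist.
  def self.start_at_or_before?(start_cut, end_cut)
    start_cut.nil? || end_cut.nil? || start_cut <= end_cut
  end

  def intersect(other)
    overlap = self.class.start_at_or_before?(@start_cut, other.end_cut) &&
              self.class.start_at_or_before?(other.start_cut, @end_cut)
    return EmptyInterval.new unless overlap

    VersionInterval.new(tighter(@start_cut, other.start_cut) { |a, b| a >= b },
                        tighter(@end_cut, other.end_cut) { |a, b| a <= b })
  end

  def include?(version)
    v = Gem::Version.create(version)
    self.class.start_at_or_before?(@start_cut, v) && self.class.start_at_or_before?(v, @end_cut)
  end

  private

  # Picks the tighter of two cuts; a nil (unbounded) cut never tightens anything.
  def tighter(a, b)
    return b if a.nil?
    return a if b.nil?
    yield(a, b) ? a : b
  end
end

# Minimal range parser for this demo only (not the gem's dialect handling):
# space-separated constraints using >=, <= and = with inclusive bounds.
def parse_range(range)
  range.split.map do |constraint|
    m = constraint.match(/\A(>=|<=|=)(.+)\z/)
    raise ArgumentError, "unsupported constraint: #{constraint}" unless m
    op, ver = m.captures
    case op
    when '>=' then VersionInterval.new(ver, nil)
    when '<=' then VersionInterval.new(nil, ver)
    else           VersionInterval.new(ver, ver)
    end
  end
end

# Demo counterpart of SemverDialects.version_sat?: true when `version` lies in
# the intersection of every constraint in `range`.
def version_sat?(version, range)
  everything = VersionInterval.new(nil, nil)
  parse_range(range)
    .reduce(everything) { |acc, iv| acc.empty? ? acc : acc.intersect(iv) }
    .include?(version)
end

# Reproduces the report's failure mode: an interval with no start cut as the
# receiver of the unguarded comparison. Returns true when NoMethodError is raised.
def unsafe_intersect_raises?
  VersionInterval.new(nil, '2.0.0').intersect_unsafe(VersionInterval.new('1.0.0', '3.0.0'))
  false
rescue NoMethodError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe intersect raises on unbounded interval: #{unsafe_intersect_raises?}"
  puts "1.5.0 in '>=1.0.0 <=2.0.0': #{version_sat?('1.5.0', '>=1.0.0 <=2.0.0')}"
  puts "3.0.0 in '>=1.0.0':        #{version_sat?('3.0.0', '>=1.0.0')}"
end
```

The guard in `start_at_or_before?` is the whole fix: every comparison that can receive an unbounded cut is routed through it, so the open-ended ranges common in advisories ("fixed in no version", "affects all versions before X") are evaluated instead of aborting the scan.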

Further details

Version ranges that might trigger this exception are being discussed in #438859 (comment 1736097487).

Steps to reproduce

See https://gitlab.com/gitlab-org/vulnerability-research/foss/semver_dialects/-/merge_requests/21#note_1708836901

What is the current bug behavior?

version_sat? fails.

What is the expected correct behavior?

version_sat? does not fail.

Relevant logs and/or screenshots

https://gitlab.com/gitlab-org/vulnerability-research/foss/semver_dialects/-/merge_requests/21#note_1708836901

Edited by Fabien Catteau