Skip to content

Fix: support Alpine-specific version formats rejected by the Gentoo regex (fixes #59)#186

Open
shivamtiwari3 wants to merge 1 commit intoaboutcode-org:mainfrom
shivamtiwari3:fix/alpine-unsupported-version-formats
Open

Fix: support Alpine-specific version formats rejected by the Gentoo regex (fixes #59)#186
shivamtiwari3 wants to merge 1 commit intoaboutcode-org:mainfrom
shivamtiwari3:fix/alpine-unsupported-version-formats

Conversation

@shivamtiwari3
Copy link

@shivamtiwari3 shivamtiwari3 commented Mar 13, 2026

Summary

Fixes #59.

AlpineLinuxVersion delegates validation to gentoo.is_valid(), whose regex only accepts the Gentoo version grammar. Alpine extends that grammar with several patterns that appear in real package databases (surfaced via VulnerableCode), causing InvalidVersion to be raised for valid Alpine packages.

Root Cause

In src/univers/versions.py, AlpineLinuxVersion.is_valid() calls gentoo.is_valid(string) directly. The Gentoo regex (^(?:\d+)(?:\.\d+)*[a-zA-Z]?(?:_(p(?:re)?|beta|alpha|rc)\d*)*$) rejects these real-world Alpine patterns:

Input Why it fails
1.9.5p2-r0 (OpenSSH portable) Letter+digit suffix p2 after dotted version; Gentoo only allows a bare letter
5.15.3_git20200401-r0 _git is not in Gentoo's allowed suffix words
1.11-20-r0, 57-1-r2 Dash used as numeric component separator
0.12.5.-r0 Spurious dot before the -r0 revision marker
0.8.21.r2 Revision written as .r2 instead of -r2

Solution

Override AlpineLinuxVersion.normalize() with a new _normalize_alpine_to_gentoo() helper that rewrites Alpine-specific patterns into their Gentoo-compatible equivalents before is_valid() and vercmp() see the string:

  • "1.9.5p2-r0""1.9.5_p2-r0" (insert _ before single-letter+digit suffix)
  • "5.15.3_git20200401-r0""5.15.3_alpha20200401-r0" (_git/_cvs/_svn snapshots treated as pre-releases)
  • "1.11-20-r0""1.11.20-r0" (dash-as-dot separator)
  • "0.12.5.-r0""0.12.5-r0" (strip spurious dot before revision)
  • "0.8.21.r2""0.8.21-r2" (normalise .rN-rN)

No changes to gentoo.py — Gentoo validation and comparison are unaffected.

Testing

  • Added test_alpine_extended_version_formats — verifies every version from issue Unsupported Alpine versions #59 parses and normalises to the expected Gentoo-compatible string.
  • Added test_alpine_extended_version_comparison — verifies correct ordering (e.g. p1 < p2, git snapshot < stable release).
  • All 748 existing Alpine tests still pass; the one pre-existing failure in test_enhanced_semantic_version is unrelated to this change (confirmed by reproducing on main before the patch).
  • Run with: pytest tests/test_alpine.py -v

Checklist

  • Fixes the root cause (normalisation, not just validation bypass)
  • New tests cover every failing version from the issue report
  • All existing tests pass
  • No unrelated changes
  • Code style matches project conventions

@shivamtiwari3
Fix: support Alpine-specific version formats that Gentoo regex rejects (
289d3a1 
fixes aboutcode-org#59)

Root cause: AlpineLinuxVersion.is_valid() delegates directly to gentoo.is_valid(),
which only accepts the Gentoo version grammar. Alpine extends that grammar with
extra patterns: a letter+digit portable-release suffix (e.g. "1.9.5p2"), the
_git/_cvs/_svn snapshot suffixes, dash as a numeric component separator
("1.11-20-r0"), and minor malformations found in real package databases
("0.12.5.-r0", "0.8.21.r2").

Fix: override AlpineLinuxVersion.normalize() with _normalize_alpine_to_gentoo(),
which rewrites these Alpine-only patterns into their Gentoo equivalents before
validation and comparison:
  "1.9.5p2-r0"            -> "1.9.5_p2-r0"
  "5.15.3_git20200401-r0" -> "5.15.3_alpha20200401-r0"
  "1.11-20-r0"            -> "1.11.20-r0"
  "0.12.5.-r0"            -> "0.12.5-r0"
  "0.8.21.r2"             -> "0.8.21-r2"

Signed-off-by: shivamtiwari3 <33183708+shivamtiwari3@users.noreply.github.com>
@shivamtiwari3 shivamtiwari3 force-pushed the fix/alpine-unsupported-version-formats branch from d652391 to 289d3a1 Compare March 13, 2026 09:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Unsupported Alpine versions

1 participant

@shivamtiwari3