univers: mostly universal version and version ranges comparison and conversion
===============================================================================
|Build Status| |License| |Python 3.6+|
.. |Build Status| image:: https://api.travis-ci.com/sbs2001/univers.svg?branch=main&status=passed
.. |License| image:: https://img.shields.io/badge/License-Apache%202.0-blue.svg
:target: https://scancode-licensedb.aboutcode.org/apache-2.0.html
.. |Python 3.6+| image:: https://img.shields.io/badge/python-3.6+-blue.svg
:target: https://www.python.org/downloads/release/python-380/
**univers** was born out of the need for a mostly universal way to store version
ranges and to compare two software package versions in VulnerableCode.
Package version ranges and version constraints are useful and essential:
- When relating a known vulnerability or bug to a range of affected package
versions. For instance a statement such as "vulnerability 123 affects
package bar, version 3.1 and version 4.2 but not version 5" defines a
range of bar versions affected by a vulnerability.
- When resolving the dependencies of a package to express which subset of the
versions are supported. For instance a dependency requirement statement such
as "I require package foo, version 2.0 and later versions" defines a range of
acceptable foo versions.
Version syntaxes and range notations are quite different across ecosystems,
making it is difficult to process versions and version ranges across ecosystems
in a consistent way.
Existing tools and libraries typically support a single algorithms to parse and
compare versions with a single version range notation for a single package
ecosystem.
**univers** is different:
- It tracks each ecosystem versioning scheme and how two versions are compared.
- It support a growing number of package ecosystems versioning in a single
library.
- It can parse version range strings using their native notation (such as an npm
range) into the common "vers" notation and internal object model and can
return back a native version range string rebuilt from a "vers" range.
- It is designed to work with `Package URLs (purl) <https://github.com/package-url>`_.
How does **univers** work ?
============================
**univers** wraps, embeds and implements multiple version comparison libraries,
each focused on a specific ecosystem versioning scheme.
For each scheme, **univers** provides an implementation for:
- the version comparison procedure e.g, how to compare two versions,
- parsing and converting from a native version range notation to the
**univers** normalized and unified internal model,
- converting a range back to its scheme-native range syntax and to the
``vers`` syntax.
**univers** implements ``vers``, an experimental unified and mostly universal
version range syntax. It can parse and convert an existing native version range
strings to this unified syntax. For example, this means:
- converting ">=1.2.3" as used in a Python package into ``vers:pypi/>=1.2.3``,
- or converting "^1.0.2" as used in an npm package dependency declaration into
``vers:npm/>=1.0.2|<2.0.0``
The supported package ecosystems versioning schemes and underlying libraries
include:
- npm that use the "node-semver" ranges notation and the semver versions syntax
This is supported in part by the `semantic_version
<https://github.com/rbarrois/python-semanticversion>`_ library.
- pypi: handled by Python's packaging library and the standard
``packaging.version`` module.
- Rubygems which use a semver-like but not-quite-semver scheme and there can be
commonly more than three version segments.
Gems also use a slightly different range notation from node-semver with
different operators and slightly different semantics: for instance it uses "~>"
as a pessimistic operator and supports exclusion with != and does not support
"OR" between constraints (that it call requirements).
Gem are handled by Python port of the Rubygems requirements and version
handling code from the `puppeteer tool
<https://github.com/nexB/univers/blob/main/src/univers/debian.py.ABOUT>`_
- debian: handled by the `debian-inspector library
<https://github.com/nexB/univers/blob/main/src/univers/debian.py.ABOUT>`_.
- maven: handled by the embedded `pymaven library
<https://github.com/nexB/univers/blob/main/src/univers/pymaven.py.ABOUT>`_.
- rpm: handled by the embedded `rpm_vercmp library
<https://github.com/nexB/univers/blob/main/src/univers/rpm.py.ABOUT>`_.
- golang (using semver)
- PHP composer
- ebuild/gentoo: handled by the embedded `gentoo_vercmp module
<https://github.com/nexB/univers/blob/main/src/univers/gentoo.py.ABOUT>`_.
- arch linux: handled by the embedded `arch utility module borrowed from msys2
<https://github.com/nexB/univers/blob/main/src/univers/arch.py.ABOUT>`_.
- Alpine linux: handled using the base Gentoo version support and extras
specific to Alpine.
The level of support for each ecosystem may not be even for now and new schemes
and support for more package types are implemented on a continuous basis.
Alternative
============
Rather than using ecosystem-specific version schemes and code, another approach
is to use a single procedure for all the versions as implemented in `libversion
<https://github.com/repology/libversion>`_. ``libversion`` works in the most
common case but may not work correctly when a task that demand precise version
comparisons such as for dependency resolution and vulnerability lookup where
a "good enough" comparison accuracy is not acceptable. ``libversion`` does not
handle version range notations.
Installation
============
$ pip install univers
Examples
========
Compare two native Python versions:
.. code:: python
from univers.versions import PypiVersion
assert PypiVersion("1.2.3") < PypiVersion("1.2.4")
Normalize a version range from an npm:
.. code:: python
from univers.version_range import NpmVersionRange
range = NpmVersionRange.from_native("^1.0.2")
assert str(range) == "vers:npm/>=1.0.2|<2.0.0"
Test if a version is within or outside a version range:
.. code:: python
from univers.versions import PypiVersion
from univers.version_range import VersionRange
range = VersionRange.from_string("vers:pypi/>=1.2.4")
assert PypiVersion("1.2.4") in range
assert PypiVersion("1.2.3") not in range
Development
============
Run these commands, starting from a git clone of https://github.com/nexB/univers ::
$ ./configure --dev
$ source venv/bin/active
$ pytest -vvs
We use the same development process as other AboutCode projects.
Visit https://github.com/nexB/univers and
https://gitter.im/aboutcode-org/vulnerablecode and
https://gitter.im/aboutcode-org/aboutcode for support and chat.
Primary license: Apache-2.0
SPDX-License-Identifier: Apache-2.0 AND BSD-3-Clause AND MIT
Raw data
{
"_id": null,
"home_page": "https://github.com/nexB/univers",
"name": "univers",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": "",
"keywords": "semver,utilities,version,release,version range,package URL,purl,arch,pacman,pypi,rpm,gentoo,ebuild,maven,debian,rubygems",
"author": "Shivam Sandbhor, nexB. Inc. and others",
"author_email": "info@aboutcode.org",
"download_url": "https://files.pythonhosted.org/packages/9b/63/7bfa076d87553965413c7db9de397e25574edf444e69a112648d53aee65e/univers-30.11.0.tar.gz",
"platform": null,
"description": "univers: mostly universal version and version ranges comparison and conversion\n===============================================================================\n\n|Build Status| |License| |Python 3.6+|\n\n.. |Build Status| image:: https://api.travis-ci.com/sbs2001/univers.svg?branch=main&status=passed\n.. |License| image:: https://img.shields.io/badge/License-Apache%202.0-blue.svg\n :target: https://scancode-licensedb.aboutcode.org/apache-2.0.html\n.. |Python 3.6+| image:: https://img.shields.io/badge/python-3.6+-blue.svg\n :target: https://www.python.org/downloads/release/python-380/\n\n\n**univers** was born out of the need for a mostly universal way to store version\nranges and to compare two software package versions in VulnerableCode.\n\nPackage version ranges and version constraints are useful and essential:\n\n- When relating a known vulnerability or bug to a range of affected package\n versions. For instance a statement such as \"vulnerability 123 affects \n package bar, version 3.1 and version 4.2 but not version 5\" defines a\n range of bar versions affected by a vulnerability.\n\n- When resolving the dependencies of a package to express which subset of the\n versions are supported. For instance a dependency requirement statement such\n as \"I require package foo, version 2.0 and later versions\" defines a range of\n acceptable foo versions.\n\nVersion syntaxes and range notations are quite different across ecosystems,\nmaking it is difficult to process versions and version ranges across ecosystems\nin a consistent way.\n\nExisting tools and libraries typically support a single algorithms to parse and\ncompare versions with a single version range notation for a single package\necosystem.\n\n\n**univers** is different:\n\n- It tracks each ecosystem versioning scheme and how two versions are compared.\n\n- It support a growing number of package ecosystems versioning in a single\n library.\n\n- It can parse version range strings using their native notation (such as an npm\n range) into the common \"vers\" notation and internal object model and can\n return back a native version range string rebuilt from a \"vers\" range.\n\n- It is designed to work with `Package URLs (purl) <https://github.com/package-url>`_.\n\n\nHow does **univers** work ?\n============================\n\n**univers** wraps, embeds and implements multiple version comparison libraries,\neach focused on a specific ecosystem versioning scheme.\n\nFor each scheme, **univers** provides an implementation for:\n\n- the version comparison procedure e.g, how to compare two versions,\n- parsing and converting from a native version range notation to the\n **univers** normalized and unified internal model,\n- converting a range back to its scheme-native range syntax and to the\n ``vers`` syntax.\n\n**univers** implements ``vers``, an experimental unified and mostly universal\nversion range syntax. It can parse and convert an existing native version range\nstrings to this unified syntax. For example, this means:\n\n- converting \">=1.2.3\" as used in a Python package into ``vers:pypi/>=1.2.3``,\n\n- or converting \"^1.0.2\" as used in an npm package dependency declaration into\n ``vers:npm/>=1.0.2|<2.0.0``\n\nThe supported package ecosystems versioning schemes and underlying libraries\ninclude:\n\n- npm that use the \"node-semver\" ranges notation and the semver versions syntax\n This is supported in part by the `semantic_version\n <https://github.com/rbarrois/python-semanticversion>`_ library.\n\n- pypi: handled by Python's packaging library and the standard \n ``packaging.version`` module.\n\n- Rubygems which use a semver-like but not-quite-semver scheme and there can be\n commonly more than three version segments.\n Gems also use a slightly different range notation from node-semver with\n different operators and slightly different semantics: for instance it uses \"~>\"\n as a pessimistic operator and supports exclusion with != and does not support\n \"OR\" between constraints (that it call requirements).\n Gem are handled by Python port of the Rubygems requirements and version\n handling code from the `puppeteer tool\n <https://github.com/nexB/univers/blob/main/src/univers/debian.py.ABOUT>`_\n\n- debian: handled by the `debian-inspector library\n <https://github.com/nexB/univers/blob/main/src/univers/debian.py.ABOUT>`_.\n\n- maven: handled by the embedded `pymaven library\n <https://github.com/nexB/univers/blob/main/src/univers/pymaven.py.ABOUT>`_.\n\n- rpm: handled by the embedded `rpm_vercmp library\n <https://github.com/nexB/univers/blob/main/src/univers/rpm.py.ABOUT>`_.\n\n- golang (using semver)\n\n- PHP composer\n\n- ebuild/gentoo: handled by the embedded `gentoo_vercmp module\n <https://github.com/nexB/univers/blob/main/src/univers/gentoo.py.ABOUT>`_.\n\n- arch linux: handled by the embedded `arch utility module borrowed from msys2\n <https://github.com/nexB/univers/blob/main/src/univers/arch.py.ABOUT>`_.\n\n- Alpine linux: handled using the base Gentoo version support and extras\n specific to Alpine.\n\n\nThe level of support for each ecosystem may not be even for now and new schemes\nand support for more package types are implemented on a continuous basis.\n\n\nAlternative\n============\n\nRather than using ecosystem-specific version schemes and code, another approach\nis to use a single procedure for all the versions as implemented in `libversion\n<https://github.com/repology/libversion>`_. ``libversion`` works in the most\ncommon case but may not work correctly when a task that demand precise version\ncomparisons such as for dependency resolution and vulnerability lookup where\na \"good enough\" comparison accuracy is not acceptable. ``libversion`` does not\nhandle version range notations.\n\n\nInstallation\n============\n\n $ pip install univers\n\n\nExamples\n========\n\nCompare two native Python versions:\n\n.. code:: python\n\n from univers.versions import PypiVersion\n assert PypiVersion(\"1.2.3\") < PypiVersion(\"1.2.4\")\n\n\nNormalize a version range from an npm:\n\n.. code:: python\n\n from univers.version_range import NpmVersionRange\n range = NpmVersionRange.from_native(\"^1.0.2\")\n assert str(range) == \"vers:npm/>=1.0.2|<2.0.0\"\n\n\nTest if a version is within or outside a version range:\n\n.. code:: python\n\n from univers.versions import PypiVersion\n from univers.version_range import VersionRange\n\n range = VersionRange.from_string(\"vers:pypi/>=1.2.4\")\n\n assert PypiVersion(\"1.2.4\") in range\n assert PypiVersion(\"1.2.3\") not in range\n\n\nDevelopment\n============\n\nRun these commands, starting from a git clone of https://github.com/nexB/univers ::\n\n $ ./configure --dev\n $ source venv/bin/active\n $ pytest -vvs\n\n\nWe use the same development process as other AboutCode projects.\n\nVisit https://github.com/nexB/univers and\nhttps://gitter.im/aboutcode-org/vulnerablecode and\nhttps://gitter.im/aboutcode-org/aboutcode for support and chat.\n\n\nPrimary license: Apache-2.0\nSPDX-License-Identifier: Apache-2.0 AND BSD-3-Clause AND MIT\n",
"bugtrack_url": null,
"license": "Apache-2.0 AND BSD-3-Clause AND MIT",
"summary": "A mostly universal library to parse and compare software package versions and version ranges. A companion to Package URLs.",
"version": "30.11.0",
"project_urls": {
"Homepage": "https://github.com/nexB/univers"
},
"split_keywords": [
"semver",
"utilities",
"version",
"release",
"version range",
"package url",
"purl",
"arch",
"pacman",
"pypi",
"rpm",
"gentoo",
"ebuild",
"maven",
"debian",
"rubygems"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "05ae6604aa9d167dfc76495259a2d1f468835741d2d443f78c8df357f29c215b",
"md5": "35a2afc5c48c069c853ace54c1210de5",
"sha256": "0c27fa2d8c61ef3f62871c01d8b6112cf3ad6d0e82731019ad64ef3abd5ea469"
},
"downloads": -1,
"filename": "univers-30.11.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "35a2afc5c48c069c853ace54c1210de5",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.7",
"size": 91415,
"upload_time": "2023-09-12T09:01:21",
"upload_time_iso_8601": "2023-09-12T09:01:21.231557Z",
"url": "https://files.pythonhosted.org/packages/05/ae/6604aa9d167dfc76495259a2d1f468835741d2d443f78c8df357f29c215b/univers-30.11.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "9b637bfa076d87553965413c7db9de397e25574edf444e69a112648d53aee65e",
"md5": "2b0ab55f8a3ce5c8a8ab3ae079421143",
"sha256": "c72ae0f01f82e7150df331cbacc6c07bf3168d96fc7c22f4308033db0e01eff5"
},
"downloads": -1,
"filename": "univers-30.11.0.tar.gz",
"has_sig": false,
"md5_digest": "2b0ab55f8a3ce5c8a8ab3ae079421143",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7",
"size": 270882,
"upload_time": "2023-09-12T09:01:23",
"upload_time_iso_8601": "2023-09-12T09:01:23.093633Z",
"url": "https://files.pythonhosted.org/packages/9b/63/7bfa076d87553965413c7db9de397e25574edf444e69a112648d53aee65e/univers-30.11.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-09-12 09:01:23",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "nexB",
"github_project": "univers",
"github_fetch_exception": true,
"lcname": "univers"
}
JSON
