Added util func around semver to allow for custom preprocessing. Upgraded semver lib

[ksykulev]

For #22919

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.
• Added/updated automated tests
• A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it)
• Manual QA for all new/changed functionality

[ksykulev]

This is failing because semver v3 considers6.72.10-06 an invalid prerelease value.

V1 seems to be ok parsing it.

major: 6
minor: 72
patch: 10
pre: "06"
metadata: ""
original: "6.72.10-06"

Looking at the regex https://regex101.com/r/Ly7O1x/3/ this is indeed technically "not valid"

[ksykulev]

https://github.com/fleetdm/fleet/blob/main/server/vulnerabilities/nvd/cve_test.go#L710-L719

{
			name: "Can compare 4th version part",
			cve:  "CVE-2022-45889",
			meta: &wfn.Attributes{
				Vendor:  "planetestream",
				Product: "planet_estream",
				Version: "6.72.10.06",
			},
			want:    "6.72.10.07",
			wantErr: false,
		},

[ksykulev]

Added as part of #17683

[ksykulev]

Changing this test to something like 6.72.10.1 and 6.72.10.2 would make this test pass. The 0\d+ pattern is what is considered "invalid"

[ksykulev]

Going to skip this location as #24810 will most likely be removing semver usage here.

6.72.10.07 is a real software version number > https://nvd.nist.gov/vuln/detail/CVE-2022-45889

So trying to munge this sort of parsing to be valid semver seems futile.

[ksykulev]

Should server/vulnerabilities/nvd/cve.go#L731 be merged with the new func VersionToSemverVersion?

Answer: No. This code is going to be dealt with #24810

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.59%. Comparing base (a672ff8) to head (73131a3).
Report is 114 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #25437   +/-   ##
=======================================
  Coverage   63.58%   63.59%           
=======================================
  Files        1619     1619           
  Lines      154939   154986   +47     
  Branches     4038     4038           
=======================================
+ Hits        98524    98568   +44     
- Misses      48646    48648    +2     
- Partials     7769     7770    +1     

Flag	Coverage Δ
backend	64.44% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mostlikelee]

suggested a few places to remove to reduce risk/testing, otherwise LGTM

[mostlikelee]

i'd argue we don't need to change this (possibly adding risk) since this code only touches cryptsetup on linux

[mostlikelee]

same as above, Apple host OS version shouldn't come through this path

[mostlikelee]

same here as above

[mostlikelee]

LGTM!