Also always mark as vulnerable the versions explicitly named in the version spec

for the operators <=, >=, even if the vulnerable version is missing from the
Maven central list.
MagielBruntink committed Jan 27, 2024
1 parent 8f02fee commit 568bc4b
Showing 1 changed file with 20 additions and 13 deletions.
Expand Up @@ -341,11 +341,12 @@ public List<String> getVulnerableVersionsYAML(List<String> encodedRangeVersions,
}

public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<String> allVersions) {
List<ComparableVersion> allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
Set<ComparableVersion> vulnerableVersions = Sets.newLinkedHashSet(allParsedVersions);
List<ComparableVersion> allParsedVersions = allVersions.stream().map(ComparableVersion::new)
.collect(Collectors.toList());
Set<ComparableVersion> vulnerableVersions = Sets.newLinkedHashSet(allParsedVersions);

Set<ComparableVersion> versionsToRemove = Sets.newLinkedHashSet();
Set<ComparableVersion> versionsToKeep = Sets.newLinkedHashSet();
Set<ComparableVersion> versionsToKeep = Sets.newLinkedHashSet();

for (String range : encodedRangeVersions.split(",")) {
String operator = range.strip().split("[0-9]")[0].strip();
Expand All @@ -355,34 +356,40 @@ public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<
switch (operator) {
case "==":
case "=": {
versionsToKeep.add(parsedVersionFromRange);
versionsToKeep.add(parsedVersionFromRange);
break;
}
case "<=": {
versionsToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
versionsToKeep.add(parsedVersionFromRange);
versionsToRemove.addAll(
findGreaterVersions(parsedVersionFromRange, allParsedVersions));
break;
}
case "<": {
versionsToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
versionsToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange,
allParsedVersions));
break;
}
case ">=": {
versionsToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
versionsToKeep.add(parsedVersionFromRange);
versionsToRemove.addAll(
findSmallerVersions(parsedVersionFromRange, allParsedVersions));
break;
}
case ">": {
versionsToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
versionsToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange,
allParsedVersions));
break;
}
default:
logger.warn("getVulnerableVersionsJSON: unknown operator " + operator);
}
}
if(versionsToRemove.size() == 0 && versionsToKeep.size() != 0) {
vulnerableVersions.clear();
}
versionsToRemove.stream().forEach(vulnerableVersions::remove);
versionsToKeep.stream().forEach(vulnerableVersions::add);
if (versionsToRemove.size() == 0 && versionsToKeep.size() != 0) {
vulnerableVersions.clear();
}
versionsToRemove.stream().forEach(vulnerableVersions::remove);
versionsToKeep.stream().forEach(vulnerableVersions::add);
return vulnerableVersions.stream().map(v -> v.toString()).collect(Collectors.toList());
}

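Review bot: The new `versionsToKeep.add(parsedVersionFromRange)` in the `<=` and `>=` cases feeds the exact-match shortcut on the `if (versionsToRemove.size() == 0 && versionsToKeep.size() != 0)` line, so a bound that lies outside the Maven Central list (e.g. `<= 3.0` when every listed version is older, or `>= 0.1` when every listed version is newer) now yields an empty `versionsToRemove`, clears `vulnerableVersions` and returns only the named bound, silently dropping every genuinely affected release. Before this commit the same input returned the whole list, so this is a false-negative regression in exactly the case the commit message targets. The clear should only fire when the spec consisted solely of `=`/`==` operators; keeping the bounds named by `<=`/`>=` in a separate set, excluding them from the shortcut, and adding them after the clear preserves the intended "always report the named version" behaviour without discarding the range. The method starts in the earlier hunk (where `versionsToKeep` is declared) and the lines deriving `parsedVersionFromRange` are collapsed between the two hunks, so the unknown-operator `default` branch and that parsing could not be checked here.
```java
Set<ComparableVersion> versionsToKeep = Sets.newLinkedHashSet();
// bounds named by <= / >= : reported even when absent from the Maven Central list
Set<ComparableVersion> boundsToKeep = Sets.newLinkedHashSet();
// … unchanged: operator parsing and "==" / "=" case …
case "<=": {
    boundsToKeep.add(parsedVersionFromRange);
    versionsToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
    break;
}
// … unchanged: "<" case …
case ">=": {
    boundsToKeep.add(parsedVersionFromRange);
    versionsToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
    break;
}
// … unchanged: ">" and default cases …
// Only a spec made solely of exact matches may discard the full version list;
// a range bound outside the known versions must not empty the result.
if (versionsToRemove.isEmpty() && !versionsToKeep.isEmpty() && boundsToKeep.isEmpty()) {
    vulnerableVersions.clear();
}
versionsToRemove.forEach(vulnerableVersions::remove);
versionsToKeep.forEach(vulnerableVersions::add);
boundsToKeep.forEach(vulnerableVersions::add);
```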