From 629bc64c011e1ca2ab93181885f891f2c3eb85d8 Mon Sep 17 00:00:00 2001
From: Magiel Bruntink
Date: Fri, 26 Jan 2024 20:11:54 +0100
Subject: [PATCH] Attempted fix for CVE-2024-22233 mess-up.
---
 .../utils/mappers/VersionRanger.java | 26 +++++++++----------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java b/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
index ce50bd2..7f43b44 100644
--- a/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
+++ b/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
@@ -18,7 +18,6 @@ package eu.fasten.vulnerabilityproducer.utils.mappers;
-import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import eu.fasten.vulnerabilityproducer.utils.Vulnerability;
@@ -342,11 +341,11 @@ public List getVulnerableVersionsYAML(List encodedRangeVersions,
 }
 public List getVulnerableVersionsJSON(String encodedRangeVersions, List allVersions) {
-var allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
+List allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
 Set vulnerableVersions = Sets.newLinkedHashSet(allVersions);
-List versionIndicesToRemove = Lists.newArrayList();
-List versionIndicesToKeep = Lists.newArrayList();
+Set versionIndicesToRemove = Sets.newLinkedHashSet();
+Set versionIndicesToKeep = Sets.newLinkedHashSet();
 for (String range : encodedRangeVersions.split(",")) {
 String operator = range.strip().split("[0-9]")[0].strip();
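Review bot: The `Set`-typed index collections introduced here hold positions into `allParsedVersions` that the next hunk maps back through `allVersions::get`, and nothing in the method states that the two lists are parallel; add `// Index sets refer to positions in allVersions; allParsedVersions is built 1:1 from it` above the declarations so a later edit does not filter or re-sort one of them. The switch from a reassigned `List` to a `Set` that is only ever added to is what makes the accumulation across comma-separated segments in the next hunk sound, which is worth one sentence in the same comment. The loop body that fills these sets continues in the next hunk, outside this one.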
@@ -360,31 +359,30 @@ public List getVulnerableVersionsJSON(String encodedRangeVersions, List<
 break;
 }
 case "<=": {
-versionIndicesToRemove = findGreaterVersions(parsedVersionFromRange, allParsedVersions);
+versionIndicesToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 case "<": {
-versionIndicesToRemove = findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions);
+versionIndicesToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 case ">=": {
-versionIndicesToRemove = findSmallerVersions(parsedVersionFromRange, allParsedVersions);
+versionIndicesToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 case ">": {
-versionIndicesToRemove = findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions);
+versionIndicesToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 default:
 logger.warn("getVulnerableVersionsJSON: unknown operator " + operator);
 }
-// If we only have some specific versions in the spec, only those should be kept.
-if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() > 0) {
-vulnerableVersions.clear();
-}
-versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);
-versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
 }
+if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() != 0) {
+vulnerableVersions.clear();
+}
+versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);
+versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
 return vulnerableVersions.stream().collect(Collectors.toList());
 }
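Review bot: The `if` moved out of the range loop lost the comment that explained it (`// If we only have some specific versions in the spec, only those should be kept.`); restore it above the new post-loop `if`, since the accumulate-then-clear ordering is now the whole contract of the method and the `!= 0` rewrite alone does not convey it. A spec in which no segment matches a known operator (every segment falling through to `default`, including an empty `encodedRangeVersions`, which `split(",")` turns into one blank segment) leaves both index sets empty, so `vulnerableVersions` is returned still holding all of `allVersions` with only the warning as a signal; that over-reporting outcome should at least be stated in a comment next to the `default` branch. Minor style: `if (versionIndicesToRemove.isEmpty() && !versionIndicesToKeep.isEmpty())` reads better than the `size()` comparisons, and if `logger` is SLF4J the warning should be the parameterised `logger.warn("getVulnerableVersionsJSON: unknown operator {}", operator)`. The branch that populates `versionIndicesToKeep` and the start of the method lie outside this hunk.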