From 7cb826cb662d456f34783c373a04d959ead7a0d7 Mon Sep 17 00:00:00 2001
From: Magiel Bruntink
Date: Sat, 27 Jan 2024 21:10:00 +0100
Subject: [PATCH] Also always mark as vulnerable the versions explicity named in the version spec for the operators <=, >=, even if the vulnerable version is missing from the Maven central list.

---
 .../utils/mappers/VersionRanger.java | 33 +++++++++++--------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java b/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
index 68f568a..28db96e 100644
--- a/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
+++ b/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
@@ -341,11 +341,12 @@ public List getVulnerableVersionsYAML(List encodedRangeVersions,
 }
 public List getVulnerableVersionsJSON(String encodedRangeVersions, List allVersions) {
- List allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
- Set vulnerableVersions = Sets.newLinkedHashSet(allParsedVersions);
+ List allParsedVersions = allVersions.stream().map(ComparableVersion::new)
+ .collect(Collectors.toList());
+ Set vulnerableVersions = Sets.newLinkedHashSet(allParsedVersions);
 Set versionsToRemove = Sets.newLinkedHashSet();
- Set versionsToKeep = Sets.newLinkedHashSet();
+ Set versionsToKeep = Sets.newLinkedHashSet();
 for (String range : encodedRangeVersions.split(",")) {
 String operator = range.strip().split("[0-9]")[0].strip();
@@ -355,34 +356,40 @@ public List getVulnerableVersionsJSON(String encodedRangeVersions, List<
 switch (operator) {
 case "==":
 case "=": {
- versionsToKeep.add(parsedVersionFromRange);
+ versionsToKeep.add(parsedVersionFromRange);
 break;
 }
 case "<=": {
- versionsToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
+ versionsToKeep.add(parsedVersionFromRange);
+ versionsToRemove.addAll(
+ findGreaterVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 case "<": {
- versionsToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
+ versionsToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange,
+ allParsedVersions));
 break;
 }
 case ">=": {
- versionsToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
+ versionsToKeep.add(parsedVersionFromRange);
+ versionsToRemove.addAll(
+ findSmallerVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 case ">": {
- versionsToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
+ versionsToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange,
+ allParsedVersions));
 break;
 }
 default:
 logger.warn("getVulnerableVersionsJSON: unknown operator " + operator);
 }
 }
- if(versionsToRemove.size() == 0 && versionsToKeep.size() != 0) {
- vulnerableVersions.clear();
- }
- versionsToRemove.stream().forEach(vulnerableVersions::remove);
- versionsToKeep.stream().forEach(vulnerableVersions::add);
+ if (versionsToRemove.size() == 0 && versionsToKeep.size() != 0) {
+ vulnerableVersions.clear();
+ }
+ versionsToRemove.stream().forEach(vulnerableVersions::remove);
+ versionsToKeep.stream().forEach(vulnerableVersions::add);
 return vulnerableVersions.stream().map(v -> v.toString()).collect(Collectors.toList());
 }
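Review bot: Adding the bound to versionsToKeep in the `<=` and `>=` cases makes the later `if (versionsToRemove.size() == 0 && versionsToKeep.size() != 0) { vulnerableVersions.clear(); }` fire whenever the bound sits at or beyond the edge of the listed versions, which silently shrinks the result to the bound alone. Assuming findGreaterVersions returns strictly greater versions (its name and the separate findEqualAndGreaterVersions suggest so), a spec of `<= 2.0` against a list `[1.0, 1.5, 2.0]` produces an empty versionsToRemove, and this hunk now clears everything and reports only `2.0`, where the old code reported all three; `>= 1.0` over a list that starts at 1.0 regresses the same way, so the producer under-reports vulnerable versions exactly for the ranges that cover the newest or oldest releases. The pin-only narrowing should be keyed on whether a range operator was seen at all rather than on versionsToRemove happening to be non-empty, as sketched below. The enclosing method starts in the previous hunk, so the flag declaration lands just before the for loop, outside this hunk.
```java
boolean rangeOperatorSeen = false; // declared before the for loop, outside this hunk
// … unchanged: operator/version parsing, "=="/"=" case …
case "<=": {
    rangeOperatorSeen = true;
    versionsToKeep.add(parsedVersionFromRange);
    versionsToRemove.addAll(
            findGreaterVersions(parsedVersionFromRange, allParsedVersions));
    break;
}
// … unchanged: "<", ">=", ">" cases, each also setting rangeOperatorSeen = true …
// Only a spec made solely of "=="/"=" pins narrows the result to the pinned versions;
// a bounded range whose removal set is empty must still keep every listed version.
if (!rangeOperatorSeen && !versionsToKeep.isEmpty()) {
    vulnerableVersions.clear();
}
// … unchanged: apply versionsToRemove / versionsToKeep and return …
```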