From 8f02fee54a835de9a2819ae10919692b65c1b123 Mon Sep 17 00:00:00 2001
From: Magiel Bruntink
Date: Fri, 26 Jan 2024 20:51:49 +0100
Subject: [PATCH] So Maven actually removed the vulnerable artifacts in CVE-2024-22233. Great! But it exposed a bug in our code. That should now be fixed :-)
---
 .../utils/mappers/VersionRanger.java | 48 +++++++++----------
 .../parsers/GHParserTest.java | 2 +-
 2 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java b/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
index 7f43b44..68f568a 100644
--- a/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
+++ b/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
@@ -342,10 +342,10 @@ public List getVulnerableVersionsYAML(List encodedRangeVersions,
 public List getVulnerableVersionsJSON(String encodedRangeVersions, List allVersions) {
 List allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
- Set vulnerableVersions = Sets.newLinkedHashSet(allVersions);
+ Set vulnerableVersions = Sets.newLinkedHashSet(allParsedVersions);
- Set versionIndicesToRemove = Sets.newLinkedHashSet();
- Set versionIndicesToKeep = Sets.newLinkedHashSet();
+ Set versionsToRemove = Sets.newLinkedHashSet();
+ Set versionsToKeep = Sets.newLinkedHashSet();
 for (String range : encodedRangeVersions.split(",")) {
 String operator = range.strip().split("[0-9]")[0].strip();
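Review bot: Keying `vulnerableVersions` by parsed versions (`Set vulnerableVersions = Sets.newLinkedHashSet(allParsedVersions);`) makes the set deduplicate on `ComparableVersion` equality instead of on the artifact string the old `Sets.newLinkedHashSet(allVersions)` used; if this is Maven's `ComparableVersion`, equality is on the canonical form, so two catalogued spellings that normalise to the same thing (made-up example: `6.0` and `6.0.0`, and probably `1.0.1` next to `1.0.1.RELEASE` if `release` is treated as a release alias the way Maven does) collapse into one entry, and only the first spelling survives to the `return vulnerableVersions.stream().map(v -> v.toString())` line in the next hunk. For a vulnerability producer that is a silently missing vulnerable version, and the same dedup inside `versionsToRemove` would let the second spelling escape removal if the result set were simply switched back to strings. The comparison can stay on parsed versions while the output is built from `allVersions` itself, which drops the `vulnerableVersions` declaration in this hunk and rewrites the tail of the method in the next one, as below (the `ArrayList` and `Sets` names are already used in the file). The enclosing method continues past this hunk.
```java
// … unchanged: range parsing and switch …
Set<String> vulnerable = Sets.newLinkedHashSet();
if (!versionsToRemove.isEmpty() || versionsToKeep.isEmpty()) {
    // Compare on parsed versions, but keep every catalogued spelling as its own entry
    // (ComparableVersion equality would merge e.g. "6.0" and "6.0.0").
    allVersions.stream()
        .filter(s -> !versionsToRemove.contains(new ComparableVersion(s)))
        .forEach(vulnerable::add);
}
versionsToKeep.stream().map(ComparableVersion::toString).forEach(vulnerable::add);
return new ArrayList<>(vulnerable);
```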
@@ -355,80 +355,80 @@ public List getVulnerableVersionsJSON(String encodedRangeVersions, List<
 switch (operator) {
 case "==": case "=": {
- versionIndicesToKeep.addAll(findEqualVersions(parsedVersionFromRange, allParsedVersions));
+ versionsToKeep.add(parsedVersionFromRange);
 break;
 }
 case "<=": {
- versionIndicesToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
+ versionsToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 case "<": {
- versionIndicesToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
+ versionsToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 case ">=": {
- versionIndicesToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
+ versionsToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 case ">": {
- versionIndicesToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
+ versionsToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
 break;
 }
 default: logger.warn("getVulnerableVersionsJSON: unknown operator " + operator);
 }
 }
- if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() != 0) {
+ if(versionsToRemove.size() == 0 && versionsToKeep.size() != 0) {
 vulnerableVersions.clear();
 }
- versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);
- versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
- return vulnerableVersions.stream().collect(Collectors.toList());
+ versionsToRemove.stream().forEach(vulnerableVersions::remove);
+ versionsToKeep.stream().forEach(vulnerableVersions::add);
+ return vulnerableVersions.stream().map(v -> v.toString()).collect(Collectors.toList());
 }
- private List findUnequalVersions(ComparableVersion v, List allVersions) {
+ private List findUnequalVersions(ComparableVersion v, List allVersions) {
 var matches = findSmallerVersions(v, allVersions);
 matches.addAll(findGreaterVersions(v, allVersions));
 return matches;
 }
- private List findEqualAndGreaterVersions(ComparableVersion v, List allVersions) {
+ private List findEqualAndGreaterVersions(ComparableVersion v, List allVersions) {
 var matches = findEqualVersions(v, allVersions);
 matches.addAll(findGreaterVersions(v, allVersions));
 return matches;
 }
- private List findEqualAndSmallerVersions(ComparableVersion v, List allVersions) {
+ private List findEqualAndSmallerVersions(ComparableVersion v, List allVersions) {
 var matches = findEqualVersions(v, allVersions);
 matches.addAll(findSmallerVersions(v, allVersions));
 return matches;
 }
- private List findEqualVersions(ComparableVersion v, List allVersions) {
- var result = new ArrayList();
+ private List findEqualVersions(ComparableVersion v, List allVersions) {
+ var result = new ArrayList();
 for(int i = 0; i < allVersions.size(); i++) {
 if(v.compareTo(allVersions.get(i)) == 0) {
- result.add(i);
+ result.add(allVersions.get(i));
 }
 }
 return result;
 }
- private List findSmallerVersions(ComparableVersion v, List allVersions) {
- var result = new ArrayList();
+ private List findSmallerVersions(ComparableVersion v, List allVersions) {
+ var result = new ArrayList();
 for(int i = 0; i < allVersions.size(); i++) {
 if(v.compareTo(allVersions.get(i)) > 0) {
- result.add(i);
+ result.add(allVersions.get(i));
 }
 }
 return result;
 }
- private List findGreaterVersions(ComparableVersion v, List allVersions) {
- var result = new ArrayList();
+ private List findGreaterVersions(ComparableVersion v, List allVersions) {
+ var result = new ArrayList();
 for(int i = 0; i < allVersions.size(); i++) {
 if(v.compareTo(allVersions.get(i)) < 0) {
- result.add(i);
+ result.add(allVersions.get(i));
 }
 }
 return result;
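Review bot: `versionsToKeep.add(parsedVersionFromRange)` in the `=`/`==` case now reports the advisory's own version literal even when it is absent from `allVersions`, whereas the replaced `findEqualVersions` path could only ever return catalogued versions; judging by the commit message this is deliberate for artifacts that Maven has since pulled, but nothing in the code says so, and the string that reaches the caller is then the advisory's spelling rather than a catalogued one. A comment on that line would spare the next reader the detour: `// Keep the advisory's version even if the registry no longer lists it (artifacts can be removed, see CVE-2024-22233).` Smaller points: `versionsToRemove.size() == 0 && versionsToKeep.size() != 0` reads better as `versionsToRemove.isEmpty() && !versionsToKeep.isEmpty()`, and `map(v -> v.toString())` as `map(ComparableVersion::toString)`. `parsedVersionFromRange` and the start of `getVulnerableVersionsJSON` lie outside this hunk.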
diff --git a/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java b/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java
index 2c12880..c892a8c 100644
--- a/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java
+++ b/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java
@@ -220,7 +220,7 @@ public void testParseCVE_2024_22233() throws Exception {
 HashMap values = new HashMap<>();
 values.put("query", queryNoCursor);
 when(clientMock.sendPost("https://api.github.com/graphql", token, values)).thenReturn(CVE_2024_22233);
- var versions = Stream.of("", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "6.0.0", "6.0.15", "6.1.2", "6.0.16", "6.1.3").map(x -> new ImmutablePair<>(x, new DateTime())).collect(Collectors.toList());
+ var versions = Stream.of("", "1.0.0", "1.0.1-m1", "1.0.1.RELEASE", "1.0.2.SEC01", "1.0.3", "6.0.0", "6.0.15", "6.1.2", "6.0.16", "6.1.3").map(x -> new ImmutablePair<>(x, new DateTime())).collect(Collectors.toList());
 ghParser.getVersionRanger().versionsMappings.put("pkg:maven/org.springframework/spring-core", versions);
 ghParser.setCursor(null);