diff --git a/core/pom.xml b/core/pom.xml
index 50236ab40f2..bace5b818d6 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -126,6 +126,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. generate + false ${basedir}/src/main/resources/schema/external/cisa ${project.build.directory}/generated-sources/java true
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
index 19278a20867..601c7a7d0d7 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
@@ -216,16 +216,18 @@ public boolean isRejected(String description) {
 * @return true if the CVE affects CPEs identified by the
 * configured CPE Starts with filter
 */
- protected boolean testCveCpeStartWithFilter(final DefCveItem cve) {
+ boolean testCveCpeStartWithFilter(final DefCveItem cve) {
 if (cve.getCve().getConfigurations() != null) {
 //cycle through to see if this is a CPE we care about (use the CPE filters
- return cve.getCve().getConfigurations().stream()
+ boolean result = cve.getCve().getConfigurations().stream()
 .map(Config::getNodes)
 .flatMap(List::stream)
+ .filter(node -> node != null)
 .map(Node::getCpeMatch)
 .flatMap(List::stream)
- .filter(cpe -> cpe.getCriteria() != null)
+ .filter(cpe -> cpe != null && cpe.getCriteria() != null)
 .anyMatch(cpe -> cpe.getCriteria().startsWith(cpeStartsWithFilter));
+ return result;
 }
 return false;
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java
new file mode 100644
index 00000000000..480e9ad06de
--- /dev/null
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java
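Review bot: The new null filters protect a null Node and a null CpeMatch, but both `.flatMap(List::stream)` calls still dereference the lists returned by `Config::getNodes` and `Node::getCpeMatch`, so a configuration with a null nodes list or a node with a null cpeMatch list throws a NullPointerException before either filter runs. Inserting `.filter(Objects::nonNull)` directly after `.map(Config::getNodes)` and after `.map(Node::getCpeMatch)` closes that gap (requires `java.util.Objects` in the import block, which is outside this hunk). The `boolean result = …; return result;` pair adds nothing over the original direct `return` and can be reverted to it. Narrowing the method from `protected` to package-private is presumably for the new test; if any subclass outside the package overrides it, that is a source-incompatible change worth noting in the changelog.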
@@ -0,0 +1,91 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2024 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nvdcve;
+
+import io.github.jeremylong.openvulnerability.client.nvd.Config;
+import io.github.jeremylong.openvulnerability.client.nvd.CpeMatch;
+import io.github.jeremylong.openvulnerability.client.nvd.CveItem;
+import io.github.jeremylong.openvulnerability.client.nvd.CveTag;
+import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
+import io.github.jeremylong.openvulnerability.client.nvd.LangString;
+import io.github.jeremylong.openvulnerability.client.nvd.Metrics;
+import io.github.jeremylong.openvulnerability.client.nvd.Node;
+import io.github.jeremylong.openvulnerability.client.nvd.Reference;
+import io.github.jeremylong.openvulnerability.client.nvd.VendorComment;
+import io.github.jeremylong.openvulnerability.client.nvd.Weakness;
+import java.time.LocalDate;
+import java.time.ZonedDateTime;
+import java.util.ArrayList;
+import java.util.List;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author jeremy
+ */
+public class CveItemOperatorTest {
+
+ /**
+ * Test of testCveCpeStartWithFilter method, of class CveItemOperator.
+ */
+ @Test
+ public void testTestCveCpeStartWithFilter() {
+
+ ZonedDateTime published = ZonedDateTime.now();
+ ZonedDateTime lastModified = ZonedDateTime.now();
+ LocalDate cisaExploitAdd = null;
+ LocalDate cisaActionDue = null;
+ List cveTags = null;
+ List descriptions = null;
+ List references = null;
+ Metrics metrics = null;
+ List weaknesses = null;
+ List configurations = new ArrayList<>();
+ List matches = new ArrayList<>();
+ matches.add(null);
+
+ Node first = new Node(Node.Operator.OR, null, matches);
+ List cpeMatch = new ArrayList<>();
+ //cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
+ CpeMatch match = new CpeMatch(true, "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId", "versionStartExcluding",
+ "versionStartIncluding", "versionEndExcluding", "versionEndIncluding");
+ cpeMatch.add(match);
+ Node second = new Node(Node.Operator.OR, Boolean.FALSE, cpeMatch);
+ List nodes = new ArrayList<>();
+ nodes.add(null);
+ nodes.add(first);
+ nodes.add(second);
+
+ Config c = new Config(Config.Operator.AND, null, nodes);
+ configurations.add(c);
+ List vendorComments = null;
+ CveItem cveItem = new CveItem("id", "sourceIdentifier", "vulnStatus", published, lastModified,
+ "evaluatorComment", "evaluatorSolution", "evaluatorImpact", cisaExploitAdd, cisaActionDue,
+ "cisaRequiredAction", "cisaVulnerabilityName", cveTags, descriptions, references, metrics,
+ weaknesses, configurations, vendorComments);
+
+ DefCveItem cve = new DefCveItem(cveItem);
+ CveItemOperator instance = new CveItemOperator("cpe:2.3:o:");
+ boolean expResult = true;
+ boolean result = instance.testCveCpeStartWithFilter(cve);
+ assertEquals(expResult, result);
+
+ }
+
+}
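Review bot: Every list in the fixture is declared as a raw `List` (`List configurations`, `List matches`, `List cpeMatch`, `List nodes`, plus the null-initialised `cveTags`/`descriptions`/`references`/`weaknesses`/`vendorComments`), which compiles only with unchecked warnings and leaves the imports of CveTag, LangString, Reference, VendorComment and Weakness unused; `List<Config> configurations = new ArrayList<>();`, `List<CpeMatch> matches = new ArrayList<>();` and `List<Node> nodes = new ArrayList<>();` (and the matching element types on the others) state the intent and let the compiler check the constructor arguments. The test exercises only the positive path through the null node and null cpe match; a second assertion such as `assertFalse(new CveItemOperator("cpe:2.3:a:").testCveCpeStartWithFilter(cve));` would pin the non-matching case that the same null-tolerant pipeline must also survive. The `expResult`/`result` locals can collapse into `assertTrue(instance.testCveCpeStartWithFilter(cve));`. The seven-argument `CpeMatch` and nineteen-argument `CveItem` constructor calls depend on the client library's positional parameter order, which is not visible here — worth confirming against the library version declared in the pom.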