
Merge pull request DependencyTrack#2967 from nscuro/fix-affected-component-ranges

Fix `AffectedComponent` format for CPEs with version ranges
nscuro authored Aug 30, 2023
2 parents 73c0d1b + ff746c2 commit 9ffca65
Showing 2 changed files with 25 additions and 4 deletions.
Expand Up @@ -96,15 +96,18 @@ public AffectedComponent(final VulnerableSoftware vs) {
LOGGER.warn("Error assembling PURL", e);
}
}
if (vs.getVersion() != null) {
versionType = VersionType.EXACT;
version = vs.getVersion();
} else {
if (vs.getVersionStartIncluding() != null
|| vs.getVersionStartExcluding() != null
|| vs.getVersionEndIncluding() != null
|| vs.getVersionEndExcluding() != null) {
versionType = VersionType.RANGE;
versionEndExcluding = vs.getVersionEndExcluding();
versionEndIncluding = vs.getVersionEndIncluding();
versionStartExcluding = vs.getVersionStartExcluding();
versionStartIncluding = vs.getVersionStartIncluding();
} else if (vs.getVersion() != null) {
versionType = VersionType.EXACT;
version = vs.getVersion();
}
if (vs.getAffectedVersionAttributions() != null) {
affectedVersionAttributions = vs.getAffectedVersionAttributions();
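Review bot: The reordered branches at `if (vs.getVersionStartIncluding() != null` still let a CPE whose version is the `*` wildcard but that carries no range bounds fall into `} else if (vs.getVersion() != null) {`, so it is emitted as `VersionType.EXACT` with `version = "*"`, which a consumer of the affected-component output could read as a literal version rather than "any version". Whether the CPE ingestion path can produce such a record is not visible in this hunk, so confirm that before adding a guard. The precedence itself is only explained in the new test, so a why-comment above the condition would keep the reason with the code, e.g. `// Range bounds take precedence: CPEs that define a range still carry a "*" version wildcard.` The constructor `AffectedComponent(final VulnerableSoftware vs)` starts and ends outside the hunk.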
Expand Up @@ -172,6 +172,24 @@ public void shouldUseVersionRangeWhenAvailable() {
assertThat(affectedComponent.getVersionEndExcluding()).isEqualTo("qux");
}

@Test
public void shouldUseVersionRangeWhenBothRangeAndExactVersionAreAvailable() {
final var vs = new VulnerableSoftware();
vs.setVersion("*"); // CPEs will have a version wildcard when ranges are defined
vs.setVersionStartIncluding("foo");
vs.setVersionStartExcluding("bar");
vs.setVersionEndIncluding("baz");
vs.setVersionEndExcluding("qux");

final var affectedComponent = new AffectedComponent(vs);
assertThat(affectedComponent.getVersionType()).isEqualTo(AffectedComponent.VersionType.RANGE);
assertThat(affectedComponent.getVersion()).isNull();
assertThat(affectedComponent.getVersionStartIncluding()).isEqualTo("foo");
assertThat(affectedComponent.getVersionStartExcluding()).isEqualTo("bar");
assertThat(affectedComponent.getVersionEndIncluding()).isEqualTo("baz");
assertThat(affectedComponent.getVersionEndExcluding()).isEqualTo("qux");
}

@Test
public void shouldMapAffectedPackageAttribution() {
final var vs = new VulnerableSoftware();
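Review bot: The new test `shouldUseVersionRangeWhenBothRangeAndExactVersionAreAvailable` covers only the case where range bounds and the `*` wildcard coexist; the complementary case the precedence change introduces — `vs.setVersion("*")` with no bounds set at all — is not pinned, so a regression that emits an exact `*` version (or the opposite, once the project decides which is intended) would go unnoticed. A sibling test with just the wildcard version and an assertion on `getVersionType()` and `getVersion()` would document that decision. The fixture also sets both an inclusive and an exclusive bound at each end, which reads as if that combination were expected; a short comment such as `// all four bounds set only to check each is copied; not a realistic CPE shape` would avoid that impression.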
