From 877fe1d4108f9602faf3753af3edc3805d60c0b1 Mon Sep 17 00:00:00 2001
From: nscuro
Date: Tue, 3 Oct 2023 01:15:27 +0200
Subject: [PATCH] Fix false negatives due to preemptive NA check in `compareUpdate`

https://github.com/DependencyTrack/dependency-track/pull/1929#issuecomment-1331223525

Co-authored-by: Alioune SY
Signed-off-by: nscuro
---
 ...AbstractVulnerableSoftwareAnalysisTask.java | 3 ---
 .../InternalAnalysisTaskCpeMatchingTest.java | 18 ++++++++++--------
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java b/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java
index 534429ec73..f19d2e22f4 100644
--- a/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java
+++ b/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java
@@ -154,9 +154,6 @@ private static boolean compareUpdate(VulnerableSoftware vs, String targetUpdate)
 if (targetUpdate != null && targetUpdate.equals(vs.getUpdate())) {
 return true;
 }
- if (LogicalValue.NA.getAbbreviation().equals(vs.getUpdate())) {
- return false;
- }
 if (vs.getUpdate() == null && targetUpdate == null) {
 return true;
 }
diff --git a/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskCpeMatchingTest.java b/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskCpeMatchingTest.java
index d78c5c5ffc..597fad50fd 100644
--- a/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskCpeMatchingTest.java
+++ b/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskCpeMatchingTest.java
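Review bot: With the NA short-circuit removed, a VulnerableSoftware whose update is NA (`-`) now falls through past the `vs.getUpdate() == null && targetUpdate == null` check to whatever comparison follows, and nothing in the hunk pins the outcome when targetUpdate is a concrete, non-null value; the rest of compareUpdate is outside the hunk, so I cannot tell from here whether that path still reports no match. The accompanying test change only covers NA against ANY, so a regression that turns NA-vs-concrete into a match (a false positive: a component with a specific update flagged by a range that says no update applies) would go unnoticed, and the complementary case deserves an entry next to the new #2188 one. Because the deleted lines look like a deliberate guard, a comment above the first `if` would save the next reader from reinstating it: `// NA ("-") is a subset of ANY (targetUpdate == null), so it must not be rejected before the null checks below; see #2188.`.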
@@ -52,23 +52,25 @@ public static Collection parameters() {
 // ---
 // Regression tests
 // ---
- // #2988: "other" attribute of source is NA, "other" attribute of target is ANY.
+ // #2988: "other" attribute of source is NA, "other" attribute of target is ANY -> SUBSET.
 {"cpe:2.3:o:linux:linux_kernel:5.15.37:*:*:*:*:*:*:NA", MATCHES, "cpe:2.3:o:linux:linux_kernel:5.15.37:*:*:*:*:*:*:*"},
- // #2988: "target_hw" of source if x64, "target_hw" of target is ANY.
+ // #2988: "target_hw" of source if x64, "target_hw" of target is ANY -> SUBSET.
 {"cpe:2.3:o:linux:linux_kernel:5.15.37:*:*:*:*:*:x86:*", MATCHES, "cpe:2.3:o:linux:linux_kernel:5.15.37:*:*:*:*:*:*:*"},
- // #2988: "vendor" of source contains wildcard, "vendor" of target is ANY.
+ // #2988: "vendor" of source contains wildcard, "vendor" of target is ANY -> SUBSET.
 {"cpe:2.3:o:linu*:linux_kernel:5.15.37:*:*:*:*:*:*:*", MATCHES, "cpe:2.3:o:*:linux_kernel:5.15.37:*:*:*:*:*:*:*"},
- // #2580: Source vendor is , target vendor is wildcard.
+ // #2580: "vendor" of source is "linux", "vendor" of target ANY -> SUBSET.
 {"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", MATCHES, "cpe:2.3:o:*:linux_kernel:4.19.139:*:*:*:*:*:*:*"},
- // #2994: "part" of source is "a", "part" of target is ANY.
+ // #2994: "part" of source is "a", "part" of target is ANY -> SUBSET.
 {"cpe:2.3:a:busybox:busybox:1.34.1:*:*:*:*:*:*:*", MATCHES, "cpe:2.3:*:busybox:busybox:1.34.1:*:*:*:*:*:*:*"},
- // #2894: "vendor" and "product" with different casing.
+ // #2894: "vendor" and "product" with different casing -> EQUAL.
 // Note: CPEs with uppercase "part" are considered invalid by the cpe-parser library.
 {"cpe:2.3:o:linux:linux_kernel:5.15.37:*:*:*:*:*:*:*", MATCHES, "cpe:2.3:o:LiNuX:LiNuX_kErNeL:5.15.37:*:*:*:*:*:*:*"},
- // #1832: "version" of source is NA, "version" of target is "2.4.54".
+ // #1832: "version" of source is NA, "version" of target is "2.4.54" -> DISJOINT.
 {"cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*", MATCHES, "cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*"},
- // #1832: "version" of source is NA, "version" of target is ANY.
+ // #1832: "version" of source is NA, "version" of target is ANY -> SUBSET.
 {"cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*", MATCHES, "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"},
+ // #2188: "update" of source is NA, "update" of target is ANY -> SUBSET.
+ {"cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*", MATCHES, "cpe:2.3:a:xiph:speex:1.2:*:*:*:*:*:*:*"}
 });
 }
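Review bot: Several of the rewritten comments disagree with the CPE strings beneath them: the second `#2988` line says `"target_hw" of source if x64` while the entry uses `x86`, and the first `#1832` line says the target version is `"2.4.54"` while the entry uses `2.4.53`; since the commit rewrites these lines anyway they should read `// #2988: "target_hw" of source is "x86", "target_hw" of target is ANY -> SUBSET.` and `// #1832: "version" of source is NA, "version" of target is "2.4.53" -> DISJOINT.`. That same `#1832` entry is labelled DISJOINT yet expects MATCHES, which reads as a contradiction without a word on why the matcher is meant to behave that way; a short clause in the comment would spare the next reader a trip to the issue. The new `#2188` entry is the only one without a trailing comma, so the next append will touch this line again; `{"cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*", MATCHES, "cpe:2.3:a:xiph:speex:1.2:*:*:*:*:*:*:*"},` keeps the list uniform.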