Fix false positives due to preemptive NA check in compareVersions

DependencyTrack#1929 Co-authored-by: Florent Ulvé <[email protected]> Signed-off-by: nscuro <[email protected]>
nscuro · Oct 11, 2023 · d51738b · d51738b
1 parent 388f5ec
commit d51738b
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 6 deletions.
diff --git a/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java b/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java
@@ -79,11 +79,6 @@ protected void analyzeVersionRange(final QueryManager qm, final List<VulnerableS
      * Ported from Dependency-Check v5.2.1
      */
     private static boolean compareVersions(VulnerableSoftware vs, String targetVersion) {
-        // For VulnerableSoftware (could actually be hardware) without a version number.
-        // e.g. cpe:2.3:o:intel:2000e_firmware:-:*:*:*:*:*:*:*
-        if (LogicalValue.NA.getAbbreviation().equals(vs.getVersion())) {
-            return true;
-        }
         //if any of the four conditions will be evaluated - then true;
         boolean result = (vs.getVersionEndExcluding() != null && !vs.getVersionEndExcluding().isEmpty())
                 || (vs.getVersionStartExcluding() != null && !vs.getVersionStartExcluding().isEmpty())

diff --git a/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskCpeMatchingTest.java b/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskCpeMatchingTest.java
@@ -66,7 +66,7 @@ public static Collection<Object[]> parameters() {
                 // Note: CPEs with uppercase "part" are considered invalid by the cpe-parser library.
                 {"cpe:2.3:o:linux:linux_kernel:5.15.37:*:*:*:*:*:*:*", MATCHES, "cpe:2.3:o:LiNuX:LiNuX_kErNeL:5.15.37:*:*:*:*:*:*:*"},
                 // #1832: "version" of source is NA, "version" of target is "2.4.54" -> DISJOINT.
-                {"cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*", MATCHES, "cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*"},
+                {"cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*", DOES_NOT_MATCH, "cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*"},
                 // #1832: "version" of source is NA, "version" of target is ANY -> SUBSET.
                 {"cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*", MATCHES, "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"},
                 // #2188: "update" of source is NA, "update" of target is ANY -> SUBSET.