Fix: Exact match between CPE with NA (-) update part in vulnerability…

… and vulnerable_software should be possible See DependencyTrack#1929 (comment) Signed-off-by: Alioune SY <[email protected]>
syalioune · Dec 6, 2022 · bc2e844 · bc2e844
1 parent be8790e
commit bc2e844
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 1 deletion.
diff --git a/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java b/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java
@@ -198,6 +198,10 @@ private static boolean containsSpecialCharacter(String value) {
      * <code>false</code>
      */
     private static boolean compareUpdate(VulnerableSoftware vs, String targetUpdate) {
+
+        if (targetUpdate != null && targetUpdate.equals(vs.getUpdate())) {
+            return true;
+        }
         if (LogicalValue.NA.getAbbreviation().equals(vs.getUpdate())) {
             return false;
         }

diff --git a/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskTest.java b/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskTest.java
@@ -6,8 +6,12 @@
 import org.dependencytrack.model.Project;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.model.VulnerableSoftware;
+import org.dependencytrack.parser.nvd.ModelConverter;
 import org.junit.Test;
+import us.springett.parsers.cpe.exceptions.CpeEncodingException;
+import us.springett.parsers.cpe.exceptions.CpeParsingException;
 
+import java.util.Collections;
 import java.util.List;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -18,7 +22,7 @@ public class InternalAnalysisTaskTest extends PersistenceCapableTest {
     public void testIssue1574() {
         var project = new Project();
         project.setName("acme-app");
-        project = qm.createProject(project, List.of(), false);
+        project = qm.createProject(project, Collections.emptyList(), false);
         var component = new Component();
         component.setProject(project);
         component.setName("github.com/tidwall/gjson");
@@ -47,4 +51,33 @@ public void testIssue1574() {
         assertThat(vulnerabilities.getList(Vulnerability.class).get(0).getVulnId()).isEqualTo("GHSA-wjm3-fq3r-5x46");
     }
 
+    @Test
+    public void testExactMatchWithNAUpdate() throws CpeParsingException, CpeEncodingException {
+        var project = new Project();
+        project.setName("acme-app");
+        project = qm.createProject(project, Collections.emptyList(), false);
+        var component = new Component();
+        component.setProject(project);
+        component.setGroup("xiph");
+        component.setName("speex");
+        component.setVersion("1.2");
+        component.setCpe("cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*");
+        component = qm.createComponent(component, false);
+
+        var vulnerableSoftware = ModelConverter.convertCpe23UriToVulnerableSoftware("cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*");
+        vulnerableSoftware = qm.persist(vulnerableSoftware);
+
+        var vulnerability = new Vulnerability();
+        vulnerability.setVulnId("CVE-2020-23904");
+        vulnerability.setSource(Vulnerability.Source.NVD);
+        vulnerability.setVulnerableSoftware(List.of(vulnerableSoftware));
+        qm.createVulnerability(vulnerability, false);
+
+        new InternalAnalysisTask().analyze(List.of(component));
+
+        final PaginatedResult vulnerabilities = qm.getVulnerabilities(component);
+        assertThat(vulnerabilities.getTotal()).isEqualTo(1);
+        assertThat(vulnerabilities.getList(Vulnerability.class).get(0).getVulnId()).isEqualTo("CVE-2020-23904");
+    }
+
 }