diff --git a/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java b/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java index a1c4fec280..b7dc8ae97a 100644 --- a/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java +++ b/src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java @@ -198,6 +198,10 @@ private static boolean containsSpecialCharacter(String value) { * false */ private static boolean compareUpdate(VulnerableSoftware vs, String targetUpdate) { + + if (targetUpdate != null && targetUpdate.equals(vs.getUpdate())) { + return true; + } if (LogicalValue.NA.getAbbreviation().equals(vs.getUpdate())) { return false; } diff --git a/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskTest.java b/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskTest.java index 31ed6a1bd0..dc6d667808 100644 --- a/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskTest.java +++ b/src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskTest.java @@ -6,8 +6,12 @@ import org.dependencytrack.model.Project; import org.dependencytrack.model.Vulnerability; import org.dependencytrack.model.VulnerableSoftware; +import org.dependencytrack.parser.nvd.ModelConverter; import org.junit.Test; +import us.springett.parsers.cpe.exceptions.CpeEncodingException; +import us.springett.parsers.cpe.exceptions.CpeParsingException; +import java.util.Collections; import java.util.List; import static org.assertj.core.api.Assertions.assertThat; @@ -18,7 +22,7 @@ public class InternalAnalysisTaskTest extends PersistenceCapableTest { public void testIssue1574() { var project = new Project(); project.setName("acme-app"); - project = qm.createProject(project, List.of(), false); + project = qm.createProject(project, Collections.emptyList(), false); var component = new Component(); component.setProject(project); component.setName("github.com/tidwall/gjson"); @@ -47,4 +51,33 @@ public void testIssue1574() { assertThat(vulnerabilities.getList(Vulnerability.class).get(0).getVulnId()).isEqualTo("GHSA-wjm3-fq3r-5x46"); } + @Test + public void testExactMatchWithNAUpdate() throws CpeParsingException, CpeEncodingException { + var project = new Project(); + project.setName("acme-app"); + project = qm.createProject(project, Collections.emptyList(), false); + var component = new Component(); + component.setProject(project); + component.setGroup("xiph"); + component.setName("speex"); + component.setVersion("1.2"); + component.setCpe("cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*"); + component = qm.createComponent(component, false); + + var vulnerableSoftware = ModelConverter.convertCpe23UriToVulnerableSoftware("cpe:2.3:a:xiph:speex:1.2:-:*:*:*:*:*:*"); + vulnerableSoftware = qm.persist(vulnerableSoftware); + + var vulnerability = new Vulnerability(); + vulnerability.setVulnId("CVE-2020-23904"); + vulnerability.setSource(Vulnerability.Source.NVD); + vulnerability.setVulnerableSoftware(List.of(vulnerableSoftware)); + qm.createVulnerability(vulnerability, false); + + new InternalAnalysisTask().analyze(List.of(component)); + + final PaginatedResult vulnerabilities = qm.getVulnerabilities(component); + assertThat(vulnerabilities.getTotal()).isEqualTo(1); + assertThat(vulnerabilities.getList(Vulnerability.class).get(0).getVulnId()).isEqualTo("CVE-2020-23904"); + } + } \ No newline at end of file