From 365e517b27814354b24c77e68bde96090f29d40c Mon Sep 17 00:00:00 2001
From: vithikashukla
Date: Mon, 23 Oct 2023 12:49:51 +0100
Subject: [PATCH] Fix AffectedComponent format for CPEs with version ranges
Co-authored-by: nscuro
Signed-off-by: vithikashukla
---
 .../resources/v1/vo/AffectedComponent.java | 11 +++++++----
 .../resources/v1/vo/AffectedComponentTest.java | 18 ++++++++++++++++++
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/dependencytrack/resources/v1/vo/AffectedComponent.java b/src/main/java/org/dependencytrack/resources/v1/vo/AffectedComponent.java
index e4decc8ac..4afff4a77 100644
--- a/src/main/java/org/dependencytrack/resources/v1/vo/AffectedComponent.java
+++ b/src/main/java/org/dependencytrack/resources/v1/vo/AffectedComponent.java
@@ -96,15 +96,18 @@ public AffectedComponent(final VulnerableSoftware vs) {
 LOGGER.warn("Error assembling PURL", e);
 }
 }
- if (vs.getVersion() != null) {
- versionType = VersionType.EXACT;
- version = vs.getVersion();
- } else {
+ if (vs.getVersionStartIncluding() != null
+ || vs.getVersionStartExcluding() != null
+ || vs.getVersionEndIncluding() != null
+ || vs.getVersionEndExcluding() != null) {
 versionType = VersionType.RANGE;
 versionEndExcluding = vs.getVersionEndExcluding();
 versionEndIncluding = vs.getVersionEndIncluding();
 versionStartExcluding = vs.getVersionStartExcluding();
 versionStartIncluding = vs.getVersionStartIncluding();
+ } else if (vs.getVersion() != null) {
+ versionType = VersionType.EXACT;
+ version = vs.getVersion();
 }
 if (vs.getAffectedVersionAttributions() != null) {
 affectedVersionAttributions = vs.getAffectedVersionAttributions();
diff --git a/src/test/java/org/dependencytrack/resources/v1/vo/AffectedComponentTest.java b/src/test/java/org/dependencytrack/resources/v1/vo/AffectedComponentTest.java
index c2207f37d..93d2bc335 100644
--- a/src/test/java/org/dependencytrack/resources/v1/vo/AffectedComponentTest.java
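Review bot: A VulnerableSoftware with neither a version nor any range bound now leaves versionType unset, because the removed `else` always fell through to RANGE while the new `else if (vs.getVersion() != null)` has no final branch; if any consumer of this value object treats versionType as non-null, that is a silent behaviour change the commit message does not mention. A trailing `else` that either restores the old RANGE default or logs the unexpected record would make the intended outcome explicit, and the test hunk below would be the place to pin it. The precedence itself also deserves a comment on the new condition, e.g. `// Range bounds take precedence: CPE-derived ranges carry a "*" version wildcard that must not be reported as EXACT`. The constructor begins and ends outside this hunk.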
+++ b/src/test/java/org/dependencytrack/resources/v1/vo/AffectedComponentTest.java
@@ -172,6 +172,24 @@ public void shouldUseVersionRangeWhenAvailable() {
 assertThat(affectedComponent.getVersionEndExcluding()).isEqualTo("qux");
 }
 
+ @Test
+ public void shouldUseVersionRangeWhenBothRangeAndExactVersionAreAvailable() {
+ final var vs = new VulnerableSoftware();
+ vs.setVersion("*"); // CPEs will have a version wildcard when ranges are defined
+ vs.setVersionStartIncluding("foo");
+ vs.setVersionStartExcluding("bar");
+ vs.setVersionEndIncluding("baz");
+ vs.setVersionEndExcluding("qux");
+
+ final var affectedComponent = new AffectedComponent(vs);
+ assertThat(affectedComponent.getVersionType()).isEqualTo(AffectedComponent.VersionType.RANGE);
+ assertThat(affectedComponent.getVersion()).isNull();
+ assertThat(affectedComponent.getVersionStartIncluding()).isEqualTo("foo");
+ assertThat(affectedComponent.getVersionStartExcluding()).isEqualTo("bar");
+ assertThat(affectedComponent.getVersionEndIncluding()).isEqualTo("baz");
+ assertThat(affectedComponent.getVersionEndExcluding()).isEqualTo("qux");
+ }
+
 @Test
 public void shouldMapAffectedPackageAttribution() {
 final var vs = new VulnerableSoftware();
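Review bot: The new test only exercises the `"*"` wildcard, but the production condition it covers discards the version whenever any range bound is set, regardless of the version's value; the inline comment on `vs.setVersion("*")` reads as if the wildcard were the reason the version is dropped, which is not what the code checks. A second case that sets a concrete version such as `vs.setVersion("1.2.3")` together with a single bound and asserts `getVersion()` is null and `getVersionType()` is RANGE would document that the range wins unconditionally, or would surface it if that is not the intended rule. The enclosing test class begins and ends outside this hunk.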