Fix handling of numerical versions

2026-01-14 15:53:36 +01:00 · 2016-11-13 19:37:29 +01:00
parent 3bbc485968
commit 1337686013
2 changed files with 11 additions and 0 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -234,6 +234,13 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
        if (str == null || str.isEmpty()) {
            return false;
        }
+
+        // numbers/versions with leading zeros should not be treated as numbers
+        // (e.g. when comparing "01" <-> "1")
+        if (str.charAt(0) == '0') {
+            return false;
+        }
+
        for (int i = 0; i < str.length(); i++) {
            final char c = str.charAt(i);
            if (c < '0' || c > '9') {
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
@@ -125,6 +125,10 @@ public class VulnerableSoftwareTest extends BaseTest {
        vs1.setCpe("cpe:/a:hp:system_management_homepage:2.1.10-186");
        assertTrue(vs.compareTo(vs1) < 0);
        //assertTrue(vs1.compareTo(vs)>0);
+
+        vs.setCpe("cpe:/a:ibm:security_guardium_database_activity_monitor:10.01");
+        vs1.setCpe("cpe:/a:ibm:security_guardium_database_activity_monitor:10.1");
+        assertTrue(vs.compareTo(vs1) < 0);
    }

    @Test