resolve version matching for issue #997

2026-01-14 15:53:36 +01:00 · 2017-12-09 06:46:05 -05:00
parent a1012ded26
commit 412b72540a
4 changed files with 58 additions and 4 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -956,7 +956,7 @@ public final class CveDB implements AutoCloseable {
            } else {
                versionText = cpe.getVersion();
            }
-            cpeVersion = DependencyVersionUtil.parseVersion(versionText);
+            cpeVersion = DependencyVersionUtil.parseVersion(versionText, true);
        } else {
            cpeVersion = new DependencyVersion("-");
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
@@ -70,6 +70,25 @@ public final class DependencyVersionUtil {
     * @return a DependencyVersion containing the version
     */
    public static DependencyVersion parseVersion(String text) {
+        return parseVersion(text, false);
+    }
+
+    /**
+     * <p>
+     * A utility class to extract version numbers from file names (or other
+     * strings containing version numbers.</p>
+     * <pre>
+     * Example:
+     * Give the file name: library-name-1.4.1r2-release.jar
+     * This function would return: 1.4.1.r2</pre>
+     *
+     * @param text the text being analyzed
+     * @param firstMatchOnly if <code>false</code> and more then one
+     * version string is found in the given text, null will be returned.
+     * Otherwise, the first version found will be returned.
+     * @return a DependencyVersion containing the version
+     */
+    public static DependencyVersion parseVersion(String text, boolean firstMatchOnly) {
        if (text == null) {
            return null;
        }
@@ -87,7 +106,7 @@ public final class DependencyVersionUtil {
            version = matcher.group();
        }
        //throw away the results if there are two things that look like version numbers
-        if (matcher.find()) {
+        if (!firstMatchOnly && matcher.find()) {
            return null;
        }
        if (version == null) {
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -958,7 +958,13 @@
        <gav regex="true">^org\.codehaus\.groovy:groovy-all:.*$</gav>
        <cve>CVE-2016-6497</cve>
    </suppress>
-
+    <!--suppress base="true">
+        <notes><![CDATA[
+        FP per issue #997 - actual fix was in DependencyVersionUtils
+        ]]></notes>
+        <gav regex="true">^com\.typesafe\.play:play-netty-utils:.*$</gav>
+        <cpe>cpe:/a:playframework:play_framework</cpe>
+    </suppress-->

    <suppress base="true">
        <notes><![CDATA[
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java
@@ -33,7 +33,7 @@ public class DependencyVersionUtilTest extends BaseTest {
     * Test of parseVersion method, of class DependencyVersionUtil.
     */
    @Test
-    public void testParseVersion() {
+    public void testParseVersion_String() {
        final String[] fileName = {"something-0.9.5.jar", "lib2-1.1.jar", "lib1.5r4-someflag-R26.jar",
            "lib-1.2.5-dev-20050313.jar", "testlib_V4.4.0.jar", "lib-core-2.0.0-RC1-SNAPSHOT.jar",
            "lib-jsp-2.0.1_R114940.jar", "dev-api-2.3.11_R121413.jar", "lib-api-3.7-SNAPSHOT.jar",
@@ -59,4 +59,33 @@ public class DependencyVersionUtilTest extends BaseTest {
            assertNull("Found version in name that should have failed \"" + failingName + "\".", version);
        }
    }
+
+    /**
+     * Test of parseVersion method, of class DependencyVersionUtil.
+     */
+    @Test
+    public void testParseVersion_String_boolean() {
+        //cpe:/a:playframework:play_framework:2.1.1:rc1-2.9.x-backport
+        String text = "2.1.1.rc1.2.9.x-backport";
+        boolean firstMatchOnly = false;
+        DependencyVersion expResult = null;
+        DependencyVersion result = DependencyVersionUtil.parseVersion(text, firstMatchOnly);
+        assertNull(result);
+        firstMatchOnly = true;
+        expResult = DependencyVersionUtil.parseVersion("2.1.1.rc1");
+        result = DependencyVersionUtil.parseVersion(text, firstMatchOnly);
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of parsePreVersion method, of class DependencyVersionUtil.
+     */
+    @Test
+    public void testParsePreVersion() {
+        String text = "library-name-1.4.1r2-release.jar";
+        String expResult = "library-name";
+        String result = DependencyVersionUtil.parsePreVersion(text);
+        assertEquals(expResult, result);
+
+    }
 }