From 412b72540abcca3dcecf70721878e48af7ca4fa9 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 9 Dec 2017 06:46:05 -0500
Subject: [PATCH] resolve version matching for issue #997

---
 .../dependencycheck/data/nvdcve/CveDB.java    |  2 +-
 .../utils/DependencyVersionUtil.java          | 21 ++++++++++++-
 .../dependencycheck-base-suppression.xml      |  8 ++++-
 .../utils/DependencyVersionUtilTest.java      | 31 ++++++++++++++++++-
 4 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index f67ffb49d..2b82f59ae 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -956,7 +956,7 @@ public final class CveDB implements AutoCloseable {
             } else {
                 versionText = cpe.getVersion();
             }
-            cpeVersion = DependencyVersionUtil.parseVersion(versionText);
+            cpeVersion = DependencyVersionUtil.parseVersion(versionText, true);
         } else {
             cpeVersion = new DependencyVersion("-");
         }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
index 4bf15f62b..a0ca0aafc 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
@@ -70,6 +70,25 @@ public final class DependencyVersionUtil {
      * @return a DependencyVersion containing the version
      */
     public static DependencyVersion parseVersion(String text) {
+        return parseVersion(text, false);
+    }
+
+    /**
+     * <p>
+     * A utility class to extract version numbers from file names (or other
+     * strings containing version numbers.</p>
+     * <pre>
+     * Example:
+     * Give the file name: library-name-1.4.1r2-release.jar
+     * This function would return: 1.4.1.r2</pre>
+     *
+     * @param text the text being analyzed
+     * @param firstMatchOnly if <code>false</code> and more then one
+     * version string is found in the given text, null will be returned.
+     * Otherwise, the first version found will be returned.
+     * @return a DependencyVersion containing the version
+     */
+    public static DependencyVersion parseVersion(String text, boolean firstMatchOnly) {
         if (text == null) {
             return null;
         }
@@ -87,7 +106,7 @@ public final class DependencyVersionUtil {
             version = matcher.group();
         }
         //throw away the results if there are two things that look like version numbers
-        if (matcher.find()) {
+        if (!firstMatchOnly && matcher.find()) {
             return null;
         }
         if (version == null) {
diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
index 925c36a42..5c82c5362 100644
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -958,7 +958,13 @@
         <gav regex="true">^org\.codehaus\.groovy:groovy-all:.*$</gav>
         <cve>CVE-2016-6497</cve>
     </suppress>
-
+    <!--suppress base="true">
+        <notes><![CDATA[
+        FP per issue #997 - actual fix was in DependencyVersionUtils
+        ]]></notes>
+        <gav regex="true">^com\.typesafe\.play:play-netty-utils:.*$</gav>
+        <cpe>cpe:/a:playframework:play_framework</cpe>
+    </suppress-->
 
     <suppress base="true">
         <notes><![CDATA[
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java
index 825b98f66..efda25535 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java
@@ -33,7 +33,7 @@ public class DependencyVersionUtilTest extends BaseTest {
      * Test of parseVersion method, of class DependencyVersionUtil.
      */
     @Test
-    public void testParseVersion() {
+    public void testParseVersion_String() {
         final String[] fileName = {"something-0.9.5.jar", "lib2-1.1.jar", "lib1.5r4-someflag-R26.jar",
             "lib-1.2.5-dev-20050313.jar", "testlib_V4.4.0.jar", "lib-core-2.0.0-RC1-SNAPSHOT.jar",
             "lib-jsp-2.0.1_R114940.jar", "dev-api-2.3.11_R121413.jar", "lib-api-3.7-SNAPSHOT.jar",
@@ -59,4 +59,33 @@ public class DependencyVersionUtilTest extends BaseTest {
             assertNull("Found version in name that should have failed \"" + failingName + "\".", version);
         }
     }
+
+    /**
+     * Test of parseVersion method, of class DependencyVersionUtil.
+     */
+    @Test
+    public void testParseVersion_String_boolean() {
+        //cpe:/a:playframework:play_framework:2.1.1:rc1-2.9.x-backport
+        String text = "2.1.1.rc1.2.9.x-backport";
+        boolean firstMatchOnly = false;
+        DependencyVersion expResult = null;
+        DependencyVersion result = DependencyVersionUtil.parseVersion(text, firstMatchOnly);
+        assertNull(result);
+        firstMatchOnly = true;
+        expResult = DependencyVersionUtil.parseVersion("2.1.1.rc1");
+        result = DependencyVersionUtil.parseVersion(text, firstMatchOnly);
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of parsePreVersion method, of class DependencyVersionUtil.
+     */
+    @Test
+    public void testParsePreVersion() {
+        String text = "library-name-1.4.1r2-release.jar";
+        String expResult = "library-name";
+        String result = DependencyVersionUtil.parsePreVersion(text);
+        assertEquals(expResult, result);
+
+    }
 }