From 7bd48cc8118a7667bf5adcd144d723ebfef3427b Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Tue, 9 Sep 2014 15:07:28 -0400
Subject: [PATCH] updated version analysis to reduce false positives and increase accurate detection

Former-commit-id: 6097160434b7e98182738706790d82cdbd867175
---
 .../utils/DependencyVersion.java | 22 ++++++++++++-------
 .../utils/DependencyVersionTest.java | 8 +++----
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
index a11ca9123..b0ba88311 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
@@ -189,17 +189,23 @@ public class DependencyVersion implements Iterable, Comparable 3) {
-            max = 3;
+        if (Math.abs(this.versionParts.size() - version.versionParts.size()) >= 3) {
+            return false;
         }
+        final int max = (this.versionParts.size() < version.versionParts.size())
+                ? this.versionParts.size() : version.versionParts.size();
+
+        boolean ret = true;
         for (int i = 0; i < max; i++) {
-            if (this.versionParts.get(i) == null || !this.versionParts.get(i).equals(version.versionParts.get(i))) {
+            String thisVersion = this.versionParts.get(i);
+            String otherVersion = version.getVersionParts().get(i);
+            if (i >= 3) {
+                if (thisVersion.compareToIgnoreCase(otherVersion) >= 0) {
+                    ret = false;
+                    break;
+                }
+            } else if (!thisVersion.equals(otherVersion)) {
                 ret = false;
                 break;
             }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java
index 62e4b4397..642bc99a4 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java
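Review bot: The new `i >= 3` branch compares version segments as strings, so `compareToIgnoreCase` orders "10" before "9" and a constructed pair such as 2.3.16.10 against 2.3.16.9 is reported as matching at the fourth level although 10 is not less than 9; in code that decides whether a dependency falls inside a vulnerable version range this yields wrong matches in both directions once a segment reaches two digits. Comparing the segments numerically when both parse as integers, and falling back to the case-insensitive string order otherwise, fixes that without changing the method's interface. The rewrite also drops the previous `get(i) == null` guard, so a null segment in either list would now throw instead of returning false — presumably the parser never stores null, but that is worth confirming. The test hunk in DependencyVersionTest.java only exercises single-digit fourth segments, so a two-digit case like the one above would be a useful addition. matchesAtLeastThreeLevels begins before this hunk and its return statement lies after it.
```java
            if (i >= 3) {
                if (compareSegment(thisVersion, otherVersion) >= 0) {
                    ret = false;
                    break;
                }
            } else if (!thisVersion.equals(otherVersion)) {
            // … unchanged: ret = false, break, remainder of matchesAtLeastThreeLevels …

    /**
     * Orders two version segments numerically when both are integers (so "10"
     * sorts after "9"); otherwise falls back to case-insensitive string order,
     * which keeps the existing behaviour for non-numeric segments.
     */
    private static int compareSegment(String a, String b) {
        try {
            return Integer.valueOf(a).compareTo(Integer.valueOf(b));
        } catch (NumberFormatException e) {
            return a.compareToIgnoreCase(b);
        }
    }
```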
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java
@@ -134,14 +134,14 @@ public class DependencyVersionTest {
     @Test
     public void testMatchesAtLeastThreeLevels() {
-        DependencyVersion instance = new DependencyVersion("1.2.3.4");
-        DependencyVersion version = new DependencyVersion("1.2.3.5");
+        DependencyVersion instance = new DependencyVersion("2.3.16.3");
+        DependencyVersion version = new DependencyVersion("2.3.16.4");
         //true tests
         assertEquals(true, instance.matchesAtLeastThreeLevels(version));
-        version = new DependencyVersion("1.2");
+        version = new DependencyVersion("2.3");
         assertEquals(true, instance.matchesAtLeastThreeLevels(version));
         //false tests
-        version = new DependencyVersion("1.2.2.5");
+        version = new DependencyVersion("2.3.16.1");
         assertEquals(false, instance.matchesAtLeastThreeLevels(version));
         version = new DependencyVersion("2");
         assertEquals(false, instance.matchesAtLeastThreeLevels(version));