github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-28 03:51:33 +01:00
Code Issues Packages Projects Releases Wiki Activity

updated version analysis to reduce false positives and increase accurate detection

Browse Source 
Former-commit-id: 6097160434b7e98182738706790d82cdbd867175
This commit is contained in:
Jeremy Long
2014-09-09 15:07:28 -04:00
parent 8f3ce38418
commit 7bd48cc811
2 changed files with 18 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
View File

@@ -189,17 +189,23 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
if (version == null) { if (version == null) {
return false; return false;
} }
if (Math.abs(this.versionParts.size() - version.versionParts.size()) >= 3) {
boolean ret = true; return false;
int max = (this.versionParts.size() < version.versionParts.size())
? this.versionParts.size() : version.versionParts.size();
if (max > 3) {
max = 3;
} }
final int max = (this.versionParts.size() < version.versionParts.size())
? this.versionParts.size() : version.versionParts.size();
boolean ret = true;
for (int i = 0; i < max; i++) { for (int i = 0; i < max; i++) {
if (this.versionParts.get(i) == null || !this.versionParts.get(i).equals(version.versionParts.get(i))) { String thisVersion = this.versionParts.get(i);
String otherVersion = version.getVersionParts().get(i);
if (i >= 3) {
if (thisVersion.compareToIgnoreCase(otherVersion) >= 0) {
ret = false;
break;
}
} else if (!thisVersion.equals(otherVersion)) {
ret = false; ret = false;
break; break;
} }

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java
View File

@@ -134,14 +134,14 @@ public class DependencyVersionTest {
@Test @Test
public void testMatchesAtLeastThreeLevels() { public void testMatchesAtLeastThreeLevels() {
DependencyVersion instance = new DependencyVersion("1.2.3.4"); DependencyVersion instance = new DependencyVersion("2.3.16.3");
DependencyVersion version = new DependencyVersion("1.2.3.5"); DependencyVersion version = new DependencyVersion("2.3.16.4");
//true tests //true tests
assertEquals(true, instance.matchesAtLeastThreeLevels(version)); assertEquals(true, instance.matchesAtLeastThreeLevels(version));
version = new DependencyVersion("1.2"); version = new DependencyVersion("2.3");
assertEquals(true, instance.matchesAtLeastThreeLevels(version)); assertEquals(true, instance.matchesAtLeastThreeLevels(version));
//false tests //false tests
version = new DependencyVersion("1.2.2.5"); version = new DependencyVersion("2.3.16.1");
assertEquals(false, instance.matchesAtLeastThreeLevels(version)); assertEquals(false, instance.matchesAtLeastThreeLevels(version));
version = new DependencyVersion("2"); version = new DependencyVersion("2");
assertEquals(false, instance.matchesAtLeastThreeLevels(version)); assertEquals(false, instance.matchesAtLeastThreeLevels(version));