fixed bug causing vulnerabilities to be missed

Former-commit-id: e625225c6be3be1b471fab48c6eda0a616febfb9
2026-01-14 07:43:40 +01:00 · 2014-05-07 07:05:37 -04:00
parent f2006206d3
commit 8fcf5ee760
1 changed files with 5 additions and 2 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -46,6 +46,7 @@ import org.owasp.dependencycheck.utils.Pair;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public class CveDB {
+
    /**
     * The logger.
     */
@@ -733,8 +734,10 @@ public class CveDB {
        final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
        final DependencyVersion v = parseDependencyVersion(cpeId);
        final boolean prevAffected = previous != null && !previous.isEmpty();
-        if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
-            if (v == null || "-".equals(v.toString())) {
+        if (v == null || "-".equals(v.toString())) { //all versions
+            affected = true;
+        } else if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
+            if (prevAffected) {
                affected = true;
            }
        } else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {