From a6aae6292e71fe33b36f5ff5e6895e55a1174ef7 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Fri, 31 May 2013 22:57:04 -0400
Subject: [PATCH] added initial version filter - only supporting struts1/2
 right now

Former-commit-id: aa432c189c55d9ed66cf86d48041dd69dd43ab86
---
 .../data/nvdcve/NvdCveAnalyzer.java           | 44 ++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
index 4f79a951b..31d81a18c 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
@@ -29,6 +29,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 /**
  * NvdCveAnalyzer is a utility class that takes a project dependency and
  * attempts to discern if there is an associated CVEs. It uses the the
@@ -106,7 +107,9 @@ public class NvdCveAnalyzer implements Analyzer {
                     final String value = id.getValue();
                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
                     for (Vulnerability v : vulns) {
-                        dependency.addVulnerability(v);
+                        if (isValidMatch(dependency, v)) {
+                            dependency.addVulnerability(v);
+                        }
                     }
                 } catch (DatabaseException ex) {
                     throw new AnalysisException(ex);
@@ -160,4 +163,43 @@ public class NvdCveAnalyzer implements Analyzer {
     public void initialize() throws Exception {
         this.open();
     }
+
+    private boolean isValidMatch(final Dependency dependency, final Vulnerability v) {
+        //right now I only know of the issue with Struts1/2
+        // start with fixing this problem.
+
+        //TODO extend this solution to do better version matching for the vulnerable software.
+        boolean struts1 = false;
+        boolean struts2 = false;
+        for (Identifier i : dependency.getIdentifiers()) {
+            if (i.getValue().startsWith("cpe:/a:apache:struts:")) {
+                char version = i.getValue().charAt(21);
+                if (version == '1') {
+                    struts1 = true;
+                }
+                if (version == '2') {
+                    struts2 = true;
+                }
+            }
+        }
+        if (!struts1 && !struts2) {
+            return true; //we are not looking at struts, so return true.
+        }
+        if (struts1 && struts2) {
+            return true; //there is a mismatch here, but we can't solve it here so we return valid.
+        }
+        if (struts1) {
+            boolean hasStruts1Vuln = false;
+            boolean hasStruts2PreviousVersion = false;
+            for (VulnerableSoftware vs : v.getVulnerableSoftware()) {
+                hasStruts2PreviousVersion |= vs.hasPreviousVersion() && vs.getName().charAt(21) == '2';
+                hasStruts1Vuln |= vs.getName().charAt(21) == '1';
+            }
+            if (!hasStruts1Vuln && hasStruts2PreviousVersion) {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }