From c0013a0ba537dd27dc092f8677ed5e613186d2ba Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Wed, 8 Jan 2014 05:23:18 -0500
Subject: [PATCH] fixed bug 40 - version evidence is not showing up in the final reports

Former-commit-id: 1d39898252ca5738587947edd6ea977fbc571d55
---
 .../dependencycheck/analyzer/CPEAnalyzer.java | 26 ++++++++++++-------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
index fa97ea9bf..b0e742a4c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -144,11 +144,13 @@ public class CPEAnalyzer implements Analyzer {
 * @throws ParseException is thrown when the Lucene query cannot be parsed.
 */
 protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
- Confidence vendorConf = Confidence.HIGHEST;
- Confidence productConf = Confidence.HIGHEST;
+ Confidence confidence = Confidence.HIGHEST;
- String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), vendorConf);
- String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), productConf);
+ String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), confidence);
+ String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), confidence);
+ /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
+ * CPE identified. As such, we are "using" the evidence and ignoring the results. */
+ addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
 int ctr = 0;
 do {
@@ -164,13 +166,17 @@ public class CPEAnalyzer implements Analyzer {
 }
 }
 }
- vendorConf = reduceConfidence(vendorConf);
- if (dependency.getVendorEvidence().contains(vendorConf)) {
- vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), vendorConf);
+ confidence = reduceConfidence(confidence);
+ if (dependency.getVendorEvidence().contains(confidence)) {
+ vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
 }
- productConf = reduceConfidence(productConf);
- if (dependency.getProductEvidence().contains(productConf)) {
- products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), productConf);
+ if (dependency.getProductEvidence().contains(confidence)) {
+ products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
+ }
+ /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
+ * CPE identified. As such, we are "using" the evidence and ignoring the results. */
+ if (dependency.getVersionEvidence().contains(confidence)) {
+ addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
 }
 } while ((++ctr) < 4);
 }
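Review bot: The added `if (dependency.getVersionEvidence().contains(confidence))` branch in this hunk, like the unconditional call added in the first hunk, invokes `addEvidenceWithoutDuplicateTerms` purely for its side effect of marking evidence as used and discards the string it builds, which nothing in that method's name conveys and which a later maintainer is likely to remove as a dead call. A small private helper that walks the version evidence at the given confidence and flags it used, called from both places, would make the intent explicit and avoid building a search string that is never read; its body depends on the evidence API, which is outside this hunk. Until then the discarded call deserves an inline marker, e.g. `addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence); // result deliberately discarded: the call only marks the evidence as used`. Because the result is dropped, version evidence still does not feed the CPE search itself; if that is intended, the Javadoc of determineCPE (whose signature sits in the first hunk) should state that version evidence is consumed for reporting only.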