Merge pull request #614 from stefanneuhaus/issue-613-fix-version-comparison

Fix handling of numerical versions
2026-01-14 15:53:36 +01:00 · 2016-12-22 06:58:26 -05:00
parent 309a5d9bcb e7072ea04c
commit f9d3a9d8d8
2 changed files with 37 additions and 1 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -226,14 +226,24 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp

    /**
     * Determines if the string passed in is a positive integer.
+     * To be counted as a positive integer, the string must only contain 0-9
+     * and must not have any leading zeros (though "0" is a valid positive
+     * integer).
     *
     * @param str the string to test
     * @return true if the string only contains 0-9, otherwise false.
     */
-    private static boolean isPositiveInteger(final String str) {
+    static boolean isPositiveInteger(final String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
+
+        // numbers with leading zeros should not be treated as numbers
+        // (e.g. when comparing "01" <-> "1")
+        if (str.charAt(0) == '0' && str.length() > 1) {
+            return false;
+        }
+
        for (int i = 0; i < str.length(); i++) {
            final char c = str.charAt(i);
            if (c < '0' || c > '9') {
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
@@ -109,6 +109,10 @@ public class VulnerableSoftwareTest extends BaseTest {
        vs1.setCpe("2.1.10");
        assertTrue(vs.compareTo(vs1) < 0);

+        vs.setCpe("2.1.42");
+        vs1.setCpe("2.3.21");
+        assertTrue(vs.compareTo(vs1) < 0);
+
        vs.setCpe("cpe:/a:hp:system_management_homepage:2.1.1");
        vs1.setCpe("cpe:/a:hp:system_management_homepage:2.1.10");
        assertTrue(vs.compareTo(vs1) < 0);
@@ -125,6 +129,14 @@ public class VulnerableSoftwareTest extends BaseTest {
        vs1.setCpe("cpe:/a:hp:system_management_homepage:2.1.10-186");
        assertTrue(vs.compareTo(vs1) < 0);
        //assertTrue(vs1.compareTo(vs)>0);
+
+        vs.setCpe("cpe:/a:ibm:security_guardium_database_activity_monitor:10.01");
+        vs1.setCpe("cpe:/a:ibm:security_guardium_database_activity_monitor:10.1");
+        assertTrue(vs.compareTo(vs1) < 0);
+
+        vs.setCpe("2.0");
+        vs1.setCpe("2.1");
+        assertTrue(vs.compareTo(vs1) < 0);
    }

    @Test
@@ -148,4 +160,18 @@ public class VulnerableSoftwareTest extends BaseTest {
        assertEquals("mysql", vs.getProduct());
        assertEquals("5.1.23a", vs.getVersion());
    }
+
+    @Test
+    public void testIspositiveInteger() {
+        assertTrue(VulnerableSoftware.isPositiveInteger("1"));
+        assertTrue(VulnerableSoftware.isPositiveInteger("10"));
+        assertTrue(VulnerableSoftware.isPositiveInteger("666"));
+        assertTrue(VulnerableSoftware.isPositiveInteger("0"));
+
+        assertFalse(VulnerableSoftware.isPositiveInteger("+1"));
+        assertFalse(VulnerableSoftware.isPositiveInteger("-1"));
+        assertFalse(VulnerableSoftware.isPositiveInteger("2.1"));
+        assertFalse(VulnerableSoftware.isPositiveInteger("01"));
+        assertFalse(VulnerableSoftware.isPositiveInteger("00"));
+    }
 }