updated compareTo so that null values are handled properly

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -25,6 +25,7 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.StringTokenizer;
+import org.apache.commons.lang3.builder.CompareToBuilder;
 import org.apache.lucene.document.Document;
 import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
@@ -801,6 +802,12 @@ public class CPEAnalyzer implements Analyzer {
          */
         @Override
         public int compareTo(IdentifierMatch o) {
+            return new CompareToBuilder()
+                    .append(confidence, o.confidence)
+                    .append(evidenceConfidence, o.evidenceConfidence)
+                    .append(identifier, o.identifier)
+                    .toComparison();
+            /*
             int conf = this.confidence.compareTo(o.confidence);
             if (conf == 0) {
                 conf = this.evidenceConfidence.compareTo(o.evidenceConfidence);
@@ -809,6 +816,7 @@ public class CPEAnalyzer implements Analyzer {
                 }
             }
             return conf;
+             */
         }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java

@@ -21,6 +21,7 @@ import java.io.Serializable;
 import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
+import org.apache.commons.lang3.builder.CompareToBuilder;
 
 /**
  * Contains the information about a vulnerability.
@@ -161,7 +162,8 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
      * Adds an entry for vulnerable software.
      *
      * @param cpe string representation of a cpe
-     * @param previousVersion the previous version (previousVersion - cpe would be considered vulnerable)
+     * @param previousVersion the previous version (previousVersion - cpe would
+     * be considered vulnerable)
      * @return if the add succeeded
      */
     public boolean addVulnerableSoftware(String cpe, String previousVersion) {
@@ -402,16 +404,20 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
         }
         return sb.toString();
     }
+
     /**
      * Compares two vulnerabilities.
      *
      * @param v a vulnerability to be compared
-     * @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than
+     * @return a negative integer, zero, or a positive integer as this object is
-     * the specified vulnerability
+     * less than, equal to, or greater than the specified vulnerability
      */
     @Override
     public int compareTo(Vulnerability v) {
-        return v.getName().compareTo(this.getName());
+        return new CompareToBuilder()
+                .append(this.name, v.name)
+                .toComparison();
+        //return v.getName().compareTo(this.getName());
     }
 
     /**
@@ -427,8 +433,8 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
      * Sets the CPE that caused this vulnerability to be flagged.
      *
      * @param cpeId a CPE identifier
-     * @param previous a flag indicating whether or not all previous versions were affected (any non-null value is
+     * @param previous a flag indicating whether or not all previous versions
-     * considered true)
+     * were affected (any non-null value is considered true)
      */
     public void setMatchedCPE(String cpeId, String previous) {
         matchedCPE = cpeId;