Attempted fix for CVE-2024-22233 mess-up.

fasten-project · Jan 26, 2024 · 0814786 · 0814786
1 parent 1024fe0
commit 0814786
Showing 1 changed file with 12 additions and 14 deletions.
diff --git a/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java b/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
@@ -18,7 +18,6 @@
 
 package eu.fasten.vulnerabilityproducer.utils.mappers;
 
-import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 
 import eu.fasten.vulnerabilityproducer.utils.Vulnerability;
@@ -342,11 +341,11 @@ public List<String> getVulnerableVersionsYAML(List<String> encodedRangeVersions,
     }
 
     public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<String> allVersions) {
-        var allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
+        List<ComparableVersion> allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
 	Set<String> vulnerableVersions = Sets.newLinkedHashSet(allVersions);
 
-        List<Integer> versionIndicesToRemove = Lists.newArrayList();
-	List<Integer> versionIndicesToKeep = Lists.newArrayList();
+        Set<Integer> versionIndicesToRemove = Sets.newLinkedHashSet();
+	Set<Integer> versionIndicesToKeep = Sets.newLinkedHashSet();
 
         for (String range : encodedRangeVersions.split(",")) {
             String operator = range.strip().split("[0-9]")[0].strip();
@@ -360,31 +359,30 @@ public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<
                     break;
                 }
                 case "<=": {
-                    versionIndicesToRemove = findGreaterVersions(parsedVersionFromRange, allParsedVersions);
+		    versionIndicesToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case "<": {
-                    versionIndicesToRemove = findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions);
+		    versionIndicesToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case ">=": {
-                    versionIndicesToRemove = findSmallerVersions(parsedVersionFromRange, allParsedVersions);
+		    versionIndicesToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case ">": {
-                    versionIndicesToRemove = findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions);
+		    versionIndicesToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 default:
                     logger.warn("getVulnerableVersionsJSON: unknown operator " + operator);
             }
-	    // If we only have some specific versions in the spec, only those should be kept.
-	    if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() > 0) {
-		vulnerableVersions.clear();
-	    }
-	    versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);	
-	    versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
         }
+	if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() != 0) {
+		vulnerableVersions.clear();
+	}
+	versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);	
+	versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
         return vulnerableVersions.stream().collect(Collectors.toList());
     }