Also always mark as vulnerable the versions explicity named in the ve…

…rsion spec for the operators <=, >=, even if the vulnerable version is missing from the Maven central list.
fasten-project · Jan 27, 2024 · 568bc4b · 568bc4b
1 parent 8f02fee
commit 568bc4b
Showing 1 changed file with 20 additions and 13 deletions.
diff --git a/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java b/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
@@ -341,11 +341,12 @@ public List<String> getVulnerableVersionsYAML(List<String> encodedRangeVersions,
     }
 
     public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<String> allVersions) {
-        List<ComparableVersion> allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
-	Set<ComparableVersion> vulnerableVersions = Sets.newLinkedHashSet(allParsedVersions);
+        List<ComparableVersion> allParsedVersions = allVersions.stream().map(ComparableVersion::new)
+                .collect(Collectors.toList());
+        Set<ComparableVersion> vulnerableVersions = Sets.newLinkedHashSet(allParsedVersions);
 
         Set<ComparableVersion> versionsToRemove = Sets.newLinkedHashSet();
-	Set<ComparableVersion> versionsToKeep = Sets.newLinkedHashSet();
+        Set<ComparableVersion> versionsToKeep = Sets.newLinkedHashSet();
 
         for (String range : encodedRangeVersions.split(",")) {
             String operator = range.strip().split("[0-9]")[0].strip();
@@ -355,34 +356,40 @@ public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<
             switch (operator) {
                 case "==":
                 case "=": {
-		    versionsToKeep.add(parsedVersionFromRange);
+                    versionsToKeep.add(parsedVersionFromRange);
                     break;
                 }
                 case "<=": {
-		    versionsToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
+                    versionsToKeep.add(parsedVersionFromRange);
+                    versionsToRemove.addAll(
+                        findGreaterVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case "<": {
-		    versionsToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
+                    versionsToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange,
+                        allParsedVersions));
                     break;
                 }
                 case ">=": {
-		    versionsToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
+                    versionsToKeep.add(parsedVersionFromRange);
+                    versionsToRemove.addAll(
+                        findSmallerVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case ">": {
-		    versionsToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
+                    versionsToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange,
+                        allParsedVersions));
                     break;
                 }
                 default:
                     logger.warn("getVulnerableVersionsJSON: unknown operator " + operator);
             }
         }
-	if(versionsToRemove.size() == 0 && versionsToKeep.size() != 0) {
-		vulnerableVersions.clear();
-	}
-	versionsToRemove.stream().forEach(vulnerableVersions::remove);	
-	versionsToKeep.stream().forEach(vulnerableVersions::add);
+        if (versionsToRemove.size() == 0 && versionsToKeep.size() != 0) {
+            vulnerableVersions.clear();
+        }
+        versionsToRemove.stream().forEach(vulnerableVersions::remove);
+        versionsToKeep.stream().forEach(vulnerableVersions::add);
         return vulnerableVersions.stream().map(v -> v.toString()).collect(Collectors.toList());
     }