So Maven actually removed the vulnerable artifacts in CVE-2024-22233.…

… Great! But it exposed a bug in our code. That should now be fixed :-)
fasten-project · Jan 26, 2024 · 8f02fee · 8f02fee
1 parent 2119045
commit 8f02fee
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 25 deletions.
diff --git a/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java b/src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java
@@ -342,10 +342,10 @@ public List<String> getVulnerableVersionsYAML(List<String> encodedRangeVersions,
 
     public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<String> allVersions) {
         List<ComparableVersion> allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
-	Set<String> vulnerableVersions = Sets.newLinkedHashSet(allVersions);
+	Set<ComparableVersion> vulnerableVersions = Sets.newLinkedHashSet(allParsedVersions);
 
-        Set<Integer> versionIndicesToRemove = Sets.newLinkedHashSet();
-	Set<Integer> versionIndicesToKeep = Sets.newLinkedHashSet();
+        Set<ComparableVersion> versionsToRemove = Sets.newLinkedHashSet();
+	Set<ComparableVersion> versionsToKeep = Sets.newLinkedHashSet();
 
         for (String range : encodedRangeVersions.split(",")) {
             String operator = range.strip().split("[0-9]")[0].strip();
@@ -355,80 +355,80 @@ public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<
             switch (operator) {
                 case "==":
                 case "=": {
-		    versionIndicesToKeep.addAll(findEqualVersions(parsedVersionFromRange, allParsedVersions));
+		    versionsToKeep.add(parsedVersionFromRange);
                     break;
                 }
                 case "<=": {
-		    versionIndicesToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
+		    versionsToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case "<": {
-		    versionIndicesToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
+		    versionsToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case ">=": {
-		    versionIndicesToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
+		    versionsToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case ">": {
-		    versionIndicesToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
+		    versionsToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 default:
                     logger.warn("getVulnerableVersionsJSON: unknown operator " + operator);
             }
         }
-	if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() != 0) {
+	if(versionsToRemove.size() == 0 && versionsToKeep.size() != 0) {
 		vulnerableVersions.clear();
 	}
-	versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);	
-	versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
-        return vulnerableVersions.stream().collect(Collectors.toList());
+	versionsToRemove.stream().forEach(vulnerableVersions::remove);	
+	versionsToKeep.stream().forEach(vulnerableVersions::add);
+        return vulnerableVersions.stream().map(v -> v.toString()).collect(Collectors.toList());
     }
 
-     private List<Integer> findUnequalVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
+     private List<ComparableVersion> findUnequalVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
         var matches = findSmallerVersions(v, allVersions);
         matches.addAll(findGreaterVersions(v, allVersions));
         return matches;
     }
 
-    private List<Integer> findEqualAndGreaterVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
+    private List<ComparableVersion> findEqualAndGreaterVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
         var matches = findEqualVersions(v, allVersions);
         matches.addAll(findGreaterVersions(v, allVersions));
         return matches;
     }
 
-    private List<Integer> findEqualAndSmallerVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
+    private List<ComparableVersion> findEqualAndSmallerVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
         var matches = findEqualVersions(v, allVersions);
         matches.addAll(findSmallerVersions(v, allVersions));
         return matches;
     }
 
-    private List<Integer> findEqualVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
-        var result = new ArrayList<Integer>();
+    private List<ComparableVersion> findEqualVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
+        var result = new ArrayList<ComparableVersion>();
         for(int i = 0; i < allVersions.size(); i++) {
             if(v.compareTo(allVersions.get(i)) == 0) {
-                result.add(i);
+                result.add(allVersions.get(i));
             }
         }
         return result;
     }
 
-    private List<Integer> findSmallerVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
-        var result = new ArrayList<Integer>();
+    private List<ComparableVersion> findSmallerVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
+        var result = new ArrayList<ComparableVersion>();
         for(int i = 0; i < allVersions.size(); i++) {
             if(v.compareTo(allVersions.get(i)) > 0) {
-                result.add(i);
+                result.add(allVersions.get(i));
             }
         }
         return result;
     }
 
-    private List<Integer> findGreaterVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
-        var result = new ArrayList<Integer>();
+    private List<ComparableVersion> findGreaterVersions(ComparableVersion v, List<ComparableVersion> allVersions) {
+        var result = new ArrayList<ComparableVersion>();
         for(int i = 0; i < allVersions.size(); i++) {
             if(v.compareTo(allVersions.get(i)) < 0) {
-                result.add(i);
+                result.add(allVersions.get(i));
             }
         }
         return result;

diff --git a/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java b/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java
@@ -220,7 +220,7 @@ public void testParseCVE_2024_22233() throws Exception {
         HashMap<String, String> values = new HashMap<>();
         values.put("query", queryNoCursor);
         when(clientMock.sendPost("https://api.github.com/graphql", token, values)).thenReturn(CVE_2024_22233);
-        var versions = Stream.of("", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "6.0.0", "6.0.15", "6.1.2", "6.0.16", "6.1.3").map(x -> new ImmutablePair<>(x, new DateTime())).collect(Collectors.toList());
+        var versions = Stream.of("", "1.0.0", "1.0.1-m1", "1.0.1.RELEASE", "1.0.2.SEC01", "1.0.3", "6.0.0", "6.0.15", "6.1.2", "6.0.16", "6.1.3").map(x -> new ImmutablePair<>(x, new DateTime())).collect(Collectors.toList());
         ghParser.getVersionRanger().versionsMappings.put("pkg:maven/org.springframework/spring-core", versions);
         ghParser.setCursor(null);