Fix multi equals in version spec (again)

src/main/java/eu/fasten/vulnerabilityproducer/utils/mappers/VersionRanger.java

@@ -18,7 +18,6 @@
 
 package eu.fasten.vulnerabilityproducer.utils.mappers;
 
-import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 
 import eu.fasten.vulnerabilityproducer.utils.Vulnerability;
@@ -342,11 +341,11 @@ public List<String> getVulnerableVersionsYAML(List<String> encodedRangeVersions,
     }
 
     public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<String> allVersions) {
-        var allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
+        List<ComparableVersion> allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
 	Set<String> vulnerableVersions = Sets.newLinkedHashSet(allVersions);
 
-        List<Integer> versionIndicesToRemove = Lists.newArrayList();
-	List<Integer> versionIndicesToKeep = Lists.newArrayList();
+        Set<Integer> versionIndicesToRemove = Sets.newLinkedHashSet();
+	Set<Integer> versionIndicesToKeep = Sets.newLinkedHashSet();
 
         for (String range : encodedRangeVersions.split(",")) {
             String operator = range.strip().split("[0-9]")[0].strip();
@@ -360,31 +359,30 @@ public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<
                     break;
                 }
                 case "<=": {
-                    versionIndicesToRemove = findGreaterVersions(parsedVersionFromRange, allParsedVersions);
+		    versionIndicesToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case "<": {
-                    versionIndicesToRemove = findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions);
+		    versionIndicesToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case ">=": {
-                    versionIndicesToRemove = findSmallerVersions(parsedVersionFromRange, allParsedVersions);
+		    versionIndicesToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 case ">": {
-                    versionIndicesToRemove = findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions);
+		    versionIndicesToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
                     break;
                 }
                 default:
                     logger.warn("getVulnerableVersionsJSON: unknown operator " + operator);
             }
-	    // If we only have some specific versions in the spec, only those should be kept.
-	    if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() > 0) {
-		vulnerableVersions.clear();
-	    }
-	    versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);	
-	    versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
         }
+	if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() != 0) {
+		vulnerableVersions.clear();
+	}
+	versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);	
+	versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
         return vulnerableVersions.stream().collect(Collectors.toList());
     }
 

src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java

@@ -39,6 +39,7 @@
 import java.util.stream.Stream;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.when;
 
 public class GHParserTest {
@@ -153,6 +154,16 @@ public class GHParserTest {
         }
     }
 
+    String CVE_2024_22233;
+
+    {
+        try {
+             CVE_2024_22233 = FileUtils.readFileToString(new File("./src/test/resources/parsers/CVE-2024-22233.json"), StandardCharsets.UTF_8);
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+
     @Test
     public void testQueryBuilder() {
         String queryWithoutCursor = ghParser.buildQuery(null);
@@ -204,6 +215,24 @@ public void testParseGHResponseWithdrawn() throws Exception {
         assertEquals(0, result.size());
     }
 
+    @Test
+    public void testParseCVE_2024_22233() throws Exception {
+        HashMap<String, String> values = new HashMap<>();
+        values.put("query", queryNoCursor);
+        when(clientMock.sendPost("https://api.github.com/graphql", token, values)).thenReturn(CVE_2024_22233);
+        var versions = Stream.of("", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "6.0.0", "6.0.15", "6.1.2", "6.0.16", "6.1.3").map(x -> new ImmutablePair<>(x, new DateTime())).collect(Collectors.toList());
+        ghParser.getVersionRanger().versionsMappings.put("pkg:maven/org.springframework/spring-core", versions);
+        ghParser.setCursor(null);
+
+        HashMap<String, Vulnerability> result = ghParser.getVulnerabilities(false);
+
+        assertEquals(1, result.size());
+	var purls = result.get("CVE-2024-22233").getPurls();
+	assertEquals(2, purls.size());
+	assertTrue(purls.contains("pkg:maven/org.springframework/[email protected]"));
+	assertTrue(purls.contains("pkg:maven/org.springframework/[email protected]"));
+    }
+
     @AfterAll
     public static void deleteCursor() {
         File ghCursor = new File("./src/test/resources/parsers/cursor.txt.txt");

src/test/resources/parsers/CVE-2024-22233.json

@@ -0,0 +1,69 @@
+{
+  "data" : {
+    "securityAdvisories": {
+      "nodes": [
+	{
+	  "description": "In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n  *  the application uses Spring MVC\n  *  Spring Security 6.1.6+ or 6.2.1+ is on the classpath\n\n\nTypically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.\n\n\n",
+	  "withdrawnAt": null,
+	  "identifiers": [
+	    {
+	      "type": "GHSA",
+	      "value": "GHSA-r4q3-7g4q-x89m"
+	    },
+	    {
+	      "type": "CVE",
+	      "value": "CVE-2024-22233"
+	    }
+	  ],
+	  "severity": "HIGH",
+	  "cvss": {
+	    "score": 7.5,
+	    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+	  },
+	  "cwes": {
+	    "nodes": []
+	  },
+	  "references": [
+	    {
+	      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22233"
+	    },
+	    {
+	      "url": "https://spring.io/security/cve-2024-22233/"
+	    },
+	    {
+	      "url": "https://github.com/advisories/GHSA-r4q3-7g4q-x89m"
+	    }
+	  ],
+	  "vulnerabilities": {
+	    "nodes": [
+	      {
+		"vulnerableVersionRange": "= 6.0.15",
+		"firstPatchedVersion": {
+		  "identifier": "6.0.16"
+		},
+		"package": {
+		  "ecosystem": "MAVEN",
+		  "name": "org.springframework:spring-core"
+		}
+	      },
+	      {
+		"vulnerableVersionRange": "= 6.1.2",
+		"firstPatchedVersion": {
+		  "identifier": "6.1.3"
+		},
+		"package": {
+		  "ecosystem": "MAVEN",
+		  "name": "org.springframework:spring-core"
+		}
+	      }
+	    ]
+	  }
+	}
+      ],
+      "pageInfo": {
+        "endCursor": "Y3Vyc29yOnYyOpK5MjAyMC0wNi0wNFQwMDowMjoxOSswMjowMM0ITw==",
+        "hasNextPage": false
+      }
+    }
+  }
+}