Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix false negatives in NVD CPE matching #861

Merged
merged 4 commits into from
Oct 21, 2023
Merged

Fix false negatives in NVD CPE matching #861

merged 4 commits into from
Oct 21, 2023

Conversation

nscuro
Copy link
Member

@nscuro nscuro commented Oct 19, 2023

@nscuro
Fix false negatives in NVD CPE matching
9db5c5c 
Ported from DependencyTrack/dependency-track#3070

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro added defect Something isn't working domain/vuln-analysis labels Oct 19, 2023
@nscuro nscuro mentioned this pull request Oct 19, 2023
Closed
@nscuro
Fix InternalScannerProcessorTest#testWithPurl
199959a 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Remove redundant compareAttributes test
c2828e0 
We're now calling a library method and don't implement this logic ourselves anymore.

Further, the functionality of `compareAttributes` is already tested in the new CPE matching tests.

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Fix assertion of CPE update attribute NA matching NA
9c44267 
Signed-off-by: nscuro <nscuro@protonmail.com>
@sonarcloud
Copy link

sonarcloud bot commented Oct 20, 2023

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 7 Code Smells

65.6% 65.6% Coverage
0.0% 0.0% Duplication

idea Catch issues before they fail your Quality Gate with our IDE extension sonarlint SonarLint

@nscuro
Copy link
Member Author

nscuro commented Oct 20, 2023

Sonar is complaining about missing coverage in VulnerableSoftwareRepository. That class is thoroughly exercised in the new CPE matching tests, however those live in a separate module so Sonar doesn't include it in the coverage metrics correctly.

I'd prefer not to write duplicate test code just to make this metric go up, but can do it anyway in case other team members wanted it.

@nscuro nscuro merged commit 4abd801 into main Oct 21, 2023
11 of 12 checks passed
@nscuro nscuro deleted the port-pr3070 branch October 21, 2023 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sahibamittal sahibamittal sahibamittal approved these changes

@mehab mehab mehab approved these changes

Assignees
No one assigned
Labels
defect Something isn't working domain/vuln-analysis
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@nscuro @sahibamittal @mehab