Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should subset of ANY be considered a match #30

Closed
jeremylong opened this issue Dec 26, 2019 · 3 comments
Closed

Should subset of ANY be considered a match #30

jeremylong opened this issue Dec 26, 2019 · 3 comments

Comments

@jeremylong
Copy link
Collaborator

The CPE 2.3 specification does not specify matching in terms of true/false - rather it defines four relations: equal, disjoint, superset, and subset (see table 6-2 in the specification).

The current implementation treats equal and superset as true. However, subsets are considered false (5, 13, 15 - numbers equate to entries in table 6-2):

CPE-Parser/src/main/java/us/springett/parsers/cpe/Cpe.java

Lines 618 to 627 in b90081a

} else if (LogicalValue.NA.getAbbreviation().equals(left)) {
//5 7 8
return false;
} else if (LogicalValue.NA.getAbbreviation().equals(right)) {
//12 16
return false;
} else if (LogicalValue.ANY.getAbbreviation().equals(right)) {
//13 15
return false;
}

This leads to a scenario where we have a source from the NVD for CVE-2019-1003058 of cpe:2.3:a:jenkins:ftp_publisher:*:*:*:*:*:jenkins:*:* that does not match the target CPE identified by dependency-check: cpe:2.3:a:jenkins:ftp_publisher:*:*:*:*:*:*:*. The comparison of the source target software of jenkins is a subset of the target ANY.

Thus, subset should likely be considered true.
jeremylong referenced this issue in jeremylong/CPE-Parser Dec 26, 2019
@jeremylong
updated to make subset comparisons for CPE attributes to be conside…
6e8df24 
…red true per #30
@jeremylong jeremylong mentioned this issue Dec 26, 2019
Merged
@stevespringett
Copy link
Owner

Agree with analysis. Let me know when you need a release.

@jeremylong
Copy link
Collaborator Author

I'll need this released fairly soon as part of the fully resolution to ODC issue #2386. I have two more minor bugs to fix and would like to release. So within 2 weeks if you could merge PR #31 and release - that would be great.

@jeremylong jeremylong changed the title Should subset be considered a match Should subset of ALL be considered a match Dec 27, 2019
@jeremylong jeremylong changed the title Should subset of ALL be considered a match Should subset of ANY be considered a match Dec 27, 2019
@stevespringett
Copy link
Owner

v2.0.2 was released to central.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jeremylong @stevespringett