From 25606aa3db6b33994726b823425777f105c21f74 Mon Sep 17 00:00:00 2001
From: Chad Wilson
Date: Mon, 4 Nov 2024 16:24:11 +0800
Subject: [PATCH] fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions (#7125)
Signed-off-by: Chad Wilson
---
 .../data/nvdcve/CveItemOperator.java | 8 ++++--
 .../data/nvdcve/CveItemOperatorTest.java | 28 +++++++++++++++++++
 2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
index 113d3a1267..5360322835 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
@@ -18,6 +18,8 @@
 package org.owasp.dependencycheck.data.nvdcve;
 import io.github.jeremylong.openvulnerability.client.nvd.Config;
+
+import java.util.Objects;
 import java.util.stream.Collectors;
 import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
@@ -219,15 +221,15 @@ public boolean isRejected(String description) {
 boolean testCveCpeStartWithFilter(final DefCveItem cve) {
 if (cve.getCve().getConfigurations() != null) {
 //cycle through to see if this is a CPE we care about (use the CPE filters
- final boolean result = cve.getCve().getConfigurations().stream()
+ return cve.getCve().getConfigurations().stream()
 .map(Config::getNodes)
 .flatMap(List::stream)
- .filter(node -> node != null)
+ .filter(Objects::nonNull)
 .map(Node::getCpeMatch)
+ .filter(Objects::nonNull)
 .flatMap(List::stream)
 .filter(cpe -> cpe != null && cpe.getCriteria() != null)
 .anyMatch(cpe -> cpe.getCriteria().startsWith(cpeStartsWithFilter));
- return result;
 }
 return false;
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java
index 41cdd98fbd..f14c057f47 100644
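Review bot: The new `.filter(Objects::nonNull)` guards a null `cpeMatch` list, but the equivalent gap one step earlier is still open: `.map(Config::getNodes).flatMap(List::stream)` throws a NullPointerException for a configuration whose `nodes` list is absent, which is the same class of malformed NVD record this commit sets out to tolerate. The symmetric guard is one line, `.map(Config::getNodes).filter(Objects::nonNull).flatMap(List::stream)`. Because the configurations come from the vulnerability feed rather than from the scanner's own code, an unguarded NPE here presumably fails the whole update pass rather than skipping the one bad record, which is the failure mode worth closing; whether a null `Config` element inside the configurations list can also occur is not visible from the hunk. The retained comment `//cycle through to see if this is a CPE we care about (use the CPE filters` is left unclosed; `// walk every configuration node and report whether any CPE criteria starts with the configured prefix filter` would read cleaner. If testCveCpeStartWithFilter has a Javadoc, it sits above the hunk.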
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java
@@ -33,6 +33,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import org.junit.Test;
+
 import static org.junit.Assert.*;
 /**
@@ -89,4 +90,31 @@ public void testTestCveCpeStartWithFilter() {
 }
+ @Test
+ public void testTestCveCpeStartWithFilterForConfigurationWithoutCpeMatches() {
+ ZonedDateTime published = ZonedDateTime.now();
+ ZonedDateTime lastModified = ZonedDateTime.now();
+ LocalDate cisaExploitAdd = null;
+ LocalDate cisaActionDue = null;
+ List cveTags = null;
+ List descriptions = null;
+ List references = null;
+ Metrics metrics = null;
+ List weaknesses = null;
+
+ Node noCpeMatches = new Node(Node.Operator.OR, null, null);
+ Config c = new Config(Config.Operator.AND, null, List.of(noCpeMatches));
+ List vendorComments = null;
+ CveItem cveItem = new CveItem("id", "sourceIdentifier", "vulnStatus", published, lastModified,
+ "evaluatorComment", "evaluatorSolution", "evaluatorImpact", cisaExploitAdd, cisaActionDue,
+ "cisaRequiredAction", "cisaVulnerabilityName", cveTags, descriptions, references, metrics,
+ weaknesses, List.of(c), vendorComments);
+
+ DefCveItem cve = new DefCveItem(cveItem);
+ CveItemOperator instance = new CveItemOperator("cpe:2.3:o:");
+ boolean expResult = false;
+ boolean result = instance.testCveCpeStartWithFilter(cve);
+ assertEquals(expResult, result);
+ }
+
 }
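Review bot: The new test pins only the null `cpeMatch` shape; a sibling case built with `new Config(Config.Operator.AND, null, null)` (null `nodes`) would document whether the operator is expected to tolerate that shape too, since it is the next field the same stream pipeline dereferences. The locals `List cveTags`, `List descriptions`, `List references`, `List weaknesses` and `List vendorComments` are raw types and will emit rawtypes warnings; as they are all null they can be declared with the element types the `CveItem` constructor takes, or the `null` literals passed inline and the locals dropped. `ZonedDateTime.now()` for `published` and `lastModified` makes the fixture nondeterministic for no benefit; a fixed value such as `ZonedDateTime.parse("2024-11-04T00:00:00Z")` (constructed example) keeps it reproducible. The `boolean expResult = false;` / `assertEquals(expResult, result)` pair can collapse to `assertFalse(instance.testCveCpeStartWithFilter(cve));` given `Assert.*` is already statically imported.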