Fix false positives in Java dependencies

vgaidarji · vgaidarji · commit f7a07384cdc4 · 2026-03-25T10:29:40.000+02:00
See neuvector/neuvector#2205 for more details.
diff --git a/common/db.go b/common/db.go
@@ -499,7 +499,6 @@ func LoadAppVulsTb(path string) (map[string][]AppModuleVul, error) {
 	}
 
 	for _, mn := range mns {
-		colon := strings.LastIndex(mn, ":")
 		m := strings.ReplaceAll(mn, ":", ".")
 		vf := vul[mn]
 
@@ -508,14 +507,6 @@ func LoadAppVulsTb(path string) (map[string][]AppModuleVul, error) {
 		} else {
 			vul[m] = vf
 		}
-		if m = mn[colon+1:]; len(m) > 0 {
-			key := fmt.Sprintf("jar:%s", m)
-			if _, ok := vul[key]; ok {
-				vul[key] = uniqueVulDb(append(vul[key], vf...))
-			} else {
-				vul[key] = vf
-			}
-		}
 	}
 	return vul, nil
 }
diff --git a/common/db_test.go b/common/db_test.go
@@ -162,6 +162,50 @@ func prepareMockDbPaths(t *testing.T, encryptKey []byte, timestamp time.Time) (s
 	return dbPath, expandRoot
 }
 
+func writeAppsTb(t *testing.T, dir string, entries ...AppModuleVul) {
+	t.Helper()
+	var buf bytes.Buffer
+	for _, e := range entries {
+		data, err := json.Marshal(e)
+		require.NoError(t, err)
+		buf.Write(data)
+		buf.WriteByte('\n')
+	}
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "apps.tb"), buf.Bytes(), 0644))
+}
+
+func loadAppsTb(t *testing.T, entries ...AppModuleVul) map[string][]AppModuleVul {
+	t.Helper()
+	dir := t.TempDir()
+	writeAppsTb(t, dir, entries...)
+	vul, err := LoadAppVulsTb(dir)
+	require.NoError(t, err)
+	return vul
+}
+
+func newJarVul(cveName, moduleName, severity, fixedBefore string) AppModuleVul {
+	return AppModuleVul{
+		VulName:     cveName,
+		AppName:     "jar",
+		ModuleName:  moduleName,
+		Severity:    severity,
+		AffectedVer: []AppModuleVersion{{OpCode: "lt", Version: fixedBefore}},
+	}
+}
+
+func requireKeyExists(t *testing.T, vul map[string][]AppModuleVul, key string) []AppModuleVul {
+	t.Helper()
+	v, ok := vul[key]
+	require.True(t, ok, "expected key %q to exist", key)
+	return v
+}
+
+func requireKeyAbsent(t *testing.T, vul map[string][]AppModuleVul, key string) {
+	t.Helper()
+	_, ok := vul[key]
+	require.False(t, ok, "key %q must NOT exist", key)
+}
+
 func TestLoadCveDB(t *testing.T) {
 	testCases := []struct {
 		name        string
@@ -284,3 +328,63 @@ func TestLoadCveDB(t *testing.T) {
 		})
 	}
 }
+
+func TestLoadAppVulsTb_NoJarShortcutKeys(t *testing.T) {
+	vul := loadAppsTb(t,
+		newJarVul("CVE-2021-0341", "com.squareup.okhttp3:okhttp", "High", "4.9.3"),
+		newJarVul("CVE-2022-20621", "org.jenkins-ci.plugins:metrics", "Medium", "4.2.0"),
+		newJarVul("CVE-2018-1000011", "org.jvnet.hudson.plugins:findbugs:library", "High", "4.72"),
+	)
+
+	// --- Verify original groupId:artifactId keys ARE present ---
+	okhttp := requireKeyExists(t, vul, "com.squareup.okhttp3:okhttp")
+	requireKeyExists(t, vul, "org.jenkins-ci.plugins:metrics")
+	requireKeyExists(t, vul, "org.jvnet.hudson.plugins:findbugs:library")
+
+	// --- Verify dot-separated backward-compat keys ARE present ---
+	okhttpDot := requireKeyExists(t, vul, "com.squareup.okhttp3.okhttp")
+	requireKeyExists(t, vul, "org.jenkins-ci.plugins.metrics")
+
+	// --- Verify jar: shortcut keys are NOT present ---
+	for _, key := range []string{"jar:okhttp", "jar:metrics", "jar:library", "jar:findbugs:library"} {
+		requireKeyAbsent(t, vul, key)
+	}
+
+	// --- Verify CVE data integrity for existing keys ---
+	require.Len(t, okhttp, 1)
+	require.Equal(t, "CVE-2021-0341", okhttp[0].VulName)
+
+	// Dot-separated key should have same data
+	require.Len(t, okhttpDot, 1)
+	require.Equal(t, "CVE-2021-0341", okhttpDot[0].VulName)
+}
+
+func TestLoadAppVulsTb_NoColonModuleName(t *testing.T) {
+	vul := loadAppsTb(t, AppModuleVul{
+		VulName:     "CVE-2099-0001",
+		AppName:     "npm",
+		ModuleName:  "lodash",
+		Severity:    "High",
+		AffectedVer: []AppModuleVersion{{OpCode: "lt", Version: "4.17.21"}},
+	})
+
+	requireKeyExists(t, vul, "lodash")
+	requireKeyAbsent(t, vul, "jar:lodash")
+	require.Len(t, vul, 1)
+}
+
+func TestLoadAppVulsTb_MultipleVulsSameModule(t *testing.T) {
+	vul := loadAppsTb(t,
+		newJarVul("CVE-2021-0341", "com.squareup.okhttp3:okhttp", "High", "4.9.3"),
+		newJarVul("CVE-2016-2402", "com.squareup.okhttp3:okhttp", "Medium", "3.1.2"),
+	)
+
+	// Both CVEs should be under the same key
+	require.Len(t, vul["com.squareup.okhttp3:okhttp"], 2)
+
+	// Dot-separated should also have both
+	require.Len(t, vul["com.squareup.okhttp3.okhttp"], 2)
+
+	// No jar: key
+	requireKeyAbsent(t, vul, "jar:okhttp")
+}
diff --git a/cvetools/apps_test.go b/cvetools/apps_test.go

Original file line number	Diff line number	Diff line change
`@@ -499,7 +499,6 @@ func LoadAppVulsTb(path string) (map[string][]AppModuleVul, error) {`
`499`	`499`	`}`
`500`	`500`
`501`	`501`	`for _, mn := range mns {`
`502`		`- colon := strings.LastIndex(mn, ":")`
`503`	`502`	`m := strings.ReplaceAll(mn, ":", ".")`
`504`	`503`	`vf := vul[mn]`
`505`	`504`
`@@ -508,14 +507,6 @@ func LoadAppVulsTb(path string) (map[string][]AppModuleVul, error) {`
`508`	`507`	`} else {`
`509`	`508`	`vul[m] = vf`
`510`	`509`	`}`
`511`		`- if m = mn[colon+1:]; len(m) > 0 {`
`512`		`- key := fmt.Sprintf("jar:%s", m)`
`513`		`- if _, ok := vul[key]; ok {`
`514`		`- vul[key] = uniqueVulDb(append(vul[key], vf...))`
`515`		`- } else {`
`516`		`- vul[key] = vf`
`517`		`- }`
`518`		`- }`
`519`	`510`	`}`
`520`	`511`	`return vul, nil`
`521`	`512`	`}`