fix: GAD source version parsing (intel#2809)

* Part of what's needed for intel#2793

cve_bin_tool/data_sources/gad_source.py

@@ -6,6 +6,7 @@
 import asyncio
 import datetime
 import io
+import re
 import zipfile
 from pathlib import Path
 
@@ -171,11 +172,35 @@ async def update_cve_entries(self):
 
                 self.all_cve_entries.append(data)
 
+    def parse_multiple_version(self, range_string):
+        version_strings = range_string.split(",")
+        start = False
+        versions = []
+        version = ""
+        for version_string in version_strings:
+            if version:
+                version += ","
+            version += version_string
+            if "(" in version_string or "[" in version_string:
+                start = True
+            if start and ("]" in version_string or ")" in version_string):
+                versions.append(version)
+                version = ""
+                start = False
+
+        # For cases like "<1.0.2"
+        if version:
+            versions.append(version)
+
+        return versions
+
     def parse_range_string(self, range_string):
         """Parses version strings from GAD CVEs and generates array of version data for affected_data."""
         version_list = []
 
-        version_strings = range_string.split("||")
+        version_strings = []
+        for version_string in range_string.split("||"):
+            version_strings.extend(self.parse_multiple_version(version_string))
 
         for version_string in version_strings:
             parsed_data = {
@@ -189,14 +214,34 @@ def parse_range_string(self, range_string):
             versions = version_string.replace(",", " ").split(" ")
 
             for version in versions:
-                if ">=" in version:
+                # Make sure we have an actual version number and not just a bunch of brackets
+                if not re.search("[0-9]", version):
+                    continue
+
+                # Only a specific version is affected eg. [4.4.0]
+                if "[" in version and "]" in version:
+                    parsed_data["version"] = version.replace("[", "").replace("]", "")
+
+                elif ">=" in version:
                     parsed_data["versionStartIncluding"] = version.replace(">=", "")
+                elif "[" in version:
+                    parsed_data["versionStartIncluding"] = version.replace("[", "")
+
                 elif ">" in version:
                     parsed_data["versionStartExcluding"] = version.replace(">", "")
+                elif "(" in version:
+                    parsed_data["versionStartExcluding"] = version.replace("(", "")
+
                 elif "<=" in version:
                     parsed_data["versionEndIncluding"] = version.replace("<=", "")
+                elif "]" in version:
+                    parsed_data["versionEndIncluding"] = version.replace("]", "")
+
                 elif "<" in version:
                     parsed_data["versionEndExcluding"] = version.replace("<", "")
+                elif ")" in version:
+                    parsed_data["versionEndExcluding"] = version.replace(")", "")
+
                 else:
                     parsed_data["version"] = version.replace("=", "")
 

test/test_cli.py

@@ -507,21 +507,11 @@ def test_SBOM(self, caplog):
                 ]
             )
 
-        if "There are 2 products with known CVEs detected" in caplog.record_tuples:
-            # Verify that 2 products detected
-            assert (
-                "cve_bin_tool",
-                logging.INFO,
-                "There are 2 products with known CVEs detected",
-            ) in caplog.record_tuples
-
-        elif "There are 1 products with known CVEs detected" in caplog.record_tuples:
-            # Verify that 1 products detected
-            assert (
-                "cve_bin_tool",
-                logging.INFO,
-                "There are 1 products with known CVEs detected",
-            ) in caplog.record_tuples
+        assert (
+            "cve_bin_tool",
+            logging.INFO,
+            "There are 2 products with known CVEs detected",
+        ) in caplog.record_tuples
 
     @pytest.mark.skipif(not LONG_TESTS(), reason="Skipping long tests")
     def test_console_output_depending_reportlab_existence(self, caplog):

test/test_source_gad.py

@@ -60,6 +60,38 @@ def teardown_class(cls):
                 "versionStartIncluding": "",
             },
         ],
+        "[4.4.0],(,4.2.0)": [
+            {
+                "version": "4.4.0",
+                "versionEndExcluding": "",
+                "versionEndIncluding": "",
+                "versionStartExcluding": "",
+                "versionStartIncluding": "",
+            },
+            {
+                "version": "*",
+                "versionEndExcluding": "4.2.0",
+                "versionEndIncluding": "",
+                "versionStartExcluding": "",
+                "versionStartIncluding": "",
+            },
+        ],
+        "(,1.0],[1.2,)": [
+            {
+                "version": "*",
+                "versionEndExcluding": "",
+                "versionEndIncluding": "1.0",
+                "versionStartExcluding": "",
+                "versionStartIncluding": "",
+            },
+            {
+                "version": "*",
+                "versionEndExcluding": "",
+                "versionEndIncluding": "",
+                "versionStartExcluding": "",
+                "versionStartIncluding": "1.2",
+            },
+        ],
     }
 
     cve_file_data = {