fix(cpescan): match if affected version is NA (#283)

* fix(cpescan): match if affected version is NA

* add  testcase

* fix

db/db.go

@@ -118,17 +118,17 @@ func parseCpeURI(cpe22uri string) (*models.CpeBase, error) {
 		FormattedString: naming.BindToFS(wfn),
 		WellFormedName:  wfn.String(),
 		CpeWFN: models.CpeWFN{
-			Part:            fmt.Sprintf("%s", wfn.Get(common.AttributePart)),
-			Vendor:          fmt.Sprintf("%s", wfn.Get(common.AttributeVendor)),
-			Product:         fmt.Sprintf("%s", wfn.Get(common.AttributeProduct)),
-			Version:         fmt.Sprintf("%s", wfn.Get(common.AttributeVersion)),
-			Update:          fmt.Sprintf("%s", wfn.Get(common.AttributeUpdate)),
-			Edition:         fmt.Sprintf("%s", wfn.Get(common.AttributeEdition)),
-			Language:        fmt.Sprintf("%s", wfn.Get(common.AttributeLanguage)),
-			SoftwareEdition: fmt.Sprintf("%s", wfn.Get(common.AttributeSwEdition)),
-			TargetSW:        fmt.Sprintf("%s", wfn.Get(common.AttributeTargetSw)),
-			TargetHW:        fmt.Sprintf("%s", wfn.Get(common.AttributeTargetHw)),
-			Other:           fmt.Sprintf("%s", wfn.Get(common.AttributeOther)),
+			Part:            wfn.GetString(common.AttributePart),
+			Vendor:          wfn.GetString(common.AttributeVendor),
+			Product:         wfn.GetString(common.AttributeProduct),
+			Version:         wfn.GetString(common.AttributeVersion),
+			Update:          wfn.GetString(common.AttributeUpdate),
+			Edition:         wfn.GetString(common.AttributeEdition),
+			Language:        wfn.GetString(common.AttributeLanguage),
+			SoftwareEdition: wfn.GetString(common.AttributeSwEdition),
+			TargetSW:        wfn.GetString(common.AttributeTargetSw),
+			TargetHW:        wfn.GetString(common.AttributeTargetHw),
+			Other:           wfn.GetString(common.AttributeOther),
 		},
 	}, nil
 }
@@ -206,7 +206,7 @@ func match(specifiedURI string, cpeInNvd models.CpeBase) (isExactVerMatch, isRou
 		return false, false, false, nil
 	}
 
-	specifiedVer := fmt.Sprintf("%s", specified.Get(common.AttributeVersion))
+	specifiedVer := specified.GetString(common.AttributeVersion)
 	switch specifiedVer {
 	case "NA", "ANY":
 		if err := cpeInNvdWfn.Set(common.AttributeVersion, nil); err != nil {
@@ -220,6 +220,11 @@ func match(specifiedURI string, cpeInNvd models.CpeBase) (isExactVerMatch, isRou
 		return true, false, false, nil
 	}
 
+	if cpeInNvdWfn.GetString(common.AttributeVersion) == "NA" {
+		log.Debugf("%s matches %s", specified.String(), cpeInNvd.URI)
+		return true, false, false, nil
+	}
+
 	ok, err := matchSemver(specifiedVer, cpeInNvd)
 	if err != nil {
 		// version range specified in cpeInNvd are not defined as semver style
@@ -242,8 +247,7 @@ func match(specifiedURI string, cpeInNvd models.CpeBase) (isExactVerMatch, isRou
 	// In this case, target_sw does not match and returns false
 	// - config.toml:  	"cpe:/a:apache:cordova:5.1.1::~~~iphone_os~~",
 	// - AffectedCPEInNVD:    "cpe:/a:apache:cordova:5.1.1::~~~android~~",
-	if fmt.Sprintf("%s", specified.Get(common.AttributeVersion)) !=
-		fmt.Sprintf("%s", cpeInNvdWfn.Get(common.AttributeVersion)) {
+	if specified.GetString(common.AttributeVersion) != cpeInNvdWfn.GetString(common.AttributeVersion) {
 		return false, false, false, nil
 	}
 	return isSuperORSubset(cpeInNvdWfn, specified), false, false, nil

db/db_test.go

@@ -287,6 +287,26 @@ func TestMatch(t *testing.T) {
 			wantIsRoughVerMatch:      false,
 			wantIsVendorProductMatch: false,
 		},
+		{
+			name: "true: NA should match all version",
+			uri:  "cpe:/h:fortinet:fortigate-100d:v6.2.9",
+			cpe: models.CpeBase{
+				URI: "cpe:/h:fortinet:fortigate-100d:-",
+			},
+			wantIsExactVerMatch:      true,
+			wantIsRoughVerMatch:      false,
+			wantIsVendorProductMatch: false,
+		},
+		{
+			name: "true: NA should match all version",
+			uri:  "cpe:/h:fortinet:fortigate-100d:v6.2.9",
+			cpe: models.CpeBase{
+				URI: "cpe:/h:fortinet:fortigate-100d:v6.2.9:-",
+			},
+			wantIsExactVerMatch:      true,
+			wantIsRoughVerMatch:      false,
+			wantIsVendorProductMatch: false,
+		},
 	}
 
 	for _, tt := range testdata {