fix(cpescan): bug in NvdVendorProductMatch

GNUmakefile

@@ -115,6 +115,8 @@ diff-cpes:
 	@ python integration/diff_server_mode.py cpe_ids --sample_rate 0.01
 
 diff-server-rdb:
+	- pkill -KILL go-cve.old
+	- pkill -KILL go-cve.new
 	integration/go-cve.old server --dbpath=$(PWD)/integration/cve.old.sqlite3 --port 1325 > /dev/null 2>&1 & 
 	integration/go-cve.new server --dbpath=$(PWD)/integration/cve.new.sqlite3 --port 1326 > /dev/null 2>&1 &
 	make diff-cveid
@@ -123,6 +125,8 @@ diff-server-rdb:
 	pkill go-cve.new
 
 diff-server-redis:
+	- pkill -KILL go-cve.old
+	- pkill -KILL go-cve.new
 	integration/go-cve.old server --dbtype redis --dbpath "redis://127.0.0.1:6379/0" --port 1325 > /dev/null 2>&1 & 
 	integration/go-cve.new server --dbtype redis --dbpath "redis://127.0.0.1:6380/0" --port 1326 > /dev/null 2>&1 & 
 	make diff-cveid
@@ -131,6 +135,7 @@ diff-server-redis:
 	pkill go-cve.new
 
 diff-server-rdb-redis:
+	- pkill -KILL go-cve.new
 	integration/go-cve.new server --dbpath=$(PWD)/integration/cve.new.sqlite3 --port 1325 > /dev/null 2>&1 & 
 	integration/go-cve.new server --dbtype redis --dbpath "redis://127.0.0.1:6380/0" --port 1326 > /dev/null 2>&1 & 
 	make diff-cveid

db/db.go

@@ -200,11 +200,6 @@ func match(specifiedURI string, cpeInNvd models.CpeBase) (isExactVerMatch, isRou
 		return false, false, false, nil
 	}
 
-	if matching.IsEqual(specified, cpeInNvdWfn) {
-		log.Debugf("%s equals %s", specified.String(), cpeInNvd.URI)
-		return true, false, false, nil
-	}
-
 	specifiedVer := fmt.Sprintf("%s", specified.Get(common.AttributeVersion))
 	switch specifiedVer {
 	case "NA", "ANY":
@@ -214,6 +209,11 @@ func match(specifiedURI string, cpeInNvd models.CpeBase) (isExactVerMatch, isRou
 		return false, false, isSuperORSubset(cpeInNvdWfn, specified), nil
 	}
 
+	if matching.IsEqual(specified, cpeInNvdWfn) {
+		log.Debugf("%s equals %s", specified.String(), cpeInNvd.URI)
+		return true, false, false, nil
+	}
+
 	ok, err := matchSemver(specifiedVer, cpeInNvd)
 	if err != nil {
 		// version range specified in cpeInNvd are not defined as semver style

db/db_test.go

@@ -491,6 +491,7 @@ func Test_filterCveDetailByCpeURI1(t *testing.T) {
 			expected: nil,
 		},
 		{
+			name: "NvdExactVersionMatch",
 			args: args{
 				uri: "cpe:/o:vendor:product:1.0.0",
 				cve: &models.CveDetail{
@@ -530,7 +531,7 @@ func Test_filterCveDetailByCpeURI1(t *testing.T) {
 			},
 		},
 		{
-			name: "",
+			name: "NvdVendorProductMatch",
 			args: args{
 				uri: "cpe:/o:vendor:product",
 				cve: &models.CveDetail{
@@ -569,6 +570,32 @@ func Test_filterCveDetailByCpeURI1(t *testing.T) {
 				Jvns: []models.Jvn{},
 			},
 		},
+		{
+			name: "NvdVendorProductMatch",
+			args: args{
+				uri: "cpe:/a:vendor:product",
+				cve: &models.CveDetail{
+					Nvds: []models.Nvd{
+						{
+							Cpes: []models.NvdCpe{
+								{CpeBase: models.CpeBase{URI: "cpe:/a:vendor:product", VersionEndExcluding: "1.0.0"}},
+							},
+						},
+					},
+				},
+			},
+			expected: &models.CveDetail{
+				Nvds: []models.Nvd{
+					{
+						Cpes: []models.NvdCpe{
+							{CpeBase: models.CpeBase{URI: "cpe:/a:vendor:product", VersionEndExcluding: "1.0.0"}},
+						},
+						DetectionMethod: models.NvdVendorProductMatch,
+					},
+				},
+				Jvns: []models.Jvn{},
+			},
+		},
 		{
 			args: args{
 				uri: "cpe:/o:vmware:esxi:7.0:-",

server/server.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"sort"
 
 	"github.com/labstack/echo"
 	"github.com/labstack/echo/middleware"
@@ -83,6 +84,10 @@ func getCveByCpeName(driver db.DB) echo.HandlerFunc {
 			log.Errorf("%s", err)
 			return err
 		}
+
+		sort.Slice(cveDetails, func(i, j int) bool {
+			return cveDetails[i].CveID < cveDetails[j].CveID
+		})
 		return c.JSON(http.StatusOK, &cveDetails)
 	}
 }