Merge pull request #261 from SAP/lib-no-libid

check if libraryId exists before looking for affected libraries
eclipse · Aug 9, 2019 · aa40761 · aa40761
2 parents 3616c20 + bdbd9f2
commit aa40761
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/rest-backend/src/main/java/com/sap/psr/vulas/backend/repo/AffectedLibraryRepositoryImpl.java b/rest-backend/src/main/java/com/sap/psr/vulas/backend/repo/AffectedLibraryRepositoryImpl.java
@@ -209,9 +209,14 @@ public void computeAffectedLib(VulnerableDependency _vd, Library _lib){
 		//check existence of AffectedLibraries for the outer library in the case of rebundled libs (required to mark FP entries for the outer library)
 		Boolean rebundled = (_vd.getDep().getLib().equals(_lib))?false:true;
 		Boolean avForRebundled = null;
-		if(rebundled){
+		if(rebundled && _vd.getDep().getLib().getLibraryId()!=null){
 			avForRebundled = this.affLibRepository.isBugLibIdAffected(_vd.getBug().getBugId(), _vd.getDep().getLib().getLibraryId());
-		}	
+		} 
+		// TODO: the code below should be used to check whether an affectedLIbrary for the outer libs exists using the digest (in case the libid is null)
+		// it still needs to be tested
+//		else if (rebundled){
+//			avForRebundled = this.affLibRepository.isBugLibAffected(_vd.getBug().getBugId(), _vd.getDep().getLib().getDigest());
+//		}
 
 		if(avForRebundled !=null){
 			_vd.setAffectedVersion((avForRebundled)?1:0);