diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java b/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
index 327e182d0b..31763bf21e 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -124,16 +124,25 @@ public VulnerableSoftware(Part part, String vendor, String product, String versi
 }
 //CSON: ParameterNumber
+ /**
+ * Normalizes null and empty strings to null for consistent comparison.
+ * @param s the string to normalize
+ * @return null if s is null or empty, otherwise s
+ */
+ private static String normalizeForComparison(String s) {
+ return (s == null || s.isEmpty()) ? null : s;
+ }
+
 @Override
 public int compareTo(@NotNull ICpe o) {
 if (o instanceof VulnerableSoftware) {
 final VulnerableSoftware other = (VulnerableSoftware) o;
 return new CompareToBuilder()
 .appendSuper(super.compareTo(other))
- .append(versionStartIncluding, other.versionStartIncluding)
- .append(versionStartExcluding, other.versionStartExcluding)
- .append(versionEndIncluding, other.versionEndIncluding)
- .append(versionEndExcluding, other.versionEndExcluding)
+ .append(normalizeForComparison(versionStartIncluding), normalizeForComparison(other.versionStartIncluding))
+ .append(normalizeForComparison(versionStartExcluding), normalizeForComparison(other.versionStartExcluding))
+ .append(normalizeForComparison(versionEndIncluding), normalizeForComparison(other.versionEndIncluding))
+ .append(normalizeForComparison(versionEndExcluding), normalizeForComparison(other.versionEndExcluding))
 .append(this.vulnerable, other.vulnerable)
 .build();
 } else if (o instanceof Cpe) {
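Review bot: The four normalized `.append(...)` calls make compareTo report an empty version bound and a null one as equal, but unless equals()/hashCode() (outside this hunk) apply the same normalization, the class is no longer ordered consistently with equals, so a TreeSet/TreeMap of VulnerableSoftware can merge two entries that a HashSet or a plain equals check keeps apart, which matters for anything that de-duplicates CPE matches through a sorted collection. Either route equals/hashCode through normalizeForComparison as well, or normalize the four bound fields once at construction so that all three methods agree by construction. The compareTo Javadoc should state the new contract, e.g. `Empty and null version bounds are treated as equal for ordering purposes.` Minor style point: if the import block already brings in the same library as CompareToBuilder, the helper body can be `return StringUtils.isEmpty(s) ? null : s;`. compareTo continues past the end of this hunk.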