From 4b286c8cdd863237c8f00074fbf90ab6006fbfa7 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 10 Dec 2022 05:48:32 -0500
Subject: [PATCH 1/4] fix: correct path for deeply nested dependencies, resolves #5116
---
 .../dependencycheck/analyzer/NodePackageAnalyzer.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
index 57bcf58aaea..3f680f02a2f 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -347,7 +347,7 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
 String parentPackage, Engine engine) throws AnalysisException {
 final boolean skipDev = getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, false);
 final JsonObject deps;
-
+ final File modules_root = new File(rootFile.getParentFile(), "node_modules");
 final int lockJsonVersion = json.containsKey("lockfileVersion") ? json.getInt("lockfileVersion") : 1;
 if (lockJsonVersion >= 2) {
 deps = json.getJsonObject("packages");
@@ -370,8 +370,9 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
 } else {
 base = Paths.get(baseDir.getPath(), "node_modules", name).toFile();
 if (!base.isFile()) {
- if ("node_modules".equals(baseDir.getParentFile().getName())) {
- base = Paths.get(baseDir.getParent(), name).toFile();
+ final File test = new File(modules_root, name);
+ if (test.isDirectory()) {
+ base = test;
 }
 }
 }
From 2c1feb7e828677fa420b336d89115cae0a5ab9b2 Mon Sep 17 00:00:00 2001
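Review bot: In the second hunk of NodePackageAnalyzer.processDependencies the guard `if (!base.isFile())` is true for an existing directory as well as for a missing path, so with the new fallback a hoisted copy in the root `node_modules` replaces `baseDir/node_modules/<name>` even when that nested directory exists, and a nested package pinned to a different version would be reported under the root copy's version; unless `base` is later used as a file path (not visible in this hunk), the guard should read `if (!base.isDirectory()) {`. The removed code looked one `node_modules` level up and the new code looks only at the project root, whereas node resolution tries every enclosing `node_modules` between the two, so a package hoisted to an intermediate level is still missed; the sketch below walks that chain, root last. `name` presumably comes from the lock-file entries, so each candidate is also checked to stay inside the `node_modules` directory it was resolved from before it is accepted (the pre-existing `Paths.get(baseDir.getPath(), "node_modules", name)` line has the same gap). processDependencies starts and ends outside both hunks.
```java
                if (!base.isDirectory()) {
                    // walk up like node resolution: every enclosing node_modules is a
                    // candidate, the project's root node_modules (modules_root) last
                    final File projectDir = modules_root.getParentFile();
                    File dir = baseDir;
                    while (dir != null && !dir.equals(projectDir)) {
                        dir = dir.getParentFile();
                        if (dir != null && "node_modules".equals(dir.getName())) {
                            final File candidate = new File(dir, name);
                            if (candidate.isDirectory()
                                    && candidate.toPath().normalize().startsWith(dir.toPath())) {
                                base = candidate;
                                break;
                            }
                        }
                    }
                }
```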
From: Jeremy Long
Date: Sat, 10 Dec 2022 05:49:13 -0500
Subject: [PATCH 2/4] fix: change coordinates for semver4j - resolves #5128
---
 .../dependencycheck/utils/SemverTest.java | 85 +++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
new file mode 100644
index 00000000000..6da403c66d7
--- /dev/null
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright 2014 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.util.Calendar;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.exception.ParseException;
+
+/**
+ *
+ * @author Jeremy Long
+ */
+public class DateUtilTest extends BaseTest {
+
+ /**
+ * Test of withinDateRange method, of class DateUtil.
+ */
+ @Test
+ public void testWithinDateRange() {
+ Calendar c = Calendar.getInstance();
+
+ long current = c.getTimeInMillis() / 1000;
+ long lastRun = current - (3 * (60 * 60 * 24));
+ int range = 7; // 7 days
+ boolean expResult = true;
+ boolean result = DateUtil.withinDateRange(lastRun, current, range);
+ assertEquals(expResult, result);
+
+ lastRun = c.getTimeInMillis() / 1000 - (8 * (60 * 60 * 24));
+ expResult = false;
+ result = DateUtil.withinDateRange(lastRun, current, range);
+ assertEquals(expResult, result);
+ }
+
+ /**
+ * Test of parseXmlDate method, of class DateUtil.
+ *
+ * @throws ParseException thrown when there is a parse error
+ */
+ @Test
+ public void testParseXmlDate() throws ParseException {
+ String xsDate = "2019-01-02Z";
+ Calendar result = DateUtil.parseXmlDate(xsDate);
+ assertEquals(2019, result.get(Calendar.YEAR));
+ //month is zero based.
+ assertEquals(0, result.get(Calendar.MONTH));
+ assertEquals(2, result.get(Calendar.DATE));
+ }
+
+ @Test
+ public void testGetEpochValueInSeconds() throws ParseException {
+ String milliseconds = "1550538553466";
+ long expected = 1550538553;
+ long result = DateUtil.getEpochValueInSeconds(milliseconds);
+ assertEquals(expected, result);
+
+ milliseconds = "blahblahblah";
+ expected = 0;
+ result = DateUtil.getEpochValueInSeconds(milliseconds);
+ assertEquals(expected, result);
+
+ milliseconds = "1550538553";
+ expected = 1550538553;
+ result = DateUtil.getEpochValueInSeconds(milliseconds);
+ assertEquals(expected, result);
+ }
+
+}
From 4698e15fafaf4af5577f771a80b0ced309589e76 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 10 Dec 2022 05:50:16 -0500
Subject: [PATCH 3/4] fix: change coordinates for semver4j - resolves #5128
---
 core/pom.xml | 2 +-
 .../analyzer/AbstractNpmAnalyzer.java | 7 +-
 .../analyzer/DependencyBundlingAnalyzer.java | 11 ++--
 .../data/nvdcve/DatabasePropertiesIT.java | 4 +-
 .../dependencycheck/utils/SemverTest.java | 64 ++-----------------
 pom.xml | 4 +-
 6 files changed, 20 insertions(+), 72 deletions(-)
diff --git a/core/pom.xml b/core/pom.xml
index 361f147607f..72c4091a835 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -189,7 +189,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. cpe-parser - com.vdurmont + org.semver4j semver4j
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java
index 92db0cb92c5..7faacb0c04c 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java
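Review bot: The new file `core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java` declares `public class DateUtilTest extends BaseTest` and contains only DateUtil tests, so the public class name does not match the file name and javac will reject the module at this commit; nothing in it touches semver4j, which the subject line names. Patch 3/4 of this series rewrites the file into the intended `SemverTest`, so this commit would be better squashed into it, or reduced to the real semver test, to keep the history bisectable. If the file is kept as a starting point, its class Javadoc should at least say what it is meant to test rather than the copied `Test of withinDateRange method, of class DateUtil.` comments.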
@@ -21,9 +21,8 @@
 import com.github.packageurl.PackageURL;
 import com.github.packageurl.PackageURL.StandardTypes;
 import com.github.packageurl.PackageURLBuilder;
-import com.vdurmont.semver4j.Semver;
-import com.vdurmont.semver4j.Semver.SemverType;
-import com.vdurmont.semver4j.SemverException;
+import org.semver4j.Semver;
+import org.semver4j.SemverException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nodeaudit.Advisory;
 import org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch;
@@ -530,7 +529,7 @@ public static String determineVersionFromMap(String versionRange, Collection= 5); }
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
index 6da403c66d7..758f8d9d47f 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
@@ -1,6 +1,4 @@
 /*
- * Copyright 2014 OWASP.
- *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
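Review bot: In the AbstractNpmAnalyzer import hunk the two new `org.semver4j` imports are inserted ahead of the `org.owasp.dependencycheck` group, which breaks the alphabetical order the block otherwise keeps; move them below the last `org.owasp.dependencycheck` import (that group may continue outside the hunk). The dropped `Semver.SemverType` import suggests that the `Semver` construction in `determineVersionFromMap` (its hunk at line 530 is not legible in this rendering) no longer selects NPM mode, and the replacement is a major version ahead of the old library, so the loose forms the NPM mode accepted should be pinned by tests — constructed examples: versions like `1.0` or `v1.2.3`, ranges like `1.x`, `~1.2` or `>=1 <2 || 3.0.0`. The method's name indicates it decides which version a range resolves to, so any parsing drift changes which advisories match; the new `SemverTest` covers only one caret range. The DependencyBundlingAnalyzer and DatabasePropertiesIT hunks listed in the diffstat are missing from this rendering and could not be reviewed.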
@@ -15,71 +13,23 @@
 */
 package org.owasp.dependencycheck.utils;
-import java.util.Calendar;
-
-import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.exception.ParseException;
+import org.semver4j.Semver;
 /**
 *
 * @author Jeremy Long
 */
-public class DateUtilTest extends BaseTest {
+public class SemverTest {
 /**
- * Test of withinDateRange method, of class DateUtil.
+ * Test of semver4j. See https://github.com/jeremylong/DependencyCheck/issues/5128#issuecomment-1343080426
 */
 @Test
- public void testWithinDateRange() {
- Calendar c = Calendar.getInstance();
-
- long current = c.getTimeInMillis() / 1000;
- long lastRun = current - (3 * (60 * 60 * 24));
- int range = 7; // 7 days
- boolean expResult = true;
- boolean result = DateUtil.withinDateRange(lastRun, current, range);
- assertEquals(expResult, result);
-
- lastRun = c.getTimeInMillis() / 1000 - (8 * (60 * 60 * 24));
- expResult = false;
- result = DateUtil.withinDateRange(lastRun, current, range);
- assertEquals(expResult, result);
+ public void testSemver() {
+ Semver semver = new Semver("3.1.4");
+ assertTrue(semver.satisfies("^3.0.0-0"));
 }
-
- /**
- * Test of parseXmlDate method, of class DateUtil.
- *
- * @throws ParseException thrown when there is a parse error
- */
- @Test
- public void testParseXmlDate() throws ParseException {
- String xsDate = "2019-01-02Z";
- Calendar result = DateUtil.parseXmlDate(xsDate);
- assertEquals(2019, result.get(Calendar.YEAR));
- //month is zero based.
- assertEquals(0, result.get(Calendar.MONTH));
- assertEquals(2, result.get(Calendar.DATE));
- }
-
- @Test
- public void testGetEpochValueInSeconds() throws ParseException {
- String milliseconds = "1550538553466";
- long expected = 1550538553;
- long result = DateUtil.getEpochValueInSeconds(milliseconds);
- assertEquals(expected, result);
-
- milliseconds = "blahblahblah";
- expected = 0;
- result = DateUtil.getEpochValueInSeconds(milliseconds);
- assertEquals(expected, result);
-
- milliseconds = "1550538553";
- expected = 1550538553;
- result = DateUtil.getEpochValueInSeconds(milliseconds);
- assertEquals(expected, result);
- }
-
 }
diff --git a/pom.xml b/pom.xml
index e4f8700f396..edf2aedb6bd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1068,9 +1068,9 @@ Copyright (c) 2012 - Jeremy Long 0.0.2.1 - com.vdurmont + org.semver4j semver4j - 3.1.0 + 4.0.0 org.jetbrains
From 38f6a52f4be22c4f00ac4cb3acdb3ae2947d5070 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 11 Dec 2022 15:25:16 -0500
Subject: [PATCH 4/4] fix: checkstyle
---
 .../owasp/dependencycheck/analyzer/NodePackageAnalyzer.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
index 3f680f02a2f..dd377f6ff65 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
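Review bot: The Javadoc on `testSemver` in the rewritten SemverTest only points at an issue comment, so the behaviour under test cannot be read without following the link; state it inline, e.g. `* A caret range with a prerelease lower bound ("^3.0.0-0") must be satisfied by a release version (3.1.4); regression test for #5128.` The assertion is the only coverage of the new library in this series, and a single positive case says nothing about the negative side, so a companion such as `assertFalse(new Semver("2.9.9").satisfies("^3.0.0-0"));` would make the test meaningful. The class also drops `extends BaseTest`, which the file it replaced had; that is fine for a pure library test but deserves a word in the class comment so nobody reads it as an oversight.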
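Review bot: The root pom moves `semver4j` from groupId `com.vdurmont` at 3.1.0 to `org.semver4j` at 4.0.0, which is both a change of publisher and a major-version jump, yet neither the pom nor the commit message records why (the hunk's XML tags are not legible in this rendering). Add a short comment above the dependency, e.g. `<!-- org.semver4j:semver4j replaces com.vdurmont:semver4j; 4.x has API changes (SemverType removed, see AbstractNpmAnalyzer) -->`, worded to whatever was actually verified. Because a new groupId is a different namespace on the repository, the publisher behind `org.semver4j` should be confirmed as the maintained continuation of the original project before merging, and the same note applies to the matching change in core/pom.xml.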
@@ -347,7 +347,7 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
 String parentPackage, Engine engine) throws AnalysisException {
 final boolean skipDev = getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, false);
 final JsonObject deps;
- final File modules_root = new File(rootFile.getParentFile(), "node_modules");
+ final File modulesRoot = new File(rootFile.getParentFile(), "node_modules");
 final int lockJsonVersion = json.containsKey("lockfileVersion") ? json.getInt("lockfileVersion") : 1;
 if (lockJsonVersion >= 2) {
 deps = json.getJsonObject("packages");
@@ -370,7 +370,7 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
 } else {
 base = Paths.get(baseDir.getPath(), "node_modules", name).toFile();
 if (!base.isFile()) {
- final File test = new File(modules_root, name);
+ final File test = new File(modulesRoot, name);
 if (test.isDirectory()) {
 base = test;
 }