Add support for parsing Nvd version range

src/main/java/io/github/nscuro/versatile/VersUtils.java

@@ -25,6 +25,8 @@
 import java.util.Map;
 import java.util.Set;
 
+import static org.apache.commons.lang3.StringUtils.trimToNull;
+
 public final class VersUtils {
 
     private VersUtils() {
@@ -117,6 +119,58 @@ public static Vers versFromOsvRange(final String type, final String ecosystem, f
         return versBuilder.build();
     }
 
+    /**
+     * Convert ranges or exact version as used by NVD to a {@link Vers} range.
+     *
+     * @param versionStartExcluding   The versionStartExcluding in the range
+     * @param versionStartIncluding   The versionStartIncluding in the range
+     * @param versionEndExcluding   The versionEndExcluding in the range
+     * @param versionEndIncluding   The versionEndIncluding in the range
+     * @param exactVersion  The exact version in CpeMatch
+     * @return The resulting {@link Vers}
+     * @throws IllegalArgumentException When the provided cpe match is invalid,
+     *                                  or the provided {@code events} contains an invalid event
+     * @throws VersException            When the produced {@link Vers} is invalid
+     * @throws InvalidVersionException  When any version in the range is invalid according to the inferred {@link VersioningScheme}
+     */
+    public static Vers versFromNvdRange(final String versionStartExcluding, final String versionStartIncluding,
+                                        final String versionEndExcluding, final String versionEndIncluding,
+                                        final String exactVersion) {
+
+        // Using 'generic' as versioning scheme for NVD due to lack of package data.
+        final var versBuilder = Vers.builder(VersioningScheme.GENERIC);
+
+        if (trimToNull(versionStartExcluding) != null) {
+            versBuilder.withConstraint(Comparator.GREATER_THAN, versionStartExcluding);
+        }
+        if (trimToNull(versionStartIncluding) != null) {
+            versBuilder.withConstraint(Comparator.GREATER_THAN_OR_EQUAL, versionStartIncluding);
+        }
+        if (trimToNull(versionEndExcluding) != null) {
+            versBuilder.withConstraint(Comparator.LESS_THAN, versionEndExcluding);
+        }
+        if (trimToNull(versionEndIncluding) != null) {
+            versBuilder.withConstraint(Comparator.LESS_THAN_OR_EQUAL, versionEndIncluding);
+        }
+        // If CpeMatch does not define a version range, but the CPE itself can
+        // still give us the information we need. The version field can either be:
+        //   * an exact version (e.g. "1.0.0")
+        //   * a wildcard matching all versions ("*")
+        //   * a "not applicable", matching no version at all ("-")
+        if (!versBuilder.hasConstraints() && exactVersion != null) {
+            if (!"*".equals(exactVersion) && !"-".equals(exactVersion)) {
+                // If we have neither upper, nor lower bound, and the CPE version
+                // is not a wildcard, only a specific version is vulnerable.
+                versBuilder.withConstraint(Comparator.EQUAL, exactVersion);
+            } else if ("*".equals(exactVersion)) {
+                // If we have neither upper, nor lower bound, and the CPE version
+                // is a wildcard, all versions are vulnerable, and we can safely use a vers wildcard.
+                versBuilder.withConstraint(Comparator.WILDCARD, null);
+            }
+        }
+        return versBuilder.build();
+    }
+
     static VersioningScheme schemeFromGhsaEcosystem(final String ecosystem) {
         // Can be one of: actions, composer, erlang, go, maven, npm, nuget, other, pip, pub, rubygems, rust.
         return switch (ecosystem.toLowerCase()) {

src/test/java/io/github/nscuro/versatile/VersUtilsTest.java

@@ -59,6 +59,7 @@
 import static io.github.nscuro.versatile.VersUtils.schemeFromGhsaEcosystem;
 import static io.github.nscuro.versatile.VersUtils.schemeFromOsvEcosystem;
 import static io.github.nscuro.versatile.VersUtils.versFromGhsaRange;
+import static io.github.nscuro.versatile.VersUtils.versFromNvdRange;
 import static io.github.nscuro.versatile.VersUtils.versFromOsvRange;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -283,4 +284,33 @@ void testVersFromOsvRangeWithAllRanges(final String ecosystem) throws Exception
         }
     }
 
+    private static Stream<Arguments> testVersFromNvdRangeArguments() {
+        return Stream.of(
+                arguments(
+                        null, "2.2.0", null, "2.2.13", "*",
+                        "vers:generic/>=2.2.0|<=2.2.13"
+                ),
+                arguments(
+                        null, null, null, null, "6.0.7",
+                        "vers:generic/6.0.7"
+                ),
+                arguments(
+                        null, null, null, null, "*",
+                        "vers:generic/*"
+                ),
+                arguments(
+                        null, "2.2.0", null, null, "6.0.7",
+                        "vers:generic/>=2.2.0"
+                )
+        );
+    }
+
+    @ParameterizedTest
+    @MethodSource("testVersFromNvdRangeArguments")
+    void testVersFromNvdRange(final String versionStartExcluding, final String versionStartIncluding,
+                              final String versionEndExcluding, final String versionEndIncluding,
+                              final String exactVersion, final String expectedVers) {
+        assertThat(versFromNvdRange(versionStartExcluding, versionStartIncluding, versionEndExcluding, versionEndIncluding, exactVersion))
+                .hasToString(expectedVers);
+    }
 }