Fix version distance policy being evaluated despite not being configured

src/main/java/org/dependencytrack/policy/ComponentAgePolicyEvaluator.java

@@ -25,6 +25,7 @@
 import org.dependencytrack.model.RepositoryMetaComponent;
 import org.dependencytrack.model.RepositoryType;
 import org.dependencytrack.persistence.QueryManager;
+
 import java.time.LocalDate;
 import java.time.Period;
 import java.time.ZoneId;
@@ -62,6 +63,11 @@ public List<PolicyConditionViolation> evaluate(final Policy policy, final Compon
             return violations;
         }
 
+        final List<PolicyCondition> policyConditions = super.extractSupportedConditions(policy);
+        if (policyConditions.isEmpty()) {
+            return violations;
+        }
+
         final RepositoryType repoType = RepositoryType.resolve(component.getPurl());
         if (RepositoryType.UNSUPPORTED == repoType) {
             return violations;

src/main/java/org/dependencytrack/policy/CwePolicyEvaluator.java

@@ -18,17 +18,17 @@
  */
 package org.dependencytrack.policy;
 
- import alpine.common.logging.Logger;
- import org.apache.commons.collections4.CollectionUtils;
- import org.dependencytrack.model.Component;
- import org.dependencytrack.model.Policy;
- import org.dependencytrack.model.PolicyCondition;
- import org.dependencytrack.model.Vulnerability;
- import org.dependencytrack.parser.common.resolver.CweResolver;
+import alpine.common.logging.Logger;
+import org.apache.commons.collections4.CollectionUtils;
+import org.dependencytrack.model.Component;
+import org.dependencytrack.model.Policy;
+import org.dependencytrack.model.PolicyCondition;
+import org.dependencytrack.model.Vulnerability;
+import org.dependencytrack.parser.common.resolver.CweResolver;
 
- import java.util.ArrayList;
- import java.util.Arrays;
- import java.util.List;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 
 /**
  * Evaluates the Common Weakness Enumeration of component vulnerabilities against a policy.
@@ -51,7 +51,12 @@ public PolicyCondition.Subject supportedSubject() {
     @Override
     public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component) {
         final List<PolicyConditionViolation> violations = new ArrayList<>();
+
         final List<PolicyCondition> policyConditions = super.extractSupportedConditions(policy);
+        if (policyConditions.isEmpty()) {
+            return violations;
+        }
+
         for (final Vulnerability vulnerability : qm.getAllVulnerabilities(component, false)) {
             for (final PolicyCondition condition: policyConditions) {
                 LOGGER.debug("Evaluating component (" + component.getUuid() + ") against policy condition (" + condition.getUuid() + ")");

src/main/java/org/dependencytrack/policy/LicenseGroupPolicyEvaluator.java

@@ -93,9 +93,15 @@ public PolicyCondition.Subject supportedSubject() {
     @Override
     public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component) {
         final List<PolicyConditionViolation> violations = new ArrayList<>();
+
+        final List<PolicyCondition> policyConditions = super.extractSupportedConditions(policy);
+        if (policyConditions.isEmpty()) {
+            return violations;
+        }
+
         final SpdxExpression expression = getSpdxExpressionFromComponent(component);
 
-        for (final PolicyCondition condition : super.extractSupportedConditions(policy)) {
+        for (final PolicyCondition condition : policyConditions) {
             LOGGER.debug("Evaluating component (" + component.getUuid() + ") against policy condition ("
                     + condition.getUuid() + ")");
             final LicenseGroup lg = qm.getObjectByUuid(LicenseGroup.class, condition.getValue());

src/main/java/org/dependencytrack/policy/LicensePolicyEvaluator.java

@@ -54,6 +54,11 @@ public PolicyCondition.Subject supportedSubject() {
     public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component) {
         final List<PolicyConditionViolation> violations = new ArrayList<>();
 
+        final List<PolicyCondition> policyConditions = super.extractSupportedConditions(policy);
+        if (policyConditions.isEmpty()) {
+            return violations;
+        }
+
         // use spdx expression checking logic from the license group policy evaluator
         final SpdxExpression expression = LicenseGroupPolicyEvaluator.getSpdxExpressionFromComponent(component);
 

src/main/java/org/dependencytrack/policy/SeverityPolicyEvaluator.java

@@ -52,6 +52,9 @@ public PolicyCondition.Subject supportedSubject() {
     public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component) {
         final List<PolicyConditionViolation> violations = new ArrayList<>();
         final List<PolicyCondition> policyConditions = super.extractSupportedConditions(policy);
+        if (policyConditions.isEmpty()) {
+            return violations;
+        }
         //final Component component = qm.getObjectById(Component.class, c.getId());
         for (final Vulnerability vulnerability : qm.getAllVulnerabilities(component, false)) {
             for (final PolicyCondition condition: policyConditions) {

src/main/java/org/dependencytrack/policy/VersionDistancePolicyEvaluator.java

@@ -18,9 +18,7 @@
  */
 package org.dependencytrack.policy;
 
-import java.util.ArrayList;
-import java.util.List;
-
+import alpine.common.logging.Logger;
 import org.apache.commons.lang3.StringUtils;
 import org.dependencytrack.model.Component;
 import org.dependencytrack.model.Policy;
@@ -32,7 +30,8 @@
 import org.dependencytrack.util.VersionDistance;
 import org.json.JSONObject;
 
-import alpine.common.logging.Logger;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * Evaluates the {@link VersionDistance} between a {@link Component}'s current and it's latest
@@ -64,7 +63,13 @@ public PolicyCondition.Subject supportedSubject() {
     @Override
     public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component) {
         final var violations = new ArrayList<PolicyConditionViolation>();
-        if (component.getPurl() == null) {
+
+        if (component.getPurl() == null || component.getVersion() == null) {
+            return violations;
+        }
+
+        final List<PolicyCondition> conditions = super.extractSupportedConditions(policy);
+        if (conditions.isEmpty()) {
             return violations;
         }
 
@@ -83,9 +88,18 @@ public List<PolicyConditionViolation> evaluate(final Policy policy, final Compon
             return violations;
         }
 
-        final var versionDistance = VersionDistance.getVersionDistance(component.getVersion(),metaComponent.getLatestVersion());
+        final VersionDistance versionDistance;
+        try {
+            versionDistance = VersionDistance.getVersionDistance(component.getVersion(), metaComponent.getLatestVersion());
+        } catch (RuntimeException e) {
+            LOGGER.warn("""
+                    Failed to compute version distance for component %s (UUID: %s), \
+                    between component version %s and latest version %s; Skipping\
+                    """.formatted(component, component.getUuid(), component.getVersion(), metaComponent.getLatestVersion()), e);
+            return violations;
+        }
 
-        for (final PolicyCondition condition : super.extractSupportedConditions(policy)) {
+        for (final PolicyCondition condition : conditions) {
             if (isDirectDependency(component) && evaluate(condition, versionDistance)) {
                 violations.add(new PolicyConditionViolation(condition, component));
             }

src/main/java/org/dependencytrack/policy/VersionPolicyEvaluator.java

@@ -43,10 +43,15 @@ public PolicyCondition.Subject supportedSubject() {
 
     @Override
     public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component) {
-        final var componentVersion = new ComponentVersion(component.getVersion());
-
         final List<PolicyConditionViolation> violations = new ArrayList<>();
 
+        final List<PolicyCondition> policyConditions = super.extractSupportedConditions(policy);
+        if (policyConditions.isEmpty()) {
+            return violations;
+        }
+
+        final var componentVersion = new ComponentVersion(component.getVersion());
+
         for (final PolicyCondition condition : super.extractSupportedConditions(policy)) {
             LOGGER.debug("Evaluating component (" + component.getUuid() + ") against policy condition (" + condition.getUuid() + ")");
 

src/main/java/org/dependencytrack/policy/VulnerabilityIdPolicyEvaluator.java

@@ -49,6 +49,9 @@ public PolicyCondition.Subject supportedSubject() {
     public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component) {
         final List<PolicyConditionViolation> violations = new ArrayList<>();
         final List<PolicyCondition> policyConditions = super.extractSupportedConditions(policy);
+        if (policyConditions.isEmpty()) {
+            return violations;
+        }
         for (final Vulnerability vulnerability : qm.getAllVulnerabilities(component, false)) {
             for (final PolicyCondition condition: policyConditions) {
                 LOGGER.debug("Evaluating component (" + component.getUuid() + ") against policy condition (" + condition.getUuid() + ")");