Added whitespace sanitization in fuzzySearch CPE

The vendor and product String parameters passed to fuzzySearch() might
contain spaces, as the frontend does not prevent inputting these when
manually creating a component. As far as I know CycloneDX and SPDX
also do not restrict this, so imported components could also contain
spaces in their name and vendor properties.
Because fuzzySearch() creates a new CPE object that is validated inside its
constructor, an exception is logged for every component whose vendor or
product contains a space.
I have added a simple replace before passing these strings to the CPE
constructor to prevent the exceptions from being thrown.

Signed-off-by: jonbally <19593213+jonbally@users.noreply.github.com>
jonbally 2025-06-12 16:42:29 +02:00
parent 0b9c45f580
commit 863b820b80


@ -150,7 +150,9 @@ public class FuzzyVulnerableSoftwareSearchManager {
}
private List<VulnerableSoftware> fuzzySearch(QueryManager qm, Part part, String vendor, String product) {
try {
us.springett.parsers.cpe.Cpe cpe = new us.springett.parsers.cpe.Cpe(part, escape(vendor), escape(product), "*", "*", "*", "*", "*", "*", "*", "*");
String sanitizedVendor = vendor.replace(" ", "_");
String sanitizedProduct = product.replace(" ", "_");
us.springett.parsers.cpe.Cpe cpe = new us.springett.parsers.cpe.Cpe(part, escapeLuceneQuery(sanitizedVendor), escapeLuceneQuery(sanitizedProduct), "*", "*", "*", "*", "*", "*", "*", "*");
String cpeSearch = getLuceneCpeRegexp(cpe.toCpe23FS());
return fuzzySearch(qm, cpeSearch);
} catch (CpeValidationException cpeValidationException) {
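Review bot: The new `String sanitizedVendor = vendor.replace(" ", "_");` (and the product line below it) dereferences the parameter before the null-tolerant helper sees it, so if a null vendor or product can reach fuzzySearch this now throws a NullPointerException that the `catch (CpeValidationException …)` on the last line of the hunk does not cover, whereas the removed call handed the raw value to the escape helper, whose third hunk shows it returns null for null input. Guard both values, e.g. `String sanitizedVendor = vendor == null ? null : vendor.replace(" ", "_");` and likewise `String sanitizedProduct = product == null ? null : product.replace(" ", "_");`. The commit title says whitespace sanitization, but only the ASCII space is replaced; if the CPE constructor also rejects tabs or other whitespace, `replaceAll("\\s+", "_")` would match the stated intent, which is worth confirming against the validator. The catch block of fuzzySearch continues outside the hunk.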
@ -239,8 +241,8 @@ public class FuzzyVulnerableSoftwareSearchManager {
exp.insert(0, "cpe22:/");
exp.append("\\/").append(cpe.getPart().getAbbreviation());
}
exp.append("\\:").append(escape(getComponentRegex(cpe.getVendor())));
exp.append("\\:").append(escape(getComponentRegex(cpe.getProduct())));
exp.append("\\:").append(escapeLuceneQuery(getComponentRegex(cpe.getVendor())));
exp.append("\\:").append(escapeLuceneQuery(getComponentRegex(cpe.getProduct())));
exp.append("\\:").append(getComponentRegex(cpe.getVersion()));
exp.append("\\:").append(getComponentRegex(cpe.getUpdate()));
exp.append("\\:").append(getComponentRegex(cpe.getEdition()));
@ -266,7 +268,7 @@ public class FuzzyVulnerableSoftwareSearchManager {
}
}
private static String escape(final String input) {
private static String escapeLuceneQuery(final String input) {
if(input == null) {
return null;
} else if (input.equals(".*")) {