
Automatically generated CVE Search queries are invalid in cve-search #2567

Open
chrismathis opened this issue Aug 21, 2024 · 1 comment
Labels: bug (Something isn't working)


Description

If a release has no CPE ID set, the query for the cve-search API seems to be generated from the name, vendor and version.
The resulting CPE ID (according to the log) is something like this:
cpe:2.3:*:apache:log4net:1.2.9_beta.*, resulting in an API query like this: https://cvepremium.circl.lu/api/cvefor/cpe%3A2.3%3A*%3Aapache%3Alog4net%3A1.2.9_beta.*
It looks like there is a regex in the place of "part" and at the end of the version.

It seems like cve-search (and cvepremium) does not support regexes in the query (any more?).
Maybe because of this: cve-search/cve-search#629

The query works with the CouchDB wildcards ? and * instead of regexes, i.e.:
https://cvepremium.circl.lu/api/cvefor/cpe%3A2.3%3A?%3Aapache%3Alog4net%3A1.2.9_beta*

How to reproduce

  • Have a component with name, vendor and version set
  • Schedule CVE Search
  • Observe the log

Versions

  • Docker version: eclipse-sw360/sw360:latest sw360Version=18.1.0-m2 buildNumber=e9ca949

Screenshots

[image]

SW360 logs

2024-08-21 11:04:22 ERROR Heuristic:53 - IOException in searchlevel
2024-08-21T13:04:23.168155941+02:00  with description=heuristic (dist. 00)
2024-08-21T13:04:23.168159705+02:00  with needle=cpe:2.3:.:apache:log4net:1.2.9_beta.*
2024-08-21T13:04:23.168161712+02:00  with exception message=https://cve-search.internal.bachmann.at/api/cvefor/cpe%3A2.3%3A.%3Aapache%3Alog4net%3A1.2.9_beta.*
2024-08-21T13:04:23.168163972+02:00 java.io.FileNotFoundException: https://cve-search.internal.bachmann.at/api/cvefor/cpe%3A2.3%3A.%3Aapache%3Alog4net%3A1.2.9_beta.*

@chrismathis chrismathis added the bug Something isn't working label Aug 21, 2024
@KoukiHama KoukiHama self-assigned this Aug 21, 2024
@chrismathis (Author)

I have to correct myself: `?` and `*` do not work as wildcards; the unencoded `?` just hides the rest of the query.
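The two observations in this thread (the generated needle carries regex metacharacters, and an unencoded `?` truncates the request) come down to how the CPE string is placed into the `cvefor` URL path. The following is an added example, not code from SW360 or cve-search, that builds a CPE 2.3 needle from vendor, product and version and shows what path segment a server actually receives with and without percent-encoding. The base URL and the component values are taken from the report; the function names are hypothetical. It does not exercise cve-search's own matching rules, only the transport.

```python
"""Added example (not SW360 or cve-search code): how a CPE 2.3 needle
reaches the cve-search `cvefor` endpoint depending on how it is encoded.
Function names and the sample components are constructed for illustration."""
from urllib.parse import quote, urlsplit, unquote

# Public cve-search instance named in the issue; any instance behaves the same.
BASE = "https://cvepremium.circl.lu/api/cvefor/"


def build_cpe(vendor: str, product: str, version: str, part: str = "*") -> str:
    """Assemble a CPE 2.3 formatted string from its components.

    `part` defaults to the CPE wildcard `*` (any of a/o/h). The issue's log
    shows a regex `.` in this position and a `.*` appended to the version,
    which cve-search does not interpret as a pattern.
    """
    return f"cpe:2.3:{part}:{vendor}:{product}:{version}"


def cvefor_url(cpe: str) -> str:
    """Percent-encode the whole CPE string as a single path segment.

    `safe=''` encodes `:`, `*`, `?` and `/` as well, so the needle survives
    URL parsing intact instead of being split at the first `?`.
    """
    return BASE + quote(cpe, safe="")


def needle_seen_by_server(url: str) -> str:
    """Return the decoded last path segment a server parses out of `url`.

    Everything after an unencoded `?` is the query string, not the path, so
    a raw `?` in the part field silently truncates the needle.
    """
    parts = urlsplit(url)
    segment = parts.path.rsplit("/", 1)[-1]
    return unquote(segment)


if __name__ == "__main__":
    cpe = build_cpe("apache", "log4net", "1.2.9_beta*", part="?")
    raw = BASE + cpe          # the second attempt from the issue, `?` left raw
    enc = cvefor_url(cpe)     # every reserved character percent-encoded
    print("raw URL     :", raw)
    print("server sees :", needle_seen_by_server(raw))
    print("encoded URL :", enc)
    print("server sees :", needle_seen_by_server(enc))
```

Running it shows the raw URL collapsing to `cpe:2.3:` on the server side, exactly the "hides the rest of the query" effect, while the encoded URL delivers the full needle. Whether cve-search then treats `*` and `?` as wildcards is a separate question that this snippet does not answer.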
