Added whitespace sanitization in fuzzySearch CPE

jonbally · jonbally · commit 863b820b8049 · 2025-06-17T15:04:40.000+02:00
The vendor and product String parameters passed to fuzzySearch() might
contain spaces, as the frontend does not prevent inputting these when
manually creating a component. As far as I know CycloneDX and SPDX
also do not restrict this, so imported components could also contain
spaces in their name and vendor properties.
As fuzzySearch() creates a new CPE object which is validated inside the
constructor, this will cause exceptions to be logged for all components
that contain spaces.
I have added a simple replace before passing these strings to the CPE
constructor to prevent the exceptions from being thrown.

Signed-off-by: jonbally &lt;19593213+jonbally@users.noreply.github.com&gt;
diff --git a/src/main/java/org/dependencytrack/search/FuzzyVulnerableSoftwareSearchManager.java b/src/main/java/org/dependencytrack/search/FuzzyVulnerableSoftwareSearchManager.java
@@ -150,7 +150,9 @@ public List<VulnerableSoftware> fuzzyAnalysis(QueryManager qm, final Component c
     }
     private List<VulnerableSoftware> fuzzySearch(QueryManager qm, Part part, String vendor, String product)  {
         try {
-            us.springett.parsers.cpe.Cpe cpe = new us.springett.parsers.cpe.Cpe(part, escape(vendor), escape(product), "*", "*", "*", "*", "*", "*", "*", "*");
+            String sanitizedVendor = vendor.replace(" ", "_");
+            String sanitizedProduct = product.replace(" ", "_");
+            us.springett.parsers.cpe.Cpe cpe = new us.springett.parsers.cpe.Cpe(part, escapeLuceneQuery(sanitizedVendor), escapeLuceneQuery(sanitizedProduct), "*", "*", "*", "*", "*", "*", "*", "*");
             String cpeSearch = getLuceneCpeRegexp(cpe.toCpe23FS());
             return fuzzySearch(qm, cpeSearch);
         } catch (CpeValidationException cpeValidationException) {
@@ -239,8 +241,8 @@ public static String getLuceneCpeRegexp(String cpeString) {
                 exp.insert(0, "cpe22:/");
                 exp.append("\\/").append(cpe.getPart().getAbbreviation());
             }
-            exp.append("\\:").append(escape(getComponentRegex(cpe.getVendor())));
-            exp.append("\\:").append(escape(getComponentRegex(cpe.getProduct())));
+            exp.append("\\:").append(escapeLuceneQuery(getComponentRegex(cpe.getVendor())));
+            exp.append("\\:").append(escapeLuceneQuery(getComponentRegex(cpe.getProduct())));
             exp.append("\\:").append(getComponentRegex(cpe.getVersion()));
             exp.append("\\:").append(getComponentRegex(cpe.getUpdate()));
             exp.append("\\:").append(getComponentRegex(cpe.getEdition()));
@@ -266,7 +268,7 @@ private static String getComponentRegex(String component) {
         }
     }
 
-    private static String escape(final String input) {
+    private static String escapeLuceneQuery(final String input) {
         if(input == null) {
             return null;
         } else if (input.equals(".*")) {
