Description
Current Behavior
I have been checking the logs for errors after the recent upgrade to 4.13.1 and keep seeing these kinds of errors for some of our projects:
```
2025-05-05 22:50:30,171 ERROR [FuzzyVulnerableSoftwareSearchManager] Failed to validate fuzz search CPE [projectName=<REDACTED>, vulnAnalysisLevel=PERIODIC_ANALYSIS, projectUuid=3db48ff1-5435-42fe-9c22-ec43ebacba57, projectVersion=1.1]
us.springett.parsers.cpe.exceptions.CpeValidationException: Invalid vendor component: CPE strings may not contain whitespace; consider using an underscore instead
    at us.springett.parsers.cpe.Cpe.validate(Cpe.java:159)
    at us.springett.parsers.cpe.Cpe.<init>(Cpe.java:124)
    at org.dependencytrack.search.FuzzyVulnerableSoftwareSearchManager.fuzzySearch(FuzzyVulnerableSoftwareSearchManager.java:153)
    at org.dependencytrack.search.FuzzyVulnerableSoftwareSearchManager.fuzzyAnalysis(FuzzyVulnerableSoftwareSearchManager.java:127)
    at org.dependencytrack.tasks.scanners.InternalAnalysisTask.versionRangeAnalysis(InternalAnalysisTask.java:146)
    at org.dependencytrack.tasks.scanners.InternalAnalysisTask.analyze(InternalAnalysisTask.java:91)
    at org.dependencytrack.tasks.scanners.InternalAnalysisTask.inform(InternalAnalysisTask.java:65)
    at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeComponents(VulnerabilityAnalysisTask.java:288)
    at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeProject(VulnerabilityAnalysisTask.java:167)
    at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzePortfolio(VulnerabilityAnalysisTask.java:121)
    at org.dependencytrack.tasks.VulnerabilityAnalysisTask.inform(VulnerabilityAnalysisTask.java:89)
    at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
```
Apparently the CPE validation in us.springett.parsers.cpe.Cpe fails due to whitespace in the vendor or product cpe component for all of these errors. I have checked all the dt-components with CPEs in the affected projects for whitespace but could not find anything. I also checked all entries in the COMPONENTS database table, also nothing.
As far as I know, the parts of the CPE strings contain only allowed characters such as "-", "_" and ".".
Here is an example CPE string from an affected project: cpe:2.3:h:intel:cyclone_v_5CGXF_fpga:-:*:*:*:*:*:*:*
My suspicion was that the fuzzy search also utilizes the component name and vendor properties because these may contain spaces (as this is not restricted by the UI) so I looked a bit...
In this part of the fuzzyAnalysis(QueryManager qm, final Component component, us.springett.parsers.cpe.Cpe parsedCpe) method in FuzzyVulnerableSoftwareSearchManager.java, the component group and component name are passed to fuzzySearch(QueryManager qm, Part part, String vendor, String product) as vendor and product:

```java
searches.add(new SearchTerm(component.getGroup(), component.getName()));
for (SearchTerm search : searches) {
    fuzzyList = fuzzySearch(qm, part, search.getVendor(), search.getProduct());
    if (fuzzyList.isEmpty() && !"*".equals(search.getVendor())) {
        fuzzyList = fuzzySearch(qm, part, "*", search.getProduct());
    }
    if (!fuzzyList.isEmpty()) {
        break;
    }
}
```

The fuzzySearch(QueryManager qm, Part part, String vendor, String product) method then creates a new Cpe object, and this is where the exception is thrown (because validate() is called in the Cpe constructor):
```java
private List<VulnerableSoftware> fuzzySearch(QueryManager qm, Part part, String vendor, String product) {
    try {
        us.springett.parsers.cpe.Cpe cpe = new us.springett.parsers.cpe.Cpe(part, escape(vendor), escape(product), "*", "*", "*", "*", "*", "*", "*", "*");
        String cpeSearch = getLuceneCpeRegexp(cpe.toCpe23FS());
        return fuzzySearch(qm, cpeSearch);
    } catch (CpeValidationException cpeValidationException) {
        LOGGER.error("Failed to validate fuzz search CPE", cpeValidationException);
        return Collections.emptyList();
    }
}
```

Steps to Reproduce
Not entirely sure about the steps to reproduce this, but my best guess would be this:
- Enter a component or vendor/group name that contains spaces
- Add a valid CPE to this component
- Enable fuzzy CPE matching
- Wait for the fuzzy CPE search task to run
Expected Behavior
Spaces in the component vendor/group or component name properties are replaced by "_" or similar before being passed to the Cpe constructor, to avoid exceptions being thrown.
Dependency-Track Version
4.13.1
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
17.4 alpine
Browser
N/A
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
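The following is an added example, not Dependency-Track's code and not the us.springett CPE library: it shows the kind of normalisation the issue asks for, applied to a component's group and name before they are turned into CPE vendor/product components. Whitespace runs become a single underscore (the replacement the library's own error message suggests), null or blank values become the ANY value "*" (matching the "*" fallback the existing fuzzy search already uses), and other characters outside the CPE 2.3 formatted-string unreserved set are backslash-escaped. The class name, the helper names and the escaping rule are assumptions of this example; the project's real escape() helper is not reproduced. The practical point for a defender is the one visible in the catch block above: a rejected CPE makes fuzzySearch return an empty list, so the component silently gets no fuzzy match at all, and normalising the input up front keeps that analysis path alive.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not Dependency-Track code): normalise a component's group/name
 * into CPE 2.3 formatted-string components before a CPE constructor that
 * rejects whitespace gets to see them.
 */
public final class CpeComponentNormalizer {

    private static final Pattern WHITESPACE = Pattern.compile("\\s+");

    private CpeComponentNormalizer() {
    }

    /** True when the value would trip the "may not contain whitespace" rule. */
    static boolean hasWhitespace(String value) {
        return value != null && WHITESPACE.matcher(value).find();
    }

    /** Characters that may appear unescaped in a CPE 2.3 formatted-string value (assumption). */
    private static boolean isUnreserved(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                || c == '_' || c == '.' || c == '-';
    }

    /**
     * Null/blank -> "*" (ANY), whitespace runs -> "_", everything else outside the
     * unreserved set -> backslash-escaped. The result never contains whitespace.
     */
    static String toCpeComponent(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return "*";
        }
        String collapsed = WHITESPACE.matcher(raw.trim()).replaceAll("_");
        StringBuilder out = new StringBuilder(collapsed.length());
        for (char c : collapsed.toCharArray()) {
            if (!isUnreserved(c)) {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    /** Builds the 13-field CPE 2.3 formatted string the fuzzy search would query with. */
    static String buildFuzzyCpe23(String part, String vendor, String product) {
        String v = toCpeComponent(vendor);
        String p = toCpeComponent(product);
        // Defensive check: fail loudly here rather than inside a library constructor.
        if (hasWhitespace(v) || hasWhitespace(p)) {
            throw new IllegalArgumentException("CPE component still contains whitespace");
        }
        return String.join(":", "cpe", "2.3", part, v, p,
                "*", "*", "*", "*", "*", "*", "*", "*");
    }

    public static void main(String[] args) {
        // Constructed sample group/name pairs; they are not taken from any real project.
        List<String[]> samples = List.of(
                new String[]{"Intel Corporation", "Cyclone V 5CGXF FPGA"},
                new String[]{null, "log4j"},
                new String[]{"  ", "Spring  Boot (starter)"});
        for (String[] s : samples) {
            boolean wouldFail = hasWhitespace(s[0]) || hasWhitespace(s[1]);
            System.out.println("group=" + s[0] + " name=" + s[1]);
            System.out.println("  raw values would be rejected by the whitespace rule: " + wouldFail);
            System.out.println("  normalised search CPE: " + buildFuzzyCpe23("h", s[0], s[1]));
        }
    }
}
```

Running main prints, for the first sample, cpe:2.3:h:Intel_Corporation:Cyclone_V_5CGXF_FPGA:*:*:*:*:*:*:*:* and, for the blank-group sample, a vendor of "*" with the parentheses in the product escaped. Case handling is deliberately left alone here because the page does not establish how the project normalises case.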