Skip to content

Backport: Add whitespace sanitization in fuzzySearch CPE to fix CPE validation errors#5176

Merged
nscuro merged 1 commit intoDependencyTrack:4.13.xfrom
nscuro:backport-pr-5061
Aug 3, 2025
Merged

Backport: Add whitespace sanitization in fuzzySearch CPE to fix CPE validation errors#5176
nscuro merged 1 commit intoDependencyTrack:4.13.xfrom
nscuro:backport-pr-5061

Conversation

@nscuro
Copy link
Copy Markdown
Member

@nscuro nscuro commented Aug 3, 2025

Description

Adds whitespace sanitization in fuzzySearch CPE to fix CPE validation errors.

Addressed Issue

Fixes #4920
Backports #5061

Additional Details

N/A

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@jonbally @nscuro
Added whitespace sanitization in fuzzySearch CPE
b80ceda 
The vendor and product String parameters passed to fuzzySearch() might
contain spaces, as the frontend does not prevent inputting these when
manually creating a component. As far as I know CycloneDX and SPDX
also do not restrict this, so imported components could also contain
spaces in their name and vendor properties.
As fuzzySearch() creates a new CPE object which is validated inside the
constructor, this will cause exceptions to be logged for all components
that contain spaces.
I have added a simple replace before passing these strings to the CPE
constructor to prevent the exceptions from being thrown.

Signed-off-by: jonbally <[email protected]>
@nscuro nscuro added this to the 4.13.3 milestone Aug 3, 2025
@nscuro nscuro added the defect Something isn't working label Aug 3, 2025
@owasp-dt-bot
Copy link
Copy Markdown

owasp-dt-bot commented Aug 3, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

@codacy-production
Copy link
Copy Markdown

codacy-production bot commented Aug 3, 2025

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
Report missing for c48fa1d1 100.00% (target: 70.00%)
Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (c48fa1d) Report Missing Report Missing Report Missing
Head commit (b80ceda) 24042 19385 80.63%

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#5176) 5 5 100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

Footnotes

  1. Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.

@nscuro nscuro merged commit a58fcdb into DependencyTrack:4.13.x Aug 3, 2025
7 checks passed
@nscuro nscuro deleted the backport-pr-5061 branch August 3, 2025 20:16
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 3, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

defect Something isn't working

Projects

None yet

Milestone

4.13.3

Development

Successfully merging this pull request may close these issues.

3 participants

@nscuro @owasp-dt-bot @jonbally