aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

URL in vulnerability reference contains illegal character #1173

Open oheger-bosch opened 1 year ago

oheger-bosch commented 1 year ago

We encountered a case in which this URL was returned in a vulnerability reference: https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment::::::::

ORT converts these references to the Java URI type, which fails in this case due to an invalid character.

Not sure what would be the best way to handle such issues. Should VulnerableCode perform some validation on URLs? Or should ORT better not rely on those strings to be valid URLs?

TG1999 commented 1 year ago

@oheger-bosch can you please point me to the CVE for this reference, so I can check the root cause of the issue

oheger-bosch commented 1 year ago

Hi @TG1999, this is the affected CVE: CVE-2019-17531

sschuberth commented 1 year ago

> which fails in this case due to an invalid character.

Could you help us by stating which character is invalid exactly? Is it the \-escaped ampersand? (It's a bit hard to see due to GitHub's own rendering; could you maybe post the URL inside a code block?)

oheger-bosch commented 1 year ago

Yes, I think it is the backslash that causes the trouble.

sschuberth commented 11 months ago

BTW, there are more wrongly escaped URLs being returned by VulnerableCode, see https://github.com/oss-review-toolkit/ort/pull/8040. So

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:swiftnio_http\/2:*:*:*:*:*:swift:*:*

should be

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:swiftnio_http/2:*:*:*:*:*:swift:*:*

sschuberth commented 9 months ago

Yet another case

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:hyperion_bi\+:*:*:*:*:*:*:*:*

should be

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:hyperion_bi%2B:*:*:*:*:*:*:*:*
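All three URLs in this thread carry CPE 2.3 formatted-string escapes (`\&`, `\/`, `\+`) verbatim into the query string, where a backslash is not a legal URL character. The following is an added example, not code from VulnerableCode or ORT: it strips the CPE escapes, percent-encodes the CPE for the NVD search URL, checks a reference URL against the characters RFC 3986 allows, and repairs an already-stored URL; `fix_reference_url` assumes `query` is the last parameter, as it is in the URLs quoted above.

```python
import re
from urllib.parse import quote

NVD_SEARCH = "https://nvd.nist.gov/vuln/search/results"

# In a CPE 2.3 formatted string, characters other than letters, digits and
# '_' '-' '.' ':' '*' '?' are written with a backslash escape ("\&", "\/", "\+").
# Those escapes are CPE syntax, not URL syntax, and must not be copied into a URL.
_CPE_ESCAPE = re.compile(r"\\(.)")

# Characters RFC 3986 permits anywhere in a URL (unreserved + reserved + '%').
_URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")

# Locates the value of the 'query' parameter, assumed to run to the end of the URL.
_TRAILING_QUERY = re.compile(r"^(.*[?&]query=)(.*)$")


def cpe_unescape(cpe: str) -> str:
    """Drop CPE 2.3 backslash escapes: 'hyperion_bi\\+' -> 'hyperion_bi+'."""
    return _CPE_ESCAPE.sub(r"\1", cpe)


def url_has_only_legal_chars(url: str) -> bool:
    """Validation a database could apply to a reference URL before storing it."""
    return _URL_CHARS.match(url) is not None


def nvd_cpe_search_url(cpe: str) -> str:
    """Build the NVD CPE search URL with the CPE percent-encoded for the query.

    ':' '*' and '/' stay readable (NVD's own links keep them); '&' and '+' become
    %26 and %2B, which is the form the "should be" URLs in this issue use.
    """
    encoded = quote(cpe_unescape(cpe), safe=":*/")
    return f"{NVD_SEARCH}?adv_search=true&isCpeNameSearch=true&query={encoded}"


def fix_reference_url(url: str) -> str:
    """Repair a stored reference URL whose 'query' value still carries CPE escapes.

    Assumes 'query' is the last parameter: an unencoded '&' inside the CPE (first
    URL in this issue) makes the string impossible to parse as ordinary form data.
    """
    match = _TRAILING_QUERY.match(url)
    if not match:
        return url
    prefix, raw_cpe = match.groups()
    return prefix + quote(cpe_unescape(raw_cpe), safe=":*/")
```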