eclipse-sw360 / sw360

SW360 project
https://www.eclipse.org/sw360/

CPE processing fails if (official) CPE contains backslashes. #1121

Open mcjaeger opened 3 years ago

mcjaeger commented 3 years ago

Using some CPEs which contain backslashes will result in an exception when processed. Examples of valid CPEs:

cpe:2.3:a:icu-project:international_components_for_unicode:61.2:*:*:*:*:c\/c\+\+:*:*
cpe:2.3:a:icu-project:international_components_for_unicode:4.4.2:*:*:*:*:c\/c\+\+:*:*

results in an exception here:

2020-11-23 11:20:00 INFO  CveSearchHandler:133 - Starting CveSearch update...
2020-11-23 11:20:03 ERROR ProcessFunction:47 - Internal error processing update
java.lang.NullPointerException: null
2020-11-23 11:20:03 ERROR ScheduleHandler:51 - Was not able to schedule sync for client with name:cvesearchService message:Internal error processing update
org.apache.thrift.TApplicationException: Internal error processing update
        at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:79) ~[datahandler-11.1.0-SNAPSHOT.jar:?]
        at org.eclipse.sw360.datahandler.thrift.cvesearch.CveSearchService$Client.recv_update(CveSearchService.java:200) ~[datahandler-11.1.0-SNAPSHOT.jar:?]
        at org.eclipse.sw360.datahandler.thrift.cvesearch.CveSearchService$Client.update(CveSearchService.java:188) ~[datahandler-11.1.0-SNAPSHOT.jar:?]
        at org.eclipse.sw360.schedule.service.ScheduleHandler.lambda$scheduleService$1(ScheduleHandler.java:70) ~[src-schedule-11.1.0-SNAPSHOT.jar:?]
        at org.eclipse.sw360.schedule.service.ScheduleHandler.lambda$wrapSupplierException$0(ScheduleHandler.java:49) ~[src-schedule-11.1.0-SNAPSHOT.jar:?]
        at org.eclipse.sw360.schedule.timer.ScheduleSyncTask.run(ScheduleSyncTask.java:36) [src-schedule-11.1.0-SNAPSHOT.jar:?]
        at java.util.TimerThread.mainLoop(Timer.java:556) [?:?]
        at java.util.TimerThread.run(Timer.java:506) [?:?]
2020-11-23 11:20:03 ERROR ScheduleSyncTask:40 - ScheduleSyncTask ee700fa9-b07a-4c24-b9c9-91fba25c330a failed.

and here:

> 2020-11-19 09:00:00 INFO  CveSearchHandler:133 - Starting CveSearch update...
> 2020-11-19 09:00:00 ERROR ProcessFunction:47 - Internal error processing update
> java.lang.NullPointerException: null
>        at org.eclipse.sw360.cvesearch.datasource.heuristics.Heuristic.runForNeedleWithMeta(Heuristic.java:48) ~[src-cvesearch-11.1.0-SNAPSHOT.jar:?]
>        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
>        at java.util.Collections$2.tryAdvance(Collections.java:4747) ~[?:?]
>        at java.util.Collections$2.forEachRemaining(Collections.java:4755) ~[?:?]
>        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
>        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
>        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
>        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
>        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]

Tested with 11.1, but it should be present in the following versions as well.

nam-np commented 3 years ago

Does it happen when adding a CPE ID to a release?

KoukiHama commented 3 years ago

@nam-np This log appears when cve-search starts to work.

nam-np commented 3 years ago

SW360 Version: 11.0.0 | Branch: UNKNOWN (182f456)

I used CPEs which contain backslashes for a release. cpe:2.3:a:icu-project:international_components_for_unicode:61.2:*:*:*:*:c\/c\+\+:*:*

[screenshot]

After starting the Schedule CVE service:

[screenshot]

Detail CVE in local server:

[screenshot]

Log with some checkpoints:

2021-05-27 11:21:00 INFO  CveSearchHandler:133 - Starting CveSearch update...
11111111111111 cpe:2.3:a:icu-project:international_components_for_unicode:61.2:*:*:*:*:c\/c\+\+:*:*
22222222222222 cpe:2.3:a:icu-project:international_components_for_unicode:61.2:*:*:*:*:c\/c\+\+:*:*
33333333333333 cpe:2.3:a:icu-project:international_components_for_unicode:61.2:*:*:*:*:c\/c\+\+:*:*
=============http://localhost:5000/api/cvefor/cpe%3A2.3%3Aa%3Aicu-project%3Ainternational_components_for_unicode%3A61.2%3A*%3A*%3A*%3A*%3Ac%5C%2Fc%5C%2B%5C%2B%3A*%3A*
2021-05-27 11:21:00 INFO  CveSearchHandler:135 - CveSearch update finished with status:SUCCESS
2021-05-27 11:21:00 INFO  CveSearchHandler:136 - The following vulnerability/ies could not be imported:[]
The following vulnerability/ies were updated:[]
The following vulnerability/ies were added:[]
2021-05-27 11:21:00 INFO  ScheduleSyncTask:38 - Successfully finished ScheduleSyncTask name=cvesearchService id=e90a41d2-5417-49fc-8476-ce15c587cf2f.

Test CVE API with:

curl -X GET http://localhost:5000/api/cvefor/cpe%3A2.3%3Aa%3Aicu-project%3Ainternational_components_for_unicode%3A61.2%3A*%3A*%3A*%3A*%3Ac%5C%2Fc%5C%2B%5C%2B%3A*%3A*

will return CVE information.
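The CPE strings in this thread escape `/` and `+` with backslashes, as the CPE 2.3 formatted-string syntax requires, and the cve-search query URL in the log above percent-encodes each of those backslashes as `%5C`. As an added example (not SW360 or cve-search code), here is a small Python parser that splits a CPE 2.3 string on unescaped colons only, unescapes a single component, and builds the same `/api/cvefor/` query path that the log shows; the base URL and the second sample CPE (with an escaped colon in its last component) are constructed for the illustration. It goes slightly beyond the thread by handling the escaped-colon case, which a plain `split(":")` gets wrong.

```python
import re
from urllib.parse import quote

# CPE 2.3 formatted-string components in order (NIST IR 7695, section 6.2).
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

# Constructed sample input: the CPE from this issue, plus a constructed variant
# whose last component carries an escaped colon (a value a naive split breaks on).
SAMPLE_CPES = [
    r"cpe:2.3:a:icu-project:international_components_for_unicode:61.2:*:*:*:*:c\/c\+\+:*:*",
    r"cpe:2.3:a:example_vendor:example_product:1.0:*:*:*:*:*:*:build\:42",
]


def naive_split(cpe):
    """What a plain split on ':' yields (minus the 'cpe' and '2.3' prefix):
    the escaped colon in the second sample produces 12 components, not 11."""
    return cpe.split(":")[2:]


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 components, honouring
    backslash escapes: a ':' preceded by a backslash belongs to the component.
    Raises ValueError on malformed input instead of returning None."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    body = cpe[len("cpe:2.3:"):]
    components, current, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])  # keep the escape pair intact
            i += 2
        elif ch == ":":
            components.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    components.append("".join(current))
    if len(components) != len(CPE23_FIELDS):
        raise ValueError("expected %d components, got %d in %r"
                         % (len(CPE23_FIELDS), len(components), cpe))
    return dict(zip(CPE23_FIELDS, components))


def unescape(component):
    """Remove CPE 2.3 backslash escapes: r'c\/c\+\+' -> 'c/c++'."""
    return re.sub(r"\\(.)", r"\1", component)


def cvesearch_url(base_url, cpe):
    """Build the cve-search lookup URL. Only '*' is left unencoded, so ':'
    becomes %3A, '\\' becomes %5C, '/' becomes %2F and '+' becomes %2B,
    matching the URL in the issue log. base_url is an assumed local instance."""
    return base_url.rstrip("/") + "/api/cvefor/" + quote(cpe, safe="*")


if __name__ == "__main__":
    for cpe in SAMPLE_CPES:
        parts = split_cpe23(cpe)
        print("naive components:", len(naive_split(cpe)),
              "escape-aware components:", len(parts))
        print("target_sw:", unescape(parts["target_sw"]),
              "other:", unescape(parts["other"]))
        print(cvesearch_url("http://localhost:5000", cpe))
```

The escape-aware split is the property to check before handing a CPE to any downstream lookup: a component count other than 11 is a malformed identifier and should be rejected or logged, rather than propagated as a null that surfaces later as a NullPointerException in the sync task.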

nam-np commented 3 years ago

And tested with Version: 13.3.0 | Branch: UNKNOWN (fc3c198) CPE ID:

cpe:2.3:a:icu-project:international_components_for_unicode:61.2:*:*:*:*:c\/c\+\+:*:*

Log:

2021-06-02 10:58:18 INFO  Scheduler:60 - New task scheduled. Interval=60sec SW360Task{name='cvesearchService'id='46a5e555-13f0-4c32-b637-e7a9f143131a'scheduledExecutionTime='2021-06-02 10:58:00'}
2021-06-02 10:59:00 INFO  CveSearchHandler:133 - Starting CveSearch update...
2021-06-02 10:59:01 INFO  VulnerabilityDatabaseHandler:67 - Vulnerability id = 00b5094cf364eaf2cca333bcd800a844
2021-06-02 10:59:01 INFO  CveSearchHandler:135 - CveSearch update finished with status:SUCCESS
2021-06-02 10:59:01 INFO  CveSearchHandler:136 - The following vulnerability/ies could not be imported:[]
The following vulnerability/ies were updated:[]
The following vulnerability/ies were added:[CVE-2020-10531]
2021-06-02 10:59:01 INFO  ScheduleSyncTask:38 - Successfully finished ScheduleSyncTask name=cvesearchService id=46a5e555-13f0-4c32-b637-e7a9f143131a.

CVE:

[screenshot]

CVE server search:

namnp@namnp:~/cve-search$ python3 ./bin/search.py -p "cpe:2.3:a:icu-project:international_components_for_unicode:61.2:*:*:*:*:c\/c\+\+:*:*" | grep "CVE.*:.*CVE"
CVE : CVE-2020-10531

KoukiHama commented 3 years ago

(Discussion in the 2021 June 2nd telco) We are going to close this issue.

nam-np commented 3 years ago

OK, thanks.