eclipse-sw360 / sw360

SW360 project
https://www.eclipse.org/sw360/

Automatically generated CVE Search queries are invalid in cve-search #2567

Open chrismathis opened 3 months ago

chrismathis commented 3 months ago

Description

If a release has no CPE ID set, the query for the cve-search API seems to be generated from the name, vendor and version. The resulting CPE ID (according to the log) is something like this: cpe:2.3:*:apache:log4net:1.2.9_beta.*, resulting in an API query like this: https://cvepremium.circl.lu/api/cvefor/cpe%3A2.3%3A*%3Aapache%3Alog4net%3A1.2.9_beta.* It looks like there is a regex in the place of "part" and at the end of the version.

It seems like cve-search (and cvepremium) do not support regexes in the query (any more?). Maybe because of this: https://github.com/cve-search/cve-search/pull/629

The query works with CouchDB wildcards ? and * instead of regexes, i.e.: https://cvepremium.circl.lu/api/cvefor/cpe%3A2.3%3A?%3Aapache%3Alog4net%3A1.2.9_beta

How to reproduce

Versions

Screenshots


SW360 logs

2024-08-21 11:04:22 ERROR Heuristic:53 - IOException in searchlevel
2024-08-21T13:04:23.168155941+02:00  with description=heuristic (dist. 00)
2024-08-21T13:04:23.168159705+02:00  with needle=cpe:2.3:.:apache:log4net:1.2.9_beta.*
2024-08-21T13:04:23.168161712+02:00  with exception message=https://cve-search.internal.bachmann.at/api/cvefor/cpe%3A2.3%3A.%3Aapache%3Alog4net%3A1.2.9_beta.*
2024-08-21T13:04:23.168163972+02:00 java.io.FileNotFoundException: https://cve-search.internal.bachmann.at/api/cvefor/cpe%3A2.3%3A.%3Aapache%3Alog4net%3A1.2.9_beta.*

chrismathis commented 3 months ago

I have to correct myself: ? and * do not work as wildcards; the unencoded ? just hides the rest of the query.
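As an added illustration of the two points made in this thread (the generated needle is regex syntax rather than CPE 2.3 syntax, and an unencoded ? or * in the URL path does not act as a wildcard), the following Python is example code, not sw360 or cve-search code. It builds a 13-field CPE 2.3 formatted string using the escaping rules of the NIST IR 7695 formatted-string binding (alphanumerics, "_", "." and "-" pass through, everything else is backslash-escaped, unknown trailing attributes are "*"), percent-encodes the whole string as a single path segment for /api/cvefor/ (so ":" and "*" become %3A and %2A), and reports what is wrong with a needle like the one in the log. The URL shape is taken from the post; whether a given cve-search deployment matches on a full 13-field string is not established on this page, and the diagnostic codes are this example's own names.

```python
import re
from urllib.parse import quote

# The 11 attribute components of a CPE 2.3 formatted string (NIST IR 7695), in order,
# following the fixed "cpe:2.3" prefix.
CPE_COMPONENTS = ("part", "vendor", "product", "version", "update", "edition",
                  "language", "sw_edition", "target_sw", "target_hw", "other")

_UNESCAPED_COLON = re.compile(r"(?<!\\):")   # split on ':' unless it is escaped as '\:'
_REGEX_TAIL = re.compile(r"(?<!\\)\.\*$")    # '.*' at the end of a component


def bind_component(value: str) -> str:
    """Escape one attribute value as the formatted-string binding does.

    Alphanumerics, '_', '.' and '-' pass through unchanged; every other character,
    including a literal '*' or '?', is backslash-escaped so it cannot be read as a
    wildcard. The bare logical values '*' (ANY) and '-' (NA) are returned as-is.
    Values are lowercased, which is how NVD publishes them (assumption for this example).
    """
    if value in ("*", "-"):
        return value
    out = []
    for c in value.lower():
        out.append(c if (c.isalnum() or c in "._-") else "\\" + c)
    return "".join(out)


def build_cpe(vendor: str, product: str, version: str, part: str = "a") -> str:
    """Build a well-formed 13-field formatted string; attributes that are not known
    (update, edition, ...) are set to the logical value '*' instead of a regex tail."""
    known = {"part": part, "vendor": vendor, "product": product, "version": version}
    comps = [bind_component(known.get(name, "*")) for name in CPE_COMPONENTS]
    return "cpe:2.3:" + ":".join(comps)


def cvefor_url(base: str, cpe: str) -> str:
    """Encode the CPE as one opaque path segment of the cvefor endpoint shown in the post.

    safe="" makes quote() encode ':' and '*' as well, so neither a '?' nor a '*' in the
    value can be interpreted by the HTTP layer (a raw '?' would start the query string
    and drop the rest of the path, as the second comment observes).
    """
    return base.rstrip("/") + "/api/cvefor/" + quote(cpe, safe="")


def diagnose(cpe: str) -> list:
    """Return short codes describing how a generated needle fails to be a CPE 2.3
    formatted string, or looks like a regex rather than a CPE."""
    problems = []
    fields = _UNESCAPED_COLON.split(cpe)
    if fields[:2] != ["cpe", "2.3"]:
        problems.append("bad-prefix")
    if len(fields) != 2 + len(CPE_COMPONENTS):
        problems.append("component-count")   # e.g. 6 fields where a formatted string has 13
    if len(fields) > 2 and fields[2] not in ("a", "o", "h", "*", "-"):
        problems.append("bad-part")          # '.' in the part position is regex, not CPE
    if any(_REGEX_TAIL.search(f) for f in fields[2:]):
        problems.append("regex-tail")        # '.*' is a regex tail; a CPE wildcard is a bare '*'
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the needle from the log, then a rebuilt one.
    logged_needle = "cpe:2.3:.:apache:log4net:1.2.9_beta.*"
    print(logged_needle, "->", diagnose(logged_needle))
    cpe = build_cpe("apache", "log4net", "1.2.9_beta")
    print(cpe, "->", diagnose(cpe))
    print(cvefor_url("https://cvepremium.circl.lu", cpe))
```

Running the module prints the three diagnostic codes for the logged needle (too few components, a regex "." where the part belongs, a ".*" tail on the version) and an empty list for the rebuilt string, followed by the fully percent-encoded URL.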