normalize VULNERABLESOFTWARE table, make CPE matching case-insensitive

Signed-off-by: Steffen Ohrendorf <[email protected]>

Author: stohrendorf

src/main/java/org/dependencytrack/model/VulnerableSoftware.java

@@ -262,23 +262,23 @@ public String getPart() {
     }
 
     public void setPart(String part) {
-        this.part = part;
+        this.part = part == null ? null : part.toLowerCase();
     }
 
     public String getVendor() {
         return vendor;
     }
 
     public void setVendor(String vendor) {
-        this.vendor = vendor;
+        this.vendor = vendor == null ? null : vendor.toLowerCase();
     }
 
     public String getProduct() {
         return product;
     }
 
     public void setProduct(String product) {
-        this.product = product;
+        this.product = product == null ? null : product.toLowerCase();
     }
 
     public String getVersion() {

src/main/java/org/dependencytrack/persistence/VulnerableSoftwareQueryManager.java

@@ -276,9 +276,9 @@ public List<VulnerableSoftware> getAllVulnerableSoftware(
         //   SELECT "ID" FROM "VULNERABLESOFTWARE" WHERE "PART" = 'foo' ...
 
         if (cpePart != null && cpeVendor != null && cpeProduct != null) {
-            final List<CpeFilterCondition> partConditions = buildCpeFilterConditions("\"PART\"", cpePart);
-            final List<CpeFilterCondition> vendorConditions = buildCpeFilterConditions("\"VENDOR\"", cpeVendor);
-            final List<CpeFilterCondition> productConditions = buildCpeFilterConditions("\"PRODUCT\"", cpeProduct);
+            final List<CpeFilterCondition> partConditions = buildCpeFilterConditions("\"PART\"", cpePart.toLowerCase());
+            final List<CpeFilterCondition> vendorConditions = buildCpeFilterConditions("\"VENDOR\"", cpeVendor.toLowerCase());
+            final List<CpeFilterCondition> productConditions = buildCpeFilterConditions("\"PRODUCT\"", cpeProduct.toLowerCase());
 
             for (final CpeFilterCondition partCondition : partConditions) {
                 for (final CpeFilterCondition vendorCondition : vendorConditions) {

src/main/java/org/dependencytrack/search/FuzzyVulnerableSoftwareSearchManager.java

@@ -45,7 +45,6 @@
 import us.springett.parsers.cpe.values.Part;
 
 import java.io.IOException;
-
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -262,7 +261,7 @@ public static String getLuceneCpeRegexp(String cpeString) {
 
     private static String getComponentRegex(String component) {
         if (component != null) {
-            return component.replace("*", ".*");
+            return component.replace("*", ".*").toLowerCase();
         } else {
             return ".*";
         }
@@ -274,7 +273,7 @@ private static String escapeLuceneQuery(final String input) {
         } else if (input.equals(".*")) {
             return input;
         }
-        return QueryParser.escape(input);
+        return QueryParser.escape(input.toLowerCase());
     }
 
 }

src/main/java/org/dependencytrack/search/VulnerableSoftwareIndexer.java

@@ -126,8 +126,10 @@ private static List<VulnerableSoftwareDocument> fetchNext(final QueryManager qm,
     private Document convertToDocument(final VulnerableSoftwareDocument vs) {
         final var doc = new Document();
         addField(doc, IndexConstants.VULNERABLESOFTWARE_UUID, vs.uuid().toString(), Field.Store.YES, false);
-        addField(doc, IndexConstants.VULNERABLESOFTWARE_CPE_22, vs.cpe22(), Field.Store.YES, false);
-        addField(doc, IndexConstants.VULNERABLESOFTWARE_CPE_23, vs.cpe23(), Field.Store.YES, false);
+        final var cpe22 = vs.cpe22() != null ? vs.cpe22().toLowerCase() : null;
+        addField(doc, IndexConstants.VULNERABLESOFTWARE_CPE_22, cpe22, Field.Store.YES, false);
+        final var cpe23 = vs.cpe23() != null ? vs.cpe23().toLowerCase() : null;
+        addField(doc, IndexConstants.VULNERABLESOFTWARE_CPE_23, cpe23, Field.Store.YES, false);
         addField(doc, IndexConstants.VULNERABLESOFTWARE_VENDOR, vs.vendor(), Field.Store.YES, true);
         addField(doc, IndexConstants.VULNERABLESOFTWARE_PRODUCT, vs.product(), Field.Store.YES, true);
         addField(doc, IndexConstants.VULNERABLESOFTWARE_VERSION, vs.version(), Field.Store.YES, true);

src/main/java/org/dependencytrack/tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java

@@ -65,16 +65,20 @@ protected void analyzeVersionRange(final QueryManager qm, final List<VulnerableS
             }
         }
     }
+
+    private static String toLowerCaseNullable(final String string) {
+        return string == null ? null : string.toLowerCase();
+    }
 
     private Boolean maybeMatchCpe(final VulnerableSoftware vs, final Cpe targetCpe, final String targetVersion) {
         if (targetCpe == null || vs.getCpe23() == null) {
             return null;
         }
 
         final List<Relation> relations = List.of(
-                Cpe.compareAttribute(vs.getPart(), targetCpe.getPart().getAbbreviation()),
-                Cpe.compareAttribute(vs.getVendor(), targetCpe.getVendor()),
-                Cpe.compareAttribute(vs.getProduct(), targetCpe.getProduct()),
+                Cpe.compareAttribute(vs.getPart(), toLowerCaseNullable(targetCpe.getPart().getAbbreviation())),
+                Cpe.compareAttribute(vs.getVendor(), toLowerCaseNullable(targetCpe.getVendor())),
+                Cpe.compareAttribute(vs.getProduct(), toLowerCaseNullable(targetCpe.getProduct())),
                 Cpe.compareAttribute(vs.getVersion(), targetVersion),
                 Cpe.compareAttribute(vs.getUpdate(), targetCpe.getUpdate()),
                 Cpe.compareAttribute(vs.getEdition(), targetCpe.getEdition()),

src/main/java/org/dependencytrack/upgrade/UpgradeItems.java

@@ -45,6 +45,7 @@ class UpgradeItems {
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4130.v4130Updater.class);
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4130.v4130_1Updater.class);
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4131.v4131Updater.class);
+        UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4135.v4135Updater.class);
     }
 
     static List<Class<? extends UpgradeItem>> getUpgradeItems() {

src/main/java/org/dependencytrack/upgrade/v4135/v4135Updater.java

@@ -0,0 +1,50 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.upgrade.v4135;
+
+import alpine.common.logging.Logger;
+import alpine.persistence.AlpineQueryManager;
+import alpine.server.upgrade.AbstractUpgradeItem;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+public class v4135Updater extends AbstractUpgradeItem {
+    private static final Logger LOGGER = Logger.getLogger(v4135Updater.class);
+
+    @Override
+    public String getSchemaVersion() {
+        return "4.13.5";
+    }
+
+    @Override
+    public void executeUpgrade(final AlpineQueryManager qm, final Connection connection) throws Exception {
+        normalizeCpeData(connection);
+    }
+
+    private void normalizeCpeData(final Connection connection) throws SQLException {
+        try (final Statement statement = connection.createStatement()) {
+            LOGGER.info("Normalizing \"VULNERABLESOFTWARE\" CPE columns");
+            statement.execute(/* language=SQL */ """
+                    UPDATE TABLE "VULNERABLESOFTWARE" SET "PART" = LOWER("PART"), "VENDOR" = LOWER("VENDOR"), "PRODUCT" = LOWER("PRODUCT")
+                    """);
+        }
+    }
+}

src/test/java/org/dependencytrack/search/FuzzyVulnerableSoftwareSearchManagerTest.java

@@ -101,7 +101,7 @@ void getLuceneCpeRegexp() throws CpeValidationException, CpeEncodingException {
         us.springett.parsers.cpe.Cpe os = new us.springett.parsers.cpe.Cpe( Part.OPERATING_SYSTEM, "vendor", "product", "1\\.0", "2", "33","en", "inside", "Vista", "x86", "other");
 
         Assertions.assertEquals("cpe23:/cpe\\:2\\.3\\:a\\:.*\\:.*\\:.*\\:.*\\:.*\\:.*\\:.*\\:.*\\:.*\\:.*/", FuzzyVulnerableSoftwareSearchManager.getLuceneCpeRegexp("cpe:2.3:a:*:*:*:*:*:*:*:*:*:*"));
-        Assertions.assertEquals("cpe23:/cpe\\:2\\.3\\:o\\:vendor\\:product\\:1.0\\:2\\:33\\:en\\:inside\\:Vista\\:x86\\:other/", FuzzyVulnerableSoftwareSearchManager.getLuceneCpeRegexp(os.toCpe23FS()));
+        Assertions.assertEquals("cpe23:/cpe\\:2\\.3\\:o\\:vendor\\:product\\:1.0\\:2\\:33\\:en\\:inside\\:vista\\:x86\\:other/", FuzzyVulnerableSoftwareSearchManager.getLuceneCpeRegexp(os.toCpe23FS()));
         Assertions.assertEquals("cpe22:/cpe\\:\\/o\\:vendor\\:product\\:1.0\\:2\\:33\\:en/", FuzzyVulnerableSoftwareSearchManager.getLuceneCpeRegexp(os.toCpe22Uri()));
     }
 

src/test/java/org/dependencytrack/tasks/scanners/InternalAnalysisTaskCpeMatchingTest.java

@@ -353,7 +353,7 @@ public static Collection<Arguments> parameters() {
                 // Note:      CPEs with uppercase "part" are considered invalid by the cpe-parser library.
                 // TODO:      This should match, but can't currently support this as it would require an function index on UPPER("PART"),
                 //            UPPER("VENDOR"), and UPPER("PRODUCT"), which we cannot add through JDO annotations.
-                Arguments.of("cpe:2.3:o:lInUx:lInUx_KeRnEl:5.15.37:*:*:*:*:*:*:*", WITHOUT_RANGE, DOES_NOT_MATCH, "cpe:2.3:o:LiNuX:LiNuX_kErNeL:5.15.37:*:*:*:*:*:*:*"),
+                Arguments.of("cpe:2.3:o:lInUx:lInUx_KeRnEl:5.15.37:*:*:*:*:*:*:*", WITHOUT_RANGE, MATCHES, "cpe:2.3:o:LiNuX:LiNuX_kErNeL:5.15.37:*:*:*:*:*:*:*"),
                 // ---
                 // Issue:     https://github.com/DependencyTrack/dependency-track/issues/2988
                 // Scenario:  "other" attribute of source is NA, "other" attribute of target is ANY -> SUBSET.