fix: Update NVD CPE search URLs to match new search interface (#7970)

Signed-off-by: Chad Wilson <[email protected]>

Author: chadlwilson

core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -20,8 +20,6 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -111,24 +109,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
      * alpha characters.
      */
     private static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
-    /**
-     * UTF-8 character set name.
-     */
-    private static final String UTF8 = StandardCharsets.UTF_8.name();
-    /**
-     * The URL to search the NVD CVE data at NIST. This is used by calling:
-     * <pre>String.format(NVD_SEARCH_URL, vendor, product, version);</pre>
-     */
-    public static final String NVD_SEARCH_URL = "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&"
-            + "results_type=overview&search_type=all&cpe_vendor=cpe%%3A%%2F%%3A%1$s&cpe_product=cpe%%3A%%2F%%3A%1$s%%3A%2$s&"
-            + "cpe_version=cpe%%3A%%2F%%3A%1$s%%3A%2$s%%3A%3$s";
 
-    /**
-     * The URL to search the NVD CVE data at NIST. This is used by calling:
-     * <pre>String.format(NVD_SEARCH_URL, vendor, product);</pre>
-     */
-    public static final String NVD_SEARCH_BROAD_URL = "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&"
-            + "results_type=overview&search_type=all&cpe_vendor=cpe%%3A%%2F%%3A%1$s&cpe_product=cpe%%3A%%2F%%3A%1$s%%3A%2$s";
     /**
      * The CPE in memory index.
      */
@@ -806,12 +787,11 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
      * analysis
      * @return <code>true</code> if an identifier was added to the dependency;
      * otherwise <code>false</code>
-     * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
      * @throws AnalysisException thrown if the suppression rules failed
      */
     @SuppressWarnings("StringSplitter")
     protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
-            Confidence currentConfidence) throws UnsupportedEncodingException, AnalysisException {
+            Confidence currentConfidence) throws AnalysisException {
 
         final CpeBuilder cpeBuilder = new CpeBuilder();
 
@@ -864,8 +844,7 @@ protected boolean determineIdentifiers(Dependency dependency, String vendor, Str
                         dbVerUpdate = DependencyVersionUtil.parseVersion(vs.getVersion() + '.' + vs.getUpdate(), true);
                     }
                     if (dbVer == null) { //special case, no version specified - everything is vulnerable
-                        final String url = String.format(NVD_SEARCH_BROAD_URL, URLEncoder.encode(vs.getVendor(), UTF8),
-                                URLEncoder.encode(vs.getProduct(), UTF8));
+                        final String url = CpeIdentifier.nvdProductSearchUrlFor(vs);
                         final IdentifierMatch match = new IdentifierMatch(vs, url, IdentifierConfidence.BROAD_MATCH, conf);
                         collected.add(match);
                     } else if (evVer.equals(dbVer)) {
@@ -875,8 +854,7 @@ protected boolean determineIdentifiers(Dependency dependency, String vendor, Str
                         bestGuessConf = conf;
                         bestGuess = dbVer;
                         bestGuessUpdate = evBaseVerUpdate;
-                        bestGuessURL = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getVendor(), UTF8),
-                                URLEncoder.encode(vs.getProduct(), UTF8), URLEncoder.encode(vs.getVersion(), UTF8));
+                        bestGuessURL = CpeIdentifier.nvdSearchUrlFor(vs);
                     } else if (dbVerUpdate != null && evVer.getVersionParts().size() <= dbVerUpdate.getVersionParts().size()
                             && evVer.matchesAtLeastThreeLevels(dbVerUpdate)) {
                         if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
@@ -983,14 +961,12 @@ protected boolean determineIdentifiers(Dependency dependency, String vendor, Str
      * @param updateVersion the update version
      * @param conf the current confidence
      * @param collected a reference to the collected identifiers
-     * @throws UnsupportedEncodingException thrown if UTF-8 is not supported
      */
     private void addExactMatch(Cpe vs, String updateVersion, Confidence conf,
-            final Set<IdentifierMatch> collected) throws UnsupportedEncodingException {
+            final Set<IdentifierMatch> collected) {
 
         final CpeBuilder cpeBuilder = new CpeBuilder();
-        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getVendor(), UTF8),
-                URLEncoder.encode(vs.getProduct(), UTF8), URLEncoder.encode(vs.getVersion(), UTF8));
+        final String url = CpeIdentifier.nvdSearchUrlFor(vs);
         Cpe useCpe;
         if (updateVersion != null && "*".equals(vs.getUpdate())) {
             try {
@@ -1022,13 +998,11 @@ private void addExactMatch(Cpe vs, String updateVersion, Confidence conf,
      * @param collected a reference to the identifiers matched
      * @throws AnalysisException thrown if aliens attacked and valid input could
      * not be used to construct a CPE
-     * @throws UnsupportedEncodingException thrown if run on a system that
-     * doesn't support UTF-8
      */
     private void considerDependencyVersion(Dependency dependency,
             String vendor, String product, Confidence confidence,
             final Set<IdentifierMatch> collected)
-            throws AnalysisException, UnsupportedEncodingException {
+            throws AnalysisException {
 
         if (dependency.getVersion() != null && !dependency.getVersion().isEmpty()) {
             final CpeBuilder cpeBuilder = new CpeBuilder();
@@ -1051,8 +1025,7 @@ private void considerDependencyVersion(Dependency dependency,
                     addVersionAndUpdate(depVersion, cpeBuilder);
                     try {
                         final Cpe depCpe = cpeBuilder.build();
-                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vendor, UTF8),
-                                URLEncoder.encode(product, UTF8), URLEncoder.encode(depCpe.getVersion(), UTF8));
+                        final String url = CpeIdentifier.nvdSearchUrlFor(vendor, product, depCpe.getVersion());
                         final IdentifierMatch match = new IdentifierMatch(depCpe, url, IdentifierConfidence.EXACT_MATCH, confidence);
                         collected.add(match);
                     } catch (CpeValidationException ex) {

core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java

@@ -28,6 +28,7 @@
 import org.apache.commons.lang3.builder.HashCodeBuilder;
 import org.jetbrains.annotations.NotNull;
 import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException;
+import org.owasp.dependencycheck.dependency.naming.CpeIdentifier;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import us.springett.parsers.cpe.Cpe;
 import us.springett.parsers.cpe.ICpe;
@@ -517,4 +518,8 @@ public String toString() {
         }
         return sb.toString();
     }
+
+    public String toNvdSearchUrl() {
+        return CpeIdentifier.nvdSearchUrlFor(this);
+    }
 }

core/src/main/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifier.java

@@ -20,13 +20,16 @@
 import org.apache.commons.lang3.builder.CompareToBuilder;
 import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.commons.lang3.builder.HashCodeBuilder;
+import org.apache.hc.core5.net.PercentCodec;
 import org.jetbrains.annotations.NotNull;
 import org.owasp.dependencycheck.dependency.Confidence;
 import us.springett.parsers.cpe.Cpe;
 import us.springett.parsers.cpe.CpeBuilder;
 import us.springett.parsers.cpe.exceptions.CpeValidationException;
 import us.springett.parsers.cpe.values.Part;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 /**
  * A CPE Identifier for a dependency object.
  *
@@ -203,4 +206,41 @@ public int compareTo(@NotNull Identifier o) {
                 .append(this.confidence, o.getConfidence())
                 .toComparison();
     }
+
+    /**
+     * Produces an NVD search URL for a given CPE to find all applicable vulnerabilities, including all populated parts
+     * of the given CPE.
+     * <p/>
+     * The opened link should be sorted in descending order (sortDirection=2) by publish date (sortOrder=3).
+     */
+    public static String nvdSearchUrlFor(Cpe cpe) {
+        // Use PercentCodec to force `*` to be encoded for CPE strings inside the URL. Technically '*' is not a reserved
+        // character in the fragment of URLs, but not all browsers handle this consistently, so better to encode aggressively.
+        // URlEncoder does not distinguish between parts of URLs appropriately, as well as not forcing encoding of these.
+        return String.format("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&cpeName=%s",
+                PercentCodec.encode(cpe.toCpe23FS(), UTF_8));
+    }
+
+    /**
+     * Produces an NVD search URL for a given application vendor/product/version combination to find all applicable vulnerabilities.
+     * <p/>
+     * The opened link should be sorted in descending order (sortDirection=2) by publish date (sortOrder=3).
+     */
+    public static String nvdSearchUrlFor(String vendor, String product, String version) throws CpeValidationException {
+        return nvdSearchUrlFor(new CpeBuilder().part(Part.APPLICATION).vendor(vendor).product(product).version(version).build());
+    }
+
+    /**
+     * Produces an NVD search URL for a given CPE to find all applicable vulnerabilities, including only the part, vendor,
+     * and product of the given CPE (if populated). Discards all other parts/discriminators of the CPE in the generated search.
+     * <p/>
+     * The opened link should be sorted in descending order (sortDirection=2) by publish date (sortOrder=3).
+     */
+    public static String nvdProductSearchUrlFor(Cpe cpe) {
+        try {
+            return nvdSearchUrlFor(new CpeBuilder().part(cpe.getPart()).vendor(cpe.getVendor()).product(cpe.getProduct()).build());
+        } catch (CpeValidationException e) {
+            throw new RuntimeException(e);
+        }
+    }
 }

core/src/main/resources/templates/htmlReport.vsl

@@ -945,7 +945,6 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                         #end
                         #set($cnt=$cnt+1)
                         <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
-                        ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                         <div id="content$cnt" class="subsectioncontent standardsubsection">
                         #set($supressPkgUrl='')
                         #if ($dependency.getSoftwareIdentifiers().size()==0 && $dependency.getVulnerableSoftwareIdentifiers().size()==0)
@@ -1060,14 +1059,14 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                             #if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
                                 #if ($vuln.getVulnerableSoftware().size()<2)
                                     <p>Vulnerable Software &amp; Versions:<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                     </ul></p>
                                 #else
                                     <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" class="versionToggle" data-toggle=".vs$vsctr">show all</a>)<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                         <li class="vs$vsctr">...</li>
                                     #foreach($vs in $vuln.getVulnerableSoftware(true))
-                                        <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.toCpe22Uri())">$enc.html($vs.toString())</a></li>
+                                        <li class="vs$vsctr hidden"><a target="_blank" href="$enc.html($vs.toNvdSearchUrl())">$enc.html($vs.toString())</a></li>
                                     #end
                                     </ul></p>
                                 #end
@@ -1174,7 +1173,6 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                                 #end
                                 #set($cnt=$cnt+1)
                                 <h4 id="header$cnt" class="subsectionheader white">Suppressed Identifiers</h4>
-                                ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                                 <div id="content$cnt" class="subsectioncontent standardsubsection">
                                 #if ($dependency.getSuppressedIdentifiers().size()==0)
                                     <ul><li><b>None</b></li></ul>
@@ -1267,14 +1265,14 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                                      #if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
                                         #if ($vuln.getVulnerableSoftware().size()<2)
                                             <p>Vulnerable Software &amp; Versions:<ul>
-                                                <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                                <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                             </ul></p>
                                         #else
                                             <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" class="versionToggle" data-toggle=".vs$vsctr">show all</a>)<ul>
-                                                <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                                <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                                 <li class="vs$vsctr">...</li>
                                             #foreach($vs in $vuln.getVulnerableSoftware(true))
-                                                <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.toCpe22Uri())">$enc.html($vs.toString())</a></li>
+                                                <li class="vs$vsctr hidden"><a target="_blank" href="$enc.html($vs.toNvdSearchUrl())">$enc.html($vs.toString())</a></li>
                                             #end
                                             </ul></p>
                                         #end

core/src/main/resources/templates/jenkinsReport.vsl

@@ -670,7 +670,6 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                         #end
                         #set($cnt=$cnt+1)
                         <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
-                        ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                         <div id="content$cnt" class="subsectioncontent standardsubsection">
                         #if ($dependency.getSoftwareIdentifiers().size()==0 && $dependency.getVulnerableSoftwareIdentifiers().size()==0)
                             <ul><li><b>None</b></li></ul>
@@ -764,13 +763,13 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                             #if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
                                 #if ($vuln.getVulnerableSoftware().size()<2)
                                     <p>Vulnerable Software &amp; Versions:<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                     </ul></p>
                                 #else
                                     <p>Vulnerable Software &amp; Versions:<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                     #foreach($vs in $vuln.getVulnerableSoftware(true))
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.toCpe22Uri())">$enc.html($vs.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vs.toString())</a></li>
                                     #end
                                     </ul></p>
                                 #end