fix: Fix bad links in HTML reports for "Vulnerable Software & Versions"

chadlwilson · chadlwilson · commit 4c71e205003e · 2025-09-25T23:52:05.000+08:00
Since the search function accepts a full CPE 2.3 name, we should be able to use whatever CPE we have, with whatever specificity the CPE has. If it happens to have a
version number in it, that will be in the URL. If it does not (due to match being against version ranges, then it will do a broad search).

Signed-off-by: Chad Wilson &lt;29788154+chadlwilson@users.noreply.github.com&gt;
diff --git a/core/src/main/java/org/owasp/dependencycheck/reporting/ReportTool.java b/core/src/main/java/org/owasp/dependencycheck/reporting/ReportTool.java
@@ -213,4 +213,8 @@ private String buildDescription(String description,
         sb.append(description);
         return sb.toString();
     }
+
+    public String nvdSearchUrlFor(Cpe cpe) {
+        return CpeIdentifier.nvdSearchUrlFor(cpe);
+    }
 }
diff --git a/core/src/main/resources/templates/htmlReport.vsl b/core/src/main/resources/templates/htmlReport.vsl
@@ -945,7 +945,6 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                         #end
                         #set($cnt=$cnt+1)
                         <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
-                        ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                         <div id="content$cnt" class="subsectioncontent standardsubsection">
                         #set($supressPkgUrl='')
                         #if ($dependency.getSoftwareIdentifiers().size()==0 && $dependency.getVulnerableSoftwareIdentifiers().size()==0)
@@ -1060,14 +1059,14 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                             #if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
                                 #if ($vuln.getVulnerableSoftware().size()<2)
                                     <p>Vulnerable Software &amp; Versions:<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($rpt.nvdSearchUrlFor($vuln.matchedVulnerableSoftware))">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                     </ul></p>
                                 #else
                                     <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" class="versionToggle" data-toggle=".vs$vsctr">show all</a>)<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($rpt.nvdSearchUrlFor($vuln.matchedVulnerableSoftware))">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                         <li class="vs$vsctr">...</li>
                                     #foreach($vs in $vuln.getVulnerableSoftware(true))
-                                        <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.toCpe22Uri())">$enc.html($vs.toString())</a></li>
+                                        <li class="vs$vsctr hidden"><a target="_blank" href="$enc.html($rpt.nvdSearchUrlFor($vs))">$enc.html($vs.toString())</a></li>
                                     #end
                                     </ul></p>
                                 #end
@@ -1174,7 +1173,6 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                                 #end
                                 #set($cnt=$cnt+1)
                                 <h4 id="header$cnt" class="subsectionheader white">Suppressed Identifiers</h4>
-                                ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                                 <div id="content$cnt" class="subsectioncontent standardsubsection">
                                 #if ($dependency.getSuppressedIdentifiers().size()==0)
                                     <ul><li><b>None</b></li></ul>
@@ -1267,14 +1265,14 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                                      #if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
                                         #if ($vuln.getVulnerableSoftware().size()<2)
                                             <p>Vulnerable Software &amp; Versions:<ul>
-                                                <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                                <li class="vs$vsctr"><a target="_blank" href="$enc.html($rpt.nvdSearchUrlFor($vuln.matchedVulnerableSoftware))">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                             </ul></p>
                                         #else
                                             <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" class="versionToggle" data-toggle=".vs$vsctr">show all</a>)<ul>
-                                                <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                                <li class="vs$vsctr"><a target="_blank" href="$enc.html($rpt.nvdSearchUrlFor($vuln.matchedVulnerableSoftware))">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                                 <li class="vs$vsctr">...</li>
                                             #foreach($vs in $vuln.getVulnerableSoftware(true))
-                                                <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.toCpe22Uri())">$enc.html($vs.toString())</a></li>
+                                                <li class="vs$vsctr hidden"><a target="_blank" href="$enc.html($rpt.nvdSearchUrlFor($vs))">$enc.html($vs.toString())</a></li>
                                             #end
                                             </ul></p>
                                         #end
diff --git a/core/src/main/resources/templates/jenkinsReport.vsl b/core/src/main/resources/templates/jenkinsReport.vsl
@@ -670,7 +670,6 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                         #end
                         #set($cnt=$cnt+1)
                         <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
-                        ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                         <div id="content$cnt" class="subsectioncontent standardsubsection">
                         #if ($dependency.getSoftwareIdentifiers().size()==0 && $dependency.getVulnerableSoftwareIdentifiers().size()==0)
                             <ul><li><b>None</b></li></ul>
@@ -764,13 +763,13 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                             #if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
                                 #if ($vuln.getVulnerableSoftware().size()<2)
                                     <p>Vulnerable Software &amp; Versions:<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($rpt.nvdSearchUrlFor($vuln.matchedVulnerableSoftware))">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                     </ul></p>
                                 #else
                                     <p>Vulnerable Software &amp; Versions:<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($rpt.nvdSearchUrlFor($vuln.matchedVulnerableSoftware))">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                     #foreach($vs in $vuln.getVulnerableSoftware(true))
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.toCpe22Uri())">$enc.html($vs.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($rpt.nvdSearchUrlFor($vuln.matchedVulnerableSoftware))">$enc.html($vs.toString())</a></li>
                                     #end
                                     </ul></p>
                                 #end

Original file line number	Diff line number	Diff line change
`@@ -213,4 +213,8 @@ private String buildDescription(String description,`
`213`	`213`	`sb.append(description);`
`214`	`214`	`return sb.toString();`
`215`	`215`	`}`
	`216`	`+`
	`217`	`+ public String nvdSearchUrlFor(Cpe cpe) {`
	`218`	`+ return CpeIdentifier.nvdSearchUrlFor(cpe);`
	`219`	`+ }`
`216`	`220`	`}`