URL in vulnerability reference contains illegal character #1173
Comments
@oheger-bosch can you please point me to the CVE for this reference, so I can check the root cause of the issue
Hi @TG1999, this is the affected CVE: CVE-2019-17531
Could you help us by stating which character is invalid exactly? Is it the
Yes, I think it is the backslash that causes the trouble.
Apparently, VulnerableCode sometimes returns URLs that use backslash escaping instead of percent escaping, see [1]. Work around that issue until it is fixed upstream. Resolves #7364. [1]: aboutcode-org/vulnerablecode#1173 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
BTW, there are more wrongly escaped URLs being returned by VulnerableCode, see oss-review-toolkit/ort#8040. So
should be
Yet another case
should be
See [1]. [1]: aboutcode-org/vulnerablecode#1173 Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
We encountered a case in which this URL was returned in a vulnerability reference:
https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment::::::::
ORT converts these references to the Java URI type, which fails in this case due to an invalid character.
Not sure what would be the best way to handle such issues. Should VulnerableCode perform some validation on URLs? Or should ORT better not rely on those strings to be valid URLs?
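A strict validator plus the kind of workaround the thread settles on (percent-encode the offending characters until upstream data is fixed), written here as an added example that is neither ORT's nor VulnerableCode's code. The sample URL is constructed from the one quoted above; the handling of a stray `%` is an assumption that goes beyond the backslash case this issue reports. Python's `urlsplit` is lenient where Java's `URI` constructor is strict, so the character check is done explicitly rather than left to the parser.

```python
import re
from urllib.parse import quote, urlsplit

# Characters RFC 3986 allows to appear literally in a URI (unreserved, reserved and '%').
_LEGAL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
             "-._~:/?#[]@!$&'()*+,;=%")
# A '%' must introduce a two-digit hex escape; a bare one is as invalid as a backslash
# (assumed extension beyond the issue, which only reports the backslash case).
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Constructed from the reference quoted in the issue body; note the literal backslash before '&'.
SAMPLE_URL = ("https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true"
              "&query=cpe:2.3:a:oracle:siebel_engineering_-_installer_\\&_deployment::::::::")


def illegal_characters(url):
    """Return the distinct characters that would make a strict URI parser reject `url`."""
    bad = {c for c in url if c not in _LEGAL}
    if _BAD_PERCENT.search(url):
        bad.add("%")
    return sorted(bad)


def is_valid_reference_url(url):
    """Strict acceptance check: no illegal characters, and a scheme plus host are present."""
    if illegal_characters(url):
        return False
    parts = urlsplit(url)
    return bool(parts.scheme and parts.netloc)


def sanitize_reference_url(url):
    """Workaround for wrongly escaped upstream references: percent-encode every illegal
    character, keep existing %XX escapes intact and turn a bare '%' into '%25'.
    The result is idempotent, so it can be applied to already-clean URLs safely."""
    out = []
    for i, c in enumerate(url):
        if c == "%" and not re.match(r"%[0-9A-Fa-f]{2}", url[i:i + 3]):
            out.append("%25")
        elif c in _LEGAL:
            out.append(c)
        else:
            out.append(quote(c, safe=""))  # '\\' becomes '%5C', ' ' becomes '%20', ...
    return "".join(out)
```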