diff --git a/advisor/src/main/kotlin/advisors/VulnerableCode.kt b/advisor/src/main/kotlin/advisors/VulnerableCode.kt
index 63d51205753ff..d8924b15f024d 100644
--- a/advisor/src/main/kotlin/advisors/VulnerableCode.kt
+++ b/advisor/src/main/kotlin/advisors/VulnerableCode.kt
@@ -41,6 +41,7 @@ import org.ossreviewtoolkit.model.utils.toPurl
 import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf
+import org.ossreviewtoolkit.utils.common.percentEncode
 import org.ossreviewtoolkit.utils.ort.OkHttpClientHelper
 
 /**
@@ -140,7 +141,7 @@ class VulnerableCode(name: String, config: VulnerableCodeConfiguration) : Advice
 issues: MutableList
 ): List = runCatching {
-val sourceUri = URI(url)
+val sourceUri = URI(url.fixupUrlEscaping())
 if (scores.isEmpty()) return listOf(VulnerabilityReference(sourceUri, null, null))
 return scores.map {
 // VulnerableCode returns MODERATE instead of MEDIUM in case of cvssv3.1_qr, see:
@@ -167,3 +168,10 @@ class VulnerableCode(name: String, config: VulnerableCodeConfiguration) : Advice
 return aliases.firstOrNull { it.startsWith("cve", ignoreCase = true) } ?: aliases.first()
 }
 }
+
+private val BACKSLASH_ESCAPE_REGEX = Regex("\\\\\\\\(.)")
+
+internal fun String.fixupUrlEscaping(): String =
+replace(BACKSLASH_ESCAPE_REGEX) {
+it.groupValues[1].percentEncode()
+}
diff --git a/advisor/src/test/kotlin/advisors/VulnerableCodeTest.kt b/advisor/src/test/kotlin/advisors/VulnerableCodeTest.kt
index 9d1f7a5771304..f0161dad5a95e 100644
--- a/advisor/src/test/kotlin/advisors/VulnerableCodeTest.kt
+++ b/advisor/src/test/kotlin/advisors/VulnerableCodeTest.kt
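Review bot: `BACKSLASH_ESCAPE_REGEX` and `fixupUrlEscaping()` in the third hunk carry no comment saying which malformed input they repair, so the next reader has to decode the regex (`\\\\(.)`: two literal backslashes followed by one character) and work out why the captured character is percent-encoded rather than simply unescaped. A KDoc such as `/** Replaces "\\X" sequences, as seen in some VulnerableCode reference URLs, with the percent-encoded X so that URI() accepts the string and the character stays part of the value (e.g. "&" becomes "%26" instead of acting as a query separator). */` would record that, and a one-line comment on the regex noting that it matches exactly two backslashes. Two limits worth stating in that KDoc: `.` does not match a line terminator, and a single-backslash form is left untouched; whether either occurs in real VulnerableCode output cannot be told from the diff. The second hunk only wires the call into `URI(...)` inside the existing `runCatching`, so a URL still malformed after the fixup falls through to that block's error handling, which lies outside the hunk.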
@@ -276,6 +276,17 @@ class VulnerableCodeTest : WordSpec({
 )
 }
 }
+
+"fixupUrlEscaping()" should {
+"fixup a wrongly escaped ampersand" {
+"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true" +
+"&query=cpe:2.3:a:oracle:retail_category_management_planning_" +
+"\\\\&_optimization:16.0.3:*:*:*:*:*:*:*".fixupUrlEscaping() shouldBe
+"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true" +
+"&query=cpe:2.3:a:oracle:retail_category_management_planning_" +
+"%26_optimization:16.0.3:*:*:*:*:*:*:*"
+}
+}
 })
 
 private const val ADVISOR_NAME = "VulnerableCodeTestAdvisor"
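Review bot: The new test pins only the `\\&` to `%26` case, so a regression that also rewrote characters outside the escape sequence, or touched already well-formed URLs, would still pass; a second expectation that a clean URL comes back unchanged, e.g. `"https://example.org/?a=b&c=d".fixupUrlEscaping() shouldBe "https://example.org/?a=b&c=d"` (constructed sample), would cover that. The two long concatenated strings are also hard to compare by eye; binding them to `val input = ...` and `val expected = ...` above a single `input.fixupUrlEscaping() shouldBe expected` would make the one difference between them (`\\\\&` versus `%26`) visible at a glance.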