From 16a6a2d2d8586e4eb54fae9c5b76dd785fb03a18 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Wed, 20 Dec 2017 06:26:03 -0500
Subject: [PATCH] added a max length to limit query parse issues

---
 .../dependencycheck/analyzer/CPEAnalyzer.java | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
index 34685d6bf..4769e5600 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -251,20 +251,20 @@ public class CPEAnalyzer extends AbstractAnalyzer {
 * @param evidence an iterable set of evidence to concatenate
 * @return the new evidence text
 */
+ @SuppressWarnings("null")
 private String addEvidenceWithoutDuplicateTerms(final String text, final Iterable evidence) {
 final String txt = (text == null) ? "" : text;
- final StringBuilder sb = new StringBuilder();
+ final StringBuilder sb = new StringBuilder(text.length() * 2);
 sb.append(' ').append(txt).append(' ');
 for (Evidence e : evidence) {
- final String value = e.getValue();
- //removed as the URLTokenizingFilter was created
- //hack to get around the fact that lucene does a really good job of recognizing domains and not splitting them.
-// if (value.startsWith("http://")) {
-// value = value.substring(7).replaceAll("\\.", " ");
-// }
-// if (value.startsWith("https://")) {
-// value = value.substring(8).replaceAll("\\.", " ");
-// }
+ String value = e.getValue();
+ if (value.length() > 1000) {
+ value = value.substring(0, 1000);
+ final int pos = value.lastIndexOf(" ");
+ if (pos > 0) {
+ value = value.substring(0, pos);
+ }
+ }
 if (sb.indexOf(" " + value + " ") < 0) {
 sb.append(value).append(' ');
 }
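Review bot: The new `new StringBuilder(text.length() * 2)` dereferences `text` one line after the method went to the trouble of making `txt` its null-safe copy, so a null `text` now throws a NullPointerException where the old constructor did not, and the added `@SuppressWarnings("null")` silences exactly the warning that pointed at this. Change it to `final StringBuilder sb = new StringBuilder(txt.length() * 2);` and drop the suppression annotation. The truncation that the commit exists for is sound as a bound on query size, but the magic `1000` appears twice and would be clearer as a named constant (e.g. `MAX_EVIDENCE_VALUE_LENGTH`) with a comment saying it caps evidence fed into the Lucene query; whether `e.getValue()` can return null and whether `substring(0, 1000)` may split a surrogate pair cannot be told from this hunk and should be confirmed against `Evidence`. The body of `addEvidenceWithoutDuplicateTerms` continues past the end of the hunk.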