#1775: validate and update CPE vendor and product for all tools #1796

Open
MarvMa wants to merge 1221 commits into devonfw:main from MarvMa:bugfix/#1775-validate-cve-reportings

Conversation

@MarvMa
Contributor

@MarvMa MarvMa commented Apr 2, 2026

This PR fixes #1775

Implemented changes:

  • updated CPEs for all products
  • removed cpe-vendor and cpe-product for tools where no CPE entry exists on NVD
  • created a shell script to verify CPE data using a POST request with search params (doesn't work for all the CPEs, some needed a manual check):
    collect-cpe-report.sh
  • added the possibility to add several CPE vendors and products
  • added documentation for contributors which explains how to use the overridable method initCpe

How to test the functionality

  1. Run BuildSecurityJsonFiles with the path to the ide-urls as an argument (running this command for the first time can take some time to download the CVE db)
  2. Check that the run is successful and all the security.json files are being created as expected

Checklist for this PR

Make sure everything is checked before merging this PR. For further info please also see
our DoD.

  • When running mvn clean test locally all tests pass and build is successful
  • PR title is of the form #«issue-id»: «brief summary» (e.g. #921: fixed setup.bat). If no issue ID exists, title only.
  • PR top-level comment summarizes what has been done and contains link to addressed issue(s)
  • PR and issue(s) have suitable labels
  • Issue is set to In Progress and assigned to you or there is no issue (might happen for very small PRs)
  • You followed all coding conventions
  • You have added the issue implemented by your PR in CHANGELOG.adoc unless issue is labeled
    with internal

jan-vcapgemini and others added 30 commits October 23, 2025 12:21
…ess. (devonfw#1542)

Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: jan-vcapgemini <59438728+jan-vcapgemini@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Removed duplicate entry for issue devonfw#1549 from changelog.
Co-authored-by: jan-vcapgemini <59438728+jan-vcapgemini@users.noreply.github.com>
Fixes devonfw#1581

- Extracted findIdeHome() as protected method in AbstractIdeContext returning Map.Entry<Path, String>
- Made isIdeHome() protected to allow access in test contexts
- Overridden findIdeHome() in AbstractIdeTestContext to enforce test boundaries
- Added findTestProjectRoot() to locate test resource boundaries via src/test/resources/ide-projects marker
- Set ide.test.root.boundary system property to prevent upward traversal beyond test scope
- Validated detected IDE home stays within test boundaries with clear error messages
- All 80 tests pass successfully with no failures or errors
Co-authored-by: jan-vcapgemini <59438728+jan-vcapgemini@users.noreply.github.com>
Co-authored-by: jan-vcapgemini <59438728+jan-vcapgemini@users.noreply.github.com>
Co-authored-by: jan-vcapgemini <59438728+jan-vcapgemini@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
…w#1557)

Co-authored-by: jan-vcapgemini <59438728+jan-vcapgemini@users.noreply.github.com>
Co-authored-by: jan-vcapgemini <59438728+jan-vcapgemini@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: jan-vcapgemini <jan-vincent.hoelzle@capgemini.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
)

Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
jakozian and others added 19 commits April 17, 2026 13:41
Co-authored-by: MarvMa <marvin.meitzner@gmail.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
…com:MarvMa/IDEasy into bugfix/devonfw#1775-validate-cve-reportings
…com:MarvMa/IDEasy into bugfix/devonfw#1775-validate-cve-reportings
…com:MarvMa/IDEasy into bugfix/devonfw#1775-validate-cve-reportings
@MarvMa MarvMa moved this from 🏗 In progress to Team Review in IDEasy board Apr 24, 2026
@MarvMa MarvMa marked this pull request as ready for review April 24, 2026 12:29
```java
protected void initCpe(CpeRegistry cpe) {
  cpe.addVendor("oracle")
      .addProduct("jdk")
      .addProduct("java_se");
}
```
Contributor

Hmm, previously we checked eclipse temurin as vendor+product... why do we now use oracle?

Contributor Author


Correct! I changed the CPEs for testing purposes, but you're totally right. I will roll back to the previous implementation.

@satorus
Contributor

satorus commented Apr 28, 2026

Looks good so far, the security.json files are being built and look correct as far as I can see. The only question left is why we switched the vendor to Oracle from Eclipse in the java updater (see comment). But this is only a minor point, I think the PR is ready.

@github-project-automation github-project-automation Bot moved this from Team Review to 👀 In review in IDEasy board Apr 28, 2026
@KarimALotfy KarimALotfy moved this from 👀 In review to 🆕 New in IDEasy board May 2, 2026
Labels

security (CVEs or other vulnerabilities), workflow (GitHub actions (CI,CD,update urls/CVEs))

Projects

Status: 🆕 New

Development

Successfully merging this pull request may close these issues.

Validate and Fix CPE Vendor/Product Identifiers for All Tools