CPEs are case-sensitive

[DaBalt]

Current Behavior

Currently when you're adding component with CPE like:

cpe:2.3:a:7-Zip:7-Zip:18.03:::::::*

The DependencyTrack analyzers will not find any issues. When switching from "Z" to "z" everything works correctly:

cpe:2.3:a:7-zip:7-zip:18.03:::::::*

Proposed Behavior

The CPE (and PURL I suppose) should be case-insensitive, all combination should find vulnerabilities.

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this enhancement was already requested

[nscuro]

Note, we aware of this gap:

dependency-track/src/main/java/org/dependencytrack/persistence/VulnerableSoftwareQueryManager.java

Lines 276 to 288 in a19dba0

	if (!"*".equals(cpePart) && !"-".equals(cpePart)) {
	// | No. | Source A-V | Target A-V | Relation |
	// | :-- | :-------------- | :--------- | :------------------- |
	// | 3 | ANY | i | SUPERSET |
	// | 7 | NA | i | DISJOINT |
	// | 9 | i | i | EQUAL |
	// | 10 | i | k | DISJOINT |
	// | 14 | m1 + wild cards | m2 | SUPERSET or DISJOINT |
	// TODO: Filter should use equalsIgnoreCase as CPE matching is case-insensitive.
	// Can't currently do this as it would require an index on UPPER("PART"),
	// which we cannot add through JDO annotations.
	cpeQueryFilterParts.add("(part == '*' || part == :part)");
	queryParams.put("part", cpePart);

It currently affects the part, vendor, and product portions of CPEs.

Since we can't currently apply indexes on expressions (i.e. lower(part) or upper(part)), an alternative could be to migrate all existing values in the database to lowercase, and only populate it with lowercased values going forward.