Incorrect cpe23Type validation? #796

Open
anthonyharrison opened this issue Feb 5, 2024 · 3 comments

@anthonyharrison

The validation of the cpe23Type does not support strings such as

`cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1+g8050fd9c:*:*:*:*:*:*:*` (the version string contains `+`)

`cpe:2.3:a:debian_gcc_maintainers:libstdc++6:12.2.0-9:*:*:*:*:*:*:*` (the product name contains `+`). The CPE definition states a product name cannot contain spaces, slashes, or most special characters. An underscore should be used in place of whitespace characters. Is `+` considered a special character?

Note that the SPDX file is reported as valid when using the SPDX online tool validator.

Do we have an inconsistency in validation between the Python and Java tools?

(Tested with latest version of the Python Tools)

@goneall
Member

goneall commented Feb 5, 2024

The online tools are still using the Java implementation - so the validation may be different.

From a quick check, I don't think the verify method in the Java implementation verifies the locator strings for external references - which would be an issue for the Java library.

Note that the SPDX 2.3 spec for external references cpe23 type does provide a REGEX we can use.

@meretp
Collaborator

meretp commented Mar 10, 2024

For the validation in tools-python the regex from the spec is used. So I think this is rather an issue in the Java implementation.
From skimming through the documentation linked in the spec, I think that the `+` should be quoted like `\+`, so for the example mentioned, `cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1\+g8050fd9c:*:*:*:*:*:*:*` would be valid according to the tools-python validation.

maxhbr added the bug label Jun 6, 2024

@billie-alsup

The validation regex is incorrect and has an extra requirement to match `\` just before the start of the character class (in two places):

```python
CPE23TYPE_REGEX = (
    r'^cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^'
    r"`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*"
    r'|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}$'
)
```

Should be perhaps

```python
CPE23TYPE_REGEX = (
    r'^cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|([\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^'
    r"`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*"
    r'|\*?)([a-zA-Z0-9\-\._]|([\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}$'
)
```

However, I note that the requirement to match `\` is present in the SPDX 2.2 specification. However, the example provided in the specification would not pass the given regex in the specification either. My own OpenEmbedded SPDX files also fail validation due to this issue, and this is fixed by removing that extra leading `\` before the character class.

`cpe:2.3:a:*:sbsigntool:0.9.2-gitAUTOINC+f12484869c_b1f28e1722:*:*:*:*:*:*:*`

The example in the specification, which is

`cpe:2.3:o:canonical:ubuntu_linux:10.04::lts:*:*:*:*:*`

still fails because the regex does not allow for an empty field. It passes if I put an asterisk in that field though.
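The following script is an added example, not code from tools-python or from anyone in this thread. It compiles the two regexes exactly as posted above (the original `CPE23TYPE_REGEX` and the variant that drops the leading `\`), runs both over every CPE string quoted in the issue, and adds a small constructed `diagnose()` helper that splits a formatted string on unescaped colons and names the field that breaks the rule (unescaped special character or empty field). The field names, the `UNRESERVED` set and the helper functions are assumptions made for this example; only the two regex strings come from the comments above.

```python
import re

# The two regexes exactly as posted in the issue. ORIGINAL requires a literal
# backslash before every character of the "special" class (CPE 2.3 escaping);
# PROPOSED drops that backslash so bare specials such as '+' are accepted.
ORIGINAL_CPE23TYPE_REGEX = (
    r'^cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^'
    r"`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*"
    r'|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}$'
)
PROPOSED_CPE23TYPE_REGEX = (
    r'^cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|([\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^'
    r"`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*"
    r'|\*?)([a-zA-Z0-9\-\._]|([\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}$'
)
ORIGINAL = re.compile(ORIGINAL_CPE23TYPE_REGEX)
PROPOSED = re.compile(PROPOSED_CPE23TYPE_REGEX)

# Assumed labels for the 13 colon-separated fields of a CPE 2.3 formatted string.
FIELD_NAMES = ["cpe", "cpe_version", "part", "vendor", "product", "version", "update",
               "edition", "language", "sw_edition", "target_sw", "target_hw", "other"]
# Characters that may appear unescaped inside a component; everything else (apart
# from the '*' and '?' wildcards) must be preceded by a backslash.
UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def check(cpe):
    """Return (accepted by ORIGINAL, accepted by PROPOSED)."""
    return (ORIGINAL.match(cpe) is not None, PROPOSED.match(cpe) is not None)


def split_fields(cpe):
    """Split on unescaped colons; a backslash escapes the character after it."""
    fields, current, escaped = [], [], False
    for ch in cpe:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields


def diagnose(cpe):
    """List the field-level reasons the spec regex rejects a string (empty list if none)."""
    fields = split_fields(cpe)
    problems = []
    if len(fields) != 13:
        problems.append(f"expected 13 fields, got {len(fields)}")
    for name, value in zip(FIELD_NAMES, fields):
        if value == "":
            problems.append(f"{name}: empty field (use '*' or '-')")
            continue
        if name in ("cpe", "cpe_version", "part"):
            continue
        escaped = False
        for ch in value:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch not in UNRESERVED and ch not in "*?":
                problems.append(f"{name}: unescaped {ch!r}")
                break
    return problems


# Strings quoted in the issue, plus the '*'-filled Ubuntu variant from the last comment.
SAMPLES = {
    "spdx-tools, bare plus": r"cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1+g8050fd9c:*:*:*:*:*:*:*",
    "spdx-tools, escaped plus": r"cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1\+g8050fd9c:*:*:*:*:*:*:*",
    "libstdc++6": r"cpe:2.3:a:debian_gcc_maintainers:libstdc++6:12.2.0-9:*:*:*:*:*:*:*",
    "sbsigntool": r"cpe:2.3:a:*:sbsigntool:0.9.2-gitAUTOINC+f12484869c_b1f28e1722:*:*:*:*:*:*:*",
    "ubuntu, empty update": r"cpe:2.3:o:canonical:ubuntu_linux:10.04::lts:*:*:*:*:*",
    "ubuntu, update=*": r"cpe:2.3:o:canonical:ubuntu_linux:10.04:*:lts:*:*:*:*:*",
}

if __name__ == "__main__":
    for label, cpe in SAMPLES.items():
        orig, prop = check(cpe)
        reasons = "; ".join(diagnose(cpe)) or "no field-level problem"
        print(f"{label:26} original={orig!s:5} proposed={prop!s:5} {reasons}")
```

Running it shows the three shapes of the disagreement in this thread: the bare `+` strings are rejected by the original regex and accepted by the proposed one, the `\+` form is accepted by both, and the Ubuntu example with the empty `update` field is rejected by both, which matches the observation that only an asterisk in that field makes it pass. The `diagnose()` output also illustrates why the proposed regex is a loose fix: with the leading backslash gone, `:` and `*` themselves become legal component characters, so the regex no longer distinguishes an escaped colon from a field separator.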


5 participants