fix: cpe validation and standardize tests data

[mastersans]

fixes: #4013

• the cpe22 specification regex is too much flexble so in order to test bad cpe22 test data is tweaked.
• validation is refactored to happen in one function

References:
cpe2.3 and cpe2.3 schema

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 94.44444% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 80.45%. Comparing base (d6cbe40) to head (c9146dc).
Report is 146 commits behind head on main.

Files	Patch %	Lines
cve_bin_tool/sbom_manager/__init__.py	94.44%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4014      +/-   ##
==========================================
+ Coverage   75.41%   80.45%   +5.04%     
==========================================
  Files         808      820      +12     
  Lines       11983    12572     +589     
  Branches     1598     1950     +352     
==========================================
+ Hits         9037    10115    +1078     
+ Misses       2593     2038     -555     
- Partials      353      419      +66     

Flag	Coverage Δ
longtests	75.52% <94.44%> (+0.10%)	⬆️
win-longtests	78.66% <94.44%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[terriko]

I love a ridiculous regex, but I think this is going to be hard to maintain and it's almost certainly going to be vulnerable to regex denial of service.

Options:

1. does anyone have a library for validating CPE strings we could leverage?
2. In lieu of this, can we split on : and evaluate each piece separately with an explanation of what we're looking for in the comments?
3. In lieu of this, can we split on : and only evaluate the parts we're going to use later? (e.g. vendor, product, version = cpe[2], cpe[3], cpe[4])
4. In lieu of this, maybe we should validate and sanitize only vendor, product, version after the existing split?

I'm leaning towards the last one as potentially the right solution since that would allow us to have some util functions for sanitize_vendor(), sanitize_product(), sanitize_version() that we could re-use elsewhere in purl and triage work.

[terriko]

Hm, re-thinking my strategy here because I''m hoping to do a 3.3rc3 pre-release this afternoon.

I'm going to merge this as is, since it moves us forwards and gives us some validation (which is better than no validation!) as part of the pre-release, and I'll file my comments as a new issue.