Incorrect cpe23Type validation? #796
The validation of the cpe23Type does not support strings such as

cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1+g8050fd9c:*:*:*:*:*:*:*

The version string contains +.

cpe:2.3:a:debian_gcc_maintainers:libstdc++6:12.2.0-9:*:*:*:*:*:*:*

The product name contains +. The cpe definition states a product name can not contain spaces, slashes, or most special characters. An underscore should be used in place of whitespace characters. Is '+' considered a special character?

Note that the SPDX file is reported as valid when using the SPDX online tool validator. Do we have an inconsistency in validation between the Python and Java tools?

(Tested with latest version of the Python Tools)

Comments

The online tools are still using the Java implementation - so the validation may be different. From a quick check, I don't think the verify method in the Java implementation verifies the locator strings for external references - which would be an issue for the Java library. Note that the SPDX 2.3 spec for external references cpe23 type does provide a REGEX we can use.

For the validation in the tools-python the regex from the spec is used. So I think this is rather an issue in the Java implementation.

The validation regex is incorrect and has an extra requirement to match \ just before the start of the character class (in two places):

Should be perhaps

However, I note that the requirement to match \ is present in the SPDX 2.2 specification. However, the example provided in the specification would not pass the given regex in the specification either. My own OpenEmbedded SPDX files also fail validation due to this issue, and this is fixed by removing that extra leading \ before the character class.

The example in the specification, which is

still fails because the regex does not allow for an empty field. It passes if I put an asterisk in that field though.
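The example below is added here to show what the two locators from this issue run into; it is not code from tools-python, the Java tools, or the SPDX specification. It restates the CPE 2.3 formatted-string grammar from NISTIR 7695 (the grammar the SPDX 2.3 cpe23Type regex encodes) as a Python regex written by hand, so treat the exact pattern as my reading of the spec rather than the project's regex. Under that binding only letters, digits, `-`, `.` and `_` may appear unquoted in an attribute value; every other punctuation character, `+` included, has to be quoted with a backslash (`libstdc++6` is written `libstdc\+\+6`), which is what the `\\` before the punctuation character class in the spec regex expresses. The `escape_component` and `build_cpe23` helpers are my own additions for producing locators that pass, not an API of either tool set; the sample locators are the two from the issue plus constructed ones.

```python
import re

# Character classes of the CPE 2.3 formatted-string binding (NISTIR 7695 s.6.2.2),
# as I restate them; not the SPDX or tools-python regex text itself.
# Unquoted: letters, digits, '-', '.', '_'.  Everything else (including '+')
# must be quoted with a backslash. '*' and '?' are only valid unquoted as wildcards.
_UNQUOTED = r"[a-zA-Z0-9\-\._]"
_QUOTED = r"\\[\\\*\?!\"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]"

# One attribute value: ANY ('*'), NA ('-'), or a non-empty run of characters
# optionally wrapped in '?'/'*' wildcards. An empty field matches nothing.
_COMPONENT = rf"(?:(?:\?*|\*?)(?:{_UNQUOTED}|{_QUOTED})+(?:\?*|\*?)|[\*\-])"

# The language attribute is a short RFC 5646-style tag, or ANY/NA.
_LANGUAGE = r"(?:[a-zA-Z]{2,3}(?:-(?:[a-zA-Z]{2}|[0-9]{3}))?|[\*\-])"

# part; vendor/product/version/update/edition; language;
# sw_edition/target_sw/target_hw/other -> 13 colon-separated fields in total.
CPE23_PATTERN = re.compile(
    rf"^cpe:2\.3:[aho\*\-]"
    rf"(?::{_COMPONENT}){{5}}"
    rf"(?::{_LANGUAGE})"
    rf"(?::{_COMPONENT}){{4}}$"
)


def is_valid_cpe23(locator: str) -> bool:
    """True if the locator is a well-formed CPE 2.3 formatted string."""
    return CPE23_PATTERN.match(locator) is not None


# Characters that may be written unquoted inside an attribute value.
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._")


def escape_component(value: str) -> str:
    """Quote a raw attribute value (e.g. a product name) for the formatted string.

    Hypothetical helper (not part of either tool set). Whitespace becomes '_'
    by convention; any other character outside the unquoted set, such as '+',
    gets a backslash prefix. A value that is exactly '*' or '-' (ANY / NA)
    is passed through unchanged.
    """
    if value in ("*", "-"):
        return value
    out = []
    for ch in value:
        if ch in _SAFE:
            out.append(ch)
        elif ch.isspace():
            out.append("_")
        else:
            out.append("\\" + ch)
    return "".join(out)


def build_cpe23(part: str, vendor: str, product: str, version: str,
                update: str = "*", edition: str = "*", language: str = "*",
                sw_edition: str = "*", target_sw: str = "*",
                target_hw: str = "*", other: str = "*") -> str:
    """Assemble a formatted string from raw attribute values, quoting each one."""
    fields = [part, vendor, product, version, update, edition, language,
              sw_edition, target_sw, target_hw, other]
    return "cpe:2.3:" + ":".join(escape_component(f) for f in fields)


if __name__ == "__main__":
    # The two locators from the issue, a constructed well-formed one, a
    # constructed one with an empty field, and the Debian one rebuilt with quoting.
    samples = [
        "cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1+g8050fd9c:*:*:*:*:*:*:*",
        "cpe:2.3:a:debian_gcc_maintainers:libstdc++6:12.2.0-9:*:*:*:*:*:*:*",
        "cpe:2.3:a:example_vendor:example_product:1.0.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:example_vendor::1.0.0:*:*:*:*:*:*:*",
        build_cpe23("a", "debian_gcc_maintainers", "libstdc++6", "12.2.0-9"),
    ]
    for s in samples:
        print(f"{'valid  ' if is_valid_cpe23(s) else 'invalid'}  {s}")
```

Run as-is, the first two locators (the ones from the issue) and the empty-field one are rejected, while the quoted form `libstdc\+\+6` produced by `build_cpe23` is accepted; a generator that emits CPE locators therefore needs to quote product names and version strings before writing them, rather than relaxing the validator.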