diff --git a/src/spdx_tools/spdx/validation/external_package_ref_validator.py b/src/spdx_tools/spdx/validation/external_package_ref_validator.py
index 7dd316354..7a20d379d 100644
--- a/src/spdx_tools/spdx/validation/external_package_ref_validator.py
+++ b/src/spdx_tools/spdx/validation/external_package_ref_validator.py
@@ -13,9 +13,9 @@
 CPE22TYPE_REGEX = r"^c[pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\-~%]*){0,6}$"
 CPE23TYPE_REGEX = (
- r'^cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^'
+ r'^cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|([\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^'
 r"`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*"
- r'|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}$'
+ r'|\*?)([a-zA-Z0-9\-\._]|([\\\*\?!"#$$%&\'\(\)\+,\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}$'
 )
 MAVEN_CENTRAL_REGEX = r"^[^:]+:[^:]+(:[^:]+)?$"
 NPM_REGEX = r"^[^@]+@[^@]+$"
diff --git a/tests/spdx/validation/test_external_package_ref_validator.py b/tests/spdx/validation/test_external_package_ref_validator.py
index eafa31941..c5955955f 100644
--- a/tests/spdx/validation/test_external_package_ref_validator.py
+++ b/tests/spdx/validation/test_external_package_ref_validator.py
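Review bot: The rewritten character class on both changed lines of `CPE23TYPE_REGEX` drops the backslash requirement for every special character, not only `+`, so an unquoted `:`, `*`, `?` or `\` inside a component now matches as well. Because `:` is also the field separator, a value with more colon-separated fields than the pattern's `{5}` and `{4}` counts intend appears to pass. The overlap between the body class and the `(\?*|\*?)` and `:` delimiters may also cause heavy backtracking on long non-matching input, which matters if SPDX documents from third parties are validated. If the goal is only to accept a bare `+` (#796), a narrower change is to leave the quoted alternative that begins `(\\[\\\*\?!` as it was and extend the unquoted class to `[a-zA-Z0-9\-\._+]` in both places.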
@@ -27,6 +27,18 @@
 [
 (ExternalPackageRefCategory.SECURITY, "cpe22Type", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts"),
 (ExternalPackageRefCategory.SECURITY, "cpe23Type", "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*"),
+ # a "+" in the version (#796) must be accepted without being backslash-escaped
+ (
+ ExternalPackageRefCategory.SECURITY,
+ "cpe23Type",
+ "cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1+g8050fd9c:*:*:*:*:*:*:*",
+ ),
+ # a "+" in the product name (#796)
+ (
+ ExternalPackageRefCategory.SECURITY,
+ "cpe23Type",
+ "cpe:2.3:a:debian_gcc_maintainers:libstdc++6:12.2.0-9:*:*:*:*:*:*:*",
+ ),
 (ExternalPackageRefCategory.SECURITY, "advisory", "https://nvd.nist.gov/vuln/detail/CVE-2020-28498"),
 (ExternalPackageRefCategory.SECURITY, "fix", "https://github.com/indutny/elliptic/commit/441b7428"),
 (
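Review bot: Only accepting cases are added to this list, so nothing pins what the relaxed cpe23Type pattern must still reject. A rejecting case would guard the field structure, for example a constructed value with one field too many such as `"cpe:2.3:a:vendor:product:extra:1.0:*:*:*:*:*:*:*"`, or one with an unquoted `*` in the middle of a component. These belong in whichever invalid-reference parametrization this test file has, which is not visible here. The parametrize list starts and ends outside the hunk.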