
Improvement: Apply Regex check to `Component.cpe`

Open madpah opened this issue 1 year ago • 4 comments

The CycloneDX specification defines a Regex for Component.cpe, but this library does not enforce this.

see https://github.com/CycloneDX/specification/blob/c320fc0f0b46873864927d9d5684eea7ba439728/schema/bom-1.5.xsd#L1110-L1112

madpah avatar Apr 08 '24 07:04 madpah

@madpah and @jkowalleck I opened up #706 to add this validation feature.

saquibsaifee avatar Oct 13 '24 15:10 saquibsaifee

CPE is a complex, external spec - outside the domain of CycloneDX. This fact leads me to the architectural decision: we do not want to maintain an implementation of this external spec in the domain of CycloneDX python library.

we might consider a usage of an external library, like https://pypi.org/project/cpe/.

PS: we have a schema-based validator in place already, so there already is a mechanism that can check for valid CPE. This means: there is no REAL reason to implement this in the first place -- it is a nice to have.

jkowalleck avatar Oct 14 '24 14:10 jkowalleck

An enforcement of valid CPE would be considered a breaking change. It is undecided whether this is a requirement or not... the provided solution will show.

jkowalleck avatar Oct 14 '24 14:10 jkowalleck

revisited the situation, and found out:

  • in CycloneDX JSON there is no regex on CPE.
  • in CycloneDX XML there is a regex on CPE.
  • need to clarify with the @CycloneDX/core-team what this is about.
  • I think we should not use any 3rd-party library for validation, for the reason that the regex is defined in CycloneDX schema file and therefore is under the control of CycloneDX and not any 3rd-party

jkowalleck avatar Feb 12 '25 13:02 jkowalleck
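As an added illustration (not code from cyclonedx-python-lib or its maintainers) of the two options debated above, a non-breaking warn-only gate versus a strict, rejecting gate for a `Component.cpe` value. The regex here is a constructed, simplified approximation of the CPE 2.2 URI and CPE 2.3 formatted-string shapes, not the pattern from the linked bom-1.5.xsd, and `check_component_cpe` is a hypothetical helper, not a library API.

```python
import re
import warnings
from typing import Optional

# Constructed, simplified shapes (NOT the CycloneDX XSD pattern):
#   CPE 2.2 URI:  cpe:/<part>(:<field>){0,6}
#   CPE 2.3 FS:   cpe:2.3:<part>(:<field>){10}, fields may be '*' / '-' or
#                 a value whose non-alphanumerics are backslash-escaped.
_CPE22_URI = r"[cC][pP][eE]:/[AHOaho]?(?::[A-Za-z0-9._~%-]*){0,6}"
_CPE23_FIELD = r"(?:[*-]|\*?(?:[A-Za-z0-9._-]|\\[^A-Za-z0-9])+\*?)"
_CPE23_FS = rf"cpe:2\.3:[aho*-](?::{_CPE23_FIELD}){{10}}"
_CPE_RE = re.compile(rf"(?:{_CPE22_URI})|(?:{_CPE23_FS})")


def is_valid_cpe(value: str) -> bool:
    """Structural check only: does the string have the shape of a CPE 2.2 URI
    or a CPE 2.3 formatted string? It says nothing about whether the CPE exists."""
    return _CPE_RE.fullmatch(value) is not None


def check_component_cpe(cpe: Optional[str], *, strict: bool) -> Optional[str]:
    """Hypothetical gate for a Component.cpe setter.

    strict=False keeps today's behaviour (any string accepted) and only warns,
    so existing callers do not break; strict=True rejects malformed values,
    which is the breaking change the maintainers point out.
    """
    if cpe is None or is_valid_cpe(cpe):
        return cpe
    message = f"not a well-formed CPE: {cpe!r}"
    if strict:
        raise ValueError(message)
    warnings.warn(message, stacklevel=2)
    return cpe


if __name__ == "__main__":
    # Constructed sample values: two well-formed CPEs, one truncated 2.3 string.
    for sample in ("cpe:/a:openssl:openssl:1.1.1",
                   "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*",
                   "cpe:2.3:a:openssl:openssl:1.1.1"):
        print(sample, "->", is_valid_cpe(sample))
```

In lenient mode a schema-based validator run on the produced XML would still catch the bad value at serialisation time, which is the existing mechanism the thread refers to.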