anthonyharrison / distro2SBOM

Generates SBOM files from system packaging information
Apache License 2.0
10 stars 7 forks

Invalid CPE generated on Debian packages with colon ("epoch") in version number #11

Closed bombadil closed 6 months ago

bombadil commented 6 months ago

I tried to use the tool on Ubuntu and used the zlib1g package as a guinea pig.

distro2sbom --distro deb -p zlib1g --sbom cyclonedx --format json -o zlib1g.sbom.json

The resulting JSON file cannot be parsed with Dependency Track.

024-01-03 11:07:16,676 WARN [InternalAnalysisTask] An error occurred while parsing: cpe:2.3:a:canonical:zlib1g:1:1.2.11.dfsg-2ubuntu9.2:*:*:*:*:*:*:* - The CPE is invalid and will be discarded. Invalid CPE (too many components): cpe:2.3:a:canonical:zlib1g:1:1.2.11.dfsg-2ubuntu9.2:*:*:*:*:*:*:*

This warning disappears when removing the 1: prefix from the version used in the generated CPE entry.

bombadil commented 6 months ago

A proper fix should probably escape the colon from the version in the CPE entry (if that is even possible).

anthonyharrison commented 6 months ago

@bombadil Thanks for the comment. The version string is valid as CycloneDX does not constrain the characters to be included in the version specified for a component. However, I can see the issue with a CPE string if the version string contains a ':' and agree that the ':' should be escaped.

According to the CycloneDX Validator, the generated SBOM is valid.
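For reference, the escaping the thread agrees on, together with the component-count check that Dependency-Track applies, as an added example (not distro2SBOM's own code): per NISTIR 7695 section 6.2.2, a CPE 2.3 formatted string leaves letters, digits, `_`, `-` and `.` bare, treats `*` and `?` as wildcards, and backslash-escapes every other printable character, so a Debian epoch colon becomes `\:`. The `canonical`/`zlib1g` values and the epoch version are taken from the issue; the `+dfsg`/`~rc1` version string is constructed to show the other characters common in Debian versions that need the same treatment.

```python
import re

# NISTIR 7695 section 6.2.2: in a CPE 2.3 formatted string, letters, digits,
# '_', '-' and '.' appear unescaped; '*' and '?' are wildcards; every other
# printable, non-space character is written with a leading backslash.
_PLAIN = re.compile(r"[A-Za-z0-9_.\-]")


def escape_component(value: str) -> str:
    """Bind one attribute value into formatted-string form."""
    if value in ("*", "-"):          # logical ANY / NA are written bare
        return value
    out = []
    for ch in value:
        if _PLAIN.match(ch):
            out.append(ch)
        elif ch.isprintable() and not ch.isspace():
            out.append("\\" + ch)    # ':' becomes '\:', '+' becomes '\+', ...
        else:
            raise ValueError(f"character {ch!r} is not allowed in a CPE component")
    return "".join(out)


def build_cpe23(part, vendor, product, version, update="*", edition="*",
                language="*", sw_edition="*", target_sw="*", target_hw="*",
                other="*"):
    """Assemble a 13-component CPE 2.3 formatted string with proper escaping."""
    fields = [part, vendor, product, version, update, edition, language,
              sw_edition, target_sw, target_hw, other]
    return "cpe:2.3:" + ":".join(escape_component(f) for f in fields)


def split_cpe23(cpe: str) -> list:
    """Split on unescaped colons only; a backslash always consumes the next char."""
    comps, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    comps.append("".join(cur))
    return comps


def parse_cpe23(cpe: str) -> dict:
    """Check the component count (the check that rejected the unescaped CPE) and unescape."""
    comps = split_cpe23(cpe)
    if comps[:2] != ["cpe", "2.3"] or len(comps) != 13:
        raise ValueError(f"Invalid CPE (expected 13 components, got {len(comps)}): {cpe}")
    names = ["part", "vendor", "product", "version", "update", "edition", "language",
             "sw_edition", "target_sw", "target_hw", "other"]
    return {n: re.sub(r"\\(.)", r"\1", c) for n, c in zip(names, comps[2:])}


def is_valid_cpe23(cpe: str) -> bool:
    try:
        parse_cpe23(cpe)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The package from the issue: Debian epoch '1:' inside the version.
    escaped = build_cpe23("a", "canonical", "zlib1g", "1:1.2.11.dfsg-2ubuntu9.2")
    # The string the tool produced, copied from the Dependency-Track warning.
    unescaped = "cpe:2.3:a:canonical:zlib1g:1:1.2.11.dfsg-2ubuntu9.2:*:*:*:*:*:*:*"
    print(escaped, is_valid_cpe23(escaped))        # 13 components -> valid
    print(unescaped, is_valid_cpe23(unescaped))    # 14 components -> rejected
```

The unescaped string splits into 14 components because the epoch colon is indistinguishable from a field separator; with `\:` the same version round-trips through `parse_cpe23` intact, and `+`, `~` and similar characters in other Debian versions are handled the same way.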