anthonyharrison / lib4sbom

Library to ingest and generate SBOMs
Apache License 2.0

Broken CPE ID when supplier contains - #14

Closed ffontaine closed 10 months ago

ffontaine commented 10 months ago

The following line will result in a broken CPE ID when a supplier contains a `-`, such as d-bus_project or json-c_project: https://github.com/anthonyharrison/lib4sbom/blob/498355a41d85fc42696e25948f94597a643113ec/lib4sbom/cyclonedx/cyclonedx_generator.py#L212

For example, the above line will split d-bus_project into d, bus and project and concatenate it into d bus project. Then, the piece of code below will replace ` ` with `_`, resulting in the wrong `d_bus_project` vendor instead of the correct `d-bus_project`: https://github.com/anthonyharrison/lib4sbom/blob/498355a41d85fc42696e25948f94597a643113ec/lib4sbom/cyclonedx/cyclonedx_generator.py#L352

I don't understand what the goal of this piece of code is, so I don't know how to "fix" it properly.

anthonyharrison commented 10 months ago

Thanks @ffontaine.

Line 212 assumes that product authors are alphabetic and not project names, which is why it only allows names such as Fred Smith or F. Smith and not Project123 or Awesome-project-team. Extending the regex to include '-' should hopefully resolve your problem.

Line 352 is removing spaces in supplier names, as a space is not allowed in a supplier name for a CPE. However, there is no consistency in CPE supplier names, as I have seen both AB and A-B used as the concatenation form, so maybe there should be an improvement in which the concatenation character '_' or '-' is chosen depending on whether the character is already present in the name, to avoid names such as A-B_C.
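As an added illustration (this is not lib4sbom's code), the two steps ffontaine describes are re-created in Python next to a version that keeps `-` and picks the join character the way the previous comment suggests. The word regex, the lower-casing and the product/version values used in the CPE string are assumptions.

```python
import re

# Constructed re-creation of the behaviour reported in this issue. It is NOT
# lib4sbom's code: WORD_RE is an assumed regex that reproduces the symptom
# described (alphabetic words only), and cpe23() just assembles a plain
# CPE 2.3 formatted string.

WORD_RE = re.compile(r"[A-Za-z]+")   # assumed: letters only, so '-' and '_' split words


def buggy_vendor(supplier: str) -> str:
    """Step 1 (the 'line 212' behaviour): keep only alphabetic words and
    re-join them with spaces, so 'd-bus_project' becomes 'd bus project'.
    Step 2 (the 'line 352' behaviour): spaces are not allowed in a CPE vendor,
    so replace them with '_', which yields the wrong 'd_bus_project'."""
    spaced = " ".join(WORD_RE.findall(supplier))
    return spaced.lower().replace(" ", "_")


def fixed_vendor(supplier: str) -> str:
    """Leave '-' and '_' untouched; only whitespace needs normalising.
    Following the maintainer's suggestion, join with '-' when the name already
    uses '-' and with '_' otherwise, so 'A-B C' becomes 'a-b-c', not 'a-b_c'."""
    name = supplier.strip().lower()        # CPE names are conventionally lower-case
    joiner = "-" if "-" in name else "_"
    return re.sub(r"\s+", joiner, name)


def cpe23(vendor: str, product: str, version: str) -> str:
    """Assemble a CPE 2.3 formatted string for an application (part 'a')."""
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


if __name__ == "__main__":
    for supplier in ("d-bus_project", "json-c_project", "Fred Smith", "Awesome-project team"):
        print(f"{supplier!r}: buggy={buggy_vendor(supplier)!r} fixed={fixed_vendor(supplier)!r}")
    # constructed product/version values, only to show the assembled identifier
    print(cpe23(fixed_vendor("d-bus_project"), "dbus", "1.14.0"))
```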

ffontaine commented 10 months ago

Thanks @anthonyharrison, adding - will indeed allow d-bus_project. But perhaps a better solution would be to just delete line 212? It would probably be more future-proof.