oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

CPE pattern #693

Open tschmidtb51 opened 4 months ago

tschmidtb51 commented 4 months ago

The current CPE regex seems to have some issues:

  1. The CPE versions are not restricted correctly. Instead of ^(CPE2.3|CPE2.2)$, the pattern uses ^(CPE2.3)|(CPE2.2)$. This allows values like NOTAVALIDCPEcpe:/o:example:a:42::anyother resp. (appended ones in CPE2.3).
  2. Some implementations (e.g. deno) don't like the / as un-escaped character in JSON patterns.

Regarding 1:

Regarding 2:
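The anchoring problem from point 1 can be reproduced outside the schema. The following is an added example, not code from the issue or from the CSAF project: `CPE22` and `CPE23` are deliberately simplified, constructed stand-ins for the real (much longer) sub-patterns, and the sample values other than the one quoted in the issue are constructed as well. It builds both shapes of the alternation and runs them with `re.search`, because JSON Schema `pattern` is an unanchored search, which is exactly why `^(A)|(B)$` accepts a prefixed CPE 2.2 string or a CPE 2.3 string with trailing components. Python's `re` does not require `/` to be escaped, so point 2 is not exercised here.

```python
import re

# Simplified stand-ins for the two CPE bindings (constructed for this example;
# the real CSAF schema sub-patterns are longer and stricter).
# CPE 2.2 URI binding: "cpe:/" + part + up to six ":"-separated components.
CPE22 = r"cpe:/[aho](?::[A-Za-z0-9._~%-]*){0,6}"
# CPE 2.3 formatted string: "cpe:2.3:" + part + exactly ten more components.
CPE23 = r"cpe:2\.3:[aho*-](?::[^:]+){10}"

# The shape reported in the issue: ^ binds only to the first alternative and
# $ only to the second, so it means "(starts with CPE2.3) OR (ends with CPE2.2)".
BUGGY_PATTERN = rf"^({CPE23})|({CPE22})$"
# The intended shape: both anchors apply to the whole alternation.
FIXED_PATTERN = rf"^({CPE23}|{CPE22})$"

# Constructed sample values; "prefixed22" is the string quoted in the issue.
SAMPLES = {
    "valid22": "cpe:/o:example:a:42",
    "valid23": "cpe:2.3:o:example:a:42:*:*:*:*:*:*:*",
    "prefixed22": "NOTAVALIDCPEcpe:/o:example:a:42::anyother",
    "appended23": "cpe:2.3:o:example:a:42:*:*:*:*:*:*:*:anyother",
}


def matches(pattern: str, value: str) -> bool:
    """Mirror JSON Schema 'pattern' semantics: an unanchored search, not a full match."""
    return re.search(pattern, value) is not None


def evaluate(pattern: str) -> dict:
    """Return, for every sample value, whether the given pattern accepts it."""
    return {name: matches(pattern, value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("buggy", BUGGY_PATTERN), ("fixed", FIXED_PATTERN)):
        print(label, evaluate(pattern))
```

With the buggy pattern both invalid samples are accepted; with the anchors moved inside the group they are rejected while the two well-formed values still pass.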

tschmidtb51 commented 4 months ago

Regarding both parts, the TC needs to decide whether that is something for an errata. I think that heavily depends on the result of 2 as it might be an implementation specific problem.