OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
The current CPE regex seems to have some issues:

1. The CPE versions are not restricted correctly. Instead of `^(CPE2.3|CPE2.2)$`, the pattern uses `^(CPE2.3)|(CPE2.2)$`. This allows values like `NOTAVALIDCPEcpe:/o:example:a:42::anyother` resp. (appended ones in CPE2.3).
2. `/` as un-escaped character in JSON patterns.

Regarding 1:
That is definitely something that we need to address in CSAF 2.1.

Regarding 2:
Our test scripts (using `python` and `nodejs`) haven't complained so far. So we need to find out whether an un-escaped `/` is valid in JSON patterns or just accepted. (This means reading the standard.)
We need to consider improving the situation in CSAF 2.1 by adding the `\\` to escape `/`.

Regarding both parts, the TC needs to decide whether that is something for an errata. I think that heavily depends on the result of 2 as it might be an implementation-specific problem.
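As an added illustration (not code from the CSAF repository or its schema), the alternation-precedence problem from point 1 checked in Node.js against constructed sample values. The `CPE23` and `CPE22` sub-patterns are simplified stand-ins, not the schema's real regex; the `/` in the 2.2 stand-in is deliberately left unescaped to show how a pattern string reaches the RegExp constructor.

```javascript
// Constructed, simplified stand-ins for the two CPE bindings (NOT the CSAF 2.0 schema regex).
// CPE 2.3 formatted string: "cpe:2.3:" + part + exactly 10 further colon-separated fields.
const CPE23 = "cpe:2\\.3:[aho*-](:[^:]+){10}";
// CPE 2.2 URI: "cpe:/" + part + 1..6 further fields. Note the unescaped "/".
const CPE22 = "cpe:/[aho](:[^:]*){1,6}";

// The shape the issue reports: "|" binds looser than the anchors, so "^" applies only to
// the 2.3 alternative and "$" only to the 2.2 alternative.
const BROKEN = `^(${CPE23})|(${CPE22})$`;
// The corrected shape: both alternatives inside one group, anchored at both ends.
const FIXED = `^(${CPE23}|${CPE22})$`;

// A JSON Schema "pattern" is a plain string; validators hand it to the RegExp constructor,
// where "/" has no special meaning (only the /.../ literal syntax needs "\/").
function matches(pattern, value) {
  return new RegExp(pattern).test(value);
}

// Returns whether each pattern shape accepts the value.
function classify(value) {
  return { broken: matches(BROKEN, value), fixed: matches(FIXED, value) };
}

// Constructed sample values.
const SAMPLES = {
  valid22: "cpe:/o:example:a:42",
  valid23: "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*",
  // Junk prepended to a 2.2 value (the issue's example): only "$" is enforced.
  prepended: "NOTAVALIDCPEcpe:/o:example:a:42::anyother",
  // An extra field appended to a 2.3 value: only "^" is enforced.
  appended: "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*:extra",
};

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(10), classify(value));
}
```

The two valid samples pass both shapes, while `prepended` and `appended` are accepted by `BROKEN` and rejected by `FIXED`.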