Improvement: Apply Regex check to Component.cpe #580

Open
madpah opened this issue Apr 8, 2024 · 3 comments · May be fixed by #711
Labels
enhancement New feature or request good first issue Good for newcomers hacktoberfest help wanted Extra attention is needed

Comments

@madpah
Copy link
Collaborator

madpah commented Apr 8, 2024

The CycloneDX specification defines a Regex for Component.cpe, but this library does not enforce this.

see https://github.com/CycloneDX/specification/blob/c320fc0f0b46873864927d9d5684eea7ba439728/schema/bom-1.5.xsd#L1110-L1112

@saquibsaifee
Copy link
Contributor

@madpah and @jkowalleck I opened up #706 to add this validation feature.

@jkowalleck
Copy link
Member

jkowalleck commented Oct 14, 2024

CPE is a complex, external spec - outside the domain of CycloneDX.
This fact leads me to the architectural decision: we do not want to maintain an implementation of this external spec in the domain of CycloneDX python library.

we might consider using an external library, like https://pypi.org/project/cpe/.

PS: we have a schema-based validator in place already, so there already is a mechanism that can check for valid CPE.
This means: there is no REAL reason to implement this in the first place -- it is a nice-to-have.

@jkowalleck
Copy link
Member

jkowalleck commented Oct 14, 2024

An enforcement of valid CPE would be considered a breaking change.
It is undecided whether this is a requirement or not... the provided solution will show.
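
The following is an added example, not code from cyclonedx-python-lib or from any of the commenters, illustrating both points raised in this thread: the syntax check madpah asks for on Component.cpe, and an opt-in strict mode so that the default stays non-breaking, as jkowalleck's breaking-change comment argues. The two patterns are constructed simplifications of the CPE 2.2 URI binding and the CPE 2.3 formatted-string binding; they are not the regex from the CycloneDX XSD linked above, and the names validate_cpe, check_cpe and CpeValidationError are hypothetical.

```python
import re
import warnings
from typing import Optional

# Constructed, simplified patterns (assumption: NOT the regex from the CycloneDX XSD).
# CPE 2.2 URI binding: "cpe:/" + part (a|h|o) + up to six optional ':'-separated fields.
_CPE22 = re.compile(r'^cpe:/[aho]?(?::[A-Za-z0-9._~%-]*){0,6}$')

# CPE 2.3 formatted-string binding: "cpe:2.3:" + part + exactly ten attributes.
# An attribute is ANY ("*"), NA ("-"), or a value in which every character that is
# not alphanumeric, '_' or '.' is backslash-escaped ('?' and '*' act as wildcards).
_ATTR23 = r'(?:\*|-|(?:[A-Za-z0-9._?*]|\\\S)+)'
_CPE23 = re.compile(r'^cpe:2\.3:[aho*-](?::' + _ATTR23 + r'){10}$')


def validate_cpe(value: str) -> bool:
    """True if `value` is well-formed under either binding.

    This is a syntax check only; it says nothing about whether the CPE exists
    in the NVD dictionary or matches the component it is attached to.
    """
    return bool(_CPE22.match(value) or _CPE23.match(value))


class CpeValidationError(ValueError):
    """Raised by check_cpe() in strict mode for a malformed CPE (hypothetical name)."""


def check_cpe(value: Optional[str], *, strict: bool = False) -> Optional[str]:
    """Gate a Component.cpe value.

    Default mode warns and passes the value through, which keeps existing callers
    working; strict=True raises instead, the enforcement the thread notes would be
    a breaking change if it became the default.
    """
    if value is None or validate_cpe(value):
        return value
    if strict:
        raise CpeValidationError(f'not a well-formed CPE: {value!r}')
    warnings.warn(f'not a well-formed CPE, passing through: {value!r}', stacklevel=2)
    return value


if __name__ == '__main__':
    # Constructed sample inputs, two valid and two malformed.
    for sample in (
        'cpe:2.3:a:microsoft:windows_10:1607:*:*:*:*:*:*:*',
        'cpe:/a:microsoft:windows_10:1607',
        'cpe:2.3:a:vendor:product',   # too few attributes for the 2.3 binding
        'microsoft windows 10',       # free text, not a CPE at all
    ):
        print(f'{validate_cpe(sample)!s:5}  {sample}')
```

Wiring check_cpe into the setter of the cpe property would give the library the behaviour discussed here: a warning for malformed values today, and a single flag to flip once enforcement is decided on. Escaped colons inside a 2.3 attribute (for example `vend\:or`) are accepted because the separator is only an unescaped `:`.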

3 participants