intel/cve-bin-tool

fix: Incorrect validation of PURL string


Description

All purl components within an SBOM are ignored as they fail validation. This results in no vulnerabilities being reported.

To reproduce

Submit an SBOM with a component with a PURL e.g. pkg:pypi/requests@2.31.0

Expected behaviour:

The PURL should be reported as valid

Actual behaviour:

The PURL always fails to validate.

Anything else?

In the is_valid_string function within the parse.py component of the SBOM Manager, the regular expression used for the PURL is
r"^(?P<scheme>.+):(?P<type>.+)/(?P<namespace>.+)/(?P<name>.+)@(?P<version>.+)\??(?P<qualifiers>.*)#?(?P<subpath>.*)$"

The , etc need to be expanded in accordance with the Purl Specification

Removing the is_valid_check for a PURL results in vulnerabilities being reported for valid Purls.

Validating a purl using a regular expression isn't necessary as the call to PackageURL.from_string(purl).to_dict() in the decode_purl function already performs the validation.

cc: @inosmeet @terriko