fix: Incorrect validation of PURL string
Closed this issue · 0 comments
Description
All purl components within an SBOM are ignored as they fail validation. This results in no vulnerabilities being reported.
To reproduce
Submit an SBOM with a component with a PURL e.g. pkg:pypi/requests@2.31.0
Expected behaviour:
The PURL should be reported as valid
Actual behaviour:
The PURL always fails to validate.
Anything else?
In the is_valid_string function within the parse.py component of the SBOM Manager, the regular expression used for the PURL is
r"^(?P<scheme>.+):(?P<type>.+)/(?P<namespace>.+)/(?P<name>.+)@(?P<version>.+)\??(?P<qualifiers>.*)#?(?P<subpath>.*)$"
The , etc need to be expanded in accordance with the Purl Specification
Removing the is_valid_check for a PURL results in vulnerabilities being reported for valid Purls.
Validating a purl using a regular expression isn't necessary as the call to PackageURL.from_string(purl).to_dict() in the decode_purl function already performs the validation.
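To make the failure concrete, the following added example (my own, not SBOM Manager code) runs the regular expression quoted above against the PURL from the report and a few other constructed PURLs, alongside a corrected expression that follows the PURL grammar (namespace, version, qualifiers and subpath optional, each component bounded by its delimiter). The corrected pattern is only an illustration of what the spec requires; the issue's own recommendation is to drop the regex and rely on PackageURL.from_string.

```python
import re

# Regular expression quoted in the issue (SBOM Manager parse.py, is_valid_string).
# Every component is a greedy ".+", and the namespace is mandatory, so a PURL
# without a namespace can never match.
BROKEN_PURL_RE = re.compile(
    r"^(?P<scheme>.+):(?P<type>.+)/(?P<namespace>.+)/(?P<name>.+)@(?P<version>.+)"
    r"\??(?P<qualifiers>.*)#?(?P<subpath>.*)$"
)

# Corrected expression (illustrative, not the project's fix). Grammar per the PURL
# spec: scheme:type/namespace/name@version?qualifiers#subpath, where namespace,
# version, qualifiers and subpath are optional and each component stops at the
# delimiter that introduces the next one.
FIXED_PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z0-9.+-]+)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]+))?"
    r"(?:#(?P<subpath>.+))?$"
)


def parse_purl(purl, pattern=FIXED_PURL_RE):
    """Return the component dict for a PURL accepted by `pattern`, or None."""
    match = pattern.match(purl)
    return match.groupdict() if match else None


# Constructed sample PURLs; the first is the one from the report.
SAMPLES = [
    "pkg:pypi/requests@2.31.0",
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar",
    "pkg:golang/github.com/gorilla/mux@v1.8.0",
    "pkg:github/package-url/purl-spec@244fd47#everybody/loves/dogs",
]

if __name__ == "__main__":
    for purl in SAMPLES:
        print(purl)
        print("  broken regex:", parse_purl(purl, BROKEN_PURL_RE))
        print("  fixed regex: ", parse_purl(purl))
```

Running it shows the quoted regex rejecting pkg:pypi/requests@2.31.0 outright and, where it does match, swallowing the qualifiers into the version group because of the greedy `.+`.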