Getting error for product names with '+'

Question

Getting error for product names with '+'

pratikindap opened this issue 7 years ago · 5 comments

Tried the CPE parser library for visual_c++ and it failed with an "Invalid value for product" error

Please refer to the stack trace below -

>>> cpe_str='cpe:/a:microsoft:visual_c++:2005:sp1_redistribution_pkg'
>>> c22 = CPE(cpe_str, CPE.VERSION_2_2)
Traceback (most recent call last):
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/cpe2_2.py", line 161, in _parse
    comp = CPEComponent2_2(value, ck)
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/comp/cpecomp_simple.py", line 161, in __init__
    self.set_value(comp_str, comp_att)
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/comp/cpecomp_simple.py", line 383, in set_value
    self._parse(comp_att)
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/comp/cpecomp_simple.py", line 259, in _parse
    raise ValueError(errmsg)
ValueError: Invalid value of attribute 'product': visual_c++

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/cpe.py", line 315, in __new__
    return _CPE_VERSIONS[version](cpe_str)
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/cpe.py", line 234, in __init__
    self._parse()
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/cpe2_2.py", line 165, in _parse
    raise ValueError(errmsg)
ValueError: Bad-formed CPE Name: not correct value: visual_c++

Answer 1 · 2017-11-13T06:35:11.000Z

Thank you for reporting this issue.

I'll take a look in a few days, but feel free to send a patch if you want to.

Answer 2 · 2020-04-07T22:11:53.000Z

Were you able to fix this?

Answer 3 · 2020-08-11T14:04:02.000Z

Try to escape the +, see https://nvd.nist.gov/products/cpe/search/results?keyword=visual_c%2b%2b&status=FINAL&orderBy=CPEURI&namingFormat=2.3
There are different escape methods for versions 2.2 and 2.3.

Answer 4 · 2023-03-22T05:44:31.000Z

@timojuez How can you escape only +? Meaning we'll have to generically escape everything in that part right?

Answer 5 · 2023-03-22T10:37:24.000Z

Check the link in my comment from 3 years ago. They replaced all + with \+. So c++ becomes c\+\+.