From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, adrian.freihofer@siemens.com,
Peter.Marko@siemens.com, jpewhacker@gmail.com,
Ross.Burton@arm.com, mathieu.dubois-briand@bootlin.com
Subject: [PATCH v3 10/11] cve_check: Escape special characters in CPE 2.3 formatted strings
Date: Tue, 24 Feb 2026 17:29:45 +0100 [thread overview]
Message-ID: <20260224162946.4000445-11-stondo@gmail.com> (raw)
In-Reply-To: <20260224162946.4000445-1-stondo@gmail.com>
From: Stefano Tondo <stefano.tondo.ext@siemens.com>
CPE 2.3 formatted string binding (cpe:2.3:...) requires backslash escaping
for special meta-characters according to NISTIR 7695. Characters like '++'
and ':' in product names must be properly escaped to pass SBOM validation.
The CPE 2.3 specification defines two bindings:
- URI binding (cpe:/...) uses percent-encoding
- Formatted string binding (cpe:2.3:...) uses backslash escaping
This patch implements the formatted string binding properly by escaping
only the required meta-characters with backslash:
- Backslash (\) -> \\
- Question mark (?) -> \?
- Asterisk (*) -> \*
- Colon (:) -> \:
- Plus (+) -> \+ (required by some SBOM validators)
All other characters (e.g. '-') are kept as-is without encoding.
Example CPE identifiers:
- cpe:2.3:*:*:crow:1.0+x:*:*:*:*:*:*:*
- cpe:2.3:*:*:sdbus-c++:2.2.1:*:*:*:*:*:*:*
Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
meta/lib/oe/cve_check.py | 37 ++++++++++++++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index ae194f27cf..fa210e2037 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -205,6 +205,34 @@ def get_patched_cves(d):
return patched_cves
+def cpe_escape(value):
+ r"""
+ Escape special characters for CPE 2.3 formatted string binding.
+
+ CPE 2.3 formatted string binding (cpe:2.3:...) uses backslash escaping
+ for special meta-characters, NOT percent-encoding. Percent-encoding is
+ only used in the URI binding (cpe:/...).
+
+ According to NISTIR 7695, these characters need escaping:
+ - Backslash (\) -> \\
+ - Question mark (?) -> \?
+ - Asterisk (*) -> \*
+ - Colon (:) -> \:
+ - Plus (+) -> \+ (required by some SBOM validators)
+ """
+ if not value:
+ return value
+
+ # Escape special meta-characters for CPE 2.3 formatted string binding
+ # Order matters: escape backslash first to avoid double-escaping
+ result = value.replace('\\', '\\\\')
+ result = result.replace('?', '\\?')
+ result = result.replace('*', '\\*')
+ result = result.replace(':', '\\:')
+ result = result.replace('+', '\\+')
+
+ return result
+
def get_cpe_ids(cve_product, version):
"""
Get list of CPE identifiers for the given product and version
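Review bot: the escape set in cpe_escape is a closed list of five characters, so a product or version containing any other punctuation (for example '/', '@' or '!') still passes through unescaped, even though the docstring cites NISTIR 7695, whose formatted-string binding leaves only alphanumerics, '.', '-' and '_' unquoted and backslash-quotes everything else; by the same rule '+' is required by the specification itself, not merely by "some SBOM validators" as the docstring says. A single substitution such as `re.sub(r'([^A-Za-z0-9_.\-])', r'\\\1', value)` would cover the full set and also make the "order matters" comment unnecessary. Please add a unit test for the two examples from the commit message (`sdbus-c++`, `1.0+x`), and note in the get_cpe_ids docstring directly below that the returned identifiers are now escaped.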
@@ -221,7 +249,14 @@ def get_cpe_ids(cve_product, version):
else:
vendor = "*"
- cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version)
+ # Encode special characters per CPE 2.3 specification
+ encoded_vendor = cpe_escape(vendor) if vendor != "*" else vendor
+ encoded_product = cpe_escape(product)
+ encoded_version = cpe_escape(version)
+
+ cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(
+ encoded_vendor, encoded_product, encoded_version
+ )
cpe_ids.append(cpe_id)
return cpe_ids
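Review bot: the wildcard guard is applied asymmetrically: `encoded_vendor = cpe_escape(vendor) if vendor != "*" else vendor` keeps a logical ANY vendor intact, but `encoded_version = cpe_escape(version)` has no such guard, so a version of "*" (or a version pattern containing '*') becomes the literal "\*" and no longer matches as ANY. Either apply the same guard to version (and product), or have cpe_escape itself return the logical values "*" and "-" unchanged so the rule lives in one place and the inline conditional can go away.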
--
2.53.0
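To show why the ':' escaping in this patch matters, here is an added example (not part of the patch or of oe-core) that escapes with the full NISTIR 7695 character set rather than the patch's five, builds a CPE the way get_cpe_ids does, and parses it back by splitting on unescaped colons only; fs_escape, split_cpe, product_of and the product name 'foo:bar' are hypothetical names and constructed values chosen for the example.

```python
import re

# Inside one component of a CPE 2.3 formatted string, NISTIR 7695 leaves
# only alphanumerics, '_', '-' and '.' unquoted; every other character is
# backslash-quoted (a broader set than the patch's hard-coded five).
_NEEDS_ESCAPE = re.compile(r'([^A-Za-z0-9_.\-])')

def fs_escape(value):
    """Escape a literal component value for the formatted-string binding."""
    if value in ('*', '-'):          # logical ANY / NA values stay as-is
        return value
    return _NEEDS_ESCAPE.sub(r'\\\1', value)

def fs_unescape(value):
    """Inverse of fs_escape: drop the backslash in front of a quoted char."""
    return re.sub(r'\\(.)', r'\1', value)

def build_cpe(vendor, product, version):
    """Same layout as get_cpe_ids in cve_check.py, with escaped fields."""
    return 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(
        fs_escape(vendor), fs_escape(product), fs_escape(version))

def split_cpe(cpe):
    """Split on unescaped colons only; a valid string has exactly 13 fields.
    Without escaping, a ':' inside a product name shifts every following
    field by one, which is exactly what SBOM validators reject."""
    fields, cur, i = [], '', 0
    while i < len(cpe):
        if cpe[i] == '\\' and i + 1 < len(cpe):   # keep quoted pair intact
            cur += cpe[i:i + 2]
            i += 2
        elif cpe[i] == ':':
            fields.append(cur)
            cur = ''
            i += 1
        else:
            cur += cpe[i]
            i += 1
    fields.append(cur)
    if len(fields) != 13 or fields[:2] != ['cpe', '2.3']:
        raise ValueError('malformed CPE 2.3 formatted string: %r' % cpe)
    return fields

def product_of(cpe):
    """Return the unescaped product field (index 4) of a CPE 2.3 string."""
    return fs_unescape(split_cpe(cpe)[4])
```

Feeding the unescaped form `cpe:2.3:*:*:foo:bar:1.0:*:*:*:*:*:*:*` to split_cpe raises, because the bare colon yields 14 fields.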