From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: JPEWhacker@gmail.com, richard.purdie@linuxfoundation.org,
stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com,
adrian.freihofer@siemens.com
Subject: [OE-core][PATCH v10 6/7] cve_check: Escape special characters in CPE 2.3 strings
Date: Fri, 20 Mar 2026 17:49:50 +0100 [thread overview]
Message-ID: <20260320164951.128572-7-stondo@gmail.com> (raw)
In-Reply-To: <20260320164951.128572-1-stondo@gmail.com>
From: Stefano Tondo <stefano.tondo.ext@siemens.com>
CPE 2.3 formatted string binding (cpe:2.3:...) requires
backslash escaping for special meta-characters per NISTIR 7695.
Characters like '++' and ':' in product names must be escaped.
The CPE 2.3 specification defines two bindings:
- URI binding (cpe:/...) uses percent-encoding
- Formatted string (cpe:2.3:...) uses backslash escaping
Escape the required meta-characters with backslash:
- Backslash (\\) -> \\
- Question mark (?) -> \?
- Asterisk (*) -> \*
- Colon (:) -> \:
- Plus (+) -> \+
All other characters are kept as-is without encoding.
Example CPE identifiers:
- cpe:2.3:*:*:crow:1.0\+x:*:*:*:*:*:*:*
- cpe:2.3:*:*:sdbus-c\+\+:2.2.1:*:*:*:*:*:*:*
Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
---
meta/lib/oe/cve_check.py | 38 +++++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index ae194f27cf..6555743514 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -205,6 +205,35 @@ def get_patched_cves(d):
return patched_cves
+def cpe_escape(value):
+ r"""
+ Escape special characters for CPE 2.3 formatted string binding.
+
+ CPE 2.3 formatted string binding (cpe:2.3:...) uses backslash escaping
+ for special meta-characters, NOT percent-encoding. Percent-encoding is
+ only used in the URI binding (cpe:/...).
+
+ According to NISTIR 7695, these characters need escaping:
+ - Backslash (\) -> \\
+ - Question mark (?) -> \?
+ - Asterisk (*) -> \*
+ - Colon (:) -> \:
+ - Plus (+) -> \+ (required by some SBOM validators)
+ """
+ if not value:
+ return value
+
+ # Escape special meta-characters for CPE 2.3 formatted string binding
+ # Order matters: escape backslash first to avoid double-escaping
+ result = value.replace('\\', '\\\\')
+ result = result.replace('?', '\\?')
+ result = result.replace('*', '\\*')
+ result = result.replace(':', '\\:')
+ result = result.replace('+', '\\+')
+
+ return result
+
+
def get_cpe_ids(cve_product, version):
"""
Get list of CPE identifiers for the given product and version
@@ -221,7 +250,14 @@ def get_cpe_ids(cve_product, version):
else:
vendor = "*"
- cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version)
+ # Encode special characters per CPE 2.3 specification
+ encoded_vendor = cpe_escape(vendor) if vendor != "*" else vendor
+ encoded_product = cpe_escape(product)
+ encoded_version = cpe_escape(version)
+
+ cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(
+ encoded_vendor, encoded_product, encoded_version
+ )
cpe_ids.append(cpe_id)
return cpe_ids
--
2.53.0
next prev parent reply other threads:[~2026-03-20 16:50 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-02 16:01 [PATCH v5 00/10] spdx30: SBOM enrichment and documentation Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 01/10] spdx30: Add configurable file filtering support Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 02/10] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 03/10] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 04/10] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-03-03 8:42 ` [OE-core] " Mathieu Dubois-Briand
2026-03-03 10:27 ` Tondo, Stefano
2026-03-02 16:01 ` [PATCH v5 05/10] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 06/10] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 07/10] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 08/10] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 09/10] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 10/10] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
2026-03-02 16:15 ` [OE-core] [PATCH v5 00/10] spdx30: SBOM enrichment and documentation Antonin Godard
2026-03-03 8:20 ` Tondo, Stefano
2026-03-04 17:05 ` [PATCH v6 " Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 01/10] spdx30: Add configurable file filtering support Stefano Tondo
2026-03-07 21:53 ` Joshua Watt
2026-03-04 17:05 ` [PATCH v6 02/10] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 03/10] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 04/10] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-03-07 22:32 ` Joshua Watt
2026-03-04 17:05 ` [PATCH v6 05/10] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 06/10] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 07/10] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 08/10] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 09/10] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 10/10] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
2026-03-06 6:32 ` [PATCH v6 00/10] spdx30: SBOM enrichment and documentation Mathieu Dubois-Briand
2026-03-06 13:59 ` [OE-core][PATCH v7 " Stefano Tondo
2026-03-06 13:59 ` [OE-core][PATCH v7 01/10] spdx30: Add configurable file filtering support Stefano Tondo
2026-03-06 13:59 ` [OE-core][PATCH v7 02/10] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-03-07 21:55 ` Joshua Watt
2026-03-06 13:59 ` [OE-core][PATCH v7 03/10] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-03-07 22:15 ` Joshua Watt
2026-03-06 13:59 ` [OE-core][PATCH v7 04/10] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-03-06 13:59 ` [OE-core][PATCH v7 05/10] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-03-06 13:59 ` [OE-core][PATCH v7 06/10] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-03-07 22:42 ` Joshua Watt
2026-03-06 13:59 ` [OE-core][PATCH v7 07/10] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-03-07 22:48 ` Joshua Watt
2026-03-06 14:00 ` [OE-core][PATCH v7 08/10] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-03-07 22:51 ` Joshua Watt
2026-03-06 14:00 ` [OE-core][PATCH v7 09/10] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-03-07 22:01 ` Joshua Watt
2026-03-06 14:00 ` [OE-core][PATCH v7 10/10] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
2026-03-07 22:03 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 0/7] SPDX 3.0 SBOM enrichment and compliance improvements stondo
2026-03-09 13:28 ` [OE-core][PATCH v8 1/7] spdx30: Add configurable file exclusion pattern support stondo
2026-03-11 20:29 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 2/7] spdx30: Add supplier support for image and SDK SBOMs stondo
2026-03-11 20:31 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 3/7] spdx30: Add ecosystem-specific PURL generation via bbclasses stondo
2026-03-11 20:34 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 4/7] spdx30: Enrich source downloads with version and PURL stondo
2026-03-11 22:49 ` Joshua Watt
2026-03-11 22:51 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 5/7] oeqa/selftest: Add tests for source download enrichment stondo
2026-03-11 20:40 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 6/7] cve_check: Escape special characters in CPE 2.3 strings stondo
2026-03-11 20:44 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 7/7] spdx-common: Add documentation for undocumented SPDX variables stondo
2026-03-11 20:42 ` Joshua Watt
2026-03-12 15:38 ` [OE-core][PATCH v9 0/7] SPDX 3.0 SBOM enrichment and compliance improvements stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 1/7] spdx30: Add configurable file exclusion pattern support stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 2/7] spdx30: Add supplier support for image and SDK SBOMs stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 3/7] spdx30: Add ecosystem-specific PURL generation via bbclasses stondo
2026-03-19 10:25 ` Richard Purdie
2026-03-12 15:38 ` [OE-core][PATCH v9 4/7] spdx30: Enrich source downloads with version and PURL stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 5/7] oeqa/selftest: Add tests for source download enrichment stondo
2026-03-13 6:14 ` Mathieu Dubois-Briand
2026-03-13 8:30 ` Tondo, Stefano
2026-03-12 15:38 ` [OE-core][PATCH v9 6/7] cve_check: Escape special characters in CPE 2.3 strings stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 7/7] spdx-common: Add documentation for undocumented SPDX variables stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 0/7] SPDX 3.0 SBOM enrichment and compliance improvements stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 1/7] spdx30: Add configurable file exclusion pattern support stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 2/7] spdx30: Add supplier support for image and SDK SBOMs stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 3/7] spdx30: Add ecosystem-specific PURL generation via bbclasses stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 4/7] spdx30: Enrich source downloads with version and PURL stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 5/7] oeqa/selftest: Add tests for source download enrichment stondo
2026-03-20 16:49 ` stondo [this message]
2026-03-20 16:49 ` [OE-core][PATCH v10 7/7] spdx-common: Add documentation for undocumented SPDX variables stondo
2026-03-20 17:13 ` [OE-core][PATCH v10 0/7] SPDX 3.0 SBOM enrichment and compliance improvements Richard Purdie
2026-03-20 17:22 ` [OE-core][PATCH v9 " Mathieu Dubois-Briand
2026-03-20 17:24 ` Mathieu Dubois-Briand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260320164951.128572-7-stondo@gmail.com \
--to=stondo@gmail.com \
--cc=JPEWhacker@gmail.com \
--cc=Peter.Marko@siemens.com \
--cc=adrian.freihofer@siemens.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=richard.purdie@linuxfoundation.org \
--cc=stefano.tondo.ext@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox