tools-python
Incorrect cpe23Type validation?
The validation of the cpe23Type does not support strings such as
cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1+g8050fd9c:*:*:*:*:*:*:* The version string contains +
cpe:2.3:a:debian_gcc_maintainers:libstdc++6:12.2.0-9:*:*:*:*:*:*:* The product name contains +. The cpe definition states a product name can not contain spaces, slashes, or most special characters. An underscore should be used in place of whitespace characters. Is '+' considered a special character?
Note that the SPDX file is reported as valid when using the SPDX online tool validator.
Do we have an inconsistency in validation between the Python and Java tools?
(Tested with latest version of the Python Tools)
The online tools are still using the Java implementation - so the validation may be different.
From a quick check, I don't think the verify method in the Java implementation verifies the locator strings for external references - which would be an issue for the Java library.
Note that the SPDX 2.3 spec for external references cpe23 type does provide a REGEX we can use.
For the validation in the tools-python the regex from the spec is used. So I think this is rather an issue in the Java implementation.
From skipping through the documentation linked in the spec, I think that the "+" should be quoted like "\+"; for the example mentioned, cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1\+g8050fd9c:*:*:*:*:*:*:* would be valid according to the tools-python validation.
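As an added illustration (not part of this thread, and not the validator that tools-python or the Java library actually ship), here is a small checker written from the CPE 2.3 formatted-string grammar in NIST IR 7695: alphanumerics, "-", "." and "_" may appear unquoted, any other punctuation (including "+") must be preceded by a backslash, and a bare "*" or "-" is the logical value ANY or NA. It reports which field of the two strings from the report fails, and shows that the backslash-quoted forms pass. The field names, the split helper and `quote_component` are names chosen here, not anything from the spec or the project.

```python
import re
import string

# Grammar pieces transcribed from the NIST IR 7695 formatted-string ABNF.
_UNRESERVED = r"[A-Za-z0-9._\-]"
# Everything quotable: all punctuation except the three unreserved ones.
_PUNC = re.escape("".join(c for c in string.punctuation if c not in "-._"))
_QUOTED = rf"\\[{_PUNC}]"          # a backslash followed by one quotable char
# An attribute-value string: optional leading ?* / * wildcard, one or more
# unreserved or quoted characters, optional trailing wildcard.
_AVSTRING = rf"(?:\?*|\*?)(?:{_UNRESERVED}|{_QUOTED})+(?:\?*|\*?)"
_COMPONENT = rf"(?:{_AVSTRING}|\*|-)"
# language: an RFC 5646-style tag, or the logical values ANY / NA
_LANG = r"(?:[A-Za-z]{2,3}(?:-(?:[A-Za-z]{2}|[0-9]{3}))?|\*|-)"

CPE23_RE = re.compile(
    r"^cpe:2\.3:[aho*\-]"        # part: application, hardware, OS, ANY, NA
    rf"(?::{_COMPONENT}){{5}}"   # vendor, product, version, update, edition
    rf":{_LANG}"                 # language
    rf"(?::{_COMPONENT}){{4}}$"  # sw_edition, target_sw, target_hw, other
)
_COMPONENT_RE = re.compile(rf"^{_COMPONENT}$")
_PART_RE = re.compile(r"^[aho*\-]$")
_LANG_RE = re.compile(rf"^{_LANG}$")

FIELD_NAMES = ("part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other")


def is_valid_cpe23(value: str) -> bool:
    """True if the whole string matches the CPE 2.3 formatted-string grammar."""
    return CPE23_RE.fullmatch(value) is not None


def split_components(value: str) -> list[str]:
    """Split on ':' while keeping a backslash-quoted ':' inside its component."""
    parts, cur, i = [], [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            cur.append(value[i:i + 2])
            i += 2
            continue
        if c == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def invalid_components(value: str) -> list[str]:
    """Names of the fields that do not satisfy the grammar (empty list = valid)."""
    parts = split_components(value)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        return ["structure"]
    bad = []
    for name, comp in zip(FIELD_NAMES, parts[2:]):
        if name == "part":
            ok = _PART_RE.match(comp)
        elif name == "language":
            ok = _LANG_RE.match(comp)
        else:
            ok = _COMPONENT_RE.match(comp)
        if not ok:
            bad.append(name)
    return bad


def quote_component(raw: str) -> str:
    """Quote a literal value for use as one component of a formatted string.

    Do not pass the logical values "*" or "-" through this: a literal "*"
    must be quoted, whereas a bare "*" means ANY.
    """
    return "".join(
        c if (c.isascii() and c.isalnum()) or c in "-._" else "\\" + c
        for c in raw
    )


# The two strings from the report, plus their quoted forms (constructed here).
BAD_VERSION = "cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1+g8050fd9c:*:*:*:*:*:*:*"
GOOD_VERSION = "cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1\\+g8050fd9c:*:*:*:*:*:*:*"
BAD_PRODUCT = "cpe:2.3:a:debian_gcc_maintainers:libstdc++6:12.2.0-9:*:*:*:*:*:*:*"
GOOD_PRODUCT = "cpe:2.3:a:debian_gcc_maintainers:libstdc\\+\\+6:12.2.0-9:*:*:*:*:*:*:*"

if __name__ == "__main__":
    for cpe in (BAD_VERSION, GOOD_VERSION, BAD_PRODUCT, GOOD_PRODUCT):
        print(is_valid_cpe23(cpe), invalid_components(cpe), cpe)
    print(quote_component("libstdc++6"))
```

`invalid_components` is the part a validator error message benefits from: rather than "does not match regex", it names the field (here `version` and `product`) whose unquoted "+" breaks the string, which is exactly the distinction the reporter was missing.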