Getting error for product names with '+'

Open pratikindap opened this issue 7 years ago • 5 comments

Tried the CPE parser library for visual_c++ and it failed with an "Invalid value for product" error

Please refer to the stack trace below -

>>> cpe_str='cpe:/a:microsoft:visual_c++:2005:sp1_redistribution_pkg'
>>> c22 = CPE(cpe_str, CPE.VERSION_2_2)
Traceback (most recent call last):
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/cpe2_2.py", line 161, in _parse
    comp = CPEComponent2_2(value, ck)
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/comp/cpecomp_simple.py", line 161, in __init__
    self.set_value(comp_str, comp_att)
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/comp/cpecomp_simple.py", line 383, in set_value
    self._parse(comp_att)
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/comp/cpecomp_simple.py", line 259, in _parse
    raise ValueError(errmsg)
ValueError: Invalid value of attribute 'product': visual_c++

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/cpe.py", line 315, in __new__
    return _CPE_VERSIONS[version](cpe_str)
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/cpe.py", line 234, in __init__
    self._parse()
  File "/home/roaringturtle/.local/lib/python3.5/site-packages/cpe/cpe2_2.py", line 165, in _parse
    raise ValueError(errmsg)
ValueError: Bad-formed CPE Name: not correct value: visual_c++

pratikindap avatar Nov 09 '17 23:11 pratikindap

Thank you for reporting this issue.

I'll take a look in a few days, but feel free to send a patch if you want to.

nilp0inter avatar Nov 13 '17 06:11 nilp0inter

Were you able to fix this?

suleimanmahmoud avatar Apr 07 '20 22:04 suleimanmahmoud

Try to escape the +, see https://nvd.nist.gov/products/cpe/search/results?keyword=visual_c%2b%2b&status=FINAL&orderBy=CPEURI&namingFormat=2.3 There are different escape methods for versions 2.2 and 2.3.

timojuez avatar Aug 11 '20 14:08 timojuez

@timojuez How can you escape only +? Meaning we'll have to generically escape everything in that part, right?

sfc-gh-pkommini avatar Mar 22 '23 05:03 sfc-gh-pkommini

Check the link in my comment from 3 years ago. They replaced all + with \+. So c++ becomes c\+\+.

timojuez avatar Mar 22 '23 10:03 timojuez
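
The escaping discussed in this thread, generalized from `+` to any punctuation, as an added example that is not code from the thread or from the cpe library. It follows the binding rules of the CPE 2.3 naming specification (NISTIR 7695) for literal values without wildcards; the function names and `FIELDS` are assumptions made for illustration.

```python
import string

# Bound unchanged in both forms: alphanumerics and underscore, plus hyphen and
# period (quoted inside a WFN, but written bare in either binding).
_BARE = set(string.ascii_letters + string.digits + "_-.")

def _check(value):
    # CPE values are printable ASCII with no whitespace; reject anything else.
    if not value or any(not 0x21 <= ord(ch) <= 0x7E for ch in value):
        raise ValueError("not a printable, whitespace-free ASCII value: %r" % value)

def escape_fs(value):
    """Literal value -> component of a 2.3 formatted string (backslash quoting)."""
    _check(value)
    return "".join(ch if ch in _BARE else "\\" + ch for ch in value)

def escape_uri(value):
    """Literal value -> component of a cpe:/ URI (lowercase percent-encoding)."""
    _check(value)
    return "".join(ch if ch in _BARE else "%%%02x" % ord(ch) for ch in value)

def to_fs(part, *values):
    """Formatted string; attributes not supplied are bound to ANY ('*')."""
    if len(values) > 10:
        raise ValueError("a formatted string has 10 attributes after the part")
    comps = [escape_fs(v) for v in values]
    return "cpe:2.3:" + ":".join([part] + comps + ["*"] * (10 - len(comps)))

def to_uri(part, *values):
    """URI with as many components as were supplied."""
    return "cpe:/" + ":".join([part] + [escape_uri(v) for v in values])

# The name from this issue, with every field treated as literal text.
FIELDS = ("microsoft", "visual_c++", "2005", "sp1_redistribution_pkg")

if __name__ == "__main__":
    print(to_uri("a", *FIELDS))
    print(to_fs("a", *FIELDS))
    # Separator and wildcard characters inside a value are escaped the same way.
    print(escape_fs("a:b*c"), escape_uri("a:b*c"))
```

Escaping each field before joining keeps a literal `:` or `*` inside a product name from being read as a separator or wildcard.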