PackageDownloadLocation validation doesn't allow underscores in git URLs

Open trupples opened this issue 4 months ago • 0 comments

This issue is related to https://github.com/spdx/spdx-java-model-2_X/issues/33 and has identical behaviour and an identical fix.

The regex that validates PackageDownloadLocation tags rejects git URLs with underscores in the repository name: https://github.com/spdx/tools-python/blob/b7f9a3defe8b0af1414cd75f1447ec242428f1d0/src/spdx_tools/spdx/validation/uri_validators.py#L18

Example of a line from an SBOM that doesn't validate (because of the underscore in the repo name) but should:

PackageDownloadLocation: [email protected]:zephyrproject-rtos/CMSIS_6@06d952b6713a2ca41c9224a62075e4059402a151-off

Proposed fix:

- git_pattern = "(git\\+git@[a-zA-Z0-9\\.\\-]+:[a-zA-Z0-9/\\\\.@\\-]+)"
+ git_pattern = "(git\\+git@[a-zA-Z0-9\\.\\-]+:[a-zA-Z0-9/\\\\.@\\-_]+)"
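
Review bot: on the `+` line the new `_` sits after `\\-` at the end of the path character class, so it is only a literal because that hyphen is escaped. Writing the tail as `_\\-` (hyphen last) keeps the class safe if the escape is ever dropped in a later edit. The host class `[a-zA-Z0-9\\.\\-]` is unchanged, so underscores are still rejected before the `:`; if that is intentional, a short comment saying so would help. A regression test that validates a locator whose repository name contains an underscore, like the CMSIS_6 line quoted in this issue, should accompany the change.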

trupples, Aug 20 '25 19:08