Invalid CPE regular expression

[ctron]

Running the validation for csaf_2_0 and csaf_2_0_strict, I get the following error:

"csaf_2_0: must match pattern \"^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$\"", "csaf_2_0_strict: must match pattern \"^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$\""

Testing again the following CPE: cpe:/o:redhat:enterprise_linux:8::fastdatapath (which seems valid to me).

Testing with another regular expression too, I get an error that the regular expression is invalid for ECMAScript. Caused by two missing escape backslashes:

Diff:

- ^(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})$"", "csaf_2_0_strict: must match pattern "^(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})$
+ ^(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){4})|([c][pP][eE]:\/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})$"", "csaf_2_0_strict: must match pattern "^(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){4})|([c][pP][eE]:\/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})$

[tschmidtb51]

Hmm, interesting... I have to investigate that... That case did not occur in the CPE dictionary...

[ctron]

Maybe it depends on the regular expression implementation. But escaping the / seemed reasonable to me.

[tschmidtb51]

I was just wondering: Is that a problem of the standard (as the pattern does not escape any /) or just an issue of the implementation?

[ctron]

I am not sure where the csaf-validator-lib gets the regexp from.

[tschmidtb51]

Note to self: According to the test script the JSON schema pattern seems correct and validates also cpe:/o:redhat:enterprise_linux:8::fastdatapath 😌

[tschmidtb51]

It might actually be implementation specific as I don't get the error when using Secvisogram. So, I wonder whether this repo is the correct place to fix it. I guess that needs a bit further investigation.

[ctron]

Ok, let me try dig a bit into that and find out more.

[tschmidtb51]

Ok, let me try dig a bit into that and find out more.

Thank you.

The key question for me would be: Is it allowed to omit the escaping for / in JSON. If not => CSAF standard must fix that. If yes, probably an implementation issue (as it works with nodejs).

[ctron]

I think this is an issue with the regexp itself. JSON just escapes this. I found this in the schema.js file, which seems to carry the schema as a JS (vs JSON):

pattern:
                '^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#\\$%&\'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#\\$%&\'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$',

That is missing the \. Now putting this into the browsers console:

It accepts this, but also corrects it.

[ctron]

Ok, so there's definitely something wrong with the whole regexp stuff, playing with that same regexp on the console of deno (works the same way with bun and node):

It accepts XXcpe:/o:redhat:rhel_aus:7.6::server as a valid CPE.

[ctron]

Which is btw the same behavior I see changing a CPE in the tests of csaf-validator-lib.

[ctron]

Regexps still give me a headache, still I think I understand why that is:

The regexp is kind of like: ^(a)|(b)$ … where it should be: ^(a|b)$.

Still, that's an additional problem, and not the one that I run into.

[tschmidtb51]

@ctron Could you please confirm: You are using that this library via deno?

[ctron]

@ctron Could you please confirm: You are using that this library via deno?

Embedding this (the problem with the missing slashes) comes from an embedded deno use case. However, there's a second component to it: rollup. Testing with bun, node, deno in general leads to the same results. While I can't really reproduce it so far, my gut feeling is that this is being caused for using rollup to create the file I embed in the Rust code.

Nevertheless, the regexp still allows for values such as ABCcpe:/… on all environments, simpley as the regexp is wrong.

[tschmidtb51]

Nevertheless, the regexp still allows for values such as ABCcpe:/… on all environments, simpley as the regexp is wrong.

True and accepted. This is tracked in oasis-tcs/csaf#693 It's up to the TC to decide, what the solution will be, please stay tuned.

[tschmidtb51]

After reading the spec, I'm still confused what the correct answer regarding the / escaping might be, so I opened the discussion to the JSON spec authors: https://github.com/orgs/json-schema-org/discussions/684
Feel free to upvote.

[tschmidtb51]

Nevertheless, the regexp still allows for values such as ABCcpe:/… on all environments, simpley as the regexp is wrong.

True and accepted. This is tracked in oasis-tcs/csaf#693 It's up to the TC to decide, what the solution will be, please stay tuned.

The change is now part of the current Editor Revision for CSAF 2.1.

[tschmidtb51]

After reading the spec, I'm still confused what the correct answer regarding the / escaping might be, so I opened the discussion to the JSON spec authors: https://github.com/orgs/json-schema-org/discussions/684 Feel free to upvote.

BTW: I also started to investigate different implementations at: https://github.com/tschmidtb51/JSON-schema-pattern
Feel free to contribute.

The Node one is more or less what I would expect...

[tschmidtb51]

I still think that the / issue is not our bug - but the TC decided to quote it in CSAF 2.1 and allow backports without loosing conformance.