
feat: add CPE format validation in property setter #711

Open
wants to merge 57 commits into
base: main

Conversation

saquibsaifee
Contributor

@saquibsaifee saquibsaifee commented Oct 14, 2024

Fixes #580

  • Implemented validation of CPE format using CPE library
  • Added tests to verify the handling of invalid CPE strings.

Note:

  • The CPE library is missing library stubs or py.typed marker, not sure how you want to handle it. I used type:ignore.
  • CPE library raises NotImplementedError for incorrect CPE Name or version link

saquibsaifee and others added 5 commits June 21, 2024 12:33
- Implemented regex-based validation for CPE format in the model.
- Added tests to verify handling of invalid CPE strings.

Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
@saquibsaifee saquibsaifee requested a review from a team as a code owner October 14, 2024 22:34
@saquibsaifee
Contributor Author

@jkowalleck have a look at this PR

Signed-off-by: Saquib Saifee <[email protected]>
@jkowalleck jkowalleck changed the title !feat: add CPE format validation in property setter feat: add CPE format validation in property setter Oct 15, 2024
@jkowalleck jkowalleck added enhancement New feature or request breaking change labels Oct 15, 2024
try:
    CPE(cpe)
except NotImplementedError:
    raise ValueError(f'Invalid CPE format: {cpe}')
Member

@jkowalleck jkowalleck Oct 15, 2024

This behavioral change is considered a breaking change.
Not a blocker, just a remark.

@jkowalleck
Member

Thank you for your contribution, @saquibsaifee

We have a schema-based validator in place already, so there already is a mechanism that can check for valid CPE.
This means: there is no REAL reason to implement this in the first place -- it is a nice to have.
That, and the fact that the implementation introduced breaking changes causes this PR to be postponed.
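The pattern under discussion, a property setter that rejects malformed CPE strings at assignment time instead of only at schema validation, as an added example. This is not the project's code and does not use the `cpe` package from the thread: it validates with a regular expression modelled on the NIST CPE 2.3 formatted-string and 2.2 URI patterns (the pattern is my assumption, reproduced from memory, not the CycloneDX schema's own regex), so it runs offline. The `Component` class, `is_valid_cpe` and `rejects_cpe` are hypothetical names for this example; the sample CPE strings are constructed.

```python
import re
from typing import Optional

# One CPE 2.3 attribute-value component: "*" / "-" on its own, or a run of
# letters, digits, "-", "_", "." and backslash-escaped punctuation, optionally
# wrapped in "?"/"*" wildcards. Modelled on the NIST cpe-naming 2.3
# formatted-string pattern (assumption: reconstructed from memory).
_COMP = (
    r"(?:(?:\?*|\*?)"
    r"(?:[A-Za-z0-9\-._]|\\[\\*?!\"#$%&'()+,/:;<=>@\[\]^`{|}~])+"
    r"(?:\?*|\*?)|[*-])"
)

# Language component: ISO 639 code with optional region, or a wildcard.
_LANG = r"(?:[A-Za-z]{2,3}(?:-(?:[A-Za-z]{2}|[0-9]{3}))?|[*-])"

# CPE 2.3 formatted string: prefix, part, five components (vendor, product,
# version, update, edition), language, then four more (sw_edition, target_sw,
# target_hw, other). Components cannot contain an unescaped ":", so fields
# cannot bleed into one another.
_CPE23 = re.compile(
    r"cpe:2\.3:[aho*-]"
    + "(?::" + _COMP + "){5}"
    + ":" + _LANG
    + "(?::" + _COMP + "){4}"
)

# CPE 2.2 URI binding: "cpe:/" + lowercase part + 1..6 colon-separated fields.
# Deliberately stricter than the NIST pattern, which also accepts a bare "cpe:/"
# and uppercase part letters (a design choice for this example).
_CPE22 = re.compile(r"cpe:/[aho](?::[A-Za-z0-9._~%-]*){1,6}")


def is_valid_cpe(value: str) -> bool:
    """Return True if value is a well-formed CPE 2.2 URI or CPE 2.3 string."""
    # fullmatch anchors both ends, so trailing junk is rejected as well.
    return bool(_CPE23.fullmatch(value) or _CPE22.fullmatch(value))


class Component:
    """Minimal stand-in for an SBOM component with a validating cpe setter."""

    def __init__(self, name: str, cpe: Optional[str] = None) -> None:
        self.name = name
        self._cpe: Optional[str] = None
        self.cpe = cpe  # routed through the setter so __init__ validates too

    @property
    def cpe(self) -> Optional[str]:
        return self._cpe

    @cpe.setter
    def cpe(self, value: Optional[str]) -> None:
        # None stays allowed (cpe is optional); anything else must parse.
        if value is not None and not is_valid_cpe(value):
            raise ValueError(f"Invalid CPE format: {value}")
        self._cpe = value


def rejects_cpe(value: str) -> bool:
    """True if constructing a Component with this cpe raises ValueError."""
    try:
        Component("probe", value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real SBOM.
    samples = [
        "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*",  # valid 2.3
        "cpe:/a:apache:log4j:2.14.1",                   # valid 2.2 URI
        "cpe:2.3:a:vendor",                             # too few fields
        "not-a-cpe",                                    # no cpe prefix
    ]
    for s in samples:
        print(f"{s!r}: valid={is_valid_cpe(s)} rejected_by_setter={rejects_cpe(s)}")
```

Failing at the setter gives the producer an exception with the offending value at the point it was introduced, rather than a schema error at serialization time; the trade-off, as noted above, is that inputs the previous release accepted silently now raise, which is a behavioural change for callers.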

cyclonedx/__init__.py Outdated
semantic-release and others added 22 commits October 27, 2024 15:49
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: gruebel <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Fixes CycloneDX#721

Signed-off-by: weichslgartner <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
---------

Signed-off-by: Hakan Dilek <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
This reverts commit ce3fe7f.

Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
…eDX#729)

Updates the requirements on [tox](https://github.com/tox-dev/tox) to
permit the latest version.
(Release notes, changelog and commit list for tox 4.23.0...4.23.2 omitted; see https://github.com/tox-dev/tox/compare/4.23.0...4.23.2)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.


---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Saquib Saifee <[email protected]>
…neDX#730)

Updates the requirements on [mypy](https://github.com/python/mypy) to
permit the latest version.
(Changelog for mypy 1.13 and commit list omitted; see https://github.com/python/mypy/compare/v1.12.0...v1.13.0)

Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| mypy | [>= 0.971.a, < 0.972] |


Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Fixes CycloneDX#721

Signed-off-by: weichslgartner <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
@jkowalleck jkowalleck self-requested a review October 28, 2024 11:22
@jkowalleck jkowalleck added this to the 9.0.0 milestone Oct 29, 2024
Labels
breaking change enhancement New feature or request
Development

Successfully merging this pull request may close these issues.

Improvement: Apply Regex check to Component.cpe
6 participants