Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add CPE format validation in property setter #711

Open
wants to merge 57 commits into
base: main
Choose a base branch
from

Conversation

saquibsaifee
Copy link
Contributor

@saquibsaifee saquibsaifee commented Oct 14, 2024

Fixes #580

  • Implemented validation of CPE format using CPE library
  • Added tests to verify the handling of invalid CPE strings.

Note:

  • The CPE library is missing library stubs or py.typed marker, not sure how you want to handle it. I used type:ignore.
  • CPE library raises NotImplementedErorr for incorrect CPE Name or version link

saquibsaifee and others added 5 commits June 21, 2024 12:33
- Implemented regex-based validation for CPE format in the model.
- Added tests to verify handling of invalid CPE strings.

Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
@saquibsaifee saquibsaifee requested a review from a team as a code owner October 14, 2024 22:34
@saquibsaifee
Copy link
Contributor Author

@jkowalleck have a look at this PR

Signed-off-by: Saquib Saifee <[email protected]>
@jkowalleck jkowalleck changed the title !feat: add CPE format validation in property setter feat: add CPE format validation in property setter Oct 15, 2024
@jkowalleck jkowalleck added enhancement New feature or request breaking change labels Oct 15, 2024
try:
CPE(cpe)
except NotImplementedError:
raise ValueError(f'Invalid CPE format: {cpe}')
Copy link
Member

@jkowalleck jkowalleck Oct 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This behavioral change is considered a breaking change.
Not a blocker, just a remark.

@jkowalleck
Copy link
Member

Thank you for your contribution, @saquibsaifee

We have an schema-based validator in place already, so there already is a mechanism that can check for valid CPE.
This means: there is no REAL reason to implement this in the first place -- it is a nice to have.
That, and the fact that the implementation introduced breaking changes causes this PR to be postponed.

cyclonedx/__init__.py Outdated Show resolved Hide resolved
semantic-release and others added 22 commits October 27, 2024 15:49
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: gruebel <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Fixes CycloneDX#721

Signed-off-by: weichslgartner <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
---------

Signed-off-by: Hakan Dilek <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
This reverts commit ce3fe7f.

Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
…eDX#729)

Updates the requirements on [tox](https://github.com/tox-dev/tox) to
permit the latest version.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tox-dev/tox/releases">tox's
releases</a>.</em></p>
<blockquote>
<h2>4.23.2</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>Support external tox.pytest usage via &quot;test&quot; extra by <a
href="https://github.com/mbra"><code>@​mbra</code></a> in <a
href="https://github.com/tox-dev/tox/pull/3422">tox-dev/tox#3422</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/mbra"><code>@​mbra</code></a> made their
first contribution in <a
href="https://github.com/tox-dev/tox/pull/3422">tox-dev/tox#3422</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/tox/compare/4.23.1...4.23.2">https://github.com/tox-dev/tox/compare/4.23.1...4.23.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tox-dev/tox/blob/main/docs/changelog.rst">tox's
changelog</a>.</em></p>
<blockquote>
<h2>v4.23.2 (2024-10-22)</h2>
<p>Misc - 4.23.2</p>
<pre><code>- :issue:`3415`
<h2>v4.23.1 (2024-10-21)</h2>
<p>Improved Documentation - 4.23.1
</code></pre></p>
<ul>
<li>Fix bad example in documentation for dependency groups - by
:user:<code>gaborbernat</code>. (:issue:<code>3240</code>)</li>
</ul>
<h2>v4.23.0 (2024-10-16)</h2>
<p>Features - 4.23.0</p>
<pre><code>- Add ``NETRC`` to the list of environment variables always
passed through. (:issue:`3410`)
<p>Improved Documentation - 4.23.0
</code></pre></p>
<ul>
<li>replace <code>[tool.pyproject]</code> and
<code>[tool.tox.pyproject]</code> with <code>[tool.tox]</code> in
config.rst (:issue:<code>3411</code>)</li>
</ul>
<h2>v4.22.0 (2024-10-15)</h2>
<p>Features - 4.22.0</p>
<pre><code>- Implement dependency group support as defined in :pep:`735`
- see :ref:`dependency_groups` - by :user:`gaborbernat`. (:issue:`3408`)
<h2>v4.21.2 (2024-10-03)</h2>
<p>Bugfixes - 4.21.2
</code></pre></p>
<ul>
<li>Include <code>tox.toml</code> in sdist archives to fix test failures
resulting from its lack.
<ul>
<li>by :user:<code>mgorny</code> (:issue:<code>3389</code>)</li>
</ul>
</li>
</ul>
<h2>v4.21.1 (2024-10-02)</h2>
<p>Bugfixes - 4.21.1</p>
<pre><code>- Fix error when using ``requires`` within a TOML
configuration file - by :user:`gaborbernat`. (:issue:`3386`)
- Fix error when using ``deps`` within a TOML configuration file - by
:user:`gaborbernat`. (:issue:`3387`)
- Multiple fixes for the TOML configuration by :user:`gaborbernat`.:
<ul>
<li>Do not fail when there is an empty command within
<code>commands</code>.
&lt;/tr&gt;&lt;/table&gt;
</code></pre></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/tox-dev/tox/commit/0447036240f4fe48605124635553c5bbf0469651"><code>0447036</code></a>
release 4.23.2</li>
<li><a
href="https://github.com/tox-dev/tox/commit/f0799ac01d161d7dc00fc92da9734ea08b768f7f"><code>f0799ac</code></a>
Support external tox.pytest usage via &quot;test&quot; extra (<a
href="https://github.com/tox-dev/tox/issues/3422">#3422</a>)</li>
<li><a
href="https://github.com/tox-dev/tox/commit/ec88713785a81f883ea12387dfb40045b0ac4181"><code>ec88713</code></a>
Fix docs link check</li>
<li><a
href="https://github.com/tox-dev/tox/commit/962bc59626cfa8163ac6068720505408b257163f"><code>962bc59</code></a>
release 4.23.1</li>
<li><a
href="https://github.com/tox-dev/tox/commit/5916cc9814ed16cf6c963da08c5eb0ec01872495"><code>5916cc9</code></a>
Fix example docs (<a
href="https://github.com/tox-dev/tox/issues/3421">#3421</a>)</li>
<li><a
href="https://github.com/tox-dev/tox/commit/e9cb93a81b6ff1b7a1eb25d540384c84f1186d4d"><code>e9cb93a</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://github.com/tox-dev/tox/issues/3418">#3418</a>)</li>
<li><a
href="https://github.com/tox-dev/tox/commit/88c1b99c18103186844f8fae4729de9f7f60a44a"><code>88c1b99</code></a>
Docs: adjusting EOL Python version testing remarks (<a
href="https://github.com/tox-dev/tox/issues/3417">#3417</a>)</li>
<li>See full diff in <a
href="https://github.com/tox-dev/tox/compare/4.23.0...4.23.2">compare
view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Saquib Saifee <[email protected]>
…neDX#730)

Updates the requirements on [mypy](https://github.com/python/mypy) to
permit the latest version.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/python/mypy/blob/master/CHANGELOG.md">mypy's
changelog</a>.</em></p>
<blockquote>
<h1>Mypy Release Notes</h1>
<h2>Next release</h2>
<h2>Mypy 1.13</h2>
<p>We’ve just uploaded mypy 1.13 to the Python Package Index (<a
href="https://pypi.org/project/mypy/">PyPI</a>).
Mypy is a static type checker for Python. You can install it as
follows:</p>
<pre><code>python3 -m pip install -U mypy
</code></pre>
<p>You can read the full documentation for this release on <a
href="http://mypy.readthedocs.io">Read the Docs</a>.</p>
<p>Note that unlike typical releases, Mypy 1.13 does not have any
changes to type checking semantics
from 1.12.1.</p>
<h3>Improved performance</h3>
<p>Mypy 1.13 contains several performance improvements. Users can expect
mypy to be 5-20% faster.
In environments with long search paths (such as environments using many
editable installs), mypy
can be significantly faster, e.g. 2.2x faster in the use case targeted
by these improvements.</p>
<p>Mypy 1.13 allows use of the <code>orjson</code> library for handling
the cache instead of the stdlib <code>json</code>,
for improved performance. You can ensure the presence of
<code>orjson</code> using the <code>faster-cache</code> extra:</p>
<pre><code>python3 -m pip install -U mypy[faster-cache]
</code></pre>
<p>Mypy may depend on <code>orjson</code> by default in the future.</p>
<p>These improvements were contributed by Shantanu.</p>
<p>List of changes:</p>
<ul>
<li>Significantly speed up file handling error paths (Shantanu, PR <a
href="https://github.com/python/mypy/pull/17920">17920</a>)</li>
<li>Use fast path in modulefinder more often (Shantanu, PR <a
href="https://github.com/python/mypy/pull/17950">17950</a>)</li>
<li>Let mypyc optimise os.path.join (Shantanu, PR <a
href="https://github.com/python/mypy/pull/17949">17949</a>)</li>
<li>Make is_sub_path faster (Shantanu, PR <a
href="https://github.com/python/mypy/pull/17962">17962</a>)</li>
<li>Speed up stubs suggestions (Shantanu, PR <a
href="https://github.com/python/mypy/pull/17965">17965</a>)</li>
<li>Use sha1 for hashing (Shantanu, PR <a
href="https://github.com/python/mypy/pull/17953">17953</a>)</li>
<li>Use orjson instead of json, when available (Shantanu, PR <a
href="https://github.com/python/mypy/pull/17955">17955</a>)</li>
<li>Add faster-cache extra, test in CI (Shantanu, PR <a
href="https://github.com/python/mypy/pull/17978">17978</a>)</li>
</ul>
<h3>Acknowledgements</h3>
<p>Thanks to all mypy contributors who contributed to this release:</p>
<ul>
<li>Shantanu Jain</li>
<li>Jukka Lehtosalo</li>
</ul>
<h2>Mypy 1.12</h2>
<p>We’ve just uploaded mypy 1.12 to the Python Package Index (<a
href="https://pypi.org/project/mypy/">PyPI</a>). Mypy is a static
type</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/python/mypy/commit/eb310343be0399ea6755fabc259755ce1f6711e8"><code>eb31034</code></a>
Bump version to 1.13.0</li>
<li><a
href="https://github.com/python/mypy/commit/2eeb5880184970ae1c0b20c0e06855b6d311bc19"><code>2eeb588</code></a>
Update changelog for 1.12.1 (<a
href="https://github.com/python/mypy/issues/17999">#17999</a>)</li>
<li><a
href="https://github.com/python/mypy/commit/bc0386b7f96aa131cbf345698a22a9d4b79e9cb4"><code>bc0386b</code></a>
Changelog for 1.13 (<a
href="https://github.com/python/mypy/issues/18000">#18000</a>)</li>
<li><a
href="https://github.com/python/mypy/commit/5c4d2db7009fa9035b8b3fcffe25182aaa4dc846"><code>5c4d2db</code></a>
Add faster-cache extra, test in CI (<a
href="https://github.com/python/mypy/issues/17978">#17978</a>)</li>
<li><a
href="https://github.com/python/mypy/commit/854ad189ab7c4f487950ad34e142fd327dce3227"><code>854ad18</code></a>
Make is_sub_path faster (<a
href="https://github.com/python/mypy/issues/17962">#17962</a>)</li>
<li><a
href="https://github.com/python/mypy/commit/50aa4ca8425d0bb668d514b8ee5c6aeacb605b27"><code>50aa4ca</code></a>
Speed up stubs suggestions (<a
href="https://github.com/python/mypy/issues/17965">#17965</a>)</li>
<li><a
href="https://github.com/python/mypy/commit/7c27808a0be2fc205788a826be83cbb0a68f89e1"><code>7c27808</code></a>
Use orjson instead of json, when available (<a
href="https://github.com/python/mypy/issues/17955">#17955</a>)</li>
<li><a
href="https://github.com/python/mypy/commit/2cd2406117e86838de36a9f73ba47c67fa763e1a"><code>2cd2406</code></a>
Use fast path in modulefinder more often (<a
href="https://github.com/python/mypy/issues/17950">#17950</a>)</li>
<li><a
href="https://github.com/python/mypy/commit/e20aaeeaa215b2e617d460599c4310427ba8f902"><code>e20aaee</code></a>
Let mypyc optimise os.path.join (<a
href="https://github.com/python/mypy/issues/17949">#17949</a>)</li>
<li><a
href="https://github.com/python/mypy/commit/159974cc59de459cfb3e31ba3e1d8f279734f66d"><code>159974c</code></a>
Use sha1 for hashing (<a
href="https://github.com/python/mypy/issues/17953">#17953</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/python/mypy/compare/v1.12.0...v1.13.0">compare
view</a></li>
</ul>
</details>
<br />

<details>
<summary>Most Recent Ignore Conditions Applied to This Pull
Request</summary>

| Dependency Name | Ignore Conditions |
| --- | --- |
| mypy | [>= 0.971.a, < 0.972] |
</details>

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
Fixes CycloneDX#721

Signed-off-by: weichslgartner <[email protected]>
Signed-off-by: Saquib Saifee <[email protected]>
@jkowalleck jkowalleck self-requested a review October 28, 2024 11:22
@jkowalleck jkowalleck added this to the 9.0.0 milestone Oct 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
breaking change enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Improvement: Apply Regex check to Component.cpe
6 participants