Replace nvdtools CPE library #2461

Open
asadjaffar opened this issue Feb 19, 2025 · 2 comments
Labels
bug Something isn't working

Comments


asadjaffar commented Feb 19, 2025

Hello, I am using an SBOM and when I scan it, it says that the CPE is invalid, but I believe the CPE is not invalid. Can anyone confirm why I am getting this message:

asad@asad-Lenovo-V330-15IKB:~/Downloads/wwe$ grype sbom:u8h8dnoj.cdx.json
 ✔ Vulnerability DB                [updated]  
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 
[0000]  WARN invalid CPE: cpe:2.3:a:dicer_project:dicer::*:*:*:*:node.js:*:*
[0234]  WARN attempted CPE search on OWASP Juice Shop, which has no CPEs. Consider re-running with --add-cpes-if-none
[0234]  WARN attempted CPE search on dicer, which has no CPEs. Consider re-running with --add-cpes-if-none
[0234]  WARN attempted CPE search on multer, which has no CPEs. Consider re-running with --add-cpes-if-none
No vulnerabilities found

The SBOM I used was this:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:45dd676b-5fbc-4b01-a28b-2ecbbe87d03e",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-29T12:51:10Z",
    "tools": {},
    "authors": [
      {
        "name": "Martin Rosso",
        "email": "[email protected]"
      }
    ],
    "manufacturer": {
      "name": "Universita degli Studi di Padova, Dipartimento di Matematica",
      "address": {
        "country": "Italy",
        "locality": "Padua"
      },
      "url": ["https://www.math.unipd.it/"]
    },
    "supplier": {
      "name": "OWASP",
      "url": ["https://owasp.org/"]
    },
    "component": {
      "bom-ref": "REF-juiceshop",
      "type": "application",
      "name": "OWASP Juice Shop",
      "version": "14.3.0",
      "author": "OWASP",
      "publisher": "OWASP",
      "supplier": {"name": "OWASP"},
      "copyright": "MIT"
    },
    "licenses": [{"license": {"id": "CC-BY-4.0"}}],
    "properties": [
      {
        "name": "comment",
        "value": "Minimal SBOM for research and education"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "REF-multer",
      "type": "library",
      "name": "multer",
      "version": "1.4.2"
    },
    {
      "bom-ref": "REF-dicer",
      "type": "library",
      "name": "dicer",
      "cpe": "cpe:2.3:a:dicer_project:dicer::*:*:*:*:node.js:*:*"
    }
  ],
  "dependencies": [
    {
      "ref": "REF-juiceshop",
      "dependsOn": ["REF-multer"]
    },
    {
      "ref": "REF-multer",
      "dependsOn": ["REF-dicer"]
    }
  ],
  "vulnerabilities": []
}
asadjaffar added the bug label on Feb 19, 2025
@wagoodman (Contributor) commented

It looks like the version field is empty, which is what is triggering the failure. We use a rather long regex to validate the CPE, since the upstream lib has a few known bugs around parsing; however, this lib has since been archived.

So, I think the next plan is to find a lib that we can use in place of the existing one we're using, test out the string parsing function to ensure it's well behaved relative to the spec, then remove the existing regex validation approach from our codebase.

wagoodman changed the title from "CPE invalid error" to "Replace nvdtools CPE library" on Feb 20, 2025
wagoodman moved this to Ready in OSS on Feb 20, 2025
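To make the empty-version failure above concrete, here is an added example (not grype's or nvdtools' code; the function names are my own) of the structural check a replacement CPE parser has to get right: it splits a CPE 2.3 formatted string on unescaped colons, requires the cpe:2.3 prefix and 13 fields, and rejects any empty attribute, which is exactly what makes the SBOM's dicer CPE invalid while the same string with version set to "*" passes.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute names of a CPE 2.3 formatted string, after the "cpe" and "2.3" prefix fields.
var cpeAttrs = []string{"part", "vendor", "product", "version", "update", "edition",
	"language", "sw_edition", "target_sw", "target_hw", "other"}
// splitCPE splits on colons that are not backslash-escaped ("\:" may appear inside a value).
func splitCPE(s string) []string {
	var fields []string
	var cur strings.Builder
	escaped := false
	for _, r := range s {
		if r == ':' && !escaped {
			fields = append(fields, cur.String())
			cur.Reset()
			continue
		}
		cur.WriteRune(r)
		escaped = r == '\\' && !escaped
	}
	return append(fields, cur.String())
}

// ValidateCPE enforces the structural rules of a CPE 2.3 formatted string: the "cpe:2.3"
// prefix, exactly 11 attributes, and no empty attribute ("*" means ANY, "-" means NA).
func ValidateCPE(s string) error {
	f := splitCPE(s)
	if len(f) != 13 {
		return fmt.Errorf("expected 13 colon-separated fields, got %d", len(f))
	}
	if f[0] != "cpe" || f[1] != "2.3" {
		return fmt.Errorf("missing cpe:2.3 prefix")
	}
	for i, name := range cpeAttrs {
		if f[i+2] == "" {
			return fmt.Errorf("attribute %q is empty; use * for ANY or - for NA", name)
		}
	}
	return nil
}

func main() {
	// The CPE from this issue's SBOM (empty version), then the same CPE with version "*".
	fmt.Println(ValidateCPE("cpe:2.3:a:dicer_project:dicer::*:*:*:*:node.js:*:*"))
	fmt.Println(ValidateCPE("cpe:2.3:a:dicer_project:dicer:*:*:*:*:*:node.js:*:*"))
}
```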
@asadjaffar (Author) commented

Hey, thank you for your explanation! It’s really helpful to understand why the validation failed and the background on the CPE parsing issues. Good to know there’s already a plan in place to address this by looking into alternative libraries and making sure everything aligns better with the spec.

Just to confirm, is this inconsistency something that only occurs in edge cases (like the empty version field) and not something that would typically happen in production, especially with a decent SBOM generator? It seems like more of a niche issue, but it’s great to see steps being taken to improve the validation process going forward.
