feat: add CPE format validation in property setter

Saquib Saifee · Saquib Saifee · commit c74218ba0f96 · 2024-10-14T18:33:19.000-04:00
Signed-off-by: Saquib Saifee &lt;saquibsaifee@ibm.com&gt;
diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py
@@ -23,6 +23,7 @@
 
 # See https://github.com/package-url/packageurl-python/issues/65
 import serializable
+from cpe import CPE  # type:ignore
 from packageurl import PackageURL
 from sortedcontainers import SortedSet
 
@@ -1457,7 +1458,11 @@ def cpe(self) -> Optional[str]:
 
     @cpe.setter
     def cpe(self, cpe: Optional[str]) -> None:
-        self._cpe = cpe
+        if cpe:
+            try:
+                CPE(cpe)
+            except NotImplementedError:
+                raise ValueError(f'Invalid CPE format: {cpe}')
 
     @property
     @serializable.type_mapping(PackageUrlSH)
diff --git a/pyproject.toml b/pyproject.toml
@@ -74,6 +74,7 @@ sortedcontainers = "^2.4.0"
 license-expression = "^30"
 jsonschema = { version = "^4.18", extras=['format'], optional=true }
 lxml = { version=">=4,<6", optional=true }
+cpe = "^1.3.1"
 
 [tool.poetry.extras]
 validation = ["jsonschema", "lxml"]
diff --git a/tests/test_model_component.py b/tests/test_model_component.py
@@ -283,6 +283,16 @@ def test_nested_components_2(self) -> None:
         self.assertEqual(3, len(comp_b.get_all_nested_components(include_self=True)))
         self.assertEqual(2, len(comp_b.get_all_nested_components(include_self=False)))
 
+    def test_cpe_validation_valid_format(self) -> None:
+        cpe = 'cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*'
+        c = Component(name='test-component', cpe=cpe)
+        self.assertEqual(c.cpe, cpe)
+
+    def test_cpe_validation_invalid_format(self) -> None:
+        invalid_cpe = 'invalid-cpe-string'
+        with self.assertRaises(ValueError):
+            Component(name='test-component', cpe=invalid_cpe)
+
 
 class TestModelComponentEvidence(TestCase):
 
