From 37a8902c79a53dfe0c1a88d0128c77caef0e6960 Mon Sep 17 00:00:00 2001
From: ranjanmangla1 <ranjanmangla1@gmail.com>
Date: Wed, 24 Apr 2024 23:06:22 +0530
Subject: [PATCH 1/2] fix: improved cpe parsing in sbom code

Signed-off-by: ranjanmangla1 <ranjanmangla1@gmail.com>
---
 cve_bin_tool/sbom_manager/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cve_bin_tool/sbom_manager/__init__.py b/cve_bin_tool/sbom_manager/__init__.py
index ca5935679a..7b244a67d3 100644
--- a/cve_bin_tool/sbom_manager/__init__.py
+++ b/cve_bin_tool/sbom_manager/__init__.py
@@ -343,7 +343,7 @@ def decode_cpe22(self, cpe22) -> (str | None, str | None, str | None):
 
         """
 
-        cpe = cpe22.split(":")
+        cpe = re.split(r"(?<!\\):", cpe22)
         vendor, product, version = cpe[2], cpe[3], cpe[4]
         # Return available data, convert empty fields to None
         return [vendor or None, product or None, version or None]
@@ -361,7 +361,7 @@ def decode_cpe23(self, cpe23) -> (str | None, str | None, str | None):
 
         """
 
-        cpe = cpe23.split(":")
+        cpe = re.split(r"(?<!\\):", cpe23)
         vendor, product, version = cpe[3], cpe[4], cpe[5]
         # Return available data, convert empty fields to None
         return [vendor or None, product or None, version or None]

From 9adee51843291f2052444f8eba40cbdcc3b1d487 Mon Sep 17 00:00:00 2001
From: Terri Oda <terri@toybox.ca>
Date: Thu, 25 Apr 2024 09:57:43 -0700
Subject: [PATCH 2/2] fix: explain : escaping regex

---
 cve_bin_tool/sbom_manager/__init__.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cve_bin_tool/sbom_manager/__init__.py b/cve_bin_tool/sbom_manager/__init__.py
index 7b244a67d3..f2249c9460 100644
--- a/cve_bin_tool/sbom_manager/__init__.py
+++ b/cve_bin_tool/sbom_manager/__init__.py
@@ -343,6 +343,7 @@ def decode_cpe22(self, cpe22) -> (str | None, str | None, str | None):
 
         """
 
+        # split on `:` only if it's not escaped
         cpe = re.split(r"(?<!\\):", cpe22)
         vendor, product, version = cpe[2], cpe[3], cpe[4]
         # Return available data, convert empty fields to None
@@ -361,6 +362,7 @@ def decode_cpe23(self, cpe23) -> (str | None, str | None, str | None):
 
         """
 
+        # split on `:` only if it's not escaped
         cpe = re.split(r"(?<!\\):", cpe23)
         vendor, product, version = cpe[3], cpe[4], cpe[5]
         # Return available data, convert empty fields to None