cve_check: Improve escaping of special characters in CPE 2.3

According to the NISTIR 7695 specification [1], multiple characters
require escaping when using formatted strings (e.g., `cpe:2.3:...`),
which use backslash escaping. In "Figure 6-3. ABNF for Formatted String
Binding"", the characters that need escaping are referenced by "escape",
"special", and "punc". More characters must be escaped than just
`\`, `?`, `*`, `:`, and `+`.

Additionally, use `maketrans()` with `translate()`, which is more
efficient than a simple `replace()`.

[1] https://nvlpubs.nist.gov/nistpubs/legacy/ir/nistir7695.pdf

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 65557435149a1314313b934bd994c288fd23a3e2..22b5062c977cdd9f3887e47d94a9a455a3827033 100644 (file)
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -205,33 +205,29 @@ def get_patched_cves(d):
     return patched_cves
 
 
+_CPE23_ENCODE_TRANS_TABLE = str.maketrans(
+    {c: f"\\{c}" for c in [
+        "\\", "!", '"', "#", "$", "%", "&", "'", "(", ")", "+", ",", "/", ":", ";",
+        "<", "=", ">", "@", "[", "]", "^", "`", "{", "|", "}", "~", "?", "*"
+    ]}
+)
+
+
 def cpe_escape(value):
-    r"""
+    """
     Escape special characters for CPE 2.3 formatted string binding.
 
     CPE 2.3 formatted string binding (cpe:2.3:...) uses backslash escaping
     for special meta-characters, NOT percent-encoding. Percent-encoding is
     only used in the URI binding (cpe:/...).
 
-    According to NISTIR 7695, these characters need escaping:
-    - Backslash (\) -> \\
-    - Question mark (?) -> \?
-    - Asterisk (*) -> \*
-    - Colon (:) -> \:
-    - Plus (+) -> \+ (required by some SBOM validators)
+    According to NISTIR 7695, various characters referenced in the "Figure 6-3.
+    ABNF for Formatted String Binding" need escaping: escape, special and punc.
     """
     if not value:
         return value
 
-    # Escape special meta-characters for CPE 2.3 formatted string binding
-    # Order matters: escape backslash first to avoid double-escaping
-    result = value.replace('\\', '\\\\')
-    result = result.replace('?', '\\?')
-    result = result.replace('*', '\\*')
-    result = result.replace(':', '\\:')
-    result = result.replace('+', '\\+')
-
-    return result
+    return value.translate(_CPE23_ENCODE_TRANS_TABLE)
 
 
 def get_cpe_ids(cve_product, version):