fix: Incorrect validation of purl (fixes #4420) (#4422)

cve_bin_tool/sbom_manager/parse.py

@@ -214,21 +214,18 @@ def get_vendor(self, product: str) -> list:
 
     def is_valid_string(self, string_type: str, ref_string: str) -> bool:
         """
-        Validate the PURL, CPE string is the correct form.
+        Validate the CPE string is the correct form.
 
         Args:
-        - ref_string (str): PURL, CPE strings
-        - string_type (str): ref_string type. (purl, cpe22 or cpe23)
+        - ref_string (str): CPE strings
+        - string_type (str): ref_string type. (cpe22 or cpe23)
 
         Returns:
         - bool: True if the ref_string parameter is a valid purl or cpe string, False otherwise.
 
         """
         string_pattern: str
-        if string_type == "purl":
-            string_pattern = r"^(?P<scheme>.+):(?P<type>.+)/(?P<namespace>.+)/(?P<name>.+)@(?P<version>.+)\??(?P<qualifiers>.*)#?(?P<subpath>.*)$"
-
-        elif string_type == "cpe23":
+        if string_type == "cpe23":
             string_pattern = r"^cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?\!\"#\$%&'\(\)\+,\-\.\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?\!\"#\$%&'\(\)\+,\-\.\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}"
 
         elif string_type == "cpe22":
@@ -377,7 +374,8 @@ def parse_ext_ref(self, ext_ref) -> (str | None, str | None, str | None):
             elif ref_type == "cpe22Type" and self.is_valid_string("cpe22", ref_string):
                 decoded["cpe22Type"] = decode_cpe22(ref_string)
 
-            elif ref_type == "purl" and self.is_valid_string("purl", ref_string):
+            elif ref_type == "purl":
+                # Validation of purl is performed implicitly within the decode_purl function
                 decoded["purl"] = self.decode_purl(ref_string)
 
         # No ext-ref matches, return none