In preparing CPE 2.3 specifications, we noticed an oddity in the
2.2 specification having to do with trailing colons in CPE names.
The question is: should the CPE names “cpe:/a:b:c”
and “cpe:/a:b:c::” be considered different, or should we be
permitted to automatically delete trailing colons?
The 2.2 specification, as written, is unclear on this
point. The matching algorithm has a length test, but is silent on whether
“cpe:/a:b:c::” is of length 3 or 4. The sample matching
algorithm in Java, posted on the CPE website, appears to treat the two names as
being of different lengths, and this leads to matching behavior that strikes
some of us as undesirable. NIST’s implementation of matching normalizes
all names prior to matching, and the Core Team’s consensus is that the
two names SHOULD NOT be considered different, and that a default practice of
deleting trailing colons is acceptable.
In 2.3, we’ve specified a backward-compatible URI binding
procedure which deletes trailing colons. We’d like to know if any
implementations depend on preserving trailing colons.
Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352