I'm trying to validate CPE 2.3 names with a regular expression. The basic structure of a CPE 2.3 name is as follows:
cpe:2.3:part:vendor:product:version:update:edition:lang:sw_edition:target_sw:target_hw:other
part, vendor, product, version, etc. can consist of a series of alphanumeric characters, digits and some special characters which are defined in the standard.
The problem I'm facing at the moment is that it is allowed to use an escaped colon (\:) within any of these fields (vendor, product, etc.). Therefore I can't use a quantifier to check whether the right number of fields is present within a CPE.
[Example]
Regex = cpe\:2\.3\:[aho](\:[a-zA-Z0-9\!\"\#\$\%\&\'\(\)\*\+\,\-\_\.\/\;\<\=\>\?\@\[\\\]\\^\`\{\|\}\~]+)\g<1>{9}
Validating the following CPE Name with this regex works just fine:
cpe:2.3:a:1024cms:1024_cms:1.4.1:*:*:*:*:*:*:*
However, validating the following CPE name with the same regular expression fails since the quantifier is wrong due to the \: sequence in the product field of the CPE.
cpe:2.3:a:alawar:motor_town\\:_machine_soul_free:1.1:*:*:*:*:android:*:*
Another example where the matching fails is the following:
cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.6:*:*:*:*:*:*:*
Here the matching still fails because of the \: sequence, but for a different reason: now the + quantifier for the first capturing group is not satisfied.
How can I match such a CPE properly without using a greedy quantifier?
The official CPE schema specifies this regex:
cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}
Reference: https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd
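An added example (not part of the original answer or the NIST schema): the schema pattern above ported to Python and run against the question's names, showing that an escaped colon stays inside its field. The function and constant names are assumptions, and the samples are the question's names written with a single backslash, plus one that keeps the doubled backslash to show it is rejected.

```python
import re

# The schema pattern quoted above, factored into pieces (groups made
# non-capturing, the duplicated "$" dropped). A quoted character is a backslash
# plus one punctuation character, so "\:" is consumed inside a value and is
# never taken as a field separator.
_QUOTED = r"\\[\\\*\?!\"#$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]"
_AVSTRING = rf"(?:(?:\?*|\*?)(?:[a-zA-Z0-9\-\._]|{_QUOTED})+(?:\?*|\*?)|[\*\-])"
_LANG = r"(?:[a-zA-Z]{2,3}(?:-(?:[a-zA-Z]{2}|[0-9]{3}))?|[\*\-])"
CPE23 = re.compile(
    rf"cpe:2\.3:[aho\*\-](?::{_AVSTRING}){{5}}:{_LANG}(?::{_AVSTRING}){{4}}"
)

# Attribute names in the order given in the question.
FIELDS = ("part vendor product version update edition lang "
          "sw_edition target_sw target_hw other").split()

def split_fields(name):
    """Split on colons that are not escaped by a preceding backslash."""
    return re.findall(r"(?:\\.|[^:\\])+", name)

def parse_cpe23(name):
    """Return {attribute: value} for a well-formed name, else None."""
    if not CPE23.fullmatch(name):
        return None
    return dict(zip(FIELDS, split_fields(name)[2:]))

# Constructed samples: the question's names with a single backslash, then one
# with the doubled backslash, where "\\" is a quoted backslash and the colon
# after it becomes a separator (12 attribute fields, so it is rejected).
SAMPLES = [
    r"cpe:2.3:a:1024cms:1024_cms:1.4.1:*:*:*:*:*:*:*",
    r"cpe:2.3:a:alawar:motor_town\:_machine_soul_free:1.1:*:*:*:*:android:*:*",
    r"cpe:2.3:a:lemonldap-ng:lemonldap\:\::0.6:*:*:*:*:*:*:*",
    r"cpe:2.3:a:alawar:motor_town\\:_machine_soul_free:1.1:*:*:*:*:android:*:*",
]

if __name__ == "__main__":
    for s in SAMPLES:
        parsed = parse_cpe23(s)
        print("valid  " if parsed else "INVALID", s)
        if parsed:
            print("        product =", parsed["product"])
```

If names arrive with doubled backslashes because of JSON or string-literal escaping, undo that layer before validating; otherwise valid names are rejected.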