Error when creating SPDX-SBOM for package have special-characters

[KAWAHARA-souta]

When trying to create an SPDX-SBOM for packages that have special characters in their package names or versions, the spdx-tools validation fails, and the SBOM cannot be generated.

$ python alma_sbom.py --output-file dust --rpm-package-hash 7067dbd995e1cbfa352dc9dc565adcfa4dac252b85f02e0ee47661f7a6d219fd --file-format spdx-json
Traceback (most recent call last):
  File "/home/khwarizmi/work/alma-sbom/alma_sbom.py", line 704, in <module>
    cli_main()
  File "/home/khwarizmi/work/alma-sbom/alma_sbom.py", line 700, in cli_main
    sbom_formatter.run()
  File "/home/khwarizmi/work/alma-sbom/libsbom/spdx.py", line 276, in run
    writer.write_document_to_file(
  File "/home/khwarizmi/work/alma-sbom/env/lib64/python3.9/site-packages/spdx_tools/spdx/writer/json/json_writer.py", line 38, in write_document_to_file
    write_document_to_stream(document, out, validate, converter, drop_duplicates)
  File "/home/khwarizmi/work/alma-sbom/env/lib64/python3.9/site-packages/spdx_tools/spdx/writer/json/json_writer.py", line 25, in write_document_to_stream
    document = validate_and_deduplicate(document, validate, drop_duplicates)
  File "/home/khwarizmi/work/alma-sbom/env/lib64/python3.9/site-packages/spdx_tools/spdx/writer/write_utils.py", line 17, in validate_and_deduplicate
    raise ValueError(f"Document is not valid. The following errors were detected: {validation_messages}")
ValueError: Document is not valid. The following errors were detected: [ValidationMessage(validation_message='externalPackageRef locator of type "cpe23Type" must conform with the regex ^cpe:2
\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#$$%&\\\'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[
\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#$$%&\\\'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|}~]))+(\\?*|\\*?))|[\\*\\-])){4}$, but is: cpe:2.3:a:almalinux:libstdc++:0\\:11.3.1-4
.3.el9.alma:*:*:*:*:*:*:*', context=ValidationContext(spdx_id=None, parent_id='SPDXRef-0', element_type=<SpdxElementType.EXTERNAL_PACKAGE_REF: 5>, full_element=ExternalPackageRef(category=<Ex
ternalPackageRefCategory.SECURITY: 1>, reference_type='cpe23Type', locator='cpe:2.3:a:almalinux:libstdc++:0\\:11.3.1-4.3.el9.alma:*:*:*:*:*:*:*', comment=None)))]
$ python alma_sbom.py --output-file dust --rpm-package-hash 7067dbd995e1cbfa352dc9dc565adcfa4dac252b85f02e0ee47661f7a6d219fd --file-format cyclonedx-jso
n
/home/khwarizmi/work/alma-sbom/env/lib64/python3.9/site-packages/cyclonedx/model/bom.py:401: UserWarning: The Component this BOM is describing (PURL=pkg:rpm/almalinux/libstdc%2B%[email protected]
.el9.alma?arch=i686&epoch=0&upstream=gcc-11.3.1-4.3.el9.alma.src.rpm) has no defined dependencies which means the Dependency Graph is incomplete - you should add direct dependencies to this C
omponent to complete the Dependency Graph data.
  warnings.warn(