intel · terriko · Apr 25, 2024 · Apr 24, 2024 · Apr 25, 2024
diff --git a/cve_bin_tool/sbom_manager/__init__.py b/cve_bin_tool/sbom_manager/__init__.py
@@ -343,7 +343,8 @@ def decode_cpe22(self, cpe22) -> (str | None, str | None, str | None):
 
         """
 
-        cpe = cpe22.split(":")
+        # split on `:` only if it's not escaped
+        cpe = re.split(r"(?<!\\):", cpe22)
         vendor, product, version = cpe[2], cpe[3], cpe[4]
         # Return available data, convert empty fields to None
         return [vendor or None, product or None, version or None]
@@ -361,7 +362,8 @@ def decode_cpe23(self, cpe23) -> (str | None, str | None, str | None):
 
         """
 
-        cpe = cpe23.split(":")
+        # split on `:` only if it's not escaped
+        cpe = re.split(r"(?<!\\):", cpe23)
         vendor, product, version = cpe[3], cpe[4], cpe[5]
         # Return available data, convert empty fields to None
         return [vendor or None, product or None, version or None]