CPE for amazoncorretto:19.0.1-al2 is incorrect

[eccles]

Please provide a set of steps on how to reproduce the issue
syft -q packages --scope all-layers -o cyclonedx amazoncorretto:19.0.1-al2
What happened:
SBOM is created successfully but validation against schema produces the following failure:

CDX 1.4 is invalid: Failed to validate: 3183: Element '{http://cyclonedx.org/schema/bom/1.4}cpe': [facet 'pattern'] The value 'cpe:2.3:o:amazon:amazon_linux:2' is not accepted by the pattern '([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9.-~%]){0,6})|(cpe:2.3:aho*-{5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*-]))(:(((?|*?)([a-zA-Z0-9-.]|(\[\*?!"#$$%&'()+,/:;<=>@[]^`{|}~]))+(?*|*?))|[*-])){4})'.

What you expected to happen:
Validation to succeed

Environment:

• Output of syft version: 0.60.3
• OS (e.g: cat /etc/os-release or similar): ubuntu:jammy docker image

[eccles]

Please forgive me if this is not a bug in syft but there is a similar issue to do with invalid cpe for another package and I thought that syft developers should be aware of ths.

[kzantow]

Thanks @eccles -- I've reproduced this with the information you've provided and this definitely looks like an invalid CPE, we'll get this taken care of!