PackageVersion with ":" are considered invalid token

[surendrapathak]

While applying sbomqs quality checks on SBOMs, we found the parser failing to parse versions with ":" in them

 pyspdxtools_parser --file bom.nginx.spdx

results in the attached file with the missing field -

PackageVersion must be single line of text, line: 148
PackageVersion must be single line of text, line: 272
...

However, the included versions is indeed

PackageName: bsdutils
PackageVersion: 1**:**2.36.1-8+deb11u1

This is not an issue for spdx-json because of the quotes.

What did you expect to happen?
Accept the valid versions correctly.

What happened instead?
bom.nginx.spdx.txt

parser considers the SBOM invalid

Additional details (base image name, container registry info...):

[meretp]

Thanks for the report! This is indeed a problem of the tag-value parser. With the colon within the version the parser assumes that a new tag value pair starts. But as this is not specified in the spec otherwise and should be valid, this is clearly a bug and I will fix this.