fix: don't encode ':' or '/' as part of the canonical representation

This makes the Java canonical representation match the majority of
other implementations.

Fixes package-url#122
Fixes package-url#92

Author: dwalluck

src/main/java/com/github/packageurl/PackageURL.java

@@ -29,6 +29,7 @@
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
+import java.util.BitSet;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Objects;
@@ -59,6 +60,79 @@ public final class PackageURL implements Serializable {
 
     private static final char PERCENT_CHAR = '%';
 
+    private static final int NBITS = 128;
+
+    private static final BitSet DIGIT = new BitSet(NBITS);
+    static {
+        for (int i = '0'; i <= '9'; i++) {
+            DIGIT.set(i);
+        }
+    }
+
+    private static final BitSet LOWER = new BitSet(NBITS);
+    static {
+        for (int i = 'a'; i <= 'z'; i++) {
+            LOWER.set(i);
+        }
+    }
+
+    private static final BitSet UPPER = new BitSet(NBITS);
+    static {
+        for (int i = 'A'; i <= 'Z'; i++) {
+            UPPER.set(i);
+        }
+    }
+
+    private static final BitSet ALPHA = new BitSet(NBITS);
+    static {
+        ALPHA.or(LOWER);
+        ALPHA.or(UPPER);
+    }
+
+    private static final BitSet ALPHA_DIGIT = new BitSet(NBITS);
+    static {
+        ALPHA_DIGIT.or(ALPHA);
+        ALPHA_DIGIT.or(DIGIT);
+    }
+
+    private static final BitSet UNRESERVED = new BitSet(NBITS);
+    static {
+        UNRESERVED.or(ALPHA_DIGIT);
+        UNRESERVED.set('-');
+        UNRESERVED.set('.');
+        UNRESERVED.set('_');
+        UNRESERVED.set('~');
+    }
+    private static final BitSet SUB_DELIMS = new BitSet(NBITS);
+    static {
+        SUB_DELIMS.set('!');
+        SUB_DELIMS.set('$');
+        SUB_DELIMS.set('&');
+        SUB_DELIMS.set('\'');
+        SUB_DELIMS.set('(');
+        SUB_DELIMS.set(')');
+        SUB_DELIMS.set('*');
+        SUB_DELIMS.set('+');
+        SUB_DELIMS.set(',');
+        SUB_DELIMS.set(';');
+        SUB_DELIMS.set('=');
+
+    }
+    private static final BitSet PCHAR = new BitSet(NBITS);
+    static {
+        PCHAR.or(UNRESERVED);
+        PCHAR.or(SUB_DELIMS);
+        PCHAR.set(':');
+        // PCHAR.set('@'); Always encode '@' in the path due to version
+    }
+    private static final BitSet QUERY = new BitSet(NBITS);
+    static {
+        QUERY.or(PCHAR);
+        QUERY.set('/');
+        QUERY.set('?');
+    }
+    private static final BitSet FRAGMENT = QUERY;
+
     /**
      * Constructs a new PackageURL object by parsing the specified string.
      *
@@ -472,37 +546,42 @@ private String canonicalize(boolean coordinatesOnly) {
         final StringBuilder purl = new StringBuilder();
         purl.append(SCHEME_PART).append(type).append("/");
         if (namespace != null) {
-            purl.append(encodePath(namespace));
+            purl.append(encodePath(namespace, PCHAR));
             purl.append("/");
         }
-        purl.append(percentEncode(name));
+        purl.append(percentEncode(name, PCHAR));
         if (version != null) {
-            purl.append("@").append(percentEncode(version));
+            purl.append("@").append(percentEncode(version, PCHAR));
         }
         if (! coordinatesOnly) {
             if (qualifiers != null) {
                 purl.append("?");
                 qualifiers.forEach((key, value) -> {
                     purl.append(toLowerCase(key));
                     purl.append("=");
-                    purl.append(percentEncode(value));
+                    purl.append(percentEncode(value, QUERY));
                     purl.append("&");
                 });
                 purl.setLength(purl.length() - 1);
             }
             if (subpath != null) {
-                purl.append("#").append(encodePath(subpath));
+                purl.append("#").append(encodePath(subpath, FRAGMENT));
             }
         }
         return purl.toString();
     }
 
-    private static boolean isUnreserved(int c) {
-        return (isValidCharForKey(c) || c == '~');
+    private static boolean isUnreserved(int c, BitSet safe) {
+        if (c < 0 || c >= NBITS) {
+            return false;
+        }
+
+        return safe.get(c);
+
     }
 
-    private static boolean shouldEncode(int c) {
-        return !isUnreserved(c);
+    private static boolean shouldEncode(int c, BitSet safe) {
+        return !isUnreserved(c, safe);
     }
 
     private static boolean isAlpha(int c) {
@@ -564,11 +643,11 @@ private static int indexOfPercentChar(final byte[] bytes, final int start) {
         return IntStream.range(start, bytes.length).filter(i -> isPercent(bytes[i])).findFirst().orElse(-1);
     }
 
-    private static int indexOfUnsafeChar(final byte[] bytes, final int start) {
-        return IntStream.range(start, bytes.length).filter(i -> shouldEncode(bytes[i])).findFirst().orElse(-1);
+    private static int indexOfUnsafeChar(final byte[] bytes, final int start, BitSet safe) {
+        return IntStream.range(start, bytes.length).filter(i -> shouldEncode(bytes[i], safe)).findFirst().orElse(-1);
     }
 
-    private static byte percentDecode(final byte[] bytes, final int start) {
+    static byte percentDecode(final byte[] bytes, final int start) {
         if (start + 2 >= bytes.length) {
             throw new ValidationException("Incomplete percent encoding at offset " + start + " with value '" + new String(bytes, start, bytes.length - start, StandardCharsets.UTF_8) + "'");
         }
@@ -598,15 +677,15 @@ public static String percentDecode(final String source) {
         }
 
         byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
-
-        int off = 0;
-        int idx = indexOfPercentChar(bytes, off);
+        int idx = indexOfPercentChar(bytes, 0);
 
         if (idx == -1) {
             return source;
         }
 
+        int off = idx;
         ByteBuffer buffer = ByteBuffer.wrap(bytes);
+        buffer.position(off);
 
         while (true) {
             int len = idx - off;
@@ -650,14 +729,18 @@ private static byte[] percentEncode(byte b) {
     }
 
     public static String percentEncode(final String source) {
+        return percentEncode(source, new BitSet(0));
+    }
+
+    private static String percentEncode(final String source, final BitSet safe) {
         if (source.isEmpty()) {
             return source;
         }
 
         byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
 
         int off = 0;
-        int idx = indexOfUnsafeChar(bytes, off);
+        int idx = indexOfUnsafeChar(bytes, off, safe);
 
         if (idx == -1) {
             return source;
@@ -674,7 +757,7 @@ public static String percentEncode(final String source) {
             }
 
             buffer.put(percentEncode(bytes[off++]));
-            idx = indexOfUnsafeChar(bytes, off);
+            idx = indexOfUnsafeChar(bytes, off, safe);
 
             if (idx == -1) {
                 int rem = bytes.length - off;
@@ -733,7 +816,6 @@ private void parse(final String purl) throws MalformedPackageURLException {
             final String rawQuery = uri.getRawQuery();
             if (rawQuery != null && !rawQuery.isEmpty()) {
                 this.qualifiers = parseQualifiers(rawQuery);
-
             }
             // this is the rest of the purl that needs to be parsed
             String remainder = uri.getRawPath();
@@ -835,8 +917,8 @@ private String[] parsePath(final String path, final boolean isSubpath) {
                 .toArray(String[]::new);
     }
 
-    private String encodePath(final String path) {
-        return Arrays.stream(path.split("/")).map(PackageURL::percentEncode).collect(Collectors.joining("/"));
+    private String encodePath(final String path, BitSet safe) {
+        return Arrays.stream(path.split("/")).map(source -> percentEncode(source, safe)).collect(Collectors.joining("/"));
     }
 
     /**

src/test/resources/test-suite-data.json

@@ -86,7 +86,7 @@
   {
     "description": "docker uses qualifiers and hash image id as versions",
     "purl": "pkg:docker/customer/dockerimage@sha256:244fd47e07d1004f0aed9c?repository_url=gcr.io",
-    "canonical_purl": "pkg:docker/customer/dockerimage@sha256%3A244fd47e07d1004f0aed9c?repository_url=gcr.io",
+    "canonical_purl": "pkg:docker/customer/dockerimage@sha256:244fd47e07d1004f0aed9c?repository_url=gcr.io",
     "type": "docker",
     "namespace": "customer",
     "name": "dockerimage",
@@ -110,7 +110,7 @@
   {
     "description": "maven often uses qualifiers",
     "purl": "pkg:Maven/org.apache.xmlgraphics/[email protected]?repositorY_url=repo.spring.io/release&classifier=sources",
-    "canonical_purl": "pkg:maven/org.apache.xmlgraphics/[email protected]?classifier=sources&repository_url=repo.spring.io%2Frelease",
+    "canonical_purl": "pkg:maven/org.apache.xmlgraphics/[email protected]?classifier=sources&repository_url=repo.spring.io/release",
     "type": "maven",
     "namespace": "org.apache.xmlgraphics",
     "name": "batik-anim",
@@ -122,7 +122,7 @@
   {
     "description": "maven pom reference",
     "purl": "pkg:Maven/org.apache.xmlgraphics/[email protected]?repositorY_url=repo.spring.io/release&extension=pom",
-    "canonical_purl": "pkg:maven/org.apache.xmlgraphics/[email protected]?extension=pom&repository_url=repo.spring.io%2Frelease",
+    "canonical_purl": "pkg:maven/org.apache.xmlgraphics/[email protected]?extension=pom&repository_url=repo.spring.io/release",
     "type": "maven",
     "namespace": "org.apache.xmlgraphics",
     "name": "batik-anim",
@@ -314,7 +314,7 @@
   {
     "description": "valid debian purl containing a plus in the name and version",
     "purl": "pkg:deb/debian/[email protected]+6",
-    "canonical_purl": "pkg:deb/debian/g%2B%2B[email protected]%2B6",
+    "canonical_purl": "pkg:deb/debian/g++[email protected]+6",
     "type": "deb",
     "namespace": "debian",
     "name": "g++-10",