Stowage/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-12-08 06:10:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

[3.13] gh-139330: Check expat version/checksum in SBOM with refresh.sh

Browse source 
gh-139330: Check expat version/checksum in SBOM with refresh.sh

Check expat version/checksum in SBOM with refresh.sh
(cherry picked from commit 89b5571025)

Co-authored-by: Seth Michael Larson <seth@python.org>
This commit is contained in:
Miss Islington (bot) 2025-09-25 20:05:09 +02:00 committed by GitHub
parent d1f6b392e4
commit 11d6c460b8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 9 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst Normal file
View file

@ -0,0 +1,3 @@
SBOM generation tool didn't cross-check the version and checksum values
against the ``Modules/expat/refresh.sh`` script, leading to the values
becoming out-of-date during routine updates.

8
Misc/sbom.spdx.json generated
View file

@ -1562,14 +1562,14 @@
"checksums": [ "checksums": [
{ {
"algorithm": "SHA256", "algorithm": "SHA256",
"checksumValue": "17aa6cfc5c4c219c09287abfc10bc13f0c06f30bb654b28bfe6f567ca646eb79" "checksumValue": "13d42a125897329bfeecab899cb9b5a3ec8c26072994b5cd4c41f28241f5bce7"
} }
], ],
"downloadLocation": "https://github.com/libexpat/libexpat/releases/download/R_2_6_3/expat-2.6.3.tar.gz", "downloadLocation": "https://github.com/libexpat/libexpat/releases/download/R_2_7_2/expat-2.7.2.tar.gz",
"externalRefs": [ "externalRefs": [
{ {
"referenceCategory": "SECURITY", "referenceCategory": "SECURITY",
"referenceLocator": "cpe:2.3:a:libexpat_project:libexpat:2.6.3:*:*:*:*:*:*:*", "referenceLocator": "cpe:2.3:a:libexpat_project:libexpat:2.7.2:*:*:*:*:*:*:*",
"referenceType": "cpe23Type" "referenceType": "cpe23Type"
} }
], ],
@ -1577,7 +1577,7 @@
"name": "expat", "name": "expat",
"originator": "Organization: Expat development team", "originator": "Organization: Expat development team",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "2.6.3" "versionInfo": "2.7.2"
}, },
{ {
"SPDXID": "SPDXRef-PACKAGE-hacl-star", "SPDXID": "SPDXRef-PACKAGE-hacl-star",

4
Tools/build/generate_sbom.py
View file

@ -245,14 +245,14 @@ def check_sbom_packages(sbom_data: dict[str, typing.Any]) -> None:
) )
# libexpat specifies its expected rev in a refresh script. # libexpat specifies its expected rev in a refresh script.
if package["name"] == "libexpat": if package["name"] == "expat":
libexpat_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/expat/refresh.sh").read_text() libexpat_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/expat/refresh.sh").read_text()
libexpat_expected_version_match = re.search( libexpat_expected_version_match = re.search(
r"expected_libexpat_version=\"([0-9]+\.[0-9]+\.[0-9]+)\"", r"expected_libexpat_version=\"([0-9]+\.[0-9]+\.[0-9]+)\"",
libexpat_refresh_sh libexpat_refresh_sh
) )
libexpat_expected_sha256_match = re.search( libexpat_expected_sha256_match = re.search(
r"expected_libexpat_sha256=\"[a-f0-9]{40}\"", r"expected_libexpat_sha256=\"([a-f0-9]{64})\"",
libexpat_refresh_sh libexpat_refresh_sh
) )
libexpat_expected_version = libexpat_expected_version_match and libexpat_expected_version_match.group(1) libexpat_expected_version = libexpat_expected_version_match and libexpat_expected_version_match.group(1)