[3.14] gh-139330: Check expat version/checksum in SBOM with refresh.sh

gh-139330: Check expat version/checksum in SBOM with refresh.sh Check expat version/checksum in SBOM with refresh.sh (cherry picked from commit 89b5571025) Co-authored-by: Seth Michael Larson <seth@python.org>
2025-12-31 04:23:37 +00:00 · 2025-09-25 20:30:14 +02:00 · 2025-09-25 20:30:14 +02:00 · 7519ac294f
commit 7519ac294f
parent c76fd771b5
3 changed files with 9 additions and 6 deletions
--- a/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst
+++ b/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst
@ -0,0 +1,3 @@
+SBOM generation tool didn't cross-check the version and checksum values
+against the ``Modules/expat/refresh.sh`` script, leading to the values
+becoming out-of-date during routine updates.
--- a/Misc/sbom.spdx.json
+++ b/Misc/sbom.spdx.json
@ -1730,14 +1730,14 @@
      "checksums": [
        {
          "algorithm": "SHA256",
-          "checksumValue": "17aa6cfc5c4c219c09287abfc10bc13f0c06f30bb654b28bfe6f567ca646eb79"
+          "checksumValue": "13d42a125897329bfeecab899cb9b5a3ec8c26072994b5cd4c41f28241f5bce7"
        }
      ],
-      "downloadLocation": "https://github.com/libexpat/libexpat/releases/download/R_2_6_3/expat-2.6.3.tar.gz",
+      "downloadLocation": "https://github.com/libexpat/libexpat/releases/download/R_2_7_2/expat-2.7.2.tar.gz",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
-          "referenceLocator": "cpe:2.3:a:libexpat_project:libexpat:2.6.3:*:*:*:*:*:*:*",
+          "referenceLocator": "cpe:2.3:a:libexpat_project:libexpat:2.7.2:*:*:*:*:*:*:*",
          "referenceType": "cpe23Type"
        }
      ],
@ -1745,7 +1745,7 @@
      "name": "expat",
      "originator": "Organization: Expat development team",
      "primaryPackagePurpose": "SOURCE",
-      "versionInfo": "2.6.3"
+      "versionInfo": "2.7.2"
    },
    {
      "SPDXID": "SPDXRef-PACKAGE-hacl-star",