[3.12] gh-112302: Change 'licenseConcluded' field to 'NOASSERTION' (GH-115038) (...
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Tue, 6 Feb 2024 18:34:03 +0000 (19:34 +0100)
committerGitHub <noreply@github.com>
Tue, 6 Feb 2024 18:34:03 +0000 (19:34 +0100)
* gh-112302: Change 'licenseConcluded' field to 'NOASSERTION' (GH-115038)
(cherry picked from commit 4bf41879d03b1da3c6d38c39a04331e3ae2e7545)

Co-authored-by: Seth Michael Larson <seth@python.org>
* Update pip SBOM package to version in source

---------

Co-authored-by: Seth Michael Larson <seth@python.org>
Misc/sbom.spdx.json
Tools/build/generate_sbom.py

index 94566772338b1082b74f8efd2e5ddba77dc3ae32..d783d14255e66f1712f91a6091793f6cc5184bd7 100644 (file)
       "fileName": "Modules/_decimal/libmpdec/vcdiv64.asm"
     },
     {
-      "SPDXID": "SPDXRef-FILE-Lib-ensurepip-bundled-pip-23.3.2-py3-none-any.whl",
+      "SPDXID": "SPDXRef-FILE-Lib-ensurepip-bundled-pip-24.0-py3-none-any.whl",
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "8e48f55ab2965ee64bd55cc91a8077d184a33e30"
+          "checksumValue": "e44313ae1e6af3c2bd3b60ab2fa8c34308d00555"
         },
         {
           "algorithm": "SHA256",
-          "checksumValue": "5052d7889c1f9d05224cd41741acb7c5d6fa735ab34e339624a614eaaa7e7d76"
+          "checksumValue": "ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc"
         }
       ],
-      "fileName": "Lib/ensurepip/_bundled/pip-23.3.2-py3-none-any.whl"
+      "fileName": "Lib/ensurepip/_bundled/pip-24.0-py3-none-any.whl"
     }
   ],
   "packages": [
           "referenceType": "cpe23Type"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "expat",
       "originator": "Organization: Expat development team",
       "primaryPackagePurpose": "SOURCE",
           "referenceType": "cpe23Type"
         }
       ],
-      "licenseConcluded": "Apache-2.0",
+      "licenseConcluded": "NOASSERTION",
       "name": "hacl-star",
       "originator": "Organization: HACL* Developers",
       "primaryPackagePurpose": "SOURCE",
           "referenceType": "cpe23Type"
         }
       ],
-      "licenseConcluded": "CC0-1.0",
+      "licenseConcluded": "NOASSERTION",
       "name": "libb2",
       "originator": "Organization: BLAKE2 - fast secure hashing",
       "primaryPackagePurpose": "SOURCE",
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "macholib",
       "originator": "Person: Ronald Oussoren (ronaldoussoren@mac.com)",
       "primaryPackagePurpose": "SOURCE",
           "referenceType": "cpe23Type"
         }
       ],
-      "licenseConcluded": "BSD-2-Clause",
+      "licenseConcluded": "NOASSERTION",
       "name": "mpdecimal",
       "originator": "Organization: bytereef.org",
       "primaryPackagePurpose": "SOURCE",
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "cachecontrol",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "0.13.1"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "colorama",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "0.4.6"
       "checksums": [
         {
           "algorithm": "SHA256",
-          "checksumValue": "f35c4b692542ca110de7ef0bea44d73981caeb34ca0b9b6b2e6d7790dda8f80e"
+          "checksumValue": "034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784"
         }
       ],
-      "downloadLocation": "https://files.pythonhosted.org/packages/76/cb/6bbd2b10170ed991cf64e8c8b85e01f2fb38f95d1bc77617569e0b0b26ac/distlib-0.3.6-py2.py3-none-any.whl",
+      "downloadLocation": "https://files.pythonhosted.org/packages/8e/41/9307e4f5f9976bc8b7fea0b66367734e8faf3ec84bc0d412d8cfabbb66cd/distlib-0.3.8-py2.py3-none-any.whl",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE_MANAGER",
-          "referenceLocator": "pkg:pypi/distlib@0.3.6",
+          "referenceLocator": "pkg:pypi/distlib@0.3.8",
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "distlib",
       "primaryPackagePurpose": "SOURCE",
-      "versionInfo": "0.3.6"
+      "versionInfo": "0.3.8"
     },
     {
       "SPDXID": "SPDXRef-PACKAGE-distro",
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "distro",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "1.8.0"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "msgpack",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "1.0.5"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "packaging",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "21.3"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "platformdirs",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "3.8.1"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "pyparsing",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "3.1.0"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "pyproject-hooks",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "1.0.0"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "requests",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "2.31.0"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "certifi",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "2023.7.22"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "chardet",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "5.1.0"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "idna",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "3.4"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "rich",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "13.4.2"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "pygments",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "2.15.1"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "typing_extensions",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "4.7.1"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "resolvelib",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "1.0.1"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "setuptools",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "68.0.0"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "six",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "1.16.0"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "tenacity",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "8.2.2"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "tomli",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "2.0.1"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "truststore",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "0.8.0"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "webencodings",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "0.5.1"
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "urllib3",
       "primaryPackagePurpose": "SOURCE",
       "versionInfo": "1.26.17"
       "checksums": [
         {
           "algorithm": "SHA256",
-          "checksumValue": "5052d7889c1f9d05224cd41741acb7c5d6fa735ab34e339624a614eaaa7e7d76"
+          "checksumValue": "ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc"
         }
       ],
-      "downloadLocation": "https://files.pythonhosted.org/packages/15/aa/3f4c7bcee2057a76562a5b33ecbd199be08cdb4443a02e26bd2c3cf6fc39/pip-23.3.2-py3-none-any.whl",
+      "downloadLocation": "https://files.pythonhosted.org/packages/8a/6a/19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b/pip-24.0-py3-none-any.whl",
       "externalRefs": [
         {
           "referenceCategory": "SECURITY",
-          "referenceLocator": "cpe:2.3:a:pypa:pip:23.3.2:*:*:*:*:*:*:*",
+          "referenceLocator": "cpe:2.3:a:pypa:pip:24.0:*:*:*:*:*:*:*",
           "referenceType": "cpe23Type"
         },
         {
           "referenceCategory": "PACKAGE_MANAGER",
-          "referenceLocator": "pkg:pypi/pip@23.3.2",
+          "referenceLocator": "pkg:pypi/pip@24.0",
           "referenceType": "purl"
         }
       ],
-      "licenseConcluded": "MIT",
+      "licenseConcluded": "NOASSERTION",
       "name": "pip",
       "originator": "Organization: Python Packaging Authority",
       "primaryPackagePurpose": "SOURCE",
-      "versionInfo": "23.3.2"
+      "versionInfo": "24.0"
     }
   ],
   "relationships": [
       "spdxElementId": "SPDXRef-PACKAGE-mpdecimal"
     },
     {
-      "relatedSpdxElement": "SPDXRef-FILE-Lib-ensurepip-bundled-pip-23.3.2-py3-none-any.whl",
+      "relatedSpdxElement": "SPDXRef-FILE-Lib-ensurepip-bundled-pip-24.0-py3-none-any.whl",
       "relationshipType": "CONTAINS",
       "spdxElementId": "SPDXRef-PACKAGE-pip"
     }
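Review bot: With `licenseConcluded` set to `NOASSERTION` for every package in this section (from the `expat` entry through `pip`), the SBOM carries no license information at all for its components, which leaves downstream license-compliance and supply-chain tooling with nothing to act on. SPDX 2.x separates the reviewer's conclusion from the upstream's own statement, so if the intent is only to stop asserting a legal conclusion, the identifiers that were removed could be kept under `licenseDeclared` instead — e.g. `"licenseDeclared": "MIT",` alongside the pip entry's `"licenseConcluded": "NOASSERTION",`. Whether the validation in Tools/build/generate_sbom.py would accept that extra field is not visible from this section and would need confirming.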
index aceb13f141cba407e2a9adf520fa7e015a915d3e..442487f2d2546b4db957f3add874b236610c79b3 100644 (file)
@@ -338,7 +338,7 @@ def discover_pip_sbom_package(sbom_data: dict[str, typing.Any]) -> None:
             "name": "pip",
             "versionInfo": pip_version,
             "originator": "Organization: Python Packaging Authority",
-            "licenseConcluded": "MIT",
+            "licenseConcluded": "NOASSERTION",
             "downloadLocation": pip_download_url,
             "checksums": [
                 {"algorithm": "SHA256", "checksumValue": pip_checksum_sha256}
@@ -383,9 +383,11 @@ def main() -> None:
     discover_pip_sbom_package(sbom_data)
 
     # Ensure all packages in this tool are represented also in the SBOM file.
+    actual_names = {package["name"] for package in sbom_data["packages"]}
+    expected_names = set(PACKAGE_TO_FILES)
     error_if(
-        {package["name"] for package in sbom_data["packages"]} != set(PACKAGE_TO_FILES),
-        "Packages defined in SBOM tool don't match those defined in SBOM file.",
+        actual_names != expected_names,
+        f"Packages defined in SBOM tool don't match those defined in SBOM file: {actual_names}, {expected_names}",
     )
 
     # Make a bunch of assertions about the SBOM data to ensure it's consistent.
@@ -422,8 +424,8 @@ def main() -> None:
         # License must be on the approved list for SPDX.
         license_concluded = package["licenseConcluded"]
         error_if(
-            license_concluded not in ALLOWED_LICENSE_EXPRESSIONS,
-            f"License identifier '{license_concluded}' not in SBOM tool allowlist"
+            license_concluded != "NOASSERTION",
+            f"License identifier must be 'NOASSERTION'"
         )
 
     # We call 'sorted()' here a lot to avoid filesystem scan order issues.
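Review bot: The comment `# License must be on the approved list for SPDX.` above `license_concluded = package["licenseConcluded"]` is now stale, since the rewritten check no longer consults an allowlist but requires the literal `NOASSERTION`; it should read something like `# Licenses are not concluded by this tool; every package must record NOASSERTION.`. The new message `f"License identifier must be 'NOASSERTION'"` is an f-string with no placeholders and, unlike the one it replaces, drops the offending value, so a failing run no longer says which package or which identifier tripped it; `f"License identifier for '{package['name']}' must be 'NOASSERTION', got '{license_concluded}'"` keeps the diagnostic. If `ALLOWED_LICENSE_EXPRESSIONS` has no other reference left in the file it is now dead and can be removed, but its definition and any other uses are outside this hunk. main() begins and ends outside the hunk.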