[3.12] gh-139330: Check expat version/checksum in SBOM with refresh.sh

* [3.12] gh-139330: Check expat version/checksum in SBOM with refresh.sh

Check expat version/checksum in SBOM with refresh.sh
(cherry picked from commit 89b5571)

Co-authored-by: Seth Michael Larson <seth@python.org>
* 2.7.1

diff --git a/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst b/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst
new file mode 100644 (file)
index 0000000..77e74ba
--- /dev/null
+++ b/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst
@@ -0,0 +1,3 @@
+SBOM generation tool didn't cross-check the version and checksum values
+against the ``Modules/expat/refresh.sh`` script, leading to the values
+becoming out-of-date during routine updates.

diff --git a/Misc/sbom.spdx.json b/Misc/sbom.spdx.json
index f7b850af91dc9688dae335c7c4f900afadf9130f..f75533de9ef0dfc6bf177be8cbedb29dbc87c4f8 100644 (file)
--- a/Misc/sbom.spdx.json
+++ b/Misc/sbom.spdx.json
@@ -1562,14 +1562,14 @@
       "checksums": [
         {
           "algorithm": "SHA256",
-          "checksumValue": "17aa6cfc5c4c219c09287abfc10bc13f0c06f30bb654b28bfe6f567ca646eb79"
+          "checksumValue": "0cce2e6e69b327fc607b8ff264f4b66bdf71ead55a87ffd5f3143f535f15cfa2"
         }
       ],
-      "downloadLocation": "https://github.com/libexpat/libexpat/releases/download/R_2_6_3/expat-2.6.3.tar.gz",
+      "downloadLocation": "https://github.com/libexpat/libexpat/releases/download/R_2_7_1/expat-2.7.1.tar.gz",
       "externalRefs": [
         {
           "referenceCategory": "SECURITY",
-          "referenceLocator": "cpe:2.3:a:libexpat_project:libexpat:2.6.3:*:*:*:*:*:*:*",
+          "referenceLocator": "cpe:2.3:a:libexpat_project:libexpat:2.7.1:*:*:*:*:*:*:*",
           "referenceType": "cpe23Type"
         }
       ],
@@ -1577,7 +1577,7 @@
       "name": "expat",
       "originator": "Organization: Expat development team",
       "primaryPackagePurpose": "SOURCE",
-      "versionInfo": "2.6.3"
+      "versionInfo": "2.7.1"
     },
     {
       "SPDXID": "SPDXRef-PACKAGE-hacl-star",

diff --git a/Tools/build/generate_sbom.py b/Tools/build/generate_sbom.py
index 3299e4479e4a2ee2100f7555af7ff9f81500d140..27878ade39ee3d388c5051622b594c3b84af35f0 100644 (file)
--- a/Tools/build/generate_sbom.py
+++ b/Tools/build/generate_sbom.py
@@ -224,14 +224,14 @@ def check_sbom_packages(sbom_data: dict[str, typing.Any]) -> None:
             )
 
         # libexpat specifies its expected rev in a refresh script.
-        if package["name"] == "libexpat":
+        if package["name"] == "expat":
             libexpat_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/expat/refresh.sh").read_text()
             libexpat_expected_version_match = re.search(
                 r"expected_libexpat_version=\"([0-9]+\.[0-9]+\.[0-9]+)\"",
                 libexpat_refresh_sh
             )
             libexpat_expected_sha256_match = re.search(
-                r"expected_libexpat_sha256=\"[a-f0-9]{40}\"",
+                r"expected_libexpat_sha256=\"([a-f0-9]{64})\"",
                 libexpat_refresh_sh
             )
             libexpat_expected_version = libexpat_expected_version_match and libexpat_expected_version_match.group(1)