[3.12] pythongh-139330: Check expat version/checksum in SBOM with refresh.sh

sethmlarson · web-flow · commit ade85bc5f409 · 2025-09-26T17:23:04.000Z
* [3.12] pythongh-139330: Check expat version/checksum in SBOM with refresh.sh Check expat version/checksum in SBOM with refresh.sh (cherry picked from commit 89b5571) Co-authored-by: Seth Michael Larson <seth@python.org> * 2.7.1
diff --git a/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst b/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst
@@ -0,0 +1,3 @@
+SBOM generation tool didn't cross-check the version and checksum values
+against the ``Modules/expat/refresh.sh`` script, leading to the values
+becoming out-of-date during routine updates.
diff --git a/Misc/sbom.spdx.json b/Misc/sbom.spdx.json
diff --git a/Tools/build/generate_sbom.py b/Tools/build/generate_sbom.py
@@ -224,14 +224,14 @@ def check_sbom_packages(sbom_data: dict[str, typing.Any]) -> None:
             )
 
         # libexpat specifies its expected rev in a refresh script.
-        if package["name"] == "libexpat":
+        if package["name"] == "expat":
             libexpat_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/expat/refresh.sh").read_text()
             libexpat_expected_version_match = re.search(
                 r"expected_libexpat_version=\"([0-9]+\.[0-9]+\.[0-9]+)\"",
                 libexpat_refresh_sh
             )
             libexpat_expected_sha256_match = re.search(
-                r"expected_libexpat_sha256=\"[a-f0-9]{40}\"",
+                r"expected_libexpat_sha256=\"([a-f0-9]{64})\"",
                 libexpat_refresh_sh
             )
             libexpat_expected_version = libexpat_expected_version_match and libexpat_expected_version_match.group(1)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+SBOM generation tool didn't cross-check the version and checksum values`
	`2`	+against the ``Modules/expat/refresh.sh`` script, leading to the values
	`3`	`+becoming out-of-date during routine updates.`
Original file line number	Diff line number	Diff line change
`@@ -224,14 +224,14 @@ def check_sbom_packages(sbom_data: dict[str, typing.Any]) -> None:`
`224`	`224`	`)`
`225`	`225`
`226`	`226`	`# libexpat specifies its expected rev in a refresh script.`
`227`		`- if package["name"] == "libexpat":`
	`227`	`+ if package["name"] == "expat":`
`228`	`228`	`libexpat_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/expat/refresh.sh").read_text()`
`229`	`229`	`libexpat_expected_version_match = re.search(`
`230`	`230`	`r"expected_libexpat_version=\"([0-9]+\.[0-9]+\.[0-9]+)\"",`
`231`	`231`	`libexpat_refresh_sh`
`232`	`232`	`)`
`233`	`233`	`libexpat_expected_sha256_match = re.search(`
`234`		`- r"expected_libexpat_sha256=\"[a-f0-9]{40}\"",`
	`234`	`+ r"expected_libexpat_sha256=\"([a-f0-9]{64})\"",`
`235`	`235`	`libexpat_refresh_sh`
`236`	`236`	`)`
`237`	`237`	`libexpat_expected_version = libexpat_expected_version_match and libexpat_expected_version_match.group(1)`