[3.13] gh-139330: Check expat version/checksum in SBOM with refresh.sh

miss-islington · sethmlarson · web-flow · commit 11d6c460b86f · 2025-09-25T18:05:09.000Z
gh-139330: Check expat version/checksum in SBOM with refresh.sh Check expat version/checksum in SBOM with refresh.sh (cherry picked from commit 89b5571) Co-authored-by: Seth Michael Larson <seth@python.org>
diff --git a/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst b/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst
@@ -0,0 +1,3 @@
+SBOM generation tool didn't cross-check the version and checksum values
+against the ``Modules/expat/refresh.sh`` script, leading to the values
+becoming out-of-date during routine updates.
diff --git a/Misc/sbom.spdx.json b/Misc/sbom.spdx.json
diff --git a/Tools/build/generate_sbom.py b/Tools/build/generate_sbom.py
@@ -245,14 +245,14 @@ def check_sbom_packages(sbom_data: dict[str, typing.Any]) -> None:
             )
 
         # libexpat specifies its expected rev in a refresh script.
-        if package["name"] == "libexpat":
+        if package["name"] == "expat":
             libexpat_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/expat/refresh.sh").read_text()
             libexpat_expected_version_match = re.search(
                 r"expected_libexpat_version=\"([0-9]+\.[0-9]+\.[0-9]+)\"",
                 libexpat_refresh_sh
             )
             libexpat_expected_sha256_match = re.search(
-                r"expected_libexpat_sha256=\"[a-f0-9]{40}\"",
+                r"expected_libexpat_sha256=\"([a-f0-9]{64})\"",
                 libexpat_refresh_sh
             )
             libexpat_expected_version = libexpat_expected_version_match and libexpat_expected_version_match.group(1)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+SBOM generation tool didn't cross-check the version and checksum values`
	`2`	+against the ``Modules/expat/refresh.sh`` script, leading to the values
	`3`	`+becoming out-of-date during routine updates.`
Original file line number	Diff line number	Diff line change
`@@ -245,14 +245,14 @@ def check_sbom_packages(sbom_data: dict[str, typing.Any]) -> None:`
`245`	`245`	`)`
`246`	`246`
`247`	`247`	`# libexpat specifies its expected rev in a refresh script.`
`248`		`- if package["name"] == "libexpat":`
	`248`	`+ if package["name"] == "expat":`
`249`	`249`	`libexpat_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/expat/refresh.sh").read_text()`
`250`	`250`	`libexpat_expected_version_match = re.search(`
`251`	`251`	`r"expected_libexpat_version=\"([0-9]+\.[0-9]+\.[0-9]+)\"",`
`252`	`252`	`libexpat_refresh_sh`
`253`	`253`	`)`
`254`	`254`	`libexpat_expected_sha256_match = re.search(`
`255`		`- r"expected_libexpat_sha256=\"[a-f0-9]{40}\"",`
	`255`	`+ r"expected_libexpat_sha256=\"([a-f0-9]{64})\"",`
`256`	`256`	`libexpat_refresh_sh`
`257`	`257`	`)`
`258`	`258`	`libexpat_expected_version = libexpat_expected_version_match and libexpat_expected_version_match.group(1)`