SBOM tool doesn't cross-check libexpat version and checksum against refresh.sh #139330

@sethmlarson

Bug report

Bug description:

There's a bad comparison against the magic string == "libexpat" where it should check against == "expat" for the package name. This means that SBOM data for expat doesn't get cross-checked automatically against the refresh.sh script.

Found while reviewing #139319

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Labels

3.12 (only security fixes)
3.13 (bugs and security fixes)
3.14 (bugs and security fixes)
3.15 (new features, bugs and security fixes)
topic-XML
triaged (The issue has been accepted as valid by a triager.)
type-security (A security issue)
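
The failure mode reported in this issue, as an added example that is not CPython's SBOM tool code: a package-name comparison that never matches lets a cross-check pass without comparing anything. The script contents, variable names, versions and checksums are constructed, and `require_match` is a hypothetical parameter.

```python
import re

# Constructed inputs, not copied from CPython: a refresh.sh-style script that
# pins a version and checksum, and an SPDX-style package list that is stale.
PINNED_SHA = "ab" * 32
STALE_SHA = "cd" * 32
REFRESH_SH = f'''
expected_libexpat_version="0.0.2"
expected_libexpat_sha256="{PINNED_SHA}"
'''
SBOM_PACKAGES = [{
    "name": "expat",
    "versionInfo": "0.0.1",
    "checksums": [{"algorithm": "SHA256", "checksumValue": STALE_SHA}],
}]


def parse_pins(script):
    """Extract the pinned version and SHA-256 from shell variable assignments."""
    version = re.search(r'^expected_\w+_version="([^"]+)"', script, re.M)
    sha256 = re.search(r'^expected_\w+_sha256="([0-9a-f]{64})"', script, re.M)
    if not (version and sha256):
        raise ValueError("pinned version or checksum not found in script")
    return {"version": version.group(1), "sha256": sha256.group(1)}


def cross_check(packages, pins, name, require_match=True):
    """Return mismatches between SBOM entries called `name` and the pins."""
    errors, matched = [], False
    for pkg in packages:
        if pkg["name"] != name:  # a wrong literal here skips every package
            continue
        matched = True
        if pkg["versionInfo"] != pins["version"]:
            errors.append(f"{name}: version {pkg['versionInfo']} != {pins['version']}")
        sums = {c["algorithm"]: c["checksumValue"] for c in pkg.get("checksums", [])}
        if sums.get("SHA256") != pins["sha256"]:
            errors.append(f"{name}: SHA256 differs from pinned checksum")
    if require_match and not matched:
        errors.append(f"{name}: no such package in SBOM, nothing was checked")
    return errors


if __name__ == "__main__":
    pins = parse_pins(REFRESH_SH)
    for name, strict in (("libexpat", False), ("libexpat", True), ("expat", True)):
        print(name, strict, cross_check(SBOM_PACKAGES, pins, name, strict))
```

With the wrong name and no match requirement the stale entry passes with an empty error list; requiring at least one match turns the same mistake into a reported failure.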
