Skip symlinks when creating SBOM for source tarball (#232)

Co-authored-by: Adam Turner <[email protected]>
Co-authored-by: Seth Michael Larson <[email protected]>

Author: 3 people

sbom.py

@@ -608,12 +608,12 @@ def create_sbom_for_source_tarball(tarball_path: str) -> SBOM:
     # Now we walk the tarball and compare known files to our expected checksums in the SBOM.
     # All files that aren't already in the SBOM can be added as "CPython" files.
     for member in tarball.getmembers():
-        if member.isdir():  # Skip directories!
+        if not member.isfile():  # Only keep files (no symlinks)
             continue
 
         # Get the member from the tarball. CPython prefixes all of its
         # source code with 'Python-{version}/...'.
-        assert member.isfile() and member.name.startswith(f"Python-{cpython_version}/")
+        assert member.name.startswith(f"Python-{cpython_version}/")
 
         # Calculate the hashes, either for comparison with a known value
         # or to embed in the SBOM as a new file. SHA1 is only used because