gh-139330: Check expat version/checksum in SBOM with refresh.sh

sethmlarson · web-flow · commit 89b5571025a5 · 2025-09-25T17:13:45.000Z
Check expat version/checksum in SBOM with refresh.sh
diff --git a/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst b/Misc/NEWS.d/next/Tools-Demos/2025-09-25-10-31-02.gh-issue-139330.5WWkY0.rst
@@ -0,0 +1,3 @@
+SBOM generation tool didn't cross-check the version and checksum values
+against the ``Modules/expat/refresh.sh`` script, leading to the values
+becoming out-of-date during routine updates.
diff --git a/Misc/sbom.spdx.json b/Misc/sbom.spdx.json
diff --git a/Tools/build/generate_sbom.py b/Tools/build/generate_sbom.py
@@ -242,14 +242,14 @@ def check_sbom_packages(sbom_data: dict[str, typing.Any]) -> None:
             )
 
         # libexpat specifies its expected rev in a refresh script.
-        if package["name"] == "libexpat":
+        if package["name"] == "expat":
             libexpat_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/expat/refresh.sh").read_text()
             libexpat_expected_version_match = re.search(
                 r"expected_libexpat_version=\"([0-9]+\.[0-9]+\.[0-9]+)\"",
                 libexpat_refresh_sh
             )
             libexpat_expected_sha256_match = re.search(
-                r"expected_libexpat_sha256=\"[a-f0-9]{40}\"",
+                r"expected_libexpat_sha256=\"([a-f0-9]{64})\"",
                 libexpat_refresh_sh
             )
             libexpat_expected_version = libexpat_expected_version_match and libexpat_expected_version_match.group(1)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+SBOM generation tool didn't cross-check the version and checksum values`
	`2`	+against the ``Modules/expat/refresh.sh`` script, leading to the values
	`3`	`+becoming out-of-date during routine updates.`
Original file line number	Diff line number	Diff line change
`@@ -242,14 +242,14 @@ def check_sbom_packages(sbom_data: dict[str, typing.Any]) -> None:`
`242`	`242`	`)`
`243`	`243`
`244`	`244`	`# libexpat specifies its expected rev in a refresh script.`
`245`		`- if package["name"] == "libexpat":`
	`245`	`+ if package["name"] == "expat":`
`246`	`246`	`libexpat_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/expat/refresh.sh").read_text()`
`247`	`247`	`libexpat_expected_version_match = re.search(`
`248`	`248`	`r"expected_libexpat_version=\"([0-9]+\.[0-9]+\.[0-9]+)\"",`
`249`	`249`	`libexpat_refresh_sh`
`250`	`250`	`)`
`251`	`251`	`libexpat_expected_sha256_match = re.search(`
`252`		`- r"expected_libexpat_sha256=\"[a-f0-9]{40}\"",`
	`252`	`+ r"expected_libexpat_sha256=\"([a-f0-9]{64})\"",`
`253`	`253`	`libexpat_refresh_sh`
`254`	`254`	`)`
`255`	`255`	`libexpat_expected_version = libexpat_expected_version_match and libexpat_expected_version_match.group(1)`