Commit d8c562a

[3.13] gh-112844: Update CPE references for external dependencies (GH-118521) (#119237)
Co-authored-by: Seth Michael Larson <seth@python.org>
1 parent fda3291 commit d8c562a

File tree

1 file changed: +15 -1 lines changed

Tools/build/generate_sbom.py

@@ -305,7 +305,21 @@ def create_externals_sbom() -> None:
305305

306306
# Set the versionInfo and downloadLocation fields for all packages.
307307
for package in sbom_data["packages"]:
308-
package["versionInfo"] = externals_name_to_version[package["name"]]
308+
package_version = externals_name_to_version[package["name"]]
309+
310+
# Update the version information in all the locations.
311+
package["versionInfo"] = package_version
312+
for external_ref in package["externalRefs"]:
313+
if external_ref["referenceType"] != "cpe23Type":
314+
continue
315+
# Version is the fifth field of a CPE.
316+
cpe23ref = external_ref["referenceLocator"]
317+
external_ref["referenceLocator"] = re.sub(
318+
r"\A(cpe(?::[^:]+){4}):[^:]+:",
319+
fr"\1:{package_version}:",
320+
cpe23ref
321+
)
322+
309323
download_location = (
310324
f"https://github.com/python/cpython-source-deps/archive/refs/tags/{externals_name_to_git_tag[package['name']]}.tar.gz"
311325
)
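Review bot: the `re.sub` call at lines 317-321 silently leaves `referenceLocator` untouched when the pattern does not match (a locator that is not in `cpe:2.3:...` form, or a CPE with fewer than five leading fields), so a stale version in the SBOM would survive without any error; since the whole point of this change is to keep the CPE version in step with `versionInfo`, consider using `re.subn` and failing when the substitution count is not 1, so a malformed locator breaks the build rather than shipping outdated vulnerability metadata. Two smaller points: `package_version` is interpolated directly into the replacement string (`fr"\1:{package_version}:"`), where a backslash in a version would be interpreted as a group reference, so a callable `repl` such as `lambda m: f"{m.group(1)}:{package_version}:"` is safer; and the comment "Version is the fifth field of a CPE" is off by one if the leading `cpe` token is counted, because in `cpe:2.3:part:vendor:product:version` the version is the sixth colon-separated field, which is what the `{4}` repetition after `cpe` actually targets. Also worth confirming that `re` is already imported at the top of the module, since the hunk does not add the import.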
