[3.12] gh-112302: Change 'licenseConcluded' field to 'NOASSERTION' (GH-115038) (#115088)

* gh-112302: Change 'licenseConcluded' field to 'NOASSERTION' (GH-115038)
(cherry picked from commit 4bf41879d0)

Co-authored-by: Seth Michael Larson <seth@python.org>

* Update pip SBOM package to version in source

---------

Co-authored-by: Seth Michael Larson <seth@python.org>
Miss Islington (bot) 2024-02-06 19:34:03 +01:00 committed by GitHub
parent b39119916c
commit 5fb2204ad4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 51 additions and 49 deletions

Misc/sbom.spdx.json generated

@ -1570,18 +1570,18 @@
"fileName": "Modules/_decimal/libmpdec/vcdiv64.asm" "fileName": "Modules/_decimal/libmpdec/vcdiv64.asm"
}, },
{ {
"SPDXID": "SPDXRef-FILE-Lib-ensurepip-bundled-pip-23.3.2-py3-none-any.whl", "SPDXID": "SPDXRef-FILE-Lib-ensurepip-bundled-pip-24.0-py3-none-any.whl",
"checksums": [ "checksums": [
{ {
"algorithm": "SHA1", "algorithm": "SHA1",
"checksumValue": "8e48f55ab2965ee64bd55cc91a8077d184a33e30" "checksumValue": "e44313ae1e6af3c2bd3b60ab2fa8c34308d00555"
}, },
{ {
"algorithm": "SHA256", "algorithm": "SHA256",
"checksumValue": "5052d7889c1f9d05224cd41741acb7c5d6fa735ab34e339624a614eaaa7e7d76" "checksumValue": "ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc"
} }
], ],
"fileName": "Lib/ensurepip/_bundled/pip-23.3.2-py3-none-any.whl" "fileName": "Lib/ensurepip/_bundled/pip-24.0-py3-none-any.whl"
} }
], ],
"packages": [ "packages": [
@ -1601,7 +1601,7 @@
"referenceType": "cpe23Type" "referenceType": "cpe23Type"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "expat", "name": "expat",
"originator": "Organization: Expat development team", "originator": "Organization: Expat development team",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
@ -1623,7 +1623,7 @@
"referenceType": "cpe23Type" "referenceType": "cpe23Type"
} }
], ],
"licenseConcluded": "Apache-2.0", "licenseConcluded": "NOASSERTION",
"name": "hacl-star", "name": "hacl-star",
"originator": "Organization: HACL* Developers", "originator": "Organization: HACL* Developers",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
@ -1645,7 +1645,7 @@
"referenceType": "cpe23Type" "referenceType": "cpe23Type"
} }
], ],
"licenseConcluded": "CC0-1.0", "licenseConcluded": "NOASSERTION",
"name": "libb2", "name": "libb2",
"originator": "Organization: BLAKE2 - fast secure hashing", "originator": "Organization: BLAKE2 - fast secure hashing",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
@ -1667,7 +1667,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "macholib", "name": "macholib",
"originator": "Person: Ronald Oussoren (ronaldoussoren@mac.com)", "originator": "Person: Ronald Oussoren (ronaldoussoren@mac.com)",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
@ -1689,7 +1689,7 @@
"referenceType": "cpe23Type" "referenceType": "cpe23Type"
} }
], ],
"licenseConcluded": "BSD-2-Clause", "licenseConcluded": "NOASSERTION",
"name": "mpdecimal", "name": "mpdecimal",
"originator": "Organization: bytereef.org", "originator": "Organization: bytereef.org",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
@ -1711,7 +1711,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "cachecontrol", "name": "cachecontrol",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "0.13.1" "versionInfo": "0.13.1"
@ -1732,7 +1732,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "colorama", "name": "colorama",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "0.4.6" "versionInfo": "0.4.6"
@ -1742,21 +1742,21 @@
"checksums": [ "checksums": [
{ {
"algorithm": "SHA256", "algorithm": "SHA256",
"checksumValue": "f35c4b692542ca110de7ef0bea44d73981caeb34ca0b9b6b2e6d7790dda8f80e" "checksumValue": "034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784"
} }
], ],
"downloadLocation": "https://files.pythonhosted.org/packages/76/cb/6bbd2b10170ed991cf64e8c8b85e01f2fb38f95d1bc77617569e0b0b26ac/distlib-0.3.6-py2.py3-none-any.whl", "downloadLocation": "https://files.pythonhosted.org/packages/8e/41/9307e4f5f9976bc8b7fea0b66367734e8faf3ec84bc0d412d8cfabbb66cd/distlib-0.3.8-py2.py3-none-any.whl",
"externalRefs": [ "externalRefs": [
{ {
"referenceCategory": "PACKAGE_MANAGER", "referenceCategory": "PACKAGE_MANAGER",
"referenceLocator": "pkg:pypi/distlib@0.3.6", "referenceLocator": "pkg:pypi/distlib@0.3.8",
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "distlib", "name": "distlib",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "0.3.6" "versionInfo": "0.3.8"
}, },
{ {
"SPDXID": "SPDXRef-PACKAGE-distro", "SPDXID": "SPDXRef-PACKAGE-distro",
@ -1774,7 +1774,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "distro", "name": "distro",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "1.8.0" "versionInfo": "1.8.0"
@ -1795,7 +1795,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "msgpack", "name": "msgpack",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "1.0.5" "versionInfo": "1.0.5"
@ -1816,7 +1816,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "packaging", "name": "packaging",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "21.3" "versionInfo": "21.3"
@ -1837,7 +1837,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "platformdirs", "name": "platformdirs",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "3.8.1" "versionInfo": "3.8.1"
@ -1858,7 +1858,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "pyparsing", "name": "pyparsing",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "3.1.0" "versionInfo": "3.1.0"
@ -1879,7 +1879,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "pyproject-hooks", "name": "pyproject-hooks",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "1.0.0" "versionInfo": "1.0.0"
@ -1900,7 +1900,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "requests", "name": "requests",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "2.31.0" "versionInfo": "2.31.0"
@ -1921,7 +1921,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "certifi", "name": "certifi",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "2023.7.22" "versionInfo": "2023.7.22"
@ -1942,7 +1942,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "chardet", "name": "chardet",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "5.1.0" "versionInfo": "5.1.0"
@ -1963,7 +1963,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "idna", "name": "idna",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "3.4" "versionInfo": "3.4"
@ -1984,7 +1984,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "rich", "name": "rich",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "13.4.2" "versionInfo": "13.4.2"
@ -2005,7 +2005,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "pygments", "name": "pygments",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "2.15.1" "versionInfo": "2.15.1"
@ -2026,7 +2026,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "typing_extensions", "name": "typing_extensions",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "4.7.1" "versionInfo": "4.7.1"
@ -2047,7 +2047,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "resolvelib", "name": "resolvelib",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "1.0.1" "versionInfo": "1.0.1"
@ -2068,7 +2068,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "setuptools", "name": "setuptools",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "68.0.0" "versionInfo": "68.0.0"
@ -2089,7 +2089,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "six", "name": "six",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "1.16.0" "versionInfo": "1.16.0"
@ -2110,7 +2110,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "tenacity", "name": "tenacity",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "8.2.2" "versionInfo": "8.2.2"
@ -2131,7 +2131,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "tomli", "name": "tomli",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "2.0.1" "versionInfo": "2.0.1"
@ -2152,7 +2152,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "truststore", "name": "truststore",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "0.8.0" "versionInfo": "0.8.0"
@ -2173,7 +2173,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "webencodings", "name": "webencodings",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "0.5.1" "versionInfo": "0.5.1"
@ -2194,7 +2194,7 @@
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "urllib3", "name": "urllib3",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "1.26.17" "versionInfo": "1.26.17"
@ -2204,27 +2204,27 @@
"checksums": [ "checksums": [
{ {
"algorithm": "SHA256", "algorithm": "SHA256",
"checksumValue": "5052d7889c1f9d05224cd41741acb7c5d6fa735ab34e339624a614eaaa7e7d76" "checksumValue": "ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc"
} }
], ],
"downloadLocation": "https://files.pythonhosted.org/packages/15/aa/3f4c7bcee2057a76562a5b33ecbd199be08cdb4443a02e26bd2c3cf6fc39/pip-23.3.2-py3-none-any.whl", "downloadLocation": "https://files.pythonhosted.org/packages/8a/6a/19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b/pip-24.0-py3-none-any.whl",
"externalRefs": [ "externalRefs": [
{ {
"referenceCategory": "SECURITY", "referenceCategory": "SECURITY",
"referenceLocator": "cpe:2.3:a:pypa:pip:23.3.2:*:*:*:*:*:*:*", "referenceLocator": "cpe:2.3:a:pypa:pip:24.0:*:*:*:*:*:*:*",
"referenceType": "cpe23Type" "referenceType": "cpe23Type"
}, },
{ {
"referenceCategory": "PACKAGE_MANAGER", "referenceCategory": "PACKAGE_MANAGER",
"referenceLocator": "pkg:pypi/pip@23.3.2", "referenceLocator": "pkg:pypi/pip@24.0",
"referenceType": "purl" "referenceType": "purl"
} }
], ],
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"name": "pip", "name": "pip",
"originator": "Organization: Python Packaging Authority", "originator": "Organization: Python Packaging Authority",
"primaryPackagePurpose": "SOURCE", "primaryPackagePurpose": "SOURCE",
"versionInfo": "23.3.2" "versionInfo": "24.0"
} }
], ],
"relationships": [ "relationships": [
@ -2909,7 +2909,7 @@
"spdxElementId": "SPDXRef-PACKAGE-mpdecimal" "spdxElementId": "SPDXRef-PACKAGE-mpdecimal"
}, },
{ {
"relatedSpdxElement": "SPDXRef-FILE-Lib-ensurepip-bundled-pip-23.3.2-py3-none-any.whl", "relatedSpdxElement": "SPDXRef-FILE-Lib-ensurepip-bundled-pip-24.0-py3-none-any.whl",
"relationshipType": "CONTAINS", "relationshipType": "CONTAINS",
"spdxElementId": "SPDXRef-PACKAGE-pip" "spdxElementId": "SPDXRef-PACKAGE-pip"
} }


@ -338,7 +338,7 @@ def discover_pip_sbom_package(sbom_data: dict[str, typing.Any]) -> None:
"name": "pip", "name": "pip",
"versionInfo": pip_version, "versionInfo": pip_version,
"originator": "Organization: Python Packaging Authority", "originator": "Organization: Python Packaging Authority",
"licenseConcluded": "MIT", "licenseConcluded": "NOASSERTION",
"downloadLocation": pip_download_url, "downloadLocation": pip_download_url,
"checksums": [ "checksums": [
{"algorithm": "SHA256", "checksumValue": pip_checksum_sha256} {"algorithm": "SHA256", "checksumValue": pip_checksum_sha256}
@ -383,9 +383,11 @@ def main() -> None:
discover_pip_sbom_package(sbom_data) discover_pip_sbom_package(sbom_data)
# Ensure all packages in this tool are represented also in the SBOM file. # Ensure all packages in this tool are represented also in the SBOM file.
actual_names = {package["name"] for package in sbom_data["packages"]}
expected_names = set(PACKAGE_TO_FILES)
error_if( error_if(
{package["name"] for package in sbom_data["packages"]} != set(PACKAGE_TO_FILES), actual_names != expected_names,
"Packages defined in SBOM tool don't match those defined in SBOM file.", f"Packages defined in SBOM tool don't match those defined in SBOM file: {actual_names}, {expected_names}",
) )
# Make a bunch of assertions about the SBOM data to ensure it's consistent. # Make a bunch of assertions about the SBOM data to ensure it's consistent.
@ -422,8 +424,8 @@ def main() -> None:
# License must be on the approved list for SPDX. # License must be on the approved list for SPDX.
license_concluded = package["licenseConcluded"] license_concluded = package["licenseConcluded"]
error_if( error_if(
license_concluded not in ALLOWED_LICENSE_EXPRESSIONS, license_concluded != "NOASSERTION",
f"License identifier '{license_concluded}' not in SBOM tool allowlist" f"License identifier must be 'NOASSERTION'"
) )
# We call 'sorted()' here a lot to avoid filesystem scan order issues. # We call 'sorted()' here a lot to avoid filesystem scan order issues.
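Review bot: The comment at the top of the last hunk, `# License must be on the approved list for SPDX.`, is now stale: the new condition no longer consults an allowlist but requires the literal `NOASSERTION`, so it should read `# licenseConcluded is deliberately left as NOASSERTION (gh-112302); reject anything else.` The new message `f"License identifier must be 'NOASSERTION'"` is an f-string with no placeholders and, unlike the line it replaces, drops the offending value from the error; `f"License identifier '{license_concluded}' must be 'NOASSERTION'"` keeps the diagnostic. If `ALLOWED_LICENSE_EXPRESSIONS` has no other reader after this change it is presumably dead now, but that cannot be confirmed from the hunk. The enclosing `main()` starts before the hunk and continues after it.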