[3.12] gh-112302: Change 'licenseConcluded' field to 'NOASSERTION' (GH-115038) (#115088)

* gh-112302: Change 'licenseConcluded' field to 'NOASSERTION' (GH-115038)
(cherry picked from commit 4bf4187)

Co-authored-by: Seth Michael Larson <seth@python.org>

* Update pip SBOM package to version in source

---------

Co-authored-by: Seth Michael Larson <seth@python.org>
miss-islington and sethmlarson committed Feb 6, 2024
1 parent b391199 commit 5fb2204
Showing 2 changed files with 51 additions and 49 deletions.
88 changes: 44 additions & 44 deletions Misc/sbom.spdx.json


12 changes: 7 additions & 5 deletions Tools/build/generate_sbom.py
Expand Up @@ -338,7 +338,7 @@ def discover_pip_sbom_package(sbom_data: dict[str, typing.Any]) -> None:
"name": "pip",
"versionInfo": pip_version,
"originator": "Organization: Python Packaging Authority",
"licenseConcluded": "MIT",
"licenseConcluded": "NOASSERTION",
"downloadLocation": pip_download_url,
"checksums": [
{"algorithm": "SHA256", "checksumValue": pip_checksum_sha256}
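Review bot: switching `licenseConcluded` from 'MIT' to 'NOASSERTION' means the generated SBOM entry no longer states any license for pip, and within the lines shown the package dict carries no `licenseDeclared` field to compensate, so downstream SBOM consumers lose license information for this component. Add a short comment above the field explaining why the concluded license is not asserted (SPDX reserves NOASSERTION for the case where the producer makes no determination), so the next reader does not "fix" it back to 'MIT'.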
Expand Down Expand Up @@ -383,9 +383,11 @@ def main() -> None:
discover_pip_sbom_package(sbom_data)

# Ensure all packages in this tool are represented also in the SBOM file.
actual_names = {package["name"] for package in sbom_data["packages"]}
expected_names = set(PACKAGE_TO_FILES)
error_if(
{package["name"] for package in sbom_data["packages"]} != set(PACKAGE_TO_FILES),
"Packages defined in SBOM tool don't match those defined in SBOM file.",
actual_names != expected_names,
f"Packages defined in SBOM tool don't match those defined in SBOM file: {actual_names}, {expected_names}",
)

# Make a bunch of assertions about the SBOM data to ensure it's consistent.
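Review bot: the expanded message in the `error_if` call prints both whole sets, `{actual_names}, {expected_names}`, without saying which is which, and for a long package list the reader still has to diff them by eye. Label the two and print only the discrepancy, e.g. `f"Packages missing from SBOM file: {expected_names - actual_names}; packages not in SBOM tool: {actual_names - expected_names}"`. Pulling `actual_names` and `expected_names` into named locals is a good readability step on its own.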
Expand Down Expand Up @@ -422,8 +424,8 @@ def main() -> None:
# License must be on the approved list for SPDX.
license_concluded = package["licenseConcluded"]
error_if(
license_concluded not in ALLOWED_LICENSE_EXPRESSIONS,
f"License identifier '{license_concluded}' not in SBOM tool allowlist"
license_concluded != "NOASSERTION",
f"License identifier must be 'NOASSERTION'"
)

# We call 'sorted()' here a lot to avoid filesystem scan order issues.
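Review bot: the context line `# License must be on the approved list for SPDX.` is now stale: the check below no longer consults `ALLOWED_LICENSE_EXPRESSIONS` but fails unless `license_concluded` is exactly 'NOASSERTION', so the comment should say that and why. The new message `f"License identifier must be 'NOASSERTION'"` is an f-string with no placeholders; either drop the `f` prefix or, better, keep the value in the report so the offending package can be located, e.g. `f"License identifier '{license_concluded}' must be 'NOASSERTION'"`. If `ALLOWED_LICENSE_EXPRESSIONS` is no longer referenced anywhere else in the module, remove its definition in the same change.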
