
Merge branch 'master' into dependabot/pip/pip-5cdcf6c19f
hugovk authored Feb 11, 2025
2 parents 912445d + 51b5905 commit 78577ff
Showing 2 changed files with 45 additions and 4 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/source-and-docs-release.yml
Expand Up @@ -40,8 +40,8 @@ name: "Build Python source and docs artifacts"
# Set from inputs for workflow_dispatch, or set defaults to test push/PR events
env:
GIT_REMOTE: ${{ github.event.inputs.git_remote || 'python' }}
GIT_COMMIT: ${{ github.event.inputs.git_commit || 'f6650f9ad73359051f3e558c2431a109bc016664' }}
CPYTHON_RELEASE: ${{ github.event.inputs.cpython_release || '3.12.3' }}
GIT_COMMIT: ${{ github.event.inputs.git_commit || '4f8bb3947cfbc20f970ff9d9531e1132a9e95396' }}
CPYTHON_RELEASE: ${{ github.event.inputs.cpython_release || '3.13.2' }}

jobs:
verify-input:
Expand Down Expand Up @@ -105,7 +105,7 @@ jobs:
python ../release.py --export "$CPYTHON_RELEASE" --skip-docs
- name: "Upload the source artifacts"
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: source
path: |
Expand Down Expand Up @@ -148,7 +148,7 @@ jobs:
SPHINXOPTS="-j10" make dist
- name: "Upload the docs artifacts"
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: docs
path: |
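--- a/sbom.py
+++ b/sbom.py
@@ -223,6 +223,38 @@ def recursive_sort_in_place(value: list[Any] | dict[str, Any]) -> None:
 recursive_sort_in_place(cast(dict[str, Any], sbom_data))
 
 
+def check_sbom_data(sbom_data: SBOM) -> None:
+"""Check SBOM data for common issues"""
+
+def check_id_duplicates(sbom_components: list[Package] | list[File]) -> set[str]:
+all_ids = set()
+for sbom_component in sbom_components:
+sbom_component_id = sbom_component["SPDXID"]
+assert sbom_component_id not in all_ids
+all_ids.add(sbom_component_id)
+return all_ids
+
+all_package_ids = check_id_duplicates(sbom_data["packages"])
+all_file_ids = check_id_duplicates(sbom_data["files"])
+
+# Check that no files and packages have the same ID.
+assert not all_package_ids.intersection(all_file_ids)
+all_sbom_ids = all_package_ids | all_file_ids
+
+# Check that all relationships use existing IDs.
+for sbom_relationship in sbom_data["relationships"]:
+
+# The exception being 'DESCRIBES' with the meta 'document' ID
+if (
+sbom_relationship["spdxElementId"] == "SPDXRef-DOCUMENT"
+and sbom_relationship["relationshipType"] == "DESCRIBES"
+):
+continue
+
+assert sbom_relationship["spdxElementId"] in all_sbom_ids
+assert sbom_relationship["relatedSpdxElement"] in all_sbom_ids
+
+
 def fetch_package_metadata_from_pypi(
 project: str, version: str, filename: str | None = None
 ) -> tuple[str, str]:
@@ -686,6 +718,11 @@ def create_sbom_for_windows_artifact(
 with (cpython_source_dir / "Misc/sbom.spdx.json").open() as f:
 source_sbom_data = json.loads(f.read())
 for sbom_package in source_sbom_data["packages"]:
+# Update the SPDX ID to avoid collisions with
+# the 'externals' SBOM.
+sbom_package["SPDXID"] = spdx_id(
+f"SPDXRef-PACKAGE-{sbom_package['name']}-{sbom_package['versionInfo']}"
+)
 sbom_data["packages"].append(sbom_package)
 
 create_cpython_sbom(
@@ -755,6 +792,10 @@ def main() -> None:
 
 # Normalize SBOM data for reproducibility.
 normalize_sbom_data(sbom_data)
+
+# Check SBOM for validity.
+check_sbom_data(sbom_data)
+
 with open(artifact_path + ".spdx.json", mode="w") as f:
 f.truncate()
 f.write(json.dumps(sbom_data, indent=2, sort_keys=True))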
