From a61746aea65c48f09b16ead7acacca5bcd669ee2 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Mon, 20 May 2024 13:27:09 -0400
Subject: [PATCH] gh-112844: Update CPE references for external dependencies
 (GH-118521) (cherry picked from commit
 1195c164daab873ebf87ba8efe44fffdf47307ef)

Co-authored-by: Seth Michael Larson <seth@python.org>
---
 Tools/build/generate_sbom.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/Tools/build/generate_sbom.py b/Tools/build/generate_sbom.py
index 258b58c03c6800..c08568f2e00326 100644
--- a/Tools/build/generate_sbom.py
+++ b/Tools/build/generate_sbom.py
@@ -305,7 +305,21 @@ def create_externals_sbom() -> None:
 
     # Set the versionInfo and downloadLocation fields for all packages.
     for package in sbom_data["packages"]:
-        package["versionInfo"] = externals_name_to_version[package["name"]]
+        package_version = externals_name_to_version[package["name"]]
+
+        # Update the version information in all the locations.
+        package["versionInfo"] = package_version
+        for external_ref in package["externalRefs"]:
+            if external_ref["referenceType"] != "cpe23Type":
+                continue
+            # Version is the fifth field of a CPE.
+            cpe23ref = external_ref["referenceLocator"]
+            external_ref["referenceLocator"] = re.sub(
+                r"\A(cpe(?::[^:]+){4}):[^:]+:",
+                fr"\1:{package_version}:",
+                cpe23ref
+            )
+
         download_location = (
             f"https://github.com/python/cpython-source-deps/archive/refs/tags/{externals_name_to_git_tag[package['name']]}.tar.gz"
         )

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/python/cpython/pull/119237.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/python/cpython/pull/119237.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/python/cpython/pull/119237.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/python/cpython/pull/119237.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>