python
diff --git a/‎sbom.py
Lines changed: 54 additions & 101 deletions b/‎sbom.py
Lines changed: 54 additions & 101 deletions
@@ -316,38 +316,20 @@ def create_pip_sbom_from_wheel(
     )
 
 
-def create_sbom_for_source_tarball(tarball_path: str):
-    """Stitches together an SBOM for a source tarball"""
-    tarball_name = os.path.basename(tarball_path)
-
-    # Open the tarball with known compression settings.
-    if tarball_name.endswith(".tgz"):
-        tarball = tarfile.open(tarball_path, mode="r:gz")
-    elif tarball_name.endswith(".tar.xz"):
-        tarball = tarfile.open(tarball_path, mode="r:xz")
-    else:
-        raise ValueError(f"Unknown tarball format: '{tarball_name}'")
+def create_cpython_sbom(
+    sbom_data: dict[str, typing.Any],
+    cpython_version: str,
+    artifact_path: str,
+):
+    """Creates the top-level SBOM metadata and the CPython SBOM package."""
 
-    # Parse the CPython version from the tarball.
-    # Calculate the download locations from the CPython version and tarball name.
-    cpython_version = re.match(r"^Python-([0-9abrc.]+)\.t", tarball_name).group(1)
     cpython_version_without_suffix = re.match(r"^([0-9.]+)", cpython_version).group(1)
-    tarball_download_location = f"https://www.python.org/ftp/python/{cpython_version_without_suffix}/{tarball_name}"
-
-    # Take a hash of the tarball
-    with open(tarball_path, mode="rb") as f:
-        tarball_checksum_sha256 = hashlib.sha256(f.read()).hexdigest()
+    artifact_name = os.path.basename(artifact_path)
+    artifact_download_location = f"https://www.python.org/ftp/python/{cpython_version_without_suffix}/{artifact_name}"
 
-    # There should be an SBOM included in the tarball.
-    # If there's not we can't create an SBOM.
-    try:
-        sbom_tarball_member = tarball.getmember(f"Python-{cpython_version}/Misc/sbom.spdx.json")
-    except KeyError:
-        raise ValueError(
-            "Tarball doesn't contain an SBOM at 'Misc/sbom.spdx.json'"
-        ) from None
-    sbom_bytes = tarball.extractfile(sbom_tarball_member).read()
-    sbom_data = json.loads(sbom_bytes)
+    # Take a hash of the artifact
+    with open(artifact_path, mode="rb") as f:
+        artifact_checksum_sha256 = hashlib.sha256(f.read()).hexdigest()
 
     sbom_data.update({
         "SPDXID": "SPDXRef-DOCUMENT",
@@ -356,7 +338,7 @@ def create_sbom_for_source_tarball(tarball_path: str):
         "dataLicense": "CC0-1.0",
         # Naming done according to OpenSSF SBOM WG recommendations.
         # See: https://github.com/ossf/sbom-everywhere/blob/main/reference/sbom_naming.md
-        "documentNamespace": f"{tarball_download_location}.spdx.json",
+        "documentNamespace": f"{artifact_download_location}.spdx.json",
         "creationInfo": {
             "created": (
                 datetime.datetime.now(tz=datetime.timezone.utc)
@@ -381,7 +363,7 @@ def create_sbom_for_source_tarball(tarball_path: str):
         "licenseConcluded": "PSF-2.0",
         "originator": "Organization: Python Software Foundation",
         "supplier": "Organization: Python Software Foundation",
-        "packageFileName": tarball_name,
+        "packageFileName": artifact_name,
         "externalRefs": [
             {
                 "referenceCategory": "SECURITY",
@@ -390,8 +372,8 @@ def create_sbom_for_source_tarball(tarball_path: str):
             }
         ],
         "primaryPackagePurpose": "SOURCE",
-        "downloadLocation": tarball_download_location,
-        "checksums": [{"algorithm": "SHA256", "checksumValue": tarball_checksum_sha256}],
+        "downloadLocation": artifact_download_location,
+        "checksums": [{"algorithm": "SHA256", "checksumValue": artifact_checksum_sha256}],
     }
 
     # The top-level CPython package depends on every vendored sub-package.
@@ -404,6 +386,37 @@ def create_sbom_for_source_tarball(tarball_path: str):
 
     sbom_data["packages"].append(sbom_cpython_package)
 
+
+def create_sbom_for_source_tarball(tarball_path: str):
+    """Stitches together an SBOM for a source tarball"""
+    tarball_name = os.path.basename(tarball_path)
+
+    # Open the tarball with known compression settings.
+    if tarball_name.endswith(".tgz"):
+        tarball = tarfile.open(tarball_path, mode="r:gz")
+    elif tarball_name.endswith(".tar.xz"):
+        tarball = tarfile.open(tarball_path, mode="r:xz")
+    else:
+        raise ValueError(f"Unknown tarball format: '{tarball_name}'")
+
+    # Parse the CPython version from the tarball.
+    # Calculate the download locations from the CPython version and tarball name.
+    cpython_version = re.match(r"^Python-([0-9abrc.]+)\.t", tarball_name).group(1)
+
+    # There should be an SBOM included in the tarball.
+    # If there's not we can't create an SBOM.
+    try:
+        sbom_tarball_member = tarball.getmember(f"Python-{cpython_version}/Misc/sbom.spdx.json")
+    except KeyError:
+        raise ValueError(
+            "Tarball doesn't contain an SBOM at 'Misc/sbom.spdx.json'"
+        ) from None
+    sbom_bytes = tarball.extractfile(sbom_tarball_member).read()
+    sbom_data = json.loads(sbom_bytes)
+
+    create_cpython_sbom(sbom_data, cpython_version=cpython_version, artifact_path=tarball_path)
+    sbom_cpython_package_spdx_id = spdx_id("SPDXRef-PACKAGE-cpython")
+
     # Find the pip wheel in ensurepip in the tarball
     for member in tarball.getmembers():
         match = re.match(rf"^Python-{cpython_version}/Lib/ensurepip/_bundled/(pip-.*\.whl)$", member.name)
@@ -487,7 +500,7 @@ def create_sbom_for_source_tarball(tarball_path: str):
             )
             sbom_data["relationships"].append(
                 {
-                    "spdxElementId": sbom_cpython_package["SPDXID"],
+                    "spdxElementId": sbom_cpython_package_spdx_id,
                     "relatedSpdxElement": sbom_file_spdx_id,
                     "relationshipType": "CONTAINS",
                 }
@@ -505,7 +518,7 @@ def create_sbom_for_source_tarball(tarball_path: str):
     sbom_data["relationships"].append(
         {
             "spdxElementId": "SPDXRef-DOCUMENT",
-            "relatedSpdxElement": sbom_cpython_package["SPDXID"],
+            "relatedSpdxElement": sbom_cpython_package_spdx_id,
             "relationshipType": "DESCRIBES",
         }
     )
@@ -519,20 +532,12 @@ def create_sbom_for_source_tarball(tarball_path: str):
     # Calculate the 'packageVerificationCode' values for files in packages.
     calculate_package_verification_codes(sbom_data)
 
-    # Normalize SBOM structures for reproducibility.
-    normalize_sbom_data(sbom_data)
-
     return sbom_data
 
 
 def create_sbom_for_windows_artifact(exe_path):
     exe_name = os.path.basename(exe_path)
     cpython_version = re.match(r"^python-([0-9abrc.]+)(?:-|\.exe)", exe_name).group(1)
-    cpython_version_without_suffix = re.match(r"^([0-9.]+)", cpython_version).group(1)
-    exe_download_location = f"https://www.python.org/ftp/python/{cpython_version_without_suffix}/{exe_name}"
-
-    with open(exe_path, mode="rb") as f:
-        exe_checksum_sha256 = hashlib.sha256(f.read()).hexdigest()
 
     # Start with the CPython source SBOM as a base
     with open("Misc/externals.spdx.json") as f:
@@ -549,80 +554,26 @@ def create_sbom_for_windows_artifact(exe_path):
     sbom_data["relationships"] = []
     sbom_data["files"] = []
 
-    sbom_data.update({
-        "SPDXID": "SPDXRef-DOCUMENT",
-        "spdxVersion": "SPDX-2.3",
-        "name": "CPython SBOM",
-        "dataLicense": "CC0-1.0",
-        # Naming done according to OpenSSF SBOM WG recommendations.
-        # See: https://github.com/ossf/sbom-everywhere/blob/main/reference/sbom_naming.md
-        "documentNamespace": f"{exe_download_location}.spdx.json",
-        "creationInfo": {
-            "created": (
-                datetime.datetime.now(tz=datetime.timezone.utc)
-                .strftime("%Y-%m-%dT%H:%M:%SZ")
-            ),
-            "creators": [
-                "Person: Python Release Managers",
-                f"Tool: ReleaseTools-{get_release_tools_commit_sha()}",
-            ],
-            # Version of the SPDX License ID list.
-            # This shouldn't need to be updated often, if ever.
-            "licenseListVersion": "3.22",
-        },
-    })
-
-    # Create the SBOM entry for the CPython package. We use
-    # the SPDXID later on for creating relationships to files.
-    sbom_cpython_package = {
-        "SPDXID": "SPDXRef-PACKAGE-cpython",
-        "name": "CPython",
-        "versionInfo": cpython_version,
-        "licenseConcluded": "PSF-2.0",
-        "originator": "Organization: Python Software Foundation",
-        "supplier": "Organization: Python Software Foundation",
-        "packageFileName": exe_name,
-        "externalRefs": [
-            {
-                "referenceCategory": "SECURITY",
-                "referenceLocator": f"cpe:2.3:a:python:python:{cpython_version}:*:*:*:*:*:*:*",
-                "referenceType": "cpe23Type",
-            }
-        ],
-        "primaryPackagePurpose": "APPLICATION",
-        "downloadLocation": exe_download_location,
-        "checksums": [{"algorithm": "SHA256", "checksumValue": exe_checksum_sha256}],
-    }
-
-    # The top-level CPython package depends on every vendored sub-package.
-    for sbom_package in sbom_data["packages"]:
-        sbom_data["relationships"].append({
-            "spdxElementId": sbom_cpython_package["SPDXID"],
-            "relatedSpdxElement": sbom_package["SPDXID"],
-            "relationshipType": "DEPENDS_ON",
-        })
-
-    sbom_data["packages"].append(sbom_cpython_package)
+    create_cpython_sbom(sbom_data, cpython_version=cpython_version, artifact_path=exe_path)
+    sbom_cpython_package_spdx_id = spdx_id("SPDXRef-PACKAGE-cpython")
 
     # Final relationship, this SBOM describes the CPython package.
     sbom_data["relationships"].append(
         {
             "spdxElementId": "SPDXRef-DOCUMENT",
-            "relatedSpdxElement": sbom_cpython_package["SPDXID"],
+            "relatedSpdxElement": sbom_cpython_package_spdx_id,
             "relationshipType": "DESCRIBES",
         }
     )
 
     # Apply the 'supplier' tag to every package since we're shipping
-    # the package in the tarball itself. Originator field is used for maintainers.
+    # the package in the artifact itself. Originator field is used for maintainers.
     for sbom_package in sbom_data["packages"]:
         sbom_package["supplier"] = "Organization: Python Software Foundation"
         # Source packages have been compiled.
         if sbom_package["primaryPackagePurpose"] == "SOURCE":
             sbom_package["primaryPackagePurpose"] = "LIBRARY"
 
-    normalize_sbom_data(sbom_data)
-
     return sbom_data
 
 
@@ -634,6 +585,8 @@ def main() -> None:
         else:
             sbom_data = create_sbom_for_source_tarball(artifact_path)
 
+        # Normalize SBOM data for reproducibility.
+        normalize_sbom_data(sbom_data)
         with open(artifact_path + ".spdx.json", mode="w") as f:
             f.truncate()
             f.write(json.dumps(sbom_data, indent=2, sort_keys=True))