chore: update SBOM for Python 3.8 (#3622)

Co-authored-by: GitHub <noreply@github.com>
intel · Dec 18, 2023 · 3947866 · 3947866
1 parent 8d81fb6
commit 3947866
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 62 deletions.
diff --git a/sbom/cve-bin-tool-py3.8.json b/sbom/cve-bin-tool-py3.8.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:dbe81473-bc6a-4f42-83b0-111ae79f8a5d",
+  "serialNumber": "urn:uuid:5e077d1b-8263-436e-a610-44acf9087075",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-12-11T00:27:25Z",
+    "timestamp": "2023-12-18T00:27:39Z",
     "tools": {
       "components": [
         {
@@ -65,10 +65,6 @@
       "bom-ref": "2-aiohttp",
       "name": "aiohttp",
       "version": "3.9.1",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:aiohttp:3.9.1",
       "description": "Async http client/server framework (asyncio)",
       "licenses": [
         {
@@ -102,10 +98,6 @@
       "bom-ref": "3-aiosignal",
       "name": "aiosignal",
       "version": "1.3.1",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1",
       "licenses": [
         {
           "license": {
@@ -137,11 +129,7 @@
       "type": "library",
       "bom-ref": "4-frozenlist",
       "name": "frozenlist",
-      "version": "1.4.0",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0",
+      "version": "1.4.1",
       "description": "A list-like structure which implements collections.abc.MutableSequence",
       "licenses": [
         {
@@ -153,12 +141,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/frozenlist/1.4.0",
+          "url": "https://pypi.org/project/frozenlist/1.4.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/frozenlist@1.4.0",
+      "purl": "pkg:pypi/frozenlist@1.4.1",
       "properties": [
         {
           "name": "language",
@@ -1619,10 +1607,6 @@
       "bom-ref": "43-markupsafe",
       "name": "markupsafe",
       "version": "2.1.3",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3",
       "description": "Safely add untrusted strings to HTML/XML markup.",
       "licenses": [
         {
@@ -1750,11 +1734,11 @@
       "type": "library",
       "bom-ref": "47-rpds-py",
       "name": "rpds-py",
-      "version": "0.13.2",
+      "version": "0.15.2",
       "supplier": {
         "name": "Julian Berman"
       },
-      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.13.2:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.15.2:*:*:*:*:*:*:*",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "licenses": [
         {
@@ -1766,12 +1750,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/rpds-py/0.13.2",
+          "url": "https://pypi.org/project/rpds-py/0.15.2",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/rpds-py@0.13.2",
+      "purl": "pkg:pypi/rpds-py@0.15.2",
       "properties": [
         {
           "name": "language",
@@ -1813,7 +1797,7 @@
       "type": "library",
       "bom-ref": "49-lib4sbom",
       "name": "lib4sbom",
-      "version": "0.5.3",
+      "version": "0.5.4",
       "supplier": {
         "name": "Anthony Harrison",
         "contact": [
@@ -1822,7 +1806,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.3:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.4:*:*:*:*:*:*:*",
       "description": "Software Bill of Material (SBOM) generator and consumer library",
       "licenses": [
         {
@@ -1834,12 +1818,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/lib4sbom/0.5.3",
+          "url": "https://pypi.org/project/lib4sbom/0.5.4",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/lib4sbom@0.5.3",
+      "purl": "pkg:pypi/lib4sbom@0.5.4",
       "properties": [
         {
           "name": "language",
@@ -1931,11 +1915,11 @@
       "type": "library",
       "bom-ref": "52-packageurl-python",
       "name": "packageurl-python",
-      "version": "0.12.0",
+      "version": "0.13.1",
       "supplier": {
         "name": "the purl authors"
       },
-      "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.12.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.13.1:*:*:*:*:*:*:*",
       "description": "A purl aka. Package URL parser and builder",
       "licenses": [
         {
@@ -1947,12 +1931,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/packageurl-python/0.12.0",
+          "url": "https://pypi.org/project/packageurl-python/0.13.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/packageurl-python@0.12.0",
+      "purl": "pkg:pypi/packageurl-python@0.13.1",
       "properties": [
         {
           "name": "language",
@@ -2074,7 +2058,7 @@
       "type": "library",
       "bom-ref": "56-python-gnupg",
       "name": "python-gnupg",
-      "version": "0.5.1",
+      "version": "0.5.2",
       "supplier": {
         "name": "Vinay Sajip",
         "contact": [
@@ -2083,7 +2067,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.2:*:*:*:*:*:*:*",
       "description": "A wrapper for the Gnu Privacy Guard (GPG or GnuPG)",
       "licenses": [
         {
@@ -2095,12 +2079,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/python-gnupg/0.5.1",
+          "url": "https://pypi.org/project/python-gnupg/0.5.2",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/python-gnupg@0.5.1",
+      "purl": "pkg:pypi/python-gnupg@0.5.2",
       "properties": [
         {
           "name": "language",

diff --git a/sbom/cve-bin-tool-py3.8.spdx b/sbom/cve-bin-tool-py3.8.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-8f6dc0e5-f734-4e02-b567-528c334f2968
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-32dbe4f5-fb23-49e4-aa04-ffa01c5c3d9d
 LicenseListVersion: 3.22
 Creator: Tool: sbom4python-0.10.1
-Created: 2023-12-11T00:26:12Z
+Created: 2023-12-18T00:26:24Z
 CreatorComment: <text>This document has been automatically generated.</text>
 ##### 
 
@@ -28,7 +28,7 @@ PackageName: aiohttp
 SPDXID: SPDXRef-Package-2-aiohttp
 PackageVersion: 3.9.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/aiohttp/3.9.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
@@ -43,7 +43,7 @@ PackageName: aiosignal
 SPDXID: SPDXRef-Package-3-aiosignal
 PackageVersion: 1.3.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
@@ -55,17 +55,17 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiosignal@1.3.1
 
 PackageName: frozenlist
 SPDXID: SPDXRef-Package-4-frozenlist
-PackageVersion: 1.4.0
+PackageVersion: 1.4.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0
+PackageSupplier: NOASSERTION
+PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>frozenlist declares Apache 2 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A list-like structure which implements collections.abc.MutableSequence</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.0
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.1
 ##### 
 
 PackageName: async-timeout
@@ -660,7 +660,7 @@ PackageName: markupsafe
 SPDXID: SPDXRef-Package-43-markupsafe
 PackageVersion: 2.1.3
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3
 FilesAnalyzed: false
 PackageLicenseDeclared: BSD-3-Clause
@@ -717,17 +717,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.32.0:*:*:*
 
 PackageName: rpds-py
 SPDXID: SPDXRef-Package-47-rpds-py
-PackageVersion: 0.13.2
+PackageVersion: 0.15.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.13.2
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.15.2
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Python bindings to Rust's persistent data structures (rpds)</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.13.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.13.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.15.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.15.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: pkgutil-resolve-name
@@ -747,17 +747,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:pkgutil-resolve-name:1.3.1
 
 PackageName: lib4sbom
 SPDXID: SPDXRef-Package-49-lib4sbom
-PackageVersion: 0.5.3
+PackageVersion: 0.5.4
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.3
+PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.4
 FilesAnalyzed: false
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Software Bill of Material (SBOM) generator and consumer library</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.4:*:*:*:*:*:*:*
 ##### 
 
 PackageName: pyyaml
@@ -793,17 +793,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10.
 
 PackageName: packageurl-python
 SPDXID: SPDXRef-Package-52-packageurl-python
-PackageVersion: 0.12.0
+PackageVersion: 0.13.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: the purl authors
-PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.12.0
+PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.13.1
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A purl aka. Package URL parser and builder</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.12.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.12.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.13.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.13.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: packaging
@@ -854,18 +854,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*
 
 PackageName: python-gnupg
 SPDXID: SPDXRef-Package-56-python-gnupg
-PackageVersion: 0.5.1
+PackageVersion: 0.5.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Vinay Sajip (vinay_sajip@yahoo.co.uk)
-PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.1
+PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.2
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: BSD-3-Clause
 PackageLicenseComments: <text>python-gnupg declares BSD which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A wrapper for the Gnu Privacy Guard (GPG or GnuPG)</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/python-gnupg@0.5.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/python-gnupg@0.5.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: requests