From 39478666edf32720fd62ff8a3431c947388c74c9 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 11:59:35 -0800 Subject: [PATCH] chore: update SBOM for Python 3.8 (#3622) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.8.json | 58 +++++++++++++----------------------- sbom/cve-bin-tool-py3.8.spdx | 50 +++++++++++++++---------------- 2 files changed, 46 insertions(+), 62 deletions(-) diff --git a/sbom/cve-bin-tool-py3.8.json b/sbom/cve-bin-tool-py3.8.json index 0e5ccfc372..0eeef1b199 100644 --- a/sbom/cve-bin-tool-py3.8.json +++ b/sbom/cve-bin-tool-py3.8.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:dbe81473-bc6a-4f42-83b0-111ae79f8a5d", + "serialNumber": "urn:uuid:5e077d1b-8263-436e-a610-44acf9087075", "version": 1, "metadata": { - "timestamp": "2023-12-11T00:27:25Z", + "timestamp": "2023-12-18T00:27:39Z", "tools": { "components": [ { @@ -65,10 +65,6 @@ "bom-ref": "2-aiohttp", "name": "aiohttp", "version": "3.9.1", - "supplier": { - "name": "NOASSERTION" - }, - "cpe": "cpe:/a:NOASSERTION:aiohttp:3.9.1", "description": "Async http client/server framework (asyncio)", "licenses": [ { @@ -102,10 +98,6 @@ "bom-ref": "3-aiosignal", "name": "aiosignal", "version": "1.3.1", - "supplier": { - "name": "NOASSERTION" - }, - "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1", "licenses": [ { "license": { @@ -137,11 +129,7 @@ "type": "library", "bom-ref": "4-frozenlist", "name": "frozenlist", - "version": "1.4.0", - "supplier": { - "name": "NOASSERTION" - }, - "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0", + "version": "1.4.1", "description": "A list-like structure which implements collections.abc.MutableSequence", "licenses": [ { 
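Review bot: In the aiohttp hunk (`@@ -65,10 +65,6 @@`) the component loses its `cpe` entry with nothing replacing it, so any consumer that matches vulnerabilities by CPE will no longer see aiohttp 3.9.1 — the same applies to aiosignal, frozenlist and markupsafe further down. Dropping `cpe:/a:NOASSERTION:aiohttp:3.9.1` is itself the right call: a `NOASSERTION` vendor can never match an NVD entry, and the CPE 2.2 URI form is inconsistent with the `cpe:2.3:` formatted strings the rest of the file uses. The purl for these components lies outside this hunk (frozenlist's `pkg:pypi/frozenlist@1.4.1` is visible in the following hunk), so presumably purl-based matching still covers them; it is worth confirming that whatever scanner consumes this SBOM keys on purl rather than CPE before relying on it for vulnerability triage. The enclosing `components` array starts and ends outside the hunk.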
@@ -153,12 +141,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/frozenlist/1.4.0", + "url": "https://pypi.org/project/frozenlist/1.4.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/frozenlist@1.4.0", + "purl": "pkg:pypi/frozenlist@1.4.1", "properties": [ { "name": "language", @@ -1619,10 +1607,6 @@ "bom-ref": "43-markupsafe", "name": "markupsafe", "version": "2.1.3", - "supplier": { - "name": "NOASSERTION" - }, - "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3", "description": "Safely add untrusted strings to HTML/XML markup.", "licenses": [ { @@ -1750,11 +1734,11 @@ "type": "library", "bom-ref": "47-rpds-py", "name": "rpds-py", - "version": "0.13.2", + "version": "0.15.2", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.13.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.15.2:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", "licenses": [ { @@ -1766,12 +1750,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rpds-py/0.13.2", + "url": "https://pypi.org/project/rpds-py/0.15.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.13.2", + "purl": "pkg:pypi/rpds-py@0.15.2", "properties": [ { "name": "language", @@ -1813,7 +1797,7 @@ "type": "library", "bom-ref": "49-lib4sbom", "name": "lib4sbom", - "version": "0.5.3", + "version": "0.5.4", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -1822,7 +1806,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.4:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { 
@@ -1834,12 +1818,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.5.3", + "url": "https://pypi.org/project/lib4sbom/0.5.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.5.3", + "purl": "pkg:pypi/lib4sbom@0.5.4", "properties": [ { "name": "language", @@ -1931,11 +1915,11 @@ "type": "library", "bom-ref": "52-packageurl-python", "name": "packageurl-python", - "version": "0.12.0", + "version": "0.13.1", "supplier": { "name": "the purl authors" }, - "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.12.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.13.1:*:*:*:*:*:*:*", "description": "A purl aka. Package URL parser and builder", "licenses": [ { @@ -1947,12 +1931,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/packageurl-python/0.12.0", + "url": "https://pypi.org/project/packageurl-python/0.13.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/packageurl-python@0.12.0", + "purl": "pkg:pypi/packageurl-python@0.13.1", "properties": [ { "name": "language", @@ -2074,7 +2058,7 @@ "type": "library", "bom-ref": "56-python-gnupg", "name": "python-gnupg", - "version": "0.5.1", + "version": "0.5.2", "supplier": { "name": "Vinay Sajip", "contact": [ @@ -2083,7 +2067,7 @@ } ] }, - "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.2:*:*:*:*:*:*:*", "description": "A wrapper for the Gnu Privacy Guard (GPG or GnuPG)", "licenses": [ { @@ -2095,12 +2079,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/python-gnupg/0.5.1", + "url": "https://pypi.org/project/python-gnupg/0.5.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/python-gnupg@0.5.1", + "purl": "pkg:pypi/python-gnupg@0.5.2", "properties": [ { "name": "language", 
diff --git a/sbom/cve-bin-tool-py3.8.spdx b/sbom/cve-bin-tool-py3.8.spdx index 30c4e45156..a42a56920d 100644 --- a/sbom/cve-bin-tool-py3.8.spdx +++ b/sbom/cve-bin-tool-py3.8.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-8f6dc0e5-f734-4e02-b567-528c334f2968 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-32dbe4f5-fb23-49e4-aa04-ffa01c5c3d9d LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.10.1 -Created: 2023-12-11T00:26:12Z +Created: 2023-12-18T00:26:24Z CreatorComment: This document has been automatically generated. ##### @@ -28,7 +28,7 @@ PackageName: aiohttp SPDXID: SPDXRef-Package-2-aiohttp PackageVersion: 3.9.1 PrimaryPackagePurpose: LIBRARY -PackageSupplier: Organization: NOASSERTION +PackageSupplier: NOASSERTION PackageDownloadLocation: https://pypi.org/project/aiohttp/3.9.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION @@ -43,7 +43,7 @@ PackageName: aiosignal SPDXID: SPDXRef-Package-3-aiosignal PackageVersion: 1.3.1 PrimaryPackagePurpose: LIBRARY -PackageSupplier: Organization: NOASSERTION +PackageSupplier: NOASSERTION PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION 
@@ -55,17 +55,17 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiosignal@1.3.1 PackageName: frozenlist SPDXID: SPDXRef-Package-4-frozenlist -PackageVersion: 1.4.0 +PackageVersion: 1.4.1 PrimaryPackagePurpose: LIBRARY -PackageSupplier: Organization: NOASSERTION -PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0 +PackageSupplier: NOASSERTION +PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: frozenlist declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A list-like structure which implements collections.abc.MutableSequence -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.0 +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.1 ##### PackageName: async-timeout @@ -660,7 +660,7 @@ PackageName: markupsafe SPDXID: SPDXRef-Package-43-markupsafe PackageVersion: 2.1.3 PrimaryPackagePurpose: LIBRARY -PackageSupplier: Organization: NOASSERTION +PackageSupplier: NOASSERTION PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3 FilesAnalyzed: false PackageLicenseDeclared: BSD-3-Clause 
@@ -717,17 +717,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.32.0:*:*:* PackageName: rpds-py SPDXID: SPDXRef-Package-47-rpds-py -PackageVersion: 0.13.2 +PackageVersion: 0.15.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.13.2 +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.15.2 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.13.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.13.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.15.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.15.2:*:*:*:*:*:*:* ##### PackageName: pkgutil-resolve-name @@ -747,17 +747,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:pkgutil-resolve-name:1.3.1 PackageName: lib4sbom SPDXID: SPDXRef-Package-49-lib4sbom -PackageVersion: 0.5.3 +PackageVersion: 0.5.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.3 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.4 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.4:*:*:*:*:*:*:* ##### PackageName: pyyaml 
@@ -793,17 +793,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10. PackageName: packageurl-python SPDXID: SPDXRef-Package-52-packageurl-python -PackageVersion: 0.12.0 +PackageVersion: 0.13.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: the purl authors -PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.12.0 +PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.13.1 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: A purl aka. Package URL parser and builder -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.12.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.12.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.13.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.13.1:*:*:*:*:*:*:* ##### PackageName: packaging 
@@ -854,18 +854,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:* PackageName: python-gnupg SPDXID: SPDXRef-Package-56-python-gnupg -PackageVersion: 0.5.1 +PackageVersion: 0.5.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Vinay Sajip (vinay_sajip@yahoo.co.uk) -PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.1 +PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.2 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: BSD-3-Clause PackageLicenseComments: python-gnupg declares BSD which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A wrapper for the Gnu Privacy Guard (GPG or GnuPG) -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/python-gnupg@0.5.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/python-gnupg@0.5.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.2:*:*:*:*:*:*:* ##### PackageName: requests