chore: update SBOM for Python 3.11 (#3620)

Co-authored-by: GitHub <noreply@github.com>
intel · Dec 18, 2023 · 6448570 · 6448570
1 parent d68cee3
commit 6448570
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 62 deletions.
diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:2611a013-0254-4305-85bc-2e7f1a844d1f",
+  "serialNumber": "urn:uuid:21a6ef81-b4b4-4251-b425-5565afe1f262",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-12-11T00:26:51Z",
+    "timestamp": "2023-12-18T00:27:06Z",
     "tools": {
       "components": [
         {
@@ -65,10 +65,6 @@
       "bom-ref": "2-aiohttp",
       "name": "aiohttp",
       "version": "3.9.1",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:aiohttp:3.9.1",
       "description": "Async http client/server framework (asyncio)",
       "licenses": [
         {
@@ -102,10 +98,6 @@
       "bom-ref": "3-aiosignal",
       "name": "aiosignal",
       "version": "1.3.1",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1",
       "licenses": [
         {
           "license": {
@@ -137,11 +129,7 @@
       "type": "library",
       "bom-ref": "4-frozenlist",
       "name": "frozenlist",
-      "version": "1.4.0",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0",
+      "version": "1.4.1",
       "description": "A list-like structure which implements collections.abc.MutableSequence",
       "licenses": [
         {
@@ -153,12 +141,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/frozenlist/1.4.0",
+          "url": "https://pypi.org/project/frozenlist/1.4.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/frozenlist@1.4.0",
+      "purl": "pkg:pypi/frozenlist@1.4.1",
       "properties": [
         {
           "name": "language",
@@ -1487,10 +1475,6 @@
       "bom-ref": "39-markupsafe",
       "name": "markupsafe",
       "version": "2.1.3",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3",
       "description": "Safely add untrusted strings to HTML/XML markup.",
       "licenses": [
         {
@@ -1618,11 +1602,11 @@
       "type": "library",
       "bom-ref": "43-rpds-py",
       "name": "rpds-py",
-      "version": "0.13.2",
+      "version": "0.15.2",
       "supplier": {
         "name": "Julian Berman"
       },
-      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.13.2:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.15.2:*:*:*:*:*:*:*",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "licenses": [
         {
@@ -1634,12 +1618,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/rpds-py/0.13.2",
+          "url": "https://pypi.org/project/rpds-py/0.15.2",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/rpds-py@0.13.2",
+      "purl": "pkg:pypi/rpds-py@0.15.2",
       "properties": [
         {
           "name": "language",
@@ -1651,7 +1635,7 @@
       "type": "library",
       "bom-ref": "44-lib4sbom",
       "name": "lib4sbom",
-      "version": "0.5.3",
+      "version": "0.5.4",
       "supplier": {
         "name": "Anthony Harrison",
         "contact": [
@@ -1660,7 +1644,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.3:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.4:*:*:*:*:*:*:*",
       "description": "Software Bill of Material (SBOM) generator and consumer library",
       "licenses": [
         {
@@ -1672,12 +1656,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/lib4sbom/0.5.3",
+          "url": "https://pypi.org/project/lib4sbom/0.5.4",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/lib4sbom@0.5.3",
+      "purl": "pkg:pypi/lib4sbom@0.5.4",
       "properties": [
         {
           "name": "language",
@@ -1769,11 +1753,11 @@
       "type": "library",
       "bom-ref": "47-packageurl-python",
       "name": "packageurl-python",
-      "version": "0.12.0",
+      "version": "0.13.1",
       "supplier": {
         "name": "the purl authors"
       },
-      "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.12.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.13.1:*:*:*:*:*:*:*",
       "description": "A purl aka. Package URL parser and builder",
       "licenses": [
         {
@@ -1785,12 +1769,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/packageurl-python/0.12.0",
+          "url": "https://pypi.org/project/packageurl-python/0.13.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/packageurl-python@0.12.0",
+      "purl": "pkg:pypi/packageurl-python@0.13.1",
       "properties": [
         {
           "name": "language",
@@ -1912,7 +1896,7 @@
       "type": "library",
       "bom-ref": "51-python-gnupg",
       "name": "python-gnupg",
-      "version": "0.5.1",
+      "version": "0.5.2",
       "supplier": {
         "name": "Vinay Sajip",
         "contact": [
@@ -1921,7 +1905,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.2:*:*:*:*:*:*:*",
       "description": "A wrapper for the Gnu Privacy Guard (GPG or GnuPG)",
       "licenses": [
         {
@@ -1933,12 +1917,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/python-gnupg/0.5.1",
+          "url": "https://pypi.org/project/python-gnupg/0.5.2",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/python-gnupg@0.5.1",
+      "purl": "pkg:pypi/python-gnupg@0.5.2",
       "properties": [
         {
           "name": "language",

diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-623585a8-860e-4dfc-9821-a22cb79b0092
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-249a49f6-eff8-43b3-9e6e-41e7ae634fcd
 LicenseListVersion: 3.22
 Creator: Tool: sbom4python-0.10.1
-Created: 2023-12-11T00:25:54Z
+Created: 2023-12-18T00:26:09Z
 CreatorComment: <text>This document has been automatically generated.</text>
 ##### 
 
@@ -28,7 +28,7 @@ PackageName: aiohttp
 SPDXID: SPDXRef-Package-2-aiohttp
 PackageVersion: 3.9.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/aiohttp/3.9.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
@@ -43,7 +43,7 @@ PackageName: aiosignal
 SPDXID: SPDXRef-Package-3-aiosignal
 PackageVersion: 1.3.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
@@ -55,17 +55,17 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiosignal@1.3.1
 
 PackageName: frozenlist
 SPDXID: SPDXRef-Package-4-frozenlist
-PackageVersion: 1.4.0
+PackageVersion: 1.4.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0
+PackageSupplier: NOASSERTION
+PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>frozenlist declares Apache 2 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A list-like structure which implements collections.abc.MutableSequence</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.0
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.1
 ##### 
 
 PackageName: attrs
@@ -599,7 +599,7 @@ PackageName: markupsafe
 SPDXID: SPDXRef-Package-39-markupsafe
 PackageVersion: 2.1.3
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3
 FilesAnalyzed: false
 PackageLicenseDeclared: BSD-3-Clause
@@ -656,32 +656,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.32.0:*:*:*
 
 PackageName: rpds-py
 SPDXID: SPDXRef-Package-43-rpds-py
-PackageVersion: 0.13.2
+PackageVersion: 0.15.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.13.2
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.15.2
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Python bindings to Rust's persistent data structures (rpds)</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.13.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.13.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.15.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.15.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: lib4sbom
 SPDXID: SPDXRef-Package-44-lib4sbom
-PackageVersion: 0.5.3
+PackageVersion: 0.5.4
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.3
+PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.4
 FilesAnalyzed: false
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Software Bill of Material (SBOM) generator and consumer library</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.4:*:*:*:*:*:*:*
 ##### 
 
 PackageName: pyyaml
@@ -717,17 +717,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10.
 
 PackageName: packageurl-python
 SPDXID: SPDXRef-Package-47-packageurl-python
-PackageVersion: 0.12.0
+PackageVersion: 0.13.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: the purl authors
-PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.12.0
+PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.13.1
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A purl aka. Package URL parser and builder</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.12.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.12.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.13.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.13.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: packaging
@@ -778,18 +778,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*
 
 PackageName: python-gnupg
 SPDXID: SPDXRef-Package-51-python-gnupg
-PackageVersion: 0.5.1
+PackageVersion: 0.5.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Vinay Sajip (vinay_sajip@yahoo.co.uk)
-PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.1
+PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.2
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: BSD-3-Clause
 PackageLicenseComments: <text>python-gnupg declares BSD which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A wrapper for the Gnu Privacy Guard (GPG or GnuPG)</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/python-gnupg@0.5.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/python-gnupg@0.5.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: requests