From 04b6633f9c7b3e19c16e360dcc7ef2f834fae61e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 26 Aug 2024 12:34:38 -0700
Subject: [PATCH] chore: update SBOM for Python 3.9 (#4388)
Co-authored-by: GitHub
---
 sbom/cve-bin-tool-py3.9.json | 94 ++++++++++++++++++++----------------
 sbom/cve-bin-tool-py3.9.spdx | 64 ++++++++++++------------
 2 files changed, 86 insertions(+), 72 deletions(-)
diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json
index c295bc881e..d37e15b7ac 100644
--- a/sbom/cve-bin-tool-py3.9.json
+++ b/sbom/cve-bin-tool-py3.9.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
- "serialNumber": "urn:uuid:a7c4e360-1ac7-4f5a-b5f9-e86512a3016c",
+ "serialNumber": "urn:uuid:d9b39d3b-6c3f-40c2-92f5-0cb2db8e77c6",
 "version": 1,
 "metadata": {
- "timestamp": "2024-08-19T00:37:24Z",
+ "timestamp": "2024-08-26T00:36:59Z",
 "lifecycles": [
 {
 "phase": "build"
@@ -31,7 +31,7 @@
 "type": "application",
 "bom-ref": "1-cve-bin-tool",
 "name": "cve-bin-tool",
- "version": "3.3.1.dev0",
+ "version": "3.4rc0",
 "supplier": {
 "name": "Terri Oda",
 "contact": [
@@ -40,7 +40,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.3.1.dev0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:*",
 "description": "CVE Binary Checker Tool",
 "licenses": [
 {
@@ -53,12 +53,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/cve-bin-tool/3.3.1.dev0",
+ "url": "https://pypi.org/project/cve-bin-tool/3.4rc0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/cve-bin-tool@3.3.1.dev0",
+ "purl": "pkg:pypi/cve-bin-tool@3.4rc0",
 "properties": [
 {
 "name": "language",
@@ -74,7 +74,7 @@
 "type": "library",
 "bom-ref": "2-aiohttp",
 "name": "aiohttp",
- "version": "3.10.4",
+ "version": "3.10.5",
 "description": "Async http client/server framework (asyncio)",
 "licenses": [
 {
@@ -87,12 +87,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/aiohttp/3.10.4",
+ "url": "https://pypi.org/project/aiohttp/3.10.5",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/aiohttp@3.10.4",
+ "purl": "pkg:pypi/aiohttp@3.10.5",
 "properties": [
 {
 "name": "language",
@@ -108,7 +108,7 @@
 "type": "library",
 "bom-ref": "3-aiohappyeyeballs",
 "name": "aiohappyeyeballs",
- "version": "2.3.7",
+ "version": "2.4.0",
 "supplier": {
 "name": "J. Nick Koston",
 "contact": [
@@ -117,7 +117,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.7:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.0:*:*:*:*:*:*:*",
 "description": "Happy Eyeballs for asyncio",
 "licenses": [
 {
@@ -130,12 +130,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/aiohappyeyeballs/2.3.7",
+ "url": "https://pypi.org/project/aiohappyeyeballs/2.4.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/aiohappyeyeballs@2.3.7",
+ "purl": "pkg:pypi/aiohappyeyeballs@2.4.0",
 "properties": [
 {
 "name": "language",
@@ -405,7 +405,7 @@
 "type": "library",
 "bom-ref": "10-idna",
 "name": "idna",
- "version": "3.7",
+ "version": "3.8",
 "supplier": {
 "name": "Kim Davies",
 "contact": [
@@ -414,22 +414,16 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:kim_davies:idna:3.7:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:kim_davies:idna:3.8:*:*:*:*:*:*:*",
 "description": "Internationalized Domain Names in Applications (IDNA)",
- "hashes": [
- {
- "alg": "SHA-1",
- "content": "1d365e17e10d72d0b7876316fc7b9ca0eebdd38d"
- }
- ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/idna/3.7",
+ "url": "https://pypi.org/project/idna/3.8",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/idna@3.7",
+ "purl": "pkg:pypi/idna@3.8",
 "properties": [
 {
 "name": "language",
@@ -896,6 +890,12 @@
 },
 "cpe": "cpe:2.3:a:google_inc.:gcs-oauth2-boto-plugin:3.2:*:*:*:*:*:*:*",
 "description": "Auth plugin allowing use the use of OAuth 2.0 credentials for Google Cloud Storage in the Boto library.",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "7dfa0149811e5617fe1428f692a18ab8b8c31ddb"
+ }
+ ],
 "licenses": [
 {
 "license": {
@@ -1350,7 +1350,7 @@
 "type": "library",
 "bom-ref": "31-pyparsing",
 "name": "pyparsing",
- "version": "3.1.2",
+ "version": "3.1.4",
 "supplier": {
 "name": "Paul McGuire",
 "contact": [
@@ -1359,22 +1359,16 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:paul_mcguire:pyparsing:3.1.2:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:paul_mcguire:pyparsing:3.1.4:*:*:*:*:*:*:*",
 "description": "pyparsing module - Classes and methods to define and execute parsing grammars",
- "hashes": [
- {
- "alg": "SHA-1",
- "content": "7d4bda2743ebc04f68d2594bc4fffc70cd65848f"
- }
- ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/pyparsing/3.1.2",
+ "url": "https://pypi.org/project/pyparsing/3.1.4",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/pyparsing@3.1.2",
+ "purl": "pkg:pypi/pyparsing@3.1.4",
 "properties": [
 {
 "name": "language",
@@ -1858,7 +1852,7 @@
 "type": "library",
 "bom-ref": "42-importlib-metadata",
 "name": "importlib-metadata",
- "version": "8.2.0",
+ "version": "8.4.0",
 "supplier": {
 "name": "Jason R .",
 "contact": [
@@ -1867,16 +1861,16 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:jason_r.:importlib-metadata:8.2.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:jason_r.:importlib-metadata:8.4.0:*:*:*:*:*:*:*",
 "description": "Read metadata from Python packages",
 "externalReferences": [
 {
- "url": "https://pypi.org/project/importlib-metadata/8.2.0",
+ "url": "https://pypi.org/project/importlib-metadata/8.4.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/importlib-metadata@8.2.0",
+ "purl": "pkg:pypi/importlib-metadata@8.4.0",
 "properties": [
 {
 "name": "language",
@@ -1928,6 +1922,12 @@
 "name": "jinja2",
 "version": "3.1.4",
 "description": "A very fast and expressive template engine.",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "dd4a8b5466d8790540c181590b14db4d4d889d57"
+ }
+ ],
 "externalReferences": [
 {
 "url": "https://pypi.org/project/jinja2/3.1.4",
@@ -2677,6 +2677,12 @@
 },
 "cpe": "cpe:2.3:a:julien_danjou:tenacity:9.0.0:*:*:*:*:*:*:*",
 "description": "Retry code until it succeeds",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "a662bbb487cd6d34541824589f8e8c7a1f7791bb"
+ }
+ ],
 "licenses": [
 {
 "license": {
@@ -2982,7 +2988,7 @@
 "type": "library",
 "bom-ref": "69-setuptools",
 "name": "setuptools",
- "version": "72.2.0",
+ "version": "73.0.1",
 "supplier": {
 "name": "Python Packaging Authority",
 "contact": [
@@ -2991,16 +2997,16 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:72.2.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:*",
 "description": "Easily download, build, install, upgrade, and uninstall Python packages",
 "externalReferences": [
 {
- "url": "https://pypi.org/project/setuptools/72.2.0",
+ "url": "https://pypi.org/project/setuptools/73.0.1",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/setuptools@72.2.0",
+ "purl": "pkg:pypi/setuptools@73.0.1",
 "properties": [
 {
 "name": "language",
@@ -3076,6 +3082,12 @@
 },
 "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.3.2:*:*:*:*:*:*:*",
 "description": "An XML Schema validator and decoder",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "90a7233292cfe5d877110fe369869996a3a25928"
+ }
+ ],
 "licenses": [
 {
 "license": {
diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx
index 5239300fcf..00399c3f56 100644
--- a/sbom/cve-bin-tool-py3.9.spdx
+++ b/sbom/cve-bin-tool-py3.9.spdx
@@ -2,56 +2,56 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-b287583b-90ca-4401-89f8-84dbcce81a07
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-23d1e40d-edfc-4a3f-84f6-7d2a69613c5d
 LicenseListVersion: 3.22
 Creator: Tool: sbom4python-0.11.1
-Created: 2024-08-19T00:36:00Z
+Created: 2024-08-26T00:35:43Z
 CreatorComment: This document has been automatically generated.
 #####
 PackageName: cve-bin-tool
 SPDXID: SPDXRef-Package-1-cve-bin-tool
-PackageVersion: 3.3.1.dev0
+PackageVersion: 3.4rc0
 PrimaryPackagePurpose: APPLICATION
 PackageSupplier: Person: Terri Oda (terri.oda@intel.com)
-PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.3.1.dev0
+PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc0
 FilesAnalyzed: false
 PackageLicenseDeclared: GPL-3.0-or-later
 PackageLicenseConcluded: GPL-3.0-or-later
 PackageCopyrightText: NOASSERTION
 PackageSummary: CVE Binary Checker Tool
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.3.1.dev0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.3.1.dev0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:*
 #####
 PackageName: aiohttp
 SPDXID: SPDXRef-Package-2-aiohttp
-PackageVersion: 3.10.4
+PackageVersion: 3.10.5
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.10.4
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.10.5
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
 PackageSummary: Async http client/server framework (asyncio)
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.10.4
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.10.5
 #####
 PackageName: aiohappyeyeballs
 SPDXID: SPDXRef-Package-3-aiohappyeyeballs
-PackageVersion: 2.3.7
+PackageVersion: 2.4.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: J. Nick Koston (nick@koston.org)
-PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.3.7
+PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.4.0
 FilesAnalyzed: false
 PackageLicenseDeclared: Python-2.0.1
 PackageLicenseConcluded: Python-2.0.1
 PackageCopyrightText: NOASSERTION
 PackageSummary: Happy Eyeballs for asyncio
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohappyeyeballs@2.3.7
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.7:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohappyeyeballs@2.4.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.0:*:*:*:*:*:*:*
 #####
 PackageName: aiosignal
@@ -151,18 +151,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:
 PackageName: idna
 SPDXID: SPDXRef-Package-10-idna
-PackageVersion: 3.7
+PackageVersion: 3.8
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Kim Davies (kim+pypi@gumleaf.org)
-PackageDownloadLocation: https://pypi.org/project/idna/3.7
+PackageDownloadLocation: https://pypi.org/project/idna/3.8
 FilesAnalyzed: false
-PackageChecksum: SHA1: 1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Internationalized Domain Names in Applications (IDNA)
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/idna@3.7
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:kim_davies:idna:3.7:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/idna@3.8
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:kim_davies:idna:3.8:*:*:*:*:*:*:*
 #####
 PackageName: beautifulsoup4
@@ -332,6 +331,7 @@ PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Google Inc. (gs-team@google.com)
 PackageDownloadLocation: https://pypi.org/project/gcs-oauth2-boto-plugin/3.2
 FilesAnalyzed: false
+PackageChecksum: SHA1: 7dfa0149811e5617fe1428f692a18ab8b8c31ddb
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: gcs-oauth2-boto-plugin declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
@@ -487,18 +487,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:joe_gregorio:httplib2:0.20.4:*:*:*:*:*
 PackageName: pyparsing
 SPDXID: SPDXRef-Package-31-pyparsing
-PackageVersion: 3.1.2
+PackageVersion: 3.1.4
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Paul McGuire (ptmcg.gm+pyparsing@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/pyparsing/3.1.2
+PackageDownloadLocation: https://pypi.org/project/pyparsing/3.1.4
 FilesAnalyzed: false
-PackageChecksum: SHA1: 7d4bda2743ebc04f68d2594bc4fffc70cd65848f
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: pyparsing module - Classes and methods to define and execute parsing grammars
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyparsing@3.1.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:paul_mcguire:pyparsing:3.1.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyparsing@3.1.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:paul_mcguire:pyparsing:3.1.4:*:*:*:*:*:*:*
 #####
 PackageName: google-reauth
@@ -666,17 +665,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ori_livneh:monotonic:1.6:*:*:*:*:*:*:*
 PackageName: importlib-metadata
 SPDXID: SPDXRef-Package-42-importlib-metadata
-PackageVersion: 8.2.0
+PackageVersion: 8.4.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Jason R. (jaraco@jaraco.com)
-PackageDownloadLocation: https://pypi.org/project/importlib-metadata/8.2.0
+PackageDownloadLocation: https://pypi.org/project/importlib-metadata/8.4.0
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Read metadata from Python packages
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/importlib-metadata@8.2.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:importlib-metadata:8.2.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/importlib-metadata@8.4.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:importlib-metadata:8.4.0:*:*:*:*:*:*:*
 #####
 PackageName: zipp
@@ -701,6 +700,7 @@ PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/jinja2/3.1.4
 FilesAnalyzed: false
+PackageChecksum: SHA1: dd4a8b5466d8790540c181590b14db4d4d889d57
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
@@ -979,6 +979,7 @@ PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julien Danjou (julien@danjou.info)
 PackageDownloadLocation: https://pypi.org/project/tenacity/9.0.0
 FilesAnalyzed: false
+PackageChecksum: SHA1: a662bbb487cd6d34541824589f8e8c7a1f7791bb
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: tenacity declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
@@ -1085,17 +1086,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:*
 PackageName: setuptools
 SPDXID: SPDXRef-Package-69-setuptools
-PackageVersion: 72.2.0
+PackageVersion: 73.0.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org)
-PackageDownloadLocation: https://pypi.org/project/setuptools/72.2.0
+PackageDownloadLocation: https://pypi.org/project/setuptools/73.0.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@72.2.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:72.2.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@73.0.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:*
 #####
 PackageName: toml
@@ -1121,6 +1122,7 @@ PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Davide Brunato (brunato@sissa.it)
 PackageDownloadLocation: https://pypi.org/project/xmlschema/3.3.2
 FilesAnalyzed: false
+PackageChecksum: SHA1: 90a7233292cfe5d877110fe369869996a3a25928
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION