From 6e26b58c0b995ca5ec433c88566ccfc2fabc0d62 Mon Sep 17 00:00:00 2001 From: GitHub Date: Mon, 15 Apr 2024 02:43:09 +0000 Subject: [PATCH] chore: update SBOM for Python 3.9 --- sbom/cve-bin-tool-py3.9.json | 50 ++++++++++++++++-------------------- sbom/cve-bin-tool-py3.9.spdx | 45 ++++++++++++++++---------------- 2 files changed, 44 insertions(+), 51 deletions(-) diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json index a5cdd1164d..e395a0c471 100644 --- a/sbom/cve-bin-tool-py3.9.json +++ b/sbom/cve-bin-tool-py3.9.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:f3b971fe-7324-4a25-872a-43efebe6bc9d", + "serialNumber": "urn:uuid:86bfebc8-cd04-4c9a-98d8-90930122e373", "version": 1, "metadata": { - "timestamp": "2024-04-08T00:27:26Z", + "timestamp": "2024-04-15T02:43:08Z", "tools": { "components": [ { @@ -26,7 +26,7 @@ "type": "application", "bom-ref": "1-cve-bin-tool", "name": "cve-bin-tool", - "version": "3.3rc2", + "version": "3.3", "supplier": { "name": "Terri Oda", "contact": [ @@ -35,12 +35,12 @@ } ] }, - "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.3rc2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.3:*:*:*:*:*:*:*", "description": "CVE Binary Checker Tool", "hashes": [ { "alg": "SHA-1", - "content": "c491590aeea36235930d1c6b8480d2489a470ece" + "content": "83e30ee0f640bce7a20d4346c85873d359c05d1f" } ], "licenses": [ @@ -53,12 +53,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cve-bin-tool/3.3rc2", + "url": "https://pypi.org/project/cve-bin-tool/3.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cve-bin-tool@3.3rc2", + "purl": "pkg:pypi/cve-bin-tool@3.3", "properties": [ { "name": "language", @@ -74,7 +74,7 @@ "type": "library", "bom-ref": "2-aiohttp", "name": "aiohttp", - "version": "3.9.3", + "version": "3.9.4", "description": "Async http client/server framework (asyncio)", "licenses": [ { @@ -86,12 +86,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/aiohttp/3.9.3", + "url": "https://pypi.org/project/aiohttp/3.9.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/aiohttp@3.9.3", + "purl": "pkg:pypi/aiohttp@3.9.4", "properties": [ { "name": "language", @@ -356,7 +356,7 @@ "type": "library", "bom-ref": "9-idna", "name": "idna", - "version": "3.6", + "version": "3.7", "supplier": { "name": "Kim Davies", "contact": [ @@ -365,16 +365,16 @@ } ] }, - "cpe": "cpe:2.3:a:kim_davies:idna:3.6:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:kim_davies:idna:3.7:*:*:*:*:*:*:*", "description": "Internationalized Domain Names in Applications (IDNA)", "externalReferences": [ { - "url": "https://pypi.org/project/idna/3.6", + "url": "https://pypi.org/project/idna/3.7", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/idna@3.6", + "purl": "pkg:pypi/idna@3.7", "properties": [ { "name": "language", @@ -472,7 +472,7 @@ "type": "library", "bom-ref": "12-cvss", "name": "cvss", - "version": "3.0", + "version": "3.1", "supplier": { "name": "Stanislav Red Hat Product Security", "contact": [ @@ -481,14 +481,8 @@ } ] }, - "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.1:*:*:*:*:*:*:*", "description": "CVSS2/3/4 library with interactive calculator for Python 2 and Python 3", - "hashes": [ - { - "alg": "SHA-1", - "content": "c637e63a16b7411c6135b5ae8bb5408d06d89b41" - } - ], "licenses": [ { "license": { @@ -499,12 +493,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cvss/3.0", + "url": "https://pypi.org/project/cvss/3.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cvss@3.0", + "purl": "pkg:pypi/cvss@3.1", "properties": [ { "name": "language", @@ -700,7 +694,7 @@ "type": "library", "bom-ref": "17-argcomplete", "name": "argcomplete", - "version": "3.2.3", + "version": "3.3.0", "supplier": { "name": "Andrey Kislyuk", "contact": [ @@ -709,7 +703,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.2.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.3.0:*:*:*:*:*:*:*", "description": "Bash tab completion for argparse", "licenses": [ { @@ -721,12 +715,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/argcomplete/3.2.3", + "url": "https://pypi.org/project/argcomplete/3.3.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/argcomplete@3.2.3", + "purl": "pkg:pypi/argcomplete@3.3.0", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx index 56e11cbf3e..5eb7ed5204 100644 --- a/sbom/cve-bin-tool-py3.9.spdx +++ b/sbom/cve-bin-tool-py3.9.spdx @@ -2,42 +2,42 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-179884b8-4d95-4ae4-9d55-d569d800b01a +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-07124c73-1f18-4124-ac1c-c53724579633 LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.10.4 -Created: 2024-04-08T00:26:09Z +Created: 2024-04-15T02:41:52Z CreatorComment: This document has been automatically generated. ##### PackageName: cve-bin-tool SPDXID: SPDXRef-Package-1-cve-bin-tool -PackageVersion: 3.3rc2 +PackageVersion: 3.3 PrimaryPackagePurpose: APPLICATION PackageSupplier: Person: Terri Oda (terri.oda@intel.com) -PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.3rc2 +PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.3 FilesAnalyzed: false -PackageChecksum: SHA1: c491590aeea36235930d1c6b8480d2489a470ece +PackageChecksum: SHA1: 83e30ee0f640bce7a20d4346c85873d359c05d1f PackageLicenseDeclared: GPL-3.0-or-later PackageLicenseConcluded: GPL-3.0-or-later PackageCopyrightText: NOASSERTION PackageSummary: CVE Binary Checker Tool -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.3rc2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.3rc2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.3:*:*:*:*:*:*:* ##### PackageName: aiohttp SPDXID: SPDXRef-Package-2-aiohttp -PackageVersion: 3.9.3 +PackageVersion: 3.9.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: NOASSERTION -PackageDownloadLocation: https://pypi.org/project/aiohttp/3.9.3 +PackageDownloadLocation: https://pypi.org/project/aiohttp/3.9.4 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Async http client/server framework (asyncio) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.9.3 +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.9.4 ##### PackageName: aiosignal @@ -137,17 +137,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*: PackageName: idna SPDXID: SPDXRef-Package-9-idna -PackageVersion: 3.6 +PackageVersion: 3.7 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kim Davies (kim+pypi@gumleaf.org) -PackageDownloadLocation: https://pypi.org/project/idna/3.6 +PackageDownloadLocation: https://pypi.org/project/idna/3.7 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Internationalized Domain Names in Applications (IDNA) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/idna@3.6 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:kim_davies:idna:3.6:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/idna@3.7 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:kim_davies:idna:3.7:*:*:*:*:*:*:* ##### PackageName: beautifulsoup4 @@ -184,19 +184,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:* PackageName: cvss SPDXID: SPDXRef-Package-12-cvss -PackageVersion: 3.0 +PackageVersion: 3.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Stanislav Red Hat Product Security (skontar@redhat.com) -PackageDownloadLocation: https://pypi.org/project/cvss/3.0 +PackageDownloadLocation: https://pypi.org/project/cvss/3.1 FilesAnalyzed: false -PackageChecksum: SHA1: c637e63a16b7411c6135b5ae8bb5408d06d89b41 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: LGPL-3.0-or-later PackageLicenseComments: cvss declares LGPLv3+ which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: CVSS2/3/4 library with interactive calculator for Python 2 and Python 3 -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.1:*:*:*:*:*:*:* ##### PackageName: defusedxml @@ -266,18 +265,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:* PackageName: argcomplete SPDXID: SPDXRef-Package-17-argcomplete -PackageVersion: 3.2.3 +PackageVersion: 3.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com) -PackageDownloadLocation: https://pypi.org/project/argcomplete/3.2.3 +PackageDownloadLocation: https://pypi.org/project/argcomplete/3.3.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Bash tab completion for argparse -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.2.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.2.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.3.0:*:*:*:*:*:*:* ##### PackageName: crcmod