From f748d794e1be2170e8ab7187da1bc56bb18227aa Mon Sep 17 00:00:00 2001
From: GitHub
Date: Mon, 12 Aug 2024 00:35:44 +0000
Subject: [PATCH] chore: update SBOM for Python 3.9

---
 sbom/cve-bin-tool-py3.9.json | 89 +++++++++++++++++-------------------
 sbom/cve-bin-tool-py3.9.spdx | 76 +++++++++++++++---------------
 2 files changed, 80 insertions(+), 85 deletions(-)

diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json
index 3e7be240f6..ec19f351c6 100644
--- a/sbom/cve-bin-tool-py3.9.json
+++ b/sbom/cve-bin-tool-py3.9.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
- "serialNumber": "urn:uuid:485924ac-6344-4b78-b66d-e84d13270170",
+ "serialNumber": "urn:uuid:87b9b11e-38e1-4e9a-8f7a-3548bf602f43",
 "version": 1,
 "metadata": {
- "timestamp": "2024-08-05T00:37:48Z",
+ "timestamp": "2024-08-12T00:35:43Z",
 "lifecycles": [
 {
 "phase": "build"
@@ -15,7 +15,7 @@
 "components": [
 {
 "name": "sbom4python",
- "version": "0.11.0",
+ "version": "0.11.1",
 "type": "application"
 }
 ]
@@ -74,7 +74,7 @@
 "type": "library",
 "bom-ref": "2-aiohttp",
 "name": "aiohttp",
- "version": "3.10.1",
+ "version": "3.10.3",
 "description": "Async http client/server framework (asyncio)",
 "licenses": [
 {
@@ -87,12 +87,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/aiohttp/3.10.1",
+ "url": "https://pypi.org/project/aiohttp/3.10.3",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/aiohttp@3.10.1",
+ "purl": "pkg:pypi/aiohttp@3.10.3",
 "properties": [
 {
 "name": "language",
@@ -108,7 +108,7 @@
 "type": "library",
 "bom-ref": "3-aiohappyeyeballs",
 "name": "aiohappyeyeballs",
- "version": "2.3.4",
+ "version": "2.3.5",
 "supplier": {
 "name": "J. Nick Koston",
 "contact": [
@@ -117,12 +117,18 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.4:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.5:*:*:*:*:*:*:*",
 "description": "Happy Eyeballs for asyncio",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "01595bbda3380154cc4e72702a1f82502a15940a"
+ }
+ ],
 "licenses": [
 {
 "license": {
- "id": "PSF-2.0",
+ "id": "Python-2.0",
 "url": "https://opensource.org/licenses/Python-2.0",
 "acknowledgement": "concluded"
 }
@@ -130,12 +136,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/aiohappyeyeballs/2.3.4",
+ "url": "https://pypi.org/project/aiohappyeyeballs/2.3.5",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/aiohappyeyeballs@2.3.4",
+ "purl": "pkg:pypi/aiohappyeyeballs@2.3.5",
 "properties": [
 {
 "name": "language",
@@ -273,7 +279,7 @@
 "type": "library",
 "bom-ref": "7-attrs",
 "name": "attrs",
- "version": "24.1.0",
+ "version": "24.2.0",
 "supplier": {
 "name": "Hynek Schlawack",
 "contact": [
@@ -282,16 +288,16 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:hynek_schlawack:attrs:24.1.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:hynek_schlawack:attrs:24.2.0:*:*:*:*:*:*:*",
 "description": "Classes Without Boilerplate",
 "externalReferences": [
 {
- "url": "https://pypi.org/project/attrs/24.1.0",
+ "url": "https://pypi.org/project/attrs/24.2.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/attrs@24.1.0",
+ "purl": "pkg:pypi/attrs@24.2.0",
 "properties": [
 {
 "name": "language",
@@ -761,7 +767,7 @@
 "type": "library",
 "bom-ref": "18-argcomplete",
 "name": "argcomplete",
- "version": "3.4.0",
+ "version": "3.5.0",
 "supplier": {
 "name": "Andrey Kislyuk",
 "contact": [
@@ -770,7 +776,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.4.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.5.0:*:*:*:*:*:*:*",
 "description": "Bash tab completion for argparse",
 "licenses": [
 {
@@ -783,12 +789,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/argcomplete/3.4.0",
+ "url": "https://pypi.org/project/argcomplete/3.5.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/argcomplete@3.4.0",
+ "purl": "pkg:pypi/argcomplete@3.5.0",
 "properties": [
 {
 "name": "language",
@@ -1625,7 +1631,7 @@
 "type": "library",
 "bom-ref": "37-cffi",
 "name": "cffi",
- "version": "1.16.0",
+ "version": "1.17.0",
 "supplier": {
 "name": "Armin Maciej Fijalkowski",
 "contact": [
@@ -1634,14 +1640,8 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.17.0:*:*:*:*:*:*:*",
 "description": "Foreign Function Interface for Python calling C code.",
- "hashes": [
- {
- "alg": "SHA-1",
- "content": "ba44abd69cf6f0f1cc90db34cd067275dc10fc71"
- }
- ],
 "licenses": [
 {
 "license": {
@@ -1653,12 +1653,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/cffi/1.16.0",
+ "url": "https://pypi.org/project/cffi/1.17.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/cffi@1.16.0",
+ "purl": "pkg:pypi/cffi@1.17.0",
 "properties": [
 {
 "name": "language",
@@ -1904,7 +1904,7 @@
 "type": "library",
 "bom-ref": "43-zipp",
 "name": "zipp",
- "version": "3.19.2",
+ "version": "3.20.0",
 "supplier": {
 "name": "Jason R .",
 "contact": [
@@ -1913,16 +1913,16 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:jason_r.:zipp:3.19.2:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:*",
 "description": "Backport of pathlib-compatible object wrapper for zip files",
 "externalReferences": [
 {
- "url": "https://pypi.org/project/zipp/3.19.2",
+ "url": "https://pypi.org/project/zipp/3.20.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/zipp@3.19.2",
+ "purl": "pkg:pypi/zipp@3.20.0",
 "properties": [
 {
 "name": "language",
@@ -2114,11 +2114,11 @@
 "type": "library",
 "bom-ref": "49-rpds-py",
 "name": "rpds-py",
- "version": "0.19.1",
+ "version": "0.20.0",
 "supplier": {
 "name": "Julian Berman"
 },
- "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.19.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*",
 "description": "Python bindings to Rust's persistent data structures (rpds)",
 "licenses": [
 {
@@ -2131,12 +2131,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/rpds-py/0.19.1",
+ "url": "https://pypi.org/project/rpds-py/0.20.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/rpds-py@0.19.1",
+ "purl": "pkg:pypi/rpds-py@0.20.0",
 "properties": [
 {
 "name": "language",
@@ -2195,7 +2195,7 @@
 "type": "library",
 "bom-ref": "51-pyyaml",
 "name": "pyyaml",
- "version": "6.0.1",
+ "version": "6.0.2",
 "supplier": {
 "name": "Kirill Simonov",
 "contact": [
@@ -2204,14 +2204,8 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:kirill_simonov:pyyaml:6.0.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:kirill_simonov:pyyaml:6.0.2:*:*:*:*:*:*:*",
 "description": "YAML parser and emitter for Python",
- "hashes": [
- {
- "alg": "SHA-1",
- "content": "c42fa3bff1eabdb64763bb1526d9ea1ccb708479"
- }
- ],
 "licenses": [
 {
 "license": {
@@ -2223,12 +2217,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/pyyaml/6.0.1",
+ "url": "https://pypi.org/project/pyyaml/6.0.2",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/pyyaml@6.0.1",
+ "purl": "pkg:pypi/pyyaml@6.0.2",
 "properties": [
 {
 "name": "language",
@@ -3243,6 +3237,7 @@
 "70-toml",
 "67-urllib3",
 "71-xmlschema",
+ "43-zipp",
 "73-zstandard"
 ]
 },
diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx
index 8138cbeb24..cb22b85be5 100644
--- a/sbom/cve-bin-tool-py3.9.spdx
+++ b/sbom/cve-bin-tool-py3.9.spdx
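Review bot: The regenerated pyyaml entry at `-2204,14 +2204,8` removes the component's whole `hashes` block, and the cffi hunk earlier in this file does the same, so the SBOM now records no integrity value for two native-extension packages while only the new aiohappyeyeballs entry gains a `SHA-1` hash. For a bill of materials used for vulnerability and provenance checks that is a silent regression: a consumer can no longer match the listed cffi 1.17.0 and pyyaml 6.0.2 against the artifacts actually installed. The cause is not visible here and may be how sbom4python 0.11.1 resolves the new wheels, but the automated update job should treat a component losing a previously recorded checksum as a failure rather than a routine refresh, and where the generator allows it, emit SHA-256 alongside or instead of SHA-1, which is not collision-resistant. The dependency list at `-3243,6 +3237,7` also newly adds `"43-zipp"` as a direct dependency of cve-bin-tool; worth confirming that reflects a real requirements change and not generator drift.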
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-c409e3d9-98e9-45ef-999b-5e3bf95aa4fb
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-c56f8b9e-ce44-4bbc-a7ef-768580484fd7
 LicenseListVersion: 3.22
-Creator: Tool: sbom4python-0.11.0
-Created: 2024-08-05T00:36:32Z
+Creator: Tool: sbom4python-0.11.1
+Created: 2024-08-12T00:34:16Z
 CreatorComment: This document has been automatically generated.
 #####
@@ -26,32 +26,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.3.1.dev0:*:*:
 PackageName: aiohttp
 SPDXID: SPDXRef-Package-2-aiohttp
-PackageVersion: 3.10.1
+PackageVersion: 3.10.3
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.10.1
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.10.3
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Async http client/server framework (asyncio)
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.10.1
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.10.3
 #####
 PackageName: aiohappyeyeballs
 SPDXID: SPDXRef-Package-3-aiohappyeyeballs
-PackageVersion: 2.3.4
+PackageVersion: 2.3.5
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: J. Nick Koston (nick@koston.org)
-PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.3.4
+PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.3.5
 FilesAnalyzed: false
-PackageLicenseDeclared: PSF-2.0
-PackageLicenseConcluded: PSF-2.0
+PackageChecksum: SHA1: 01595bbda3380154cc4e72702a1f82502a15940a
+PackageLicenseDeclared: Python-2.0
+PackageLicenseConcluded: Python-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: Happy Eyeballs for asyncio
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohappyeyeballs@2.3.4
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.4:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohappyeyeballs@2.3.5
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.5:*:*:*:*:*:*:*
 #####
 PackageName: aiosignal
@@ -103,17 +104,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*
 PackageName: attrs
 SPDXID: SPDXRef-Package-7-attrs
-PackageVersion: 24.1.0
+PackageVersion: 24.2.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Hynek Schlawack (hs@ox.cx)
-PackageDownloadLocation: https://pypi.org/project/attrs/24.1.0
+PackageDownloadLocation: https://pypi.org/project/attrs/24.2.0
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Classes Without Boilerplate
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/attrs@24.1.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:24.1.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/attrs@24.2.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:24.2.0:*:*:*:*:*:*:*
 #####
 PackageName: multidict
@@ -281,18 +282,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.30:*:*:*:*:*:*:*
 PackageName: argcomplete
 SPDXID: SPDXRef-Package-18-argcomplete
-PackageVersion: 3.4.0
+PackageVersion: 3.5.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/argcomplete/3.4.0
+PackageDownloadLocation: https://pypi.org/project/argcomplete/3.5.0
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Bash tab completion for argparse
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.4.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.4.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.5.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.5.0:*:*:*:*:*:*:*
 #####
 PackageName: crcmod
@@ -586,18 +587,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_cryptography_developers_the_python
 PackageName: cffi
 SPDXID: SPDXRef-Package-37-cffi
-PackageVersion: 1.16.0
+PackageVersion: 1.17.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Armin Maciej Fijalkowski (python-cffi@googlegroups.com)
-PackageDownloadLocation: https://pypi.org/project/cffi/1.16.0
+PackageDownloadLocation: https://pypi.org/project/cffi/1.17.0
 FilesAnalyzed: false
-PackageChecksum: SHA1: ba44abd69cf6f0f1cc90db34cd067275dc10fc71
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: Foreign Function Interface for Python calling C code.
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cffi@1.16.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cffi@1.17.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.17.0:*:*:*:*:*:*:*
 #####
 PackageName: pycparser
@@ -683,17 +683,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:importlib-metadata:8.2.0:*:*:
 PackageName: zipp
 SPDXID: SPDXRef-Package-43-zipp
-PackageVersion: 3.19.2
+PackageVersion: 3.20.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Jason R. (jaraco@jaraco.com)
-PackageDownloadLocation: https://pypi.org/project/zipp/3.19.2
+PackageDownloadLocation: https://pypi.org/project/zipp/3.20.0
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Backport of pathlib-compatible object wrapper for zip files
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.19.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.19.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:*
 #####
 PackageName: jinja2
@@ -773,17 +773,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:*
 PackageName: rpds-py
 SPDXID: SPDXRef-Package-49-rpds-py
-PackageVersion: 0.19.1
+PackageVersion: 0.20.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.19.1
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.0
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: Python bindings to Rust's persistent data structures (rpds)
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.19.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.19.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*
 #####
 PackageName: lib4sbom
@@ -803,18 +803,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.2:*:*:*:
 PackageName: pyyaml
 SPDXID: SPDXRef-Package-51-pyyaml
-PackageVersion: 6.0.1
+PackageVersion: 6.0.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Kirill Simonov (xi@resolvent.net)
-PackageDownloadLocation: https://pypi.org/project/pyyaml/6.0.1
+PackageDownloadLocation: https://pypi.org/project/pyyaml/6.0.2
 FilesAnalyzed: false
-PackageChecksum: SHA1: c42fa3bff1eabdb64763bb1526d9ea1ccb708479
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: YAML parser and emitter for Python
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyyaml@6.0.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyyaml@6.0.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.2:*:*:*:*:*:*:*
 #####
 PackageName: semantic-version
@@ -1172,6 +1171,7 @@ Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-16-filet
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-17-gsutil
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-2-aiohttp
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-42-importlib-metadata
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-43-zipp
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-44-jinja2
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-46-jsonschema
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-50-lib4sbom