chore: update SBOM for Python 3.9 (#4026)

github-actions[bot] · web-flow · web-flow · commit 34eb206a2059 · 2024-04-15T11:02:36.000-07:00
Co-authored-by: GitHub &lt;noreply@github.com&gt;
diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:f3b971fe-7324-4a25-872a-43efebe6bc9d",
+  "serialNumber": "urn:uuid:86bfebc8-cd04-4c9a-98d8-90930122e373",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-04-08T00:27:26Z",
+    "timestamp": "2024-04-15T02:43:08Z",
     "tools": {
       "components": [
         {
@@ -26,7 +26,7 @@
       "type": "application",
       "bom-ref": "1-cve-bin-tool",
       "name": "cve-bin-tool",
-      "version": "3.3rc2",
+      "version": "3.3",
       "supplier": {
         "name": "Terri Oda",
         "contact": [
@@ -35,12 +35,12 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.3rc2:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.3:*:*:*:*:*:*:*",
       "description": "CVE Binary Checker Tool",
       "hashes": [
         {
           "alg": "SHA-1",
-          "content": "c491590aeea36235930d1c6b8480d2489a470ece"
+          "content": "83e30ee0f640bce7a20d4346c85873d359c05d1f"
         }
       ],
       "licenses": [
@@ -53,12 +53,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/cve-bin-tool/3.3rc2",
+          "url": "https://pypi.org/project/cve-bin-tool/3.3",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/cve-bin-tool@3.3rc2",
+      "purl": "pkg:pypi/cve-bin-tool@3.3",
       "properties": [
         {
           "name": "language",
@@ -74,7 +74,7 @@
       "type": "library",
       "bom-ref": "2-aiohttp",
       "name": "aiohttp",
-      "version": "3.9.3",
+      "version": "3.9.4",
       "description": "Async http client/server framework (asyncio)",
       "licenses": [
         {
@@ -86,12 +86,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/aiohttp/3.9.3",
+          "url": "https://pypi.org/project/aiohttp/3.9.4",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/aiohttp@3.9.3",
+      "purl": "pkg:pypi/aiohttp@3.9.4",
       "properties": [
         {
           "name": "language",
@@ -356,7 +356,7 @@
       "type": "library",
       "bom-ref": "9-idna",
       "name": "idna",
-      "version": "3.6",
+      "version": "3.7",
       "supplier": {
         "name": "Kim Davies",
         "contact": [
@@ -365,16 +365,16 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:kim_davies:idna:3.6:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:kim_davies:idna:3.7:*:*:*:*:*:*:*",
       "description": "Internationalized Domain Names in Applications (IDNA)",
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/idna/3.6",
+          "url": "https://pypi.org/project/idna/3.7",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/idna@3.6",
+      "purl": "pkg:pypi/idna@3.7",
       "properties": [
         {
           "name": "language",
@@ -472,7 +472,7 @@
       "type": "library",
       "bom-ref": "12-cvss",
       "name": "cvss",
-      "version": "3.0",
+      "version": "3.1",
       "supplier": {
         "name": "Stanislav Red Hat Product Security",
         "contact": [
@@ -481,14 +481,8 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.1:*:*:*:*:*:*:*",
       "description": "CVSS2/3/4 library with interactive calculator for Python 2 and Python 3",
-      "hashes": [
-        {
-          "alg": "SHA-1",
-          "content": "c637e63a16b7411c6135b5ae8bb5408d06d89b41"
-        }
-      ],
       "licenses": [
         {
           "license": {
@@ -499,12 +493,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/cvss/3.0",
+          "url": "https://pypi.org/project/cvss/3.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/cvss@3.0",
+      "purl": "pkg:pypi/cvss@3.1",
       "properties": [
         {
           "name": "language",
@@ -700,7 +694,7 @@
       "type": "library",
       "bom-ref": "17-argcomplete",
       "name": "argcomplete",
-      "version": "3.2.3",
+      "version": "3.3.0",
       "supplier": {
         "name": "Andrey Kislyuk",
         "contact": [
@@ -709,7 +703,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.2.3:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.3.0:*:*:*:*:*:*:*",
       "description": "Bash tab completion for argparse",
       "licenses": [
         {
@@ -721,12 +715,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/argcomplete/3.2.3",
+          "url": "https://pypi.org/project/argcomplete/3.3.0",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/argcomplete@3.2.3",
+      "purl": "pkg:pypi/argcomplete@3.3.0",
       "properties": [
         {
           "name": "language",
diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx
@@ -2,42 +2,42 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-179884b8-4d95-4ae4-9d55-d569d800b01a
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-07124c73-1f18-4124-ac1c-c53724579633
 LicenseListVersion: 3.22
 Creator: Tool: sbom4python-0.10.4
-Created: 2024-04-08T00:26:09Z
+Created: 2024-04-15T02:41:52Z
 CreatorComment: <text>This document has been automatically generated.</text>
 ##### 
 
 PackageName: cve-bin-tool
 SPDXID: SPDXRef-Package-1-cve-bin-tool
-PackageVersion: 3.3rc2
+PackageVersion: 3.3
 PrimaryPackagePurpose: APPLICATION
 PackageSupplier: Person: Terri Oda (terri.oda@intel.com)
-PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.3rc2
+PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.3
 FilesAnalyzed: false
-PackageChecksum: SHA1: c491590aeea36235930d1c6b8480d2489a470ece
+PackageChecksum: SHA1: 83e30ee0f640bce7a20d4346c85873d359c05d1f
 PackageLicenseDeclared: GPL-3.0-or-later
 PackageLicenseConcluded: GPL-3.0-or-later
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>CVE Binary Checker Tool</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.3rc2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.3rc2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.3
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.3:*:*:*:*:*:*:*
 ##### 
 
 PackageName: aiohttp
 SPDXID: SPDXRef-Package-2-aiohttp
-PackageVersion: 3.9.3
+PackageVersion: 3.9.4
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.9.3
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.9.4
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Async http client/server framework (asyncio)</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.9.3
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.9.4
 ##### 
 
 PackageName: aiosignal
@@ -137,17 +137,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:
 
 PackageName: idna
 SPDXID: SPDXRef-Package-9-idna
-PackageVersion: 3.6
+PackageVersion: 3.7
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Kim Davies (kim+pypi@gumleaf.org)
-PackageDownloadLocation: https://pypi.org/project/idna/3.6
+PackageDownloadLocation: https://pypi.org/project/idna/3.7
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Internationalized Domain Names in Applications (IDNA)</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/idna@3.6
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:kim_davies:idna:3.6:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/idna@3.7
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:kim_davies:idna:3.7:*:*:*:*:*:*:*
 ##### 
 
 PackageName: beautifulsoup4
@@ -184,19 +184,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:*
 
 PackageName: cvss
 SPDXID: SPDXRef-Package-12-cvss
-PackageVersion: 3.0
+PackageVersion: 3.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Stanislav Red Hat Product Security (skontar@redhat.com)
-PackageDownloadLocation: https://pypi.org/project/cvss/3.0
+PackageDownloadLocation: https://pypi.org/project/cvss/3.1
 FilesAnalyzed: false
-PackageChecksum: SHA1: c637e63a16b7411c6135b5ae8bb5408d06d89b41
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: LGPL-3.0-or-later
 PackageLicenseComments: <text>cvss declares LGPLv3+ which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>CVSS2/3/4 library with interactive calculator for Python 2 and Python 3</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: defusedxml
@@ -266,18 +265,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*
 
 PackageName: argcomplete
 SPDXID: SPDXRef-Package-17-argcomplete
-PackageVersion: 3.2.3
+PackageVersion: 3.3.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/argcomplete/3.2.3
+PackageDownloadLocation: https://pypi.org/project/argcomplete/3.3.0
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Bash tab completion for argparse</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.2.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.2.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.3.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.3.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: crcmod
