chore: update SBOM for Python 3.10 (#3621)

github-actions[bot] · web-flow · web-flow · commit d68cee304f19 · 2023-12-18T12:00:10.000-08:00
Co-authored-by: GitHub &lt;noreply@github.com&gt;
diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:9d4b0c1e-1f41-466b-9562-6dfb28a23baa",
+  "serialNumber": "urn:uuid:71cf7a87-d95b-45ce-9395-edd4cf653670",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-12-11T00:27:30Z",
+    "timestamp": "2023-12-18T00:27:17Z",
     "tools": {
       "components": [
         {
@@ -65,10 +65,6 @@
       "bom-ref": "2-aiohttp",
       "name": "aiohttp",
       "version": "3.9.1",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:aiohttp:3.9.1",
       "description": "Async http client/server framework (asyncio)",
       "licenses": [
         {
@@ -102,10 +98,6 @@
       "bom-ref": "3-aiosignal",
       "name": "aiosignal",
       "version": "1.3.1",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1",
       "licenses": [
         {
           "license": {
@@ -137,11 +129,7 @@
       "type": "library",
       "bom-ref": "4-frozenlist",
       "name": "frozenlist",
-      "version": "1.4.0",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0",
+      "version": "1.4.1",
       "description": "A list-like structure which implements collections.abc.MutableSequence",
       "licenses": [
         {
@@ -153,12 +141,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/frozenlist/1.4.0",
+          "url": "https://pypi.org/project/frozenlist/1.4.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/frozenlist@1.4.0",
+      "purl": "pkg:pypi/frozenlist@1.4.1",
       "properties": [
         {
           "name": "language",
@@ -1529,10 +1517,6 @@
       "bom-ref": "40-markupsafe",
       "name": "markupsafe",
       "version": "2.1.3",
-      "supplier": {
-        "name": "NOASSERTION"
-      },
-      "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3",
       "description": "Safely add untrusted strings to HTML/XML markup.",
       "licenses": [
         {
@@ -1660,11 +1644,11 @@
       "type": "library",
       "bom-ref": "44-rpds-py",
       "name": "rpds-py",
-      "version": "0.13.2",
+      "version": "0.15.2",
       "supplier": {
         "name": "Julian Berman"
       },
-      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.13.2:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.15.2:*:*:*:*:*:*:*",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "licenses": [
         {
@@ -1676,12 +1660,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/rpds-py/0.13.2",
+          "url": "https://pypi.org/project/rpds-py/0.15.2",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/rpds-py@0.13.2",
+      "purl": "pkg:pypi/rpds-py@0.15.2",
       "properties": [
         {
           "name": "language",
@@ -1693,7 +1677,7 @@
       "type": "library",
       "bom-ref": "45-lib4sbom",
       "name": "lib4sbom",
-      "version": "0.5.3",
+      "version": "0.5.4",
       "supplier": {
         "name": "Anthony Harrison",
         "contact": [
@@ -1702,7 +1686,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.3:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.4:*:*:*:*:*:*:*",
       "description": "Software Bill of Material (SBOM) generator and consumer library",
       "licenses": [
         {
@@ -1714,12 +1698,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/lib4sbom/0.5.3",
+          "url": "https://pypi.org/project/lib4sbom/0.5.4",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/lib4sbom@0.5.3",
+      "purl": "pkg:pypi/lib4sbom@0.5.4",
       "properties": [
         {
           "name": "language",
@@ -1811,11 +1795,11 @@
       "type": "library",
       "bom-ref": "48-packageurl-python",
       "name": "packageurl-python",
-      "version": "0.12.0",
+      "version": "0.13.1",
       "supplier": {
         "name": "the purl authors"
       },
-      "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.12.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.13.1:*:*:*:*:*:*:*",
       "description": "A purl aka. Package URL parser and builder",
       "licenses": [
         {
@@ -1827,12 +1811,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/packageurl-python/0.12.0",
+          "url": "https://pypi.org/project/packageurl-python/0.13.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/packageurl-python@0.12.0",
+      "purl": "pkg:pypi/packageurl-python@0.13.1",
       "properties": [
         {
           "name": "language",
@@ -1954,7 +1938,7 @@
       "type": "library",
       "bom-ref": "52-python-gnupg",
       "name": "python-gnupg",
-      "version": "0.5.1",
+      "version": "0.5.2",
       "supplier": {
         "name": "Vinay Sajip",
         "contact": [
@@ -1963,7 +1947,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.2:*:*:*:*:*:*:*",
       "description": "A wrapper for the Gnu Privacy Guard (GPG or GnuPG)",
       "licenses": [
         {
@@ -1975,12 +1959,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/python-gnupg/0.5.1",
+          "url": "https://pypi.org/project/python-gnupg/0.5.2",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/python-gnupg@0.5.1",
+      "purl": "pkg:pypi/python-gnupg@0.5.2",
       "properties": [
         {
           "name": "language",
diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-4992f648-3aa3-4c7e-9862-6074ba2c3ba2
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-87588567-0852-4721-937b-f64990b706a8
 LicenseListVersion: 3.22
 Creator: Tool: sbom4python-0.10.1
-Created: 2023-12-11T00:26:28Z
+Created: 2023-12-18T00:26:14Z
 CreatorComment: <text>This document has been automatically generated.</text>
 ##### 
 
@@ -28,7 +28,7 @@ PackageName: aiohttp
 SPDXID: SPDXRef-Package-2-aiohttp
 PackageVersion: 3.9.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/aiohttp/3.9.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
@@ -43,7 +43,7 @@ PackageName: aiosignal
 SPDXID: SPDXRef-Package-3-aiosignal
 PackageVersion: 1.3.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
@@ -55,17 +55,17 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiosignal@1.3.1
 
 PackageName: frozenlist
 SPDXID: SPDXRef-Package-4-frozenlist
-PackageVersion: 1.4.0
+PackageVersion: 1.4.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0
+PackageSupplier: NOASSERTION
+PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>frozenlist declares Apache 2 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A list-like structure which implements collections.abc.MutableSequence</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.0
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.1
 ##### 
 
 PackageName: async-timeout
@@ -615,7 +615,7 @@ PackageName: markupsafe
 SPDXID: SPDXRef-Package-40-markupsafe
 PackageVersion: 2.1.3
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Organization: NOASSERTION
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3
 FilesAnalyzed: false
 PackageLicenseDeclared: BSD-3-Clause
@@ -672,32 +672,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.32.0:*:*:*
 
 PackageName: rpds-py
 SPDXID: SPDXRef-Package-44-rpds-py
-PackageVersion: 0.13.2
+PackageVersion: 0.15.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.13.2
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.15.2
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Python bindings to Rust's persistent data structures (rpds)</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.13.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.13.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.15.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.15.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: lib4sbom
 SPDXID: SPDXRef-Package-45-lib4sbom
-PackageVersion: 0.5.3
+PackageVersion: 0.5.4
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.3
+PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.4
 FilesAnalyzed: false
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Software Bill of Material (SBOM) generator and consumer library</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.4:*:*:*:*:*:*:*
 ##### 
 
 PackageName: pyyaml
@@ -733,17 +733,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10.
 
 PackageName: packageurl-python
 SPDXID: SPDXRef-Package-48-packageurl-python
-PackageVersion: 0.12.0
+PackageVersion: 0.13.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: the purl authors
-PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.12.0
+PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.13.1
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A purl aka. Package URL parser and builder</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.12.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.12.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.13.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.13.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: packaging
@@ -794,18 +794,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*
 
 PackageName: python-gnupg
 SPDXID: SPDXRef-Package-52-python-gnupg
-PackageVersion: 0.5.1
+PackageVersion: 0.5.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Vinay Sajip (vinay_sajip@yahoo.co.uk)
-PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.1
+PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.2
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: BSD-3-Clause
 PackageLicenseComments: <text>python-gnupg declares BSD which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A wrapper for the Gnu Privacy Guard (GPG or GnuPG)</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/python-gnupg@0.5.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/python-gnupg@0.5.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: requests
