chore: update SBOM for Python 3.12 (#4583)

github-actions[bot] · web-flow · web-flow · commit e4b3fd39532a · 2024-11-26T20:21:33.000Z
Co-authored-by: GitHub &lt;noreply@github.com&gt;
diff --git a/sbom/cve-bin-tool-py3.12.json b/sbom/cve-bin-tool-py3.12.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:b68a2b85-9212-4889-b7b2-84f3edf441ff",
+  "serialNumber": "urn:uuid:a061e09a-b4f0-449a-bc41-098f3ead640a",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-11-18T00:38:25Z",
+    "timestamp": "2024-11-25T00:37:29Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -79,7 +79,7 @@
       "type": "library",
       "bom-ref": "2-aiohttp",
       "name": "aiohttp",
-      "version": "3.11.2",
+      "version": "3.11.7",
       "description": "Async http client/server framework (asyncio)",
       "licenses": [
         {
@@ -97,12 +97,12 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/aiohttp/3.11.2/#files",
+          "url": "https://pypi.org/project/aiohttp/3.11.7/#files",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/aiohttp@3.11.2",
+      "purl": "pkg:pypi/aiohttp@3.11.7",
       "properties": [
         {
           "name": "language",
@@ -111,6 +111,10 @@
         {
           "name": "python_version",
           "value": "3.12.7"
+        },
+        {
+          "name": "package_release_date",
+          "value": "2024-11-21T15:42:26.000Z"
         }
       ]
     },
@@ -375,6 +379,12 @@
       },
       "cpe": "cpe:2.3:a:andrew_svetlov:propcache:0.2.0:*:*:*:*:*:*:*",
       "description": "Accelerated property cache",
+      "hashes": [
+        {
+          "alg": "SHA-1",
+          "content": "f157b0a7b0b3a3c755764b9f03f4d90c43ee5cda"
+        }
+      ],
       "licenses": [
         {
           "license": {
@@ -416,7 +426,7 @@
       "type": "library",
       "bom-ref": "9-yarl",
       "name": "yarl",
-      "version": "1.17.2",
+      "version": "1.18.0",
       "supplier": {
         "name": "Andrew Svetlov",
         "contact": [
@@ -425,7 +435,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.17.2:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.18.0:*:*:*:*:*:*:*",
       "description": "Yet another URL library",
       "licenses": [
         {
@@ -443,12 +453,12 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/yarl/1.17.2/#files",
+          "url": "https://pypi.org/project/yarl/1.18.0/#files",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/yarl@1.17.2",
+      "purl": "pkg:pypi/yarl@1.18.0",
       "properties": [
         {
           "name": "language",
@@ -457,6 +467,10 @@
         {
           "name": "python_version",
           "value": "3.12.7"
+        },
+        {
+          "name": "package_release_date",
+          "value": "2024-11-21T15:02:50.000Z"
         }
       ]
     },
@@ -1938,6 +1952,10 @@
         {
           "name": "python_version",
           "value": "3.12.7"
+        },
+        {
+          "name": "package_release_date",
+          "value": "2024-09-04T20:43:30.000Z"
         }
       ]
     },
@@ -2705,6 +2723,10 @@
         {
           "name": "python_version",
           "value": "3.12.7"
+        },
+        {
+          "name": "package_release_date",
+          "value": "2024-06-12T20:10:06.000Z"
         }
       ]
     },
@@ -2718,6 +2740,12 @@
       },
       "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.16.0:*:*:*:*:*:*:*",
       "description": "A purl aka. Package URL parser and builder",
+      "hashes": [
+        {
+          "alg": "SHA-1",
+          "content": "9155d4173e4c1f29a345de86c280ab783c837882"
+        }
+      ],
       "licenses": [
         {
           "license": {
@@ -2748,6 +2776,10 @@
         {
           "name": "python_version",
           "value": "3.12.7"
+        },
+        {
+          "name": "package_release_date",
+          "value": "2024-10-22T05:51:23.000Z"
         }
       ]
     },
@@ -2980,6 +3012,12 @@
       },
       "cpe": "cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:*",
       "description": "Core utilities for Python packages",
+      "hashes": [
+        {
+          "alg": "SHA-1",
+          "content": "d8e3b31b734926ebbcaff654279f6855a73e052f"
+        }
+      ],
       "externalReferences": [
         {
           "url": "https://pypi.org/project/packaging/24.2/#files",
@@ -3439,7 +3477,7 @@
       "type": "library",
       "bom-ref": "67-setuptools",
       "name": "setuptools",
-      "version": "75.5.0",
+      "version": "75.6.0",
       "supplier": {
         "name": "Python Packaging Authority",
         "contact": [
@@ -3448,16 +3486,16 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.5.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.6.0:*:*:*:*:*:*:*",
       "description": "Easily download, build, install, upgrade, and uninstall Python packages",
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/setuptools/75.5.0/#files",
+          "url": "https://pypi.org/project/setuptools/75.6.0/#files",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/setuptools@75.5.0",
+      "purl": "pkg:pypi/setuptools@75.6.0",
       "properties": [
         {
           "name": "language",
@@ -3466,10 +3504,6 @@
         {
           "name": "python_version",
           "value": "3.12.7"
-        },
-        {
-          "name": "package_release_date",
-          "value": "2024-11-13T11:22:04.000Z"
         }
       ]
     },
@@ -3570,6 +3604,10 @@
         {
           "name": "python_version",
           "value": "3.12.7"
+        },
+        {
+          "name": "package_release_date",
+          "value": "2024-10-27T21:52:58.000Z"
         }
       ]
     },
diff --git a/sbom/cve-bin-tool-py3.12.spdx b/sbom/cve-bin-tool-py3.12.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-babbb628-7d9c-4a26-8587-854eedfee7d8
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-36045916-f900-49d4-8e22-5885aa0e310b
 LicenseListVersion: 3.22
 Creator: Tool: sbom4python-0.11.3
-Created: 2024-11-18T00:37:38Z
+Created: 2024-11-25T00:36:48Z
 CreatorComment: <text>This document has been automatically generated.</text>
 ##### 
 
@@ -27,18 +27,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4:*:*:*:*:*:*
 
 PackageName: aiohttp
 SPDXID: SPDXRef-2-aiohttp
-PackageVersion: 3.11.2
+PackageVersion: 3.11.7
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.11.2/#files
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.11.7/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/aiohttp
-PackageLicenseDeclared: NOASSERTION
+PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
-PackageLicenseComments: <text>aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Async http client/server framework (asyncio)</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.11.2
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.11.7
 ##### 
 
 PackageName: aiohappyeyeballs
@@ -132,6 +131,7 @@ PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
 PackageDownloadLocation: https://pypi.org/project/propcache/0.2.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/propcache
+PackageChecksum: SHA1: f157b0a7b0b3a3c755764b9f03f4d90c43ee5cda
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
@@ -142,18 +142,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:propcache:0.2.0:*:*:*:*
 
 PackageName: yarl
 SPDXID: SPDXRef-9-yarl
-PackageVersion: 1.17.2
+PackageVersion: 1.18.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/yarl/1.17.2/#files
+PackageDownloadLocation: https://pypi.org/project/yarl/1.18.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/yarl
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Yet another URL library</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.17.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.17.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.18.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.18.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: idna
@@ -893,6 +893,7 @@ PackageSupplier: Person: the purl authors
 PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.16.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/package-url/packageurl-python
+PackageChecksum: SHA1: 9155d4173e4c1f29a345de86c280ab783c837882
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
@@ -976,6 +977,7 @@ PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Donald Stufft (donald@stufft.io)
 PackageDownloadLocation: https://pypi.org/project/packaging/24.2/#files
 FilesAnalyzed: false
+PackageChecksum: SHA1: d8e3b31b734926ebbcaff654279f6855a73e052f
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
@@ -1120,17 +1122,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:*
 
 PackageName: setuptools
 SPDXID: SPDXRef-67-setuptools
-PackageVersion: 75.5.0
+PackageVersion: 75.6.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org)
-PackageDownloadLocation: https://pypi.org/project/setuptools/75.5.0/#files
+PackageDownloadLocation: https://pypi.org/project/setuptools/75.6.0/#files
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Easily download, build, install, upgrade, and uninstall Python packages</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.5.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.5.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.6.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.6.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: xmlschema

Original file line number	Diff line number	Diff line change
`@@ -2,10 +2,10 @@`
`2`	`2`	`"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",`
`3`	`3`	`"bomFormat": "CycloneDX",`
`4`	`4`	`"specVersion": "1.6",`
`5`		`- "serialNumber": "urn:uuid:b68a2b85-9212-4889-b7b2-84f3edf441ff",`
	`5`	`+ "serialNumber": "urn:uuid:a061e09a-b4f0-449a-bc41-098f3ead640a",`
`6`	`6`	`"version": 1,`
`7`	`7`	`"metadata": {`
`8`		`- "timestamp": "2024-11-18T00:38:25Z",`
	`8`	`+ "timestamp": "2024-11-25T00:37:29Z",`
`9`	`9`	`"lifecycles": [`
`10`	`10`	`{`
`11`	`11`	`"phase": "build"`
`@@ -79,7 +79,7 @@`
`79`	`79`	`"type": "library",`
`80`	`80`	`"bom-ref": "2-aiohttp",`
`81`	`81`	`"name": "aiohttp",`
`82`		`- "version": "3.11.2",`
	`82`	`+ "version": "3.11.7",`
`83`	`83`	`"description": "Async http client/server framework (asyncio)",`
`84`	`84`	`"licenses": [`
`85`	`85`	`{`
`@@ -97,12 +97,12 @@`
`97`	`97`	`"comment": "Home page for project"`
`98`	`98`	`},`
`99`	`99`	`{`
`100`		`- "url": "https://pypi.org/project/aiohttp/3.11.2/#files",`
	`100`	`+ "url": "https://pypi.org/project/aiohttp/3.11.7/#files",`
`101`	`101`	`"type": "distribution",`
`102`	`102`	`"comment": "Download location for component"`
`103`	`103`	`}`
`104`	`104`	`],`
`105`		`- "purl": "pkg:pypi/[email protected].2",`
	`105`	`+ "purl": "pkg:pypi/[email protected].7",`
`106`	`106`	`"properties": [`
`107`	`107`	`{`
`108`	`108`	`"name": "language",`
`@@ -111,6 +111,10 @@`
`111`	`111`	`{`
`112`	`112`	`"name": "python_version",`
`113`	`113`	`"value": "3.12.7"`
	`114`	`+ },`
	`115`	`+ {`
	`116`	`+ "name": "package_release_date",`
	`117`	`+ "value": "2024-11-21T15:42:26.000Z"`
`114`	`118`	`}`
`115`	`119`	`]`
`116`	`120`	`},`
`@@ -375,6 +379,12 @@`
`375`	`379`	`},`
`376`	`380`	`"cpe": "cpe:2.3:a:andrew_svetlov:propcache:0.2.0:::::::*",`
`377`	`381`	`"description": "Accelerated property cache",`
	`382`	`+ "hashes": [`
	`383`	`+ {`
	`384`	`+ "alg": "SHA-1",`
	`385`	`+ "content": "f157b0a7b0b3a3c755764b9f03f4d90c43ee5cda"`
	`386`	`+ }`
	`387`	`+ ],`
`378`	`388`	`"licenses": [`
`379`	`389`	`{`
`380`	`390`	`"license": {`
`@@ -416,7 +426,7 @@`
`416`	`426`	`"type": "library",`
`417`	`427`	`"bom-ref": "9-yarl",`
`418`	`428`	`"name": "yarl",`
`419`		`- "version": "1.17.2",`
	`429`	`+ "version": "1.18.0",`
`420`	`430`	`"supplier": {`
`421`	`431`	`"name": "Andrew Svetlov",`
`422`	`432`	`"contact": [`
`@@ -425,7 +435,7 @@`
`425`	`435`	`}`
`426`	`436`	`]`
`427`	`437`	`},`
`428`		`- "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.17.2:::::::*",`
	`438`	`+ "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.18.0:::::::*",`
`429`	`439`	`"description": "Yet another URL library",`
`430`	`440`	`"licenses": [`
`431`	`441`	`{`
`@@ -443,12 +453,12 @@`
`443`	`453`	`"comment": "Home page for project"`
`444`	`454`	`},`
`445`	`455`	`{`
`446`		`- "url": "https://pypi.org/project/yarl/1.17.2/#files",`
	`456`	`+ "url": "https://pypi.org/project/yarl/1.18.0/#files",`
`447`	`457`	`"type": "distribution",`
`448`	`458`	`"comment": "Download location for component"`
`449`	`459`	`}`
`450`	`460`	`],`
`451`		`- "purl": "pkg:pypi/yarl@1.17.2",`
	`461`	`+ "purl": "pkg:pypi/yarl@1.18.0",`
`452`	`462`	`"properties": [`
`453`	`463`	`{`
`454`	`464`	`"name": "language",`
`@@ -457,6 +467,10 @@`
`457`	`467`	`{`
`458`	`468`	`"name": "python_version",`
`459`	`469`	`"value": "3.12.7"`
	`470`	`+ },`
	`471`	`+ {`
	`472`	`+ "name": "package_release_date",`
	`473`	`+ "value": "2024-11-21T15:02:50.000Z"`
`460`	`474`	`}`
`461`	`475`	`]`
`462`	`476`	`},`
`@@ -1938,6 +1952,10 @@`
`1938`	`1952`	`{`
`1939`	`1953`	`"name": "python_version",`
`1940`	`1954`	`"value": "3.12.7"`
	`1955`	`+ },`
	`1956`	`+ {`
	`1957`	`+ "name": "package_release_date",`
	`1958`	`+ "value": "2024-09-04T20:43:30.000Z"`
`1941`	`1959`	`}`
`1942`	`1960`	`]`
`1943`	`1961`	`},`
`@@ -2705,6 +2723,10 @@`
`2705`	`2723`	`{`
`2706`	`2724`	`"name": "python_version",`
`2707`	`2725`	`"value": "3.12.7"`
	`2726`	`+ },`
	`2727`	`+ {`
	`2728`	`+ "name": "package_release_date",`
	`2729`	`+ "value": "2024-06-12T20:10:06.000Z"`
`2708`	`2730`	`}`
`2709`	`2731`	`]`
`2710`	`2732`	`},`
`@@ -2718,6 +2740,12 @@`
`2718`	`2740`	`},`
`2719`	`2741`	`"cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.16.0:::::::*",`
`2720`	`2742`	`"description": "A purl aka. Package URL parser and builder",`
	`2743`	`+ "hashes": [`
	`2744`	`+ {`
	`2745`	`+ "alg": "SHA-1",`
	`2746`	`+ "content": "9155d4173e4c1f29a345de86c280ab783c837882"`
	`2747`	`+ }`
	`2748`	`+ ],`
`2721`	`2749`	`"licenses": [`
`2722`	`2750`	`{`
`2723`	`2751`	`"license": {`
`@@ -2748,6 +2776,10 @@`
`2748`	`2776`	`{`
`2749`	`2777`	`"name": "python_version",`
`2750`	`2778`	`"value": "3.12.7"`
	`2779`	`+ },`
	`2780`	`+ {`
	`2781`	`+ "name": "package_release_date",`
	`2782`	`+ "value": "2024-10-22T05:51:23.000Z"`
`2751`	`2783`	`}`
`2752`	`2784`	`]`
`2753`	`2785`	`},`
`@@ -2980,6 +3012,12 @@`
`2980`	`3012`	`},`
`2981`	`3013`	`"cpe": "cpe:2.3:a:donald_stufft:packaging:24.2:::::::*",`
`2982`	`3014`	`"description": "Core utilities for Python packages",`
	`3015`	`+ "hashes": [`
	`3016`	`+ {`
	`3017`	`+ "alg": "SHA-1",`
	`3018`	`+ "content": "d8e3b31b734926ebbcaff654279f6855a73e052f"`
	`3019`	`+ }`
	`3020`	`+ ],`
`2983`	`3021`	`"externalReferences": [`
`2984`	`3022`	`{`
`2985`	`3023`	`"url": "https://pypi.org/project/packaging/24.2/#files",`
`@@ -3439,7 +3477,7 @@`
`3439`	`3477`	`"type": "library",`
`3440`	`3478`	`"bom-ref": "67-setuptools",`
`3441`	`3479`	`"name": "setuptools",`
`3442`		`- "version": "75.5.0",`
	`3480`	`+ "version": "75.6.0",`
`3443`	`3481`	`"supplier": {`
`3444`	`3482`	`"name": "Python Packaging Authority",`
`3445`	`3483`	`"contact": [`
`@@ -3448,16 +3486,16 @@`
`3448`	`3486`	`}`
`3449`	`3487`	`]`
`3450`	`3488`	`},`
`3451`		`- "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.5.0:::::::*",`
	`3489`	`+ "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.6.0:::::::*",`
`3452`	`3490`	`"description": "Easily download, build, install, upgrade, and uninstall Python packages",`
`3453`	`3491`	`"externalReferences": [`
`3454`	`3492`	`{`
`3455`		`- "url": "https://pypi.org/project/setuptools/75.5.0/#files",`
	`3493`	`+ "url": "https://pypi.org/project/setuptools/75.6.0/#files",`
`3456`	`3494`	`"type": "distribution",`
`3457`	`3495`	`"comment": "Download location for component"`
`3458`	`3496`	`}`
`3459`	`3497`	`],`
`3460`		`- "purl": "pkg:pypi/setuptools@75.5.0",`
	`3498`	`+ "purl": "pkg:pypi/setuptools@75.6.0",`
`3461`	`3499`	`"properties": [`
`3462`	`3500`	`{`
`3463`	`3501`	`"name": "language",`
`@@ -3466,10 +3504,6 @@`
`3466`	`3504`	`{`
`3467`	`3505`	`"name": "python_version",`
`3468`	`3506`	`"value": "3.12.7"`
`3469`		`- },`
`3470`		`- {`
`3471`		`- "name": "package_release_date",`
`3472`		`- "value": "2024-11-13T11:22:04.000Z"`
`3473`	`3507`	`}`
`3474`	`3508`	`]`
`3475`	`3509`	`},`
`@@ -3570,6 +3604,10 @@`
`3570`	`3604`	`{`
`3571`	`3605`	`"name": "python_version",`
`3572`	`3606`	`"value": "3.12.7"`
	`3607`	`+ },`
	`3608`	`+ {`
	`3609`	`+ "name": "package_release_date",`
	`3610`	`+ "value": "2024-10-27T21:52:58.000Z"`
`3573`	`3611`	`}`
`3574`	`3612`	`]`
`3575`	`3613`	`},`