From 993679231481beebf5d90ad4aa41e944e227f903 Mon Sep 17 00:00:00 2001
From: GitHub
Date: Mon, 25 Nov 2024 00:39:42 +0000
Subject: [PATCH] chore: update SBOM for Python 3.9
---
 sbom/cve-bin-tool-py3.9.json | 78 +++++++++++++++++++++++++-----------
 sbom/cve-bin-tool-py3.9.spdx | 33 +++++++--------
 2 files changed, 72 insertions(+), 39 deletions(-)
diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json
index 3b323e9810..525e36c738 100644
--- a/sbom/cve-bin-tool-py3.9.json
+++ b/sbom/cve-bin-tool-py3.9.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
- "serialNumber": "urn:uuid:4cd7fc8c-899c-44d7-99ce-13fd8013ebd6",
+ "serialNumber": "urn:uuid:a5bb6dc0-336a-401b-b261-af928298df56",
 "version": 1,
 "metadata": {
- "timestamp": "2024-11-18T00:41:13Z",
+ "timestamp": "2024-11-25T00:39:41Z",
 "lifecycles": [
 {
 "phase": "build"
@@ -79,7 +79,7 @@
 "type": "library",
 "bom-ref": "2-aiohttp",
 "name": "aiohttp",
- "version": "3.11.2",
+ "version": "3.11.7",
 "description": "Async http client/server framework (asyncio)",
 "licenses": [
 {
@@ -97,12 +97,12 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/aiohttp/3.11.2/#files",
+ "url": "https://pypi.org/project/aiohttp/3.11.7/#files",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/aiohttp@3.11.2",
+ "purl": "pkg:pypi/aiohttp@3.11.7",
 "properties": [
 {
 "name": "language",
@@ -111,6 +111,10 @@
 {
 "name": "python_version",
 "value": "3.9.20"
+ },
+ {
+ "name": "package_release_date",
+ "value": "2024-11-21T15:42:26.000Z"
 }
 ]
 },
@@ -471,6 +475,12 @@
 },
 "cpe": "cpe:2.3:a:andrew_svetlov:propcache:0.2.0:*:*:*:*:*:*:*",
 "description": "Accelerated property cache",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "f157b0a7b0b3a3c755764b9f03f4d90c43ee5cda"
+ }
+ ],
 "licenses": [
 {
 "license": {
@@ -512,7 +522,7 @@
 "type": "library",
 "bom-ref": "11-yarl",
 "name": "yarl",
- "version": "1.17.2",
+ "version": "1.18.0",
 "supplier": {
 "name": "Andrew Svetlov",
 "contact": [
@@ -521,7 +531,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.17.2:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.18.0:*:*:*:*:*:*:*",
 "description": "Yet another URL library",
 "licenses": [
 {
@@ -539,12 +549,12 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/yarl/1.17.2/#files",
+ "url": "https://pypi.org/project/yarl/1.18.0/#files",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/yarl@1.17.2",
+ "purl": "pkg:pypi/yarl@1.18.0",
 "properties": [
 {
 "name": "language",
@@ -553,6 +563,10 @@
 {
 "name": "python_version",
 "value": "3.9.20"
+ },
+ {
+ "name": "package_release_date",
+ "value": "2024-11-21T15:02:50.000Z"
 }
 ]
 },
@@ -2034,6 +2048,10 @@
 {
 "name": "python_version",
 "value": "3.9.20"
+ },
+ {
+ "name": "package_release_date",
+ "value": "2024-09-04T20:43:30.000Z"
 }
 ]
 },
@@ -2883,6 +2901,10 @@
 {
 "name": "python_version",
 "value": "3.9.20"
+ },
+ {
+ "name": "package_release_date",
+ "value": "2024-06-12T20:10:06.000Z"
 }
 ]
 },
@@ -2896,6 +2918,12 @@
 },
 "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.16.0:*:*:*:*:*:*:*",
 "description": "A purl aka. Package URL parser and builder",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "9155d4173e4c1f29a345de86c280ab783c837882"
+ }
+ ],
 "licenses": [
 {
 "license": {
@@ -2926,6 +2954,10 @@
 {
 "name": "python_version",
 "value": "3.9.20"
+ },
+ {
+ "name": "package_release_date",
+ "value": "2024-10-22T05:51:23.000Z"
 }
 ]
 },
@@ -3158,6 +3190,12 @@
 },
 "cpe": "cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:*",
 "description": "Core utilities for Python packages",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "d8e3b31b734926ebbcaff654279f6855a73e052f"
+ }
+ ],
 "externalReferences": [
 {
 "url": "https://pypi.org/project/packaging/24.2/#files",
@@ -3617,7 +3655,7 @@
 "type": "library",
 "bom-ref": "71-setuptools",
 "name": "setuptools",
- "version": "75.5.0",
+ "version": "75.6.0",
 "supplier": {
 "name": "Python Packaging Authority",
 "contact": [
@@ -3626,16 +3664,16 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.5.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.6.0:*:*:*:*:*:*:*",
 "description": "Easily download, build, install, upgrade, and uninstall Python packages",
 "externalReferences": [
 {
- "url": "https://pypi.org/project/setuptools/75.5.0/#files",
+ "url": "https://pypi.org/project/setuptools/75.6.0/#files",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/setuptools@75.5.0",
+ "purl": "pkg:pypi/setuptools@75.6.0",
 "properties": [
 {
 "name": "language",
@@ -3644,10 +3682,6 @@
 {
 "name": "python_version",
 "value": "3.9.20"
- },
- {
- "name": "package_release_date",
- "value": "2024-11-13T11:22:04.000Z"
 }
 ]
 },
@@ -3806,6 +3840,10 @@
 {
 "name": "python_version",
 "value": "3.9.20"
+ },
+ {
+ "name": "package_release_date",
+ "value": "2024-10-27T21:52:58.000Z"
 }
 ]
 },
@@ -4055,12 +4093,6 @@
 "30-six"
 ]
 },
- {
- "ref": "44-importlib-metadata",
- "dependsOn": [
- "45-zipp"
- ]
- },
 {
 "ref": "46-jinja2",
 "dependsOn": [
diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx
index 69f0851dff..6d8b10262e 100644
--- a/sbom/cve-bin-tool-py3.9.spdx
+++ b/sbom/cve-bin-tool-py3.9.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-7537a80d-caef-4a47-a5f9-73259eba4425
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-498ea3db-d747-477f-b1df-d88305bf176f
 LicenseListVersion: 3.22
 Creator: Tool: sbom4python-0.11.3
-Created: 2024-11-18T00:40:10Z
+Created: 2024-11-25T00:38:45Z
 CreatorComment: This document has been automatically generated.
 #####
 
@@ -27,18 +27,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4:*:*:*:*:*:*
 
 PackageName: aiohttp
 SPDXID: SPDXRef-2-aiohttp
-PackageVersion: 3.11.2
+PackageVersion: 3.11.7
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.11.2/#files
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.11.7/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/aiohttp
-PackageLicenseDeclared: NOASSERTION
+PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
-PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Async http client/server framework (asyncio)
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.11.2
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.11.7
 #####
 
 PackageName: aiohappyeyeballs
@@ -165,6 +164,7 @@ PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
 PackageDownloadLocation: https://pypi.org/project/propcache/0.2.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/propcache
+PackageChecksum: SHA1: f157b0a7b0b3a3c755764b9f03f4d90c43ee5cda
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
@@ -175,18 +175,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:propcache:0.2.0:*:*:*:*
 
 PackageName: yarl
 SPDXID: SPDXRef-11-yarl
-PackageVersion: 1.17.2
+PackageVersion: 1.18.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/yarl/1.17.2/#files
+PackageDownloadLocation: https://pypi.org/project/yarl/1.18.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/yarl
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: Yet another URL library
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.17.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.17.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.18.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.18.0:*:*:*:*:*:*:*
 #####
 
 PackageName: idna
@@ -957,6 +957,7 @@ PackageSupplier: Person: the purl authors
 PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.16.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/package-url/packageurl-python
+PackageChecksum: SHA1: 9155d4173e4c1f29a345de86c280ab783c837882
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
@@ -1040,6 +1041,7 @@ PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Donald Stufft (donald@stufft.io)
 PackageDownloadLocation: https://pypi.org/project/packaging/24.2/#files
 FilesAnalyzed: false
+PackageChecksum: SHA1: d8e3b31b734926ebbcaff654279f6855a73e052f
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
@@ -1184,17 +1186,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:*
 
 PackageName: setuptools
 SPDXID: SPDXRef-71-setuptools
-PackageVersion: 75.5.0
+PackageVersion: 75.6.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org)
-PackageDownloadLocation: https://pypi.org/project/setuptools/75.5.0/#files
+PackageDownloadLocation: https://pypi.org/project/setuptools/75.6.0/#files
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.5.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.5.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.6.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.6.0:*:*:*:*:*:*:*
 #####
 
 PackageName: toml
@@ -1348,7 +1350,6 @@ Relationship: SPDXRef-42-google-apitools DEPENDS_ON SPDXRef-22-fasteners
 Relationship: SPDXRef-42-google-apitools DEPENDS_ON SPDXRef-30-six
 Relationship: SPDXRef-42-google-apitools DEPENDS_ON SPDXRef-32-httplib2
 Relationship: SPDXRef-42-google-apitools DEPENDS_ON SPDXRef-36-oauth2client
-Relationship: SPDXRef-44-importlib-metadata DEPENDS_ON SPDXRef-45-zipp
 Relationship: SPDXRef-46-jinja2 DEPENDS_ON SPDXRef-47-markupsafe
 Relationship: SPDXRef-48-jsonschema DEPENDS_ON SPDXRef-49-jsonschema-specifications
 Relationship: SPDXRef-48-jsonschema DEPENDS_ON SPDXRef-50-referencing