From 2529beb8c35b5bd046710e5c67f629abdd993c7d Mon Sep 17 00:00:00 2001
From: GitHub
Date: Mon, 7 Apr 2025 00:38:40 +0000
Subject: [PATCH] chore: update SBOM for Python 3.13
---
 sbom/cve-bin-tool-py3.13.json | 74 ++++++++++++++++-------------------
 sbom/cve-bin-tool-py3.13.spdx | 69 ++++++++++++++++----------------
 2 files changed, 68 insertions(+), 75 deletions(-)
diff --git a/sbom/cve-bin-tool-py3.13.json b/sbom/cve-bin-tool-py3.13.json
index e6f8cb88bb..f73931f315 100644
--- a/sbom/cve-bin-tool-py3.13.json
+++ b/sbom/cve-bin-tool-py3.13.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
- "serialNumber": "urn:uuid:d0bd14a8-fa98-429b-9f5d-cf2dde35c5c9",
+ "serialNumber": "urn:uuid:74b3c01b-cced-488f-a165-eefaaf97890d",
 "version": 1,
 "metadata": {
- "timestamp": "2025-03-31T00:41:10Z",
+ "timestamp": "2025-04-07T00:38:38Z",
 "lifecycles": [
 {
 "phase": "build"
@@ -89,14 +89,8 @@
 "type": "library",
 "bom-ref": "2-aiohttp",
 "name": "aiohttp",
- "version": "3.11.14",
+ "version": "3.11.16",
 "description": "Async http client/server framework (asyncio)",
- "hashes": [
- {
- "alg": "SHA-256",
- "content": "e2bc827c01f75803de77b134afdbf74fa74b62970eafdf190f3244931d7a5c0d"
- }
- ],
 "licenses": [
 {
 "license": {
@@ -113,7 +107,7 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/aiohttp/3.11.14/#files",
+ "url": "https://pypi.org/project/aiohttp/3.11.16/#files",
 "type": "distribution",
 "comment": "Download location for component"
 },
@@ -150,11 +144,11 @@
 "type": "vcs"
 }
 ],
- "purl": "pkg:pypi/aiohttp@3.11.14",
+ "purl": "pkg:pypi/aiohttp@3.11.16",
 "properties": [
 {
 "name": "release_date",
- "value": "2025-03-17T02:42:42Z"
+ "value": "2024-09-17T18:57:44Z"
 },
 {
 "name": "language",
@@ -461,7 +455,7 @@
 "type": "library",
 "bom-ref": "7-multidict",
 "name": "multidict",
- "version": "6.2.0",
+ "version": "6.3.2",
 "supplier": {
 "name": "Andrew Svetlov",
 "contact": [
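Review bot: The aiohttp component in the `@@ -89,14 +89,8 @@` hunk loses its entire `hashes` block while its version moves to 3.11.16, and the `@@ -150,11 +144,11 @@` hunk moves `release_date` backwards from 2025-03-17 to 2024-09-17 for what is supposed to be a newer release; the SPDX file mirrors both symptoms in `@@ -29,18 +29,17 @@`, where the `PackageChecksum` line is deleted and `ReleaseDate` regresses the same way. Taken together these look like the generator resolving the wrong release's metadata rather than a property of aiohttp 3.11.16, so the merged SBOM would record a component no consumer can verify against a checksum, tagged with a misleading date. I would regenerate and inspect before merging; a guard in the SBOM workflow that fails when a component that previously carried a SHA-256 no longer does would catch this class of regression, for example by comparing `jq -r '.components[] | select(.hashes) | .name' sbom/cve-bin-tool-py3.13.json` against the previous revision's output.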
@@ -470,12 +464,12 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:andrew_svetlov:multidict:6.2.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrew_svetlov:multidict:6.3.2:*:*:*:*:*:*:*",
 "description": "multidict implementation",
 "hashes": [
 {
 "alg": "SHA-256",
- "content": "b9f6392d98c0bd70676ae41474e2eecf4c7150cb419237a41f8f96043fcb81d1"
+ "content": "8b3dc0eec9304fa04d84a51ea13b0ec170bace5b7ddeaac748149efd316f1504"
 }
 ],
 "licenses": [
@@ -494,7 +488,7 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/multidict/6.2.0/#files",
+ "url": "https://pypi.org/project/multidict/6.3.2/#files",
 "type": "distribution",
 "comment": "Download location for component"
 },
@@ -535,11 +529,11 @@
 "type": "vcs"
 }
 ],
- "purl": "pkg:pypi/multidict@6.2.0",
+ "purl": "pkg:pypi/multidict@6.3.2",
 "properties": [
 {
 "name": "release_date",
- "value": "2025-03-17T16:53:32Z"
+ "value": "2025-04-03T19:41:19Z"
 },
 {
 "name": "language",
@@ -555,7 +549,7 @@
 "type": "library",
 "bom-ref": "8-typing-extensions",
 "name": "typing-extensions",
- "version": "4.13.0",
+ "version": "4.13.1",
 "supplier": {
 "name": "Guido van Jukka ukasz Michael",
 "contact": [
@@ -564,12 +558,12 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.13.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.13.1:*:*:*:*:*:*:*",
 "description": "Backported and Experimental Type Hints for Python 3.8+",
 "hashes": [
 {
 "alg": "SHA-256",
- "content": "c8dd92cc0d6425a97c18fbb9d1954e5ff92c1ca881a309c45f06ebc0b79058e5"
+ "content": "4b6cf02909eb5495cfbc3f6e8fd49217e6cc7944e145cdda8caa3734777f9e69"
 }
 ],
 "externalReferences": [
@@ -579,7 +573,7 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/typing-extensions/4.13.0/#files",
+ "url": "https://pypi.org/project/typing-extensions/4.13.1/#files",
 "type": "distribution",
 "comment": "Download location for component"
 },
@@ -604,11 +598,11 @@
 "type": "vcs"
 }
 ],
- "purl": "pkg:pypi/typing-extensions@4.13.0",
+ "purl": "pkg:pypi/typing-extensions@4.13.1",
 "properties": [
 {
 "name": "release_date",
- "value": "2025-03-26T03:49:40Z"
+ "value": "2025-04-03T16:11:19Z"
 },
 {
 "name": "language",
@@ -718,7 +712,7 @@
 "type": "library",
 "bom-ref": "10-yarl",
 "name": "yarl",
- "version": "1.18.3",
+ "version": "1.19.0",
 "supplier": {
 "name": "Andrew Svetlov",
 "contact": [
@@ -727,12 +721,12 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.18.3:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.19.0:*:*:*:*:*:*:*",
 "description": "Yet another URL library",
 "hashes": [
 {
 "alg": "SHA-256",
- "content": "7df647e8edd71f000a5208fe6ff8c382a1de8edfbccdbbfe649d263de07d8c34"
+ "content": "0bae32f8ebd35c04d6528cedb4a26b8bf25339d3616b04613b97347f919b76d3"
 }
 ],
 "licenses": [
@@ -751,7 +745,7 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/yarl/1.18.3/#files",
+ "url": "https://pypi.org/project/yarl/1.19.0/#files",
 "type": "distribution",
 "comment": "Download location for component"
 },
@@ -792,11 +786,11 @@
 "type": "vcs"
 }
 ],
- "purl": "pkg:pypi/yarl@1.18.3",
+ "purl": "pkg:pypi/yarl@1.19.0",
 "properties": [
 {
 "name": "release_date",
- "value": "2024-12-01T20:32:32Z"
+ "value": "2025-04-06T02:33:31Z"
 },
 {
 "name": "language",
@@ -1303,7 +1297,7 @@
 "type": "library",
 "bom-ref": "19-argcomplete",
 "name": "argcomplete",
- "version": "3.6.1",
+ "version": "3.6.2",
 "supplier": {
 "name": "Andrey Kislyuk",
 "contact": [
@@ -1312,12 +1306,12 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.6.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.6.2:*:*:*:*:*:*:*",
 "description": "Bash tab completion for argparse",
 "hashes": [
 {
 "alg": "SHA-256",
- "content": "cef54d7f752560570291214f0f1c48c3b8ef09aca63d65de7747612666725dbc"
+ "content": "65b3133a29ad53fb42c48cf5114752c7ab66c1c38544fdf6460f450c09b42591"
 }
 ],
 "licenses": [
@@ -1336,7 +1330,7 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/argcomplete/3.6.1/#files",
+ "url": "https://pypi.org/project/argcomplete/3.6.2/#files",
 "type": "distribution",
 "comment": "Download location for component"
 },
@@ -1357,11 +1351,11 @@
 "type": "log"
 }
 ],
- "purl": "pkg:pypi/argcomplete@3.6.1",
+ "purl": "pkg:pypi/argcomplete@3.6.2",
 "properties": [
 {
 "name": "release_date",
- "value": "2025-03-22T17:31:11Z"
+ "value": "2025-04-03T04:57:01Z"
 },
 {
 "name": "language",
@@ -4129,7 +4123,7 @@
 "type": "library",
 "bom-ref": "64-narwhals",
 "name": "narwhals",
- "version": "1.32.0",
+ "version": "1.33.0",
 "supplier": {
 "name": "Marco Gorelli",
 "contact": [
@@ -4138,7 +4132,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:marco_gorelli:narwhals:1.32.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:marco_gorelli:narwhals:1.33.0:*:*:*:*:*:*:*",
 "description": "Extremely lightweight compatibility layer between dataframe libraries",
 "licenses": [
 {
@@ -4156,7 +4150,7 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/narwhals/1.32.0/#files",
+ "url": "https://pypi.org/project/narwhals/1.33.0/#files",
 "type": "distribution",
 "comment": "Download location for component"
 },
@@ -4173,7 +4167,7 @@
 "type": "issue-tracker"
 }
 ],
- "purl": "pkg:pypi/narwhals@1.32.0",
+ "purl": "pkg:pypi/narwhals@1.33.0",
 "properties": [
 {
 "name": "release_date",
diff --git a/sbom/cve-bin-tool-py3.13.spdx b/sbom/cve-bin-tool-py3.13.spdx
index 6cfaf1152f..01b4047d70 100644
--- a/sbom/cve-bin-tool-py3.13.spdx
+++ b/sbom/cve-bin-tool-py3.13.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-ffe92e3c-3759-4299-956c-9da57c64a5ff
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-e4212c69-4e6f-41f5-9e61-74ba8e4549ae
 LicenseListVersion: 3.25
 Creator: Tool: sbom4python-0.12.3
-Created: 2025-03-31T00:41:04Z
+Created: 2025-04-07T00:38:32Z
 CreatorComment: This document has been automatically generated.
 #####

@@ -29,18 +29,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4:*:*:*:*:*:*

 PackageName: aiohttp
 SPDXID: SPDXRef-2-aiohttp
-PackageVersion: 3.11.14
+PackageVersion: 3.11.16
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.11.14/#files
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.11.16/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/aiohttp
-PackageChecksum: SHA256: e2bc827c01f75803de77b134afdbf74fa74b62970eafdf190f3244931d7a5c0d
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: Async http client/server framework (asyncio)
-ReleaseDate: 2025-03-17T02:42:42Z
+ReleaseDate: 2024-09-17T18:57:44Z
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs:matrix.org
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs-space:matrix.org
 ExternalRef: OTHER build-system https://github.com/aio-libs/aiohttp/actions?query=workflow%3ACI
@@ -49,7 +48,7 @@ ExternalRef: OTHER log https://docs.aiohttp.org/en/stable/changes.html
 ExternalRef: OTHER other https://docs.aiohttp.org
 ExternalRef: OTHER issue-tracker https://github.com/aio-libs/aiohttp/issues
 ExternalRef: OTHER vcs https://github.com/aio-libs/aiohttp
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.11.14
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.11.16
 #####

 PackageName: aiohappyeyeballs
@@ -148,19 +147,19 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:25.3.0:*:*:*:*:*

 PackageName: multidict
 SPDXID: SPDXRef-7-multidict
-PackageVersion: 6.2.0
+PackageVersion: 6.3.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/multidict/6.2.0/#files
+PackageDownloadLocation: https://pypi.org/project/multidict/6.3.2/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/multidict
-PackageChecksum: SHA256: b9f6392d98c0bd70676ae41474e2eecf4c7150cb419237a41f8f96043fcb81d1
+PackageChecksum: SHA256: 8b3dc0eec9304fa04d84a51ea13b0ec170bace5b7ddeaac748149efd316f1504
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: multidict declares Apache 2 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: multidict implementation
-ReleaseDate: 2025-03-17T16:53:32Z
+ReleaseDate: 2025-04-03T19:41:19Z
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs:matrix.org
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs-space:matrix.org
 ExternalRef: OTHER build-system https://github.com/aio-libs/multidict/actions
@@ -170,31 +169,31 @@ ExternalRef: OTHER log https://multidict.aio-libs.org/en/latest/changes/
 ExternalRef: OTHER other https://multidict.aio-libs.org
 ExternalRef: OTHER issue-tracker https://github.com/aio-libs/multidict/issues
 ExternalRef: OTHER vcs https://github.com/aio-libs/multidict
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/multidict@6.2.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.2.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/multidict@6.3.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.3.2:*:*:*:*:*:*:*
 #####

 PackageName: typing-extensions
 SPDXID: SPDXRef-8-typing-extensions
-PackageVersion: 4.13.0
+PackageVersion: 4.13.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Guido van Jukka ukasz Michael (levkivskyi@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/typing-extensions/4.13.0/#files
+PackageDownloadLocation: https://pypi.org/project/typing-extensions/4.13.1/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/python/typing_extensions
-PackageChecksum: SHA256: c8dd92cc0d6425a97c18fbb9d1954e5ff92c1ca881a309c45f06ebc0b79058e5
+PackageChecksum: SHA256: 4b6cf02909eb5495cfbc3f6e8fd49217e6cc7944e145cdda8caa3734777f9e69
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Backported and Experimental Type Hints for Python 3.8+
-ReleaseDate: 2025-03-26T03:49:40Z
+ReleaseDate: 2025-04-03T16:11:19Z
 ExternalRef: OTHER issue-tracker https://github.com/python/typing_extensions/issues
 ExternalRef: OTHER log https://github.com/python/typing_extensions/blob/main/CHANGELOG.md
 ExternalRef: OTHER documentation https://typing-extensions.readthedocs.io/
 ExternalRef: OTHER other https://github.com/python/typing/discussions
 ExternalRef: OTHER vcs https://github.com/python/typing_extensions
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/typing-extensions@4.13.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.13.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/typing-extensions@4.13.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.13.1:*:*:*:*:*:*:*
 #####

 PackageName: propcache
@@ -226,18 +225,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:propcache:0.3.1:*:*:*:*

 PackageName: yarl
 SPDXID: SPDXRef-10-yarl
-PackageVersion: 1.18.3
+PackageVersion: 1.19.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/yarl/1.18.3/#files
+PackageDownloadLocation: https://pypi.org/project/yarl/1.19.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/yarl
-PackageChecksum: SHA256: 7df647e8edd71f000a5208fe6ff8c382a1de8edfbccdbbfe649d263de07d8c34
+PackageChecksum: SHA256: 0bae32f8ebd35c04d6528cedb4a26b8bf25339d3616b04613b97347f919b76d3
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: Yet another URL library
-ReleaseDate: 2024-12-01T20:32:32Z
+ReleaseDate: 2025-04-06T02:33:31Z
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs:matrix.org
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs-space:matrix.org
 ExternalRef: OTHER other https://github.com/aio-libs/yarl/actions?query=branch:master
@@ -247,8 +246,8 @@ ExternalRef: OTHER log https://yarl.aio-libs.org/en/latest/changes/
 ExternalRef: OTHER other https://yarl.aio-libs.org
 ExternalRef: OTHER issue-tracker https://github.com/aio-libs/yarl/issues
 ExternalRef: OTHER vcs https://github.com/aio-libs/yarl
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/yarl@1.18.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.18.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/yarl@1.19.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.19.0:*:*:*:*:*:*:*
 #####

 PackageName: idna
@@ -411,25 +410,25 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.31:*:*:*:*:*:*:*

 PackageName: argcomplete
 SPDXID: SPDXRef-19-argcomplete
-PackageVersion: 3.6.1
+PackageVersion: 3.6.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/argcomplete/3.6.1/#files
+PackageDownloadLocation: https://pypi.org/project/argcomplete/3.6.2/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/kislyuk/argcomplete
-PackageChecksum: SHA256: cef54d7f752560570291214f0f1c48c3b8ef09aca63d65de7747612666725dbc
+PackageChecksum: SHA256: 65b3133a29ad53fb42c48cf5114752c7ab66c1c38544fdf6460f450c09b42591
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Bash tab completion for argparse
-ReleaseDate: 2025-03-22T17:31:11Z
+ReleaseDate: 2025-04-03T04:57:01Z
 ExternalRef: OTHER documentation https://kislyuk.github.io/argcomplete
 ExternalRef: OTHER vcs https://github.com/kislyuk/argcomplete
 ExternalRef: OTHER issue-tracker https://github.com/kislyuk/argcomplete/issues
 ExternalRef: OTHER log https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.6.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.6.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.6.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.6.2:*:*:*:*:*:*:*
 #####

 PackageName: crcmod
@@ -1363,10 +1362,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.0.1:*:*:*:*:*:*:*

 PackageName: narwhals
 SPDXID: SPDXRef-64-narwhals
-PackageVersion: 1.32.0
+PackageVersion: 1.33.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Marco Gorelli (33491632+MarcoGorelli@users.noreply.github.com)
-PackageDownloadLocation: https://pypi.org/project/narwhals/1.32.0/#files
+PackageDownloadLocation: https://pypi.org/project/narwhals/1.33.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/narwhals-dev/narwhals
 PackageLicenseDeclared: NOASSERTION
@@ -1378,8 +1377,8 @@ ReleaseDate: 2025-03-17T15:02:18Z
 ExternalRef: OTHER documentation https://narwhals-dev.github.io/narwhals/
 ExternalRef: OTHER vcs https://github.com/narwhals-dev/narwhals
 ExternalRef: OTHER issue-tracker https://github.com/narwhals-dev/narwhals/issues
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@1.32.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:1.32.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@1.33.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:1.33.0:*:*:*:*:*:*:*
 #####

 PackageName: requests
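Review bot: narwhals is bumped to 1.33.0 in the `@@ -1363,10 +1362,10 @@` hunk, but the `ReleaseDate: 2025-03-17T15:02:18Z` line that appears as the function context of `@@ -1378,8 +1377,8 @@` is not part of the change, so the new SBOM keeps the previous version's date against the new version; the JSON counterpart in `@@ -4173,7 +4167,7 @@` likewise ends at `"name": "release_date"` with the value line outside the diff, which means it is unchanged there too. narwhals also carries no `PackageChecksum` in the SPDX file and no `hashes` entry in the JSON component, before or after this change, so a consumer has no way to verify the artefact. From what the diff shows these look like incomplete metadata from the generator rather than facts about the release, and a regeneration or a generator fix is the right remedy rather than a hand edit of the SBOM.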