From 25577a5ece76bd95a3b7aa84dcd565497d29783c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 1 Oct 2024 13:47:42 -0700
Subject: [PATCH] chore: update SBOM for Python 3.9 (#4481)
Co-authored-by: GitHub
---
 sbom/cve-bin-tool-py3.9.json | 50 ++++++++++++++++++++++--------------
 sbom/cve-bin-tool-py3.9.spdx | 30 ++++++++++++----------
 2 files changed, 47 insertions(+), 33 deletions(-)
diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json
index f17802d83c..182436530c 100644
--- a/sbom/cve-bin-tool-py3.9.json
+++ b/sbom/cve-bin-tool-py3.9.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
- "serialNumber": "urn:uuid:df593032-720d-4cac-a94a-2e4c84d8254f",
+ "serialNumber": "urn:uuid:b01bf299-408a-4e43-a959-44c49efa21f8",
 "version": 1,
 "metadata": {
- "timestamp": "2024-09-23T00:36:53Z",
+ "timestamp": "2024-09-30T00:40:37Z",
 "lifecycles": [
 {
 "phase": "build"
@@ -79,7 +79,7 @@
 "type": "library",
 "bom-ref": "2-aiohttp",
 "name": "aiohttp",
- "version": "3.10.5",
+ "version": "3.10.8",
 "description": "Async http client/server framework (asyncio)",
 "licenses": [
 {
@@ -97,12 +97,12 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/aiohttp/3.10.5/#files",
+ "url": "https://pypi.org/project/aiohttp/3.10.8/#files",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/aiohttp@3.10.5",
+ "purl": "pkg:pypi/aiohttp@3.10.8",
 "properties": [
 {
 "name": "language",
@@ -118,7 +118,7 @@
 "type": "library",
 "bom-ref": "3-aiohappyeyeballs",
 "name": "aiohappyeyeballs",
- "version": "2.4.0",
+ "version": "2.4.2",
 "supplier": {
 "name": "J. Nick Koston",
 "contact": [
@@ -127,14 +127,8 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.2:*:*:*:*:*:*:*",
 "description": "Happy Eyeballs for asyncio",
- "hashes": [
- {
- "alg": "SHA-1",
- "content": "c31b127a69bdcd7895d1a521985d918061955348"
- }
- ],
 "licenses": [
 {
 "license": {
@@ -151,12 +145,12 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/aiohappyeyeballs/2.4.0/#files",
+ "url": "https://pypi.org/project/aiohappyeyeballs/2.4.2/#files",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/aiohappyeyeballs@2.4.0",
+ "purl": "pkg:pypi/aiohappyeyeballs@2.4.2",
 "properties": [
 {
 "name": "language",
@@ -438,7 +432,7 @@
 "type": "library",
 "bom-ref": "10-yarl",
 "name": "yarl",
- "version": "1.11.1",
+ "version": "1.13.1",
 "supplier": {
 "name": "Andrew Svetlov",
 "contact": [
@@ -447,7 +441,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.11.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.13.1:*:*:*:*:*:*:*",
 "description": "Yet another URL library",
 "licenses": [
 {
@@ -465,12 +459,12 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/yarl/1.11.1/#files",
+ "url": "https://pypi.org/project/yarl/1.13.1/#files",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/yarl@1.11.1",
+ "purl": "pkg:pypi/yarl@1.13.1",
 "properties": [
 {
 "name": "language",
@@ -2416,6 +2410,12 @@
 },
 "cpe": "cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:*:*:*:*:*",
 "description": "JSON Referencing + Python",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "1863d4a5c18af1edd0f3b49caeb9fedfdaff9845"
+ }
+ ],
 "externalReferences": [
 {
 "url": "https://github.com/python-jsonschema/referencing",
@@ -2459,6 +2459,12 @@
 },
 "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*",
 "description": "Python bindings to Rust's persistent data structures (rpds)",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "fac4daa73aacf2df7b4341d51f0c24f5f80aa03d"
+ }
+ ],
 "licenses": [
 {
 "license": {
@@ -2661,6 +2667,12 @@
 },
 "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:*",
 "description": "VEX generator and consumer library",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "b7815c41b68867451b849d4d8e239cb79cc0acf2"
+ }
+ ],
 "licenses": [
 {
 "license": {
diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx
index 5c7247ccf6..9dce6225a3 100644
--- a/sbom/cve-bin-tool-py3.9.spdx
+++ b/sbom/cve-bin-tool-py3.9.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-020d5fea-e58f-4c27-bc90-5b5b857cbf3e
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-cd098b6e-d3fd-4cd2-bae8-9649c9842de8
 LicenseListVersion: 3.22
 Creator: Tool: sbom4python-0.11.2
-Created: 2024-09-23T00:35:40Z
+Created: 2024-09-30T00:39:14Z
 CreatorComment: This document has been automatically generated.
 #####

@@ -27,10 +27,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4:*:*:*:*:*:*

 PackageName: aiohttp
 SPDXID: SPDXRef-2-aiohttp
-PackageVersion: 3.10.5
+PackageVersion: 3.10.8
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.10.5/#files
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.10.8/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/aiohttp
 PackageLicenseDeclared: NOASSERTION
@@ -38,24 +38,23 @@ PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Async http client/server framework (asyncio)
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.10.5
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.10.8
 #####

 PackageName: aiohappyeyeballs
 SPDXID: SPDXRef-3-aiohappyeyeballs
-PackageVersion: 2.4.0
+PackageVersion: 2.4.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: J. Nick Koston (nick@koston.org)
-PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.4.0/#files
+PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.4.2/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/aiohappyeyeballs
-PackageChecksum: SHA1: c31b127a69bdcd7895d1a521985d918061955348
 PackageLicenseDeclared: Python-2.0.1
 PackageLicenseConcluded: Python-2.0.1
 PackageCopyrightText: NOASSERTION
 PackageSummary: Happy Eyeballs for asyncio
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohappyeyeballs@2.4.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohappyeyeballs@2.4.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.2:*:*:*:*:*:*:*
 #####

 PackageName: aiosignal
@@ -158,18 +157,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-e

 PackageName: yarl
 SPDXID: SPDXRef-10-yarl
-PackageVersion: 1.11.1
+PackageVersion: 1.13.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/yarl/1.11.1/#files
+PackageDownloadLocation: https://pypi.org/project/yarl/1.13.1/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/yarl
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: Yet another URL library
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.11.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.11.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.13.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.13.1:*:*:*:*:*:*:*
 #####

 PackageName: idna
@@ -819,6 +818,7 @@ PackageSupplier: Person: Julian Berman (Julian+referencing@GrayVines.com)
 PackageDownloadLocation: https://pypi.org/project/referencing/0.35.1/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/python-jsonschema/referencing
+PackageChecksum: SHA1: 1863d4a5c18af1edd0f3b49caeb9fedfdaff9845
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
@@ -835,6 +835,7 @@ PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com)
 PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/crate-py/rpds
+PackageChecksum: SHA1: fac4daa73aacf2df7b4341d51f0c24f5f80aa03d
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
@@ -901,6 +902,7 @@ PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
 PackageDownloadLocation: https://pypi.org/project/lib4vex/0.2.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/anthonyharrison/lib4vex
+PackageChecksum: SHA1: b7815c41b68867451b849d4d8e239cb79cc0acf2
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION