From 9664e12bef6a2a6b3ce21eacbeb48fc9f255c45c Mon Sep 17 00:00:00 2001 From: GitHub Date: Mon, 29 Jul 2024 00:30:29 +0000 Subject: [PATCH] chore: update SBOM for Python 3.9 --- sbom/cve-bin-tool-py3.9.json | 310 +++++++++++++++++++---------------- sbom/cve-bin-tool-py3.9.spdx | 116 +++++++------ 2 files changed, 228 insertions(+), 198 deletions(-) diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json index 20cd6643f4..3a47f5689c 100644 --- a/sbom/cve-bin-tool-py3.9.json +++ b/sbom/cve-bin-tool-py3.9.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:315f2a51-50c8-4ce3-85a6-4d80347c618d", + "serialNumber": "urn:uuid:c55db0d4-3bfe-442b-9b16-b3b25bf97a80", "version": 1, "metadata": { - "timestamp": "2024-07-01T00:32:36Z", + "timestamp": "2024-07-29T00:30:28Z", "tools": { "components": [ { @@ -41,7 +41,8 @@ { "license": { "id": "GPL-3.0-or-later", - "url": "https://www.gnu.org/licenses/gpl-3.0-standalone.html" + "url": "https://www.gnu.org/licenses/gpl-3.0-standalone.html", + "acknowledgement": "concluded" } } ], @@ -74,7 +75,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -112,7 +114,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -145,7 +148,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -193,7 +197,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], 
@@ -275,7 +280,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -323,7 +329,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -405,7 +412,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -493,7 +501,8 @@ { "license": { "id": "LGPL-3.0-or-later", - "url": "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" + "url": "https://www.gnu.org/licenses/lgpl-3.0-standalone.html", + "acknowledgement": "concluded" } } ], @@ -541,7 +550,8 @@ { "license": { "id": "PSF-2.0", - "url": "https://opensource.org/licenses/Python-2.0" + "url": "https://opensource.org/licenses/Python-2.0", + "acknowledgement": "concluded" } } ], @@ -583,7 +593,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -631,7 +642,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -673,7 +685,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -715,7 +728,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], 
@@ -757,7 +771,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -800,7 +815,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -842,7 +858,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -890,7 +907,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -938,7 +956,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -965,7 +984,7 @@ "type": "library", "bom-ref": "23-cachetools", "name": "cachetools", - "version": "5.3.3", + "version": "5.4.0", "supplier": { "name": "Thomas Kemmer", "contact": [ @@ -974,24 +993,25 @@ } ] }, - "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.4.0:*:*:*:*:*:*:*", "description": "Extensible memoizing collections and decorators", "licenses": [ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/cachetools/5.3.3", + "url": "https://pypi.org/project/cachetools/5.4.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cachetools@5.3.3", + "purl": "pkg:pypi/cachetools@5.4.0", "properties": [ { "name": "language", 
@@ -1022,7 +1042,8 @@ { "license": { "id": "BSD-3-Clause", - "url": "https://opensource.org/licenses/BSD-3-Clause" + "url": "https://opensource.org/licenses/BSD-3-Clause", + "acknowledgement": "concluded" } } ], @@ -1064,7 +1085,8 @@ { "license": { "id": "BSD-2-Clause", - "url": "https://opensource.org/licenses/BSD-2-Clause" + "url": "https://opensource.org/licenses/BSD-2-Clause", + "acknowledgement": "concluded" } } ], @@ -1112,7 +1134,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -1160,7 +1183,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -1207,7 +1231,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -1255,7 +1280,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -1343,7 +1369,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -1391,7 +1418,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -1439,7 +1467,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], 
@@ -1466,7 +1495,7 @@ "type": "library", "bom-ref": "34-pyopenssl", "name": "pyopenssl", - "version": "24.1.0", + "version": "24.2.1", "supplier": { "name": "The pyOpenSSL developers", "contact": [ @@ -1475,30 +1504,25 @@ } ] }, - "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:24.1.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:24.2.1:*:*:*:*:*:*:*", "description": "Python wrapper module around the OpenSSL library", - "hashes": [ - { - "alg": "SHA-1", - "content": "d9f2c46de70c1aee20a4309424d9f506b7aae68e" - } - ], "licenses": [ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/pyOpenSSL/24.1.0", + "url": "https://pypi.org/project/pyOpenSSL/24.2.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/pyopenssl@24.1.0", + "purl": "pkg:pypi/pyopenssl@24.2.1", "properties": [ { "name": "language", @@ -1514,16 +1538,16 @@ "type": "library", "bom-ref": "35-cryptography", "name": "cryptography", - "version": "42.0.8", + "version": "43.0.0", "supplier": { - "name": "The Python Cryptographic Authority and individual contributors", + "name": "The cryptography developers The Python Cryptographic Authority and individual contributors", "contact": [ { "email": "cryptography-dev@python.org" } ] }, - "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:42.0.8:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:43.0.0:*:*:*:*:*:*:*", "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.", "licenses": [ { 
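Review bot: The pyopenssl component loses its `hashes` entry (the SHA-1 `d9f2c46de70c1aee20a4309424d9f506b7aae68e`) with nothing in its place, so the regenerated BOM carries no integrity value for this package at all; the same drop happens for lib4sbom, packageurl-python and zstandard in the later hunks of this file and in the matching `PackageChecksum` lines of the .spdx file, while rpmfile keeps an updated checksum. This looks like generator (sbom4python) behaviour rather than an intended change, and it is worth finding out why a checksum could not be resolved for exactly these four before merging, since any consumer that verifies downloaded artifacts against the SBOM silently loses that check. If the tool can be configured for it, recording a SHA-256 from the PyPI release files would also be a stronger value than the SHA-1 used in the entries that remain.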
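Review bot: The new `supplier.name` for cryptography, `The cryptography developers The Python Cryptographic Authority and individual contributors`, reads as two metadata values run together without a separator, and the derived `cpe` vendor field inherits the same concatenation. Because the CPE is what cve-bin-tool itself matches against NVD, a mangled vendor string changes which records (if any) this entry can match; the `PackageSupplier` and `cpe23Type` lines in the corresponding .spdx hunk show the same value. This is presumably how sbom4python rendered the author/maintainer metadata of cryptography 43.0.0 — worth confirming against the upstream package metadata and fixing in the generator rather than hand-editing the SBOM.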
@@ -1532,12 +1556,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cryptography/42.0.8", + "url": "https://pypi.org/project/cryptography/43.0.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cryptography@42.0.8", + "purl": "pkg:pypi/cryptography@43.0.0", "properties": [ { "name": "language", @@ -1574,7 +1598,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -1622,7 +1647,8 @@ { "license": { "id": "BSD-3-Clause", - "url": "https://opensource.org/licenses/BSD-3-Clause" + "url": "https://opensource.org/licenses/BSD-3-Clause", + "acknowledgement": "concluded" } } ], @@ -1670,7 +1696,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -1718,7 +1745,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -1766,7 +1794,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -1793,7 +1822,7 @@ "type": "library", "bom-ref": "41-importlib-metadata", "name": "importlib-metadata", - "version": "8.0.0", + "version": "8.2.0", "supplier": { "name": "Jason R .", "contact": [ 
@@ -1802,16 +1831,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:importlib-metadata:8.0.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:importlib-metadata:8.2.0:*:*:*:*:*:*:*", "description": "Read metadata from Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/importlib_metadata/8.0.0", + "url": "https://pypi.org/project/importlib_metadata/8.2.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/importlib-metadata@8.0.0", + "purl": "pkg:pypi/importlib-metadata@8.2.0", "properties": [ { "name": "language", @@ -1898,7 +1927,8 @@ { "license": { "id": "BSD-3-Clause", - "url": "https://opensource.org/licenses/BSD-3-Clause" + "url": "https://opensource.org/licenses/BSD-3-Clause", + "acknowledgement": "concluded" } } ], @@ -1925,28 +1955,29 @@ "type": "library", "bom-ref": "45-jsonschema", "name": "jsonschema", - "version": "4.22.0", + "version": "4.23.0", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.22.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.23.0:*:*:*:*:*:*:*", "description": "An implementation of JSON Schema validation for Python", "licenses": [ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/jsonschema/4.22.0", + "url": "https://pypi.org/project/jsonschema/4.23.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/jsonschema@4.22.0", + "purl": "pkg:pypi/jsonschema@4.23.0", "properties": [ { "name": "language", @@ -1978,7 +2009,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], 
@@ -2034,28 +2066,29 @@ "type": "library", "bom-ref": "48-rpds-py", "name": "rpds-py", - "version": "0.18.1", + "version": "0.19.1", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.18.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.19.1:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", "licenses": [ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/rpds-py/0.18.1", + "url": "https://pypi.org/project/rpds-py/0.19.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.18.1", + "purl": "pkg:pypi/rpds-py@0.19.1", "properties": [ { "name": "language", @@ -2071,7 +2104,7 @@ "type": "library", "bom-ref": "49-lib4sbom", "name": "lib4sbom", - "version": "0.7.1", + "version": "0.7.2", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2080,30 +2113,25 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.2:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", - "hashes": [ - { - "alg": "SHA-1", - "content": "4acc6e53fef71b007dc63bac2d407a0d2bbf3bd4" - } - ], "licenses": [ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.7.1", + "url": "https://pypi.org/project/lib4sbom/0.7.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.7.1", + "purl": "pkg:pypi/lib4sbom@0.7.2", "properties": [ { "name": "language", 
@@ -2140,7 +2168,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -2188,7 +2217,8 @@ { "license": { "id": "BSD-3-Clause", - "url": "https://opensource.org/licenses/BSD-3-Clause" + "url": "https://opensource.org/licenses/BSD-3-Clause", + "acknowledgement": "concluded" } } ], @@ -2236,7 +2266,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -2284,7 +2315,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -2311,34 +2343,29 @@ "type": "library", "bom-ref": "54-packageurl-python", "name": "packageurl-python", - "version": "0.15.1", + "version": "0.15.6", "supplier": { "name": "the purl authors" }, - "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.15.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.15.6:*:*:*:*:*:*:*", "description": "A purl aka. Package URL parser and builder", - "hashes": [ - { - "alg": "SHA-1", - "content": "b744d07798b8aa1454f949e17d89791a18d85b0e" - } - ], "licenses": [ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/packageurl-python/0.15.1", + "url": "https://pypi.org/project/packageurl-python/0.15.6", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/packageurl-python@0.15.1", + "purl": "pkg:pypi/packageurl-python@0.15.6", "properties": [ { "name": "language", 
@@ -2369,7 +2396,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -2497,7 +2525,8 @@ { "license": { "id": "BSD-2-Clause", - "url": "https://opensource.org/licenses/BSD-2-Clause" + "url": "https://opensource.org/licenses/BSD-2-Clause", + "acknowledgement": "concluded" } } ], @@ -2558,7 +2587,7 @@ "type": "library", "bom-ref": "60-plotly", "name": "plotly", - "version": "5.22.0", + "version": "5.23.0", "supplier": { "name": "Chris P", "contact": [ @@ -2567,24 +2596,25 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.22.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.22.0", + "url": "https://pypi.org/project/plotly/5.23.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.22.0", + "purl": "pkg:pypi/plotly@5.23.0", "properties": [ { "name": "language", @@ -2600,7 +2630,7 @@ "type": "library", "bom-ref": "61-tenacity", "name": "tenacity", - "version": "8.4.2", + "version": "8.5.0", "supplier": { "name": "Julien Danjou", "contact": [ 
@@ -2609,24 +2639,25 @@ } ] }, - "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.4.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.5.0:*:*:*:*:*:*:*", "description": "Retry code until it succeeds", "licenses": [ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/tenacity/8.4.2", + "url": "https://pypi.org/project/tenacity/8.5.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/tenacity@8.4.2", + "purl": "pkg:pypi/tenacity@8.5.0", "properties": [ { "name": "language", @@ -2663,7 +2694,8 @@ { "license": { "id": "BSD-3-Clause", - "url": "https://opensource.org/licenses/BSD-3-Clause" + "url": "https://opensource.org/licenses/BSD-3-Clause", + "acknowledgement": "concluded" } } ], @@ -2711,7 +2743,8 @@ { "license": { "id": "Apache-2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0" + "url": "https://www.apache.org/licenses/LICENSE-2.0", + "acknowledgement": "concluded" } } ], @@ -2738,7 +2771,7 @@ "type": "library", "bom-ref": "64-certifi", "name": "certifi", - "version": "2024.6.2", + "version": "2024.7.4", "supplier": { "name": "Kenneth Reitz", "contact": [ 
@@ -2747,24 +2780,25 @@ } ] }, - "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.6.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:*", "description": "Python package for providing Mozilla's CA Bundle.", "licenses": [ { "license": { "id": "MPL-2.0", - "url": "https://www.mozilla.org/MPL/2.0/" + "url": "https://www.mozilla.org/MPL/2.0/", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/certifi/2024.6.2", + "url": "https://pypi.org/project/certifi/2024.7.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/certifi@2024.6.2", + "purl": "pkg:pypi/certifi@2024.7.4", "properties": [ { "name": "language", @@ -2801,7 +2835,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -2862,7 +2897,7 @@ "type": "library", "bom-ref": "67-rpmfile", "name": "rpmfile", - "version": "2.0.0", + "version": "2.1.0", "supplier": { "name": "Sean Ross", "contact": [ @@ -2871,30 +2906,31 @@ } ] }, - "cpe": "cpe:2.3:a:sean_ross:rpmfile:2.0.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:*", "description": "Read rpm archive files", "hashes": [ { "alg": "SHA-1", - "content": "c0498cd5173afb6fb0af9ed5c7d61335b7c9af0e" + "content": "4cd4ae2bd191d3489c95dfa540da14585670adb5" } ], "licenses": [ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/rpmfile/2.0.0", + "url": "https://pypi.org/project/rpmfile/2.1.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpmfile@2.0.0", + "purl": "pkg:pypi/rpmfile@2.1.0", "properties": [ { "name": "language", 
@@ -2931,7 +2967,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -2973,7 +3010,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -3021,7 +3059,8 @@ { "license": { "id": "MIT", - "url": "https://opensource.org/licenses/MIT" + "url": "https://opensource.org/licenses/MIT", + "acknowledgement": "concluded" } } ], @@ -3048,7 +3087,7 @@ "type": "library", "bom-ref": "71-zstandard", "name": "zstandard", - "version": "0.22.0", + "version": "0.23.0", "supplier": { "name": "Gregory Szorc", "contact": [ @@ -3057,30 +3096,25 @@ } ] }, - "cpe": "cpe:2.3:a:gregory_szorc:zstandard:0.22.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:gregory_szorc:zstandard:0.23.0:*:*:*:*:*:*:*", "description": "Zstandard bindings for Python", - "hashes": [ - { - "alg": "SHA-1", - "content": "255b579735f26c2d0e08257f632de75d2ab882cf" - } - ], "licenses": [ { "license": { "id": "BSD-3-Clause", - "url": "https://opensource.org/licenses/BSD-3-Clause" + "url": "https://opensource.org/licenses/BSD-3-Clause", + "acknowledgement": "concluded" } } ], "externalReferences": [ { - "url": "https://pypi.org/project/zstandard/0.22.0", + "url": "https://pypi.org/project/zstandard/0.23.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zstandard@0.22.0", + "purl": "pkg:pypi/zstandard@0.23.0", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx index b6f03ad5c0..9b9c904742 100644 --- a/sbom/cve-bin-tool-py3.9.spdx +++ b/sbom/cve-bin-tool-py3.9.spdx 
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-66a1e2ed-d350-4ec2-a045-9233ae2258a5 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-537d3fc3-395f-408e-844b-60648b1086c3 LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.10.4 -Created: 2024-07-01T00:31:42Z +Created: 2024-07-29T00:29:20Z CreatorComment: This document has been automatically generated. ##### @@ -362,17 +362,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.17 PackageName: cachetools SPDXID: SPDXRef-Package-23-cachetools -PackageVersion: 5.3.3 +PackageVersion: 5.4.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Thomas Kemmer (tkemmer@computer.org) -PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.3 +PackageDownloadLocation: https://pypi.org/project/cachetools/5.4.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Extensible memoizing collections and decorators -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cachetools@5.3.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cachetools@5.4.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.4.0:*:*:*:*:*:*:* ##### PackageName: pyasn1-modules 
@@ -540,34 +540,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:oauth2client:4.1.3:*:*:*:* PackageName: pyopenssl SPDXID: SPDXRef-Package-34-pyopenssl -PackageVersion: 24.1.0 +PackageVersion: 24.2.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The pyOpenSSL developers (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/24.1.0 +PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/24.2.1 FilesAnalyzed: false -PackageChecksum: SHA1: d9f2c46de70c1aee20a4309424d9f506b7aae68e PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: pyOpenSSL declares Apache License, Version 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Python wrapper module around the OpenSSL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyopenssl@24.1.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:24.1.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyopenssl@24.2.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:24.2.1:*:*:*:*:*:*:* ##### PackageName: cryptography SPDXID: SPDXRef-Package-35-cryptography -PackageVersion: 42.0.8 +PackageVersion: 43.0.0 PrimaryPackagePurpose: LIBRARY -PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/cryptography/42.0.8 +PackageSupplier: Organization: The cryptography developers The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org) +PackageDownloadLocation: https://pypi.org/project/cryptography/43.0.0 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause PackageCopyrightText: NOASSERTION PackageSummary: cryptography is a package which provides cryptographic recipes and 
primitives to Python developers. -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cryptography@42.0.8 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:42.0.8:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cryptography@43.0.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:43.0.0:*:*:*:*:*:*:* ##### PackageName: cffi @@ -654,17 +653,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ori_livneh:monotonic:1.6:*:*:*:*:*:*:* PackageName: importlib-metadata SPDXID: SPDXRef-Package-41-importlib-metadata -PackageVersion: 8.0.0 +PackageVersion: 8.2.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) -PackageDownloadLocation: https://pypi.org/project/importlib_metadata/8.0.0 +PackageDownloadLocation: https://pypi.org/project/importlib_metadata/8.2.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Read metadata from Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/importlib-metadata@8.0.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:importlib-metadata:8.0.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/importlib-metadata@8.2.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:importlib-metadata:8.2.0:*:*:*:*:*:*:* ##### PackageName: zipp 
@@ -713,17 +712,17 @@ ExternalRef: PACKAGE_MANAGER purl pkg:pypi/markupsafe@2.1.5 PackageName: jsonschema SPDXID: SPDXRef-Package-45-jsonschema -PackageVersion: 4.22.0 +PackageVersion: 4.23.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/jsonschema/4.22.0 +PackageDownloadLocation: https://pypi.org/project/jsonschema/4.23.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An implementation of JSON Schema validation for Python -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/jsonschema@4.22.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.22.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/jsonschema@4.23.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.23.0:*:*:*:*:*:*:* ##### PackageName: jsonschema-specifications 
@@ -759,33 +758,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-Package-48-rpds-py -PackageVersion: 0.18.1 +PackageVersion: 0.19.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.18.1 +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.19.1 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.18.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.18.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.19.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.19.1:*:*:*:*:*:*:* ##### PackageName: lib4sbom SPDXID: SPDXRef-Package-49-lib4sbom -PackageVersion: 0.7.1 +PackageVersion: 0.7.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.1 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.2 FilesAnalyzed: false -PackageChecksum: SHA1: 4acc6e53fef71b007dc63bac2d407a0d2bbf3bd4 PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.2:*:*:*:*:*:*:* ##### PackageName: pyyaml 
@@ -855,18 +853,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:csaf-tool:0.3.2:*:*:* PackageName: packageurl-python SPDXID: SPDXRef-Package-54-packageurl-python -PackageVersion: 0.15.1 +PackageVersion: 0.15.6 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: the purl authors -PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.15.1 +PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.15.6 FilesAnalyzed: false -PackageChecksum: SHA1: b744d07798b8aa1454f949e17d89791a18d85b0e PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: A purl aka. Package URL parser and builder -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packageurl-python@0.15.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.15.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packageurl-python@0.15.6 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.15.6:*:*:*:*:*:*:* ##### PackageName: rich 
@@ -949,33 +946,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:* PackageName: plotly SPDXID: SPDXRef-Package-60-plotly -PackageVersion: 5.22.0 +PackageVersion: 5.23.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.22.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.23.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.22.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.22.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.23.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:* ##### PackageName: tenacity SPDXID: SPDXRef-Package-61-tenacity -PackageVersion: 8.4.2 +PackageVersion: 8.5.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julien Danjou (julien@danjou.info) -PackageDownloadLocation: https://pypi.org/project/tenacity/8.4.2 +PackageDownloadLocation: https://pypi.org/project/tenacity/8.5.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: tenacity declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Retry code until it succeeds -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/tenacity@8.4.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.4.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/tenacity@8.5.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.5.0:*:*:*:*:*:*:* ##### PackageName: python-gnupg 
@@ -1013,17 +1010,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:requests:2.32.3:*:*:*:*:
 PackageName: certifi
 SPDXID: SPDXRef-Package-64-certifi
-PackageVersion: 2024.6.2
+PackageVersion: 2024.7.4
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Kenneth Reitz (me@kennethreitz.com)
-PackageDownloadLocation: https://pypi.org/project/certifi/2024.6.2
+PackageDownloadLocation: https://pypi.org/project/certifi/2024.7.4
 FilesAnalyzed: false
 PackageLicenseDeclared: MPL-2.0
 PackageLicenseConcluded: MPL-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: Python package for providing Mozilla's CA Bundle.
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.6.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.6.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.7.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:*
 #####
 PackageName: charset-normalizer
@@ -1059,18 +1056,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.2.2:*:*:*:*:*:
 PackageName: rpmfile
 SPDXID: SPDXRef-Package-67-rpmfile
-PackageVersion: 2.0.0
+PackageVersion: 2.1.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Sean Ross (srossross@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/rpmfile/2.0.0
+PackageDownloadLocation: https://pypi.org/project/rpmfile/2.1.0
 FilesAnalyzed: false
-PackageChecksum: SHA1: c0498cd5173afb6fb0af9ed5c7d61335b7c9af0e
+PackageChecksum: SHA1: 4cd4ae2bd191d3489c95dfa540da14585670adb5
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: Read rpm archive files
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpmfile@2.0.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.0.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpmfile@2.1.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:*
 #####
 PackageName: toml
@@ -1122,19 +1119,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.4.0:*:*:*
 PackageName: zstandard
 SPDXID: SPDXRef-Package-71-zstandard
-PackageVersion: 0.22.0
+PackageVersion: 0.23.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Gregory Szorc (gregory.szorc@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/zstandard/0.22.0
+PackageDownloadLocation: https://pypi.org/project/zstandard/0.23.0
 FilesAnalyzed: false
-PackageChecksum: SHA1: 255b579735f26c2d0e08257f632de75d2ab882cf
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: BSD-3-Clause
 PackageLicenseComments: zstandard declares BSD which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Zstandard bindings for Python
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zstandard@0.22.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.22.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zstandard@0.23.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.23.0:*:*:*:*:*:*:*
 #####
 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool
