From 4f7848a88362e56bd29b3670ca8ae1be3e89deef Mon Sep 17 00:00:00 2001
From: GitHub
Date: Mon, 24 Apr 2023 00:26:31 +0000
Subject: [PATCH] chore: update SBOM for Python 3.10
---
 sbom/cve-bin-tool-py3.10.json | 86 ++++++++++++++++-------------
 sbom/cve-bin-tool-py3.10.spdx | 73 +++++++++++++++--------------
 2 files changed, 76 insertions(+), 83 deletions(-)
diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json
index b7cdbccbaa..e60b284e6f 100644
--- a/sbom/cve-bin-tool-py3.10.json
+++ b/sbom/cve-bin-tool-py3.10.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.4",
- "serialNumber": "urn:uuidc89719df-9ec0-4316-b73e-8723ff724b27",
+ "serialNumber": "urn:uuid9b76c916-732e-4270-b318-b3184bd48654",
 "version": 1,
 "metadata": {
- "timestamp": "2023-04-17T00:28:29Z",
+ "timestamp": "2023-04-24T00:26:29Z",
 "tools": [
 {
 "name": "sbom4python",
@@ -309,7 +309,7 @@
 "type": "library",
 "bom-ref": "9-yarl",
 "name": "yarl",
- "version": "1.8.2",
+ "version": "1.9.1",
 "supplier": {
 "name": "Andrew Svetlov",
 "contact": [
@@ -318,7 +318,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.8.2:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.1:*:*:*:*:*:*:*",
 "description": "Yet another URL library",
 "licenses": [
 {
@@ -335,18 +335,12 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/yarl/1.8.2",
+ "url": "https://pypi.org/project/yarl/1.9.1",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/yarl@1.8.2",
- "properties": [
- {
- "name": "License Comments",
- "value": "yarl declares Apache 2 which is not currently a valid SPDX License identifier or expression."
- }
- ]
+ "purl": "pkg:pypi/yarl@1.9.1"
 },
 {
 "type": "library",
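Review bot: The regenerated `serialNumber` on the new side of the first hunk, `urn:uuid9b76c916-732e-4270-b318-b3184bd48654`, is missing the colon after `uuid`, so it is not a well-formed `urn:uuid:` URN and is expected to fail the serialNumber pattern of the CycloneDX 1.4 schema the document itself declares in `$schema`; the removed line has the same shape, so this is a pre-existing defect of the generator rather than something this commit introduces. The expected form is `"serialNumber": "urn:uuid:9b76c916-732e-4270-b318-b3184bd48654"`. Since both files are produced by sbom4python (named in the `tools` entry of this hunk and in the SPDX `Creator` line), the fix belongs in the generator or its version pin, and the workflow that commits these SBOMs would benefit from a schema-validation step so that downstream consumers which validate before ingesting do not reject the document.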
@@ -596,7 +590,7 @@
 "type": "library",
 "bom-ref": "17-argcomplete",
 "name": "argcomplete",
- "version": "3.0.5",
+ "version": "3.0.8",
 "supplier": {
 "name": "Andrey Kislyuk",
 "contact": [
@@ -605,7 +599,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.0.5:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.0.8:*:*:*:*:*:*:*",
 "description": "Bash tab completion for argparse",
 "licenses": [
 {
@@ -622,12 +616,12 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/argcomplete/3.0.5",
+ "url": "https://pypi.org/project/argcomplete/3.0.8",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/argcomplete@3.0.5",
+ "purl": "pkg:pypi/argcomplete@3.0.8",
 "properties": [
 {
 "name": "License Comments",
@@ -1021,7 +1015,7 @@
 "type": "library",
 "bom-ref": "28-pyasn1",
 "name": "pyasn1",
- "version": "0.4.8",
+ "version": "0.5.0",
 "supplier": {
 "name": "Ilya Etingof",
 "contact": [
@@ -1030,41 +1024,35 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:ilya_etingof:pyasn1:0.4.8:*:*:*:*:*:*:*",
- "description": "ASN.1 types and codecs",
+ "cpe": "cpe:2.3:a:ilya_etingof:pyasn1:0.5.0:*:*:*:*:*:*:*",
+ "description": "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)",
 "licenses": [
 {
 "license": {
- "id": "BSD-3-Clause",
- "url": "https://opensource.org/licenses/BSD-3-Clause"
+ "id": "BSD-2-Clause",
+ "url": "https://opensource.org/licenses/BSD-2-Clause"
 }
 }
 ],
 "externalReferences": [
 {
- "url": "https://github.com/etingof/pyasn1",
+ "url": "https://github.com/pyasn1/pyasn1",
 "type": "website",
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/pyasn1/0.4.8",
+ "url": "https://pypi.org/project/pyasn1/0.5.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/pyasn1@0.4.8",
- "properties": [
- {
- "name": "License Comments",
- "value": "pyasn1 declares BSD which is not currently a valid SPDX License identifier or expression."
- }
- ]
+ "purl": "pkg:pypi/pyasn1@0.5.0"
 },
 {
 "type": "library",
 "bom-ref": "29-pyasn1-modules",
 "name": "pyasn1-modules",
- "version": "0.2.8",
+ "version": "0.3.0",
 "supplier": {
 "name": "Ilya Etingof",
 "contact": [
@@ -1073,29 +1061,35 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:ilya_etingof:pyasn1-modules:0.2.8:*:*:*:*:*:*:*",
- "description": "A collection of ASN.1-based protocols modules.",
+ "cpe": "cpe:2.3:a:ilya_etingof:pyasn1-modules:0.3.0:*:*:*:*:*:*:*",
+ "description": "A collection of ASN.1-based protocols modules",
 "licenses": [
 {
 "license": {
- "id": "BSD-2-Clause",
- "url": "https://opensource.org/licenses/BSD-2-Clause"
+ "id": "BSD-3-Clause",
+ "url": "https://opensource.org/licenses/BSD-3-Clause"
 }
 }
 ],
 "externalReferences": [
 {
- "url": "https://github.com/etingof/pyasn1-modules",
+ "url": "https://github.com/pyasn1/pyasn1-modules",
 "type": "website",
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/pyasn1-modules/0.2.8",
+ "url": "https://pypi.org/project/pyasn1-modules/0.3.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/pyasn1-modules@0.2.8"
+ "purl": "pkg:pypi/pyasn1-modules@0.3.0",
+ "properties": [
+ {
+ "name": "License Comments",
+ "value": "pyasn1-modules declares BSD which is not currently a valid SPDX License identifier or expression."
+ }
+ ]
 },
 {
 "type": "library",
@@ -2085,7 +2079,7 @@
 "type": "library",
 "bom-ref": "56-pygments",
 "name": "pygments",
- "version": "2.15.0",
+ "version": "2.15.1",
 "supplier": {
 "name": "Georg Brandl",
 "contact": [
@@ -2094,7 +2088,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:georg_brandl:pygments:2.15.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:georg_brandl:pygments:2.15.1:*:*:*:*:*:*:*",
 "description": "Pygments is a syntax highlighting package written in Python.",
 "licenses": [
 {
@@ -2106,12 +2100,12 @@
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/Pygments/2.15.0",
+ "url": "https://pypi.org/project/Pygments/2.15.1",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/pygments@2.15.0"
+ "purl": "pkg:pypi/pygments@2.15.1"
 },
 {
 "type": "library",
@@ -2265,7 +2259,7 @@
 "type": "library",
 "bom-ref": "61-zstandard",
 "name": "zstandard",
- "version": "0.20.0",
+ "version": "0.21.0",
 "supplier": {
 "name": "Gregory Szorc",
 "contact": [
@@ -2274,7 +2268,7 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:gregory_szorc:zstandard:0.20.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:*",
 "description": "Zstandard bindings for Python",
 "licenses": [
 {
@@ -2291,12 +2285,12 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/zstandard/0.20.0",
+ "url": "https://pypi.org/project/zstandard/0.21.0",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/zstandard@0.20.0",
+ "purl": "pkg:pypi/zstandard@0.21.0",
 "properties": [
 {
 "name": "License Comments",
diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx
index 06433bbc0e..16e35b3029 100644
--- a/sbom/cve-bin-tool-py3.10.spdx
+++ b/sbom/cve-bin-tool-py3.10.spdx
@@ -2,10 +2,10 @@
 SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-c5d5d886-7f9b-4e00-a349-8ae8947ccd9d
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-39a8443b-80ea-4d11-b1fe-547b534a2d42
 LicenseListVersion: 3.20
 Creator: Tool: sbom4python-0.9.1
-Created: 2023-04-17T00:27:05Z
+Created: 2023-04-24T00:25:19Z
 CreatorComment: This document has been automatically generated.
 #####
@@ -140,19 +140,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.0.4:*:*:*:*
 
 PackageName: yarl
 SPDXID: SPDXRef-Package-9-yarl
-PackageVersion: 1.8.2
+PackageVersion: 1.9.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/yarl/1.8.2
+PackageDownloadLocation: https://pypi.org/project/yarl/1.9.1
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/yarl/
-PackageLicenseDeclared: NOASSERTION
+PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
-PackageLicenseComments: yarl declares Apache 2 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Yet another URL library
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/yarl@1.8.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.8.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/yarl@1.9.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.1:*:*:*:*:*:*:*
 #####
 
 PackageName: idna
@@ -270,10 +269,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.23:*:*:*:*:*:*:*
 
 PackageName: argcomplete
 SPDXID: SPDXRef-Package-17-argcomplete
-PackageVersion: 3.0.5
+PackageVersion: 3.0.8
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/argcomplete/3.0.5
+PackageDownloadLocation: https://pypi.org/project/argcomplete/3.0.8
 FilesAnalyzed: false
 PackageHomePage: https://github.com/kislyuk/argcomplete
 PackageLicenseDeclared: NOASSERTION
@@ -281,8 +280,8 @@ PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Bash tab completion for argparse
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.0.5
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.0.5:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.0.8
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.0.8:*:*:*:*:*:*:*
 #####
 
 PackageName: crcmod
@@ -451,35 +450,35 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:oauth2client:4.1.3:*:*:*:*
 
 PackageName: pyasn1
 SPDXID: SPDXRef-Package-28-pyasn1
-PackageVersion: 0.4.8
+PackageVersion: 0.5.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Ilya Etingof (etingof@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/pyasn1/0.4.8
+PackageDownloadLocation: https://pypi.org/project/pyasn1/0.5.0
 FilesAnalyzed: false
-PackageHomePage: https://github.com/etingof/pyasn1
-PackageLicenseDeclared: NOASSERTION
-PackageLicenseConcluded: BSD-3-Clause
-PackageLicenseComments: pyasn1 declares BSD which is not currently a valid SPDX License identifier or expression.
+PackageHomePage: https://github.com/pyasn1/pyasn1
+PackageLicenseDeclared: BSD-2-Clause
+PackageLicenseConcluded: BSD-2-Clause
 PackageCopyrightText: NOASSERTION
-PackageSummary: ASN.1 types and codecs
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyasn1@0.4.8
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:ilya_etingof:pyasn1:0.4.8:*:*:*:*:*:*:*
+PackageSummary: Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyasn1@0.5.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:ilya_etingof:pyasn1:0.5.0:*:*:*:*:*:*:*
 #####
 
 PackageName: pyasn1-modules
 SPDXID: SPDXRef-Package-29-pyasn1-modules
-PackageVersion: 0.2.8
+PackageVersion: 0.3.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Ilya Etingof (etingof@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/pyasn1-modules/0.2.8
+PackageDownloadLocation: https://pypi.org/project/pyasn1-modules/0.3.0
 FilesAnalyzed: false
-PackageHomePage: https://github.com/etingof/pyasn1-modules
-PackageLicenseDeclared: BSD-2-Clause
-PackageLicenseConcluded: BSD-2-Clause
+PackageHomePage: https://github.com/pyasn1/pyasn1-modules
+PackageLicenseDeclared: NOASSERTION
+PackageLicenseConcluded: BSD-3-Clause
+PackageLicenseComments: pyasn1-modules declares BSD which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
-PackageSummary: A collection of ASN.1-based protocols modules.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyasn1-modules@0.2.8
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:ilya_etingof:pyasn1-modules:0.2.8:*:*:*:*:*:*:*
+PackageSummary: A collection of ASN.1-based protocols modules
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyasn1-modules@0.3.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:ilya_etingof:pyasn1-modules:0.3.0:*:*:*:*:*:*:*
 #####
 
 PackageName: rsa
@@ -907,17 +906,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:taneli_hukkinen:mdurl:0.1.2:*:*:*:*:*:
 
 PackageName: pygments
 SPDXID: SPDXRef-Package-56-pygments
-PackageVersion: 2.15.0
+PackageVersion: 2.15.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Georg Brandl (georg@python.org)
-PackageDownloadLocation: https://pypi.org/project/Pygments/2.15.0
+PackageDownloadLocation: https://pypi.org/project/Pygments/2.15.1
 FilesAnalyzed: false
 PackageLicenseDeclared: BSD-2-Clause
 PackageLicenseConcluded: BSD-2-Clause
 PackageCopyrightText: NOASSERTION
 PackageSummary: Pygments is a syntax highlighting package written in Python.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pygments@2.15.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.15.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pygments@2.15.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.15.1:*:*:*:*:*:*:*
 #####
 
 PackageName: rpmfile
@@ -986,10 +985,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.1.1:*:*:*
 
 PackageName: zstandard
 SPDXID: SPDXRef-Package-61-zstandard
-PackageVersion: 0.20.0
+PackageVersion: 0.21.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Gregory Szorc (gregory.szorc@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/zstandard/0.20.0
+PackageDownloadLocation: https://pypi.org/project/zstandard/0.21.0
 FilesAnalyzed: false
 PackageHomePage: https://github.com/indygreg/python-zstandard
 PackageLicenseDeclared: NOASSERTION
@@ -997,8 +996,8 @@ PackageLicenseConcluded: BSD-3-Clause
 PackageLicenseComments: zstandard declares BSD which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Zstandard bindings for Python
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.20.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.20.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.21.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:*
 #####
 
 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool