From ab886a513b9492434205e64e66d35e20ccd9c626 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 20:02:28 +0000 Subject: [PATCH 01/19] chore: update SBOM for Python 3.11 (#4551) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.11.json | 70 +++++++++++++++++++---------------- sbom/cve-bin-tool-py3.11.spdx | 55 +++++++++++++-------------- 2 files changed, 66 insertions(+), 59 deletions(-) diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json index 9fd08a49aa..1ab4cf5700 100644 --- a/sbom/cve-bin-tool-py3.11.json +++ b/sbom/cve-bin-tool-py3.11.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:0f266371-5f01-4b1f-a630-b4a42e8ab4c2", + "serialNumber": "urn:uuid:d41bd464-c594-4908-998a-aa31f02d37f2", "version": 1, "metadata": { - "timestamp": "2024-10-28T00:37:40Z", + "timestamp": "2024-11-04T00:39:27Z", "lifecycles": [ { "phase": "build" @@ -271,6 +271,12 @@ }, "cpe": "cpe:2.3:a:hynek_schlawack:attrs:24.2.0:*:*:*:*:*:*:*", "description": "Classes Without Boilerplate", + "hashes": [ + { + "alg": "SHA-1", + "content": "6771a04893780166e4b7826b63599f43ac30d00a" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/attrs/24.2.0/#files", @@ -342,7 +348,7 @@ "type": "library", "bom-ref": "8-yarl", "name": "yarl", - "version": "1.16.0", + "version": "1.17.1", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -351,7 +357,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.16.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.17.1:*:*:*:*:*:*:*", "description": "Yet another URL library", "licenses": [ { 
@@ -369,12 +375,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/yarl/1.16.0/#files", + "url": "https://pypi.org/project/yarl/1.17.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/yarl@1.16.0", + "purl": "pkg:pypi/yarl@1.17.1", "properties": [ { "name": "language", @@ -563,7 +569,7 @@ "type": "library", "bom-ref": "13-cvss", "name": "cvss", - "version": "3.2", + "version": "3.3", "supplier": { "name": "Stanislav Red Hat Product Security", "contact": [ @@ -572,7 +578,7 @@ } ] }, - "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:*", "description": "CVSS2/3/4 library with interactive calculator for Python 2 and Python 3", "licenses": [ { @@ -590,12 +596,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/cvss/3.2/#files", + "url": "https://pypi.org/project/cvss/3.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cvss@3.2", + "purl": "pkg:pypi/cvss@3.3", "properties": [ { "name": "language", @@ -2301,7 +2307,7 @@ "type": "library", "bom-ref": "47-rpds-py", "name": "rpds-py", - "version": "0.20.0", + "version": "0.20.1", "supplier": { "name": "Julian Berman", "contact": [ @@ -2310,14 +2316,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "hashes": [ - { - "alg": "SHA-1", - "content": "fac4daa73aacf2df7b4341d51f0c24f5f80aa03d" - } - ], "licenses": [ { "license": { 
@@ -2334,12 +2334,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.20.0/#files", + "url": "https://pypi.org/project/rpds-py/0.20.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.20.0", + "purl": "pkg:pypi/rpds-py@0.20.1", "properties": [ { "name": "language", @@ -2660,7 +2660,7 @@ "type": "library", "bom-ref": "54-rich", "name": "rich", - "version": "13.9.3", + "version": "13.9.4", "supplier": { "name": "Will McGugan", "contact": [ @@ -2669,7 +2669,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { @@ -2687,12 +2687,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rich/13.9.3/#files", + "url": "https://pypi.org/project/rich/13.9.4/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.9.3", + "purl": "pkg:pypi/rich@13.9.4", "properties": [ { "name": "language", @@ -2875,6 +2875,12 @@ }, "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", + "hashes": [ + { + "alg": "SHA-1", + "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/packaging/24.1/#files", @@ -3286,7 +3292,7 @@ "type": "library", "bom-ref": "67-setuptools", "name": "setuptools", - "version": "75.2.0", + "version": "75.3.0", "supplier": { "name": "Python Packaging Authority", "contact": [ 
@@ -3295,16 +3301,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/75.2.0/#files", + "url": "https://pypi.org/project/setuptools/75.3.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@75.2.0", + "purl": "pkg:pypi/setuptools@75.3.0", "properties": [ { "name": "language", @@ -3320,7 +3326,7 @@ "type": "library", "bom-ref": "68-xmlschema", "name": "xmlschema", - "version": "3.4.2", + "version": "3.4.3", "supplier": { "name": "Davide Brunato", "contact": [ @@ -3329,7 +3335,7 @@ } ] }, - "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:*", "description": "An XML Schema validator and decoder", "licenses": [ { @@ -3347,12 +3353,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/xmlschema/3.4.2/#files", + "url": "https://pypi.org/project/xmlschema/3.4.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/xmlschema@3.4.2", + "purl": "pkg:pypi/xmlschema@3.4.3", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx index 19aef3bfe5..17f485a570 100644 --- a/sbom/cve-bin-tool-py3.11.spdx +++ b/sbom/cve-bin-tool-py3.11.spdx 
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-74592506-2886-44ae-895a-da1f0f1334ca +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-42a5440d-e497-4f5a-8c23-5f4cbc506669 LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-10-28T00:36:57Z +Created: 2024-11-04T00:38:31Z CreatorComment: This document has been automatically generated. ##### @@ -98,6 +98,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Hynek Schlawack (hs@ox.cx) PackageDownloadLocation: https://pypi.org/project/attrs/24.2.0/#files FilesAnalyzed: false +PackageChecksum: SHA1: 6771a04893780166e4b7826b63599f43ac30d00a PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION @@ -125,18 +126,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.1.0:*:*:*:* PackageName: yarl SPDXID: SPDXRef-8-yarl -PackageVersion: 1.16.0 +PackageVersion: 1.17.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/yarl/1.16.0/#files +PackageDownloadLocation: https://pypi.org/project/yarl/1.17.1/#files FilesAnalyzed: false PackageHomePage: https://github.com/aio-libs/yarl PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Yet another URL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.16.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.16.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.17.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.17.1:*:*:*:*:*:*:* ##### PackageName: idna 
@@ -205,10 +206,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:* PackageName: cvss SPDXID: SPDXRef-13-cvss -PackageVersion: 3.2 +PackageVersion: 3.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Stanislav Red Hat Product Security (skontar@redhat.com) -PackageDownloadLocation: https://pypi.org/project/cvss/3.2/#files +PackageDownloadLocation: https://pypi.org/project/cvss/3.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/RedHatProductSecurity/cvss PackageLicenseDeclared: NOASSERTION @@ -216,8 +217,8 @@ PackageLicenseConcluded: LGPL-3.0-or-later PackageLicenseComments: cvss declares LGPLv3+ which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: CVSS2/3/4 library with interactive calculator for Python 2 and Python 3 -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:* ##### PackageName: defusedxml 
@@ -782,19 +783,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-47-rpds-py -PackageVersion: 0.20.0 +PackageVersion: 0.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.0/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.1/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageChecksum: SHA1: fac4daa73aacf2df7b4341d51f0c24f5f80aa03d PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:* ##### PackageName: lib4sbom 
@@ -899,18 +899,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-54-rich -PackageVersion: 13.9.3 +PackageVersion: 13.9.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.9.3/#files +PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:* ##### PackageName: markdown-it-py @@ -971,6 +971,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Donald Stufft (donald@stufft.io) PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files FilesAnalyzed: false +PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -1113,33 +1114,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-67-setuptools -PackageVersion: 75.2.0 +PackageVersion: 75.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/75.2.0/#files +PackageDownloadLocation: https://pypi.org/project/setuptools/75.3.0/#files FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:* ##### PackageName: xmlschema SPDXID: SPDXRef-68-xmlschema -PackageVersion: 3.4.2 +PackageVersion: 3.4.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) -PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.2/#files +PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/sissaschool/xmlschema PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An XML Schema validator and decoder -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:* ##### PackageName: elementpath From 5c42868ae8d2ece510e4d05652f57f9230f827ed Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 20:04:08 +0000 Subject: [PATCH 02/19] chore: update SBOM for Python 3.9 (#4550) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.9.json | 76 +++++++++++++++++++++--------------- sbom/cve-bin-tool-py3.9.spdx | 56 +++++++++++++------------- 2 files changed, 73 insertions(+), 59 deletions(-) diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json index b3bd6dc437..d9f6feaf78 100644 --- a/sbom/cve-bin-tool-py3.9.json +++ b/sbom/cve-bin-tool-py3.9.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:fad70535-a2c6-4cf6-84b8-75bf196560b4", + "serialNumber": "urn:uuid:cf0e1889-1a11-4eb0-90b5-58e1bd7cf8fb", "version": 1, "metadata": { - "timestamp": "2024-10-28T00:40:22Z", + "timestamp": "2024-11-04T00:39:04Z", "lifecycles": [ { "phase": "build" @@ -329,6 +329,12 @@ }, "cpe": "cpe:2.3:a:hynek_schlawack:attrs:24.2.0:*:*:*:*:*:*:*", "description": "Classes Without Boilerplate", + "hashes": [ + { + "alg": "SHA-1", + "content": "6771a04893780166e4b7826b63599f43ac30d00a" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/attrs/24.2.0/#files", @@ -434,7 +440,7 @@ "type": "library", "bom-ref": "10-yarl", "name": "yarl", - "version": "1.16.0", + "version": "1.17.1", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -443,7 +449,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.16.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.17.1:*:*:*:*:*:*:*", "description": "Yet another URL library", "licenses": [ { 
@@ -461,12 +467,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/yarl/1.16.0/#files", + "url": "https://pypi.org/project/yarl/1.17.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/yarl@1.16.0", + "purl": "pkg:pypi/yarl@1.17.1", "properties": [ { "name": "language", @@ -655,7 +661,7 @@ "type": "library", "bom-ref": "15-cvss", "name": "cvss", - "version": "3.2", + "version": "3.3", "supplier": { "name": "Stanislav Red Hat Product Security", "contact": [ @@ -664,7 +670,7 @@ } ] }, - "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:*", "description": "CVSS2/3/4 library with interactive calculator for Python 2 and Python 3", "licenses": [ { @@ -682,12 +688,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/cvss/3.2/#files", + "url": "https://pypi.org/project/cvss/3.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cvss@3.2", + "purl": "pkg:pypi/cvss@3.3", "properties": [ { "name": "language", @@ -2202,6 +2208,12 @@ }, "cpe": "cpe:2.3:a:jason_r.:importlib-metadata:8.5.0:*:*:*:*:*:*:*", "description": "Read metadata from Python packages", + "hashes": [ + { + "alg": "SHA-1", + "content": "b34810b1e0665580a91ea19b6317a1890ecd42c1" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/importlib-metadata/8.5.0/#files", @@ -2461,7 +2473,7 @@ "type": "library", "bom-ref": "51-rpds-py", "name": "rpds-py", - "version": "0.20.0", + "version": "0.20.1", "supplier": { "name": "Julian Berman", "contact": [ 
@@ -2470,14 +2482,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "hashes": [ - { - "alg": "SHA-1", - "content": "fac4daa73aacf2df7b4341d51f0c24f5f80aa03d" - } - ], "licenses": [ { "license": { @@ -2494,12 +2500,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.20.0/#files", + "url": "https://pypi.org/project/rpds-py/0.20.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.20.0", + "purl": "pkg:pypi/rpds-py@0.20.1", "properties": [ { "name": "language", @@ -2820,7 +2826,7 @@ "type": "library", "bom-ref": "58-rich", "name": "rich", - "version": "13.9.3", + "version": "13.9.4", "supplier": { "name": "Will McGugan", "contact": [ @@ -2829,7 +2835,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { @@ -2847,12 +2853,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rich/13.9.3/#files", + "url": "https://pypi.org/project/rich/13.9.4/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.9.3", + "purl": "pkg:pypi/rich@13.9.4", "properties": [ { "name": "language", @@ -3035,6 +3041,12 @@ }, "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", + "hashes": [ + { + "alg": "SHA-1", + "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/packaging/24.1/#files", 
@@ -3446,7 +3458,7 @@ "type": "library", "bom-ref": "71-setuptools", "name": "setuptools", - "version": "75.2.0", + "version": "75.3.0", "supplier": { "name": "Python Packaging Authority", "contact": [ @@ -3455,16 +3467,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/75.2.0/#files", + "url": "https://pypi.org/project/setuptools/75.3.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@75.2.0", + "purl": "pkg:pypi/setuptools@75.3.0", "properties": [ { "name": "language", @@ -3538,7 +3550,7 @@ "type": "library", "bom-ref": "73-xmlschema", "name": "xmlschema", - "version": "3.4.2", + "version": "3.4.3", "supplier": { "name": "Davide Brunato", "contact": [ @@ -3547,7 +3559,7 @@ } ] }, - "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:*", "description": "An XML Schema validator and decoder", "licenses": [ { @@ -3565,12 +3577,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/xmlschema/3.4.2/#files", + "url": "https://pypi.org/project/xmlschema/3.4.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/xmlschema@3.4.2", + "purl": "pkg:pypi/xmlschema@3.4.3", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx index b948398790..f90e2a7e85 100644 --- a/sbom/cve-bin-tool-py3.9.spdx +++ b/sbom/cve-bin-tool-py3.9.spdx 
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-eb859755-2df3-4cff-8f13-6688d449550c +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-9f3d8833-874a-4b8d-97a0-34ac23a6561e LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-10-28T00:39:33Z +Created: 2024-11-04T00:38:06Z CreatorComment: This document has been automatically generated. ##### @@ -116,6 +116,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Hynek Schlawack (hs@ox.cx) PackageDownloadLocation: https://pypi.org/project/attrs/24.2.0/#files FilesAnalyzed: false +PackageChecksum: SHA1: 6771a04893780166e4b7826b63599f43ac30d00a PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION @@ -158,18 +159,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-e PackageName: yarl SPDXID: SPDXRef-10-yarl -PackageVersion: 1.16.0 +PackageVersion: 1.17.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/yarl/1.16.0/#files +PackageDownloadLocation: https://pypi.org/project/yarl/1.17.1/#files FilesAnalyzed: false PackageHomePage: https://github.com/aio-libs/yarl PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Yet another URL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.16.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.16.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.17.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.17.1:*:*:*:*:*:*:* ##### PackageName: idna 
@@ -238,10 +239,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:* PackageName: cvss SPDXID: SPDXRef-15-cvss -PackageVersion: 3.2 +PackageVersion: 3.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Stanislav Red Hat Product Security (skontar@redhat.com) -PackageDownloadLocation: https://pypi.org/project/cvss/3.2/#files +PackageDownloadLocation: https://pypi.org/project/cvss/3.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/RedHatProductSecurity/cvss PackageLicenseDeclared: NOASSERTION @@ -249,8 +250,8 @@ PackageLicenseConcluded: LGPL-3.0-or-later PackageLicenseComments: cvss declares LGPLv3+ which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: CVSS2/3/4 library with interactive calculator for Python 2 and Python 3 -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:* ##### PackageName: defusedxml @@ -740,6 +741,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) PackageDownloadLocation: https://pypi.org/project/importlib-metadata/8.5.0/#files FilesAnalyzed: false +PackageChecksum: SHA1: b34810b1e0665580a91ea19b6317a1890ecd42c1 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -845,19 +847,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-51-rpds-py -PackageVersion: 0.20.0 +PackageVersion: 0.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.0/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.1/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageChecksum: SHA1: fac4daa73aacf2df7b4341d51f0c24f5f80aa03d PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:* ##### PackageName: lib4sbom 
@@ -962,18 +963,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-58-rich -PackageVersion: 13.9.3 +PackageVersion: 13.9.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.9.3/#files +PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:* ##### PackageName: markdown-it-py @@ -1034,6 +1035,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Donald Stufft (donald@stufft.io) PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files FilesAnalyzed: false +PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -1176,17 +1178,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-71-setuptools -PackageVersion: 75.2.0 +PackageVersion: 75.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/75.2.0/#files +PackageDownloadLocation: https://pypi.org/project/setuptools/75.3.0/#files FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:* ##### PackageName: toml 
@@ -1208,18 +1210,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:william_pearson:toml:0.10.2:*:*:*:*:*: PackageName: xmlschema SPDXID: SPDXRef-73-xmlschema -PackageVersion: 3.4.2 +PackageVersion: 3.4.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) -PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.2/#files +PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/sissaschool/xmlschema PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An XML Schema validator and decoder -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:* ##### PackageName: elementpath From cb74c562a7776866aabe94cce964924c58995b63 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 20:05:42 +0000 Subject: [PATCH 03/19] chore: update SBOM for Python 3.10 (#4549) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.10.json | 70 +++++++++++++++++++---------------- sbom/cve-bin-tool-py3.10.spdx | 55 +++++++++++++-------------- 2 files changed, 66 insertions(+), 59 deletions(-) diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json index 19a898bcac..a6e3c0437d 100644 --- a/sbom/cve-bin-tool-py3.10.json +++ b/sbom/cve-bin-tool-py3.10.json 
@@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:f845813e-87fb-4b9d-a68b-cf62b5eebeb4", + "serialNumber": "urn:uuid:888833a5-aabf-426e-88d8-8eb73ab2cb9d", "version": 1, "metadata": { - "timestamp": "2024-10-28T00:37:59Z", + "timestamp": "2024-11-04T00:38:13Z", "lifecycles": [ { "phase": "build" @@ -329,6 +329,12 @@ }, "cpe": "cpe:2.3:a:hynek_schlawack:attrs:24.2.0:*:*:*:*:*:*:*", "description": "Classes Without Boilerplate", + "hashes": [ + { + "alg": "SHA-1", + "content": "6771a04893780166e4b7826b63599f43ac30d00a" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/attrs/24.2.0/#files", @@ -434,7 +440,7 @@ "type": "library", "bom-ref": "10-yarl", "name": "yarl", - "version": "1.16.0", + "version": "1.17.1", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -443,7 +449,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.16.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.17.1:*:*:*:*:*:*:*", "description": "Yet another URL library", "licenses": [ { @@ -461,12 +467,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/yarl/1.16.0/#files", + "url": "https://pypi.org/project/yarl/1.17.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/yarl@1.16.0", + "purl": "pkg:pypi/yarl@1.17.1", "properties": [ { "name": "language", @@ -655,7 +661,7 @@ "type": "library", "bom-ref": "15-cvss", "name": "cvss", - "version": "3.2", + "version": "3.3", "supplier": { "name": "Stanislav Red Hat Product Security", "contact": [ @@ -664,7 +670,7 @@ } ] }, - "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:*", "description": "CVSS2/3/4 library with interactive calculator for Python 2 and Python 3", "licenses": [ { 
@@ -682,12 +688,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/cvss/3.2/#files", + "url": "https://pypi.org/project/cvss/3.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cvss@3.2", + "purl": "pkg:pypi/cvss@3.3", "properties": [ { "name": "language", @@ -2393,7 +2399,7 @@ "type": "library", "bom-ref": "49-rpds-py", "name": "rpds-py", - "version": "0.20.0", + "version": "0.20.1", "supplier": { "name": "Julian Berman", "contact": [ @@ -2402,14 +2408,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "hashes": [ - { - "alg": "SHA-1", - "content": "fac4daa73aacf2df7b4341d51f0c24f5f80aa03d" - } - ], "licenses": [ { "license": { @@ -2426,12 +2426,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.20.0/#files", + "url": "https://pypi.org/project/rpds-py/0.20.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.20.0", + "purl": "pkg:pypi/rpds-py@0.20.1", "properties": [ { "name": "language", @@ -2752,7 +2752,7 @@ "type": "library", "bom-ref": "56-rich", "name": "rich", - "version": "13.9.3", + "version": "13.9.4", "supplier": { "name": "Will McGugan", "contact": [ @@ -2761,7 +2761,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { 
@@ -2779,12 +2779,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rich/13.9.3/#files", + "url": "https://pypi.org/project/rich/13.9.4/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.9.3", + "purl": "pkg:pypi/rich@13.9.4", "properties": [ { "name": "language", @@ -2967,6 +2967,12 @@ }, "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", + "hashes": [ + { + "alg": "SHA-1", + "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/packaging/24.1/#files", @@ -3378,7 +3384,7 @@ "type": "library", "bom-ref": "69-setuptools", "name": "setuptools", - "version": "75.2.0", + "version": "75.3.0", "supplier": { "name": "Python Packaging Authority", "contact": [ @@ -3387,16 +3393,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/75.2.0/#files", + "url": "https://pypi.org/project/setuptools/75.3.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@75.2.0", + "purl": "pkg:pypi/setuptools@75.3.0", "properties": [ { "name": "language", @@ -3470,7 +3476,7 @@ "type": "library", "bom-ref": "71-xmlschema", "name": "xmlschema", - "version": "3.4.2", + "version": "3.4.3", "supplier": { "name": "Davide Brunato", "contact": [ @@ -3479,7 +3485,7 @@ } ] }, - "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:*", "description": "An XML Schema validator and decoder", "licenses": [ { 
@@ -3497,12 +3503,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/xmlschema/3.4.2/#files", + "url": "https://pypi.org/project/xmlschema/3.4.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/xmlschema@3.4.2", + "purl": "pkg:pypi/xmlschema@3.4.3", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx index 6adec42bb4..7b519501da 100644 --- a/sbom/cve-bin-tool-py3.10.spdx +++ b/sbom/cve-bin-tool-py3.10.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-9d9a0807-ce81-4de1-9676-a3d3dbacf13f +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-3b2a6d00-6777-463e-bce6-aac435fde0eb LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-10-28T00:37:06Z +Created: 2024-11-04T00:37:10Z CreatorComment: This document has been automatically generated. ##### @@ -116,6 +116,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Hynek Schlawack (hs@ox.cx) PackageDownloadLocation: https://pypi.org/project/attrs/24.2.0/#files FilesAnalyzed: false +PackageChecksum: SHA1: 6771a04893780166e4b7826b63599f43ac30d00a PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -158,18 +159,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-e PackageName: yarl SPDXID: SPDXRef-10-yarl -PackageVersion: 1.16.0 +PackageVersion: 1.17.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/yarl/1.16.0/#files +PackageDownloadLocation: https://pypi.org/project/yarl/1.17.1/#files FilesAnalyzed: false PackageHomePage: https://github.com/aio-libs/yarl PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Yet another URL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.16.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.16.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.17.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.17.1:*:*:*:*:*:*:* ##### PackageName: idna @@ -238,10 +239,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:* PackageName: cvss SPDXID: SPDXRef-15-cvss -PackageVersion: 3.2 +PackageVersion: 3.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Stanislav Red Hat Product Security (skontar@redhat.com) -PackageDownloadLocation: https://pypi.org/project/cvss/3.2/#files +PackageDownloadLocation: https://pypi.org/project/cvss/3.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/RedHatProductSecurity/cvss PackageLicenseDeclared: NOASSERTION 
@@ -249,8 +250,8 @@ PackageLicenseConcluded: LGPL-3.0-or-later PackageLicenseComments: cvss declares LGPLv3+ which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: CVSS2/3/4 library with interactive calculator for Python 2 and Python 3 -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:* ##### PackageName: defusedxml @@ -815,19 +816,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-49-rpds-py -PackageVersion: 0.20.0 +PackageVersion: 0.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.0/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.1/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageChecksum: SHA1: fac4daa73aacf2df7b4341d51f0c24f5f80aa03d PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:* ##### PackageName: lib4sbom 
@@ -932,18 +932,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-56-rich -PackageVersion: 13.9.3 +PackageVersion: 13.9.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.9.3/#files +PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:* ##### PackageName: markdown-it-py @@ -1004,6 +1004,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Donald Stufft (donald@stufft.io) PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files FilesAnalyzed: false +PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -1146,17 +1147,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-69-setuptools -PackageVersion: 75.2.0 +PackageVersion: 75.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/75.2.0/#files +PackageDownloadLocation: https://pypi.org/project/setuptools/75.3.0/#files FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:* ##### PackageName: toml 
@@ -1178,18 +1179,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:william_pearson:toml:0.10.2:*:*:*:*:*: PackageName: xmlschema SPDXID: SPDXRef-71-xmlschema -PackageVersion: 3.4.2 +PackageVersion: 3.4.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) -PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.2/#files +PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/sissaschool/xmlschema PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An XML Schema validator and decoder -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:* ##### PackageName: elementpath From a0bc80b69596679361b0bdd4bea39d3b6ac669c7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 20:06:30 +0000 Subject: [PATCH 04/19] chore: update SBOM for Python 3.8 (#4548) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.8.json | 74 ++++++++++++++++++++++-------------- sbom/cve-bin-tool-py3.8.spdx | 49 +++++++++++++----------- 2 files changed, 72 insertions(+), 51 deletions(-) diff --git a/sbom/cve-bin-tool-py3.8.json b/sbom/cve-bin-tool-py3.8.json index aaa515d518..4079d26ba9 100644 --- a/sbom/cve-bin-tool-py3.8.json +++ b/sbom/cve-bin-tool-py3.8.json 
@@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:e019cd5f-9c97-4fd6-b01a-e1fdc281d319", + "serialNumber": "urn:uuid:b70c8919-aa47-439d-9ce3-c84a2d16b633", "version": 1, "metadata": { - "timestamp": "2024-10-28T00:40:20Z", + "timestamp": "2024-11-04T00:37:54Z", "lifecycles": [ { "phase": "build" @@ -329,6 +329,12 @@ }, "cpe": "cpe:2.3:a:hynek_schlawack:attrs:24.2.0:*:*:*:*:*:*:*", "description": "Classes Without Boilerplate", + "hashes": [ + { + "alg": "SHA-1", + "content": "6771a04893780166e4b7826b63599f43ac30d00a" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/attrs/24.2.0/#files", @@ -445,6 +451,12 @@ }, "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.15.2:*:*:*:*:*:*:*", "description": "Yet another URL library", + "hashes": [ + { + "alg": "SHA-1", + "content": "33294bf084d2dde1ac1e8133b0125e1f142a8274" + } + ], "licenses": [ { "license": { @@ -655,7 +667,7 @@ "type": "library", "bom-ref": "15-cvss", "name": "cvss", - "version": "3.2", + "version": "3.3", "supplier": { "name": "Stanislav Red Hat Product Security", "contact": [ @@ -664,7 +676,7 @@ } ] }, - "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:*", "description": "CVSS2/3/4 library with interactive calculator for Python 2 and Python 3", "licenses": [ { @@ -682,12 +694,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/cvss/3.2/#files", + "url": "https://pypi.org/project/cvss/3.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cvss@3.2", + "purl": "pkg:pypi/cvss@3.3", "properties": [ { "name": "language", 
@@ -2202,6 +2214,12 @@ }, "cpe": "cpe:2.3:a:jason_r.:importlib-metadata:8.5.0:*:*:*:*:*:*:*", "description": "Read metadata from Python packages", + "hashes": [ + { + "alg": "SHA-1", + "content": "b34810b1e0665580a91ea19b6317a1890ecd42c1" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/importlib-metadata/8.5.0/#files", @@ -2532,7 +2550,7 @@ "type": "library", "bom-ref": "52-rpds-py", "name": "rpds-py", - "version": "0.20.0", + "version": "0.20.1", "supplier": { "name": "Julian Berman", "contact": [ @@ -2541,14 +2559,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "hashes": [ - { - "alg": "SHA-1", - "content": "fac4daa73aacf2df7b4341d51f0c24f5f80aa03d" - } - ], "licenses": [ { "license": { @@ -2565,12 +2577,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.20.0/#files", + "url": "https://pypi.org/project/rpds-py/0.20.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.20.0", + "purl": "pkg:pypi/rpds-py@0.20.1", "properties": [ { "name": "language", @@ -2934,7 +2946,7 @@ "type": "library", "bom-ref": "60-rich", "name": "rich", - "version": "13.9.3", + "version": "13.9.4", "supplier": { "name": "Will McGugan", "contact": [ @@ -2943,7 +2955,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { 
@@ -2961,12 +2973,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rich/13.9.3/#files", + "url": "https://pypi.org/project/rich/13.9.4/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.9.3", + "purl": "pkg:pypi/rich@13.9.4", "properties": [ { "name": "language", @@ -3149,6 +3161,12 @@ }, "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", + "hashes": [ + { + "alg": "SHA-1", + "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/packaging/24.1/#files", @@ -3560,7 +3578,7 @@ "type": "library", "bom-ref": "73-setuptools", "name": "setuptools", - "version": "75.2.0", + "version": "75.3.0", "supplier": { "name": "Python Packaging Authority", "contact": [ @@ -3569,16 +3587,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/75.2.0/#files", + "url": "https://pypi.org/project/setuptools/75.3.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@75.2.0", + "purl": "pkg:pypi/setuptools@75.3.0", "properties": [ { "name": "language", @@ -3652,7 +3670,7 @@ "type": "library", "bom-ref": "75-xmlschema", "name": "xmlschema", - "version": "3.4.2", + "version": "3.4.3", "supplier": { "name": "Davide Brunato", "contact": [ @@ -3661,7 +3679,7 @@ } ] }, - "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:*", "description": "An XML Schema validator and decoder", "licenses": [ { 
@@ -3679,12 +3697,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/xmlschema/3.4.2/#files", + "url": "https://pypi.org/project/xmlschema/3.4.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/xmlschema@3.4.2", + "purl": "pkg:pypi/xmlschema@3.4.3", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.8.spdx b/sbom/cve-bin-tool-py3.8.spdx index 8522bd1ea0..c2f86ce550 100644 --- a/sbom/cve-bin-tool-py3.8.spdx +++ b/sbom/cve-bin-tool-py3.8.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-a8eca549-4f66-4938-9caa-1ff2abaec047 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-549306a2-498d-4c40-9fba-23e2d0d32c42 LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-10-28T00:39:21Z +Created: 2024-11-04T00:36:57Z CreatorComment: This document has been automatically generated. ##### @@ -116,6 +116,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Hynek Schlawack (hs@ox.cx) PackageDownloadLocation: https://pypi.org/project/attrs/24.2.0/#files FilesAnalyzed: false +PackageChecksum: SHA1: 6771a04893780166e4b7826b63599f43ac30d00a PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION @@ -164,6 +165,7 @@ PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) PackageDownloadLocation: https://pypi.org/project/yarl/1.15.2/#files FilesAnalyzed: false PackageHomePage: https://github.com/aio-libs/yarl +PackageChecksum: SHA1: 33294bf084d2dde1ac1e8133b0125e1f142a8274 PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION 
@@ -238,10 +240,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:* PackageName: cvss SPDXID: SPDXRef-15-cvss -PackageVersion: 3.2 +PackageVersion: 3.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Stanislav Red Hat Product Security (skontar@redhat.com) -PackageDownloadLocation: https://pypi.org/project/cvss/3.2/#files +PackageDownloadLocation: https://pypi.org/project/cvss/3.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/RedHatProductSecurity/cvss PackageLicenseDeclared: NOASSERTION @@ -249,8 +251,8 @@ PackageLicenseConcluded: LGPL-3.0-or-later PackageLicenseComments: cvss declares LGPLv3+ which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: CVSS2/3/4 library with interactive calculator for Python 2 and Python 3 -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:* ##### PackageName: defusedxml @@ -740,6 +742,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) PackageDownloadLocation: https://pypi.org/project/importlib-metadata/8.5.0/#files FilesAnalyzed: false +PackageChecksum: SHA1: b34810b1e0665580a91ea19b6317a1890ecd42c1 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -861,19 +864,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-52-rpds-py -PackageVersion: 0.20.0 +PackageVersion: 0.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.0/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.1/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageChecksum: SHA1: fac4daa73aacf2df7b4341d51f0c24f5f80aa03d PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:* ##### PackageName: pkgutil-resolve-name 
@@ -994,18 +996,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-60-rich -PackageVersion: 13.9.3 +PackageVersion: 13.9.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.9.3/#files +PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:* ##### PackageName: markdown-it-py @@ -1066,6 +1068,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Donald Stufft (donald@stufft.io) PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files FilesAnalyzed: false +PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -1208,17 +1211,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-73-setuptools -PackageVersion: 75.2.0 +PackageVersion: 75.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/75.2.0/#files +PackageDownloadLocation: https://pypi.org/project/setuptools/75.3.0/#files FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:* ##### PackageName: toml 
@@ -1240,18 +1243,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:william_pearson:toml:0.10.2:*:*:*:*:*: PackageName: xmlschema SPDXID: SPDXRef-75-xmlschema -PackageVersion: 3.4.2 +PackageVersion: 3.4.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) -PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.2/#files +PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/sissaschool/xmlschema PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An XML Schema validator and decoder -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:* ##### PackageName: elementpath From e3962393163d9a8383c800da097849328ae513f1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 20:07:42 +0000 Subject: [PATCH 05/19] chore: update SBOM for Python 3.12 (#4547) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.12.json | 70 +++++++++++++++++++---------------- sbom/cve-bin-tool-py3.12.spdx | 55 +++++++++++++-------------- 2 files changed, 66 insertions(+), 59 deletions(-) diff --git a/sbom/cve-bin-tool-py3.12.json b/sbom/cve-bin-tool-py3.12.json index beafd63bdf..78cbb8c8a1 100644 --- a/sbom/cve-bin-tool-py3.12.json +++ b/sbom/cve-bin-tool-py3.12.json 
@@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:c3f0a58f-1000-4930-b89e-cb88efacd5d3", + "serialNumber": "urn:uuid:06a39a94-1422-40df-893c-b488d152ad6c", "version": 1, "metadata": { - "timestamp": "2024-10-28T00:38:50Z", + "timestamp": "2024-11-04T00:37:49Z", "lifecycles": [ { "phase": "build" @@ -271,6 +271,12 @@ }, "cpe": "cpe:2.3:a:hynek_schlawack:attrs:24.2.0:*:*:*:*:*:*:*", "description": "Classes Without Boilerplate", + "hashes": [ + { + "alg": "SHA-1", + "content": "6771a04893780166e4b7826b63599f43ac30d00a" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/attrs/24.2.0/#files", @@ -342,7 +348,7 @@ "type": "library", "bom-ref": "8-yarl", "name": "yarl", - "version": "1.16.0", + "version": "1.17.1", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -351,7 +357,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.16.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.17.1:*:*:*:*:*:*:*", "description": "Yet another URL library", "licenses": [ { @@ -369,12 +375,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/yarl/1.16.0/#files", + "url": "https://pypi.org/project/yarl/1.17.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/yarl@1.16.0", + "purl": "pkg:pypi/yarl@1.17.1", "properties": [ { "name": "language", @@ -563,7 +569,7 @@ "type": "library", "bom-ref": "13-cvss", "name": "cvss", - "version": "3.2", + "version": "3.3", "supplier": { "name": "Stanislav Red Hat Product Security", "contact": [ @@ -572,7 +578,7 @@ } ] }, - "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:*", "description": "CVSS2/3/4 library with interactive calculator for Python 2 and Python 3", "licenses": [ { 
@@ -590,12 +596,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/cvss/3.2/#files", + "url": "https://pypi.org/project/cvss/3.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cvss@3.2", + "purl": "pkg:pypi/cvss@3.3", "properties": [ { "name": "language", @@ -2301,7 +2307,7 @@ "type": "library", "bom-ref": "47-rpds-py", "name": "rpds-py", - "version": "0.20.0", + "version": "0.20.1", "supplier": { "name": "Julian Berman", "contact": [ @@ -2310,14 +2316,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "hashes": [ - { - "alg": "SHA-1", - "content": "fac4daa73aacf2df7b4341d51f0c24f5f80aa03d" - } - ], "licenses": [ { "license": { @@ -2334,12 +2334,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.20.0/#files", + "url": "https://pypi.org/project/rpds-py/0.20.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.20.0", + "purl": "pkg:pypi/rpds-py@0.20.1", "properties": [ { "name": "language", @@ -2660,7 +2660,7 @@ "type": "library", "bom-ref": "54-rich", "name": "rich", - "version": "13.9.3", + "version": "13.9.4", "supplier": { "name": "Will McGugan", "contact": [ @@ -2669,7 +2669,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { 
@@ -2687,12 +2687,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rich/13.9.3/#files", + "url": "https://pypi.org/project/rich/13.9.4/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.9.3", + "purl": "pkg:pypi/rich@13.9.4", "properties": [ { "name": "language", @@ -2875,6 +2875,12 @@ }, "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", + "hashes": [ + { + "alg": "SHA-1", + "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/packaging/24.1/#files", @@ -3286,7 +3292,7 @@ "type": "library", "bom-ref": "67-setuptools", "name": "setuptools", - "version": "75.2.0", + "version": "75.3.0", "supplier": { "name": "Python Packaging Authority", "contact": [ @@ -3295,16 +3301,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/75.2.0/#files", + "url": "https://pypi.org/project/setuptools/75.3.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@75.2.0", + "purl": "pkg:pypi/setuptools@75.3.0", "properties": [ { "name": "language", @@ -3320,7 +3326,7 @@ "type": "library", "bom-ref": "68-xmlschema", "name": "xmlschema", - "version": "3.4.2", + "version": "3.4.3", "supplier": { "name": "Davide Brunato", "contact": [ @@ -3329,7 +3335,7 @@ } ] }, - "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:*", "description": "An XML Schema validator and decoder", "licenses": [ { 
@@ -3347,12 +3353,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/xmlschema/3.4.2/#files", + "url": "https://pypi.org/project/xmlschema/3.4.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/xmlschema@3.4.2", + "purl": "pkg:pypi/xmlschema@3.4.3", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.12.spdx b/sbom/cve-bin-tool-py3.12.spdx index d5dd7e4fb8..785cc63656 100644 --- a/sbom/cve-bin-tool-py3.12.spdx +++ b/sbom/cve-bin-tool-py3.12.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-8092be7a-891d-43e8-92da-4f3a027149cf +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-6d5d65ce-7ee4-477d-bfcf-c94432e85cfb LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-10-28T00:38:09Z +Created: 2024-11-04T00:36:55Z CreatorComment: This document has been automatically generated. ##### @@ -98,6 +98,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Hynek Schlawack (hs@ox.cx) PackageDownloadLocation: https://pypi.org/project/attrs/24.2.0/#files FilesAnalyzed: false +PackageChecksum: SHA1: 6771a04893780166e4b7826b63599f43ac30d00a PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -125,18 +126,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.1.0:*:*:*:* PackageName: yarl SPDXID: SPDXRef-8-yarl -PackageVersion: 1.16.0 +PackageVersion: 1.17.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/yarl/1.16.0/#files +PackageDownloadLocation: https://pypi.org/project/yarl/1.17.1/#files FilesAnalyzed: false PackageHomePage: https://github.com/aio-libs/yarl PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Yet another URL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.16.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.16.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.17.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.17.1:*:*:*:*:*:*:* ##### PackageName: idna @@ -205,10 +206,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:* PackageName: cvss SPDXID: SPDXRef-13-cvss -PackageVersion: 3.2 +PackageVersion: 3.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Stanislav Red Hat Product Security (skontar@redhat.com) -PackageDownloadLocation: https://pypi.org/project/cvss/3.2/#files +PackageDownloadLocation: https://pypi.org/project/cvss/3.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/RedHatProductSecurity/cvss PackageLicenseDeclared: NOASSERTION 
@@ -216,8 +217,8 @@ PackageLicenseConcluded: LGPL-3.0-or-later PackageLicenseComments: cvss declares LGPLv3+ which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: CVSS2/3/4 library with interactive calculator for Python 2 and Python 3 -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.3:*:*:*:*:*:*:* ##### PackageName: defusedxml @@ -782,19 +783,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-47-rpds-py -PackageVersion: 0.20.0 +PackageVersion: 0.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.0/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.1/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageChecksum: SHA1: fac4daa73aacf2df7b4341d51f0c24f5f80aa03d PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:* ##### PackageName: lib4sbom 
@@ -899,18 +899,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-54-rich -PackageVersion: 13.9.3 +PackageVersion: 13.9.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.9.3/#files +PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.9.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:* ##### PackageName: markdown-it-py @@ -971,6 +971,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Donald Stufft (donald@stufft.io) PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files FilesAnalyzed: false +PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -1113,33 +1114,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-67-setuptools -PackageVersion: 75.2.0 +PackageVersion: 75.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/75.2.0/#files +PackageDownloadLocation: https://pypi.org/project/setuptools/75.3.0/#files FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@75.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.3.0:*:*:*:*:*:*:* ##### PackageName: xmlschema SPDXID: SPDXRef-68-xmlschema -PackageVersion: 3.4.2 +PackageVersion: 3.4.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) -PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.2/#files +PackageDownloadLocation: https://pypi.org/project/xmlschema/3.4.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/sissaschool/xmlschema PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An XML Schema validator and decoder -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/xmlschema@3.4.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:3.4.3:*:*:*:*:*:*:* ##### PackageName: elementpath From 8da67fa38e048038ac2b36acc42ea90693070eee Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 20:26:38 +0000 Subject: [PATCH 06/19] chore: update pre-commit config (#4545) * chore: update pre-commit config * chore: older black for py3.8 --------- Co-authored-by: GitHub Co-authored-by: Terri Oda --- .pre-commit-config.yaml | 6 +++--- dev-requirements.txt | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5e194bd6b9..8a14acb674 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -15,13 +15,13 @@ repos: exclude: ^fuzz/generated/ - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.8.0 + rev: 24.10.0 hooks: - id: black exclude: ^fuzz/generated/ - repo: https://github.com/asottile/pyupgrade - rev: v3.17.0 + rev: v3.19.0 hooks: - id: pyupgrade exclude: ^fuzz/generated/ @@ -46,7 +46,7 @@ repos: - id: gitlint - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.11.2 + rev: v1.13.0 hooks: - id: mypy additional_dependencies: diff --git a/dev-requirements.txt b/dev-requirements.txt index 676d73734d..d98d7977bb 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -1,14 +1,15 @@ -black==24.8.0 +black==24.10.0; python_version > "3.8" +black==24.8.0; python_version <= "3.8" isort; python_version < "3.8" isort==5.13.2; python_version >= "3.8" pre-commit; python_version <= "3.8" -pre-commit==3.8.0; python_version > "3.8" +pre-commit==4.0.1; python_version > "3.8" flake8; python_version < "3.8" flake8==7.1.1; python_version >= "3.8" bandit==1.7.10 gitlint==v0.19.1 interrogate -mypy==v1.11.2 +mypy==v1.13.0 pytest>=7.2.0 pytest-xdist pytest-cov From f5b160980e6ae87fd867cb89bf4d481400b57829 Mon Sep 17 00:00:00 2001 From: Terri Oda Date: Wed, 6 Nov 2024 09:24:11 -0800 Subject: [PATCH 07/19] ci: switch default runners and timeouts (#4556) An experiment to see if we can fix some periodic test fails and timeouts in longtests and the cve_scan job. 
Signed-off-by: Terri Oda --- .github/workflows/cve_scan.yml | 5 +++-- .github/workflows/testing.yml | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml index 212af4496b..3ce69d8833 100644 --- a/.github/workflows/cve_scan.yml +++ b/.github/workflows/cve_scan.yml @@ -12,8 +12,9 @@ permissions: jobs: cve_scan: name: CVE scan on dependencies - runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }} - timeout-minutes: 30 + # runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }} + runs-on: 'ubuntu-latest' + timeout-minutes: 60 steps: - name: Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index b74a2a89d5..651c378eb6 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -197,7 +197,7 @@ jobs: github.head_ref ) ) - runs-on: 'ubuntu-latest' + runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }} timeout-minutes: 120 env: LONG_TESTS: 1 From 505bcf044cb263f473703669b713c1ee54bd4f11 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 18:59:51 +0000 Subject: [PATCH 08/19] chore: update SBOM for Python 3.11 (#4560) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.11.json | 61 ++++++++++++++++++----------------- sbom/cve-bin-tool-py3.11.spdx | 36 +++++++++++---------- 2 files changed, 51 insertions(+), 46 deletions(-) diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json index 1ab4cf5700..5ba8175fb4 100644 --- a/sbom/cve-bin-tool-py3.11.json +++ b/sbom/cve-bin-tool-py3.11.json 
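Review bot: The old `runs-on` expression in cve_scan.yml is kept as a commented-out line rather than deleted, and nothing in the file records why the self-hosted runner is bypassed or why `timeout-minutes` went from 30 to 60; the commit message calls this an experiment, but that context is lost once the change lands. Replace the commented-out line with a why-comment such as `# Temporarily pinned to the GitHub-hosted runner while investigating periodic timeouts in this job; restore the intel-ubuntu-latest expression once resolved.` and put the same rationale next to the new timeout value. The testing.yml hunk in the same commit moves the longtests job in the opposite direction (onto intel-ubuntu-latest when the owner is intel), so the two jobs now follow opposite runner policies; a one-line comment there saying this is deliberate would keep the next reader from "fixing" one to match the other. Both hunks are complete within this commit, although the enclosing job definitions continue outside them.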
@@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:d41bd464-c594-4908-998a-aa31f02d37f2", + "serialNumber": "urn:uuid:427b46ae-e987-4f40-8517-9a8d3fcec56e", "version": 1, "metadata": { - "timestamp": "2024-11-04T00:39:27Z", + "timestamp": "2024-11-11T00:37:40Z", "lifecycles": [ { "phase": "build" @@ -541,6 +541,12 @@ }, "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:*", "description": "A modern CSS selector implementation for Beautiful Soup.", + "hashes": [ + { + "alg": "SHA-1", + "content": "f974ea7e2e70cc940e1bda98b815f5a68eb43990" + } + ], "externalReferences": [ { "url": "https://github.com/facelessuser/soupsieve", @@ -2142,6 +2148,12 @@ "name": "markupsafe", "version": "3.0.2", "description": "Safely add untrusted strings to HTML/XML markup.", + "hashes": [ + { + "alg": "SHA-1", + "content": "28ace20b140d15c083e1cbc163ee6b7778ba098c" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/markupsafe/3.0.2/#files", @@ -2307,7 +2319,7 @@ "type": "library", "bom-ref": "47-rpds-py", "name": "rpds-py", - "version": "0.20.1", + "version": "0.21.0", "supplier": { "name": "Julian Berman", "contact": [ @@ -2316,17 +2328,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "licenses": [ - { - "license": { - "id": "MIT", - "url": "https://opensource.org/licenses/MIT", - "acknowledgement": "concluded" - } - } - ], "externalReferences": [ { "url": "https://github.com/crate-py/rpds", 
@@ -2334,12 +2337,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.20.1/#files", + "url": "https://pypi.org/project/rpds-py/0.21.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.20.1", + "purl": "pkg:pypi/rpds-py@0.21.0", "properties": [ { "name": "language", @@ -2671,6 +2674,12 @@ }, "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", + "hashes": [ + { + "alg": "SHA-1", + "content": "43d3b04725ab9731727fb1126e35980c62f32377" + } + ], "licenses": [ { "license": { @@ -2864,7 +2873,7 @@ "type": "library", "bom-ref": "58-packaging", "name": "packaging", - "version": "24.1", + "version": "24.2", "supplier": { "name": "Donald Stufft", "contact": [ @@ -2873,22 +2882,16 @@ } ] }, - "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", - "hashes": [ - { - "alg": "SHA-1", - "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" - } - ], "externalReferences": [ { - "url": "https://pypi.org/project/packaging/24.1/#files", + "url": "https://pypi.org/project/packaging/24.2/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/packaging@24.1", + "purl": "pkg:pypi/packaging@24.2", "properties": [ { "name": "language", @@ -3422,7 +3425,7 @@ "type": "library", "bom-ref": "70-zipp", "name": "zipp", - "version": "3.20.2", + "version": "3.21.0", "supplier": { "name": "Jason R .", "contact": [ 
@@ -3431,16 +3434,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:zipp:3.21.0:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.20.2/#files", + "url": "https://pypi.org/project/zipp/3.21.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.20.2", + "purl": "pkg:pypi/zipp@3.21.0", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx index 17f485a570..272ff4e086 100644 --- a/sbom/cve-bin-tool-py3.11.spdx +++ b/sbom/cve-bin-tool-py3.11.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-42a5440d-e497-4f5a-8c23-5f4cbc506669 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-efe4b143-b05c-44c4-852e-b6b21a68340f LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-11-04T00:38:31Z +Created: 2024-11-11T00:37:01Z CreatorComment: This document has been automatically generated. ##### @@ -196,6 +196,7 @@ PackageSupplier: Person: Isaac Muse (Isaac.Muse@gmail.com) PackageDownloadLocation: https://pypi.org/project/soupsieve/2.6/#files FilesAnalyzed: false PackageHomePage: https://github.com/facelessuser/soupsieve +PackageChecksum: SHA1: f974ea7e2e70cc940e1bda98b815f5a68eb43990 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -723,6 +724,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: NOASSERTION PackageDownloadLocation: https://pypi.org/project/markupsafe/3.0.2/#files FilesAnalyzed: false +PackageChecksum: SHA1: 28ace20b140d15c083e1cbc163ee6b7778ba098c PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageLicenseComments: markupsafe declares Copyright 2010 Pallets which is not currently a valid SPDX License identifier or expression. @@ -783,18 +785,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-47-rpds-py -PackageVersion: 0.20.1 +PackageVersion: 0.21.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.1/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.21.0/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageLicenseDeclared: MIT -PackageLicenseConcluded: MIT +PackageLicenseDeclared: NOASSERTION +PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.21.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:* ##### PackageName: lib4sbom @@ -905,6 +907,7 @@ PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich +PackageChecksum: SHA1: 43d3b04725ab9731727fb1126e35980c62f32377 PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION 
@@ -966,18 +969,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.18.0:*:*:*:*:* PackageName: packaging SPDXID: SPDXRef-58-packaging -PackageVersion: 24.1 +PackageVersion: 24.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Donald Stufft (donald@stufft.io) -PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files +PackageDownloadLocation: https://pypi.org/project/packaging/24.2/#files FilesAnalyzed: false -PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Core utilities for Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:* ##### PackageName: plotly @@ -1161,17 +1163,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.6.0:*:*:* PackageName: zipp SPDXID: SPDXRef-70-zipp -PackageVersion: 3.20.2 +PackageVersion: 3.21.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) -PackageDownloadLocation: https://pypi.org/project/zipp/3.20.2/#files +PackageDownloadLocation: https://pypi.org/project/zipp/3.21.0/#files FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Backport of pathlib-compatible object wrapper for zip files -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.21.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.21.0:*:*:*:*:*:*:* ##### PackageName: zstandard From 58235bea62c81bb845e53652ddc2c8eca96886d5 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 19:01:02 +0000 Subject: [PATCH 09/19] chore: update SBOM for Python 3.9 (#4564) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.9.json | 67 ++++++++++++++++++++---------------- sbom/cve-bin-tool-py3.9.spdx | 37 +++++++++++--------- 2 files changed, 58 insertions(+), 46 deletions(-) diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json index d9f6feaf78..2f66f324d6 100644 --- a/sbom/cve-bin-tool-py3.9.json +++ b/sbom/cve-bin-tool-py3.9.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:cf0e1889-1a11-4eb0-90b5-58e1bd7cf8fb", + "serialNumber": "urn:uuid:b533a6a5-37a1-49d0-ac98-ad45000656d8", "version": 1, "metadata": { - "timestamp": "2024-11-04T00:39:04Z", + "timestamp": "2024-11-11T00:38:15Z", "lifecycles": [ { "phase": "build" @@ -417,6 +417,12 @@ }, "cpe": "cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.12.2:*:*:*:*:*:*:*", "description": "Backported and Experimental Type Hints for Python 3.8+", + "hashes": [ + { + "alg": "SHA-1", + "content": "e1250ff869e7ee5ad05170d8a4b65469f13801c3" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/typing-extensions/4.12.2/#files", @@ -633,6 +639,12 @@ }, "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:*", "description": "A modern CSS selector implementation for Beautiful Soup.", + "hashes": [ + { + "alg": "SHA-1", + "content": "f974ea7e2e70cc940e1bda98b815f5a68eb43990" + } + ], "externalReferences": [ { "url": "https://github.com/facelessuser/soupsieve", @@ -2237,7 +2249,7 @@ "type": "library", "bom-ref": "45-zipp", "name": "zipp", - "version": "3.20.2", + "version": "3.21.0", "supplier": { "name": "Jason R .", "contact": [ 
@@ -2246,16 +2258,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:zipp:3.21.0:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.20.2/#files", + "url": "https://pypi.org/project/zipp/3.21.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.20.2", + "purl": "pkg:pypi/zipp@3.21.0", "properties": [ { "name": "language", @@ -2308,6 +2320,12 @@ "name": "markupsafe", "version": "3.0.2", "description": "Safely add untrusted strings to HTML/XML markup.", + "hashes": [ + { + "alg": "SHA-1", + "content": "28ace20b140d15c083e1cbc163ee6b7778ba098c" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/markupsafe/3.0.2/#files", @@ -2473,7 +2491,7 @@ "type": "library", "bom-ref": "51-rpds-py", "name": "rpds-py", - "version": "0.20.1", + "version": "0.21.0", "supplier": { "name": "Julian Berman", "contact": [ @@ -2482,17 +2500,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "licenses": [ - { - "license": { - "id": "MIT", - "url": "https://opensource.org/licenses/MIT", - "acknowledgement": "concluded" - } - } - ], "externalReferences": [ { "url": "https://github.com/crate-py/rpds", @@ -2500,12 +2509,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.20.1/#files", + "url": "https://pypi.org/project/rpds-py/0.21.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.20.1", + "purl": "pkg:pypi/rpds-py@0.21.0", "properties": [ { "name": "language", 
@@ -2837,6 +2846,12 @@ }, "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", + "hashes": [ + { + "alg": "SHA-1", + "content": "43d3b04725ab9731727fb1126e35980c62f32377" + } + ], "licenses": [ { "license": { @@ -3030,7 +3045,7 @@ "type": "library", "bom-ref": "62-packaging", "name": "packaging", - "version": "24.1", + "version": "24.2", "supplier": { "name": "Donald Stufft", "contact": [ @@ -3039,22 +3054,16 @@ } ] }, - "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", - "hashes": [ - { - "alg": "SHA-1", - "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" - } - ], "externalReferences": [ { - "url": "https://pypi.org/project/packaging/24.1/#files", + "url": "https://pypi.org/project/packaging/24.2/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/packaging@24.1", + "purl": "pkg:pypi/packaging@24.2", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx index f90e2a7e85..e3fee52bd3 100644 --- a/sbom/cve-bin-tool-py3.9.spdx +++ b/sbom/cve-bin-tool-py3.9.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-9f3d8833-874a-4b8d-97a0-34ac23a6561e +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-9649f957-449f-4148-b2c1-9a5ec28d0ff8 LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-11-04T00:38:06Z +Created: 2024-11-11T00:37:24Z CreatorComment: This document has been automatically generated. ##### 
@@ -149,6 +149,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Guido van Jukka ukasz Michael (levkivskyi@gmail.com) PackageDownloadLocation: https://pypi.org/project/typing-extensions/4.12.2/#files FilesAnalyzed: false +PackageChecksum: SHA1: e1250ff869e7ee5ad05170d8a4b65469f13801c3 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION @@ -229,6 +230,7 @@ PackageSupplier: Person: Isaac Muse (Isaac.Muse@gmail.com) PackageDownloadLocation: https://pypi.org/project/soupsieve/2.6/#files FilesAnalyzed: false PackageHomePage: https://github.com/facelessuser/soupsieve +PackageChecksum: SHA1: f974ea7e2e70cc940e1bda98b815f5a68eb43990 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION @@ -752,17 +754,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:importlib-metadata:8.5.0:*:*: PackageName: zipp SPDXID: SPDXRef-45-zipp -PackageVersion: 3.20.2 +PackageVersion: 3.21.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) -PackageDownloadLocation: https://pypi.org/project/zipp/3.20.2/#files +PackageDownloadLocation: https://pypi.org/project/zipp/3.21.0/#files FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Backport of pathlib-compatible object wrapper for zip files -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.21.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.21.0:*:*:*:*:*:*:* ##### PackageName: jinja2 
@@ -787,6 +789,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: NOASSERTION PackageDownloadLocation: https://pypi.org/project/markupsafe/3.0.2/#files FilesAnalyzed: false +PackageChecksum: SHA1: 28ace20b140d15c083e1cbc163ee6b7778ba098c PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageLicenseComments: markupsafe declares Copyright 2010 Pallets which is not currently a valid SPDX License identifier or expression. @@ -847,18 +850,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-51-rpds-py -PackageVersion: 0.20.1 +PackageVersion: 0.21.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.1/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.21.0/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageLicenseDeclared: MIT -PackageLicenseConcluded: MIT +PackageLicenseDeclared: NOASSERTION +PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.21.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:* ##### PackageName: lib4sbom @@ -969,6 +972,7 @@ PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich +PackageChecksum: SHA1: 43d3b04725ab9731727fb1126e35980c62f32377 PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION 
@@ -1030,18 +1034,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.18.0:*:*:*:*:* PackageName: packaging SPDXID: SPDXRef-62-packaging -PackageVersion: 24.1 +PackageVersion: 24.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Donald Stufft (donald@stufft.io) -PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files +PackageDownloadLocation: https://pypi.org/project/packaging/24.2/#files FilesAnalyzed: false -PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Core utilities for Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:* ##### PackageName: plotly From dfcfff7783f286003d9161782891f8b411393604 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 19:02:28 +0000 Subject: [PATCH 10/19] chore: update SBOM for Python 3.8 (#4563) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.8.json | 42 +++++++++++++++++++++++++----------- sbom/cve-bin-tool-py3.8.spdx | 17 +++++++++------ 2 files changed, 40 insertions(+), 19 deletions(-) diff --git a/sbom/cve-bin-tool-py3.8.json b/sbom/cve-bin-tool-py3.8.json index 4079d26ba9..8e6c4b88f2 100644 --- a/sbom/cve-bin-tool-py3.8.json +++ b/sbom/cve-bin-tool-py3.8.json 
@@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:b70c8919-aa47-439d-9ce3-c84a2d16b633", + "serialNumber": "urn:uuid:09185e60-2171-4493-a4fd-eaadb9d689b9", "version": 1, "metadata": { - "timestamp": "2024-11-04T00:37:54Z", + "timestamp": "2024-11-11T00:37:58Z", "lifecycles": [ { "phase": "build" @@ -417,6 +417,12 @@ }, "cpe": "cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.12.2:*:*:*:*:*:*:*", "description": "Backported and Experimental Type Hints for Python 3.8+", + "hashes": [ + { + "alg": "SHA-1", + "content": "e1250ff869e7ee5ad05170d8a4b65469f13801c3" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/typing-extensions/4.12.2/#files", @@ -639,6 +645,12 @@ }, "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:*", "description": "A modern CSS selector implementation for Beautiful Soup.", + "hashes": [ + { + "alg": "SHA-1", + "content": "f974ea7e2e70cc940e1bda98b815f5a68eb43990" + } + ], "externalReferences": [ { "url": "https://github.com/facelessuser/soupsieve", @@ -2288,6 +2300,12 @@ }, "cpe": "cpe:2.3:a:barry_warsaw:importlib-resources:6.4.5:*:*:*:*:*:*:*", "description": "Read resources from Python packages", + "hashes": [ + { + "alg": "SHA-1", + "content": "284148b005b57031a354402c446473f53cab2c49" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/importlib-resources/6.4.5/#files", @@ -2957,6 +2975,12 @@ }, "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", + "hashes": [ + { + "alg": "SHA-1", + "content": "43d3b04725ab9731727fb1126e35980c62f32377" + } + ], "licenses": [ { "license": { @@ -3150,7 +3174,7 @@ "type": "library", "bom-ref": "64-packaging", "name": "packaging", - "version": "24.1", + "version": "24.2", "supplier": { "name": "Donald Stufft", "contact": [ 
@@ -3159,22 +3183,16 @@ } ] }, - "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", - "hashes": [ - { - "alg": "SHA-1", - "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" - } - ], "externalReferences": [ { - "url": "https://pypi.org/project/packaging/24.1/#files", + "url": "https://pypi.org/project/packaging/24.2/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/packaging@24.1", + "purl": "pkg:pypi/packaging@24.2", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.8.spdx b/sbom/cve-bin-tool-py3.8.spdx index c2f86ce550..c66cbe5150 100644 --- a/sbom/cve-bin-tool-py3.8.spdx +++ b/sbom/cve-bin-tool-py3.8.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-549306a2-498d-4c40-9fba-23e2d0d32c42 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-7d29612d-e195-4775-b376-646cc2514ac4 LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-11-04T00:36:57Z +Created: 2024-11-11T00:36:58Z CreatorComment: This document has been automatically generated. ##### @@ -149,6 +149,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Guido van Jukka ukasz Michael (levkivskyi@gmail.com) PackageDownloadLocation: https://pypi.org/project/typing-extensions/4.12.2/#files FilesAnalyzed: false +PackageChecksum: SHA1: e1250ff869e7ee5ad05170d8a4b65469f13801c3 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -230,6 +231,7 @@ PackageSupplier: Person: Isaac Muse (Isaac.Muse@gmail.com) PackageDownloadLocation: https://pypi.org/project/soupsieve/2.6/#files FilesAnalyzed: false PackageHomePage: https://github.com/facelessuser/soupsieve +PackageChecksum: SHA1: f974ea7e2e70cc940e1bda98b815f5a68eb43990 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION @@ -773,6 +775,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Barry Warsaw (barry@python.org) PackageDownloadLocation: https://pypi.org/project/importlib-resources/6.4.5/#files FilesAnalyzed: false +PackageChecksum: SHA1: 284148b005b57031a354402c446473f53cab2c49 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION @@ -1002,6 +1005,7 @@ PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich +PackageChecksum: SHA1: 43d3b04725ab9731727fb1126e35980c62f32377 PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION 
@@ -1063,18 +1067,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.18.0:*:*:*:*:*
 PackageName: packaging
 SPDXID: SPDXRef-64-packaging
-PackageVersion: 24.1
+PackageVersion: 24.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Donald Stufft (donald@stufft.io)
-PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files
+PackageDownloadLocation: https://pypi.org/project/packaging/24.2/#files
 FilesAnalyzed: false
-PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Core utilities for Python packages
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:*
 #####
 PackageName: plotly
From 59680eecec7abafe77b3d6247c11a7357f46a651 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 11:03:28 -0800
Subject: [PATCH 11/19] chore(deps): bump conda-incubator/setup-miniconda from 3.0.4 to 3.1.0 (#4566)
Bumps [conda-incubator/setup-miniconda](https://github.com/conda-incubator/setup-miniconda) from 3.0.4 to 3.1.0.
- [Release notes](https://github.com/conda-incubator/setup-miniconda/releases)
- [Changelog](https://github.com/conda-incubator/setup-miniconda/blob/main/CHANGELOG.md)
- [Commits](https://github.com/conda-incubator/setup-miniconda/compare/a4260408e20b96e80095f42ff7f1a15b27dd94ca...d2e6a045a86077fb6cad6f5adf368e9076ddaa8d)
---
updated-dependencies:
- dependency-name: conda-incubator/setup-miniconda
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/testing.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 651c378eb6..f6dd40f734 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -566,7 +566,7 @@ jobs:
 path: ~/conda_pkgs_dir
 key: ${{ runner.os }}-conda-${{ env.CACHE_NUMBER }}-${{ hashFiles('requirements.txt') }}
- - uses: conda-incubator/setup-miniconda@a4260408e20b96e80095f42ff7f1a15b27dd94ca # v3.0.4
+ - uses: conda-incubator/setup-miniconda@d2e6a045a86077fb6cad6f5adf368e9076ddaa8d # v3.1.0
 with:
 auto-update-conda: true
 activate-environment: pdftotext
From 0499d4e0dc53cdbee0fdc177995d9c988a092d5b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 19:03:44 +0000
Subject: [PATCH 12/19] chore: update SBOM for Python 3.10 (#4562)
Co-authored-by: GitHub
---
sbom/cve-bin-tool-py3.10.json | 67 ++++++++++++++++++++-----------------
sbom/cve-bin-tool-py3.10.spdx | 37 ++++++++++---------
2 files changed, 58 insertions(+), 46 deletions(-)
diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json
index a6e3c0437d..11e8b80d5a 100644
--- a/sbom/cve-bin-tool-py3.10.json
+++ b/sbom/cve-bin-tool-py3.10.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
- "serialNumber": "urn:uuid:888833a5-aabf-426e-88d8-8eb73ab2cb9d",
+ "serialNumber": "urn:uuid:9d8b3f1e-c984-4279-a86b-50bcec4fda9b",
 "version": 1,
 "metadata": {
- "timestamp": "2024-11-04T00:38:13Z",
+ "timestamp": "2024-11-11T00:37:52Z",
 "lifecycles": [
 {
 "phase": "build"
@@ -417,6 +417,12 @@ }, "cpe": "cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.12.2:*:*:*:*:*:*:*", "description": "Backported and Experimental Type Hints for Python 3.8+", + "hashes": [ + { + "alg": "SHA-1", + "content": "e1250ff869e7ee5ad05170d8a4b65469f13801c3" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/typing-extensions/4.12.2/#files", @@ -633,6 +639,12 @@ }, "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:*", "description": "A modern CSS selector implementation for Beautiful Soup.", + "hashes": [ + { + "alg": "SHA-1", + "content": "f974ea7e2e70cc940e1bda98b815f5a68eb43990" + } + ], "externalReferences": [ { "url": "https://github.com/facelessuser/soupsieve", @@ -2234,6 +2246,12 @@ "name": "markupsafe", "version": "3.0.2", "description": "Safely add untrusted strings to HTML/XML markup.", + "hashes": [ + { + "alg": "SHA-1", + "content": "28ace20b140d15c083e1cbc163ee6b7778ba098c" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/markupsafe/3.0.2/#files", @@ -2399,7 +2417,7 @@ "type": "library", "bom-ref": "49-rpds-py", "name": "rpds-py", - "version": "0.20.1", + "version": "0.21.0", "supplier": { "name": "Julian Berman", "contact": [ @@ -2408,17 +2426,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "licenses": [ - { - "license": { - "id": "MIT", - "url": "https://opensource.org/licenses/MIT", - "acknowledgement": "concluded" - } - } - ], "externalReferences": [ { "url": "https://github.com/crate-py/rpds", 
@@ -2426,12 +2435,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.20.1/#files", + "url": "https://pypi.org/project/rpds-py/0.21.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.20.1", + "purl": "pkg:pypi/rpds-py@0.21.0", "properties": [ { "name": "language", @@ -2763,6 +2772,12 @@ }, "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", + "hashes": [ + { + "alg": "SHA-1", + "content": "43d3b04725ab9731727fb1126e35980c62f32377" + } + ], "licenses": [ { "license": { @@ -2956,7 +2971,7 @@ "type": "library", "bom-ref": "60-packaging", "name": "packaging", - "version": "24.1", + "version": "24.2", "supplier": { "name": "Donald Stufft", "contact": [ @@ -2965,22 +2980,16 @@ } ] }, - "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", - "hashes": [ - { - "alg": "SHA-1", - "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" - } - ], "externalReferences": [ { - "url": "https://pypi.org/project/packaging/24.1/#files", + "url": "https://pypi.org/project/packaging/24.2/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/packaging@24.1", + "purl": "pkg:pypi/packaging@24.2", "properties": [ { "name": "language", @@ -3572,7 +3581,7 @@ "type": "library", "bom-ref": "73-zipp", "name": "zipp", - "version": "3.20.2", + "version": "3.21.0", "supplier": { "name": "Jason R .", "contact": [ 
@@ -3581,16 +3590,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:zipp:3.21.0:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.20.2/#files", + "url": "https://pypi.org/project/zipp/3.21.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.20.2", + "purl": "pkg:pypi/zipp@3.21.0", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx index 7b519501da..3450e18661 100644 --- a/sbom/cve-bin-tool-py3.10.spdx +++ b/sbom/cve-bin-tool-py3.10.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-3b2a6d00-6777-463e-bce6-aac435fde0eb +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-fbb1f496-d598-4256-ad86-451dd81c5ec2 LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-11-04T00:37:10Z +Created: 2024-11-11T00:37:01Z CreatorComment: This document has been automatically generated. ##### @@ -149,6 +149,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Guido van Jukka ukasz Michael (levkivskyi@gmail.com) PackageDownloadLocation: https://pypi.org/project/typing-extensions/4.12.2/#files FilesAnalyzed: false +PackageChecksum: SHA1: e1250ff869e7ee5ad05170d8a4b65469f13801c3 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -229,6 +230,7 @@ PackageSupplier: Person: Isaac Muse (Isaac.Muse@gmail.com) PackageDownloadLocation: https://pypi.org/project/soupsieve/2.6/#files FilesAnalyzed: false PackageHomePage: https://github.com/facelessuser/soupsieve +PackageChecksum: SHA1: f974ea7e2e70cc940e1bda98b815f5a68eb43990 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION @@ -756,6 +758,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: NOASSERTION PackageDownloadLocation: https://pypi.org/project/markupsafe/3.0.2/#files FilesAnalyzed: false +PackageChecksum: SHA1: 28ace20b140d15c083e1cbc163ee6b7778ba098c PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageLicenseComments: markupsafe declares Copyright 2010 Pallets which is not currently a valid SPDX License identifier or expression. @@ -816,18 +819,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-49-rpds-py -PackageVersion: 0.20.1 +PackageVersion: 0.21.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.1/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.21.0/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageLicenseDeclared: MIT -PackageLicenseConcluded: MIT +PackageLicenseDeclared: NOASSERTION +PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.21.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:* ##### PackageName: lib4sbom 
@@ -938,6 +941,7 @@ PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich +PackageChecksum: SHA1: 43d3b04725ab9731727fb1126e35980c62f32377 PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION @@ -999,18 +1003,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.18.0:*:*:*:*:* PackageName: packaging SPDXID: SPDXRef-60-packaging -PackageVersion: 24.1 +PackageVersion: 24.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Donald Stufft (donald@stufft.io) -PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files +PackageDownloadLocation: https://pypi.org/project/packaging/24.2/#files FilesAnalyzed: false -PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Core utilities for Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:* ##### PackageName: plotly 
@@ -1211,17 +1214,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.6.0:*:*:*
 PackageName: zipp
 SPDXID: SPDXRef-73-zipp
-PackageVersion: 3.20.2
+PackageVersion: 3.21.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Jason R. (jaraco@jaraco.com)
-PackageDownloadLocation: https://pypi.org/project/zipp/3.20.2/#files
+PackageDownloadLocation: https://pypi.org/project/zipp/3.21.0/#files
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Backport of pathlib-compatible object wrapper for zip files
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.21.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.21.0:*:*:*:*:*:*:*
 #####
 PackageName: zstandard
From 9213882091af3bfa35fb4c26bd5e1ac98897d9f3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 11:04:12 -0800
Subject: [PATCH 13/19] chore(deps): bump github/codeql-action from 3.27.0 to 3.27.1 (#4565)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.0 to 3.27.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/662472033e021d55d94146f66f6058822b0b39fd...4f3212b61783c3c68e8309a0f18a699764811cda)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/codeql-analysis.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9c0c72cf4a..aa82ed9ecf 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -51,7 +51,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+ uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+ uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
From 43dd144a91be2091f91782d792ff5f9fcf040910 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 19:04:59 +0000
Subject: [PATCH 14/19] chore: update SBOM for Python 3.12 (#4561)
Co-authored-by: GitHub
---
sbom/cve-bin-tool-py3.12.json | 61 ++++++++++++++++++-----------------
sbom/cve-bin-tool-py3.12.spdx | 36 +++++++++++----------
2 files changed, 51 insertions(+), 46 deletions(-)
diff --git a/sbom/cve-bin-tool-py3.12.json b/sbom/cve-bin-tool-py3.12.json
index 78cbb8c8a1..60821f01a1 100644
--- a/sbom/cve-bin-tool-py3.12.json
+++ b/sbom/cve-bin-tool-py3.12.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
- "serialNumber": "urn:uuid:06a39a94-1422-40df-893c-b488d152ad6c",
+ "serialNumber": "urn:uuid:473bf76a-fad4-4e1d-858c-96c7fb94c47b",
 "version": 1,
 "metadata": {
- "timestamp": "2024-11-04T00:37:49Z",
+ "timestamp": "2024-11-11T00:37:48Z",
 "lifecycles": [
 {
 "phase": "build"
@@ -541,6 +541,12 @@ }, "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:*", "description": "A modern CSS selector implementation for Beautiful Soup.", + "hashes": [ + { + "alg": "SHA-1", + "content": "f974ea7e2e70cc940e1bda98b815f5a68eb43990" + } + ], "externalReferences": [ { "url": "https://github.com/facelessuser/soupsieve", @@ -2142,6 +2148,12 @@ "name": "markupsafe", "version": "3.0.2", "description": "Safely add untrusted strings to HTML/XML markup.", + "hashes": [ + { + "alg": "SHA-1", + "content": "28ace20b140d15c083e1cbc163ee6b7778ba098c" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/markupsafe/3.0.2/#files", @@ -2307,7 +2319,7 @@ "type": "library", "bom-ref": "47-rpds-py", "name": "rpds-py", - "version": "0.20.1", + "version": "0.21.0", "supplier": { "name": "Julian Berman", "contact": [ @@ -2316,17 +2328,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "licenses": [ - { - "license": { - "id": "MIT", - "url": "https://opensource.org/licenses/MIT", - "acknowledgement": "concluded" - } - } - ], "externalReferences": [ { "url": "https://github.com/crate-py/rpds", @@ -2334,12 +2337,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.20.1/#files", + "url": "https://pypi.org/project/rpds-py/0.21.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.20.1", + "purl": "pkg:pypi/rpds-py@0.21.0", "properties": [ { "name": "language", @@ -2671,6 +2674,12 @@ }, "cpe": "cpe:2.3:a:will_mcgugan:rich:13.9.4:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", + "hashes": [ + { + "alg": "SHA-1", + "content": "43d3b04725ab9731727fb1126e35980c62f32377" + } + ], "licenses": [ { "license": { 
@@ -2864,7 +2873,7 @@ "type": "library", "bom-ref": "58-packaging", "name": "packaging", - "version": "24.1", + "version": "24.2", "supplier": { "name": "Donald Stufft", "contact": [ @@ -2873,22 +2882,16 @@ } ] }, - "cpe": "cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:*", "description": "Core utilities for Python packages", - "hashes": [ - { - "alg": "SHA-1", - "content": "85442b8032cb7bae72866dfd7782234a98dd2fb7" - } - ], "externalReferences": [ { - "url": "https://pypi.org/project/packaging/24.1/#files", + "url": "https://pypi.org/project/packaging/24.2/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/packaging@24.1", + "purl": "pkg:pypi/packaging@24.2", "properties": [ { "name": "language", @@ -3422,7 +3425,7 @@ "type": "library", "bom-ref": "70-zipp", "name": "zipp", - "version": "3.20.2", + "version": "3.21.0", "supplier": { "name": "Jason R .", "contact": [ @@ -3431,16 +3434,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:zipp:3.21.0:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.20.2/#files", + "url": "https://pypi.org/project/zipp/3.21.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.20.2", + "purl": "pkg:pypi/zipp@3.21.0", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.12.spdx b/sbom/cve-bin-tool-py3.12.spdx index 785cc63656..132341bedb 100644 --- a/sbom/cve-bin-tool-py3.12.spdx +++ b/sbom/cve-bin-tool-py3.12.spdx 
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-6d5d65ce-7ee4-477d-bfcf-c94432e85cfb +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-780d67c5-e334-4774-85fc-7ad1e1961493 LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-11-04T00:36:55Z +Created: 2024-11-11T00:37:00Z CreatorComment: This document has been automatically generated. ##### @@ -196,6 +196,7 @@ PackageSupplier: Person: Isaac Muse (Isaac.Muse@gmail.com) PackageDownloadLocation: https://pypi.org/project/soupsieve/2.6/#files FilesAnalyzed: false PackageHomePage: https://github.com/facelessuser/soupsieve +PackageChecksum: SHA1: f974ea7e2e70cc940e1bda98b815f5a68eb43990 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION @@ -723,6 +724,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: NOASSERTION PackageDownloadLocation: https://pypi.org/project/markupsafe/3.0.2/#files FilesAnalyzed: false +PackageChecksum: SHA1: 28ace20b140d15c083e1cbc163ee6b7778ba098c PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageLicenseComments: markupsafe declares Copyright 2010 Pallets which is not currently a valid SPDX License identifier or expression. 
@@ -783,18 +785,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-47-rpds-py -PackageVersion: 0.20.1 +PackageVersion: 0.21.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.1/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.21.0/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageLicenseDeclared: MIT -PackageLicenseConcluded: MIT +PackageLicenseDeclared: NOASSERTION +PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.21.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:* ##### PackageName: lib4sbom @@ -905,6 +907,7 @@ PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) PackageDownloadLocation: https://pypi.org/project/rich/13.9.4/#files FilesAnalyzed: false PackageHomePage: https://github.com/Textualize/rich +PackageChecksum: SHA1: 43d3b04725ab9731727fb1126e35980c62f32377 PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION 
@@ -966,18 +969,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.18.0:*:*:*:*:*
 PackageName: packaging
 SPDXID: SPDXRef-58-packaging
-PackageVersion: 24.1
+PackageVersion: 24.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Donald Stufft (donald@stufft.io)
-PackageDownloadLocation: https://pypi.org/project/packaging/24.1/#files
+PackageDownloadLocation: https://pypi.org/project/packaging/24.2/#files
 FilesAnalyzed: false
-PackageChecksum: SHA1: 85442b8032cb7bae72866dfd7782234a98dd2fb7
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Core utilities for Python packages
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/packaging@24.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.2:*:*:*:*:*:*:*
 #####
 PackageName: plotly
@@ -1161,17 +1163,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.6.0:*:*:*
 PackageName: zipp
 SPDXID: SPDXRef-70-zipp
-PackageVersion: 3.20.2
+PackageVersion: 3.21.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Jason R. (jaraco@jaraco.com)
-PackageDownloadLocation: https://pypi.org/project/zipp/3.20.2/#files
+PackageDownloadLocation: https://pypi.org/project/zipp/3.21.0/#files
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Backport of pathlib-compatible object wrapper for zip files
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.21.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.21.0:*:*:*:*:*:*:*
 #####
 PackageName: zstandard
From 6918c32f225f614866ddf112cc322c167d463210 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 11:06:32 -0800
Subject: [PATCH 15/19] chore(deps): bump actions/setup-python from 5.2.0 to 5.3.0 (#4555)
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v5.2.0...v5.3.0)
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build-wheel.yml | 2 +-
.github/workflows/cve_scan.yml | 2 +-
.github/workflows/formatting.yml | 2 +-
.github/workflows/fuzzing.yml | 2 +-
.github/workflows/linting.yml | 2 +-
.github/workflows/sbom.yml | 2 +-
.github/workflows/testing.yml | 10 +++++-----
.github/workflows/update-cache.yml | 2 +-
.github/workflows/update-js-dependencies.yml | 2 +-
.github/workflows/update-pre-commit.yml | 2 +-
.github/workflows/validate-yml.yml | 2 +-
11 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/build-wheel.yml b/.github/workflows/build-wheel.yml
index 8072d5fc17..f2b0195499 100644
--- a/.github/workflows/build-wheel.yml
+++ b/.github/workflows/build-wheel.yml
@@ -28,7 +28,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: ${{ matrix.python-version }}
 cache: 'pip'
diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml
index 3ce69d8833..c97248eeb3 100644
--- a/.github/workflows/cve_scan.yml
+++ b/.github/workflows/cve_scan.yml
@@ -22,7 +22,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.11'
 cache: 'pip'
diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
index dc99b6d2e2..5ef52b7699 100644
--- a/.github/workflows/formatting.yml
+++ b/.github/workflows/formatting.yml
@@ -24,7 +24,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.11'
 cache: 'pip'
diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
index 478c5a8b42..b4fb4a9fcb 100644
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@@ -19,7 +19,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Set up Python
- uses: actions/setup-python@v5.2.0
+ uses: actions/setup-python@v5.3.0
 with:
 python-version: 3.9
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 48f759c58e..c4737601f6 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -23,7 +23,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.11'
 cache: 'pip'
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 05fe91de08..1d42ac5baa 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
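Review bot: The new line in fuzzing.yml, `uses: actions/setup-python@v5.3.0`, still references the action by a mutable tag, while every other workflow touched by this commit (build-wheel, cve_scan, formatting, linting, sbom, testing, update-cache, update-js-dependencies, update-pre-commit, validate-yml) pins the same action to a full commit SHA with a `# v5.3.0` comment; the context line `uses: actions/checkout@v4` in that file is unpinned in the same way. A tag can be moved after review, so this job does not get the reproducibility and tamper-resistance the SHA pins elsewhere in the tree are there to provide, and Dependabot will keep bumping only the tag here. Writing it as `uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0`, matching the other workflows, closes the gap; the checkout reference could be pinned the same way in a follow-up.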
@@ -27,7 +27,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: ${{ matrix.python }}
 cache: 'pip'
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index f6dd40f734..6ed476bcb6 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -49,7 +49,7 @@ jobs:
 pypi.org:443
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.11'
 cache: 'pip'
@@ -108,7 +108,7 @@ jobs:
 www.sqlite.org:443
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: ${{ matrix.python }}
 cache: 'pip'
@@ -240,7 +240,7 @@ jobs:
 www.sqlite.org:443
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.10'
 cache: 'pip'
@@ -397,7 +397,7 @@ jobs:
 www.sqlite.org:443
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.10'
 cache: 'pip'
@@ -503,7 +503,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.12'
 cache: 'pip'
diff --git a/.github/workflows/update-cache.yml b/.github/workflows/update-cache.yml
index 7e77e1ecf1..fa2c93fae7 100644
--- a/.github/workflows/update-cache.yml
+++ b/.github/workflows/update-cache.yml
@@ -31,7 +31,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.10'
 cache: 'pip'
diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml
index d4921f0f4d..f2b3fc0bd9 100644
--- a/.github/workflows/update-js-dependencies.yml
+++ b/.github/workflows/update-js-dependencies.yml
@@ -28,7 +28,7 @@ jobs:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.11'
diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml
index 23a58da58f..2b3be9cf39 100644
--- a/.github/workflows/update-pre-commit.yml
+++ b/.github/workflows/update-pre-commit.yml
@@ -28,7 +28,7 @@ jobs:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.11'
diff --git a/.github/workflows/validate-yml.yml b/.github/workflows/validate-yml.yml
index 477aba9b85..b4bd97f31d 100644
--- a/.github/workflows/validate-yml.yml
+++ b/.github/workflows/validate-yml.yml
@@ -19,7 +19,7 @@ jobs:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 0
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.11'
 cache: 'pip'
From 377b9ca36529259048d4b8886ac34d2b20b0c6a5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 11:06:58 -0800
Subject: [PATCH 16/19] chore(deps): bump actions/dependency-review-action from 4.3.5 to 4.4.0 (#4554)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.3.5 to 4.4.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/a6993e2c61fd5dc440b409aa1d6904921c5e1894...4081bf99e2866ebe428fc0477b69eb4fcda7220a)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 717e3e7f10..d99c952123 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -24,4 +24,4 @@ jobs:
 - name: 'Checkout Repository'
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: 'Dependency Review'
- uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5
+ uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
From 97569385065b84d536b749155ef46fac632683ff Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 11:08:49 -0800
Subject: [PATCH 17/19] chore(deps): bump check-spelling/check-spelling from 0.0.22 to 0.0.24 (#4553)
Bumps [check-spelling/check-spelling](https://github.com/check-spelling/check-spelling) from 0.0.22 to 0.0.24.
- [Release notes](https://github.com/check-spelling/check-spelling/releases)
- [Changelog](https://github.com/check-spelling/check-spelling/blob/main/gh-release-downloader)
- [Commits](https://github.com/check-spelling/check-spelling/compare/v0.0.22...v0.0.24)
---
updated-dependencies:
- dependency-name: check-spelling/check-spelling
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/spelling.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
index fd7d1d7d4b..2dec16dcae 100644
--- a/.github/workflows/spelling.yml
+++ b/.github/workflows/spelling.yml
@@ -19,7 +19,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: check-spelling/check-spelling@v0.0.22
+ - uses: check-spelling/check-spelling@v0.0.24
 with:
 extra_dictionaries: cspell:python/src/python/python.txt
From 9712d5cfed57445b9e6462fac28042d8a4b24e9d Mon Sep 17 00:00:00 2001
From: anchita20
Date: Wed, 13 Nov 2024 01:09:59 +0530
Subject: [PATCH 18/19] docs: add docstrings to parsers/env.py and format changes (#4552)
* Fixes #4539
---
 cve_bin_tool/parsers/env.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/cve_bin_tool/parsers/env.py b/cve_bin_tool/parsers/env.py
index 536f681752..e4cb15a55c 100644
--- a/cve_bin_tool/parsers/env.py
+++ b/cve_bin_tool/parsers/env.py
@@ -15,6 +15,12 @@
 @dataclasses.dataclass
 class EnvNamespaceConfig:
+ """
+ Configuration details for environment namespace in the CVE Bin tool
+ Attributes:
+ CVE ID associated with this namespace, vendor name, product name, version of the product, file path where product is located
+ """
+
 ad_hoc_cve_id: str
 vendor: str
 product: str
@@ -24,6 +30,12 @@ class EnvNamespaceConfig:
 @dataclasses.dataclass
 class EnvConfig:
+ """
+ Configuration for multiple environment namespaces
+ Attributes:
+ A dictionary mapping namespace names to their configurations
+ """
+
 namespaces: dict[str, EnvNamespaceConfig]
@@ -40,6 +52,13 @@ class EnvParser(Parser):
 @staticmethod
 def parse_file_contents(contents):
+ """
+ Parse the contents of an environment configuration file
+ Args:
+ contents(str): textual content of environment configuration file
+ Returns:
+ EnvConfig: EnvConfig instance containing parsed namespace configurations
+ """
 lines = list(
 [
 line
From dafb9da81b0bf8832b5f0ec920cd9860ae11caa7 Mon Sep 17 00:00:00 2001
From: weichslgartner
Date: Tue, 12 Nov 2024 23:19:52 +0100
Subject: [PATCH 19/19] fix: csv output under Windows with correct newlines (#4557) (#4558)
* fixes #4557
---
 cve_bin_tool/output_engine/__init__.py | 5 ++++-
 test/test_output_engine.py | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/cve_bin_tool/output_engine/__init__.py b/cve_bin_tool/output_engine/__init__.py
index a697785d1f..0de9c28a2e 100644
--- a/cve_bin_tool/output_engine/__init__.py
+++ b/cve_bin_tool/output_engine/__init__.py
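Review bot: The `Attributes:` section added to `EnvNamespaceConfig` (and, in the second hunk, to `EnvConfig`) describes the fields in one run-on sentence without naming them, so a reader cannot tell which phrase belongs to `ad_hoc_cve_id`, `vendor` or `product`; the Google style implied by the `Args:`/`Returns:` headings in the third hunk is one `name: description` entry per attribute, e.g. `ad_hoc_cve_id: CVE ID associated with this namespace`, then one line each for the remaining fields. In the third hunk `contents(str):` should read `contents (str):` so the parameter name is parsed as such by docstring tools. Both dataclasses and `parse_file_contents` continue outside their hunks, so the attribute list for `EnvNamespaceConfig` beyond `product` is not visible here.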
@@ -882,7 +882,10 @@ def output_file(self, output_type="console"):
 with open(self.filename, "wb") as f:
 self.output_cves(f, output_type)
 else:
- with open(self.filename, "w", encoding="utf8") as f:
+ # if type is csv, file should be opened with newline=''
+ # see https://docs.python.org/3/library/csv.html#csv.writer
+ newline = "" if output_type == "csv" else None
+ with open(self.filename, mode="w", newline=newline, encoding="utf8") as f:
 self.output_cves(f, output_type)
 def check_file_path(self, filepath: str, output_type: str, prefix: str = "output"):
diff --git a/test/test_output_engine.py b/test/test_output_engine.py
index 5510738a9f..5a65e5c4cd 100644
--- a/test/test_output_engine.py
+++ b/test/test_output_engine.py
@@ -1270,6 +1270,16 @@ def test_output_file(self):
 self.assertEqual(contains_filename, True)
 self.assertEqual(contains_msg, True)
+ def test_csv_output_file(self):
+ self.output_engine.output_file(output_type="csv")
+ filename = Path(self.output_engine.filename)
+ n_cves = sum(len(c["cves"]) for c in self.MOCK_OUTPUT.values())
+ with filename.open(newline="", mode="r") as f:
+ n_lines = len(f.read().splitlines())
+ # cvs file should have one line per cve plus a header line
+ assert n_lines == n_cves + 1
+ filename.unlink()
+
 def test_output_file_wrapper(self):
 """Test file generation logic in output_file_wrapper"""
 logger = logging.getLogger()
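Review bot: The new comment above `newline = ...` says that csv needs `newline=''` but not why, and the why is the whole fix: `csv.writer` terminates rows with `\r\n` itself, and a text-mode file opened without `newline=""` translates that `\n` to the platform line ending on Windows, so every row ended in `\r\r\n`. I would replace the two comment lines with `# csv.writer emits "\r\n" itself; without newline="" the text layer on Windows` and `# translates the "\n" again and each row ends in "\r\r\n" (see csv.writer docs).` so the next maintainer does not drop the argument as redundant. The `if` test that selects the binary branch and the start of `output_file` are outside the hunk.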
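Review bot: `filename.unlink()` at the end of `test_csv_output_file` only runs when the assertion passes, so a failing run leaves the csv behind for whatever test uses `self.output_engine.filename` next; register the cleanup as soon as the path is known, `self.addCleanup(filename.unlink)`, and drop the trailing call. The read also omits the `encoding="utf8"` that `output_file` writes with, so on Windows, the platform this fix targets, the file would be decoded with the locale codec if the mock data ever contains non-ASCII text; use `filename.open(newline="", mode="r", encoding="utf8")`. The bare `assert` sits between `self.assertEqual` calls in the same TestCase, so `self.assertEqual(n_lines, n_cves + 1)` keeps the style consistent, and the comment above it has a typo: `# csv file should have one line per cve plus a header line`.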