diff --git a/sbom/cve-bin-tool-py3.12.json b/sbom/cve-bin-tool-py3.12.json
index 21b0083702..4039f738e1 100644
--- a/sbom/cve-bin-tool-py3.12.json
+++ b/sbom/cve-bin-tool-py3.12.json
@@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
- "serialNumber": "urn:uuid:42803ee0-c89b-4dfb-8bea-285783cb9e51",
+ "serialNumber": "urn:uuid:4694dd69-8037-4433-ae2c-5099609c2529",
"version": 1,
"metadata": {
- "timestamp": "2024-08-05T00:34:41Z",
+ "timestamp": "2024-08-12T00:35:39Z",
"lifecycles": [
{
"phase": "build"
@@ -15,7 +15,7 @@
"components": [
{
"name": "sbom4python",
- "version": "0.11.0",
+ "version": "0.11.1",
"type": "application"
}
]
@@ -74,7 +74,7 @@
"type": "library",
"bom-ref": "2-aiohttp",
"name": "aiohttp",
- "version": "3.10.1",
+ "version": "3.10.3",
"description": "Async http client/server framework (asyncio)",
"licenses": [
{
@@ -87,12 +87,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/aiohttp/3.10.1",
+ "url": "https://pypi.org/project/aiohttp/3.10.3",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/aiohttp@3.10.1",
+ "purl": "pkg:pypi/aiohttp@3.10.3",
"properties": [
{
"name": "language",
@@ -108,7 +108,7 @@
"type": "library",
"bom-ref": "3-aiohappyeyeballs",
"name": "aiohappyeyeballs",
- "version": "2.3.4",
+ "version": "2.3.5",
"supplier": {
"name": "J. Nick Koston",
"contact": [
@@ -117,12 +117,18 @@
}
]
},
- "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.4:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.5:*:*:*:*:*:*:*",
"description": "Happy Eyeballs for asyncio",
+ "hashes": [
+ {
+ "alg": "SHA-1",
+ "content": "01595bbda3380154cc4e72702a1f82502a15940a"
+ }
+ ],
"licenses": [
{
"license": {
- "id": "PSF-2.0",
+ "id": "Python-2.0",
"url": "https://opensource.org/licenses/Python-2.0",
"acknowledgement": "concluded"
}
@@ -130,12 +136,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/aiohappyeyeballs/2.3.4",
+ "url": "https://pypi.org/project/aiohappyeyeballs/2.3.5",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/aiohappyeyeballs@2.3.4",
+ "purl": "pkg:pypi/aiohappyeyeballs@2.3.5",
"properties": [
{
"name": "language",
@@ -224,7 +230,7 @@
"type": "library",
"bom-ref": "6-attrs",
"name": "attrs",
- "version": "24.1.0",
+ "version": "24.2.0",
"supplier": {
"name": "Hynek Schlawack",
"contact": [
@@ -233,16 +239,16 @@
}
]
},
- "cpe": "cpe:2.3:a:hynek_schlawack:attrs:24.1.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:hynek_schlawack:attrs:24.2.0:*:*:*:*:*:*:*",
"description": "Classes Without Boilerplate",
"externalReferences": [
{
- "url": "https://pypi.org/project/attrs/24.1.0",
+ "url": "https://pypi.org/project/attrs/24.2.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/attrs@24.1.0",
+ "purl": "pkg:pypi/attrs@24.2.0",
"properties": [
{
"name": "language",
@@ -712,7 +718,7 @@
"type": "library",
"bom-ref": "17-argcomplete",
"name": "argcomplete",
- "version": "3.4.0",
+ "version": "3.5.0",
"supplier": {
"name": "Andrey Kislyuk",
"contact": [
@@ -721,7 +727,7 @@
}
]
},
- "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.4.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.5.0:*:*:*:*:*:*:*",
"description": "Bash tab completion for argparse",
"licenses": [
{
@@ -734,12 +740,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/argcomplete/3.4.0",
+ "url": "https://pypi.org/project/argcomplete/3.5.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/argcomplete@3.4.0",
+ "purl": "pkg:pypi/argcomplete@3.5.0",
"properties": [
{
"name": "language",
@@ -1576,7 +1582,7 @@
"type": "library",
"bom-ref": "36-cffi",
"name": "cffi",
- "version": "1.16.0",
+ "version": "1.17.0",
"supplier": {
"name": "Armin Maciej Fijalkowski",
"contact": [
@@ -1585,14 +1591,8 @@
}
]
},
- "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.17.0:*:*:*:*:*:*:*",
"description": "Foreign Function Interface for Python calling C code.",
- "hashes": [
- {
- "alg": "SHA-1",
- "content": "ba44abd69cf6f0f1cc90db34cd067275dc10fc71"
- }
- ],
"licenses": [
{
"license": {
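Review bot: The new side drops the whole `hashes` array for cffi (the SHA-1 block removed right after `"description"`), so the SBOM carries no integrity checksum at all for cffi 1.17.0 where 1.16.0 had one; the same removal happens for pyyaml in the `@@ -2087,14 +2087,8 @@` hunk and is mirrored by the deleted `PackageChecksum: SHA1:` lines in the SPDX file. A consumer that uses this SBOM to verify downloaded artefacts against the recorded digest loses that check for these two components. This looks like generator behaviour after the sbom4python 0.11.0 → 0.11.1 bump rather than a deliberate edit, so it is worth confirming whether the checksum is genuinely unavailable for the new releases or whether the tool stopped emitting it. Where a checksum is still emitted (aiohappyeyeballs), SHA-1 is the only algorithm recorded; CycloneDX also accepts `"alg": "SHA-256"`, which would be the stronger choice if the generator can supply it.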
@@ -1604,12 +1604,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/cffi/1.16.0",
+ "url": "https://pypi.org/project/cffi/1.17.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/cffi@1.16.0",
+ "purl": "pkg:pypi/cffi@1.17.0",
"properties": [
{
"name": "language",
@@ -1997,11 +1997,11 @@
"type": "library",
"bom-ref": "46-rpds-py",
"name": "rpds-py",
- "version": "0.19.1",
+ "version": "0.20.0",
"supplier": {
"name": "Julian Berman"
},
- "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.19.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*",
"description": "Python bindings to Rust's persistent data structures (rpds)",
"licenses": [
{
@@ -2014,12 +2014,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/rpds-py/0.19.1",
+ "url": "https://pypi.org/project/rpds-py/0.20.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/rpds-py@0.19.1",
+ "purl": "pkg:pypi/rpds-py@0.20.0",
"properties": [
{
"name": "language",
@@ -2078,7 +2078,7 @@
"type": "library",
"bom-ref": "48-pyyaml",
"name": "pyyaml",
- "version": "6.0.1",
+ "version": "6.0.2",
"supplier": {
"name": "Kirill Simonov",
"contact": [
@@ -2087,14 +2087,8 @@
}
]
},
- "cpe": "cpe:2.3:a:kirill_simonov:pyyaml:6.0.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:kirill_simonov:pyyaml:6.0.2:*:*:*:*:*:*:*",
"description": "YAML parser and emitter for Python",
- "hashes": [
- {
- "alg": "SHA-1",
- "content": "c42fa3bff1eabdb64763bb1526d9ea1ccb708479"
- }
- ],
"licenses": [
{
"license": {
@@ -2106,12 +2100,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/pyyaml/6.0.1",
+ "url": "https://pypi.org/project/pyyaml/6.0.2",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/pyyaml@6.0.1",
+ "purl": "pkg:pypi/pyyaml@6.0.2",
"properties": [
{
"name": "language",
@@ -3001,7 +2995,41 @@
},
{
"type": "library",
- "bom-ref": "69-zstandard",
+ "bom-ref": "69-zipp",
+ "name": "zipp",
+ "version": "3.20.0",
+ "supplier": {
+ "name": "Jason R .",
+ "contact": [
+ {
+ "email": "jaraco@jaraco.com"
+ }
+ ]
+ },
+ "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:*",
+ "description": "Backport of pathlib-compatible object wrapper for zip files",
+ "externalReferences": [
+ {
+ "url": "https://pypi.org/project/zipp/3.20.0",
+ "type": "distribution",
+ "comment": "Download location for component"
+ }
+ ],
+ "purl": "pkg:pypi/zipp@3.20.0",
+ "properties": [
+ {
+ "name": "language",
+ "value": "Python"
+ },
+ {
+ "name": "python_version",
+ "value": "3.12.4"
+ }
+ ]
+ },
+ {
+ "type": "library",
+ "bom-ref": "70-zstandard",
"name": "zstandard",
"version": "0.23.0",
"supplier": {
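Review bot: Inserting zipp renumbers zstandard's `"bom-ref"` from `"69-zstandard"` to `"70-zstandard"` (and `SPDXRef-Package-70-zstandard` in the SPDX file), so anything diffing this SBOM against the previous revision by bom-ref will see zstandard as removed and re-added rather than unchanged. bom-refs are meant to be stable identifiers within and across BOM versions; the positional prefix is presumably assigned by sbom4python, so this is likely an upstream issue rather than something to hand-edit here. Separately, the new zipp supplier is emitted as `"name": "Jason R ."` in this file but `Jason R.` in the SPDX file, and the derived CPE `cpe:2.3:a:jason_r.:zipp:3.20.0:...` inherits the truncated vendor string; a vendor value that does not match the NVD CPE dictionary will make CVE lookups for this component miss, so it is worth checking how the supplier name was derived before relying on the CPE.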
@@ -3075,7 +3103,8 @@
"66-setuptools",
"64-urllib3",
"67-xmlschema",
- "69-zstandard"
+ "69-zipp",
+ "70-zstandard"
]
},
{
diff --git a/sbom/cve-bin-tool-py3.12.spdx b/sbom/cve-bin-tool-py3.12.spdx
index 98501c9ba8..042cf1a21f 100644
--- a/sbom/cve-bin-tool-py3.12.spdx
+++ b/sbom/cve-bin-tool-py3.12.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-9d2497ce-dad5-46ac-b3f6-584adacf8fd7
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-db1e7c13-c57f-4b56-8302-f4fb0a0b00d6
LicenseListVersion: 3.22
-Creator: Tool: sbom4python-0.11.0
-Created: 2024-08-05T00:33:38Z
+Creator: Tool: sbom4python-0.11.1
+Created: 2024-08-12T00:34:17Z
CreatorComment: This document has been automatically generated.
#####
@@ -26,32 +26,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.3.1.dev0:*:*:
PackageName: aiohttp
SPDXID: SPDXRef-Package-2-aiohttp
-PackageVersion: 3.10.1
+PackageVersion: 3.10.3
PrimaryPackagePurpose: LIBRARY
PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.10.1
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.10.3
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Async http client/server framework (asyncio)
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.10.1
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.10.3
#####
PackageName: aiohappyeyeballs
SPDXID: SPDXRef-Package-3-aiohappyeyeballs
-PackageVersion: 2.3.4
+PackageVersion: 2.3.5
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: J. Nick Koston (nick@koston.org)
-PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.3.4
+PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.3.5
FilesAnalyzed: false
-PackageLicenseDeclared: PSF-2.0
-PackageLicenseConcluded: PSF-2.0
+PackageChecksum: SHA1: 01595bbda3380154cc4e72702a1f82502a15940a
+PackageLicenseDeclared: Python-2.0
+PackageLicenseConcluded: Python-2.0
PackageCopyrightText: NOASSERTION
PackageSummary: Happy Eyeballs for asyncio
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohappyeyeballs@2.3.4
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.4:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohappyeyeballs@2.3.5
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.3.5:*:*:*:*:*:*:*
#####
PackageName: aiosignal
@@ -86,17 +87,17 @@ ExternalRef: PACKAGE_MANAGER purl pkg:pypi/frozenlist@1.4.1
PackageName: attrs
SPDXID: SPDXRef-Package-6-attrs
-PackageVersion: 24.1.0
+PackageVersion: 24.2.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Hynek Schlawack (hs@ox.cx)
-PackageDownloadLocation: https://pypi.org/project/attrs/24.1.0
+PackageDownloadLocation: https://pypi.org/project/attrs/24.2.0
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: Classes Without Boilerplate
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/attrs@24.1.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:24.1.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/attrs@24.2.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:24.2.0:*:*:*:*:*:*:*
#####
PackageName: multidict
@@ -264,18 +265,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.30:*:*:*:*:*:*:*
PackageName: argcomplete
SPDXID: SPDXRef-Package-17-argcomplete
-PackageVersion: 3.4.0
+PackageVersion: 3.5.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/argcomplete/3.4.0
+PackageDownloadLocation: https://pypi.org/project/argcomplete/3.5.0
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Bash tab completion for argparse
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.4.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.4.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.5.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.5.0:*:*:*:*:*:*:*
#####
PackageName: crcmod
@@ -569,18 +570,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_cryptography_developers_the_python
PackageName: cffi
SPDXID: SPDXRef-Package-36-cffi
-PackageVersion: 1.16.0
+PackageVersion: 1.17.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: Armin Maciej Fijalkowski (python-cffi@googlegroups.com)
-PackageDownloadLocation: https://pypi.org/project/cffi/1.16.0
+PackageDownloadLocation: https://pypi.org/project/cffi/1.17.0
FilesAnalyzed: false
-PackageChecksum: SHA1: ba44abd69cf6f0f1cc90db34cd067275dc10fc71
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: Foreign Function Interface for Python calling C code.
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cffi@1.16.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cffi@1.17.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.17.0:*:*:*:*:*:*:*
#####
PackageName: pycparser
@@ -726,17 +726,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:*
PackageName: rpds-py
SPDXID: SPDXRef-Package-46-rpds-py
-PackageVersion: 0.19.1
+PackageVersion: 0.20.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.19.1
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.20.0
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: Python bindings to Rust's persistent data structures (rpds)
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.19.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.19.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.20.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:*:*:*
#####
PackageName: lib4sbom
@@ -756,18 +756,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.2:*:*:*:
PackageName: pyyaml
SPDXID: SPDXRef-Package-48-pyyaml
-PackageVersion: 6.0.1
+PackageVersion: 6.0.2
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Kirill Simonov (xi@resolvent.net)
-PackageDownloadLocation: https://pypi.org/project/pyyaml/6.0.1
+PackageDownloadLocation: https://pypi.org/project/pyyaml/6.0.2
FilesAnalyzed: false
-PackageChecksum: SHA1: c42fa3bff1eabdb64763bb1526d9ea1ccb708479
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: YAML parser and emitter for Python
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyyaml@6.0.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyyaml@6.0.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.2:*:*:*:*:*:*:*
#####
PackageName: semantic-version
@@ -1084,8 +1083,23 @@ ExternalRef: PACKAGE_MANAGER purl pkg:pypi/elementpath@4.4.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.4.0:*:*:*:*:*:*:*
#####
+PackageName: zipp
+SPDXID: SPDXRef-Package-69-zipp
+PackageVersion: 3.20.0
+PrimaryPackagePurpose: LIBRARY
+PackageSupplier: Organization: Jason R. (jaraco@jaraco.com)
+PackageDownloadLocation: https://pypi.org/project/zipp/3.20.0
+FilesAnalyzed: false
+PackageLicenseDeclared: NOASSERTION
+PackageLicenseConcluded: NOASSERTION
+PackageCopyrightText: NOASSERTION
+PackageSummary: Backport of pathlib-compatible object wrapper for zip files
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:*
+#####
+
PackageName: zstandard
-SPDXID: SPDXRef-Package-69-zstandard
+SPDXID: SPDXRef-Package-70-zstandard
PackageVersion: 0.23.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Gregory Szorc (gregory.szorc@gmail.com)
@@ -1123,7 +1137,8 @@ Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-64-urlli
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-65-rpmfile
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-66-setuptools
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-67-xmlschema
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-69-zstandard
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-69-zipp
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-70-zstandard
Relationship: SPDXRef-Package-10-beautifulsoup4 DEPENDS_ON SPDXRef-Package-11-soupsieve
Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-17-argcomplete
Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-18-crcmod