chore: update SBOM for Python 3.10
web-flow authored Oct 9, 2023
1 parent 2847879 commit 80a4f37
Showing 2 changed files with 64 additions and 56 deletions.
75 changes: 41 additions & 34 deletions sbom/cve-bin-tool-py3.10.json
Expand Up @@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:51b0461a-601d-40c8-9e2f-3fb74dd746ff",
"serialNumber": "urn:uuid:9536bb49-29db-4c9b-a066-230076147613",
"version": 1,
"metadata": {
"timestamp": "2023-10-02T00:42:50Z",
"timestamp": "2023-10-09T00:26:42Z",
"tools": {
"components": [
{
Expand Down Expand Up @@ -58,7 +58,11 @@
"type": "library",
"bom-ref": "2-aiohttp",
"name": "aiohttp",
"version": "3.8.5",
"version": "3.8.6",
"supplier": {
"name": "NOASSERTION"
},
"cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6",
"description": "Async http client/server framework (asyncio)",
"licenses": [
{
Expand All @@ -70,12 +74,12 @@
],
"externalReferences": [
{
"url": "https://pypi.org/project/aiohttp/3.8.5",
"url": "https://pypi.org/project/aiohttp/3.8.6",
"type": "distribution",
"comment": "Download location for component"
}
],
"purl": "pkg:pypi/aiohttp@3.8.5",
"purl": "pkg:pypi/aiohttp@3.8.6",
"properties": [
{
"name": "License Comments",
Expand All @@ -88,6 +92,10 @@
"bom-ref": "3-aiosignal",
"name": "aiosignal",
"version": "1.3.1",
"supplier": {
"name": "NOASSERTION"
},
"cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -116,6 +124,10 @@
"bom-ref": "4-frozenlist",
"name": "frozenlist",
"version": "1.4.0",
"supplier": {
"name": "NOASSERTION"
},
"cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0",
"description": "A list-like structure which implements collections.abc.MutableSequence",
"licenses": [
{
Expand Down Expand Up @@ -496,7 +508,7 @@
"name": "gsutil",
"version": "5.26",
"supplier": {
"name": "Google Inc.",
"name": "Google Inc .",
"contact": [
{
"email": "buganizer-system+187143@google.com"
Expand Down Expand Up @@ -631,7 +643,7 @@
"name": "gcs-oauth2-boto-plugin",
"version": "3.0",
"supplier": {
"name": "Google Inc.",
"name": "Google Inc .",
"contact": [
{
"email": "gs-team@google.com"
Expand Down Expand Up @@ -739,7 +751,7 @@
"name": "pyu2f",
"version": "0.1.5",
"supplier": {
"name": "Google Inc.",
"name": "Google Inc .",
"contact": [
{
"email": "pyu2f-team@google.com"
Expand Down Expand Up @@ -865,7 +877,7 @@
"name": "oauth2client",
"version": "4.1.3",
"supplier": {
"name": "Google Inc.",
"name": "Google Inc .",
"contact": [
{
"email": "jonwayne+oauth2client@google.com"
Expand Down Expand Up @@ -973,7 +985,7 @@
"name": "rsa",
"version": "4.7.2",
"supplier": {
"name": "Sybren A. Stuvel",
"name": "Sybren A . Stuvel",
"contact": [
{
"email": "sybren@stuvel.eu"
Expand Down Expand Up @@ -1060,9 +1072,7 @@
"description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.",
"licenses": [
{
"license": {
"expression": "Apache-2.0 OR BSD-3-Clause"
}
"expression": "Apache-2.0 OR BSD-3-Clause"
}
],
"externalReferences": [
Expand Down Expand Up @@ -1359,6 +1369,10 @@
"bom-ref": "41-markupsafe",
"name": "markupsafe",
"version": "2.1.3",
"supplier": {
"name": "NOASSERTION"
},
"cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3",
"description": "Safely add untrusted strings to HTML/XML markup.",
"licenses": [
{
Expand Down Expand Up @@ -1462,11 +1476,11 @@
"type": "library",
"bom-ref": "45-rpds-py",
"name": "rpds-py",
"version": "0.10.3",
"version": "0.10.4",
"supplier": {
"name": "Julian Berman"
},
"cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.3:*:*:*:*:*:*:*",
"cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.4:*:*:*:*:*:*:*",
"description": "Python bindings to Rust's persistent data structures (rpds)",
"licenses": [
{
Expand All @@ -1478,18 +1492,18 @@
],
"externalReferences": [
{
"url": "https://pypi.org/project/rpds-py/0.10.3",
"url": "https://pypi.org/project/rpds-py/0.10.4",
"type": "distribution",
"comment": "Download location for component"
}
],
"purl": "pkg:pypi/rpds-py@0.10.3"
"purl": "pkg:pypi/rpds-py@0.10.4"
},
{
"type": "library",
"bom-ref": "46-lib4sbom",
"name": "lib4sbom",
"version": "0.4.3",
"version": "0.5.1",
"supplier": {
"name": "Anthony Harrison",
"contact": [
Expand All @@ -1498,7 +1512,7 @@
}
]
},
"cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*",
"cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*",
"description": "Software Bill of Material (SBOM) generator and consumer library",
"licenses": [
{
Expand All @@ -1510,12 +1524,12 @@
],
"externalReferences": [
{
"url": "https://pypi.org/project/lib4sbom/0.4.3",
"url": "https://pypi.org/project/lib4sbom/0.5.1",
"type": "distribution",
"comment": "Download location for component"
}
],
"purl": "pkg:pypi/lib4sbom@0.4.3"
"purl": "pkg:pypi/lib4sbom@0.5.1"
},
{
"type": "library",
Expand Down Expand Up @@ -1604,9 +1618,7 @@
"description": "Core utilities for Python packages",
"licenses": [
{
"license": {
"expression": "BSD-2-Clause OR Apache-2.0"
}
"expression": "BSD-2-Clause OR Apache-2.0"
}
],
"externalReferences": [
Expand Down Expand Up @@ -1806,7 +1818,7 @@
"type": "library",
"bom-ref": "55-urllib3",
"name": "urllib3",
"version": "2.0.5",
"version": "2.0.6",
"supplier": {
"name": "Andrey Petrov",
"contact": [
Expand All @@ -1815,16 +1827,16 @@
}
]
},
"cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.5:*:*:*:*:*:*:*",
"cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*",
"description": "HTTP library with thread-safe connection pooling, file post, and more.",
"externalReferences": [
{
"url": "https://pypi.org/project/urllib3/2.0.5",
"url": "https://pypi.org/project/urllib3/2.0.6",
"type": "distribution",
"comment": "Download location for component"
}
],
"purl": "pkg:pypi/urllib3@2.0.5"
"purl": "pkg:pypi/urllib3@2.0.6"
},
{
"type": "library",
Expand Down Expand Up @@ -2106,12 +2118,6 @@
}
],
"dependencies": [
{
"ref": "CDXRef-DOCUMENT",
"dependsOn": [
"1-cve-bin-tool"
]
},
{
"ref": "1-cve-bin-tool",
"dependsOn": [
Expand Down Expand Up @@ -2304,6 +2310,7 @@
{
"ref": "46-lib4sbom",
"dependsOn": [
"14-defusedxml",
"47-pyyaml",
"48-semantic-version"
]
Expand Down
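Review bot: The supplier names on the new side of the `gsutil`, `gcs-oauth2-boto-plugin`, `pyu2f`, `oauth2client` and `rsa` entries gained a stray space before the period (`"name": "Google Inc ."`, `"name": "Sybren A . Stuvel"`), which is a regression in data that downstream tools use verbatim for vendor matching; the intended values are `"name": "Google Inc."` and `"name": "Sybren A. Stuvel"`. The added `cpe` values for aiohttp, aiosignal, frozenlist and markupsafe use the CPE 2.2 URI form with a literal `NOASSERTION` vendor (`"cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6"`), while every other `cpe` in the file is a 2.3 formatted string with a real vendor, so these entries can never match an NVD record and should be omitted together with the `"supplier": {"name": "NOASSERTION"}` objects, since CycloneDX has no NOASSERTION convention. Dropping the `CDXRef-DOCUMENT` entry from `dependencies` is only safe if `metadata.component` carries bom-ref `1-cve-bin-tool` as the graph root, which is outside this hunk and should be confirmed. Since the regenerated file tracks a lib4sbom bump from 0.4.3 to 0.5.1, these look like generator output changes rather than hand edits, so the fix presumably belongs upstream or in a post-generation check rather than in this file alone.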
45 changes: 23 additions & 22 deletions sbom/cve-bin-tool-py3.10.spdx
Expand Up @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-82ead980-e1fd-45b3-8d00-de095f71cc6a
DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-0e8ee6fa-c119-4a2f-87a9-ef0cb6121781
LicenseListVersion: 3.21
Creator: Tool: sbom4python-0.10.0
Created: 2023-10-02T00:41:34Z
Created: 2023-10-09T00:25:11Z
CreatorComment: <text>This document has been automatically generated.</text>
#####

Expand All @@ -26,24 +26,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.2.2.dev0:*:*:

PackageName: aiohttp
SPDXID: SPDXRef-Package-2-aiohttp
PackageVersion: 3.8.5
PackageVersion: 3.8.6
PrimaryPackagePurpose: LIBRARY
PackageSupplier: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.5
PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.6
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: <text>aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.</text>
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Async http client/server framework (asyncio)</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.5
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.6
#####

PackageName: aiosignal
SPDXID: SPDXRef-Package-3-aiosignal
PackageVersion: 1.3.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: NOASSERTION
PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
Expand All @@ -57,7 +57,7 @@ PackageName: frozenlist
SPDXID: SPDXRef-Package-4-frozenlist
PackageVersion: 1.4.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: NOASSERTION
PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
Expand Down Expand Up @@ -630,7 +630,7 @@ PackageName: markupsafe
SPDXID: SPDXRef-Package-41-markupsafe
PackageVersion: 2.1.3
PrimaryPackagePurpose: LIBRARY
PackageSupplier: NOASSERTION
PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3
FilesAnalyzed: false
PackageLicenseDeclared: BSD-3-Clause
Expand Down Expand Up @@ -687,32 +687,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.30.2:*:*:*

PackageName: rpds-py
SPDXID: SPDXRef-Package-45-rpds-py
PackageVersion: 0.10.3
PackageVersion: 0.10.4
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Julian Berman
PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.3
PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.4
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Python bindings to Rust's persistent data structures (rpds)</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.3
ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.3:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.4
ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.4:*:*:*:*:*:*:*
#####

PackageName: lib4sbom
SPDXID: SPDXRef-Package-46-lib4sbom
PackageVersion: 0.4.3
PackageVersion: 0.5.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3
PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.1
FilesAnalyzed: false
PackageLicenseDeclared: Apache-2.0
PackageLicenseConcluded: Apache-2.0
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Software Bill of Material (SBOM) generator and consumer library</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3
ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.1
ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*
#####

PackageName: pyyaml
Expand Down Expand Up @@ -842,17 +842,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*:

PackageName: urllib3
SPDXID: SPDXRef-Package-55-urllib3
PackageVersion: 2.0.5
PackageVersion: 2.0.6
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net)
PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.5
PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: <text>HTTP library with thread-safe connection pooling, file post, and more.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.5
ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.5:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6
ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*
#####

PackageName: rich
Expand Down Expand Up @@ -991,7 +991,6 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.21.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:*
#####

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-11-beautifulsoup4
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-13-cvss
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-14-defusedxml
Expand Down Expand Up @@ -1069,6 +1068,7 @@ Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs
Relationship: SPDXRef-Package-43-jsonschema-specifications DEPENDS_ON SPDXRef-Package-44-referencing
Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-45-rpds-py
Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-6-attrs
Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-14-defusedxml
Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-47-pyyaml
Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-48-semantic-version
Relationship: SPDXRef-Package-49-packaging DEPENDS_ON SPDXRef-Package-26-pyparsing
Expand All @@ -1084,3 +1084,4 @@ Relationship: SPDXRef-Package-57-markdown-it-py DEPENDS_ON SPDXRef-Package-58-md
Relationship: SPDXRef-Package-62-xmlschema DEPENDS_ON SPDXRef-Package-63-elementpath
Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-10-idna
Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-8-multidict
Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool
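Review bot: The last added line replaces the document-level DESCRIBES relationship with `Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool`, but no element with SPDXID `SPDXRef-Package-None` is defined anywhere on the visible new side, so an SPDX 2.3 validator will reject the dangling reference and the document no longer declares what it describes; the line should read `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool` as it did before this commit. The `PackageSupplier: Organization: NOASSERTION` lines for aiohttp, aiosignal, frozenlist and markupsafe are likewise malformed, because SPDX expects a bare `PackageSupplier: NOASSERTION` when the supplier is unknown rather than an organization literally named NOASSERTION. Both changes appear alongside the lib4sbom 0.4.3 to 0.5.1 bump recorded in the same file, so they are presumably generator regressions; the JSON sibling in this commit shows the same supplier and root-dependency pattern.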
