From e2aa1a57bad1b97c551cbc31691c3b212bd80e70 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 9 Dec 2024 20:12:34 +0000 Subject: [PATCH] chore: update SBOM for Python 3.9 (#4610) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.9.json | 106 +++++++++++++++++------------------ sbom/cve-bin-tool-py3.9.spdx | 61 ++++++++++---------- 2 files changed, 82 insertions(+), 85 deletions(-) diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json index bab3241bc9..fc9b5dcb0f 100644 --- a/sbom/cve-bin-tool-py3.9.json +++ b/sbom/cve-bin-tool-py3.9.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:776dd2f8-4200-429f-a71b-22e3b595f38e", + "serialNumber": "urn:uuid:f196410b-e7b4-45b7-be50-2cd9fa1e4b4d", "version": 1, "metadata": { - "timestamp": "2024-12-02T00:41:54Z", + "timestamp": "2024-12-09T00:41:21Z", "lifecycles": [ { "phase": "build" @@ -79,7 +79,7 @@ "type": "library", "bom-ref": "2-aiohttp", "name": "aiohttp", - "version": "3.11.9", + "version": "3.11.10", "description": "Async http client/server framework (asyncio)", "licenses": [ { @@ -97,12 +97,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/aiohttp/3.11.9/#files", + "url": "https://pypi.org/project/aiohttp/3.11.10/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/aiohttp@3.11.9", + "purl": "pkg:pypi/aiohttp@3.11.10", "properties": [ { "name": "language", @@ -114,7 +114,7 @@ }, { "name": "package_release_date", - "value": "2024-12-01T23:26:48.000Z" + "value": "2024-12-05T23:51:02.000Z" } ] }, @@ -553,6 +553,10 @@ { "name": "python_version", "value": "3.9.20" + }, + { + "name": "package_release_date", + "value": "2024-12-01T20:32:32.000Z" } ] }, 
@@ -921,7 +925,7 @@ "type": "library", "bom-ref": "19-gsutil", "name": "gsutil", - "version": "5.31", + "version": "5.32", "supplier": { "name": "Google Inc .", "contact": [ @@ -930,7 +934,7 @@ } ] }, - "cpe": "cpe:2.3:a:google_inc.:gsutil:5.31:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_inc.:gsutil:5.32:*:*:*:*:*:*:*", "description": "A command line tool for interacting with cloud storage services.", "licenses": [ { @@ -948,12 +952,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/gsutil/5.31/#files", + "url": "https://pypi.org/project/gsutil/5.32/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/gsutil@5.31", + "purl": "pkg:pypi/gsutil@5.32", "properties": [ { "name": "language", @@ -965,7 +969,7 @@ }, { "name": "package_release_date", - "value": "2024-10-10T15:59:06.000Z" + "value": "2024-12-04T14:56:46.000Z" } ] }, @@ -973,7 +977,7 @@ "type": "library", "bom-ref": "20-argcomplete", "name": "argcomplete", - "version": "3.5.1", + "version": "3.5.2", "supplier": { "name": "Andrey Kislyuk", "contact": [ @@ -982,8 +986,14 @@ } ] }, - "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.5.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.5.2:*:*:*:*:*:*:*", "description": "Bash tab completion for argparse", + "hashes": [ + { + "alg": "SHA-1", + "content": "fa88f807ee3f1d1c5b2647ca3c38fd3e0349dbfc" + } + ], "licenses": [ { "license": { @@ -1000,12 +1010,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/argcomplete/3.5.1/#files", + "url": "https://pypi.org/project/argcomplete/3.5.2/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/argcomplete@3.5.1", + "purl": "pkg:pypi/argcomplete@3.5.2", "properties": [ { "name": "language", @@ -1017,7 +1027,7 @@ }, { "name": "package_release_date", - "value": "2024-10-07T04:00:36.000Z" + "value": "2024-12-06T18:24:27.000Z" } ] }, 
@@ -1506,7 +1516,7 @@ "type": "library", "bom-ref": "30-six", "name": "six", - "version": "1.16.0", + "version": "1.17.0", "supplier": { "name": "Benjamin Peterson", "contact": [ @@ -1515,14 +1525,8 @@ } ] }, - "cpe": "cpe:2.3:a:benjamin_peterson:six:1.16.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:benjamin_peterson:six:1.17.0:*:*:*:*:*:*:*", "description": "Python 2 and 3 compatibility utilities", - "hashes": [ - { - "alg": "SHA-1", - "content": "65486e4383f9f411da95937451205d3c7b61b9e1" - } - ], "licenses": [ { "license": { @@ -1539,12 +1543,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/six/1.16.0/#files", + "url": "https://pypi.org/project/six/1.17.0/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/six@1.16.0", + "purl": "pkg:pypi/six@1.17.0", "properties": [ { "name": "language", @@ -1556,7 +1560,7 @@ }, { "name": "package_release_date", - "value": "2021-05-05T14:18:17.000Z" + "value": "2024-12-04T17:35:26.000Z" } ] }, @@ -1893,7 +1897,7 @@ "type": "library", "bom-ref": "37-pyopenssl", "name": "pyopenssl", - "version": "24.3.0", + "version": "24.2.1", "supplier": { "name": "The pyOpenSSL developers", "contact": [ @@ -1902,7 +1906,7 @@ } ] }, - "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:24.3.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:24.2.1:*:*:*:*:*:*:*", "description": "Python wrapper module around the OpenSSL library", "licenses": [ { @@ -1920,12 +1924,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/pyopenssl/24.3.0/#files", + "url": "https://pypi.org/project/pyopenssl/24.2.1/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/pyopenssl@24.3.0", + "purl": "pkg:pypi/pyopenssl@24.2.1", "properties": [ { "name": "language", 
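Review bot: The `hashes` block for six (SHA-1 `65486e4383f9…`) is deleted along with the bump to 1.17.0 and nothing replaces it, so this component now carries no integrity anchor at all, while argcomplete gains a SHA-1 in the same commit; the generator appears to record a checksum only for some components, and whatever is driving that should be made explicit. Even where a hash is present it is SHA-1, which is not a collision-resistant identifier for a distribution file; PyPI publishes SHA-256 digests for every release file, so the update job should record `{"alg": "SHA-256", "content": "<sha256 of the wheel/sdist actually installed>"}` for each component and fail rather than silently drop a hash that an earlier SBOM carried. Presumably sbom4python-0.11.3 (named in the SPDX header) is taking hashes from installed-dist metadata when available — worth confirming, since an SBOM without reproducible digests cannot be used to verify what was actually built.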
@@ -1934,10 +1938,6 @@ { "name": "python_version", "value": "3.9.20" - }, - { - "name": "package_release_date", - "value": "2024-11-27T20:43:21.000Z" } ] }, @@ -1945,7 +1945,7 @@ "type": "library", "bom-ref": "38-cryptography", "name": "cryptography", - "version": "44.0.0", + "version": "43.0.3", "supplier": { "name": "The cryptography developers The Python Cryptographic Authority and individual contributors", "contact": [ @@ -1954,7 +1954,7 @@ } ] }, - "cpe": "cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:44.0.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:43.0.3:*:*:*:*:*:*:*", "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.", "licenses": [ { @@ -1968,12 +1968,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/cryptography/44.0.0/#files", + "url": "https://pypi.org/project/cryptography/43.0.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cryptography@44.0.0", + "purl": "pkg:pypi/cryptography@43.0.3", "properties": [ { "name": "language", @@ -1982,10 +1982,6 @@ { "name": "python_version", "value": "3.9.20" - }, - { - "name": "package_release_date", - "value": "2024-11-27T18:05:55.000Z" } ] }, @@ -2585,7 +2581,7 @@ "type": "library", "bom-ref": "51-rpds-py", "name": "rpds-py", - "version": "0.21.0", + "version": "0.22.3", "supplier": { "name": "Julian Berman", "contact": [ 
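Review bot: The `version` for cryptography moves 44.0.0 → 43.0.3 and pyopenssl 24.3.0 → 24.2.1 in a commit titled "update SBOM", and both components also lose their `package_release_date` property; these are downgrades of the TLS/crypto stack, not updates, and the commit record does not say why. This looks like a resolver pin elsewhere in the repository (not visible in this diff) pulling the older versions, but a bot-authored merge should not be the place where a crypto dependency silently goes backwards. The generating workflow should diff the new `purl` versions against the previous SBOM and fail or label the PR when any component's version decreases, so a change like this gets an explicit human decision; the dropped `package_release_date` entries also suggest the generator could not resolve metadata for these two and should be treated as a warning rather than swallowed.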
@@ -2594,14 +2590,8 @@ } ] }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.22.3:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", - "hashes": [ - { - "alg": "SHA-1", - "content": "73581d8dfc56a24eac6ee32c83e6759b4506bb71" - } - ], "externalReferences": [ { "url": "https://github.com/crate-py/rpds", @@ -2609,12 +2599,12 @@ "comment": "Home page for project" }, { - "url": "https://pypi.org/project/rpds-py/0.21.0/#files", + "url": "https://pypi.org/project/rpds-py/0.22.3/#files", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.21.0", + "purl": "pkg:pypi/rpds-py@0.22.3", "properties": [ { "name": "language", @@ -2626,7 +2616,7 @@ }, { "name": "package_release_date", - "value": "2024-11-06T13:57:41.000Z" + "value": "2024-12-04T15:31:31.000Z" } ] }, @@ -2675,6 +2665,10 @@ { "name": "python_version", "value": "3.9.20" + }, + { + "name": "package_release_date", + "value": "2024-09-18T21:36:24.000Z" } ] }, @@ -2839,6 +2833,10 @@ { "name": "python_version", "value": "3.9.20" + }, + { + "name": "package_release_date", + "value": "2024-08-29T20:36:52.000Z" } ] }, diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx index db64b97d7f..0ea6f31d91 100644 --- a/sbom/cve-bin-tool-py3.9.spdx +++ b/sbom/cve-bin-tool-py3.9.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-fd502d23-ddda-46a2-92c0-86c59d9fd3e7 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-634a9368-ed3e-4f65-9676-93d8052f2d0d LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.3 -Created: 2024-12-02T00:41:00Z +Created: 2024-12-09T00:40:29Z CreatorComment: This document has been automatically generated. ##### 
@@ -27,17 +27,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4:*:*:*:*:*:* PackageName: aiohttp SPDXID: SPDXRef-2-aiohttp -PackageVersion: 3.11.9 +PackageVersion: 3.11.10 PrimaryPackagePurpose: LIBRARY PackageSupplier: NOASSERTION -PackageDownloadLocation: https://pypi.org/project/aiohttp/3.11.9/#files +PackageDownloadLocation: https://pypi.org/project/aiohttp/3.11.10/#files FilesAnalyzed: false PackageHomePage: https://github.com/aio-libs/aiohttp PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Async http client/server framework (asyncio) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.11.9 +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/aiohttp@3.11.10 ##### PackageName: aiohappyeyeballs @@ -309,10 +309,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:tomas_aparicio:filetype:1.2.0:*:*:*:*: PackageName: gsutil SPDXID: SPDXRef-19-gsutil -PackageVersion: 5.31 +PackageVersion: 5.32 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com) -PackageDownloadLocation: https://pypi.org/project/gsutil/5.31/#files +PackageDownloadLocation: https://pypi.org/project/gsutil/5.32/#files FilesAnalyzed: false PackageHomePage: https://cloud.google.com/storage/docs/gsutil PackageLicenseDeclared: NOASSERTION 
@@ -320,25 +320,26 @@ PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A command line tool for interacting with cloud storage services. -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/gsutil@5.31 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.31:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/gsutil@5.32 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.32:*:*:*:*:*:*:* ##### PackageName: argcomplete SPDXID: SPDXRef-20-argcomplete -PackageVersion: 3.5.1 +PackageVersion: 3.5.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com) -PackageDownloadLocation: https://pypi.org/project/argcomplete/3.5.1/#files +PackageDownloadLocation: https://pypi.org/project/argcomplete/3.5.2/#files FilesAnalyzed: false PackageHomePage: https://github.com/kislyuk/argcomplete +PackageChecksum: SHA1: fa88f807ee3f1d1c5b2647ca3c38fd3e0349dbfc PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Bash tab completion for argparse -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.5.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.5.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/argcomplete@3.5.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.5.2:*:*:*:*:*:*:* ##### PackageName: crcmod 
@@ -496,19 +497,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sybren_a._stuvel:rsa:4.7.2:*:*:*:*:*:* PackageName: six SPDXID: SPDXRef-30-six -PackageVersion: 1.16.0 +PackageVersion: 1.17.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Benjamin Peterson (benjamin@python.org) -PackageDownloadLocation: https://pypi.org/project/six/1.16.0/#files +PackageDownloadLocation: https://pypi.org/project/six/1.17.0/#files FilesAnalyzed: false PackageHomePage: https://github.com/benjaminp/six -PackageChecksum: SHA1: 65486e4383f9f411da95937451205d3c7b61b9e1 PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python 2 and 3 compatibility utilities -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/six@1.16.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:benjamin_peterson:six:1.16.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/six@1.17.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:benjamin_peterson:six:1.17.0:*:*:*:*:*:*:* ##### PackageName: google-auth-httplib2 @@ -618,10 +618,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:oauth2client:4.1.3:*:*:*:* PackageName: pyopenssl SPDXID: SPDXRef-37-pyopenssl -PackageVersion: 24.3.0 +PackageVersion: 24.2.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The pyOpenSSL developers (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/pyopenssl/24.3.0/#files +PackageDownloadLocation: https://pypi.org/project/pyopenssl/24.2.1/#files FilesAnalyzed: false PackageHomePage: https://pyopenssl.org/ PackageLicenseDeclared: NOASSERTION 
@@ -629,24 +629,24 @@ PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: pyopenssl declares Apache License, Version 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Python wrapper module around the OpenSSL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyopenssl@24.3.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:24.3.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/pyopenssl@24.2.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:24.2.1:*:*:*:*:*:*:* ##### PackageName: cryptography SPDXID: SPDXRef-38-cryptography -PackageVersion: 44.0.0 +PackageVersion: 43.0.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The cryptography developers The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/cryptography/44.0.0/#files +PackageDownloadLocation: https://pypi.org/project/cryptography/43.0.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/pyca/cryptography PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause PackageCopyrightText: NOASSERTION PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cryptography@44.0.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:44.0.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cryptography@43.0.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:43.0.3:*:*:*:*:*:*:* ##### PackageName: cffi 
@@ -850,19 +850,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:* PackageName: rpds-py SPDXID: SPDXRef-51-rpds-py -PackageVersion: 0.21.0 +PackageVersion: 0.22.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com) -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.21.0/#files +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.22.3/#files FilesAnalyzed: false PackageHomePage: https://github.com/crate-py/rpds -PackageChecksum: SHA1: 73581d8dfc56a24eac6ee32c83e6759b4506bb71 PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.21.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.21.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rpds-py@0.22.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.22.3:*:*:*:*:*:*:* ##### PackageName: lib4sbom