diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
index 63fbf185a8..37358523e4 100644
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -28,6 +28,7 @@ autoescape
 autoextract
 autoextracts
 avahi
+axel
 backend
 backends
 backport
@@ -77,6 +78,7 @@ checkername
 chess
 chris
 chrony
+civetweb
 clamav
 cleartext
 clnt
@@ -123,6 +125,7 @@ davfs
 dbus
 dearmor
 debian
+debianutils
 debuginfo
 devops
 dgst
@@ -136,6 +139,7 @@ dnsmasq
 docstring
 DOCTYPE
 domoticz
+dosfstools
 dovecot
 downloading
 doxygen
@@ -144,6 +148,7 @@ dropbear
 dsa
 dtls
 e
+ed
 elfutils
 emacs
 endoflife
@@ -192,7 +197,9 @@ ftpd
 fuzzer
 g
 GAD
+gawk
 gcc
+gdal
 gdb
 gdk
 Gemfile
@@ -248,6 +255,7 @@ httpd
 https
 hunspell
 hur
+hwloc
 i
 icecast
 icu
@@ -369,6 +377,7 @@ mentoring
 metabiswadeep
 metadata
 microsoft
+minetest
 mingw
 mini
 minicom
@@ -379,9 +388,11 @@ mkdir
 modsecurity
 modulename
 Molkree
+monit
 mosquitto
 motion
 mozilla
+mpg
 mpv
 msgid
 msgstr
@@ -389,6 +400,7 @@ msi
 msmtp
 msys
 mtr
+mupdf
 mutt
 myfork
 mypy
@@ -493,6 +505,7 @@ python
 pythonapp
 pyupgrade
 qemu
+qpdf
 Qqe
 qt
 quagga
@@ -518,6 +531,7 @@ reportlab
 rhythmrx
 Romi
 rossburton
+rpm
 rpmfile
 rpmfind
 RSD
@@ -583,6 +597,7 @@ taskbar
 tcpdump
 tcpreplay
 templating
+terminology
 terri
 terriko
 testfiles
@@ -605,6 +620,7 @@ triaging
 trousers
 tss
 turbo
+twonky
 u
 ubuntu
 udisks
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 525b19015e..06bcdd85b2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,39 +20,39 @@ updates: # Scanning is disabled for files in /test/ to avoid false positives. # These files are used for testing; vulnerable code is never installed or used. - - - package-ecosystem: cargo - directory: /test/language_data - schedule: - interval: monthly - ignore: - - dependency-name: "*" - - - package-ecosystem: bundler - directory: /test/language_data - schedule: - interval: monthly - ignore: - - dependency-name: "*" - - - package-ecosystem: gomod - directory: /test/language_data - schedule: - interval: monthly - ignore: - - dependency-name: "*" - - - package-ecosystem: pip - directory: /test/language_data - schedule: - interval: monthly - ignore: - - dependency-name: "*" - - - package-ecosystem: maven - directory: /test/language_data - schedule: - interval: monthly - ignore: - - dependency-name: "*" - +# These are commented out because they caused problems with other automated checks + +# - package-ecosystem: cargo +# directory: /test/language_data +# schedule: +# interval: monthly +# ignore: +# - dependency-name: "*" + +# - package-ecosystem: bundler +# directory: /test/language_data +# schedule: +# interval: monthly +# ignore: +# - dependency-name: "*" + +# - package-ecosystem: gomod +# directory: /test/language_data +# schedule: +# interval: monthly +# ignore: +# - dependency-name: "*" + +# - package-ecosystem: pip +# directory: /test/language_data +# schedule: +# interval: monthly +# ignore: +# - dependency-name: "*" + +# - package-ecosystem: maven +# directory: /test/language_data +# schedule: +# interval: monthly +# ignore: +# - dependency-name: "*" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d70e6a6b43..27a18e36d3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
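Review bot: The new explanatory line `# These are commented out because they caused problems with other automated checks` is too vague to act on, and the context comment just above it (`# Scanning is disabled for files in /test/ to avoid false positives.`) now describes entries that no longer exist. Name the checks that broke so a maintainer knows when the block can be restored, e.g. `# Disabled <DATE-PLACEHOLDER>: the /test/language_data entries broke <CHECK-NAME-PLACEHOLDER>; re-enable once that check ignores test fixtures`. Commenting the entries out also drops their `ignore: - dependency-name: "*"` rules, so if Dependabot security updates are enabled for this repository it can presumably now open update PRs against the intentionally vulnerable fixtures under /test/language_data — confirm that is acceptable or suppress it another way.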
@@ -42,16 +42,16 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 + uses: github/codeql-action/init@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -76,4 +76,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 + uses: github/codeql-action/analyze@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index c70943bc06..4adfe58f76 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -14,11 +14,11 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - uses: vapier/coverity-scan-action@cae3c096a2eb21c431961a49375ac17aea2670ce # v1.7.0 with: email: ${{ secrets.COVERITY_SCAN_EMAIL }} diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml index 41848c6453..024c875606 100644 --- a/.github/workflows/cve_scan.yml +++ b/.github/workflows/cve_scan.yml 
@@ -15,12 +15,12 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.x' cache: 'pip' @@ -30,7 +30,7 @@ jobs: run: | echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT - name: Get cached database - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 7bbc4c7838..fd3cc17386 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,11 +17,11 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - name: 'Checkout Repository' - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: 'Dependency Review' - uses: actions/dependency-review-action@f6fff72a3217f580d5afd49a46826795305b63c7 # v3.0.8 + uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0 diff --git a/.github/workflows/export_data.yml b/.github/workflows/export_data.yml index 3b8fcf9a0f..26ff0cb823 100644 
--- a/.github/workflows/export_data.yml +++ b/.github/workflows/export_data.yml @@ -26,13 +26,13 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.x' diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml index b5ca5be834..a3f3498f85 100644 --- a/.github/workflows/formatting.yml +++ b/.github/workflows/formatting.yml @@ -19,12 +19,12 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.x' cache: 'pip' diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 1402558272..7997bfeda7 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml 
@@ -20,12 +20,12 @@ jobs: tool: ['isort', 'black', 'pyupgrade', 'flake8', 'bandit', 'gitlint', 'mypy'] steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.x' cache: 'pip' @@ -46,5 +46,5 @@ jobs: run: | python -m pip install --upgrade gitlint echo "$TITLE" | gitlint - - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a + - uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index da6d487ea0..7d88dbd1ad 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml 
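Review bot: The bumped pin `- uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d` in the second hunk is the only action reference in this commit without a trailing release comment, so a reader cannot tell which release the new SHA corresponds to or verify it against the upstream tag. Every other pin here follows the `@<sha> # vX.Y.Z` convention; add the matching `# v<RELEASE-PLACEHOLDER>` comment for the release this SHA tags so reviewers and automated pin updaters can check the SHA against the tag.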
@@ -15,18 +15,19 @@ jobs: contents: write # for peter-evans/create-pull-request to create branch pull-requests: write # for peter-evans/create-pull-request to create a PR name: Generate SBOM + if: github.repository == 'intel/cve-bin-tool' # for SBOM generation on forks runs-on: ubuntu-22.04 strategy: matrix: python: ['3.8', '3.9', '3.10', '3.11'] steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ${{ matrix.python }} cache: 'pip' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ac29f1d533..5f7dca150c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
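Review bot: The comment on the added line `if: github.repository == 'intel/cve-bin-tool' # for SBOM generation on forks` says the opposite of what the condition does: the job is skipped on forks, not enabled for them. Reword it to state the effect and the reason, e.g. `if: github.repository == 'intel/cve-bin-tool' # skip on forks: this job pushes a branch and opens a PR`; the PR-creation step itself is outside the hunk, but the `contents: write` / `pull-requests: write` comments in the context lines indicate that is the reason.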
@@ -22,24 +22,24 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 with: results_file: results.sarif results_format: sarif publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index 971ed7c423..607baa5ac1 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -14,11 +14,11 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - uses: check-spelling/check-spelling@d7cd2973c513e84354f9d6cf50a6417a628a78ce # v0.0.21 with: post_comment: '0' diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index fe2d1b84a5..c874bed08d 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml 
@@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.x' cache: 'pip' @@ -56,12 +56,12 @@ jobs: timeout-minutes: 60 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ${{ matrix.python }} cache: 'pip' 
@@ -75,13 +75,13 @@ jobs: echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}" echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}" - name: Get today's cached database - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 id: todays-cache with: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }} - name: Get yesterday's cached database if today's is not available - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 if: steps.todays-cache.outputs.cache-hit != 'true' with: path: cache @@ -126,12 +126,12 @@ jobs: LONG_TESTS: 1 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.10' cache: 'pip' 
@@ -145,13 +145,13 @@ jobs: echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}" echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}" - name: Get today's cached database - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 id: todays-cache with: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }} - name: Get yesterday's cached database if today's is not available - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 if: steps.todays-cache.outputs.cache-hit != 'true' with: path: cache @@ -223,12 +223,12 @@ jobs: EXTERNAL_SYSTEM: 1 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.10' cache: 'pip' 
@@ -242,13 +242,13 @@ jobs: echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}" echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}" - name: Get today's cached database - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 id: todays-cache with: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }} - name: Get yesterday's cached database if today's is not available - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 if: steps.todays-cache.outputs.cache-hit != 'true' with: path: cache @@ -317,12 +317,12 @@ jobs: PYTHONIOENCODING: 'utf8' steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.10' cache: 'pip' 
@@ -336,14 +336,14 @@ jobs: echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}" echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.YESTERDAY }}" - name: Get today's cached database - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 id: todays-cache with: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }} enableCrossOsArchive: true - name: Get yesterday's cached database if today's is not available - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 if: steps.todays-cache.outputs.cache-hit != 'true' with: path: cache @@ -387,12 +387,12 @@ jobs: PYTHONIOENCODING: 'utf8' steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.9' cache: 'pip' 
@@ -406,14 +406,14 @@ jobs: echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}" echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.YESTERDAY }}" - name: Get today's cached database - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 id: todays-cache with: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }} enableCrossOsArchive: true - name: Get yesterday's cached database if today's is not available - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 if: steps.todays-cache.outputs.cache-hit != 'true' with: path: cache @@ -447,7 +447,7 @@ jobs: test/test_cli.py test/test_cvedb.py - name: Cache conda - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 env: # Increase to reset cache if requirements.txt file has not changed CACHE_NUMBER: 0 diff --git a/.github/workflows/update-cache.yml b/.github/workflows/update-cache.yml index 0506542071..d29cca6aef 100644 --- a/.github/workflows/update-cache.yml +++ b/.github/workflows/update-cache.yml @@ -22,12 +22,12 @@ jobs: timeout-minutes: 60 steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.10' cache: 'pip' 
@@ -35,7 +35,7 @@ jobs: id: get-date run: | echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT - - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }} diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml index 2b5ecf1053..a72ecfee11 100644 --- a/.github/workflows/update-js-dependencies.yml +++ b/.github/workflows/update-js-dependencies.yml @@ -22,13 +22,13 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.x' @@ -36,7 +36,7 @@ jobs: run: python .github/workflows/update_js_dependencies.py - name: Get cached Python packages - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.cache/pip key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} @@ -73,7 +73,7 @@ jobs: output_html(TestOutputEngine.MOCK_OUTPUT, None, "", "", "", 3, 3, 0, None, None, open("test.html", "w"))' - name: Upload mock report - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: HTML report path: test.html 
diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml index 950297c5a2..8ed89c4c8b 100644 --- a/.github/workflows/update-pre-commit.yml +++ b/.github/workflows/update-pre-commit.yml @@ -22,13 +22,13 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.x' diff --git a/.github/workflows/update-spdx-header.yml b/.github/workflows/update-spdx-header.yml index cbff23bafb..760a3b15e2 100644 --- a/.github/workflows/update-spdx-header.yml +++ b/.github/workflows/update-spdx-header.yml @@ -23,11 +23,11 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: Update spdx header run: | sed -i "s/[0-9]\{4\}/$(date +%Y)/" spdx_header.txt diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index eb6095fbbd..6a6f98a534 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -4,19 +4,19 @@ repos: hooks: - id: isort -- repo: https://github.com/python/black - rev: 23.3.0 +- repo: https://github.com/psf/black-pre-commit-mirror + rev: 23.9.1 hooks: - id: black - repo: https://github.com/asottile/pyupgrade - rev: v3.7.0 + rev: v3.10.1 hooks: - id: pyupgrade args: ["--py38-plus"] - repo: https://github.com/pycqa/flake8 - rev: 6.0.0 + rev: 6.1.0 hooks: - id: flake8 exclude: ^fuzz/generated/ @@ -33,7 +33,7 @@ repos: - id: gitlint - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.4.1 + rev: v1.5.1 hooks: - id: mypy additional_dependencies: diff --git a/.readthedocs.yml b/.readthedocs.yml index 51114e0958..791aab023e 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -5,6 +5,12 @@ # Required version: 2 +# Set the OS, Python version and other tools you might need +build: + os: ubuntu-22.04 + tools: + python: "3.10" + # Build documentation in the docs/ directory with Sphinx sphinx: configuration: doc/conf.py @@ -19,6 +25,6 @@ formats: # Optionally set the version of Python and requirements required to build your docs python: - version: 3.8 install: - requirements: doc/requirements.txt + diff --git a/README.md b/README.md index dc73cfffd0..76a270d14a 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # CVE Binary Tool quick start / README -[![Build Status](https://github.com/intel/cve-bin-tool/workflows/cve-bin-tool/badge.svg?branch=main&event=push)](https://github.com/intel/cve-bin-tool/actions) +[![Build Status](https://github.com/intel/cve-bin-tool/actions/workflows/cve_bin_tool_action.yml/badge.svg?branch=main&event=push)](https://github.com/intel/cve-bin-tool/actions) [![codecov](https://codecov.io/gh/intel/cve-bin-tool/branch/main/graph/badge.svg)](https://codecov.io/gh/intel/cve-bin-tool) [![Gitter](https://badges.gitter.im/cve-bin-tool/community.svg)](https://gitter.im/cve-bin-tool/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![On ReadTheDocs](https://readthedocs.org/projects/cve-bin-tool/badge/?version=latest&style=flat)](https://cve-bin-tool.readthedocs.io/en/latest/) @@ -14,7 +14,7 @@ The CVE Binary Tool is a free, open source tool to help you find known vulnerabi The tool has two main modes of operation: -1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are 313 checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat. +1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are 330 checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat. 2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats. It is intended to be used as part of your continuous integration system to enable regular vulnerability scanning and give you early warning of known issues in your supply chain. 
@@ -256,7 +256,9 @@ Output: note: don't use spaces between comma (',') and the output formats. -c CVSS, --cvss CVSS minimum CVSS score (as integer in range 0 to 10) to report (default: 0) --epss-percentile - minimum EPSS percentile of CVE range between 0 to 100 to report (default: 0) + minimum EPSS percentile of CVE range between 0 to 100 to report (input value can also be floating point) (default: 0) + --epss-probability + minimum EPSS probability of CVE range between 0 to 100 to report (input value can also be floating point) (default: 0) -S {low,medium,high,critical}, --severity {low,medium,high,critical} minimum CVE severity to report (default: low) --no-0-cve-report only produce report when CVEs are found 
@@ -437,55 +439,56 @@ This data source provides the CVEs for the CURL product. The following checkers are available for finding components in binary files: - -| | | | Available checkers | | | | -| --------------- | --------------- | ------------------ | ------------------ | --------------- | ------------ | ----------------- | -| accountsservice | acpid | apache_http_server | apcupsd | apparmor | asn1c | assimp | -| asterisk | atftp | avahi | bash | bind | binutils | bird | -| bison | bluez | boinc | botan | bro | bubblewrap | busybox | -| bwm_ng | bzip2 | c_ares | capnproto | ceph | chess | chrony | -| clamav | collectd | commons_compress | connman | coreutils | cpio | cronie | -| cryptsetup | cups | curl | cvs | darkhttpd | dav1d | davfs2 | -| dbus | dhclient | dhcpcd | dhcpd | dmidecode | dnsmasq | domoticz | -| dovecot | doxygen | dpkg | dropbear | e2fsprogs | elfutils | emacs | -| enscript | exim | exiv2 | f2fs_tools | faad2 | fastd | ffmpeg | -| file | firefox | flac | fluidsynth | freeradius | freerdp | fribidi | -| frr | gcc | gdb | gdk_pixbuf | gimp | git | glib | -| glibc | gmp | gnomeshell | gnupg | gnutls | gpgme | gpsd | -| graphicsmagick | grub2 | gstreamer | gupnp | gvfs | gzip | haproxy | -| harfbuzz | haserl | hdf5 | hostapd | hunspell | i2pd | icecast | -| icu | iperf3 | ipmitool | ipsec_tools | iptables | irssi | iucode_tool | -| jack2 | jacksondatabind | janus | jhead | json_c | kbd | keepalived | -| kerberos | kexectools | kodi | kubernetes | ldns | lftp | libarchive | -| libass | libbpg | libcoap | libconfuse | libcurl | libdb | libebml | -| libexpat | libgcrypt | libgd | libgit2 | libical | libidn2 | libinput | -| libjpeg | libjpeg_turbo | libksba | liblas | libmatroska | libmemcached | libmicrohttpd | -| libmodbus | libnss | libpcap | libraw | librsvg | librsync | libsamplerate | -| libseccomp | libsndfile | libsolv | libsoup | libsrtp | libssh | libssh2 | -| libtasn1 | libtiff | libtomcrypt | libupnp | libvirt | libvncserver | libvorbis | -| 
libxslt | lighttpd | linux_kernel | lldpd | logrotate | lua | luajit | -| lxc | lynx | lz4 | mailx | mariadb | mdadm | memcached | -| mini_httpd | minicom | minidlna | miniupnpc | miniupnpd | modsecurity | mosquitto | -| motion | mpv | msmtp | mtr | mutt | mysql | nano | -| nasm | nbd | ncurses | neon | nessus | netatalk | netkit_ftp | -| netpbm | nettle | nghttp2 | nginx | ngircd | nmap | node | -| ntfs_3g | ntp | ntpsec | open_iscsi | open_vm_tools | openafs | opencv | -| openjpeg | openldap | opensc | openssh | openssl | openswan | openvpn | -| p7zip | pango | patch | pcre | pcre2 | pcsc_lite | perl | -| picocom | pigz | pixman | png | polarssl_fedora | poppler | postgresql | -| ppp | privoxy | procps_ng | proftpd | pspp | pure_ftpd | putty | -| python | qemu | qt | quagga | radare2 | radvd | raptor | -| rauc | rdesktop | readline | rsync | rsyslog | rtl_433 | rtmpdump | -| runc | rust | samba | sane_backends | sdl | seahorse | shadowsocks_libev | -| sngrep | snort | sofia_sip | speex | spice | sqlite | squashfs | -| squid | sslh | stellarium | strongswan | stunnel | subversion | sudo | -| suricata | sylpheed | syslogng | sysstat | systemd | tcpdump | tcpreplay | -| thrift | thttpd | thunderbird | timescaledb | tinyproxy | tor | tpm2_tss | -| transmission | trousers | u_boot | udisks | unbound | unixodbc | upx | -| util_linux | varnish | vim | vorbis_tools | vsftpd | webkitgtk | wget | -| wireshark | wolfssl | wpa_supplicant | xerces | xml2 | xscreensaver | yasm | -| zabbix | zeek | zlib | znc | zsh | | | - +| | | | Available checkers | | | | +|----------------- |------------- |------------------ |--------------- |---------------- |-------------- |------------ | +| accountsservice |acpid |apache_http_server |apcupsd |apparmor |asn1c |assimp | +| asterisk |atftp |avahi |axel |bash |bind |binutils | +| bird |bison |bluez |boinc |botan |bro |bubblewrap | +| busybox |bwm_ng |bzip2 |c_ares |capnproto |ceph |chess | +| chrony |civetweb |clamav |collectd 
|commons_compress |connman |coreutils | +| cpio |cronie |cryptsetup |cups |curl |cvs |darkhttpd | +| dav1d |davfs2 |dbus |debianutils |dhclient |dhcpcd |dhcpd | +| dmidecode |dnsmasq |domoticz |dosfstools |dovecot |doxygen |dpkg | +| dropbear |e2fsprogs |ed |elfutils |emacs |enscript |exim | +| exiv2 |f2fs_tools |faad2 |fastd |ffmpeg |file |firefox | +| flac |fluidsynth |freeradius |freerdp |fribidi |frr |gawk | +| gcc |gdal |gdb |gdk_pixbuf |gimp |git |glib | +| glibc |gmp |gnomeshell |gnupg |gnutls |gpgme |gpsd | +| graphicsmagick |grep |grub2 |gstreamer |gupnp |gvfs |gzip | +| haproxy |harfbuzz |haserl |hdf5 |hostapd |hunspell |hwloc | +| i2pd |icecast |icu |iperf3 |ipmitool |ipsec_tools |iptables | +| irssi |iucode_tool |jack2 |jacksondatabind |janus |jhead |json_c | +| kbd |keepalived |kerberos |kexectools |kodi |kubernetes |ldns | +| lftp |libarchive |libass |libbpg |libcoap |libconfuse |libcurl | +| libdb |libebml |libexpat |libgcrypt |libgd |libgit2 |libical | +| libidn2 |libinput |libjpeg |libjpeg_turbo |libksba |liblas |libmatroska | +| libmemcached |libmicrohttpd |libmodbus |libnss |libpcap |libraw |librsvg | +| librsync |libsamplerate |libseccomp |libsndfile |libsolv |libsoup |libsrtp | +| libssh |libssh2 |libtasn1 |libtiff |libtomcrypt |libupnp |libvirt | +| libvncserver |libvorbis |libxslt |lighttpd |linux_kernel |lldpd |logrotate | +| lua |luajit |lxc |lynx |lz4 |mailx |mariadb | +| mdadm |memcached |minetest |mini_httpd |minicom |minidlna |miniupnpc | +| miniupnpd |modsecurity |monit |mosquitto |motion |mpg123 |mpv | +| msmtp |mtr |mupdf |mutt |mysql |nano |nasm | +| nbd |ncurses |neon |nessus |netatalk |netkit_ftp |netpbm | +| nettle |nghttp2 |nginx |ngircd |nmap |node |ntfs_3g | +| ntp |ntpsec |open_iscsi |open_vm_tools |openafs |opencv |openjpeg | +| openldap |opensc |openssh |openssl |openswan |openvpn |p7zip | +| pango |patch |pcre |pcre2 |pcsc_lite |perl |picocom | +| pigz |pixman |png |polarssl_fedora |poppler |postgresql |ppp | +| privoxy 
|procps_ng |proftpd |pspp |pure_ftpd |putty |python | +| qemu |qpdf |qt |quagga |radare2 |radvd |raptor | +| rauc |rdesktop |readline |rpm |rsync |rsyslog |rtl_433 | +| rtmpdump |runc |rust |samba |sane_backends |sdl |seahorse | +| shadowsocks_libev |sngrep |snort |sofia_sip |speex |spice |sqlite | +| squashfs |squid |sslh |stellarium |strongswan |stunnel |subversion | +| sudo |suricata |sylpheed |syslogng |sysstat |systemd |tcpdump | +| tcpreplay |terminology |thrift |thttpd |thunderbird |timescaledb |tinyproxy | +| tor |tpm2_tss |transmission |trousers |twonky_server |u_boot |udisks | +| unbound |unixodbc |upx |util_linux |varnish |vim |vorbis_tools | +| vsftpd |webkitgtk |wget |wireshark |wolfssl |wpa_supplicant |xerces | +| xml2 |xscreensaver |yasm |zabbix |zeek |zlib |znc | +| zsh | | | | | | | All the checkers can be found in the checkers directory, as can the diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py index 3cc42df48d..b3cef68d16 100644 --- a/cve_bin_tool/checkers/__init__.py +++ b/cve_bin_tool/checkers/__init__.py @@ -23,6 +23,7 @@ "asterisk", "atftp", "avahi", + "axel", "bash", "bind", "binutils", @@ -41,6 +42,7 @@ "ceph", "chess", "chrony", + "civetweb", "clamav", "collectd", "commons_compress", @@ -56,17 +58,20 @@ "dav1d", "davfs2", "dbus", + "debianutils", "dhclient", "dhcpcd", "dhcpd", "dmidecode", "dnsmasq", "domoticz", + "dosfstools", "dovecot", "doxygen", "dpkg", "dropbear", "e2fsprogs", + "ed", "elfutils", "enscript", "emacs", @@ -84,7 +89,9 @@ "freerdp", "fribidi", "frr", + "gawk", "gcc", + "gdal", "gdb", "gdk_pixbuf", "gimp", @@ -98,6 +105,7 @@ "gpgme", "gpsd", "graphicsmagick", + "grep", "grub2", "gstreamer", "gupnp", @@ -109,6 +117,7 @@ "hdf5", "hostapd", "hunspell", + "hwloc", "i2pd", "icecast", "icu", 
@@ -188,17 +197,21 @@ "mariadb", "mdadm", "memcached", + "minetest", "mini_httpd", "minicom", "minidlna", "miniupnpc", "miniupnpd", "modsecurity", + "monit", "mosquitto", "motion", + "mpg123", "mpv", "msmtp", "mtr", + "mupdf", "mutt", "mysql", "nano", @@ -253,6 +266,7 @@ "putty", "python", "qemu", + "qpdf", "qt", "quagga", "radare2", @@ -261,6 +275,7 @@ "rauc", "rdesktop", "readline", + "rpm", "rtl_433", "rtmpdump", "rsync", @@ -293,6 +308,7 @@ "systemd", "tcpdump", "tcpreplay", + "terminology", "thrift", "thttpd", "thunderbird", @@ -302,6 +318,7 @@ "tpm2_tss", "transmission", "trousers", + "twonky_server", "u_boot", "udisks", "unbound", diff --git a/cve_bin_tool/checkers/axel.py b/cve_bin_tool/checkers/axel.py new file mode 100644 index 0000000000..328b345110 --- /dev/null +++ b/cve_bin_tool/checkers/axel.py @@ -0,0 +1,21 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for axel + +https://www.cvedetails.com/product/4969/Axel-Axel.html?vendor_id=2842 +https://www.cvedetails.com/product/87416/Axel-Project-Axel.html?vendor_id=23577 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class AxelChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"Axel/([0-9]+\.[0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("axel", "axel"), ("axel_project", "axel")] diff --git a/cve_bin_tool/checkers/bind.py b/cve_bin_tool/checkers/bind.py index 3f90400151..18f3523186 100644 --- a/cve_bin_tool/checkers/bind.py +++ b/cve_bin_tool/checkers/bind.py 
@@ -19,9 +19,25 @@ class BindChecker(Checker): # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details # r"/bind9.xsl", ] - FILENAME_PATTERNS = [r"named"] + FILENAME_PATTERNS = [ + r"named", + r"liblwres\.so", + r"libdns([-_]?(\d+\.)+\d.*)?\.so", + r"libirs([-_]?(\d+\.)+\d.*)?\.so", + r"libisc([-_]?(\d+\.)+\d.*)?\.so", + r"libisccc([-_]?(\d+\.)+\d.*)?\.so", + r"libisccfg([-_]?(\d+\.)+\d.*)?\.so", + r"libns([-_]?(\d+\.)+\d.*)?\.so", + ] VERSION_PATTERNS = [ r"version: BIND ([0-9]+\.[0-9]+\.[0-9]+)", # for .rpm, .tgz, etc. r"(?:lib|/)bind[0-9]*-([0-9]+\.[0-9]+\.[0-9]+)", # for .deb + r"/bind9-([0-9]+\.[0-9]+\.[0-9]+)" # using buildpath if included + # If you trust the filenames to contain the right version number enable the following regular expressions: + # r"libisc-([0-9]+\.[0-9]+\.[0-9]+)", # for libisc + # r"libisccfg-([0-9]+\.[0-9]+\.[0-9]+)", # for libisccfg + # r"libisccc-([0-9]+\.[0-9]+\.[0-9]+)", #for libisccc + # r"libns-([0-9]+\.[0-9]+\.[0-9]+)", #for libns + # r"libdns-([0-9]+\.[0-9]+\.[0-9]+)" #for libdns ] VENDOR_PRODUCT = [("isc", "bind")] diff --git a/cve_bin_tool/checkers/civetweb.py b/cve_bin_tool/checkers/civetweb.py new file mode 100644 index 0000000000..78790cb9b5 --- /dev/null +++ b/cve_bin_tool/checkers/civetweb.py @@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for civetweb + +https://www.cvedetails.com/product/47117/Civetweb-Project-Civetweb.html?vendor_id=18572 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class CivetwebChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"civetweb[A-Za-z /_,%:\(\)\-\r\n]*([0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("civetweb_project", "civetweb")] diff --git a/cve_bin_tool/checkers/debianutils.py b/cve_bin_tool/checkers/debianutils.py new file mode 100644 index 0000000000..07a80f80d4 
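Review bot: The civetweb VERSION_PATTERNS entry `civetweb[A-Za-z /_,%:\(\)\-\r\n]*([0-9]+\.[0-9]+)` captures the first dotted number reachable from the word "civetweb" across a window that admits letters, slashes, spaces and line breaks, so an unrelated two-part number inside that window (a protocol string like `HTTP/1.1`, if one happens to sit there) would be reported as the component version and steer CVE lookup to the wrong release. The ed, hwloc and mupdf checkers added in this same diff use the same wide-window style and share the concern. A pattern that stops at the line the version actually lives on, e.g. `r"civetweb[^\r\n]*\r?\n([0-9]+\.[0-9]+)"` (constructed; adjust to the real string layout), or at least a comment on the line naming the embedded string it was written against, would make the intent checkable by the next reader.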
--- /dev/null +++ b/cve_bin_tool/checkers/debianutils.py @@ -0,0 +1,36 @@ +# Copyright (C) 2023 SCHUTZWERK GmbH +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for debianutils + +References: +https://salsa.debian.org/debian/debianutils + +""" + +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class DebianutilsChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS = [ + r"run-parts", + r"tempfile", + r"ischroot", + r"installkernel", + r"savelog", + r"which.debianutils", + r"add-shell", + r"remove-shell", + r"update-shells", + ] + VERSION_PATTERNS = [ + r"\r?\nDebian run-parts program, version\s([0-9]+\.[0-9]+)", + r"\r?\ntempfile\s([0-9]+\.[0-9]+)", + r"\r?\nDebian ischroot, version\s([0-9]+\.[0-9]+)", + ] + VENDOR_PRODUCT = [("debian", "debianutils")] diff --git a/cve_bin_tool/checkers/dosfstools.py b/cve_bin_tool/checkers/dosfstools.py new file mode 100644 index 0000000000..9ce61604ac --- /dev/null +++ b/cve_bin_tool/checkers/dosfstools.py @@ -0,0 +1,34 @@ +# Copyright (C) 2023 SCHUTZWERK GmbH +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for dosfstools +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=2.3&keyword=cpe%3A2.3%3Aa%3Adosfstools_project%3Adosfstools&status=FINAL + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class DosfstoolsChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS = [ + r"dosfsck", + r"dosfslabel", + r"fatlabel", + r"fsck.fat", + r"fsck.msdos", + r"fsck.vfat", + r"mkdosfs", + r"mkfs.fat", + r"mkfs.msdos", + r"mkfs.vfat", + ] + VERSION_PATTERNS = [ + r"fsck.fat (\d+\.\d+)", + r"mkfs.fat (\d+\.\d+)", + r"/dosfstools-(\d+\.\d+)", # match with buildpath if included + ] + VENDOR_PRODUCT = [("dosfstools_project", "dosfstools")] diff --git a/cve_bin_tool/checkers/e2fsprogs.py b/cve_bin_tool/checkers/e2fsprogs.py index 52e3b06985..748ca8a353 100644 
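Review bot: Several FILENAME_PATTERNS in the debianutils hunk use an unescaped `.` and no anchor — `r"which.debianutils"`, and the very generic `r"tempfile"` and `r"run-parts"` — and the dosfstools hunk does the same with `r"fsck.fat"`, `r"mkfs.vfat"` and its version pattern `r"fsck.fat (\d+\.\d+)"`. As written the dot matches any character and the name matches as a substring, so an unrelated file whose name merely contains `tempfile` gets attributed to debianutils and pads the report with false positives. Escaping the dots and anchoring the way the e2fsprogs checker in this same commit does would narrow them: `r"fsck\.fat$"`, `r"mkfs\.vfat$"`, `r"which\.debianutils$"`. Whether `$` is honored depends on how the framework applies FILENAME_PATTERNS, which is outside this diff; the e2fsprogs list suggests it is.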
--- a/cve_bin_tool/checkers/e2fsprogs.py +++ b/cve_bin_tool/checkers/e2fsprogs.py @@ -16,9 +16,41 @@ class E2FsprogsChecker(Checker): CONTAINS_PATTERNS: list[str] = [] - FILENAME_PATTERNS: list[str] = [] + FILENAME_PATTERNS = [ + r"libe2p\.so", + r"libe2p\.so", + r"libext2fs\.so", + r"libext2fs\.so", + r"libcom_err\.so", + r"badblocks$", + r"debugfs$", + r"dumpe2fs$", + r"e2fsck$", + r"e2image$", + r"e2label$", + r"e2mmpstatus$", + r"e2undo$", + r"fsck\.ext2$", + r"fsck\.ext3$", + r"fsck\.ext4$", + r"logsave$", + r"mke2fs$", + r"mkfs\.ext2$", + r"mkfs\.ext3$", + r"mkfs\.ext4$", + r"resize2fs$", + r"tune2fs$", + r"hattr", + r"sattr", + r"e2freefrag", + r"e4crypt", + r"e4defrag", + r"filefrag", + r"mklost\+found", + ] VERSION_PATTERNS = [ r"e2fsprogs\r?\n([0-9]+\.[0-9]+\.[0-9]+)", + r"e2fsprogs-([0-9]+\.[0-9]+\.[0-9]+)", r"([0-9]+\.[0-9]+\.[0-9]+)\r?\nError: ext2fs", r"EXT2FS Library version ([0-9]+\.[0-9]+\.[0-9]+)", ] diff --git a/cve_bin_tool/checkers/ed.py b/cve_bin_tool/checkers/ed.py new file mode 100644 index 0000000000..a0a0137569 --- /dev/null +++ b/cve_bin_tool/checkers/ed.py @@ -0,0 +1,23 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for ed + +https://www.cvedetails.com/product/1094/GNU-ED.html?vendor_id=72 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class EdChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [ + r"([0-9]+\.[0-9]+)[A-Za-z0-9 '%\.\-\r\n]*GNU ed", + r"ed\.html[A-Za-z /:\.\r\n]*([0-9]+\.[0-9]+)", + ] + VENDOR_PRODUCT = [("gnu", "ed")] diff --git a/cve_bin_tool/checkers/gawk.py b/cve_bin_tool/checkers/gawk.py new file mode 100644 index 0000000000..c8f5c6017f --- /dev/null +++ b/cve_bin_tool/checkers/gawk.py 
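Review bot: The new FILENAME_PATTERNS list contains `r"libe2p\.so"` and `r"libext2fs\.so"` twice each; the duplicates add nothing and should be dropped. The list also mixes `$`-anchored names (`badblocks$`, `e2fsck$`) with unanchored fragments (`hattr`, `sattr`, `filefrag`); if the fragments are meant to cover `chattr`/`lsattr`, a comment such as `# hattr/sattr: match chattr and lsattr` would stop the next reader from "fixing" them, otherwise they should be anchored like the rest. The added version pattern `r"e2fsprogs-([0-9]+\.[0-9]+\.[0-9]+)"` looks consistent with the existing ones. The class body continues past the hunk.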
@@ -0,0 +1,21 @@ +# Copyright (C) 2023 SCHUTZWERK GmbH +# SPDX-License-Identifier: GPL-3.0-or-later + +""" +CVE checker for binutils + +References: +http://savannah.gnu.org/projects/gawk/ +https://www.gnu.org/software/gawk/ +""" + +from cve_bin_tool.checkers import Checker + + +class GawkChecker(Checker): + CONTAINS_PATTERNS = [] + FILENAME_PATTERNS = [ + r"gawk", + ] + VERSION_PATTERNS = [r"GNU Awk (\d+\.\d+\.\d+)"] + VENDOR_PRODUCT = [("gnu", "gawk")] diff --git a/cve_bin_tool/checkers/gdal.py b/cve_bin_tool/checkers/gdal.py new file mode 100644 index 0000000000..b24b559aee --- /dev/null +++ b/cve_bin_tool/checkers/gdal.py @@ -0,0 +1,21 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for gdal + +https://www.cvedetails.com/product/6063/Gdal-Gdal.html?vendor_id=3467 +https://www.cvedetails.com/product/75959/Osgeo-Gdal.html?vendor_id=21030 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class GdalChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"gdal-([0-9]+\.[0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("gdal", "gdal"), ("osgeo", "gdal")] diff --git a/cve_bin_tool/checkers/grep.py b/cve_bin_tool/checkers/grep.py new file mode 100644 index 0000000000..efa2285e15 --- /dev/null +++ b/cve_bin_tool/checkers/grep.py @@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for grep + +https://www.cvedetails.com/product/23804/GNU-Grep.html?vendor_id=72 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class GrepChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"([0-9]+\.[0-9]+)\r?\nGNU grep", r"\r?\ngrep-([0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("gnu", "grep")] 
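Review bot: The gawk checker's module docstring reads `CVE checker for binutils`, a copy-paste leftover that should be `CVE checker for gawk`. The file also departs from the sibling checkers added in this same diff (gdal, grep): it lacks `from __future__ import annotations`, declares `CONTAINS_PATTERNS = []` without the `list[str]` annotation the others carry, and its filename pattern `r"gawk"` is unanchored. Each is a one-line alignment, e.g. `CONTAINS_PATTERNS: list[str] = []`.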
diff --git a/cve_bin_tool/checkers/hostapd.py b/cve_bin_tool/checkers/hostapd.py index 0c987289a4..2e829b4f70 100644 --- a/cve_bin_tool/checkers/hostapd.py +++ b/cve_bin_tool/checkers/hostapd.py @@ -18,7 +18,7 @@ class HostapdChecker(Checker): CONTAINS_PATTERNS: list[str] = [] FILENAME_PATTERNS = [r"hostapd"] VERSION_PATTERNS = [ - r"hostapd[_a-z]* v([0-9]+\.[0-9]+)", + r"\nhostapd[_a-z]* v([0-9]+\.[0-9]+)", r"([0-9]+\.[0-9]+)[a-z-]*\r?\nhostapd", ] VENDOR_PRODUCT = [("w1.fi", "hostapd")] diff --git a/cve_bin_tool/checkers/hwloc.py b/cve_bin_tool/checkers/hwloc.py new file mode 100644 index 0000000000..2bc86ebeb7 --- /dev/null +++ b/cve_bin_tool/checkers/hwloc.py @@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for hwloc + +https://www.cvedetails.com/product/160091/Open-mpi-Hwloc.html?vendor_id=32672 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class HwlocChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"hwloc[a-zA-Z/%#() \-\.\r\n]*([0-9]+\.[0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("open-mpi", "hwloc")] diff --git a/cve_bin_tool/checkers/iperf3.py b/cve_bin_tool/checkers/iperf3.py index f27ac1a2d8..6deec9aa2f 100644 --- a/cve_bin_tool/checkers/iperf3.py +++ b/cve_bin_tool/checkers/iperf3.py @@ -6,6 +6,7 @@ CVE checker for iperf3 https://www.cvedetails.com/product/116968/Iperf3-Project-Iperf3.html?vendor_id=27537 +https://www.cvedetails.com/product/149314/ES-Iperf3.html?vendor_id=31562 """ from __future__ import annotations @@ -17,4 +18,4 @@ class Iperf3Checker(Checker): CONTAINS_PATTERNS: list[str] = [] FILENAME_PATTERNS: list[str] = [] VERSION_PATTERNS = [r"iperf ([0-9]+\.[0-9]+\.?[0-9]*)"] - VENDOR_PRODUCT = [("iperf3_project", "iperf3")] + VENDOR_PRODUCT = [("es", "iperf3"), ("iperf3_project", "iperf3")] 
diff --git a/cve_bin_tool/checkers/minetest.py b/cve_bin_tool/checkers/minetest.py new file mode 100644 index 0000000000..4e3f89ff29 --- /dev/null +++ b/cve_bin_tool/checkers/minetest.py @@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for minetest + +https://www.cvedetails.com/product/108535/Minetest-Minetest.html?vendor_id=26371 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class MinetestChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"minetest-([0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)?)"] + VENDOR_PRODUCT = [("minetest", "minetest")] diff --git a/cve_bin_tool/checkers/monit.py b/cve_bin_tool/checkers/monit.py new file mode 100644 index 0000000000..8d5994c1cf --- /dev/null +++ b/cve_bin_tool/checkers/monit.py @@ -0,0 +1,21 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for monit + +https://www.cvedetails.com/product/3156/Tildeslash-Monit.html?vendor_id=1848 +https://www.cvedetails.com/product/61321/Mmonit-Monit.html?vendor_id=14182 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class MonitChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"monit ([0-9]+\.[0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("mmonit", "monit"), ("tildeslash", "monit")] diff --git a/cve_bin_tool/checkers/mpg123.py b/cve_bin_tool/checkers/mpg123.py new file mode 100644 index 0000000000..3875bd24ab --- /dev/null +++ b/cve_bin_tool/checkers/mpg123.py 
@@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for mpg123 + +https://www.cvedetails.com/product/3045/Mpg123-Mpg123.html?vendor_id=1781 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class Mpg123Checker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"mpg123\r?\n([0-9]+\.[0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("mpg123", "mpg123")] diff --git a/cve_bin_tool/checkers/mupdf.py b/cve_bin_tool/checkers/mupdf.py new file mode 100644 index 0000000000..a46861c66d --- /dev/null +++ b/cve_bin_tool/checkers/mupdf.py @@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for mupdf + +https://www.cvedetails.com/product/20840/Artifex-Mupdf.html?vendor_id=10846 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class MupdfChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"mupdf[A-Za-z '/:%\-\r\n]*([0-9]+\.[0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("artifex", "mupdf")] diff --git a/cve_bin_tool/checkers/openssh.py b/cve_bin_tool/checkers/openssh.py index 683446d6ba..6329f910a8 100644 --- a/cve_bin_tool/checkers/openssh.py +++ b/cve_bin_tool/checkers/openssh.py @@ -7,6 +7,7 @@ References: https://www.cvedetails.com/product/585/Openbsd-Openssh.html?vendor_id=97 +https://www.cvedetails.com/product/12081/Openssh-Openssh.html?vendor_id=7161 """ from __future__ import annotations @@ -29,4 +30,4 @@ class OpensshChecker(Checker): r"sshd", ] VERSION_PATTERNS = [r"\r?\nOpenSSH_([0-9]+\.[0-9]+(\.[0-9]+)?p[0-9]+)(?:\r?\n| )"] - VENDOR_PRODUCT = [("openbsd", "openssh")] + VENDOR_PRODUCT = [("openbsd", "openssh"), ("openssh", "openssh")] diff --git a/cve_bin_tool/checkers/qpdf.py b/cve_bin_tool/checkers/qpdf.py new file mode 100644 index 0000000000..3091884f24 --- /dev/null 
+++ b/cve_bin_tool/checkers/qpdf.py @@ -0,0 +1,23 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for qpdf + +https://www.cvedetails.com/product/38012/Qpdf-Project-Qpdf.html?vendor_id=16505 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class QpdfChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [ + r"QPDF decoding error warning\r?\n([0-9]+\.[0-9]+\.[0-9]+)", + r"qpdf-([0-9]+\.[0-9]+\.[0-9]+)", + ] + VENDOR_PRODUCT = [("qpdf_project", "qpdf")] diff --git a/cve_bin_tool/checkers/rpm.py b/cve_bin_tool/checkers/rpm.py new file mode 100644 index 0000000000..b61ec65583 --- /dev/null +++ b/cve_bin_tool/checkers/rpm.py @@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for rpm + +https://www.cvedetails.com/product/19571/RPM-RPM.html?vendor_id=5376 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class RpmChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"rpm[a-z]*\-([0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)?)"] + VENDOR_PRODUCT = [("rpm", "rpm")] diff --git a/cve_bin_tool/checkers/samba.py b/cve_bin_tool/checkers/samba.py index 87f8ce949c..c5049130ac 100644 --- a/cve_bin_tool/checkers/samba.py +++ b/cve_bin_tool/checkers/samba.py @@ -34,6 +34,6 @@ class SambaChecker(Checker): ] VERSION_PATTERNS = [ r"SAMBA_([0-9]+\.[0-9]+\.[0-9]+)", - r"samba/([0-9]+\.[0-9]+\.[0-9]+)", + r"samba[/-]([0-9]+\.[0-9]+\.[0-9]+)", ] VENDOR_PRODUCT = [("samba", "samba")] diff --git a/cve_bin_tool/checkers/tcpdump.py b/cve_bin_tool/checkers/tcpdump.py index e6aaebfbce..c2679d42e1 100644 --- a/cve_bin_tool/checkers/tcpdump.py +++ b/cve_bin_tool/checkers/tcpdump.py 
@@ -19,8 +19,10 @@ class TcpdumpChecker(Checker): # lookup_{emem,protoid} are static functions provided by tcpdump in addrtoname.c VERSION_PATTERNS = [ r"tcpdump-([0-9]+\.[0-9]+\.[0-9]+)", - r"([0-9]+\.[0-9]+\.[0-9]+)\r?\n[0-9a-f]*lookup_(?:emem|protoid)", + r"([0-9]+\.[0-9]+\.[0-9]+)[0-9a-zA-Z ,%:\r\n]*lookup_(?:emem|protoid)", r"Running\r?\n([0-9]+\.[0-9]+\.[0-9]+)\r?\n0123456789", r"tcpdump[0-9a-zA-Z ,!'%:_=\(\)\\\.\-\r\n]*\r?\n([0-9]+\.[0-9]+\.[0-9]+)", + r"([0-9]+\.[0-9]+\.[0-9]+)[0-9a-zA-Z ,%:\r\n]*lookup_(?:emem|protoid)", + r"version ([0-9]+\.[0-9]+\.[0-9]+)\r?\nSMI-library", ] VENDOR_PRODUCT = [("tcpdump", "tcpdump")] diff --git a/cve_bin_tool/checkers/terminology.py b/cve_bin_tool/checkers/terminology.py new file mode 100644 index 0000000000..b9f8c501de --- /dev/null +++ b/cve_bin_tool/checkers/terminology.py @@ -0,0 +1,23 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for terminology + +https://www.cvedetails.com/product/60929/Enlightenment-Terminology.html?vendor_id=1065 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class TerminologyChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [ + r"([0-9]+\.[0-9]+\.[0-9]+)\r?\nterminology", + r"terminology ([0-9]+\.[0-9]+\.[0-9]+)", + ] + VENDOR_PRODUCT = [("enlightenment", "terminology")] diff --git a/cve_bin_tool/checkers/twonky_server.py b/cve_bin_tool/checkers/twonky_server.py new file mode 100644 index 0000000000..9ac1af5733 --- /dev/null +++ b/cve_bin_tool/checkers/twonky_server.py 
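Review bot: The version pattern `r"([0-9]+\.[0-9]+\.[0-9]+)[0-9a-zA-Z ,%:\r\n]*lookup_(?:emem|protoid)"` now appears twice in VERSION_PATTERNS — once as the rewritten second entry and again as a new entry after the `tcpdump[...]` pattern — so one copy should be removed. The rewrite also widens the old `\r?\n[0-9a-f]*` bridge to a class spanning letters, spaces and newlines, which lets a dotted number from an unrelated neighbouring string be taken as the tcpdump version; a comment on that line naming the string layout it was written against would let a later reader judge the trade-off.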
@@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for twonky_server + +https://www.cvedetails.com/product/70996/Lynxtechnology-Twonky-Server.html?vendor_id=21991 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class TwonkyServerChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"Product Name:Twonky, Version:([0-9]+\.[0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("lynxtechnology", "twonky_server")] diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py index ec8257d24c..1c6046d1c2 100644 --- a/cve_bin_tool/cli.py +++ b/cve_bin_tool/cli.py @@ -82,7 +82,10 @@ class StringToListAction(argparse.Action): + """Convert comma-separated strings to lists.""" + def __call__(self, parser, namespace, values, option_string=None): + """Parse and convert comma-separated values to a list.""" values = list(map(lambda val: val.strip(), values.split(","))) setattr(namespace, self.dest, values) @@ -272,6 +275,12 @@ def main(argv=None): help="minimum epss percentile of CVE range between 0 to 100 to report (default: 0)", default=0, ) + output_group.add_argument( + "--epss-probability", + action="store", + help="minimum epss probability of CVE range between 0 to 100 to report (default: 0)", + default=0, + ) output_group.add_argument( "--no-0-cve-report", action="store_true", 
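Review bot: The new `--epss-probability` option in the `@@ -272` hunk is registered with `action="store"` and no `type=`, so its value stays a string until `float(args["epss_probability"])` in the later hunk at line 582, where a non-numeric value surfaces as an uncaught ValueError instead of an argparse usage error (as far as this diff shows; the existing `--epss-percentile` has the same gap). Passing `type=float` here reports bad input at parse time with a clear message. The help text `between 0 to 100` should also say that the value is divided by 100 before comparison, since EPSS probabilities are published on a 0–1 scale and a user may otherwise pass `0.5` meaning 50%. `main` begins and ends outside the hunk.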
@@ -573,8 +582,14 @@ def main(argv=None):
 score = int(args["cvss"])
 epss_percentile = 0
- if float(args["epss_percentile"]) > 0:
+ if float(args["epss_percentile"]) > 0 or float(args["epss_percentile"]) < 100:
 epss_percentile = float(args["epss_percentile"]) / 100
+ LOGGER.debug(f"epss percentile stored {epss_percentile}")
+
+ epss_probability = 0
+ if float(args["epss_probability"]) > 0 or float(args["epss_probability"]) < 100:
+ epss_probability = float(args["epss_probability"]) / 100
+ LOGGER.debug(f"epss probability stored {epss_probability}")
 config_generate = set(args["generate_config"].split(","))
 config_generate = [config_type.strip() for config_type in config_generate]
@@ -877,6 +892,7 @@ def main(argv=None):
 with CVEScanner(
 score=score,
 epss_percentile=epss_percentile,
+ epss_probability=epss_probability,
 check_exploits=args["exploits"],
 exploits_list=cvedb_orig.get_exploits_list(),
 disabled_sources=disabled_sources,
diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
index 2056aa592a..e2d4b22202 100644
--- a/cve_bin_tool/cve_scanner.py
+++ b/cve_bin_tool/cve_scanner.py
@@ -41,6 +41,7 @@ def __init__(
 self,
 score: int = 0,
 epss_percentile: float = 0.0,
+ epss_probability: float = 0.0,
 logger: Logger = None,
 error_mode: ErrorMode = ErrorMode.TruncTrace,
 check_exploits: bool = False,
@@ -51,6 +52,7 @@ def __init__(
 self.error_mode = error_mode
 self.score = score
 self.epss_percentile = epss_percentile
+ self.epss_probability = epss_probability
 self.products_with_cve = 0
 self.products_without_cve = 0
 self.all_cve_data = defaultdict(CVEData)
@@ -68,9 +70,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
 # Prevent any queries resulting in CVEs with UNKNOWN score value
 # being reported
- if self.score > 10:
- return
- if self.epss_percentile > 100:
+ if self.score > 10 or self.epss_probability > 1.0 or self.epss_percentile > 1.0:
 return
 if product_info.vendor == "UNKNOWN":
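Review bot: In the hunk at line 582 the guard `float(args["epss_percentile"]) > 0 or float(args["epss_percentile"]) < 100` holds for every finite number (any value is either above 0 or below 100), and the new `epss_probability` guard has the same shape, so neither rejects anything: `--epss-percentile 150` is stored as 1.5 and `-5` as -0.05. The stored value then trips the early `return` added to `get_cves` in the `@@ -68` hunk of cve_scanner.py, which drops every CVE for every product without a message, so a mistyped threshold produces a clean-looking empty report — the worst failure mode for a vulnerability scanner. I would validate once in cli.py and exit with an error when the value is outside 0–100, and have the scanner-side check log an error rather than return silently; if a guard is kept here it should read `if 0 < float(args["epss_percentile"]) <= 100:`. The `LOGGER.debug(f"...")` calls would also be better as lazy `LOGGER.debug("epss percentile stored %s", epss_percentile)`. `main` continues on both sides of the hunk.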
@@ -262,7 +262,9 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData): ) # executing query to get metric for CVE metric_result = self.metric( - (row["cve_number"],), self.epss_percentile + (row["cve_number"],), + self.epss_percentile, + self.epss_probability, ) # row_dict doesnt have metric as key. As it based on result from query on cve_severity table # declaring row_dict[metric] @@ -274,7 +276,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData): value[1], ] # checking if epss percentile filter is applied - if self.epss_percentile: + if self.epss_percentile > 0.0 or self.epss_probability > 0.0: # if epss filter is applied and condition is failed to satisfy row_dict["metric"] will be empty if not row_dict["metric"]: # continue to not include that particular cve @@ -370,7 +372,7 @@ def affected(self): for cve_data in self.all_cve_data ) - def metric(self, cve_number, epss_percentile): + def metric(self, cve_number, epss_percentile, epss_probability): """The query needs to be executed separately because if it is executed using the same cursor, the search stops. We need to create a separate connection and cursor for the query to be executed independently. Finally, the function should return a dictionary with the metrics of a given CVE. 
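Review bot: In the `@@ -370` hunk `metric` gains a third positional parameter `epss_probability` with no default, which breaks any caller other than the updated one in the `@@ -262` hunk (none is visible in this diff, so that may be acceptable), and its docstring still only explains the separate-cursor issue and says nothing about what the two thresholds do to the result. A default of `0.0`, `def metric(self, cve_number, epss_percentile, epss_probability=0.0):`, keeps the old call shape working and matches the truthiness gating in the body, where 0 means "no filter". The docstring should also state that a CVE failing a threshold comes back without its remaining metrics, because the `@@ -276` hunk relies on exactly that through `if not row_dict["metric"]`. The function body continues past the hunk.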
@@ -391,15 +393,29 @@ def metric(self, cve_number, epss_percentile):
 # if metric is EPSS if metric field must represent EPSS percentile
 if metric_name == "EPSS":
 # comparing if EPSS percentile found in CVE is less then EPSS percentile return
- if float(metric_field) < epss_percentile:
- cur.close()
- conn.close()
- return met
+
+ # checks if both epss percentile and epss probaility are given. And if given they are greater than found in current CVE. if not it break loops and skips that CVE
+ if (
+ epss_probability
+ and epss_percentile
+ and (
+ float(metric_field) < float(epss_percentile)
+ or float(metric_score) < float(epss_probability)
+ )
+ ):
+ break
+ # checks if only epss percentile is given and if given then it should be higher than found epss percentile in current CVE. if not it break loops and skips that CVE
+ elif epss_percentile and float(metric_field) < epss_percentile:
+ break
+ # checks if only epss probability is given and if given then it should be higher than found epss probability in current CVE. if not it break loops and skips that CVE
+ elif epss_probability and float(metric_score) < epss_probability:
+ break
+
+ self.logger.debug(f"metrics found in CVE {cve_number} is {met}")
 met[metric_name] = [
 metric_score,
 metric_field,
 ]
- self.logger.debug(f"metrics found in CVE {cve_number} is {met}")
 cur.close()
 conn.close()
 return met
diff --git a/cve_bin_tool/cvedb.py b/cve_bin_tool/cvedb.py
index 369e084d20..748dd74764 100644
--- a/cve_bin_tool/cvedb.py
+++ b/cve_bin_tool/cvedb.py
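Review bot: The filter here signals "skip this CVE" by `break`ing out of the row loop and returning whatever `met` already holds, while the caller in the `@@ -276` hunk only discards the CVE when `row_dict["metric"]` is empty; if the cursor can yield another metric row before the EPSS row, `met` is non-empty at the `break` and the threshold is silently not applied (the old `return met` had the same shape, so I may be missing an ordering guarantee in the query, which starts outside the hunk). Clearing the dict before leaving, e.g. `met.clear()` followed by `break`, makes the intent robust to row order. Separately, the three branches reduce to one condition, `if (epss_percentile and float(metric_field) < epss_percentile) or (epss_probability and float(metric_score) < epss_probability): break`, one branch wraps the thresholds in `float()` while the others do not, and the debug log has moved inside the loop, so it now fires once per metric row and before the current row is added to `met`. The first comment also misspells "probability". `metric` begins outside the hunk.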
@@ -158,28 +158,31 @@ def __init__( self.rollback_cache_backup() def get_cve_count(self) -> int: + """Update the number of CVE entries if necessary and return the number of CVEs.""" if self.cve_count == -1: # Force update self.check_cve_entries() return self.cve_count def check_db_exists(self) -> bool: + """Return whether the database file exists or not.""" return self.dbpath.is_file() def get_db_update_date(self) -> float: + """Determine the time the CVE database was last modified.""" # last time when CVE data was updated if self.check_db_exists(): self.time_of_last_update = datetime.datetime.fromtimestamp( self.dbpath.stat().st_mtime ) return self.dbpath.stat().st_mtime - # Shouldn't be happenning but just in case.... + # Shouldn't be happening but just in case.... self.LOGGER.warning("Database not available. Using default date.") self.time_of_last_update = datetime.datetime(2000, 1, 1) return self.time_of_last_update.timestamp() async def refresh(self) -> None: - """Refresh the cve database and check for new version.""" + """Refresh the CVE database and check for new version.""" # refresh the database if not self.cachedir.is_dir(): @@ -192,6 +195,7 @@ async def refresh(self) -> None: await self.get_data() def refresh_cache_and_update_db(self) -> None: + """Refresh cached NVD and update CVE database with latest data.""" self.LOGGER.debug("Updating CVE data. This will take a few minutes.") # refresh the nvd cache run_coroutine(self.refresh()) @@ -273,7 +277,7 @@ def latest_schema( return schema_latest def check_cve_entries(self) -> bool: - """Report if database has some CVE entries""" + """Report if database has some CVE entries.""" cursor = self.db_open_and_get_cursor() cve_entries_check = "SELECT data_source, COUNT(*) as number FROM cve_severity GROUP BY data_source ORDER BY number DESC" cursor.execute(cve_entries_check) 
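Review bot: The new docstring on `get_db_update_date` omits the two things a caller needs: it returns a POSIX timestamp (float), and as a side effect it sets `self.time_of_last_update`, falling back to 2000-01-01 when the database file is missing. I'd write `"""Return the database file's mtime as a POSIX timestamp, also storing it in self.time_of_last_update; falls back to 2000-01-01 if the file is missing."""`. The method also calls `self.dbpath.stat()` twice; binding `mtime = self.dbpath.stat().st_mtime` once avoids returning a different value from the one stored if the file is replaced between the two calls. `get_cve_count` likewise deserves a note that `-1` is the "not yet counted" sentinel that triggers `check_cve_entries()`.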
@@ -370,7 +374,7 @@ def table_schemas(self): ) def init_database(self) -> None: - """Initialize db tables used for storing cve/version data""" + """Initialize db tables used for storing cve/version data.""" cursor = self.db_open_and_get_cursor() ( @@ -457,7 +461,7 @@ def populate_db(self) -> None: self.populate_metrics() # EPSS uses metrics table to get the EPSS metric id. - # It can't be ran before creation of metrics table. + # It can't be run before creation of metrics table. self.populate_epss() self.store_epss_data() @@ -490,6 +494,7 @@ def populate_db(self) -> None: self.db_close() def populate_severity(self, severity_data, cursor, data_source): + """Populate the database with CVE severities.""" insert_severity = self.INSERT_QUERIES["insert_severity"] del_cve_range = "DELETE from cve_range where CVE_number=? and data_source=?" @@ -534,7 +539,7 @@ def populate_severity(self, severity_data, cursor, data_source): cursor.execute(del_cve_range, [cve["ID"], data_source]) def populate_cve_metrics(self, severity_data, cursor): - """Adds data into CVE metrics table""" + """Adds data into CVE metrics table.""" insert_cve_metrics = self.INSERT_QUERIES["insert_cve_metrics"] for cve in severity_data: @@ -565,6 +570,7 @@ def populate_cve_metrics(self, severity_data, cursor): LOGGER.info(f"Unable to insert data for {e}\n{cve}") def populate_affected(self, affected_data, cursor, data_source): + """Populate database with affected versions.""" insert_cve_range = self.INSERT_QUERIES["insert_cve_range"] try: cursor.executemany( @@ -635,6 +641,7 @@ def metric_finder(self, cursor, cve): return metric def clear_cached_data(self) -> None: + """Delete cachedir and old cachedir.""" self.create_cache_backup() if self.cachedir.exists(): self.LOGGER.warning(f"Updating cachedir {self.cachedir}") 
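Review bot: `populate_cve_metrics` reports a failed metrics insert with `LOGGER.info(f"Unable to insert data for {e}\n{cve}")`, visible as context at the top of the `-565` hunk; a CVE whose metrics never made it into the table is then either reported without scores or silently dropped by the EPSS filter in `get_cves`, so this belongs at `LOGGER.warning` (or `LOGGER.exception` inside the except) rather than INFO. The new `populate_affected` docstring could also say that rows are tagged with the given `data_source` and that insert failures are handled in the `try` that follows; that body continues outside the hunk.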
@@ -656,7 +663,7 @@ def get_vendor_product_pairs(self, package_names) -> list[dict[str, str]]: """ # For python package checkers we don't need the progress bar running - if type(package_names) != list: + if type(package_names) is not list: cursor.execute(query, [package_names]) vendors = list(map(lambda x: x[0], cursor.fetchall())) @@ -756,7 +763,7 @@ def db_close(self) -> None: self.connection = None def create_cache_backup(self) -> None: - """Creates a backup of the cachedir in case anything fails""" + """Creates a backup of the cachedir in case anything fails.""" if self.cachedir.exists(): self.LOGGER.debug( f"Creating backup of cachedir {self.cachedir} at {self.backup_cachedir}" @@ -765,6 +772,7 @@ def create_cache_backup(self) -> None: shutil.copytree(self.cachedir, self.backup_cachedir) def copy_db(self, filename, export=True): + """Copy database file to or from new path.""" self.db_close() if export: shutil.copy(self.dbpath, filename) @@ -772,13 +780,13 @@ def copy_db(self, filename, export=True): shutil.copy(filename, self.dbpath) def remove_cache_backup(self) -> None: - """Removes the backup if database was successfully loaded""" + """Removes the backup if database was successfully loaded.""" if self.backup_cachedir.exists(): self.LOGGER.debug(f"Removing backup cache from {self.backup_cachedir}") shutil.rmtree(self.backup_cachedir) def rollback_cache_backup(self) -> None: - """Rollback the cachedir backup in case anything fails""" + """Rollback the cachedir backup in case anything fails.""" if (self.backup_cachedir / DBNAME).exists(): self.LOGGER.info("Rolling back the cache to its previous state") if self.cachedir.exists(): 
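Review bot: `if type(package_names) is not list:` in `get_vendor_product_pairs` satisfies the `E721` lint but keeps the exact-type test; the idiomatic form is `if not isinstance(package_names, list):`, unless list subclasses must deliberately take the other branch, which nothing visible suggests. The comment above it says the non-list branch serves "python package checkers", so the parameter is really `str | list[str]`; stating that in the docstring (whose start is outside this hunk) would explain the branch better than the comment does. `get_vendor_product_pairs` continues outside the hunk.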
@@ -786,11 +794,13 @@ def rollback_cache_backup(self) -> None: shutil.move(self.backup_cachedir, self.cachedir) def __del__(self) -> None: + """Rollback the cachedir backup in case anything fails.""" self.rollback_cache_backup() # Methods to check and update exploits def update_exploits(self): + """Get latest list of vulnerabilities from cisa.gov and add them to the exploits database table.""" url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" r = requests.get(url, timeout=300) data = r.json() @@ -801,6 +811,7 @@ def update_exploits(self): self.populate_exploit_db(exploit_list) def get_cache_exploits(self): + """Get exploits from database file.""" get_exploits = """ SELECT cve_number FROM cve_exploited """ @@ -811,12 +822,15 @@ def get_cache_exploits(self): self.exploit_count = len(self.exploits_list) def get_exploits_list(self): + """Return list of exploits.""" return self.exploits_list def get_exploits_count(self) -> int: + """Return number of exploits.""" return self.exploit_count def create_exploit_db(self): + """Create table of exploits in database if it does not already exist.""" cursor = self.db_open_and_get_cursor() (_, _, create_exploit_table, _, _) = self.table_schemas() cursor = self.db_open_and_get_cursor() @@ -825,6 +839,7 @@ def create_exploit_db(self): self.db_close() def populate_exploit_db(self, exploits): + """Add exploits to the exploits database table.""" insert_exploit = self.INSERT_QUERIES["insert_exploit"] cursor = self.db_open_and_get_cursor() cursor.executemany(insert_exploit, exploits) @@ -832,6 +847,7 @@ def populate_exploit_db(self, exploits): self.db_close() def store_epss_data(self): + """Insert Exploit Prediction Scoring System (EPSS) data into database.""" insert_cve_metrics = self.INSERT_QUERIES["insert_cve_metrics"] cursor = self.db_open_and_get_cursor() cursor.executemany(insert_cve_metrics, self.epss_data) 
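Review bot: `update_exploits` parses the CISA KEV feed with `r.json()` without checking the HTTP status first, so a 4xx/5xx or captive-portal HTML body surfaces as a JSON decode error rather than an HTTP failure; add `r.raise_for_status()` between the `requests.get(...)` and `data = r.json()` lines. The new docstring could name the feed (`Fetch the CISA Known Exploited Vulnerabilities catalog and hand the entries to populate_exploit_db.`) and mention the 300 s timeout; whether entries are deduplicated on insert isn't visible here. The `__del__` docstring duplicates `rollback_cache_backup`'s; `"""Roll back any leftover cache backup when the object is garbage-collected."""` says what is distinctive about it. The rest of `update_exploits` is outside the hunk.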
@@ -839,12 +855,14 @@ def store_epss_data(self): self.db_close() def dict_factory(self, cursor, row): + """Helper function for get_all_records_in_table function.""" d = {} for idx, col in enumerate(cursor.description): d[col[0]] = row[idx] return d def get_all_records_in_table(self, table_name): + """Return JSON of all records in a database table.""" cursor = self.db_open_and_get_cursor() cursor.row_factory = self.dict_factory cursor.execute(f"SELECT * FROM '{table_name}' ") @@ -854,6 +872,7 @@ def get_all_records_in_table(self, table_name): return json.dumps(results) def delete_old_files_if_exists(self, path): + """Delete old CVE directories and metadata files.""" DIRECTORIES = [ "cve_exploited", "cve_range", @@ -870,6 +889,7 @@ def delete_old_files_if_exists(self, path): Path.unlink(path / "metadata.json") def db_to_json(self, path, private_key, passphrase): + """Create JSON of all records in all database tables.""" if private_key and not passphrase: LOGGER.critical( "You must provide the passphrase of the private key with --passphrase flag in order to use --pgp-sign flag" @@ -993,6 +1013,7 @@ def db_to_json(self, path, private_key, passphrase): shutil.rmtree(temp_gnupg_home) def json_to_db(self, cursor, db_column, json_data): + """Insert records into database from JSON.""" columns = [] for data in json_data: column = list(data.keys()) @@ -1019,6 +1040,7 @@ def json_to_db(self, cursor, db_column, json_data): cursor.executemany(self.INSERT_QUERIES["insert_metrics"], values) def json_to_db_wrapper(self, path, pubkey, ignore_signature, log_signature_error): + """Initialize the process wrapper to insert records into database from JSON.""" try: path = Path(path) if not (path / "metadata.json").is_file(): 
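Review bot: `get_all_records_in_table` interpolates `table_name` straight into `SELECT * FROM '{table_name}'`, and the new docstring doesn't say the name must be a known table; SQLite cannot bind identifiers, so the only guard is an allow-list. The callers aren't visible here, though the `DIRECTORIES` list in `delete_old_files_if_exists` appears to name the same fixed tables, so the risk is a future caller rather than this diff; I'd add `if table_name not in KNOWN_TABLES: raise ValueError(f"unknown table {table_name!r}")` before the execute (using whatever set of table names the class already keeps) and a docstring sentence `Only fixed, trusted table names may be passed; the name is interpolated into SQL.`. `'{table_name}'` is also string-literal quoting in SQL terms; SQLite tolerates it for table names, but `"{table_name}"` is the identifier form. The `dict_factory` docstring would be clearer as `sqlite3 row_factory that maps each row to a {column: value} dict.`.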
@@ -1056,7 +1078,7 @@ def json_to_db_wrapper(self, path, pubkey, ignore_signature, log_signature_error is_signed = Path(path / "metadata.asc").exists() if not is_signed: LOGGER.warning( - "Importing JSON data that is not signed, the JSON data might have been tampared with" + "Importing JSON data that is not signed, the JSON data might have been tampered with" ) elif not pubkey and not ignore_signature: LOGGER.critical( @@ -1122,6 +1144,7 @@ def json_to_db_wrapper(self, path, pubkey, ignore_signature, log_signature_error return -1 def fetch_from_mirror(self, mirror, pubkey, ignore_signature, log_signature_error): + """Get JSON information from download mirror.""" if not self.cachedir.exists(): self.cachedir.mkdir() json_db = Fetch_JSON_DB( diff --git a/cve_bin_tool/fetch_json_db.py b/cve_bin_tool/fetch_json_db.py index cd505ed2c8..89c8a80fcb 100644 --- a/cve_bin_tool/fetch_json_db.py +++ b/cve_bin_tool/fetch_json_db.py @@ -41,6 +41,9 @@ def __init__( log_signature_error, error_mode: ErrorMode = ErrorMode.TruncTrace, ) -> None: + """ + Initialize the Fetch_JSON_DB instance. + """ self.root = cache_dir / "json_data" self.pubkey = pubkey self.ignore_signature = ignore_signature @@ -55,6 +58,9 @@ def __init__( self.failed_count = 0 async def handle_download(self): + """ + Manages the download process of JSON files from the mirror. + """ self.connector = aiohttp.TCPConnector(limit_per_host=10) async with aiohttp.ClientSession( connector=self.connector, headers=HTTP_HEADERS, trust_env=True @@ -90,6 +96,9 @@ async def handle_download(self): self.cleanup_directory() def cleanup_directory(self): + """ + Cleans up the directory structure and removes temporary files. + """ for directory in self.DIRECTORIES: if (self.root / directory).exists(): shutil.rmtree(self.root / directory) 
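Review bot: In `json_to_db_wrapper` an unsigned `metadata.json` only produces a warning and the import continues, whereas a signed file with no `--pubkey` reaches `LOGGER.critical` (the rest of that branch is outside the hunk); if the intent is "unsigned is allowed, but a signature, once present, must verify", that asymmetry deserves a comment on the `if not is_signed:` line, e.g. `# Unsigned exports are accepted for local use; a present signature must verify unless --ignore-signature.`, and if it is not the intent the unsigned case should require `ignore_signature` too. The wording fix in the message is fine; naming the path, `f"Importing unsigned JSON data from {path}; it may have been tampered with"`, would let the log identify which import was unverified.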
@@ -99,6 +108,9 @@ def cleanup_directory(self): Path.unlink(self.root / "metadata.json") def update_directory_structure(self): + """ + Updates the directory structure for storing downloaded files. + """ if self.root.is_dir(): shutil.rmtree(self.root) self.root.mkdir() @@ -108,6 +120,9 @@ def update_directory_structure(self): dir.mkdir() def get_download_urls(self, session): + """ + Retrieves the URLs for downloading JSON files from the mirror. + """ for key in self.metadata["db"]: self.tasks.extend( [ @@ -124,6 +139,9 @@ def get_download_urls(self, session): ) def get_failed_downloads(self): + """ + Identifies and logs unsuccessful download attempts. + """ db = {} for key in self.metadata["db"]: db[key] = [] @@ -133,6 +151,9 @@ def get_failed_downloads(self): self.metadata["db"] = db async def download_files(self, tasks, description): + """ + Downloads files asynchronously from the mirror. + """ # error_mode.value will only be greater than 1 if quiet mode. if self.error_mode.value > 1: total_tasks = len(tasks) @@ -157,6 +178,9 @@ async def download_files(self, tasks, description): self.download_failed = True async def get_metdata(self, session): + """ + Fetches and stores metadata information from the mirror. + """ resp = await session.get(f"{self.mirror}/metadata.json") resp.raise_for_status() if resp.status == 200: @@ -177,6 +201,9 @@ async def get_metdata(self, session): self.is_signed = False def verify_signature(self): + """ + Checks the authenticity of downloaded metadata using signatures. + """ temp_gnupg_home = Path(tempfile.mkdtemp(prefix=".gnupg-")) gpg = gnupg.GPG(gnupghome=temp_gnupg_home) if self.pubkey: diff --git a/cve_bin_tool/helper_script.py b/cve_bin_tool/helper_script.py index 3c541f2406..54433c0eb4 100644 --- a/cve_bin_tool/helper_script.py +++ b/cve_bin_tool/helper_script.py 
@@ -10,6 +10,7 @@ from collections import ChainMap from logging import Logger from pathlib import Path +from typing import MutableMapping from rich import print as rprint from rich.console import Console @@ -134,8 +135,8 @@ def search_pattern( file_content_list = file_content.split("\n") version_pattern = rf".+{version_pattern}" matches = [] - product_matches = [] - version_matches = [] + product_matches: list[tuple[int, str]] = [] + version_matches: list[tuple[int, str]] = [] for i, line in enumerate(file_content_list): string_present = re.search(pattern, line, re.IGNORECASE) @@ -147,9 +148,9 @@ def search_pattern( self.multiline_pattern = False continue if string_present: - product_matches.append([i, line.strip()]) + product_matches.append((i, line.strip())) if version_present: - version_matches.append([i, line.strip()]) + version_matches.append((i, line.strip())) for product_line_number, product in product_matches: matches.append(product) @@ -270,6 +271,7 @@ def find_vendor_product(self) -> list[tuple[str, str]]: cursor.execute(query, {"product": self.product_name}) data = cursor.fetchall() + CVEDB.db_close(self) # type: ignore # checking if (vendor, product) was found in the database if data: 
@@ -288,32 +290,27 @@ def find_vendor_product(self) -> list[tuple[str, str]]: ) WARNED = True # prevent same warning multiple times return data # [('vendor', 'product')] - else: - if self.product_name: - # removing numeric characters from the product_name - if any(char.isdigit() for char in self.product_name): - LOGGER.debug( - f"removing digits from product_name={self.product_name}" - ) - self.product_name = "".join( - filter(lambda x: not x.isdigit(), self.product_name) - ) - return self.find_vendor_product() - else: - # raise error and ask for product_name - LOGGER.warning( - textwrap.dedent( - f""" - ================================================================= - No match was found for "{self.product_name}" in database. - Please check your file or try specifying the "product_name" also. - ================================================================= - """ - ) + elif self.product_name: + # removing numeric characters from the product_name + if any(char.isdigit() for char in self.product_name): + LOGGER.debug(f"removing digits from product_name={self.product_name}") + self.product_name = "".join( + filter(lambda x: not x.isdigit(), self.product_name) + ) + return self.find_vendor_product() + else: + # raise error and ask for product_name + LOGGER.warning( + textwrap.dedent( + f""" + ================================================================= + No match was found for "{self.product_name}" in database. + Please check your file or try specifying the "product_name" also. + ================================================================= + """ ) - return [] - - CVEDB.db_close(self) # type: ignore + ) + return [] def output_single(self) -> None: """display beautiful output for Helper-Script""" 
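Review bot: In the `elif self.product_name:` branch of `find_vendor_product`, `"".join(filter(lambda x: not x.isdigit(), self.product_name))` reads more directly as `"".join(ch for ch in self.product_name if not ch.isdigit())`. The recursive `return self.find_vendor_product()` re-runs the lookup with the stripped name; since the previous hunk moved `CVEDB.db_close(self)` to just after `fetchall()` (the old call after `return []` was unreachable), each retry now closes its connection before recursing, assuming `db_close` does what its name says. That is the real improvement here and deserves a comment, e.g. `# Retry once without digits (e.g. "libssl1" -> "libssl"); the connection above is already closed.`. The start of `find_vendor_product` is outside this hunk.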
@@ -529,10 +526,11 @@ def main(argv=None) -> None: action="store", default=40, ) - with ErrorHandler(mode=ErrorMode.NoTrace): raw_args = parser.parse_args(argv[1:]) - args = {key: value for key, value in vars(raw_args).items() if value} + args: MutableMapping[str, str] = { + key: value for key, value in vars(raw_args).items() if value + } defaults = {key: parser.get_default(key) for key in vars(raw_args)} args = ChainMap(args, defaults) diff --git a/cve_bin_tool/log.py b/cve_bin_tool/log.py index 85b7009275..82cdfe8545 100644 --- a/cve_bin_tool/log.py +++ b/cve_bin_tool/log.py @@ -7,14 +7,27 @@ from rich.logging import RichHandler -# A log filter to filter out logs based on filter level -# Any log above and equal the specified level will not be logged class LevelFilter(logging.Filter): + """ + Initialize the LevelFilter instance. + """ + def __init__(self, level): super().__init__() self.level = level def filter(self, record): + """ + Filter out logs based on filter level + + Args: + record (LogRecord): The log record to be filtered. + + Returns: + bool: True if the log record's level is below the specified level, + indicating that it should be processed and logged; False otherwise, + indicating that it should be filtered out. + """ return record.levelno < self.level diff --git a/cve_bin_tool/output_engine/console.py b/cve_bin_tool/output_engine/console.py index c01e9f4c44..c5163ff503 100644 --- a/cve_bin_tool/output_engine/console.py +++ b/cve_bin_tool/output_engine/console.py @@ -119,7 +119,7 @@ def _output_console_nowrap( table.add_column("UNKNWON CVEs Count") table.add_column("TOTAL CVEs Count") if all_product_data is not None: - for product_data in all_product_data: + for product_data in sorted(all_product_data): color = None summary = get_cve_summary( {product_data: all_cve_data[product_data]}, exploits 
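Review bot: The annotation `args: MutableMapping[str, str]` in `main` does not match the data: the parser's `default=40` shows at least one integer value, and the same name is then rebound to a `ChainMap` over `defaults`, so a checker may flag the rebind even though `ChainMap` is a `MutableMapping`. `MutableMapping[str, object]` (or `Any`, if it is already imported above; not visible here) describes the dict honestly. The blank line before `with ErrorHandler(...)` was dropped in the same hunk and should probably stay for readability. `main` continues outside the hunk.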
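Review bot: The class docstring added to `LevelFilter` reads `Initialize the LevelFilter instance.`, which describes `__init__`, not the class; the removed header comment was the accurate description. Give the class `"""Logging filter that passes only records strictly below a given level."""` and `__init__` a short `"""Store the exclusive upper level bound."""`. The `filter` docstring is fine, but since `record.levelno < self.level` excludes the level itself, say "strictly below" so nobody expects a WARNING record to pass a WARNING-level filter.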
@@ -318,7 +318,11 @@ def validate_cell_length(cell_name, cell_type): table.add_column("Product") table.add_column("Version") - products_with_cves = list(map(lambda x: x[1], all_cve_data)) + products_with_cves = [] + for product_info, cve_data in all_cve_data.items(): + if len(cve_data["cves"]): + products_with_cves.append(product_info.product) + for product_data in all_product_data: if ( all_product_data[product_data] == 0 diff --git a/cve_bin_tool/package_list_parser.py b/cve_bin_tool/package_list_parser.py index f7be11e33f..6e00a2a040 100644 --- a/cve_bin_tool/package_list_parser.py +++ b/cve_bin_tool/package_list_parser.py @@ -36,6 +36,14 @@ def __init__( logger: Logger = LOGGER.getChild("PackageListParser"), error_mode=ErrorMode.TruncTrace, ) -> None: + """ + Initialize the PackageListParser object. + + Args: + input_file (str): The path to the input file containing a list of packages. + logger (Logger): An optional logger object for logging messages. + error_mode (ErrorMode): An optional error mode specifying how errors should be handled. + """ self.input_file = input_file if self.__class__.__name__ != "PackageListParser": @@ -50,6 +58,12 @@ def __init__( self.package_names_without_vendor: List[Any] = [] def parse_list(self): + """ + Parse the package list and return parsed package information. + + Returns: + Dict[Any, Any]: A dictionary containing parsed package information. + """ input_file = self.input_file self.check_file() installed_packages = [] @@ -143,6 +157,12 @@ def parse_list(self): return self.parsed_data_with_vendor def add_vendor(self, vendor_package_pairs): + """ + Add vendor information to package entries based on data retrieved from the CVE database. + + Args: + vendor_package_pairs: A list of vendor-product pairs obtained from the CVE database. + """ for vendor_package_pair in vendor_package_pairs: for package_name in self.package_names_without_vendor: if vendor_package_pair["product"] == package_name["name"].replace( 
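Review bot: `if len(cve_data["cves"]):` in the new `products_with_cves` loop is the non-idiomatic form of `if cve_data["cves"]:`, and the whole loop is a comprehension: `products_with_cves = [info.product for info, data in all_cve_data.items() if data["cves"]]`. Functionally the change is an improvement over `map(lambda x: x[1], ...)`, since products whose CVE list is empty are now excluded; note the list holds product names only, so two vendors shipping the same product name are both treated as "has CVEs" — if that matters, keep the full `product_info` instead. The loop that consumes the list continues outside the hunk.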
@@ -154,6 +174,9 @@ def add_vendor(self, vendor_package_pairs): break def parse_data(self): + """ + Parse package data and construct a dictionary with information about each installed package. + """ for row in self.package_names_with_vendor: product_info = ProductInfo( row["vendor"], row["name"].lower(), row["version"] @@ -168,6 +191,9 @@ def parse_data(self): self.parsed_data_with_vendor[product_info]["paths"] = {""} def check_file(self): + """ + Perform various checks on the input file to ensure its validity and compatibility with the system's package manager. + """ input_file = self.input_file error_mode = self.error_mode diff --git a/cve_bin_tool/sbom_manager/__init__.py b/cve_bin_tool/sbom_manager/__init__.py index 54df71aebc..0dadb3b2b1 100644 --- a/cve_bin_tool/sbom_manager/__init__.py +++ b/cve_bin_tool/sbom_manager/__init__.py @@ -8,14 +8,15 @@ from pathlib import Path import defusedxml.ElementTree as ET +from lib4sbom.parser import SBOMParser +from packageurl import PackageURL from cve_bin_tool.cvedb import CVEDB from cve_bin_tool.input_engine import TriageData from cve_bin_tool.log import LOGGER from cve_bin_tool.util import ProductInfo, Remarks +from cve_bin_tool.validator import validate_cyclonedx, validate_spdx -from .cyclonedx_parser import CycloneParser -from .spdx_parser import SPDXParser from .swid_parser import SWIDParser @@ -47,15 +48,11 @@ def scan_file(self) -> dict[ProductInfo, TriageData]: modules = [] try: if Path(self.filename).exists(): - if self.type == "spdx": - spdx = SPDXParser(self.validate) - modules = spdx.parse(self.filename) - elif self.type == "cyclonedx": - cyclone = CycloneParser(self.validate) - modules = cyclone.parse(self.filename) - elif self.type == "swid": + if self.type == "swid": swid = SWIDParser(self.validate) modules = swid.parse(self.filename) + else: + modules = self.parse_sbom() except (KeyError, FileNotFoundError, ET.ParseError) as e: LOGGER.debug(e, exc_info=True) 
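Review bot: The `except (KeyError, FileNotFoundError, ET.ParseError)` clause in `scan_file` was written for the removed SPDX/CycloneDX parsers; the new `parse_sbom` path goes through `lib4sbom` and `PackageURL.from_string`, which on a malformed file or purl may raise other types (a JSON/YAML decode error, `ValueError`) that this clause won't catch, so one bad SBOM would abort the scan instead of being logged. Which exceptions `SBOMParser.parse_file` raises isn't visible here; either widen the tuple after checking lib4sbom's behaviour, or catch inside `parse_sbom`. Also any `self.type` other than `swid` now reaches `parse_sbom`, so an unrecognised type string is passed straight to `SBOMParser(sbom_type=...)` rather than yielding the empty `modules` it did before. The except/else tail of `scan_file` continues outside the hunk.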
@@ -100,6 +97,42 @@ def get_vendor(self, product: str) -> list: vendorlist.append("UNKNOWN") return vendorlist + def parse_sbom(self): + """parse SBOM, using PURL identifiers preferentially if found""" + # Set up SBOM parser + sbom_parser = SBOMParser(sbom_type=self.type) + # Load SBOM + sbom_parser.parse_file(self.filename) + modules = [] + if self.validate and self.filename.endswith(".xml"): + # Only for XML files + if sbom_parser.get_type() == "spdx": + valid_xml = validate_spdx(self.filename) + else: + valid_xml = validate_cyclonedx(self.filename) + if not valid_xml: + return modules + packages = [x for x in sbom_parser.get_sbom()["packages"].values()] + LOGGER.debug(f"Parsed SBOM {self.filename} {packages}") + for package in packages: + purl_found = False + # If PURL record found, use this data in preference to package data + ext_ref = package.get("externalreference") + if ext_ref is not None: + for ref in ext_ref: + if ref[1] == "purl": + # Process purl identifier + purl_info = PackageURL.from_string(ref[2]).to_dict() + modules.append([purl_info["name"], purl_info["version"]]) + purl_found = True + if not purl_found: + if package.get("version") is not None: + modules.append([package["name"], package["version"]]) + else: + LOGGER.debug(f"No version found in {package}") + LOGGER.debug(f"Parsed SBOM {self.filename} {modules}") + return modules + if __name__ == "__main__": import sys diff --git a/dev-requirements.txt b/dev-requirements.txt index a7b33fb258..f50e95bd2e 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -1,13 +1,13 @@ -black==23.7.0 +black==23.9.1 isort; python_version < "3.8" isort==5.12.0; python_version >= "3.8" pre-commit; python_version < "3.8" -pre-commit==3.3.3; python_version >= "3.8" +pre-commit==3.4.0; python_version >= "3.8" flake8; python_version < "3.8" flake8==6.1.0; python_version >= "3.8" bandit==1.7.5 gitlint==v0.19.1 -mypy==v1.4.1 +mypy==v1.5.1 pytest>=7.2.0 pytest-xdist pytest-cov 
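Review bot: The purl branch of `parse_sbom` skips the version check the plain branch applies: `purl_info["version"]` is `None` for a purl without `@version`, so `[name, None]` is appended while the non-purl path logs "No version found" and skips. A package with several purl references also appends one module per reference, and `PackageURL.from_string` raises on a malformed purl, which is not among the exceptions `scan_file` catches. I'd parse the purl defensively, fall back to the package version when the purl carries none, and apply one version rule to both paths, as below; the purl namespace (`pkg:npm/@scope/name`) is dropped as well, which may or may not be intended, so confirm against how vendors are looked up. `packages = [x for x in ....values()]` is just `list(sbom_parser.get_sbom()["packages"].values())`.
```python
        for package in packages:
            name, version = package.get("name"), package.get("version")
            # A parseable PURL reference wins over the package's own fields.
            for ref in package.get("externalreference") or []:
                if ref[1] != "purl":
                    continue
                try:
                    purl_info = PackageURL.from_string(ref[2]).to_dict()
                except ValueError:
                    LOGGER.debug(f"Ignoring malformed purl {ref[2]!r} in {package}")
                    continue
                name = purl_info["name"]
                version = purl_info["version"] or version
                break
            if version is None:
                LOGGER.debug(f"No version found in {package}")
                continue
            modules.append([name, version])
        # … unchanged: final debug log and return modules …
```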
diff --git a/doc/MANUAL.md b/doc/MANUAL.md index 493ea1f1db..a2f3a9b043 100644 --- a/doc/MANUAL.md +++ b/doc/MANUAL.md @@ -40,6 +40,7 @@ - [-f {csv,json,console,html}, --format {csv,json,console,html}](#-f-csvjsonconsolehtml---format-csvjsonconsolehtml) - [-c CVSS, --cvss CVSS](#-c-cvss---cvss-cvss) - [--epss-percentile](#epss-percentile) + - [--epss-probability](#epss-probability) - [-S {low,medium,high,critical}, --severity {low,medium,high,critical}](#-s-lowmediumhighcritical---severity-lowmediumhighcritical) - [-A \[\-\\], --available-fix \[\-\\]](#-a-distro_name-distro_version_name---available-fix-distro_name-distro_version_name) - [-b \[\-\\], --backport-fix \[\-\\]](#-b-distro_name-distro_version_name---backport-fix-distro_name-distro_version_name) @@ -128,7 +129,9 @@ which is useful if you're trying the latest code from note: don't use spaces between comma (',') and the output formats. -c CVSS, --cvss CVSS minimum CVSS score (as integer in range 0 to 10) to report (default: 0) --epss-percentile minimum EPSS percentile of CVE range between 0 to 100 to report - (default: 0) + (input value can also be floating point)(default: 0) + --epss-probability minimum EPSS probability of CVE range between 0 to 100 to report + (input value can also be floating point)(default: 0) -S {low,medium,high,critical}, --severity {low,medium,high,critical} minimum CVE severity to report (default: low) --no-0-cve-report only produce report when CVEs are found 
@@ -176,52 +179,55 @@ which is useful if you're trying the latest code from | | | | Available checkers | | | | -|--------------- |--------------- |------------------ |------------- |--------------- |------------ |----------------- | +|----------------- |------------- |------------------ |--------------- |---------------- |-------------- |------------ | | accountsservice |acpid |apache_http_server |apcupsd |apparmor |asn1c |assimp | -| asterisk |atftp |avahi |bash |bind |binutils |bird | -| bison |bluez |boinc |botan |bro |bubblewrap |busybox | -| bwm_ng |bzip2 |c_ares |capnproto |ceph |chess |chrony | -| clamav |collectd |commons_compress |connman |coreutils |cpio |cronie | -| cryptsetup |cups |curl |cvs |darkhttpd |dav1d |davfs2 | -| dbus |dhclient |dhcpcd |dhcpd |dmidecode |dnsmasq |domoticz | -| dovecot |doxygen |dpkg |dropbear |e2fsprogs |elfutils |emacs | -| enscript |exim |exiv2 |f2fs_tools |faad2 |fastd |ffmpeg | -| file |firefox |flac |fluidsynth |freeradius |freerdp |fribidi | -| frr |gcc |gdb |gdk_pixbuf |gimp |git |glib | +| asterisk |atftp |avahi |axel |bash |bind |binutils | +| bird |bison |bluez |boinc |botan |bro |bubblewrap | +| busybox |bwm_ng |bzip2 |c_ares |capnproto |ceph |chess | +| chrony |civetweb |clamav |collectd |commons_compress |connman |coreutils | +| cpio |cronie |cryptsetup |cups |curl |cvs |darkhttpd | +| dav1d |davfs2 |dbus |debianutils |dhclient |dhcpcd |dhcpd | +| dmidecode |dnsmasq |domoticz |dosfstools |dovecot |doxygen |dpkg | +| dropbear |e2fsprogs |ed |elfutils |emacs |enscript |exim | +| exiv2 |f2fs_tools |faad2 |fastd |ffmpeg |file |firefox | +| flac |fluidsynth |freeradius |freerdp |fribidi |frr |gawk | +| gcc |gdal |gdb |gdk_pixbuf |gimp |git |glib | | glibc |gmp |gnomeshell |gnupg |gnutls |gpgme |gpsd | -| graphicsmagick |grub2 |gstreamer |gupnp |gvfs |gzip |haproxy | -| harfbuzz |haserl |hdf5 |hostapd |hunspell |i2pd |icecast | -| icu |iperf3 |ipmitool |ipsec_tools |iptables |irssi |iucode_tool | -| jack2 
|jacksondatabind |janus |jhead |json_c |kbd |keepalived | -| kerberos |kexectools |kodi |kubernetes |ldns |lftp |libarchive | -| libass |libbpg |libcoap |libconfuse |libcurl |libdb |libebml | -| libexpat |libgcrypt |libgd |libgit2 |libical |libidn2 |libinput | -| libjpeg |libjpeg_turbo |libksba |liblas |libmatroska |libmemcached |libmicrohttpd | -| libmodbus |libnss |libpcap |libraw |librsvg |librsync |libsamplerate | -| libseccomp |libsndfile |libsolv |libsoup |libsrtp |libssh |libssh2 | -| libtasn1 |libtiff |libtomcrypt |libupnp |libvirt |libvncserver |libvorbis | -| libxslt |lighttpd |linux_kernel |lldpd |logrotate |lua |luajit | -| lxc |lynx |lz4 |mailx |mariadb |mdadm |memcached | -| mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |modsecurity |mosquitto | -| motion |mpv |msmtp |mtr |mutt |mysql |nano | -| nasm |nbd |ncurses |neon |nessus |netatalk |netkit_ftp | -| netpbm |nettle |nghttp2 |nginx |ngircd |nmap |node | -| ntfs_3g |ntp |ntpsec |open_iscsi |open_vm_tools |openafs |opencv | -| openjpeg |openldap |opensc |openssh |openssl |openswan |openvpn | -| p7zip |pango |patch |pcre |pcre2 |pcsc_lite |perl | -| picocom |pigz |pixman |png |polarssl_fedora |poppler |postgresql | -| ppp |privoxy |procps_ng |proftpd |pspp |pure_ftpd |putty | -| python |qemu |qt |quagga |radare2 |radvd |raptor | -| rauc |rdesktop |readline |rsync |rsyslog |rtl_433 |rtmpdump | -| runc |rust |samba |sane_backends |sdl |seahorse |shadowsocks_libev | -| sngrep |snort |sofia_sip |speex |spice |sqlite |squashfs | -| squid |sslh |stellarium |strongswan |stunnel |subversion |sudo | -| suricata |sylpheed |syslogng |sysstat |systemd |tcpdump |tcpreplay | -| thrift |thttpd |thunderbird |timescaledb |tinyproxy |tor |tpm2_tss | -| transmission |trousers |u_boot |udisks |unbound |unixodbc |upx | -| util_linux |varnish |vim |vorbis_tools |vsftpd |webkitgtk |wget | -| wireshark |wolfssl |wpa_supplicant |xerces |xml2 |xscreensaver |yasm | -| zabbix |zeek |zlib |znc |zsh | | | +| graphicsmagick 
|grep |grub2 |gstreamer |gupnp |gvfs |gzip | +| haproxy |harfbuzz |haserl |hdf5 |hostapd |hunspell |hwloc | +| i2pd |icecast |icu |iperf3 |ipmitool |ipsec_tools |iptables | +| irssi |iucode_tool |jack2 |jacksondatabind |janus |jhead |json_c | +| kbd |keepalived |kerberos |kexectools |kodi |kubernetes |ldns | +| lftp |libarchive |libass |libbpg |libcoap |libconfuse |libcurl | +| libdb |libebml |libexpat |libgcrypt |libgd |libgit2 |libical | +| libidn2 |libinput |libjpeg |libjpeg_turbo |libksba |liblas |libmatroska | +| libmemcached |libmicrohttpd |libmodbus |libnss |libpcap |libraw |librsvg | +| librsync |libsamplerate |libseccomp |libsndfile |libsolv |libsoup |libsrtp | +| libssh |libssh2 |libtasn1 |libtiff |libtomcrypt |libupnp |libvirt | +| libvncserver |libvorbis |libxslt |lighttpd |linux_kernel |lldpd |logrotate | +| lua |luajit |lxc |lynx |lz4 |mailx |mariadb | +| mdadm |memcached |minetest |mini_httpd |minicom |minidlna |miniupnpc | +| miniupnpd |modsecurity |monit |mosquitto |motion |mpg123 |mpv | +| msmtp |mtr |mupdf |mutt |mysql |nano |nasm | +| nbd |ncurses |neon |nessus |netatalk |netkit_ftp |netpbm | +| nettle |nghttp2 |nginx |ngircd |nmap |node |ntfs_3g | +| ntp |ntpsec |open_iscsi |open_vm_tools |openafs |opencv |openjpeg | +| openldap |opensc |openssh |openssl |openswan |openvpn |p7zip | +| pango |patch |pcre |pcre2 |pcsc_lite |perl |picocom | +| pigz |pixman |png |polarssl_fedora |poppler |postgresql |ppp | +| privoxy |procps_ng |proftpd |pspp |pure_ftpd |putty |python | +| qemu |qpdf |qt |quagga |radare2 |radvd |raptor | +| rauc |rdesktop |readline |rpm |rsync |rsyslog |rtl_433 | +| rtmpdump |runc |rust |samba |sane_backends |sdl |seahorse | +| shadowsocks_libev |sngrep |snort |sofia_sip |speex |spice |sqlite | +| squashfs |squid |sslh |stellarium |strongswan |stunnel |subversion | +| sudo |suricata |sylpheed |syslogng |sysstat |systemd |tcpdump | +| tcpreplay |terminology |thrift |thttpd |thunderbird |timescaledb |tinyproxy | +| tor |tpm2_tss 
|transmission |trousers |twonky_server |u_boot |udisks | +| unbound |unixodbc |upx |util_linux |varnish |vim |vorbis_tools | +| vsftpd |webkitgtk |wget |wireshark |wolfssl |wpa_supplicant |xerces | +| xml2 |xscreensaver |yasm |zabbix |zeek |zlib |znc | +| zsh | | | | | | | For a quick overview of usage and how it works, you can also see [the readme file](README.md). @@ -949,7 +955,11 @@ This option specifies the minimum CVSS score (as integer in range 0 to 10) of th ### --epss-percentile -this option specifies the minimum EPSS percentile of CVE range between 0 to 100 to report. The default value is 0 which results in all CVEs being reported. +This option specifies the minimum EPSS percentile of CVE range between 0 to 100 to report. The default value is 0 which results in all CVEs being reported. + +### --epss-probability + +This option specifies the minimum EPSS probability of CVE range between o to 100 to report. The default value is 0 which result in all CVEs being reported. ### -S {low,medium,high,critical}, --severity {low,medium,high,critical} diff --git a/doc/how_to_guides/sbom.md b/doc/how_to_guides/sbom.md index e405d61009..231b849425 100644 --- a/doc/how_to_guides/sbom.md +++ b/doc/how_to_guides/sbom.md @@ -13,8 +13,8 @@ The cve-bin-tool supports SBOMs in the following formats | SPDX | 2.2 | JSON | | SPDX | 2.2 | YAML | | SPDX | 2.2 | XML | -| CycloneDX | 1.3 | XML | -| CycloneDX | 1.3 | JSON | +| CycloneDX | 1.3-1.5 | XML | +| CycloneDX | 1.3-1.5 | JSON | | SWID | See Note | XML | Details of the formats for each of the supported SBOM formats are available for diff --git a/doc/requirements.txt b/doc/requirements.txt index 78b330c16f..595a1d571c 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt @@ -1,4 +1,4 @@ -Sphinx==7.2.3 +Sphinx==7.2.6 sphinx_markdown_tables myst_parser==2.0.0 sbom2doc \ No newline at end of file 
diff --git a/fuzz/fuzz_python_requirement_parser.py b/fuzz/fuzz_python_requirement_parser.py new file mode 100644 index 0000000000..63b570d778 --- /dev/null +++ b/fuzz/fuzz_python_requirement_parser.py @@ -0,0 +1,55 @@ +# Copyright (C) 2023 Intel Corporation +# SPDX-License-Identifier: GPL-3.0-or-later + +import sys +import tempfile +from pathlib import Path + +import atheris +import atheris_libprotobuf_mutator +from google.protobuf.json_format import MessageToDict + +import fuzz.generated.python_requirements_pb2 as python_requirements_pb2 +from cve_bin_tool.cvedb import CVEDB +from cve_bin_tool.log import LOGGER + +with atheris.instrument_imports(): + from cve_bin_tool.parsers.python import PythonRequirementsParser + +cve_db = CVEDB() +logger = LOGGER.getChild("Fuzz") + + +def TestParseData(data): + try: + json_data = MessageToDict( + data, preserving_proto_field_name=True, including_default_value_fields=True + ) + + with open(file_path, "w") as f: + for dict in json_data.get("packages", []): + extras = "" + if len(dict["extras"]) > 0: + extras = f"[{','.join(dict['extras'])}]" + + constraint = "" + if "version" in dict.keys(): + constraint = f" == {dict['version']}" + elif "url" in dict.keys(): + constraint = f"@{dict['url']}" + + f.write(f"{dict['name']}{extras}{constraint}\n") + + PRP = PythonRequirementsParser(cve_db, logger) + PRP.run_checker(file_path) + + except SystemExit: + return + + +file_path = str(Path(tempfile.mkdtemp(prefix="cve-bin-tool-")) / "requirements.txt") + +atheris_libprotobuf_mutator.Setup( + sys.argv, TestParseData, proto=python_requirements_pb2.PackageList +) +atheris.Fuzz() diff --git a/fuzz/generated/python_requirements_pb2.py b/fuzz/generated/python_requirements_pb2.py new file mode 100644 index 0000000000..ff81ba62a9 --- /dev/null +++ b/fuzz/generated/python_requirements_pb2.py 
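Review bot: The loop variable `dict` in `TestParseData` shadows the builtin and reads oddly (`dict["extras"]`, `dict.keys()`); `"version" in dict.keys()` is also the long form of `"version" in dict`. Beyond naming, `file_path` points into a `tempfile.mkdtemp` directory that is never removed, and the harness deliberately catches only `SystemExit` so that any other exception from the parser is reported as a crash; a one-line comment saying so would stop a reader taking it for an omission. Rewritten loop below; `{pkg['version']}` will still render protobuf floats (`1.5`, `1e-05`), which follows from the proto's `float version` field rather than this file.
```python
        with open(file_path, "w") as f:
            for pkg in json_data.get("packages", []):
                extras = f"[{','.join(pkg['extras'])}]" if pkg["extras"] else ""
                if "version" in pkg:
                    constraint = f" == {pkg['version']}"
                elif "url" in pkg:
                    constraint = f"@{pkg['url']}"
                else:
                    constraint = ""
                f.write(f"{pkg['name']}{extras}{constraint}\n")
        # … unchanged: run PythonRequirementsParser on file_path …
```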
@@ -0,0 +1,29 @@
+# Generated by the protocol buffer compiler. DO NOT EDIT!
+# source: fuzz/proto_files/python_requirements.proto
+"""Generated protocol buffer code."""
+from google.protobuf import descriptor as _descriptor
+from google.protobuf import descriptor_pool as _descriptor_pool
+from google.protobuf import symbol_database as _symbol_database
+from google.protobuf.internal import builder as _builder
+
+# @@protoc_insertion_point(imports)
+
+_sym_db = _symbol_database.Default()
+
+
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(
+    b'\n*fuzz/proto_files/python_requirements.proto"\x8e\x01\n\x0bPackageList\x12&\n\x08packages\x18\x01 \x03(\x0b\x32\x14.PackageList.Package\x1aW\n\x07Package\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x0e\n\x06\x65xtras\x18\x02 \x03(\t\x12\x11\n\x07version\x18\x03 \x01(\x02H\x00\x12\r\n\x03url\x18\x04 \x01(\tH\x00\x42\x0c\n\nconstraintb\x06proto3'
+)
+
+_globals = globals()
+_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
+_builder.BuildTopDescriptorsAndMessages(
+    DESCRIPTOR, "fuzz.proto_files.python_requirements_pb2", _globals
+)
+if _descriptor._USE_C_DESCRIPTORS == False:
+    DESCRIPTOR._options = None
+    _globals["_PACKAGELIST"]._serialized_start = 47
+    _globals["_PACKAGELIST"]._serialized_end = 189
+    _globals["_PACKAGELIST_PACKAGE"]._serialized_start = 102
+    _globals["_PACKAGELIST_PACKAGE"]._serialized_end = 189
+# @@protoc_insertion_point(module_scope)
diff --git a/fuzz/proto_files/python_requirements.proto b/fuzz/proto_files/python_requirements.proto
new file mode 100644
index 0000000000..272330d46f
--- /dev/null
+++ b/fuzz/proto_files/python_requirements.proto
@@ -0,0 +1,17 @@
+// Copyright (C) 2023 Intel Corporation
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+syntax = "proto3";
+
+message PackageList{
+  message Package{
+    string name = 1;
+    repeated string extras = 2;
+    oneof constraint{
+      float version = 3;
+      string url = 4;
+    }
+  }
+
+  repeated Package packages = 1;
+}
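Review bot: `float version = 3;` limits every generated version constraint to a single float, so the fuzzer can never produce multi-component versions such as `1.2.3`, pre-release suffixes, or the malformed specifiers a requirements parser actually has to survive; `string version = 3;` would cover that input space, and the harness's `f" == {dict['version']}"` needs no change for it. If the field type changes, `fuzz/generated/python_requirements_pb2.py` in the preceding hunk has to be regenerated from the proto rather than edited.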
diff --git a/requirements.csv b/requirements.csv index b4ba3b8da2..6bb20b3008 100644 --- a/requirements.csv +++ b/requirements.csv @@ -21,3 +21,4 @@ python_not_in_db,packaging python_not_in_db,importlib_resources vsajip_not_in_db,python-gnupg anthonyharrison_not_in_db,lib4sbom +the_purl_authors_not_in_db,packageurl-python diff --git a/requirements.txt b/requirements.txt index 45c67dc97e..bc6b438d4f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,8 +8,9 @@ importlib_metadata>=3.6; python_version < "3.10" importlib_resources; python_version < "3.9" jinja2>=2.11.3 jsonschema>=3.0.2 -lib4sbom>=0.3.0 +lib4sbom>=0.5.0 python-gnupg +packageurl-python packaging<22.0 plotly pyyaml>=5.4 diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json index 9ffa050535..b4c550e718 100644 --- a/sbom/cve-bin-tool-py3.10.json +++ b/sbom/cve-bin-tool-py3.10.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:40d6248a-216c-4ad9-b692-0ba5b38f177f", + "serialNumber": "urn:uuid:d78de14f-40bb-450b-adbb-d4beb1f94ebd", "version": 1, "metadata": { - "timestamp": "2023-08-21T00:24:46Z", + "timestamp": "2023-10-16T00:27:13Z", "tools": { "components": [ { @@ -58,7 +58,11 @@ "type": "library", "bom-ref": "2-aiohttp", "name": "aiohttp", - "version": "3.8.5", + "version": "3.8.6", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6", "description": "Async http client/server framework (asyncio)", "licenses": [ { @@ -70,12 +74,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/aiohttp/3.8.5", + "url": "https://pypi.org/project/aiohttp/3.8.6", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/aiohttp@3.8.5", + "purl": "pkg:pypi/aiohttp@3.8.6", "properties": [ { "name": "License Comments", 
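Review bot: `packageurl-python` is added to requirements.txt with no version bound, unlike `lib4sbom>=0.5.0` on the line above it, so any future incompatible release is picked up silently at install time; `packageurl-python>=0.11.2` would match the version this same commit records in the regenerated SBOM. The remaining hunks on this line are generated SBOM output and are not reviewed here.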
@@ -88,6 +92,10 @@ "bom-ref": "3-aiosignal", "name": "aiosignal", "version": "1.3.1", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1", "licenses": [ { "license": { @@ -116,6 +124,10 @@ "bom-ref": "4-frozenlist", "name": "frozenlist", "version": "1.4.0", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0", "description": "A list-like structure which implements collections.abc.MutableSequence", "licenses": [ { @@ -206,7 +218,7 @@ "type": "library", "bom-ref": "7-charset-normalizer", "name": "charset-normalizer", - "version": "3.2.0", + "version": "3.3.0", "supplier": { "name": "Ahmed TAHRI", "contact": [ @@ -215,7 +227,7 @@ } ] }, - "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:*", "description": "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.", "licenses": [ { @@ -227,12 +239,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/charset-normalizer/3.2.0", + "url": "https://pypi.org/project/charset-normalizer/3.3.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/charset-normalizer@3.2.0" + "purl": "pkg:pypi/charset-normalizer@3.3.0" }, { "type": "library", @@ -356,7 +368,7 @@ "type": "library", "bom-ref": "12-soupsieve", "name": "soupsieve", - "version": "2.4.1", + "version": "2.5", "supplier": { "name": "Isaac Muse", "contact": [ 
@@ -365,16 +377,16 @@ } ] }, - "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.4.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:*", "description": "A modern CSS selector implementation for Beautiful Soup.", "externalReferences": [ { - "url": "https://pypi.org/project/soupsieve/2.4.1", + "url": "https://pypi.org/project/soupsieve/2.5", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/soupsieve@2.4.1" + "purl": "pkg:pypi/soupsieve@2.5" }, { "type": "library", @@ -494,16 +506,16 @@ "type": "library", "bom-ref": "16-gsutil", "name": "gsutil", - "version": "5.25", + "version": "5.26", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "buganizer-system+187143@google.com" } ] }, - "cpe": "cpe:2.3:a:google_inc.:gsutil:5.25:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*", "description": "A command line tool for interacting with cloud storage services.", "licenses": [ { @@ -515,12 +527,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/gsutil/5.25", + "url": "https://pypi.org/project/gsutil/5.26", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/gsutil@5.25", + "purl": "pkg:pypi/gsutil@5.26", "properties": [ { "name": "License Comments", @@ -532,7 +544,7 @@ "type": "library", "bom-ref": "17-argcomplete", "name": "argcomplete", - "version": "3.1.1", + "version": "3.1.2", "supplier": { "name": "Andrey Kislyuk", "contact": [ @@ -541,7 +553,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.2:*:*:*:*:*:*:*", "description": "Bash tab completion for argparse", "licenses": [ { 
@@ -553,12 +565,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/argcomplete/3.1.1", + "url": "https://pypi.org/project/argcomplete/3.1.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/argcomplete@3.1.1", + "purl": "pkg:pypi/argcomplete@3.1.2", "properties": [ { "name": "License Comments", @@ -602,11 +614,11 @@ "type": "library", "bom-ref": "19-fasteners", "name": "fasteners", - "version": "0.18", + "version": "0.19", "supplier": { "name": "Joshua Harlow" }, - "cpe": "cpe:2.3:a:joshua_harlow:fasteners:0.18:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:joshua_harlow:fasteners:0.19:*:*:*:*:*:*:*", "description": "A python package that provides useful locks", "licenses": [ { @@ -618,18 +630,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/fasteners/0.18", + "url": "https://pypi.org/project/fasteners/0.19", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/fasteners@0.18", - "properties": [ - { - "name": "License Comments", - "value": "fasteners declares ASL 2.0 which is not currently a valid SPDX License identifier or expression." - } - ] + "purl": "pkg:pypi/fasteners@0.19" }, { "type": "library", @@ -637,7 +643,7 @@ "name": "gcs-oauth2-boto-plugin", "version": "3.0", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "gs-team@google.com" @@ -745,7 +751,7 @@ "name": "pyu2f", "version": "0.1.5", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "pyu2f-team@google.com" @@ -871,7 +877,7 @@ "name": "oauth2client", "version": "4.1.3", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "jonwayne+oauth2client@google.com" @@ -979,7 +985,7 @@ "name": "rsa", "version": "4.7.2", "supplier": { - "name": "Sybren A. Stuvel", + "name": "Sybren A . Stuvel", "contact": [ { "email": "sybren@stuvel.eu" 
@@ -1053,7 +1059,7 @@ "type": "library", "bom-ref": "32-cryptography", "name": "cryptography", - "version": "41.0.3", + "version": "41.0.4", "supplier": { "name": "The Python Cryptographic Authority and individual contributors", "contact": [ @@ -1062,29 +1068,27 @@ } ] }, - "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*", "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.", "licenses": [ { - "license": { - "expression": "Apache-2.0 OR BSD-3-Clause" - } + "expression": "Apache-2.0 OR BSD-3-Clause" } ], "externalReferences": [ { - "url": "https://pypi.org/project/cryptography/41.0.3", + "url": "https://pypi.org/project/cryptography/41.0.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cryptography@41.0.3" + "purl": "pkg:pypi/cryptography@41.0.4" }, { "type": "library", "bom-ref": "33-cffi", "name": "cffi", - "version": "1.15.1", + "version": "1.16.0", "supplier": { "name": "Armin Maciej Fijalkowski", "contact": [ @@ -1093,7 +1097,7 @@ } ] }, - "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.15.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:*", "description": "Foreign Function Interface for Python calling C code.", "licenses": [ { @@ -1105,12 +1109,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cffi/1.15.1", + "url": "https://pypi.org/project/cffi/1.16.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cffi@1.15.1" + "purl": "pkg:pypi/cffi@1.16.0" }, { "type": "library", 
@@ -1224,7 +1228,7 @@ "type": "library", "bom-ref": "37-google-auth", "name": "google-auth", - "version": "2.22.0", + "version": "2.23.3", "supplier": { "name": "Google Cloud Platform", "contact": [ @@ -1233,7 +1237,7 @@ } ] }, - "cpe": "cpe:2.3:a:google_cloud_platform:google-auth:2.22.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_cloud_platform:google-auth:2.23.3:*:*:*:*:*:*:*", "description": "Google Authentication Library", "licenses": [ { @@ -1245,12 +1249,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/google-auth/2.22.0", + "url": "https://pypi.org/project/google-auth/2.23.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/google-auth@2.22.0", + "purl": "pkg:pypi/google-auth@2.23.3", "properties": [ { "name": "License Comments", @@ -1292,39 +1296,7 @@ }, { "type": "library", - "bom-ref": "39-urllib3", - "name": "urllib3", - "version": "1.26.16", - "supplier": { - "name": "Andrey Petrov", - "contact": [ - { - "email": "andrey.petrov@shazow.net" - } - ] - }, - "cpe": "cpe:2.3:a:andrey_petrov:urllib3:1.26.16:*:*:*:*:*:*:*", - "description": "HTTP library with thread-safe connection pooling, file post, and more.", - "licenses": [ - { - "license": { - "id": "MIT", - "url": "https://opensource.org/licenses/MIT" - } - } - ], - "externalReferences": [ - { - "url": "https://pypi.org/project/urllib3/1.26.16", - "type": "distribution", - "comment": "Download location for component" - } - ], - "purl": "pkg:pypi/urllib3@1.26.16" - }, - { - "type": "library", - "bom-ref": "40-monotonic", + "bom-ref": "39-monotonic", "name": "monotonic", "version": "1.6", "supplier": { @@ -1362,7 +1334,7 @@ }, { "type": "library", - "bom-ref": "41-jinja2", + "bom-ref": "40-jinja2", "name": "jinja2", "version": "3.1.2", "supplier": { 
@@ -1394,9 +1366,13 @@ }, { "type": "library", - "bom-ref": "42-markupsafe", + "bom-ref": "41-markupsafe", "name": "markupsafe", "version": "2.1.3", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3", "description": "Safely add untrusted strings to HTML/XML markup.", "licenses": [ { @@ -1417,13 +1393,13 @@ }, { "type": "library", - "bom-ref": "43-jsonschema", + "bom-ref": "42-jsonschema", "name": "jsonschema", - "version": "4.19.0", + "version": "4.19.1", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.1:*:*:*:*:*:*:*", "description": "An implementation of JSON Schema validation for Python", "licenses": [ { @@ -1435,16 +1411,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/jsonschema/4.19.0", + "url": "https://pypi.org/project/jsonschema/4.19.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/jsonschema@4.19.0" + "purl": "pkg:pypi/jsonschema@4.19.1" }, { "type": "library", - "bom-ref": "44-jsonschema-specifications", + "bom-ref": "43-jsonschema-specifications", "name": "jsonschema-specifications", "version": "2023.7.1", "supplier": { @@ -1471,7 +1447,7 @@ }, { "type": "library", - "bom-ref": "45-referencing", + "bom-ref": "44-referencing", "name": "referencing", "version": "0.30.2", "supplier": { @@ -1498,13 +1474,13 @@ }, { "type": "library", - "bom-ref": "46-rpds-py", + "bom-ref": "45-rpds-py", "name": "rpds-py", - "version": "0.9.2", + "version": "0.10.6", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.6:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", "licenses": [ { 
@@ -1516,18 +1492,18 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rpds-py/0.9.2", + "url": "https://pypi.org/project/rpds-py/0.10.6", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.9.2" + "purl": "pkg:pypi/rpds-py@0.10.6" }, { "type": "library", - "bom-ref": "47-lib4sbom", + "bom-ref": "46-lib4sbom", "name": "lib4sbom", - "version": "0.4.3", + "version": "0.5.1", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -1536,7 +1512,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { @@ -1548,16 +1524,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.4.3", + "url": "https://pypi.org/project/lib4sbom/0.5.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.4.3" + "purl": "pkg:pypi/lib4sbom@0.5.1" }, { "type": "library", - "bom-ref": "48-pyyaml", + "bom-ref": "47-pyyaml", "name": "pyyaml", "version": "6.0.1", "supplier": { @@ -1589,7 +1565,7 @@ }, { "type": "library", - "bom-ref": "49-semantic-version", + "bom-ref": "48-semantic-version", "name": "semantic-version", "version": "2.10.0", "supplier": { 
@@ -1625,6 +1601,33 @@ } ] }, + { + "type": "library", + "bom-ref": "49-packageurl-python", + "name": "packageurl-python", + "version": "0.11.2", + "supplier": { + "name": "the purl authors" + }, + "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.11.2:*:*:*:*:*:*:*", + "description": "A purl aka. Package URL parser and builder", + "licenses": [ + { + "license": { + "id": "MIT", + "url": "https://opensource.org/licenses/MIT" + } + } + ], + "externalReferences": [ + { + "url": "https://pypi.org/project/packageurl-python/0.11.2", + "type": "distribution", + "comment": "Download location for component" + } + ], + "purl": "pkg:pypi/packageurl-python@0.11.2" + }, { "type": "library", "bom-ref": "50-packaging", @@ -1642,9 +1645,7 @@ "description": "Core utilities for Python packages", "licenses": [ { - "license": { - "expression": "BSD-2-Clause OR Apache-2.0" - } + "expression": "BSD-2-Clause OR Apache-2.0" } ], "externalReferences": [ @@ -1666,7 +1667,7 @@ "type": "library", "bom-ref": "51-plotly", "name": "plotly", - "version": "5.16.1", + "version": "5.17.0", "supplier": { "name": "Chris P", "contact": [ @@ -1675,7 +1676,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -1687,12 +1688,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.16.1", + "url": "https://pypi.org/project/plotly/5.17.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.16.1" + "purl": "pkg:pypi/plotly@5.17.0" }, { "type": "library", 
@@ -1842,9 +1843,33 @@ }, { "type": "library", - "bom-ref": "56-rich", + "bom-ref": "56-urllib3", + "name": "urllib3", + "version": "2.0.6", + "supplier": { + "name": "Andrey Petrov", + "contact": [ + { + "email": "andrey.petrov@shazow.net" + } + ] + }, + "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*", + "description": "HTTP library with thread-safe connection pooling, file post, and more.", + "externalReferences": [ + { + "url": "https://pypi.org/project/urllib3/2.0.6", + "type": "distribution", + "comment": "Download location for component" + } + ], + "purl": "pkg:pypi/urllib3@2.0.6" + }, + { + "type": "library", + "bom-ref": "57-rich", "name": "rich", - "version": "13.5.2", + "version": "13.6.0", "supplier": { "name": "Will McGugan", "contact": [ @@ -1853,7 +1878,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.5.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.6.0:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { @@ -1865,16 +1890,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rich/13.5.2", + "url": "https://pypi.org/project/rich/13.6.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.5.2" + "purl": "pkg:pypi/rich@13.6.0" }, { "type": "library", - "bom-ref": "57-markdown-it-py", + "bom-ref": "58-markdown-it-py", "name": "markdown-it-py", "version": "3.0.0", "supplier": { @@ -1898,7 +1923,7 @@ }, { "type": "library", - "bom-ref": "58-mdurl", + "bom-ref": "59-mdurl", "name": "mdurl", "version": "0.1.2", "supplier": { @@ -1922,7 +1947,7 @@ }, { "type": "library", - "bom-ref": "59-pygments", + "bom-ref": "60-pygments", "name": "pygments", "version": "2.16.1", "supplier": { @@ -1954,7 +1979,7 @@ }, { "type": "library", - "bom-ref": "60-rpmfile", + "bom-ref": "61-rpmfile", "name": "rpmfile", "version": "1.1.1", "supplier": { 
@@ -1986,7 +2011,7 @@ }, { "type": "library", - "bom-ref": "61-toml", + "bom-ref": "62-toml", "name": "toml", "version": "0.10.2", "supplier": { @@ -2018,9 +2043,9 @@ }, { "type": "library", - "bom-ref": "62-xmlschema", + "bom-ref": "63-xmlschema", "name": "xmlschema", - "version": "2.4.0", + "version": "2.5.0", "supplier": { "name": "Davide Brunato", "contact": [ @@ -2029,7 +2054,7 @@ } ] }, - "cpe": "cpe:2.3:a:davide_brunato:xmlschema:2.4.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:davide_brunato:xmlschema:2.5.0:*:*:*:*:*:*:*", "description": "An XML Schema validator and decoder", "licenses": [ { @@ -2041,16 +2066,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/xmlschema/2.4.0", + "url": "https://pypi.org/project/xmlschema/2.5.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/xmlschema@2.4.0" + "purl": "pkg:pypi/xmlschema@2.5.0" }, { "type": "library", - "bom-ref": "63-elementpath", + "bom-ref": "64-elementpath", "name": "elementpath", "version": "4.1.5", "supplier": { @@ -2082,7 +2107,7 @@ }, { "type": "library", - "bom-ref": "64-zstandard", + "bom-ref": "65-zstandard", "name": "zstandard", "version": "0.21.0", "supplier": { @@ -2120,12 +2145,6 @@ } ], "dependencies": [ - { - "ref": "CDXRef-DOCUMENT", - "dependsOn": [ - "1-cve-bin-tool" - ] - }, { "ref": "1-cve-bin-tool", "dependsOn": [ @@ -2135,20 +2154,21 @@ "14-defusedxml", "15-distro", "16-gsutil", - "41-jinja2", - "43-jsonschema", - "47-lib4sbom", + "40-jinja2", + "42-jsonschema", + "46-lib4sbom", + "49-packageurl-python", "50-packaging", "51-plotly", "53-python-gnupg", - "48-pyyaml", + "47-pyyaml", "54-requests", - "56-rich", - "60-rpmfile", - "61-toml", - "39-urllib3", - "62-xmlschema", - "64-zstandard" + "57-rich", + "61-rpmfile", + "62-toml", + "56-urllib3", + "63-xmlschema", + "65-zstandard" ] }, { 
@@ -2193,7 +2213,7 @@ "37-google-auth", "22-google-reauth", "25-httplib2", - "40-monotonic", + "39-monotonic", "31-pyopenssl", "35-retry-decorator", "24-six" @@ -2284,44 +2304,43 @@ "dependsOn": [ "38-cachetools", "29-pyasn1-modules", - "30-rsa", - "24-six", - "39-urllib3" + "30-rsa" ] }, { - "ref": "41-jinja2", + "ref": "40-jinja2", "dependsOn": [ - "42-markupsafe" + "41-markupsafe" ] }, { - "ref": "43-jsonschema", + "ref": "42-jsonschema", "dependsOn": [ "6-attrs", - "44-jsonschema-specifications", - "45-referencing", - "46-rpds-py" + "43-jsonschema-specifications", + "44-referencing", + "45-rpds-py" ] }, { - "ref": "44-jsonschema-specifications", + "ref": "43-jsonschema-specifications", "dependsOn": [ - "45-referencing" + "44-referencing" ] }, { - "ref": "45-referencing", + "ref": "44-referencing", "dependsOn": [ "6-attrs", - "46-rpds-py" + "45-rpds-py" ] }, { - "ref": "47-lib4sbom", + "ref": "46-lib4sbom", "dependsOn": [ - "48-pyyaml", - "49-semantic-version" + "14-defusedxml", + "47-pyyaml", + "48-semantic-version" ] }, { @@ -2343,26 +2362,26 @@ "55-certifi", "7-charset-normalizer", "10-idna", - "39-urllib3" + "56-urllib3" ] }, { - "ref": "56-rich", + "ref": "57-rich", "dependsOn": [ - "57-markdown-it-py", - "59-pygments" + "58-markdown-it-py", + "60-pygments" ] }, { - "ref": "57-markdown-it-py", + "ref": "58-markdown-it-py", "dependsOn": [ - "58-mdurl" + "59-mdurl" ] }, { - "ref": "62-xmlschema", + "ref": "63-xmlschema", "dependsOn": [ - "63-elementpath" + "64-elementpath" ] } ] diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx index dd1c5fdfd5..8d6486b3cb 100644 --- a/sbom/cve-bin-tool-py3.10.spdx +++ b/sbom/cve-bin-tool-py3.10.spdx 
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-f3c8b150-3c4b-4802-8882-7b512c33d04c +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-e07c80b5-e167-4b52-b7ba-f83622c7a409 LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-08-21T00:23:15Z +Created: 2023-10-16T00:25:39Z CreatorComment: This document has been automatically generated. ##### @@ -26,24 +26,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.2.2.dev0:*:*: PackageName: aiohttp SPDXID: SPDXRef-Package-2-aiohttp -PackageVersion: 3.8.5 +PackageVersion: 3.8.6 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION -PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.5 +PackageSupplier: Organization: NOASSERTION +PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.6 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Async http client/server framework (asyncio) -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.5 +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.6 ##### PackageName: aiosignal SPDXID: SPDXRef-Package-3-aiosignal PackageVersion: 1.3.1 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION 
@@ -57,7 +57,7 @@ PackageName: frozenlist SPDXID: SPDXRef-Package-4-frozenlist PackageVersion: 1.4.0 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION @@ -101,17 +101,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:23.1.0:*:*:*:*:* PackageName: charset-normalizer SPDXID: SPDXRef-Package-7-charset-normalizer -PackageVersion: 3.2.0 +PackageVersion: 3.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Ahmed TAHRI (ahmed.tahri@cloudnursery.dev) -PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.2.0 +PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.3.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:* ##### PackageName: multidict 
@@ -177,17 +177,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:leonard_richardson:beautifulsoup4:4.12 PackageName: soupsieve SPDXID: SPDXRef-Package-12-soupsieve -PackageVersion: 2.4.1 +PackageVersion: 2.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Isaac Muse (use@gmail.com) -PackageDownloadLocation: https://pypi.org/project/soupsieve/2.4.1 +PackageDownloadLocation: https://pypi.org/project/soupsieve/2.5 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: A modern CSS selector implementation for Beautiful Soup. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.4.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.4.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.5 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:* ##### PackageName: cvss 
@@ -240,34 +240,34 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:* PackageName: gsutil SPDXID: SPDXRef-Package-16-gsutil -PackageVersion: 5.25 +PackageVersion: 5.26 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com) -PackageDownloadLocation: https://pypi.org/project/gsutil/5.25 +PackageDownloadLocation: https://pypi.org/project/gsutil/5.26 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A command line tool for interacting with cloud storage services. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.25 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.25:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:* ##### PackageName: argcomplete SPDXID: SPDXRef-Package-17-argcomplete -PackageVersion: 3.1.1 +PackageVersion: 3.1.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com) -PackageDownloadLocation: https://pypi.org/project/argcomplete/3.1.1 +PackageDownloadLocation: https://pypi.org/project/argcomplete/3.1.2 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression. 
PackageCopyrightText: NOASSERTION PackageSummary: Bash tab completion for argparse -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.1.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.1.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.2:*:*:*:*:*:*:* ##### PackageName: crcmod @@ -287,18 +287,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ray_buvel:crcmod:1.7:*:*:*:*:*:*:* PackageName: fasteners SPDXID: SPDXRef-Package-19-fasteners -PackageVersion: 0.18 +PackageVersion: 0.19 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Joshua Harlow -PackageDownloadLocation: https://pypi.org/project/fasteners/0.18 +PackageDownloadLocation: https://pypi.org/project/fasteners/0.19 FilesAnalyzed: false -PackageLicenseDeclared: NOASSERTION +PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 -PackageLicenseComments: fasteners declares ASL 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A python package that provides useful locks -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/fasteners@0.18 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:joshua_harlow:fasteners:0.18:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/fasteners@0.19 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:joshua_harlow:fasteners:0.19:*:*:*:*:*:*:* ##### PackageName: gcs-oauth2-boto-plugin 
@@ -490,32 +489,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23. PackageName: cryptography SPDXID: SPDXRef-Package-32-cryptography -PackageVersion: 41.0.3 +PackageVersion: 41.0.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.3 +PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause PackageCopyrightText: NOASSERTION PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:* ##### PackageName: cffi SPDXID: SPDXRef-Package-33-cffi -PackageVersion: 1.15.1 +PackageVersion: 1.16.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Armin Maciej Fijalkowski (python-cffi@googlegroups.com) -PackageDownloadLocation: https://pypi.org/project/cffi/1.15.1 +PackageDownloadLocation: https://pypi.org/project/cffi/1.16.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Foreign Function Interface for Python calling C code. 
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cffi@1.15.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.15.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cffi@1.16.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:* ##### PackageName: pycparser @@ -567,18 +566,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:craig_citro:google-apitools:0.5.32:*:* PackageName: google-auth SPDXID: SPDXRef-Package-37-google-auth -PackageVersion: 2.22.0 +PackageVersion: 2.23.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Google Cloud Platform (googleapis-packages@google.com) -PackageDownloadLocation: https://pypi.org/project/google-auth/2.22.0 +PackageDownloadLocation: https://pypi.org/project/google-auth/2.23.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: google-auth declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Google Authentication Library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth@2.22.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.22.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth@2.23.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23.3:*:*:*:*:*:*:* ##### PackageName: cachetools 
@@ -596,23 +595,8 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1 ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:* ##### -PackageName: urllib3 -SPDXID: SPDXRef-Package-39-urllib3 -PackageVersion: 1.26.16 -PrimaryPackagePurpose: LIBRARY -PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net) -PackageDownloadLocation: https://pypi.org/project/urllib3/1.26.16 -FilesAnalyzed: false -PackageLicenseDeclared: MIT -PackageLicenseConcluded: MIT -PackageCopyrightText: NOASSERTION -PackageSummary: HTTP library with thread-safe connection pooling, file post, and more. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@1.26.16 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:1.26.16:*:*:*:*:*:*:* -##### - PackageName: monotonic -SPDXID: SPDXRef-Package-40-monotonic +SPDXID: SPDXRef-Package-39-monotonic PackageVersion: 1.6 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Ori Livneh (ori@wikimedia.org) @@ -628,7 +612,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ori_livneh:monotonic:1.6:*:*:*:*:*:*:* ##### PackageName: jinja2 -SPDXID: SPDXRef-Package-41-jinja2 +SPDXID: SPDXRef-Package-40-jinja2 PackageVersion: 3.1.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com) @@ -643,10 +627,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.1.2:*:*:*:*:*: ##### PackageName: markupsafe -SPDXID: SPDXRef-Package-42-markupsafe +SPDXID: SPDXRef-Package-41-markupsafe PackageVersion: 2.1.3 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3 FilesAnalyzed: false PackageLicenseDeclared: BSD-3-Clause 
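Review bot: `+PackageSupplier: Organization: NOASSERTION` in the markupsafe entry is not a valid SPDX 2.3 supplier value; the field takes either the bare token `NOASSERTION` or `Person:`/`Organization:` followed by an actual name, and the removed line had it right. A strict SPDX validator, or a consumer that derives a CPE vendor from the supplier the way the other entries in this file do, will reject or mis-key this package. The line should read `PackageSupplier: NOASSERTION`; since this file is generated, the real fix belongs in the SBOM generator that emitted the `Organization:` prefix for an unknown supplier, and the regenerated file should be run through an SPDX validator before it is committed.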
@@ -657,22 +641,22 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.3 ##### PackageName: jsonschema -SPDXID: SPDXRef-Package-43-jsonschema -PackageVersion: 4.19.0 +SPDXID: SPDXRef-Package-42-jsonschema +PackageVersion: 4.19.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.0 +PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.1 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An implementation of JSON Schema validation for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.1:*:*:*:*:*:*:* ##### PackageName: jsonschema-specifications -SPDXID: SPDXRef-Package-44-jsonschema-specifications +SPDXID: SPDXRef-Package-43-jsonschema-specifications PackageVersion: 2023.7.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman @@ -687,7 +671,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema-specification ##### PackageName: referencing -SPDXID: SPDXRef-Package-45-referencing +SPDXID: SPDXRef-Package-44-referencing PackageVersion: 0.30.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman 
@@ -702,37 +686,37 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.30.2:*:*:* ##### PackageName: rpds-py -SPDXID: SPDXRef-Package-46-rpds-py -PackageVersion: 0.9.2 +SPDXID: SPDXRef-Package-45-rpds-py +PackageVersion: 0.10.6 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.9.2 +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.6 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.9.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.6 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.6:*:*:*:*:*:*:* ##### PackageName: lib4sbom -SPDXID: SPDXRef-Package-47-lib4sbom -PackageVersion: 0.4.3 +SPDXID: SPDXRef-Package-46-lib4sbom +PackageVersion: 0.5.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.1 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:* ##### PackageName: pyyaml -SPDXID: SPDXRef-Package-48-pyyaml +SPDXID: SPDXRef-Package-47-pyyaml PackageVersion: 6.0.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kirill 
Simonov (xi@resolvent.net) @@ -747,7 +731,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.1:*:*:*:*:*: ##### PackageName: semantic-version -SPDXID: SPDXRef-Package-49-semantic-version +SPDXID: SPDXRef-Package-48-semantic-version PackageVersion: 2.10.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Raphael Barrois (raphael.barrois+semver@polytechnique.org) @@ -762,6 +746,21 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/semantic-version@2.10.0 ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10.0:*:*:*:*:*:*:* ##### +PackageName: packageurl-python +SPDXID: SPDXRef-Package-49-packageurl-python +PackageVersion: 0.11.2 +PrimaryPackagePurpose: LIBRARY +PackageSupplier: Person: the purl authors +PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.11.2 +FilesAnalyzed: false +PackageLicenseDeclared: MIT +PackageLicenseConcluded: MIT +PackageCopyrightText: NOASSERTION +PackageSummary: A purl aka. Package URL parser and builder +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.11.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.11.2:*:*:*:*:*:*:* +##### + PackageName: packaging SPDXID: SPDXRef-Package-50-packaging PackageVersion: 21.3 
@@ -780,17 +779,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut PackageName: plotly SPDXID: SPDXRef-Package-51-plotly -PackageVersion: 5.16.1 +PackageVersion: 5.17.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.16.1 +PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.16.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:* ##### PackageName: tenacity 
@@ -856,23 +855,38 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/certifi@2023.7.22 ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*:*:*:*:* ##### +PackageName: urllib3 +SPDXID: SPDXRef-Package-56-urllib3 +PackageVersion: 2.0.6 +PrimaryPackagePurpose: LIBRARY +PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net) +PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6 +FilesAnalyzed: false +PackageLicenseDeclared: NOASSERTION +PackageLicenseConcluded: NOASSERTION +PackageCopyrightText: NOASSERTION +PackageSummary: HTTP library with thread-safe connection pooling, file post, and more. +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:* +##### + PackageName: rich -SPDXID: SPDXRef-Package-56-rich -PackageVersion: 13.5.2 +SPDXID: SPDXRef-Package-57-rich +PackageVersion: 13.6.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.5.2 +PackageDownloadLocation: https://pypi.org/project/rich/13.6.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@13.5.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.5.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@13.6.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.6.0:*:*:*:*:*:*:* ##### PackageName: markdown-it-py -SPDXID: SPDXRef-Package-57-markdown-it-py +SPDXID: SPDXRef-Package-58-markdown-it-py PackageVersion: 3.0.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris Sewell (chrisj_sewell@hotmail.com) 
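Review bot: The new urllib3 entry records `PackageLicenseDeclared: NOASSERTION` and `PackageLicenseConcluded: NOASSERTION`, whereas the 1.26.16 entry this diff removes in an earlier hunk carried `MIT` for both; as far as I know urllib3 2.x is still MIT-licensed, so this is lost SBOM data rather than a genuine change. The entry should carry `PackageLicenseDeclared: MIT` and `PackageLicenseConcluded: MIT`, and it is worth checking why the generator dropped the licence metadata for this package when it kept it for its neighbours. Separately, 1.26.16 → 2.0.6 is a major-version jump of the HTTP client behind requests; please confirm the project's own requirement pin admits 2.x deliberately rather than as an accident of the regeneration environment.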
@@ -887,7 +901,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_sewell:markdown-it-py:3.0.0:*:*: ##### PackageName: mdurl -SPDXID: SPDXRef-Package-58-mdurl +SPDXID: SPDXRef-Package-59-mdurl PackageVersion: 0.1.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Taneli Hukkinen (hukkin@users.noreply.github.com) @@ -902,7 +916,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:taneli_hukkinen:mdurl:0.1.2:*:*:*:*:*: ##### PackageName: pygments -SPDXID: SPDXRef-Package-59-pygments +SPDXID: SPDXRef-Package-60-pygments PackageVersion: 2.16.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Georg Brandl (georg@python.org) @@ -917,7 +931,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.16.1:*:*:*:*:* ##### PackageName: rpmfile -SPDXID: SPDXRef-Package-60-rpmfile +SPDXID: SPDXRef-Package-61-rpmfile PackageVersion: 1.1.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Sean Ross (srossross@gmail.com) @@ -932,7 +946,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:1.1.1:*:*:*:*:*:*:* ##### PackageName: toml -SPDXID: SPDXRef-Package-61-toml +SPDXID: SPDXRef-Package-62-toml PackageVersion: 0.10.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: William Pearson (uiri@xqz.ca) 
@@ -947,22 +961,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:william_pearson:toml:0.10.2:*:*:*:*:*: ##### PackageName: xmlschema -SPDXID: SPDXRef-Package-62-xmlschema -PackageVersion: 2.4.0 +SPDXID: SPDXRef-Package-63-xmlschema +PackageVersion: 2.5.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) -PackageDownloadLocation: https://pypi.org/project/xmlschema/2.4.0 +PackageDownloadLocation: https://pypi.org/project/xmlschema/2.5.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An XML Schema validator and decoder -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@2.4.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:2.4.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@2.5.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:2.5.0:*:*:*:*:*:*:* ##### PackageName: elementpath -SPDXID: SPDXRef-Package-63-elementpath +SPDXID: SPDXRef-Package-64-elementpath PackageVersion: 4.1.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) @@ -977,7 +991,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.1.5:*:*:* ##### PackageName: zstandard -SPDXID: SPDXRef-Package-64-zstandard +SPDXID: SPDXRef-Package-65-zstandard PackageVersion: 0.21.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Gregory Szorc (gregory.szorc@gmail.com) 
@@ -992,27 +1006,27 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.21.0 ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:* ##### -Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-11-beautifulsoup4 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-13-cvss Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-14-defusedxml Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-15-distro Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-16-gsutil Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-2-aiohttp -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-39-urllib3 -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-41-jinja2 -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-43-jsonschema -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-47-lib4sbom -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-48-pyyaml +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-40-jinja2 +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-42-jsonschema +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-46-lib4sbom +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-47-pyyaml +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-49-packageurl-python Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-50-packaging Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-51-plotly Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-53-python-gnupg Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-54-requests -Relationship: SPDXRef-Package-1-cve-bin-tool 
DEPENDS_ON SPDXRef-Package-56-rich -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-60-rpmfile -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-61-toml -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-62-xmlschema -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-64-zstandard +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-56-urllib3 +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-57-rich +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-61-rpmfile +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-62-toml +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-63-xmlschema +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-65-zstandard Relationship: SPDXRef-Package-11-beautifulsoup4 DEPENDS_ON SPDXRef-Package-12-soupsieve Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-17-argcomplete Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-18-crcmod @@ -1025,7 +1039,7 @@ Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-31-pyopenssl Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-35-retry-decorator Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-36-google-apitools Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-37-google-auth -Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-40-monotonic +Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-39-monotonic Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-3-aiosignal Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-4-frozenlist Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-5-async-timeout 
@@ -1059,31 +1073,31 @@ Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-19-f Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-24-six Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-25-httplib2 Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-27-oauth2client -Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-24-six Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-29-pyasn1-modules Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-30-rsa Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-38-cachetools -Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-39-urllib3 -Relationship: SPDXRef-Package-41-jinja2 DEPENDS_ON SPDXRef-Package-42-markupsafe -Relationship: SPDXRef-Package-43-jsonschema DEPENDS_ON SPDXRef-Package-44-jsonschema-specifications -Relationship: SPDXRef-Package-43-jsonschema DEPENDS_ON SPDXRef-Package-45-referencing -Relationship: SPDXRef-Package-43-jsonschema DEPENDS_ON SPDXRef-Package-46-rpds-py -Relationship: SPDXRef-Package-43-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs -Relationship: SPDXRef-Package-44-jsonschema-specifications DEPENDS_ON SPDXRef-Package-45-referencing -Relationship: SPDXRef-Package-45-referencing DEPENDS_ON SPDXRef-Package-46-rpds-py -Relationship: SPDXRef-Package-45-referencing DEPENDS_ON SPDXRef-Package-6-attrs -Relationship: SPDXRef-Package-47-lib4sbom DEPENDS_ON SPDXRef-Package-48-pyyaml -Relationship: SPDXRef-Package-47-lib4sbom DEPENDS_ON SPDXRef-Package-49-semantic-version +Relationship: SPDXRef-Package-40-jinja2 DEPENDS_ON SPDXRef-Package-41-markupsafe +Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON SPDXRef-Package-43-jsonschema-specifications +Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON SPDXRef-Package-44-referencing +Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON 
SPDXRef-Package-45-rpds-py +Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs +Relationship: SPDXRef-Package-43-jsonschema-specifications DEPENDS_ON SPDXRef-Package-44-referencing +Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-45-rpds-py +Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-6-attrs +Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-14-defusedxml +Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-47-pyyaml +Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-48-semantic-version Relationship: SPDXRef-Package-50-packaging DEPENDS_ON SPDXRef-Package-26-pyparsing Relationship: SPDXRef-Package-51-plotly DEPENDS_ON SPDXRef-Package-50-packaging Relationship: SPDXRef-Package-51-plotly DEPENDS_ON SPDXRef-Package-52-tenacity Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-10-idna -Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-39-urllib3 Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-55-certifi +Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-56-urllib3 Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-7-charset-normalizer -Relationship: SPDXRef-Package-56-rich DEPENDS_ON SPDXRef-Package-57-markdown-it-py -Relationship: SPDXRef-Package-56-rich DEPENDS_ON SPDXRef-Package-59-pygments -Relationship: SPDXRef-Package-57-markdown-it-py DEPENDS_ON SPDXRef-Package-58-mdurl -Relationship: SPDXRef-Package-62-xmlschema DEPENDS_ON SPDXRef-Package-63-elementpath +Relationship: SPDXRef-Package-57-rich DEPENDS_ON SPDXRef-Package-58-markdown-it-py +Relationship: SPDXRef-Package-57-rich DEPENDS_ON SPDXRef-Package-60-pygments +Relationship: SPDXRef-Package-58-markdown-it-py DEPENDS_ON SPDXRef-Package-59-mdurl +Relationship: SPDXRef-Package-63-xmlschema DEPENDS_ON SPDXRef-Package-64-elementpath Relationship: SPDXRef-Package-9-yarl DEPENDS_ON 
SPDXRef-Package-10-idna Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-8-multidict +Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json index 7cbc8d328d..22b452581f 100644 --- a/sbom/cve-bin-tool-py3.11.json +++ b/sbom/cve-bin-tool-py3.11.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:33c23464-882c-4482-baa5-4438bfcbfa09", + "serialNumber": "urn:uuid:d207333a-18dd-4549-9979-6b7f093bf0f4", "version": 1, "metadata": { - "timestamp": "2023-08-21T00:24:27Z", + "timestamp": "2023-10-16T00:26:13Z", "tools": { "components": [ { @@ -58,7 +58,11 @@ "type": "library", "bom-ref": "2-aiohttp", "name": "aiohttp", - "version": "3.8.5", + "version": "3.8.6", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6", "description": "Async http client/server framework (asyncio)", "licenses": [ { @@ -70,12 +74,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/aiohttp/3.8.5", + "url": "https://pypi.org/project/aiohttp/3.8.6", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/aiohttp@3.8.5", + "purl": "pkg:pypi/aiohttp@3.8.6", "properties": [ { "name": "License Comments", @@ -88,6 +92,10 @@ "bom-ref": "3-aiosignal", "name": "aiosignal", "version": "1.3.1", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1", "licenses": [ { "license": { @@ -116,6 +124,10 @@ "bom-ref": "4-frozenlist", "name": "frozenlist", "version": "1.4.0", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0", "description": "A list-like structure which implements collections.abc.MutableSequence", "licenses": [ { 
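Review bot: `+Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool` references an element that does not exist in the document, and together with the removal of `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool` in the earlier hunk it leaves `SPDXRef-DOCUMENT` describing nothing. SPDX consumers identify the primary component through a DESCRIBES relationship that originates from `SPDXRef-DOCUMENT`, so validators and downstream matchers will flag the file as invalid or treat the root package as unknown. The line should be restored as `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool`; the `Package-None` ID looks like a defect in the lib4sbom release this diff bumps to, so fix it there and regenerate rather than hand-editing the output.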
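Review bot: The added `"cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6"` (and the same shape for aiosignal and frozenlist in the following hunks) uses the deprecated 2.2 URI binding with the literal `NOASSERTION` as vendor, while every other component in this file uses a 2.3 formatted string with a real vendor. A CPE with a placeholder vendor is not a usable identifier: it will never match an NVD entry, so a scanner keying on `cpe` rather than `purl` gets a silent false negative for aiohttp, and the mixed bindings make the file harder to parse uniformly. When the supplier is unknown the `cpe` field should be omitted (the `purl` already identifies the package) or emitted as a 2.3 string with `*` in the vendor position; this too comes from the generator, so fix it there and regenerate.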
@@ -206,7 +218,7 @@ "type": "library", "bom-ref": "7-charset-normalizer", "name": "charset-normalizer", - "version": "3.2.0", + "version": "3.3.0", "supplier": { "name": "Ahmed TAHRI", "contact": [ @@ -215,7 +227,7 @@ } ] }, - "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:*", "description": "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.", "licenses": [ { @@ -227,12 +239,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/charset-normalizer/3.2.0", + "url": "https://pypi.org/project/charset-normalizer/3.3.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/charset-normalizer@3.2.0" + "purl": "pkg:pypi/charset-normalizer@3.3.0" }, { "type": "library", @@ -356,7 +368,7 @@ "type": "library", "bom-ref": "12-soupsieve", "name": "soupsieve", - "version": "2.4.1", + "version": "2.5", "supplier": { "name": "Isaac Muse", "contact": [ @@ -365,16 +377,16 @@ } ] }, - "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.4.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:*", "description": "A modern CSS selector implementation for Beautiful Soup.", "externalReferences": [ { - "url": "https://pypi.org/project/soupsieve/2.4.1", + "url": "https://pypi.org/project/soupsieve/2.5", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/soupsieve@2.4.1" + "purl": "pkg:pypi/soupsieve@2.5" }, { "type": "library", 
@@ -494,16 +506,16 @@ "type": "library", "bom-ref": "16-gsutil", "name": "gsutil", - "version": "5.25", + "version": "5.26", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "buganizer-system+187143@google.com" } ] }, - "cpe": "cpe:2.3:a:google_inc.:gsutil:5.25:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*", "description": "A command line tool for interacting with cloud storage services.", "licenses": [ { @@ -515,12 +527,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/gsutil/5.25", + "url": "https://pypi.org/project/gsutil/5.26", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/gsutil@5.25", + "purl": "pkg:pypi/gsutil@5.26", "properties": [ { "name": "License Comments", @@ -532,7 +544,7 @@ "type": "library", "bom-ref": "17-argcomplete", "name": "argcomplete", - "version": "3.1.1", + "version": "3.1.2", "supplier": { "name": "Andrey Kislyuk", "contact": [ @@ -541,7 +553,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.2:*:*:*:*:*:*:*", "description": "Bash tab completion for argparse", "licenses": [ { @@ -553,12 +565,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/argcomplete/3.1.1", + "url": "https://pypi.org/project/argcomplete/3.1.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/argcomplete@3.1.1", + "purl": "pkg:pypi/argcomplete@3.1.2", "properties": [ { "name": "License Comments", @@ -602,11 +614,11 @@ "type": "library", "bom-ref": "19-fasteners", "name": "fasteners", - "version": "0.18", + "version": "0.19", "supplier": { "name": "Joshua Harlow" }, - "cpe": "cpe:2.3:a:joshua_harlow:fasteners:0.18:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:joshua_harlow:fasteners:0.19:*:*:*:*:*:*:*", "description": "A python package that provides useful locks", "licenses": [ { 
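Review bot: `"name": "Google Inc ."` on the new side has a space inserted before the trailing period (the same corruption appears as `Sybren A . Stuvel` in a later hunk), while the adjacent `cpe` still encodes the vendor as `google_inc.`, so the supplier name and the CPE vendor no longer agree. This looks like a tokenisation bug in the generator's supplier-name normalisation rather than a real metadata change; the name should remain `Google Inc.`. Since this file is generated, fix the normalisation at the source and regenerate instead of patching the JSON by hand.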
@@ -618,18 +630,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/fasteners/0.18", + "url": "https://pypi.org/project/fasteners/0.19", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/fasteners@0.18", - "properties": [ - { - "name": "License Comments", - "value": "fasteners declares ASL 2.0 which is not currently a valid SPDX License identifier or expression." - } - ] + "purl": "pkg:pypi/fasteners@0.19" }, { "type": "library", @@ -637,7 +643,7 @@ "name": "gcs-oauth2-boto-plugin", "version": "3.0", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "gs-team@google.com" @@ -745,7 +751,7 @@ "name": "pyu2f", "version": "0.1.5", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "pyu2f-team@google.com" @@ -871,7 +877,7 @@ "name": "oauth2client", "version": "4.1.3", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "jonwayne+oauth2client@google.com" @@ -979,7 +985,7 @@ "name": "rsa", "version": "4.7.2", "supplier": { - "name": "Sybren A. Stuvel", + "name": "Sybren A . Stuvel", "contact": [ { "email": "sybren@stuvel.eu" @@ -1053,7 +1059,7 @@ "type": "library", "bom-ref": "32-cryptography", "name": "cryptography", - "version": "41.0.3", + "version": "41.0.4", "supplier": { "name": "The Python Cryptographic Authority and individual contributors", "contact": [ 
@@ -1062,29 +1068,27 @@ } ] }, - "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*", "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.", "licenses": [ { - "license": { - "expression": "Apache-2.0 OR BSD-3-Clause" - } + "expression": "Apache-2.0 OR BSD-3-Clause" } ], "externalReferences": [ { - "url": "https://pypi.org/project/cryptography/41.0.3", + "url": "https://pypi.org/project/cryptography/41.0.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cryptography@41.0.3" + "purl": "pkg:pypi/cryptography@41.0.4" }, { "type": "library", "bom-ref": "33-cffi", "name": "cffi", - "version": "1.15.1", + "version": "1.16.0", "supplier": { "name": "Armin Maciej Fijalkowski", "contact": [ @@ -1093,7 +1097,7 @@ } ] }, - "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.15.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:*", "description": "Foreign Function Interface for Python calling C code.", "licenses": [ { @@ -1105,12 +1109,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cffi/1.15.1", + "url": "https://pypi.org/project/cffi/1.16.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cffi@1.15.1" + "purl": "pkg:pypi/cffi@1.16.0" }, { "type": "library", @@ -1224,7 +1228,7 @@ "type": "library", "bom-ref": "37-google-auth", "name": "google-auth", - "version": "2.22.0", + "version": "2.23.3", "supplier": { "name": "Google Cloud Platform", "contact": [ 
@@ -1233,7 +1237,7 @@ } ] }, - "cpe": "cpe:2.3:a:google_cloud_platform:google-auth:2.22.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_cloud_platform:google-auth:2.23.3:*:*:*:*:*:*:*", "description": "Google Authentication Library", "licenses": [ { @@ -1245,12 +1249,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/google-auth/2.22.0", + "url": "https://pypi.org/project/google-auth/2.23.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/google-auth@2.22.0", + "purl": "pkg:pypi/google-auth@2.23.3", "properties": [ { "name": "License Comments", @@ -1292,39 +1296,7 @@ }, { "type": "library", - "bom-ref": "39-urllib3", - "name": "urllib3", - "version": "1.26.16", - "supplier": { - "name": "Andrey Petrov", - "contact": [ - { - "email": "andrey.petrov@shazow.net" - } - ] - }, - "cpe": "cpe:2.3:a:andrey_petrov:urllib3:1.26.16:*:*:*:*:*:*:*", - "description": "HTTP library with thread-safe connection pooling, file post, and more.", - "licenses": [ - { - "license": { - "id": "MIT", - "url": "https://opensource.org/licenses/MIT" - } - } - ], - "externalReferences": [ - { - "url": "https://pypi.org/project/urllib3/1.26.16", - "type": "distribution", - "comment": "Download location for component" - } - ], - "purl": "pkg:pypi/urllib3@1.26.16" - }, - { - "type": "library", - "bom-ref": "40-monotonic", + "bom-ref": "39-monotonic", "name": "monotonic", "version": "1.6", "supplier": { @@ -1362,7 +1334,7 @@ }, { "type": "library", - "bom-ref": "41-jinja2", + "bom-ref": "40-jinja2", "name": "jinja2", "version": "3.1.2", "supplier": { @@ -1394,9 +1366,13 @@ }, { "type": "library", - "bom-ref": "42-markupsafe", + "bom-ref": "41-markupsafe", "name": "markupsafe", "version": "2.1.3", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3", "description": "Safely add untrusted strings to HTML/XML markup.", "licenses": [ { 
@@ -1417,13 +1393,13 @@ }, { "type": "library", - "bom-ref": "43-jsonschema", + "bom-ref": "42-jsonschema", "name": "jsonschema", - "version": "4.19.0", + "version": "4.19.1", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.1:*:*:*:*:*:*:*", "description": "An implementation of JSON Schema validation for Python", "licenses": [ { @@ -1435,16 +1411,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/jsonschema/4.19.0", + "url": "https://pypi.org/project/jsonschema/4.19.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/jsonschema@4.19.0" + "purl": "pkg:pypi/jsonschema@4.19.1" }, { "type": "library", - "bom-ref": "44-jsonschema-specifications", + "bom-ref": "43-jsonschema-specifications", "name": "jsonschema-specifications", "version": "2023.7.1", "supplier": { @@ -1471,7 +1447,7 @@ }, { "type": "library", - "bom-ref": "45-referencing", + "bom-ref": "44-referencing", "name": "referencing", "version": "0.30.2", "supplier": { @@ -1498,13 +1474,13 @@ }, { "type": "library", - "bom-ref": "46-rpds-py", + "bom-ref": "45-rpds-py", "name": "rpds-py", - "version": "0.9.2", + "version": "0.10.6", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.6:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", "licenses": [ { 
@@ -1516,18 +1492,18 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rpds-py/0.9.2", + "url": "https://pypi.org/project/rpds-py/0.10.6", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.9.2" + "purl": "pkg:pypi/rpds-py@0.10.6" }, { "type": "library", - "bom-ref": "47-lib4sbom", + "bom-ref": "46-lib4sbom", "name": "lib4sbom", - "version": "0.4.3", + "version": "0.5.1", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -1536,7 +1512,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { @@ -1548,16 +1524,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.4.3", + "url": "https://pypi.org/project/lib4sbom/0.5.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.4.3" + "purl": "pkg:pypi/lib4sbom@0.5.1" }, { "type": "library", - "bom-ref": "48-pyyaml", + "bom-ref": "47-pyyaml", "name": "pyyaml", "version": "6.0.1", "supplier": { @@ -1589,7 +1565,7 @@ }, { "type": "library", - "bom-ref": "49-semantic-version", + "bom-ref": "48-semantic-version", "name": "semantic-version", "version": "2.10.0", "supplier": { 
@@ -1625,6 +1601,33 @@ } ] }, + { + "type": "library", + "bom-ref": "49-packageurl-python", + "name": "packageurl-python", + "version": "0.11.2", + "supplier": { + "name": "the purl authors" + }, + "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.11.2:*:*:*:*:*:*:*", + "description": "A purl aka. Package URL parser and builder", + "licenses": [ + { + "license": { + "id": "MIT", + "url": "https://opensource.org/licenses/MIT" + } + } + ], + "externalReferences": [ + { + "url": "https://pypi.org/project/packageurl-python/0.11.2", + "type": "distribution", + "comment": "Download location for component" + } + ], + "purl": "pkg:pypi/packageurl-python@0.11.2" + }, { "type": "library", "bom-ref": "50-packaging", @@ -1642,9 +1645,7 @@ "description": "Core utilities for Python packages", "licenses": [ { - "license": { - "expression": "BSD-2-Clause OR Apache-2.0" - } + "expression": "BSD-2-Clause OR Apache-2.0" } ], "externalReferences": [ @@ -1666,7 +1667,7 @@ "type": "library", "bom-ref": "51-plotly", "name": "plotly", - "version": "5.16.1", + "version": "5.17.0", "supplier": { "name": "Chris P", "contact": [ @@ -1675,7 +1676,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -1687,12 +1688,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.16.1", + "url": "https://pypi.org/project/plotly/5.17.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.16.1" + "purl": "pkg:pypi/plotly@5.17.0" }, { "type": "library", 
@@ -1842,9 +1843,33 @@ }, { "type": "library", - "bom-ref": "56-rich", + "bom-ref": "56-urllib3", + "name": "urllib3", + "version": "2.0.6", + "supplier": { + "name": "Andrey Petrov", + "contact": [ + { + "email": "andrey.petrov@shazow.net" + } + ] + }, + "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*", + "description": "HTTP library with thread-safe connection pooling, file post, and more.", + "externalReferences": [ + { + "url": "https://pypi.org/project/urllib3/2.0.6", + "type": "distribution", + "comment": "Download location for component" + } + ], + "purl": "pkg:pypi/urllib3@2.0.6" + }, + { + "type": "library", + "bom-ref": "57-rich", "name": "rich", - "version": "13.5.2", + "version": "13.6.0", "supplier": { "name": "Will McGugan", "contact": [ @@ -1853,7 +1878,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.5.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.6.0:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { @@ -1865,16 +1890,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rich/13.5.2", + "url": "https://pypi.org/project/rich/13.6.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.5.2" + "purl": "pkg:pypi/rich@13.6.0" }, { "type": "library", - "bom-ref": "57-markdown-it-py", + "bom-ref": "58-markdown-it-py", "name": "markdown-it-py", "version": "3.0.0", "supplier": { @@ -1898,7 +1923,7 @@ }, { "type": "library", - "bom-ref": "58-mdurl", + "bom-ref": "59-mdurl", "name": "mdurl", "version": "0.1.2", "supplier": { @@ -1922,7 +1947,7 @@ }, { "type": "library", - "bom-ref": "59-pygments", + "bom-ref": "60-pygments", "name": "pygments", "version": "2.16.1", "supplier": { @@ -1954,7 +1979,7 @@ }, { "type": "library", - "bom-ref": "60-rpmfile", + "bom-ref": "61-rpmfile", "name": "rpmfile", "version": "1.1.1", "supplier": { 
@@ -1986,7 +2011,7 @@ }, { "type": "library", - "bom-ref": "61-toml", + "bom-ref": "62-toml", "name": "toml", "version": "0.10.2", "supplier": { @@ -2018,9 +2043,9 @@ }, { "type": "library", - "bom-ref": "62-xmlschema", + "bom-ref": "63-xmlschema", "name": "xmlschema", - "version": "2.4.0", + "version": "2.5.0", "supplier": { "name": "Davide Brunato", "contact": [ @@ -2029,7 +2054,7 @@ } ] }, - "cpe": "cpe:2.3:a:davide_brunato:xmlschema:2.4.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:davide_brunato:xmlschema:2.5.0:*:*:*:*:*:*:*", "description": "An XML Schema validator and decoder", "licenses": [ { @@ -2041,16 +2066,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/xmlschema/2.4.0", + "url": "https://pypi.org/project/xmlschema/2.5.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/xmlschema@2.4.0" + "purl": "pkg:pypi/xmlschema@2.5.0" }, { "type": "library", - "bom-ref": "63-elementpath", + "bom-ref": "64-elementpath", "name": "elementpath", "version": "4.1.5", "supplier": { @@ -2082,7 +2107,7 @@ }, { "type": "library", - "bom-ref": "64-zstandard", + "bom-ref": "65-zstandard", "name": "zstandard", "version": "0.21.0", "supplier": { @@ -2120,12 +2145,6 @@ } ], "dependencies": [ - { - "ref": "CDXRef-DOCUMENT", - "dependsOn": [ - "1-cve-bin-tool" - ] - }, { "ref": "1-cve-bin-tool", "dependsOn": [ @@ -2135,20 +2154,21 @@ "14-defusedxml", "15-distro", "16-gsutil", - "41-jinja2", - "43-jsonschema", - "47-lib4sbom", + "40-jinja2", + "42-jsonschema", + "46-lib4sbom", + "49-packageurl-python", "50-packaging", "51-plotly", "53-python-gnupg", - "48-pyyaml", + "47-pyyaml", "54-requests", - "56-rich", - "60-rpmfile", - "61-toml", - "39-urllib3", - "62-xmlschema", - "64-zstandard" + "57-rich", + "61-rpmfile", + "62-toml", + "56-urllib3", + "63-xmlschema", + "65-zstandard" ] }, { 
@@ -2193,7 +2213,7 @@ "37-google-auth", "22-google-reauth", "25-httplib2", - "40-monotonic", + "39-monotonic", "31-pyopenssl", "35-retry-decorator", "24-six" @@ -2284,44 +2304,43 @@ "dependsOn": [ "38-cachetools", "29-pyasn1-modules", - "30-rsa", - "24-six", - "39-urllib3" + "30-rsa" ] }, { - "ref": "41-jinja2", + "ref": "40-jinja2", "dependsOn": [ - "42-markupsafe" + "41-markupsafe" ] }, { - "ref": "43-jsonschema", + "ref": "42-jsonschema", "dependsOn": [ "6-attrs", - "44-jsonschema-specifications", - "45-referencing", - "46-rpds-py" + "43-jsonschema-specifications", + "44-referencing", + "45-rpds-py" ] }, { - "ref": "44-jsonschema-specifications", + "ref": "43-jsonschema-specifications", "dependsOn": [ - "45-referencing" + "44-referencing" ] }, { - "ref": "45-referencing", + "ref": "44-referencing", "dependsOn": [ "6-attrs", - "46-rpds-py" + "45-rpds-py" ] }, { - "ref": "47-lib4sbom", + "ref": "46-lib4sbom", "dependsOn": [ - "48-pyyaml", - "49-semantic-version" + "14-defusedxml", + "47-pyyaml", + "48-semantic-version" ] }, { @@ -2343,26 +2362,26 @@ "55-certifi", "7-charset-normalizer", "10-idna", - "39-urllib3" + "56-urllib3" ] }, { - "ref": "56-rich", + "ref": "57-rich", "dependsOn": [ - "57-markdown-it-py", - "59-pygments" + "58-markdown-it-py", + "60-pygments" ] }, { - "ref": "57-markdown-it-py", + "ref": "58-markdown-it-py", "dependsOn": [ - "58-mdurl" + "59-mdurl" ] }, { - "ref": "62-xmlschema", + "ref": "63-xmlschema", "dependsOn": [ - "63-elementpath" + "64-elementpath" ] } ] diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx index 3adf7af277..bb72066385 100644 --- a/sbom/cve-bin-tool-py3.11.spdx +++ b/sbom/cve-bin-tool-py3.11.spdx 
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-bcd56c00-be42-440a-a897-e5280804ea21 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-1630fc55-0869-4565-9fcd-5a9c2c3c3614 LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-08-21T00:23:05Z +Created: 2023-10-16T00:24:59Z CreatorComment: This document has been automatically generated. ##### @@ -26,24 +26,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.2.2.dev0:*:*: PackageName: aiohttp SPDXID: SPDXRef-Package-2-aiohttp -PackageVersion: 3.8.5 +PackageVersion: 3.8.6 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION -PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.5 +PackageSupplier: Organization: NOASSERTION +PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.6 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Async http client/server framework (asyncio) -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.5 +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.6 ##### PackageName: aiosignal SPDXID: SPDXRef-Package-3-aiosignal PackageVersion: 1.3.1 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION 
@@ -57,7 +57,7 @@ PackageName: frozenlist SPDXID: SPDXRef-Package-4-frozenlist PackageVersion: 1.4.0 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION @@ -101,17 +101,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:23.1.0:*:*:*:*:* PackageName: charset-normalizer SPDXID: SPDXRef-Package-7-charset-normalizer -PackageVersion: 3.2.0 +PackageVersion: 3.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Ahmed TAHRI (ahmed.tahri@cloudnursery.dev) -PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.2.0 +PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.3.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:* ##### PackageName: multidict 
@@ -177,17 +177,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:leonard_richardson:beautifulsoup4:4.12 PackageName: soupsieve SPDXID: SPDXRef-Package-12-soupsieve -PackageVersion: 2.4.1 +PackageVersion: 2.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Isaac Muse (use@gmail.com) -PackageDownloadLocation: https://pypi.org/project/soupsieve/2.4.1 +PackageDownloadLocation: https://pypi.org/project/soupsieve/2.5 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: A modern CSS selector implementation for Beautiful Soup. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.4.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.4.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.5 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:* ##### PackageName: cvss 
@@ -240,34 +240,34 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:* PackageName: gsutil SPDXID: SPDXRef-Package-16-gsutil -PackageVersion: 5.25 +PackageVersion: 5.26 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com) -PackageDownloadLocation: https://pypi.org/project/gsutil/5.25 +PackageDownloadLocation: https://pypi.org/project/gsutil/5.26 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A command line tool for interacting with cloud storage services. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.25 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.25:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:* ##### PackageName: argcomplete SPDXID: SPDXRef-Package-17-argcomplete -PackageVersion: 3.1.1 +PackageVersion: 3.1.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com) -PackageDownloadLocation: https://pypi.org/project/argcomplete/3.1.1 +PackageDownloadLocation: https://pypi.org/project/argcomplete/3.1.2 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression. 
PackageCopyrightText: NOASSERTION PackageSummary: Bash tab completion for argparse -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.1.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.1.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.2:*:*:*:*:*:*:* ##### PackageName: crcmod @@ -287,18 +287,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ray_buvel:crcmod:1.7:*:*:*:*:*:*:* PackageName: fasteners SPDXID: SPDXRef-Package-19-fasteners -PackageVersion: 0.18 +PackageVersion: 0.19 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Joshua Harlow -PackageDownloadLocation: https://pypi.org/project/fasteners/0.18 +PackageDownloadLocation: https://pypi.org/project/fasteners/0.19 FilesAnalyzed: false -PackageLicenseDeclared: NOASSERTION +PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 -PackageLicenseComments: fasteners declares ASL 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A python package that provides useful locks -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/fasteners@0.18 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:joshua_harlow:fasteners:0.18:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/fasteners@0.19 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:joshua_harlow:fasteners:0.19:*:*:*:*:*:*:* ##### PackageName: gcs-oauth2-boto-plugin 
@@ -490,32 +489,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23. PackageName: cryptography SPDXID: SPDXRef-Package-32-cryptography -PackageVersion: 41.0.3 +PackageVersion: 41.0.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.3 +PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause PackageCopyrightText: NOASSERTION PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:* ##### PackageName: cffi SPDXID: SPDXRef-Package-33-cffi -PackageVersion: 1.15.1 +PackageVersion: 1.16.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Armin Maciej Fijalkowski (python-cffi@googlegroups.com) -PackageDownloadLocation: https://pypi.org/project/cffi/1.15.1 +PackageDownloadLocation: https://pypi.org/project/cffi/1.16.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Foreign Function Interface for Python calling C code. 
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cffi@1.15.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.15.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cffi@1.16.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:* ##### PackageName: pycparser @@ -567,18 +566,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:craig_citro:google-apitools:0.5.32:*:* PackageName: google-auth SPDXID: SPDXRef-Package-37-google-auth -PackageVersion: 2.22.0 +PackageVersion: 2.23.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Google Cloud Platform (googleapis-packages@google.com) -PackageDownloadLocation: https://pypi.org/project/google-auth/2.22.0 +PackageDownloadLocation: https://pypi.org/project/google-auth/2.23.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: google-auth declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Google Authentication Library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth@2.22.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.22.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth@2.23.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23.3:*:*:*:*:*:*:* ##### PackageName: cachetools 
@@ -596,23 +595,8 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1 ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:* ##### -PackageName: urllib3 -SPDXID: SPDXRef-Package-39-urllib3 -PackageVersion: 1.26.16 -PrimaryPackagePurpose: LIBRARY -PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net) -PackageDownloadLocation: https://pypi.org/project/urllib3/1.26.16 -FilesAnalyzed: false -PackageLicenseDeclared: MIT -PackageLicenseConcluded: MIT -PackageCopyrightText: NOASSERTION -PackageSummary: HTTP library with thread-safe connection pooling, file post, and more. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@1.26.16 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:1.26.16:*:*:*:*:*:*:* -##### - PackageName: monotonic -SPDXID: SPDXRef-Package-40-monotonic +SPDXID: SPDXRef-Package-39-monotonic PackageVersion: 1.6 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Ori Livneh (ori@wikimedia.org) @@ -628,7 +612,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ori_livneh:monotonic:1.6:*:*:*:*:*:*:* ##### PackageName: jinja2 -SPDXID: SPDXRef-Package-41-jinja2 +SPDXID: SPDXRef-Package-40-jinja2 PackageVersion: 3.1.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com) @@ -643,10 +627,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.1.2:*:*:*:*:*: ##### PackageName: markupsafe -SPDXID: SPDXRef-Package-42-markupsafe +SPDXID: SPDXRef-Package-41-markupsafe PackageVersion: 2.1.3 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3 FilesAnalyzed: false PackageLicenseDeclared: BSD-3-Clause 
@@ -657,22 +641,22 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.3 ##### PackageName: jsonschema -SPDXID: SPDXRef-Package-43-jsonschema -PackageVersion: 4.19.0 +SPDXID: SPDXRef-Package-42-jsonschema +PackageVersion: 4.19.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.0 +PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.1 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An implementation of JSON Schema validation for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.1:*:*:*:*:*:*:* ##### PackageName: jsonschema-specifications -SPDXID: SPDXRef-Package-44-jsonschema-specifications +SPDXID: SPDXRef-Package-43-jsonschema-specifications PackageVersion: 2023.7.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman @@ -687,7 +671,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema-specification ##### PackageName: referencing -SPDXID: SPDXRef-Package-45-referencing +SPDXID: SPDXRef-Package-44-referencing PackageVersion: 0.30.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman 
@@ -702,37 +686,37 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.30.2:*:*:* ##### PackageName: rpds-py -SPDXID: SPDXRef-Package-46-rpds-py -PackageVersion: 0.9.2 +SPDXID: SPDXRef-Package-45-rpds-py +PackageVersion: 0.10.6 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.9.2 +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.6 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.9.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.6 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.6:*:*:*:*:*:*:* ##### PackageName: lib4sbom -SPDXID: SPDXRef-Package-47-lib4sbom -PackageVersion: 0.4.3 +SPDXID: SPDXRef-Package-46-lib4sbom +PackageVersion: 0.5.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.1 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:* ##### PackageName: pyyaml -SPDXID: SPDXRef-Package-48-pyyaml +SPDXID: SPDXRef-Package-47-pyyaml PackageVersion: 6.0.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kirill 
Simonov (xi@resolvent.net) @@ -747,7 +731,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.1:*:*:*:*:*: ##### PackageName: semantic-version -SPDXID: SPDXRef-Package-49-semantic-version +SPDXID: SPDXRef-Package-48-semantic-version PackageVersion: 2.10.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Raphael Barrois (raphael.barrois+semver@polytechnique.org) @@ -762,6 +746,21 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/semantic-version@2.10.0 ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10.0:*:*:*:*:*:*:* ##### +PackageName: packageurl-python +SPDXID: SPDXRef-Package-49-packageurl-python +PackageVersion: 0.11.2 +PrimaryPackagePurpose: LIBRARY +PackageSupplier: Person: the purl authors +PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.11.2 +FilesAnalyzed: false +PackageLicenseDeclared: MIT +PackageLicenseConcluded: MIT +PackageCopyrightText: NOASSERTION +PackageSummary: A purl aka. Package URL parser and builder +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.11.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.11.2:*:*:*:*:*:*:* +##### + PackageName: packaging SPDXID: SPDXRef-Package-50-packaging PackageVersion: 21.3 
@@ -780,17 +779,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut PackageName: plotly SPDXID: SPDXRef-Package-51-plotly -PackageVersion: 5.16.1 +PackageVersion: 5.17.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.16.1 +PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.16.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:* ##### PackageName: tenacity 
@@ -856,23 +855,38 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/certifi@2023.7.22 ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*:*:*:*:* ##### +PackageName: urllib3 +SPDXID: SPDXRef-Package-56-urllib3 +PackageVersion: 2.0.6 +PrimaryPackagePurpose: LIBRARY +PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net) +PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6 +FilesAnalyzed: false +PackageLicenseDeclared: NOASSERTION +PackageLicenseConcluded: NOASSERTION +PackageCopyrightText: NOASSERTION +PackageSummary: HTTP library with thread-safe connection pooling, file post, and more. +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:* +##### + PackageName: rich -SPDXID: SPDXRef-Package-56-rich -PackageVersion: 13.5.2 +SPDXID: SPDXRef-Package-57-rich +PackageVersion: 13.6.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.5.2 +PackageDownloadLocation: https://pypi.org/project/rich/13.6.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@13.5.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.5.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@13.6.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.6.0:*:*:*:*:*:*:* ##### PackageName: markdown-it-py -SPDXID: SPDXRef-Package-57-markdown-it-py +SPDXID: SPDXRef-Package-58-markdown-it-py PackageVersion: 3.0.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris Sewell (chrisj_sewell@hotmail.com) 
@@ -887,7 +901,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_sewell:markdown-it-py:3.0.0:*:*: ##### PackageName: mdurl -SPDXID: SPDXRef-Package-58-mdurl +SPDXID: SPDXRef-Package-59-mdurl PackageVersion: 0.1.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Taneli Hukkinen (hukkin@users.noreply.github.com) @@ -902,7 +916,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:taneli_hukkinen:mdurl:0.1.2:*:*:*:*:*: ##### PackageName: pygments -SPDXID: SPDXRef-Package-59-pygments +SPDXID: SPDXRef-Package-60-pygments PackageVersion: 2.16.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Georg Brandl (georg@python.org) @@ -917,7 +931,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.16.1:*:*:*:*:* ##### PackageName: rpmfile -SPDXID: SPDXRef-Package-60-rpmfile +SPDXID: SPDXRef-Package-61-rpmfile PackageVersion: 1.1.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Sean Ross (srossross@gmail.com) @@ -932,7 +946,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:1.1.1:*:*:*:*:*:*:* ##### PackageName: toml -SPDXID: SPDXRef-Package-61-toml +SPDXID: SPDXRef-Package-62-toml PackageVersion: 0.10.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: William Pearson (uiri@xqz.ca) 
@@ -947,22 +961,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:william_pearson:toml:0.10.2:*:*:*:*:*: ##### PackageName: xmlschema -SPDXID: SPDXRef-Package-62-xmlschema -PackageVersion: 2.4.0 +SPDXID: SPDXRef-Package-63-xmlschema +PackageVersion: 2.5.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) -PackageDownloadLocation: https://pypi.org/project/xmlschema/2.4.0 +PackageDownloadLocation: https://pypi.org/project/xmlschema/2.5.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An XML Schema validator and decoder -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@2.4.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:2.4.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@2.5.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:2.5.0:*:*:*:*:*:*:* ##### PackageName: elementpath -SPDXID: SPDXRef-Package-63-elementpath +SPDXID: SPDXRef-Package-64-elementpath PackageVersion: 4.1.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) @@ -977,7 +991,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.1.5:*:*:* ##### PackageName: zstandard -SPDXID: SPDXRef-Package-64-zstandard +SPDXID: SPDXRef-Package-65-zstandard PackageVersion: 0.21.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Gregory Szorc (gregory.szorc@gmail.com) 
@@ -992,27 +1006,27 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.21.0 ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:* ##### -Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-11-beautifulsoup4 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-13-cvss Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-14-defusedxml Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-15-distro Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-16-gsutil Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-2-aiohttp -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-39-urllib3 -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-41-jinja2 -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-43-jsonschema -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-47-lib4sbom -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-48-pyyaml +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-40-jinja2 +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-42-jsonschema +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-46-lib4sbom +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-47-pyyaml +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-49-packageurl-python Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-50-packaging Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-51-plotly Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-53-python-gnupg Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-54-requests -Relationship: SPDXRef-Package-1-cve-bin-tool 
DEPENDS_ON SPDXRef-Package-56-rich -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-60-rpmfile -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-61-toml -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-62-xmlschema -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-64-zstandard +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-56-urllib3 +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-57-rich +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-61-rpmfile +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-62-toml +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-63-xmlschema +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-65-zstandard Relationship: SPDXRef-Package-11-beautifulsoup4 DEPENDS_ON SPDXRef-Package-12-soupsieve Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-17-argcomplete Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-18-crcmod @@ -1025,7 +1039,7 @@ Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-31-pyopenssl Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-35-retry-decorator Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-36-google-apitools Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-37-google-auth -Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-40-monotonic +Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-39-monotonic Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-3-aiosignal Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-4-frozenlist Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-5-async-timeout 
@@ -1059,31 +1073,31 @@ Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-19-f Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-24-six Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-25-httplib2 Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-27-oauth2client -Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-24-six Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-29-pyasn1-modules Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-30-rsa Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-38-cachetools -Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-39-urllib3 -Relationship: SPDXRef-Package-41-jinja2 DEPENDS_ON SPDXRef-Package-42-markupsafe -Relationship: SPDXRef-Package-43-jsonschema DEPENDS_ON SPDXRef-Package-44-jsonschema-specifications -Relationship: SPDXRef-Package-43-jsonschema DEPENDS_ON SPDXRef-Package-45-referencing -Relationship: SPDXRef-Package-43-jsonschema DEPENDS_ON SPDXRef-Package-46-rpds-py -Relationship: SPDXRef-Package-43-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs -Relationship: SPDXRef-Package-44-jsonschema-specifications DEPENDS_ON SPDXRef-Package-45-referencing -Relationship: SPDXRef-Package-45-referencing DEPENDS_ON SPDXRef-Package-46-rpds-py -Relationship: SPDXRef-Package-45-referencing DEPENDS_ON SPDXRef-Package-6-attrs -Relationship: SPDXRef-Package-47-lib4sbom DEPENDS_ON SPDXRef-Package-48-pyyaml -Relationship: SPDXRef-Package-47-lib4sbom DEPENDS_ON SPDXRef-Package-49-semantic-version +Relationship: SPDXRef-Package-40-jinja2 DEPENDS_ON SPDXRef-Package-41-markupsafe +Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON SPDXRef-Package-43-jsonschema-specifications +Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON SPDXRef-Package-44-referencing +Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON 
SPDXRef-Package-45-rpds-py +Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs +Relationship: SPDXRef-Package-43-jsonschema-specifications DEPENDS_ON SPDXRef-Package-44-referencing +Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-45-rpds-py +Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-6-attrs +Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-14-defusedxml +Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-47-pyyaml +Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-48-semantic-version Relationship: SPDXRef-Package-50-packaging DEPENDS_ON SPDXRef-Package-26-pyparsing Relationship: SPDXRef-Package-51-plotly DEPENDS_ON SPDXRef-Package-50-packaging Relationship: SPDXRef-Package-51-plotly DEPENDS_ON SPDXRef-Package-52-tenacity Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-10-idna -Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-39-urllib3 Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-55-certifi +Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-56-urllib3 Relationship: SPDXRef-Package-54-requests DEPENDS_ON SPDXRef-Package-7-charset-normalizer -Relationship: SPDXRef-Package-56-rich DEPENDS_ON SPDXRef-Package-57-markdown-it-py -Relationship: SPDXRef-Package-56-rich DEPENDS_ON SPDXRef-Package-59-pygments -Relationship: SPDXRef-Package-57-markdown-it-py DEPENDS_ON SPDXRef-Package-58-mdurl -Relationship: SPDXRef-Package-62-xmlschema DEPENDS_ON SPDXRef-Package-63-elementpath +Relationship: SPDXRef-Package-57-rich DEPENDS_ON SPDXRef-Package-58-markdown-it-py +Relationship: SPDXRef-Package-57-rich DEPENDS_ON SPDXRef-Package-60-pygments +Relationship: SPDXRef-Package-58-markdown-it-py DEPENDS_ON SPDXRef-Package-59-mdurl +Relationship: SPDXRef-Package-63-xmlschema DEPENDS_ON SPDXRef-Package-64-elementpath Relationship: SPDXRef-Package-9-yarl DEPENDS_ON 
SPDXRef-Package-10-idna Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-8-multidict +Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool diff --git a/sbom/cve-bin-tool-py3.8.json b/sbom/cve-bin-tool-py3.8.json index c0c754a1a3..b2bbad7108 100644 --- a/sbom/cve-bin-tool-py3.8.json +++ b/sbom/cve-bin-tool-py3.8.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:7e796cf0-1893-469d-9ab0-aed8324e772a", + "serialNumber": "urn:uuid:5c8e6736-a96f-4572-a16a-14efc5051995", "version": 1, "metadata": { - "timestamp": "2023-08-21T00:24:57Z", + "timestamp": "2023-10-16T00:26:54Z", "tools": { "components": [ { @@ -58,7 +58,11 @@ "type": "library", "bom-ref": "2-aiohttp", "name": "aiohttp", - "version": "3.8.5", + "version": "3.8.6", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6", "description": "Async http client/server framework (asyncio)", "licenses": [ { @@ -70,12 +74,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/aiohttp/3.8.5", + "url": "https://pypi.org/project/aiohttp/3.8.6", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/aiohttp@3.8.5", + "purl": "pkg:pypi/aiohttp@3.8.6", "properties": [ { "name": "License Comments", @@ -88,6 +92,10 @@ "bom-ref": "3-aiosignal", "name": "aiosignal", "version": "1.3.1", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1", "licenses": [ { "license": { @@ -116,6 +124,10 @@ "bom-ref": "4-frozenlist", "name": "frozenlist", "version": "1.4.0", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0", "description": "A list-like structure which implements collections.abc.MutableSequence", "licenses": [ { 
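Review bot: The added `Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool` references an SPDXID that no package in this document declares, and the document-level `SPDXRef-DOCUMENT DESCRIBES` line it replaces is gone, so the SBOM no longer states which package it describes and the dangling reference will fail SPDX validation. This looks like a generator regression (lib4sbom moves from 0.4.3 to 0.5.1 in the same diff) rather than an intended edit. The line should read `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool`, and regenerated SBOMs should be passed through an SPDX validator before they are committed so this kind of breakage is caught at review time.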
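Review bot: The new `"cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6"` (and the same pattern for aiosignal, frozenlist and markupsafe later in this file) uses the CPE 2.2 URI form with the literal vendor `NOASSERTION`, while every other component carries a `cpe:2.3:` formatted string. A CPE whose vendor is NOASSERTION is not going to match any NVD product entry, so a scanner consuming this SBOM will quietly skip those four components; omitting the `cpe` field when the supplier is unknown is more honest than emitting one that cannot match, and keeps the document to a single CPE format. The accompanying `"supplier": { "name": "NOASSERTION" }` object has the same problem: it asserts a supplier named NOASSERTION instead of leaving the field absent.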
@@ -206,7 +218,7 @@ "type": "library", "bom-ref": "7-charset-normalizer", "name": "charset-normalizer", - "version": "3.2.0", + "version": "3.3.0", "supplier": { "name": "Ahmed TAHRI", "contact": [ @@ -215,7 +227,7 @@ } ] }, - "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:*", "description": "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.", "licenses": [ { @@ -227,12 +239,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/charset-normalizer/3.2.0", + "url": "https://pypi.org/project/charset-normalizer/3.3.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/charset-normalizer@3.2.0" + "purl": "pkg:pypi/charset-normalizer@3.3.0" }, { "type": "library", @@ -356,7 +368,7 @@ "type": "library", "bom-ref": "12-soupsieve", "name": "soupsieve", - "version": "2.4.1", + "version": "2.5", "supplier": { "name": "Isaac Muse", "contact": [ @@ -365,16 +377,16 @@ } ] }, - "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.4.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:*", "description": "A modern CSS selector implementation for Beautiful Soup.", "externalReferences": [ { - "url": "https://pypi.org/project/soupsieve/2.4.1", + "url": "https://pypi.org/project/soupsieve/2.5", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/soupsieve@2.4.1" + "purl": "pkg:pypi/soupsieve@2.5" }, { "type": "library", 
@@ -494,16 +506,16 @@ "type": "library", "bom-ref": "16-gsutil", "name": "gsutil", - "version": "5.25", + "version": "5.26", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "buganizer-system+187143@google.com" } ] }, - "cpe": "cpe:2.3:a:google_inc.:gsutil:5.25:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*", "description": "A command line tool for interacting with cloud storage services.", "licenses": [ { @@ -515,12 +527,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/gsutil/5.25", + "url": "https://pypi.org/project/gsutil/5.26", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/gsutil@5.25", + "purl": "pkg:pypi/gsutil@5.26", "properties": [ { "name": "License Comments", @@ -532,7 +544,7 @@ "type": "library", "bom-ref": "17-argcomplete", "name": "argcomplete", - "version": "3.1.1", + "version": "3.1.2", "supplier": { "name": "Andrey Kislyuk", "contact": [ @@ -541,7 +553,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.2:*:*:*:*:*:*:*", "description": "Bash tab completion for argparse", "licenses": [ { @@ -553,12 +565,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/argcomplete/3.1.1", + "url": "https://pypi.org/project/argcomplete/3.1.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/argcomplete@3.1.1", + "purl": "pkg:pypi/argcomplete@3.1.2", "properties": [ { "name": "License Comments", @@ -602,11 +614,11 @@ "type": "library", "bom-ref": "19-fasteners", "name": "fasteners", - "version": "0.18", + "version": "0.19", "supplier": { "name": "Joshua Harlow" }, - "cpe": "cpe:2.3:a:joshua_harlow:fasteners:0.18:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:joshua_harlow:fasteners:0.19:*:*:*:*:*:*:*", "description": "A python package that provides useful locks", "licenses": [ { 
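Review bot: The supplier name changes from `"Google Inc."` to `"Google Inc ."` with a space inserted before the period, while the `cpe` on the new side is still built from `google_inc.`, so the supplier and the CPE vendor now disagree within one component. The same artefact appears for gcs-oauth2-boto-plugin, pyu2f, oauth2client and `"Sybren A . Stuvel"` in the following hunks, and for `"Jason R . Coombs"` in the importlib-metadata and zipp entries; it looks like a tokenisation change in the generator that splits a trailing period into its own token and rejoins with spaces. The value should remain `"name": "Google Inc.",` and this is worth fixing in the generator rather than by hand, since the file is regenerated on every run.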
@@ -618,18 +630,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/fasteners/0.18", + "url": "https://pypi.org/project/fasteners/0.19", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/fasteners@0.18", - "properties": [ - { - "name": "License Comments", - "value": "fasteners declares ASL 2.0 which is not currently a valid SPDX License identifier or expression." - } - ] + "purl": "pkg:pypi/fasteners@0.19" }, { "type": "library", @@ -637,7 +643,7 @@ "name": "gcs-oauth2-boto-plugin", "version": "3.0", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "gs-team@google.com" @@ -745,7 +751,7 @@ "name": "pyu2f", "version": "0.1.5", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "pyu2f-team@google.com" @@ -871,7 +877,7 @@ "name": "oauth2client", "version": "4.1.3", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "jonwayne+oauth2client@google.com" @@ -979,7 +985,7 @@ "name": "rsa", "version": "4.7.2", "supplier": { - "name": "Sybren A. Stuvel", + "name": "Sybren A . Stuvel", "contact": [ { "email": "sybren@stuvel.eu" @@ -1053,7 +1059,7 @@ "type": "library", "bom-ref": "32-cryptography", "name": "cryptography", - "version": "41.0.3", + "version": "41.0.4", "supplier": { "name": "The Python Cryptographic Authority and individual contributors", "contact": [ 
@@ -1062,29 +1068,27 @@ } ] }, - "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*", "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.", "licenses": [ { - "license": { - "expression": "Apache-2.0 OR BSD-3-Clause" - } + "expression": "Apache-2.0 OR BSD-3-Clause" } ], "externalReferences": [ { - "url": "https://pypi.org/project/cryptography/41.0.3", + "url": "https://pypi.org/project/cryptography/41.0.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cryptography@41.0.3" + "purl": "pkg:pypi/cryptography@41.0.4" }, { "type": "library", "bom-ref": "33-cffi", "name": "cffi", - "version": "1.15.1", + "version": "1.16.0", "supplier": { "name": "Armin Maciej Fijalkowski", "contact": [ @@ -1093,7 +1097,7 @@ } ] }, - "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.15.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:*", "description": "Foreign Function Interface for Python calling C code.", "licenses": [ { @@ -1105,12 +1109,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cffi/1.15.1", + "url": "https://pypi.org/project/cffi/1.16.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cffi@1.15.1" + "purl": "pkg:pypi/cffi@1.16.0" }, { "type": "library", @@ -1224,7 +1228,7 @@ "type": "library", "bom-ref": "37-google-auth", "name": "google-auth", - "version": "2.22.0", + "version": "2.23.3", "supplier": { "name": "Google Cloud Platform", "contact": [ 
@@ -1233,7 +1237,7 @@ } ] }, - "cpe": "cpe:2.3:a:google_cloud_platform:google-auth:2.22.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_cloud_platform:google-auth:2.23.3:*:*:*:*:*:*:*", "description": "Google Authentication Library", "licenses": [ { @@ -1245,12 +1249,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/google-auth/2.22.0", + "url": "https://pypi.org/project/google-auth/2.23.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/google-auth@2.22.0", + "purl": "pkg:pypi/google-auth@2.23.3", "properties": [ { "name": "License Comments", @@ -1292,39 +1296,7 @@ }, { "type": "library", - "bom-ref": "39-urllib3", - "name": "urllib3", - "version": "1.26.16", - "supplier": { - "name": "Andrey Petrov", - "contact": [ - { - "email": "andrey.petrov@shazow.net" - } - ] - }, - "cpe": "cpe:2.3:a:andrey_petrov:urllib3:1.26.16:*:*:*:*:*:*:*", - "description": "HTTP library with thread-safe connection pooling, file post, and more.", - "licenses": [ - { - "license": { - "id": "MIT", - "url": "https://opensource.org/licenses/MIT" - } - } - ], - "externalReferences": [ - { - "url": "https://pypi.org/project/urllib3/1.26.16", - "type": "distribution", - "comment": "Download location for component" - } - ], - "purl": "pkg:pypi/urllib3@1.26.16" - }, - { - "type": "library", - "bom-ref": "40-monotonic", + "bom-ref": "39-monotonic", "name": "monotonic", "version": "1.6", "supplier": { @@ -1362,11 +1334,11 @@ }, { "type": "library", - "bom-ref": "41-importlib-metadata", + "bom-ref": "40-importlib-metadata", "name": "importlib-metadata", "version": "6.8.0", "supplier": { - "name": "Jason R. Coombs", + "name": "Jason R . Coombs", "contact": [ { "email": "jaraco@jaraco.com" 
@@ -1386,33 +1358,33 @@ }, { "type": "library", - "bom-ref": "42-zipp", + "bom-ref": "41-zipp", "name": "zipp", - "version": "3.16.2", + "version": "3.17.0", "supplier": { - "name": "Jason R. Coombs", + "name": "Jason R . Coombs", "contact": [ { "email": "jaraco@jaraco.com" } ] }, - "cpe": "cpe:2.3:a:jason_r._coombs:zipp:3.16.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r._coombs:zipp:3.17.0:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.16.2", + "url": "https://pypi.org/project/zipp/3.17.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.16.2" + "purl": "pkg:pypi/zipp@3.17.0" }, { "type": "library", - "bom-ref": "43-importlib-resources", + "bom-ref": "42-importlib-resources", "name": "importlib-resources", - "version": "6.0.1", + "version": "6.1.0", "supplier": { "name": "Barry Warsaw", "contact": [ @@ -1421,20 +1393,20 @@ } ] }, - "cpe": "cpe:2.3:a:barry_warsaw:importlib-resources:6.0.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:barry_warsaw:importlib-resources:6.1.0:*:*:*:*:*:*:*", "description": "Read resources from Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/importlib-resources/6.0.1", + "url": "https://pypi.org/project/importlib-resources/6.1.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/importlib-resources@6.0.1" + "purl": "pkg:pypi/importlib-resources@6.1.0" }, { "type": "library", - "bom-ref": "44-jinja2", + "bom-ref": "43-jinja2", "name": "jinja2", "version": "3.1.2", "supplier": { @@ -1466,9 +1438,13 @@ }, { "type": "library", - "bom-ref": "45-markupsafe", + "bom-ref": "44-markupsafe", "name": "markupsafe", "version": "2.1.3", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3", "description": "Safely add untrusted strings to HTML/XML markup.", "licenses": [ { 
@@ -1489,13 +1465,13 @@ }, { "type": "library", - "bom-ref": "46-jsonschema", + "bom-ref": "45-jsonschema", "name": "jsonschema", - "version": "4.19.0", + "version": "4.19.1", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.1:*:*:*:*:*:*:*", "description": "An implementation of JSON Schema validation for Python", "licenses": [ { @@ -1507,16 +1483,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/jsonschema/4.19.0", + "url": "https://pypi.org/project/jsonschema/4.19.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/jsonschema@4.19.0" + "purl": "pkg:pypi/jsonschema@4.19.1" }, { "type": "library", - "bom-ref": "47-jsonschema-specifications", + "bom-ref": "46-jsonschema-specifications", "name": "jsonschema-specifications", "version": "2023.7.1", "supplier": { @@ -1543,7 +1519,7 @@ }, { "type": "library", - "bom-ref": "48-referencing", + "bom-ref": "47-referencing", "name": "referencing", "version": "0.30.2", "supplier": { @@ -1570,13 +1546,13 @@ }, { "type": "library", - "bom-ref": "49-rpds-py", + "bom-ref": "48-rpds-py", "name": "rpds-py", - "version": "0.9.2", + "version": "0.10.6", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.6:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", "licenses": [ { 
@@ -1588,16 +1564,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rpds-py/0.9.2", + "url": "https://pypi.org/project/rpds-py/0.10.6", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.9.2" + "purl": "pkg:pypi/rpds-py@0.10.6" }, { "type": "library", - "bom-ref": "50-pkgutil-resolve-name", + "bom-ref": "49-pkgutil-resolve-name", "name": "pkgutil-resolve-name", "version": "1.3.10", "supplier": { @@ -1621,9 +1597,9 @@ }, { "type": "library", - "bom-ref": "51-lib4sbom", + "bom-ref": "50-lib4sbom", "name": "lib4sbom", - "version": "0.4.3", + "version": "0.5.1", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -1632,7 +1608,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { @@ -1644,16 +1620,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.4.3", + "url": "https://pypi.org/project/lib4sbom/0.5.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.4.3" + "purl": "pkg:pypi/lib4sbom@0.5.1" }, { "type": "library", - "bom-ref": "52-pyyaml", + "bom-ref": "51-pyyaml", "name": "pyyaml", "version": "6.0.1", "supplier": { @@ -1685,7 +1661,7 @@ }, { "type": "library", - "bom-ref": "53-semantic-version", + "bom-ref": "52-semantic-version", "name": "semantic-version", "version": "2.10.0", "supplier": { 
@@ -1721,6 +1697,33 @@ } ] }, + { + "type": "library", + "bom-ref": "53-packageurl-python", + "name": "packageurl-python", + "version": "0.11.2", + "supplier": { + "name": "the purl authors" + }, + "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.11.2:*:*:*:*:*:*:*", + "description": "A purl aka. Package URL parser and builder", + "licenses": [ + { + "license": { + "id": "MIT", + "url": "https://opensource.org/licenses/MIT" + } + } + ], + "externalReferences": [ + { + "url": "https://pypi.org/project/packageurl-python/0.11.2", + "type": "distribution", + "comment": "Download location for component" + } + ], + "purl": "pkg:pypi/packageurl-python@0.11.2" + }, { "type": "library", "bom-ref": "54-packaging", @@ -1738,9 +1741,7 @@ "description": "Core utilities for Python packages", "licenses": [ { - "license": { - "expression": "BSD-2-Clause OR Apache-2.0" - } + "expression": "BSD-2-Clause OR Apache-2.0" } ], "externalReferences": [ @@ -1762,7 +1763,7 @@ "type": "library", "bom-ref": "55-plotly", "name": "plotly", - "version": "5.16.1", + "version": "5.17.0", "supplier": { "name": "Chris P", "contact": [ @@ -1771,7 +1772,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -1783,12 +1784,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.16.1", + "url": "https://pypi.org/project/plotly/5.17.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.16.1" + "purl": "pkg:pypi/plotly@5.17.0" }, { "type": "library", 
@@ -1938,9 +1939,33 @@ }, { "type": "library", - "bom-ref": "60-rich", + "bom-ref": "60-urllib3", + "name": "urllib3", + "version": "2.0.6", + "supplier": { + "name": "Andrey Petrov", + "contact": [ + { + "email": "andrey.petrov@shazow.net" + } + ] + }, + "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*", + "description": "HTTP library with thread-safe connection pooling, file post, and more.", + "externalReferences": [ + { + "url": "https://pypi.org/project/urllib3/2.0.6", + "type": "distribution", + "comment": "Download location for component" + } + ], + "purl": "pkg:pypi/urllib3@2.0.6" + }, + { + "type": "library", + "bom-ref": "61-rich", "name": "rich", - "version": "13.5.2", + "version": "13.6.0", "supplier": { "name": "Will McGugan", "contact": [ @@ -1949,7 +1974,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.5.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.6.0:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { @@ -1961,16 +1986,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rich/13.5.2", + "url": "https://pypi.org/project/rich/13.6.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.5.2" + "purl": "pkg:pypi/rich@13.6.0" }, { "type": "library", - "bom-ref": "61-markdown-it-py", + "bom-ref": "62-markdown-it-py", "name": "markdown-it-py", "version": "3.0.0", "supplier": { @@ -1994,7 +2019,7 @@ }, { "type": "library", - "bom-ref": "62-mdurl", + "bom-ref": "63-mdurl", "name": "mdurl", "version": "0.1.2", "supplier": { @@ -2018,7 +2043,7 @@ }, { "type": "library", - "bom-ref": "63-pygments", + "bom-ref": "64-pygments", "name": "pygments", "version": "2.16.1", "supplier": { 
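Review bot: The re-added urllib3 entry (`60-urllib3`, 2.0.6) has no `licenses` array, whereas the 1.26.16 entry removed earlier in this file declared MIT, so license information has been lost for a direct dependency of the project. urllib3 2.x may declare its license only in pyproject metadata that the generator does not read, in which case this is a generator gap, but an SBOM that drops a license on a version bump is still a regression for anyone relying on it for compliance. The entry should carry `"licenses": [ { "license": { "id": "MIT", "url": "https://opensource.org/licenses/MIT" } } ]` like the other MIT components, and the generator's license lookup should be checked against packages that declare their license this way.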
@@ -2050,9 +2075,9 @@ }, { "type": "library", - "bom-ref": "64-typing-extensions", + "bom-ref": "65-typing-extensions", "name": "typing-extensions", - "version": "4.7.1", + "version": "4.8.0", "supplier": { "name": "Guido van Jukka ukasz Michael", "contact": [ @@ -2061,20 +2086,20 @@ } ] }, - "cpe": "cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.7.1:*:*:*:*:*:*:*", - "description": "Backported and Experimental Type Hints for Python 3.7+", + "cpe": "cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.8.0:*:*:*:*:*:*:*", + "description": "Backported and Experimental Type Hints for Python 3.8+", "externalReferences": [ { - "url": "https://pypi.org/project/typing_extensions/4.7.1", + "url": "https://pypi.org/project/typing_extensions/4.8.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/typing-extensions@4.7.1" + "purl": "pkg:pypi/typing-extensions@4.8.0" }, { "type": "library", - "bom-ref": "65-rpmfile", + "bom-ref": "66-rpmfile", "name": "rpmfile", "version": "1.1.1", "supplier": { @@ -2106,7 +2131,7 @@ }, { "type": "library", - "bom-ref": "66-toml", + "bom-ref": "67-toml", "name": "toml", "version": "0.10.2", "supplier": { @@ -2138,9 +2163,9 @@ }, { "type": "library", - "bom-ref": "67-xmlschema", + "bom-ref": "68-xmlschema", "name": "xmlschema", - "version": "2.4.0", + "version": "2.5.0", "supplier": { "name": "Davide Brunato", "contact": [ @@ -2149,7 +2174,7 @@ } ] }, - "cpe": "cpe:2.3:a:davide_brunato:xmlschema:2.4.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:davide_brunato:xmlschema:2.5.0:*:*:*:*:*:*:*", "description": "An XML Schema validator and decoder", "licenses": [ { 
@@ -2161,16 +2186,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/xmlschema/2.4.0", + "url": "https://pypi.org/project/xmlschema/2.5.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/xmlschema@2.4.0" + "purl": "pkg:pypi/xmlschema@2.5.0" }, { "type": "library", - "bom-ref": "68-elementpath", + "bom-ref": "69-elementpath", "name": "elementpath", "version": "4.1.5", "supplier": { @@ -2202,7 +2227,7 @@ }, { "type": "library", - "bom-ref": "69-zstandard", + "bom-ref": "70-zstandard", "name": "zstandard", "version": "0.21.0", "supplier": { @@ -2240,12 +2265,6 @@ } ], "dependencies": [ - { - "ref": "CDXRef-DOCUMENT", - "dependsOn": [ - "1-cve-bin-tool" - ] - }, { "ref": "1-cve-bin-tool", "dependsOn": [ @@ -2255,22 +2274,23 @@ "14-defusedxml", "15-distro", "16-gsutil", - "41-importlib-metadata", - "43-importlib-resources", - "44-jinja2", - "46-jsonschema", - "51-lib4sbom", + "40-importlib-metadata", + "42-importlib-resources", + "43-jinja2", + "45-jsonschema", + "50-lib4sbom", + "53-packageurl-python", "54-packaging", "55-plotly", "57-python-gnupg", - "52-pyyaml", + "51-pyyaml", "58-requests", - "60-rich", - "65-rpmfile", - "66-toml", - "39-urllib3", - "67-xmlschema", - "69-zstandard" + "61-rich", + "66-rpmfile", + "67-toml", + "60-urllib3", + "68-xmlschema", + "70-zstandard" ] }, { @@ -2315,7 +2335,7 @@ "37-google-auth", "22-google-reauth", "25-httplib2", - "40-monotonic", + "39-monotonic", "31-pyopenssl", "35-retry-decorator", "24-six" 
@@ -2406,59 +2426,58 @@ "dependsOn": [ "38-cachetools", "29-pyasn1-modules", - "30-rsa", - "24-six", - "39-urllib3" + "30-rsa" ] }, { - "ref": "41-importlib-metadata", + "ref": "40-importlib-metadata", "dependsOn": [ - "42-zipp" + "41-zipp" ] }, { - "ref": "43-importlib-resources", + "ref": "42-importlib-resources", "dependsOn": [ - "42-zipp" + "41-zipp" ] }, { - "ref": "44-jinja2", + "ref": "43-jinja2", "dependsOn": [ - "45-markupsafe" + "44-markupsafe" ] }, { - "ref": "46-jsonschema", + "ref": "45-jsonschema", "dependsOn": [ "6-attrs", - "43-importlib-resources", - "47-jsonschema-specifications", - "50-pkgutil-resolve-name", - "48-referencing", - "49-rpds-py" + "42-importlib-resources", + "46-jsonschema-specifications", + "49-pkgutil-resolve-name", + "47-referencing", + "48-rpds-py" ] }, { - "ref": "47-jsonschema-specifications", + "ref": "46-jsonschema-specifications", "dependsOn": [ - "43-importlib-resources", - "48-referencing" + "42-importlib-resources", + "47-referencing" ] }, { - "ref": "48-referencing", + "ref": "47-referencing", "dependsOn": [ "6-attrs", - "49-rpds-py" + "48-rpds-py" ] }, { - "ref": "51-lib4sbom", + "ref": "50-lib4sbom", "dependsOn": [ - "52-pyyaml", - "53-semantic-version" + "14-defusedxml", + "51-pyyaml", + "52-semantic-version" ] }, { @@ -2480,27 +2499,27 @@ "59-certifi", "7-charset-normalizer", "10-idna", - "39-urllib3" + "60-urllib3" ] }, { - "ref": "60-rich", + "ref": "61-rich", "dependsOn": [ - "61-markdown-it-py", - "63-pygments", - "64-typing-extensions" + "62-markdown-it-py", + "64-pygments", + "65-typing-extensions" ] }, { - "ref": "61-markdown-it-py", + "ref": "62-markdown-it-py", "dependsOn": [ - "62-mdurl" + "63-mdurl" ] }, { - "ref": "67-xmlschema", + "ref": "68-xmlschema", "dependsOn": [ - "68-elementpath" + "69-elementpath" ] } ] diff --git a/sbom/cve-bin-tool-py3.8.spdx b/sbom/cve-bin-tool-py3.8.spdx index ce10044836..733879de83 100644 --- a/sbom/cve-bin-tool-py3.8.spdx +++ b/sbom/cve-bin-tool-py3.8.spdx 
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-584a60f5-f0d9-462b-858c-0070d12cc6d5 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-4902c24e-90c5-48ae-83e2-c79044c03259 LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-08-21T00:23:23Z +Created: 2023-10-16T00:25:20Z CreatorComment: This document has been automatically generated. ##### @@ -26,24 +26,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.2.2.dev0:*:*: PackageName: aiohttp SPDXID: SPDXRef-Package-2-aiohttp -PackageVersion: 3.8.5 +PackageVersion: 3.8.6 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION -PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.5 +PackageSupplier: Organization: NOASSERTION +PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.6 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Async http client/server framework (asyncio) -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.5 +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.6 ##### PackageName: aiosignal SPDXID: SPDXRef-Package-3-aiosignal PackageVersion: 1.3.1 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION 
@@ -57,7 +57,7 @@ PackageName: frozenlist SPDXID: SPDXRef-Package-4-frozenlist PackageVersion: 1.4.0 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION @@ -101,17 +101,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:23.1.0:*:*:*:*:* PackageName: charset-normalizer SPDXID: SPDXRef-Package-7-charset-normalizer -PackageVersion: 3.2.0 +PackageVersion: 3.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Ahmed TAHRI (ahmed.tahri@cloudnursery.dev) -PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.2.0 +PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.3.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:* ##### PackageName: multidict 
@@ -177,17 +177,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:leonard_richardson:beautifulsoup4:4.12 PackageName: soupsieve SPDXID: SPDXRef-Package-12-soupsieve -PackageVersion: 2.4.1 +PackageVersion: 2.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Isaac Muse (use@gmail.com) -PackageDownloadLocation: https://pypi.org/project/soupsieve/2.4.1 +PackageDownloadLocation: https://pypi.org/project/soupsieve/2.5 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: A modern CSS selector implementation for Beautiful Soup. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.4.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.4.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.5 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:* ##### PackageName: cvss 
@@ -240,34 +240,34 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:* PackageName: gsutil SPDXID: SPDXRef-Package-16-gsutil -PackageVersion: 5.25 +PackageVersion: 5.26 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com) -PackageDownloadLocation: https://pypi.org/project/gsutil/5.25 +PackageDownloadLocation: https://pypi.org/project/gsutil/5.26 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A command line tool for interacting with cloud storage services. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.25 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.25:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:* ##### PackageName: argcomplete SPDXID: SPDXRef-Package-17-argcomplete -PackageVersion: 3.1.1 +PackageVersion: 3.1.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com) -PackageDownloadLocation: https://pypi.org/project/argcomplete/3.1.1 +PackageDownloadLocation: https://pypi.org/project/argcomplete/3.1.2 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression. 
PackageCopyrightText: NOASSERTION PackageSummary: Bash tab completion for argparse -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.1.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.1.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.2:*:*:*:*:*:*:* ##### PackageName: crcmod @@ -287,18 +287,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ray_buvel:crcmod:1.7:*:*:*:*:*:*:* PackageName: fasteners SPDXID: SPDXRef-Package-19-fasteners -PackageVersion: 0.18 +PackageVersion: 0.19 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Joshua Harlow -PackageDownloadLocation: https://pypi.org/project/fasteners/0.18 +PackageDownloadLocation: https://pypi.org/project/fasteners/0.19 FilesAnalyzed: false -PackageLicenseDeclared: NOASSERTION +PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 -PackageLicenseComments: fasteners declares ASL 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A python package that provides useful locks -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/fasteners@0.18 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:joshua_harlow:fasteners:0.18:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/fasteners@0.19 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:joshua_harlow:fasteners:0.19:*:*:*:*:*:*:* ##### PackageName: gcs-oauth2-boto-plugin 
@@ -490,32 +489,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23. PackageName: cryptography SPDXID: SPDXRef-Package-32-cryptography -PackageVersion: 41.0.3 +PackageVersion: 41.0.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.3 +PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause PackageCopyrightText: NOASSERTION PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:* ##### PackageName: cffi SPDXID: SPDXRef-Package-33-cffi -PackageVersion: 1.15.1 +PackageVersion: 1.16.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Armin Maciej Fijalkowski (python-cffi@googlegroups.com) -PackageDownloadLocation: https://pypi.org/project/cffi/1.15.1 +PackageDownloadLocation: https://pypi.org/project/cffi/1.16.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Foreign Function Interface for Python calling C code. 
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cffi@1.15.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.15.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cffi@1.16.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:* ##### PackageName: pycparser @@ -567,18 +566,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:craig_citro:google-apitools:0.5.32:*:* PackageName: google-auth SPDXID: SPDXRef-Package-37-google-auth -PackageVersion: 2.22.0 +PackageVersion: 2.23.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Google Cloud Platform (googleapis-packages@google.com) -PackageDownloadLocation: https://pypi.org/project/google-auth/2.22.0 +PackageDownloadLocation: https://pypi.org/project/google-auth/2.23.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: google-auth declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Google Authentication Library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth@2.22.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.22.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth@2.23.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23.3:*:*:*:*:*:*:* ##### PackageName: cachetools 
@@ -596,23 +595,8 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1 ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:* ##### -PackageName: urllib3 -SPDXID: SPDXRef-Package-39-urllib3 -PackageVersion: 1.26.16 -PrimaryPackagePurpose: LIBRARY -PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net) -PackageDownloadLocation: https://pypi.org/project/urllib3/1.26.16 -FilesAnalyzed: false -PackageLicenseDeclared: MIT -PackageLicenseConcluded: MIT -PackageCopyrightText: NOASSERTION -PackageSummary: HTTP library with thread-safe connection pooling, file post, and more. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@1.26.16 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:1.26.16:*:*:*:*:*:*:* -##### - PackageName: monotonic -SPDXID: SPDXRef-Package-40-monotonic +SPDXID: SPDXRef-Package-39-monotonic PackageVersion: 1.6 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Ori Livneh (ori@wikimedia.org) @@ -628,7 +612,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ori_livneh:monotonic:1.6:*:*:*:*:*:*:* ##### PackageName: importlib-metadata -SPDXID: SPDXRef-Package-41-importlib-metadata +SPDXID: SPDXRef-Package-40-importlib-metadata PackageVersion: 6.8.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. Coombs (jaraco@jaraco.com) 
@@ -643,37 +627,37 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r._coombs:importlib-metadata:6.8 ##### PackageName: zipp -SPDXID: SPDXRef-Package-42-zipp -PackageVersion: 3.16.2 +SPDXID: SPDXRef-Package-41-zipp +PackageVersion: 3.17.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. Coombs (jaraco@jaraco.com) -PackageDownloadLocation: https://pypi.org/project/zipp/3.16.2 +PackageDownloadLocation: https://pypi.org/project/zipp/3.17.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Backport of pathlib-compatible object wrapper for zip files -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zipp@3.16.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r._coombs:zipp:3.16.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zipp@3.17.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r._coombs:zipp:3.17.0:*:*:*:*:*:*:* ##### PackageName: importlib-resources -SPDXID: SPDXRef-Package-43-importlib-resources -PackageVersion: 6.0.1 +SPDXID: SPDXRef-Package-42-importlib-resources +PackageVersion: 6.1.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Barry Warsaw (barry@python.org) -PackageDownloadLocation: https://pypi.org/project/importlib-resources/6.0.1 +PackageDownloadLocation: https://pypi.org/project/importlib-resources/6.1.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Read resources from Python packages -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/importlib-resources@6.0.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:barry_warsaw:importlib-resources:6.0.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/importlib-resources@6.1.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:barry_warsaw:importlib-resources:6.1.0:*:*:*:*:*:*:* ##### PackageName: jinja2 -SPDXID: SPDXRef-Package-44-jinja2 +SPDXID: SPDXRef-Package-43-jinja2 PackageVersion: 
3.1.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com) @@ -688,10 +672,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.1.2:*:*:*:*:*: ##### PackageName: markupsafe -SPDXID: SPDXRef-Package-45-markupsafe +SPDXID: SPDXRef-Package-44-markupsafe PackageVersion: 2.1.3 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3 FilesAnalyzed: false PackageLicenseDeclared: BSD-3-Clause @@ -702,22 +686,22 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.3 ##### PackageName: jsonschema -SPDXID: SPDXRef-Package-46-jsonschema -PackageVersion: 4.19.0 +SPDXID: SPDXRef-Package-45-jsonschema +PackageVersion: 4.19.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.0 +PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.1 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An implementation of JSON Schema validation for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.1:*:*:*:*:*:*:* ##### PackageName: jsonschema-specifications -SPDXID: SPDXRef-Package-47-jsonschema-specifications +SPDXID: SPDXRef-Package-46-jsonschema-specifications PackageVersion: 2023.7.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman 
@@ -732,7 +716,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema-specification ##### PackageName: referencing -SPDXID: SPDXRef-Package-48-referencing +SPDXID: SPDXRef-Package-47-referencing PackageVersion: 0.30.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman @@ -747,22 +731,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.30.2:*:*:* ##### PackageName: rpds-py -SPDXID: SPDXRef-Package-49-rpds-py -PackageVersion: 0.9.2 +SPDXID: SPDXRef-Package-48-rpds-py +PackageVersion: 0.10.6 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/rpds-py/0.9.2 +PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.6 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Python bindings to Rust's persistent data structures (rpds) -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.9.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.6 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.6:*:*:*:*:*:*:* ##### PackageName: pkgutil-resolve-name -SPDXID: SPDXRef-Package-50-pkgutil-resolve-name +SPDXID: SPDXRef-Package-49-pkgutil-resolve-name PackageVersion: 1.3.10 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Vinay Sajip (vinay_sajip@yahoo.co.uk) 
@@ -777,22 +761,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:pkgutil-resolve-name:1.3.1 ##### PackageName: lib4sbom -SPDXID: SPDXRef-Package-51-lib4sbom -PackageVersion: 0.4.3 +SPDXID: SPDXRef-Package-50-lib4sbom +PackageVersion: 0.5.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.1 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:* ##### PackageName: pyyaml -SPDXID: SPDXRef-Package-52-pyyaml +SPDXID: SPDXRef-Package-51-pyyaml PackageVersion: 6.0.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kirill Simonov (xi@resolvent.net) @@ -807,7 +791,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.1:*:*:*:*:*: ##### PackageName: semantic-version -SPDXID: SPDXRef-Package-53-semantic-version +SPDXID: SPDXRef-Package-52-semantic-version PackageVersion: 2.10.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Raphael Barrois (raphael.barrois+semver@polytechnique.org) 
@@ -822,6 +806,21 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/semantic-version@2.10.0 ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10.0:*:*:*:*:*:*:* ##### +PackageName: packageurl-python +SPDXID: SPDXRef-Package-53-packageurl-python +PackageVersion: 0.11.2 +PrimaryPackagePurpose: LIBRARY +PackageSupplier: Person: the purl authors +PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.11.2 +FilesAnalyzed: false +PackageLicenseDeclared: MIT +PackageLicenseConcluded: MIT +PackageCopyrightText: NOASSERTION +PackageSummary: A purl aka. Package URL parser and builder +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.11.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.11.2:*:*:*:*:*:*:* +##### + PackageName: packaging SPDXID: SPDXRef-Package-54-packaging PackageVersion: 21.3 @@ -840,17 +839,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut PackageName: plotly SPDXID: SPDXRef-Package-55-plotly -PackageVersion: 5.16.1 +PackageVersion: 5.17.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.16.1 +PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.16.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:* ##### PackageName: tenacity 
@@ -916,23 +915,38 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/certifi@2023.7.22 ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*:*:*:*:* ##### +PackageName: urllib3 +SPDXID: SPDXRef-Package-60-urllib3 +PackageVersion: 2.0.6 +PrimaryPackagePurpose: LIBRARY +PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net) +PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6 +FilesAnalyzed: false +PackageLicenseDeclared: NOASSERTION +PackageLicenseConcluded: NOASSERTION +PackageCopyrightText: NOASSERTION +PackageSummary: HTTP library with thread-safe connection pooling, file post, and more. +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:* +##### + PackageName: rich -SPDXID: SPDXRef-Package-60-rich -PackageVersion: 13.5.2 +SPDXID: SPDXRef-Package-61-rich +PackageVersion: 13.6.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.5.2 +PackageDownloadLocation: https://pypi.org/project/rich/13.6.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@13.5.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.5.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@13.6.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.6.0:*:*:*:*:*:*:* ##### PackageName: markdown-it-py -SPDXID: SPDXRef-Package-61-markdown-it-py +SPDXID: SPDXRef-Package-62-markdown-it-py PackageVersion: 3.0.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris Sewell (chrisj_sewell@hotmail.com) 
@@ -947,7 +961,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_sewell:markdown-it-py:3.0.0:*:*: ##### PackageName: mdurl -SPDXID: SPDXRef-Package-62-mdurl +SPDXID: SPDXRef-Package-63-mdurl PackageVersion: 0.1.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Taneli Hukkinen (hukkin@users.noreply.github.com) @@ -962,7 +976,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:taneli_hukkinen:mdurl:0.1.2:*:*:*:*:*: ##### PackageName: pygments -SPDXID: SPDXRef-Package-63-pygments +SPDXID: SPDXRef-Package-64-pygments PackageVersion: 2.16.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Georg Brandl (georg@python.org) 
@@ -977,22 +991,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.16.1:*:*:*:*:* ##### PackageName: typing-extensions -SPDXID: SPDXRef-Package-64-typing-extensions -PackageVersion: 4.7.1 +SPDXID: SPDXRef-Package-65-typing-extensions +PackageVersion: 4.8.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Guido van Jukka ukasz Michael (levkivskyi@gmail.com) -PackageDownloadLocation: https://pypi.org/project/typing_extensions/4.7.1 +PackageDownloadLocation: https://pypi.org/project/typing_extensions/4.8.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION -PackageSummary: Backported and Experimental Type Hints for Python 3.7+ -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/typing-extensions@4.7.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.7.1:*:*:*:*:*:*:* +PackageSummary: Backported and Experimental Type Hints for Python 3.8+ +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/typing-extensions@4.8.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:guido_van_jukka_ukasz_michael:typing-extensions:4.8.0:*:*:*:*:*:*:* ##### PackageName: rpmfile -SPDXID: SPDXRef-Package-65-rpmfile +SPDXID: SPDXRef-Package-66-rpmfile PackageVersion: 1.1.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Sean Ross (srossross@gmail.com) @@ -1007,7 +1021,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:1.1.1:*:*:*:*:*:*:* ##### PackageName: toml -SPDXID: SPDXRef-Package-66-toml +SPDXID: SPDXRef-Package-67-toml PackageVersion: 0.10.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: William Pearson (uiri@xqz.ca) 
@@ -1022,22 +1036,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:william_pearson:toml:0.10.2:*:*:*:*:*: ##### PackageName: xmlschema -SPDXID: SPDXRef-Package-67-xmlschema -PackageVersion: 2.4.0 +SPDXID: SPDXRef-Package-68-xmlschema +PackageVersion: 2.5.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) -PackageDownloadLocation: https://pypi.org/project/xmlschema/2.4.0 +PackageDownloadLocation: https://pypi.org/project/xmlschema/2.5.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An XML Schema validator and decoder -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@2.4.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:2.4.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@2.5.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:2.5.0:*:*:*:*:*:*:* ##### PackageName: elementpath -SPDXID: SPDXRef-Package-68-elementpath +SPDXID: SPDXRef-Package-69-elementpath PackageVersion: 4.1.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Davide Brunato (brunato@sissa.it) @@ -1052,7 +1066,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.1.5:*:*:* ##### PackageName: zstandard -SPDXID: SPDXRef-Package-69-zstandard +SPDXID: SPDXRef-Package-70-zstandard PackageVersion: 0.21.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Gregory Szorc (gregory.szorc@gmail.com) 
@@ -1067,29 +1081,29 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.21.0 ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:* ##### -Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-11-beautifulsoup4 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-13-cvss Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-14-defusedxml Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-15-distro Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-16-gsutil Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-2-aiohttp -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-39-urllib3 -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-41-importlib-metadata -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-43-importlib-resources -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-44-jinja2 -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-46-jsonschema -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-51-lib4sbom -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-52-pyyaml +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-40-importlib-metadata +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-42-importlib-resources +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-43-jinja2 +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-45-jsonschema +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-50-lib4sbom +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-51-pyyaml +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-53-packageurl-python 
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-54-packaging Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-55-plotly Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-57-python-gnupg Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-58-requests -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-60-rich -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-65-rpmfile -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-66-toml -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-67-xmlschema -Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-69-zstandard +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-60-urllib3 +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-61-rich +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-66-rpmfile +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-67-toml +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-68-xmlschema +Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-70-zstandard Relationship: SPDXRef-Package-11-beautifulsoup4 DEPENDS_ON SPDXRef-Package-12-soupsieve Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-17-argcomplete Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-18-crcmod 
@@ -1102,7 +1116,7 @@ Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-31-pyopenssl Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-35-retry-decorator Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-36-google-apitools Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-37-google-auth -Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-40-monotonic +Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-39-monotonic Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-3-aiosignal Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-4-frozenlist Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-5-async-timeout 
@@ -1136,37 +1150,37 @@ Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-19-f Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-24-six Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-25-httplib2 Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-27-oauth2client -Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-24-six Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-29-pyasn1-modules Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-30-rsa Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-38-cachetools -Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-39-urllib3 -Relationship: SPDXRef-Package-41-importlib-metadata DEPENDS_ON SPDXRef-Package-42-zipp -Relationship: SPDXRef-Package-43-importlib-resources DEPENDS_ON SPDXRef-Package-42-zipp -Relationship: SPDXRef-Package-44-jinja2 DEPENDS_ON SPDXRef-Package-45-markupsafe -Relationship: SPDXRef-Package-46-jsonschema DEPENDS_ON SPDXRef-Package-43-importlib-resources -Relationship: SPDXRef-Package-46-jsonschema DEPENDS_ON SPDXRef-Package-47-jsonschema-specifications -Relationship: SPDXRef-Package-46-jsonschema DEPENDS_ON SPDXRef-Package-48-referencing -Relationship: SPDXRef-Package-46-jsonschema DEPENDS_ON SPDXRef-Package-49-rpds-py -Relationship: SPDXRef-Package-46-jsonschema DEPENDS_ON SPDXRef-Package-50-pkgutil-resolve-name -Relationship: SPDXRef-Package-46-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs -Relationship: SPDXRef-Package-47-jsonschema-specifications DEPENDS_ON SPDXRef-Package-43-importlib-resources -Relationship: SPDXRef-Package-47-jsonschema-specifications DEPENDS_ON SPDXRef-Package-48-referencing -Relationship: SPDXRef-Package-48-referencing DEPENDS_ON SPDXRef-Package-49-rpds-py -Relationship: SPDXRef-Package-48-referencing DEPENDS_ON SPDXRef-Package-6-attrs -Relationship: 
SPDXRef-Package-51-lib4sbom DEPENDS_ON SPDXRef-Package-52-pyyaml -Relationship: SPDXRef-Package-51-lib4sbom DEPENDS_ON SPDXRef-Package-53-semantic-version +Relationship: SPDXRef-Package-40-importlib-metadata DEPENDS_ON SPDXRef-Package-41-zipp +Relationship: SPDXRef-Package-42-importlib-resources DEPENDS_ON SPDXRef-Package-41-zipp +Relationship: SPDXRef-Package-43-jinja2 DEPENDS_ON SPDXRef-Package-44-markupsafe +Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-42-importlib-resources +Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-46-jsonschema-specifications +Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-47-referencing +Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-48-rpds-py +Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-49-pkgutil-resolve-name +Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs +Relationship: SPDXRef-Package-46-jsonschema-specifications DEPENDS_ON SPDXRef-Package-42-importlib-resources +Relationship: SPDXRef-Package-46-jsonschema-specifications DEPENDS_ON SPDXRef-Package-47-referencing +Relationship: SPDXRef-Package-47-referencing DEPENDS_ON SPDXRef-Package-48-rpds-py +Relationship: SPDXRef-Package-47-referencing DEPENDS_ON SPDXRef-Package-6-attrs +Relationship: SPDXRef-Package-50-lib4sbom DEPENDS_ON SPDXRef-Package-14-defusedxml +Relationship: SPDXRef-Package-50-lib4sbom DEPENDS_ON SPDXRef-Package-51-pyyaml +Relationship: SPDXRef-Package-50-lib4sbom DEPENDS_ON SPDXRef-Package-52-semantic-version Relationship: SPDXRef-Package-54-packaging DEPENDS_ON SPDXRef-Package-26-pyparsing Relationship: SPDXRef-Package-55-plotly DEPENDS_ON SPDXRef-Package-54-packaging Relationship: SPDXRef-Package-55-plotly DEPENDS_ON SPDXRef-Package-56-tenacity Relationship: SPDXRef-Package-58-requests DEPENDS_ON SPDXRef-Package-10-idna -Relationship: SPDXRef-Package-58-requests DEPENDS_ON SPDXRef-Package-39-urllib3 
Relationship: SPDXRef-Package-58-requests DEPENDS_ON SPDXRef-Package-59-certifi +Relationship: SPDXRef-Package-58-requests DEPENDS_ON SPDXRef-Package-60-urllib3 Relationship: SPDXRef-Package-58-requests DEPENDS_ON SPDXRef-Package-7-charset-normalizer -Relationship: SPDXRef-Package-60-rich DEPENDS_ON SPDXRef-Package-61-markdown-it-py -Relationship: SPDXRef-Package-60-rich DEPENDS_ON SPDXRef-Package-63-pygments -Relationship: SPDXRef-Package-60-rich DEPENDS_ON SPDXRef-Package-64-typing-extensions -Relationship: SPDXRef-Package-61-markdown-it-py DEPENDS_ON SPDXRef-Package-62-mdurl -Relationship: SPDXRef-Package-67-xmlschema DEPENDS_ON SPDXRef-Package-68-elementpath +Relationship: SPDXRef-Package-61-rich DEPENDS_ON SPDXRef-Package-62-markdown-it-py +Relationship: SPDXRef-Package-61-rich DEPENDS_ON SPDXRef-Package-64-pygments +Relationship: SPDXRef-Package-61-rich DEPENDS_ON SPDXRef-Package-65-typing-extensions +Relationship: SPDXRef-Package-62-markdown-it-py DEPENDS_ON SPDXRef-Package-63-mdurl +Relationship: SPDXRef-Package-68-xmlschema DEPENDS_ON SPDXRef-Package-69-elementpath Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-10-idna Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-8-multidict +Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json index c0db5e2a39..47093b9c44 100644 --- a/sbom/cve-bin-tool-py3.9.json +++ b/sbom/cve-bin-tool-py3.9.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:25f4b876-a973-4954-b768-39c090ff8a2f", + "serialNumber": "urn:uuid:f8741d95-ca5d-4436-bc12-d7db351c2830", "version": 1, "metadata": { - "timestamp": "2023-08-21T00:24:23Z", + "timestamp": "2023-10-16T00:26:27Z", "tools": { "components": [ { 
@@ -58,7 +58,11 @@ "type": "library", "bom-ref": "2-aiohttp", "name": "aiohttp", - "version": "3.8.5", + "version": "3.8.6", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6", "description": "Async http client/server framework (asyncio)", "licenses": [ { @@ -70,12 +74,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/aiohttp/3.8.5", + "url": "https://pypi.org/project/aiohttp/3.8.6", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/aiohttp@3.8.5", + "purl": "pkg:pypi/aiohttp@3.8.6", "properties": [ { "name": "License Comments", @@ -88,6 +92,10 @@ "bom-ref": "3-aiosignal", "name": "aiosignal", "version": "1.3.1", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1", "licenses": [ { "license": { @@ -116,6 +124,10 @@ "bom-ref": "4-frozenlist", "name": "frozenlist", "version": "1.4.0", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0", "description": "A list-like structure which implements collections.abc.MutableSequence", "licenses": [ { @@ -206,7 +218,7 @@ "type": "library", "bom-ref": "7-charset-normalizer", "name": "charset-normalizer", - "version": "3.2.0", + "version": "3.3.0", "supplier": { "name": "Ahmed TAHRI", "contact": [ @@ -215,7 +227,7 @@ } ] }, - "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:*", "description": "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.", "licenses": [ { 
@@ -227,12 +239,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/charset-normalizer/3.2.0", + "url": "https://pypi.org/project/charset-normalizer/3.3.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/charset-normalizer@3.2.0" + "purl": "pkg:pypi/charset-normalizer@3.3.0" }, { "type": "library", @@ -356,7 +368,7 @@ "type": "library", "bom-ref": "12-soupsieve", "name": "soupsieve", - "version": "2.4.1", + "version": "2.5", "supplier": { "name": "Isaac Muse", "contact": [ @@ -365,16 +377,16 @@ } ] }, - "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.4.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:*", "description": "A modern CSS selector implementation for Beautiful Soup.", "externalReferences": [ { - "url": "https://pypi.org/project/soupsieve/2.4.1", + "url": "https://pypi.org/project/soupsieve/2.5", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/soupsieve@2.4.1" + "purl": "pkg:pypi/soupsieve@2.5" }, { "type": "library", @@ -494,16 +506,16 @@ "type": "library", "bom-ref": "16-gsutil", "name": "gsutil", - "version": "5.25", + "version": "5.26", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "buganizer-system+187143@google.com" } ] }, - "cpe": "cpe:2.3:a:google_inc.:gsutil:5.25:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*", "description": "A command line tool for interacting with cloud storage services.", "licenses": [ { @@ -515,12 +527,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/gsutil/5.25", + "url": "https://pypi.org/project/gsutil/5.26", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/gsutil@5.25", + "purl": "pkg:pypi/gsutil@5.26", "properties": [ { "name": "License Comments", 
@@ -532,7 +544,7 @@ "type": "library", "bom-ref": "17-argcomplete", "name": "argcomplete", - "version": "3.1.1", + "version": "3.1.2", "supplier": { "name": "Andrey Kislyuk", "contact": [ @@ -541,7 +553,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.2:*:*:*:*:*:*:*", "description": "Bash tab completion for argparse", "licenses": [ { @@ -553,12 +565,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/argcomplete/3.1.1", + "url": "https://pypi.org/project/argcomplete/3.1.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/argcomplete@3.1.1", + "purl": "pkg:pypi/argcomplete@3.1.2", "properties": [ { "name": "License Comments", @@ -602,11 +614,11 @@ "type": "library", "bom-ref": "19-fasteners", "name": "fasteners", - "version": "0.18", + "version": "0.19", "supplier": { "name": "Joshua Harlow" }, - "cpe": "cpe:2.3:a:joshua_harlow:fasteners:0.18:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:joshua_harlow:fasteners:0.19:*:*:*:*:*:*:*", "description": "A python package that provides useful locks", "licenses": [ { @@ -618,18 +630,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/fasteners/0.18", + "url": "https://pypi.org/project/fasteners/0.19", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/fasteners@0.18", - "properties": [ - { - "name": "License Comments", - "value": "fasteners declares ASL 2.0 which is not currently a valid SPDX License identifier or expression." - } - ] + "purl": "pkg:pypi/fasteners@0.19" }, { "type": "library", @@ -637,7 +643,7 @@ "name": "gcs-oauth2-boto-plugin", "version": "3.0", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "gs-team@google.com" 
@@ -745,7 +751,7 @@ "name": "pyu2f", "version": "0.1.5", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "pyu2f-team@google.com" @@ -871,7 +877,7 @@ "name": "oauth2client", "version": "4.1.3", "supplier": { - "name": "Google Inc.", + "name": "Google Inc .", "contact": [ { "email": "jonwayne+oauth2client@google.com" @@ -979,7 +985,7 @@ "name": "rsa", "version": "4.7.2", "supplier": { - "name": "Sybren A. Stuvel", + "name": "Sybren A . Stuvel", "contact": [ { "email": "sybren@stuvel.eu" @@ -1053,7 +1059,7 @@ "type": "library", "bom-ref": "32-cryptography", "name": "cryptography", - "version": "41.0.3", + "version": "41.0.4", "supplier": { "name": "The Python Cryptographic Authority and individual contributors", "contact": [ @@ -1062,29 +1068,27 @@ } ] }, - "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*", "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.", "licenses": [ { - "license": { - "expression": "Apache-2.0 OR BSD-3-Clause" - } + "expression": "Apache-2.0 OR BSD-3-Clause" } ], "externalReferences": [ { - "url": "https://pypi.org/project/cryptography/41.0.3", + "url": "https://pypi.org/project/cryptography/41.0.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cryptography@41.0.3" + "purl": "pkg:pypi/cryptography@41.0.4" }, { "type": "library", "bom-ref": "33-cffi", "name": "cffi", - "version": "1.15.1", + "version": "1.16.0", "supplier": { "name": "Armin Maciej Fijalkowski", "contact": [ 
@@ -1093,7 +1097,7 @@ } ] }, - "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.15.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:*", "description": "Foreign Function Interface for Python calling C code.", "licenses": [ { @@ -1105,12 +1109,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cffi/1.15.1", + "url": "https://pypi.org/project/cffi/1.16.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cffi@1.15.1" + "purl": "pkg:pypi/cffi@1.16.0" }, { "type": "library", @@ -1224,7 +1228,7 @@ "type": "library", "bom-ref": "37-google-auth", "name": "google-auth", - "version": "2.22.0", + "version": "2.23.3", "supplier": { "name": "Google Cloud Platform", "contact": [ @@ -1233,7 +1237,7 @@ } ] }, - "cpe": "cpe:2.3:a:google_cloud_platform:google-auth:2.22.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_cloud_platform:google-auth:2.23.3:*:*:*:*:*:*:*", "description": "Google Authentication Library", "licenses": [ { @@ -1245,12 +1249,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/google-auth/2.22.0", + "url": "https://pypi.org/project/google-auth/2.23.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/google-auth@2.22.0", + "purl": "pkg:pypi/google-auth@2.23.3", "properties": [ { "name": "License Comments", 
@@ -1292,39 +1296,7 @@ }, { "type": "library", - "bom-ref": "39-urllib3", - "name": "urllib3", - "version": "1.26.16", - "supplier": { - "name": "Andrey Petrov", - "contact": [ - { - "email": "andrey.petrov@shazow.net" - } - ] - }, - "cpe": "cpe:2.3:a:andrey_petrov:urllib3:1.26.16:*:*:*:*:*:*:*", - "description": "HTTP library with thread-safe connection pooling, file post, and more.", - "licenses": [ - { - "license": { - "id": "MIT", - "url": "https://opensource.org/licenses/MIT" - } - } - ], - "externalReferences": [ - { - "url": "https://pypi.org/project/urllib3/1.26.16", - "type": "distribution", - "comment": "Download location for component" - } - ], - "purl": "pkg:pypi/urllib3@1.26.16" - }, - { - "type": "library", - "bom-ref": "40-monotonic", + "bom-ref": "39-monotonic", "name": "monotonic", "version": "1.6", "supplier": { @@ -1362,11 +1334,11 @@ }, { "type": "library", - "bom-ref": "41-importlib-metadata", + "bom-ref": "40-importlib-metadata", "name": "importlib-metadata", "version": "6.8.0", "supplier": { - "name": "Jason R. Coombs", + "name": "Jason R . Coombs", "contact": [ { "email": "jaraco@jaraco.com" 
@@ -1386,31 +1358,31 @@ }, { "type": "library", - "bom-ref": "42-zipp", + "bom-ref": "41-zipp", "name": "zipp", - "version": "3.16.2", + "version": "3.17.0", "supplier": { - "name": "Jason R. Coombs", + "name": "Jason R . Coombs", "contact": [ { "email": "jaraco@jaraco.com" } ] }, - "cpe": "cpe:2.3:a:jason_r._coombs:zipp:3.16.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r._coombs:zipp:3.17.0:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.16.2", + "url": "https://pypi.org/project/zipp/3.17.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.16.2" + "purl": "pkg:pypi/zipp@3.17.0" }, { "type": "library", - "bom-ref": "43-jinja2", + "bom-ref": "42-jinja2", "name": "jinja2", "version": "3.1.2", "supplier": { @@ -1442,9 +1414,13 @@ }, { "type": "library", - "bom-ref": "44-markupsafe", + "bom-ref": "43-markupsafe", "name": "markupsafe", "version": "2.1.3", + "supplier": { + "name": "NOASSERTION" + }, + "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3", "description": "Safely add untrusted strings to HTML/XML markup.", "licenses": [ { @@ -1465,13 +1441,13 @@ }, { "type": "library", - "bom-ref": "45-jsonschema", + "bom-ref": "44-jsonschema", "name": "jsonschema", - "version": "4.19.0", + "version": "4.19.1", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.1:*:*:*:*:*:*:*", "description": "An implementation of JSON Schema validation for Python", "licenses": [ { 
@@ -1483,16 +1459,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/jsonschema/4.19.0", + "url": "https://pypi.org/project/jsonschema/4.19.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/jsonschema@4.19.0" + "purl": "pkg:pypi/jsonschema@4.19.1" }, { "type": "library", - "bom-ref": "46-jsonschema-specifications", + "bom-ref": "45-jsonschema-specifications", "name": "jsonschema-specifications", "version": "2023.7.1", "supplier": { @@ -1519,7 +1495,7 @@ }, { "type": "library", - "bom-ref": "47-referencing", + "bom-ref": "46-referencing", "name": "referencing", "version": "0.30.2", "supplier": { @@ -1546,13 +1522,13 @@ }, { "type": "library", - "bom-ref": "48-rpds-py", + "bom-ref": "47-rpds-py", "name": "rpds-py", - "version": "0.9.2", + "version": "0.10.6", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.6:*:*:*:*:*:*:*", "description": "Python bindings to Rust's persistent data structures (rpds)", "licenses": [ { @@ -1564,18 +1540,18 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rpds-py/0.9.2", + "url": "https://pypi.org/project/rpds-py/0.10.6", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rpds-py@0.9.2" + "purl": "pkg:pypi/rpds-py@0.10.6" }, { "type": "library", - "bom-ref": "49-lib4sbom", + "bom-ref": "48-lib4sbom", "name": "lib4sbom", - "version": "0.4.3", + "version": "0.5.1", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -1584,7 +1560,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { 
@@ -1596,16 +1572,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.4.3", + "url": "https://pypi.org/project/lib4sbom/0.5.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.4.3" + "purl": "pkg:pypi/lib4sbom@0.5.1" }, { "type": "library", - "bom-ref": "50-pyyaml", + "bom-ref": "49-pyyaml", "name": "pyyaml", "version": "6.0.1", "supplier": { @@ -1637,7 +1613,7 @@ }, { "type": "library", - "bom-ref": "51-semantic-version", + "bom-ref": "50-semantic-version", "name": "semantic-version", "version": "2.10.0", "supplier": { @@ -1673,6 +1649,33 @@ } ] }, + { + "type": "library", + "bom-ref": "51-packageurl-python", + "name": "packageurl-python", + "version": "0.11.2", + "supplier": { + "name": "the purl authors" + }, + "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.11.2:*:*:*:*:*:*:*", + "description": "A purl aka. Package URL parser and builder", + "licenses": [ + { + "license": { + "id": "MIT", + "url": "https://opensource.org/licenses/MIT" + } + } + ], + "externalReferences": [ + { + "url": "https://pypi.org/project/packageurl-python/0.11.2", + "type": "distribution", + "comment": "Download location for component" + } + ], + "purl": "pkg:pypi/packageurl-python@0.11.2" + }, { "type": "library", "bom-ref": "52-packaging", @@ -1690,9 +1693,7 @@ "description": "Core utilities for Python packages", "licenses": [ { - "license": { - "expression": "BSD-2-Clause OR Apache-2.0" - } + "expression": "BSD-2-Clause OR Apache-2.0" } ], "externalReferences": [ @@ -1714,7 +1715,7 @@ "type": "library", "bom-ref": "53-plotly", "name": "plotly", - "version": "5.16.1", + "version": "5.17.0", "supplier": { "name": "Chris P", "contact": [ @@ -1723,7 +1724,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { 
@@ -1735,12 +1736,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.16.1", + "url": "https://pypi.org/project/plotly/5.17.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.16.1" + "purl": "pkg:pypi/plotly@5.17.0" }, { "type": "library", @@ -1890,9 +1891,33 @@ }, { "type": "library", - "bom-ref": "58-rich", + "bom-ref": "58-urllib3", + "name": "urllib3", + "version": "2.0.6", + "supplier": { + "name": "Andrey Petrov", + "contact": [ + { + "email": "andrey.petrov@shazow.net" + } + ] + }, + "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*", + "description": "HTTP library with thread-safe connection pooling, file post, and more.", + "externalReferences": [ + { + "url": "https://pypi.org/project/urllib3/2.0.6", + "type": "distribution", + "comment": "Download location for component" + } + ], + "purl": "pkg:pypi/urllib3@2.0.6" + }, + { + "type": "library", + "bom-ref": "59-rich", "name": "rich", - "version": "13.5.2", + "version": "13.6.0", "supplier": { "name": "Will McGugan", "contact": [ @@ -1901,7 +1926,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.5.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.6.0:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { @@ -1913,16 +1938,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rich/13.5.2", + "url": "https://pypi.org/project/rich/13.6.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.5.2" + "purl": "pkg:pypi/rich@13.6.0" }, { "type": "library", - "bom-ref": "59-markdown-it-py", + "bom-ref": "60-markdown-it-py", "name": "markdown-it-py", "version": "3.0.0", "supplier": { @@ -1946,7 +1971,7 @@ }, { "type": "library", - "bom-ref": "60-mdurl", + "bom-ref": "61-mdurl", "name": "mdurl", "version": "0.1.2", "supplier": { 
@@ -1970,7 +1995,7 @@ }, { "type": "library", - "bom-ref": "61-pygments", + "bom-ref": "62-pygments", "name": "pygments", "version": "2.16.1", "supplier": { @@ -2002,7 +2027,7 @@ }, { "type": "library", - "bom-ref": "62-rpmfile", + "bom-ref": "63-rpmfile", "name": "rpmfile", "version": "1.1.1", "supplier": { @@ -2034,7 +2059,7 @@ }, { "type": "library", - "bom-ref": "63-toml", + "bom-ref": "64-toml", "name": "toml", "version": "0.10.2", "supplier": { @@ -2066,9 +2091,9 @@ }, { "type": "library", - "bom-ref": "64-xmlschema", + "bom-ref": "65-xmlschema", "name": "xmlschema", - "version": "2.4.0", + "version": "2.5.0", "supplier": { "name": "Davide Brunato", "contact": [ @@ -2077,7 +2102,7 @@ } ] }, - "cpe": "cpe:2.3:a:davide_brunato:xmlschema:2.4.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:davide_brunato:xmlschema:2.5.0:*:*:*:*:*:*:*", "description": "An XML Schema validator and decoder", "licenses": [ { @@ -2089,16 +2114,16 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/xmlschema/2.4.0", + "url": "https://pypi.org/project/xmlschema/2.5.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/xmlschema@2.4.0" + "purl": "pkg:pypi/xmlschema@2.5.0" }, { "type": "library", - "bom-ref": "65-elementpath", + "bom-ref": "66-elementpath", "name": "elementpath", "version": "4.1.5", "supplier": { @@ -2130,7 +2155,7 @@ }, { "type": "library", - "bom-ref": "66-zstandard", + "bom-ref": "67-zstandard", "name": "zstandard", "version": "0.21.0", "supplier": { @@ -2168,12 +2193,6 @@ } ], "dependencies": [ - { - "ref": "CDXRef-DOCUMENT", - "dependsOn": [ - "1-cve-bin-tool" - ] - }, { "ref": "1-cve-bin-tool", "dependsOn": [ 
@@ -2183,21 +2202,22 @@ "14-defusedxml", "15-distro", "16-gsutil", - "41-importlib-metadata", - "43-jinja2", - "45-jsonschema", - "49-lib4sbom", + "40-importlib-metadata", + "42-jinja2", + "44-jsonschema", + "48-lib4sbom", + "51-packageurl-python", "52-packaging", "53-plotly", "55-python-gnupg", - "50-pyyaml", + "49-pyyaml", "56-requests", - "58-rich", - "62-rpmfile", - "63-toml", - "39-urllib3", - "64-xmlschema", - "66-zstandard" + "59-rich", + "63-rpmfile", + "64-toml", + "58-urllib3", + "65-xmlschema", + "67-zstandard" ] }, { @@ -2242,7 +2262,7 @@ "37-google-auth", "22-google-reauth", "25-httplib2", - "40-monotonic", + "39-monotonic", "31-pyopenssl", "35-retry-decorator", "24-six" @@ -2333,50 +2353,49 @@ "dependsOn": [ "38-cachetools", "29-pyasn1-modules", - "30-rsa", - "24-six", - "39-urllib3" + "30-rsa" ] }, { - "ref": "41-importlib-metadata", + "ref": "40-importlib-metadata", "dependsOn": [ - "42-zipp" + "41-zipp" ] }, { - "ref": "43-jinja2", + "ref": "42-jinja2", "dependsOn": [ - "44-markupsafe" + "43-markupsafe" ] }, { - "ref": "45-jsonschema", + "ref": "44-jsonschema", "dependsOn": [ "6-attrs", - "46-jsonschema-specifications", - "47-referencing", - "48-rpds-py" + "45-jsonschema-specifications", + "46-referencing", + "47-rpds-py" ] }, { - "ref": "46-jsonschema-specifications", + "ref": "45-jsonschema-specifications", "dependsOn": [ - "47-referencing" + "46-referencing" ] }, { - "ref": "47-referencing", + "ref": "46-referencing", "dependsOn": [ "6-attrs", - "48-rpds-py" + "47-rpds-py" ] }, { - "ref": "49-lib4sbom", + "ref": "48-lib4sbom", "dependsOn": [ - "50-pyyaml", - "51-semantic-version" + "14-defusedxml", + "49-pyyaml", + "50-semantic-version" ] }, { 
@@ -2398,26 +2417,26 @@ "57-certifi", "7-charset-normalizer", "10-idna", - "39-urllib3" + "58-urllib3" ] }, { - "ref": "58-rich", + "ref": "59-rich", "dependsOn": [ - "59-markdown-it-py", - "61-pygments" + "60-markdown-it-py", + "62-pygments" ] }, { - "ref": "59-markdown-it-py", + "ref": "60-markdown-it-py", "dependsOn": [ - "60-mdurl" + "61-mdurl" ] }, { - "ref": "64-xmlschema", + "ref": "65-xmlschema", "dependsOn": [ - "65-elementpath" + "66-elementpath" ] } ] diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx index 096a9f3836..a94040dd36 100644 --- a/sbom/cve-bin-tool-py3.9.spdx +++ b/sbom/cve-bin-tool-py3.9.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-b9a15a46-447a-4198-bd2f-2b8bfe931ec9 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-f9e7fcb4-0ce9-42f9-b926-8a5c80ddcb73 LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-08-21T00:23:04Z +Created: 2023-10-16T00:25:02Z CreatorComment: This document has been automatically generated. ##### 
@@ -26,24 +26,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.2.2.dev0:*:*: PackageName: aiohttp SPDXID: SPDXRef-Package-2-aiohttp -PackageVersion: 3.8.5 +PackageVersion: 3.8.6 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION -PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.5 +PackageSupplier: Organization: NOASSERTION +PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.6 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Async http client/server framework (asyncio) -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.5 +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.6 ##### PackageName: aiosignal SPDXID: SPDXRef-Package-3-aiosignal PackageVersion: 1.3.1 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION @@ -57,7 +57,7 @@ PackageName: frozenlist SPDXID: SPDXRef-Package-4-frozenlist PackageVersion: 1.4.0 PrimaryPackagePurpose: LIBRARY -PackageSupplier: NOASSERTION +PackageSupplier: Organization: NOASSERTION PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION 
@@ -101,17 +101,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:23.1.0:*:*:*:*:* PackageName: charset-normalizer SPDXID: SPDXRef-Package-7-charset-normalizer -PackageVersion: 3.2.0 +PackageVersion: 3.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Ahmed TAHRI (ahmed.tahri@cloudnursery.dev) -PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.2.0 +PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.3.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:* ##### PackageName: multidict @@ -177,17 +177,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:leonard_richardson:beautifulsoup4:4.12 PackageName: soupsieve SPDXID: SPDXRef-Package-12-soupsieve -PackageVersion: 2.4.1 +PackageVersion: 2.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Isaac Muse (use@gmail.com) -PackageDownloadLocation: https://pypi.org/project/soupsieve/2.4.1 +PackageDownloadLocation: https://pypi.org/project/soupsieve/2.5 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: A modern CSS selector implementation for Beautiful Soup. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.4.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.4.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.5 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.5:*:*:*:*:*:*:* ##### PackageName: cvss 
@@ -240,34 +240,34 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:*
 PackageName: gsutil
 SPDXID: SPDXRef-Package-16-gsutil
-PackageVersion: 5.25
+PackageVersion: 5.26
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com)
-PackageDownloadLocation: https://pypi.org/project/gsutil/5.25
+PackageDownloadLocation: https://pypi.org/project/gsutil/5.26
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: A command line tool for interacting with cloud storage services.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.25
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.25:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*
 #####
 PackageName: argcomplete
 SPDXID: SPDXRef-Package-17-argcomplete
-PackageVersion: 3.1.1
+PackageVersion: 3.1.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/argcomplete/3.1.1
+PackageDownloadLocation: https://pypi.org/project/argcomplete/3.1.2
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Bash tab completion for argparse
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.1.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/argcomplete@3.1.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_kislyuk:argcomplete:3.1.2:*:*:*:*:*:*:*
 #####
 PackageName: crcmod
@@ -287,18 +287,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ray_buvel:crcmod:1.7:*:*:*:*:*:*:*
 PackageName: fasteners
 SPDXID: SPDXRef-Package-19-fasteners
-PackageVersion: 0.18
+PackageVersion: 0.19
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Joshua Harlow
-PackageDownloadLocation: https://pypi.org/project/fasteners/0.18
+PackageDownloadLocation: https://pypi.org/project/fasteners/0.19
 FilesAnalyzed: false
-PackageLicenseDeclared: NOASSERTION
+PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
-PackageLicenseComments: fasteners declares ASL 2.0 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: A python package that provides useful locks
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/fasteners@0.18
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:joshua_harlow:fasteners:0.18:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/fasteners@0.19
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:joshua_harlow:fasteners:0.19:*:*:*:*:*:*:*
 #####
 PackageName: gcs-oauth2-boto-plugin
@@ -490,32 +489,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.
 PackageName: cryptography
 SPDXID: SPDXRef-Package-32-cryptography
-PackageVersion: 41.0.3
+PackageVersion: 41.0.4
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org)
-PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.3
+PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4
 FilesAnalyzed: false
 PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause
 PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause
 PackageCopyrightText: NOASSERTION
 PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*
 #####
 PackageName: cffi
 SPDXID: SPDXRef-Package-33-cffi
-PackageVersion: 1.15.1
+PackageVersion: 1.16.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Armin Maciej Fijalkowski (python-cffi@googlegroups.com)
-PackageDownloadLocation: https://pypi.org/project/cffi/1.15.1
+PackageDownloadLocation: https://pypi.org/project/cffi/1.16.0
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: Foreign Function Interface for Python calling C code.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cffi@1.15.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.15.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cffi@1.16.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.16.0:*:*:*:*:*:*:*
 #####
 PackageName: pycparser
@@ -567,18 +566,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:craig_citro:google-apitools:0.5.32:*:*
 PackageName: google-auth
 SPDXID: SPDXRef-Package-37-google-auth
-PackageVersion: 2.22.0
+PackageVersion: 2.23.3
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Google Cloud Platform (googleapis-packages@google.com)
-PackageDownloadLocation: https://pypi.org/project/google-auth/2.22.0
+PackageDownloadLocation: https://pypi.org/project/google-auth/2.23.3
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: google-auth declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Google Authentication Library
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth@2.22.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.22.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth@2.23.3
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23.3:*:*:*:*:*:*:*
 #####
 PackageName: cachetools
@@ -596,23 +595,8 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*
 #####
-PackageName: urllib3
-SPDXID: SPDXRef-Package-39-urllib3
-PackageVersion: 1.26.16
-PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net)
-PackageDownloadLocation: https://pypi.org/project/urllib3/1.26.16
-FilesAnalyzed: false
-PackageLicenseDeclared: MIT
-PackageLicenseConcluded: MIT
-PackageCopyrightText: NOASSERTION
-PackageSummary: HTTP library with thread-safe connection pooling, file post, and more.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@1.26.16
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:1.26.16:*:*:*:*:*:*:*
-#####
-
 PackageName: monotonic
-SPDXID: SPDXRef-Package-40-monotonic
+SPDXID: SPDXRef-Package-39-monotonic
 PackageVersion: 1.6
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Ori Livneh (ori@wikimedia.org)
@@ -628,7 +612,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ori_livneh:monotonic:1.6:*:*:*:*:*:*:*
 #####
 PackageName: importlib-metadata
-SPDXID: SPDXRef-Package-41-importlib-metadata
+SPDXID: SPDXRef-Package-40-importlib-metadata
 PackageVersion: 6.8.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Jason R. Coombs (jaraco@jaraco.com)
@@ -643,22 +627,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r._coombs:importlib-metadata:6.8
 #####
 PackageName: zipp
-SPDXID: SPDXRef-Package-42-zipp
-PackageVersion: 3.16.2
+SPDXID: SPDXRef-Package-41-zipp
+PackageVersion: 3.17.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Jason R. Coombs (jaraco@jaraco.com)
-PackageDownloadLocation: https://pypi.org/project/zipp/3.16.2
+PackageDownloadLocation: https://pypi.org/project/zipp/3.17.0
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: Backport of pathlib-compatible object wrapper for zip files
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zipp@3.16.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r._coombs:zipp:3.16.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zipp@3.17.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r._coombs:zipp:3.17.0:*:*:*:*:*:*:*
 #####
 PackageName: jinja2
-SPDXID: SPDXRef-Package-43-jinja2
+SPDXID: SPDXRef-Package-42-jinja2
 PackageVersion: 3.1.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
@@ -673,10 +657,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.1.2:*:*:*:*:*:
 #####
 PackageName: markupsafe
-SPDXID: SPDXRef-Package-44-markupsafe
+SPDXID: SPDXRef-Package-43-markupsafe
 PackageVersion: 2.1.3
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3
 FilesAnalyzed: false
 PackageLicenseDeclared: BSD-3-Clause
@@ -687,22 +671,22 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.3
 #####
 PackageName: jsonschema
-SPDXID: SPDXRef-Package-45-jsonschema
-PackageVersion: 4.19.0
+SPDXID: SPDXRef-Package-44-jsonschema
+PackageVersion: 4.19.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.0
+PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.1
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: An implementation of JSON Schema validation for Python
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.1:*:*:*:*:*:*:*
 #####
 PackageName: jsonschema-specifications
-SPDXID: SPDXRef-Package-46-jsonschema-specifications
+SPDXID: SPDXRef-Package-45-jsonschema-specifications
 PackageVersion: 2023.7.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
@@ -717,7 +701,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema-specification
 #####
 PackageName: referencing
-SPDXID: SPDXRef-Package-47-referencing
+SPDXID: SPDXRef-Package-46-referencing
 PackageVersion: 0.30.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
@@ -732,37 +716,37 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.30.2:*:*:*
 #####
 PackageName: rpds-py
-SPDXID: SPDXRef-Package-48-rpds-py
-PackageVersion: 0.9.2
+SPDXID: SPDXRef-Package-47-rpds-py
+PackageVersion: 0.10.6
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.9.2
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.6
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: Python bindings to Rust's persistent data structures (rpds)
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.9.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.6
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.6:*:*:*:*:*:*:*
 #####
 PackageName: lib4sbom
-SPDXID: SPDXRef-Package-49-lib4sbom
-PackageVersion: 0.4.3
+SPDXID: SPDXRef-Package-48-lib4sbom
+PackageVersion: 0.5.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3
+PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.1
 FilesAnalyzed: false
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: Software Bill of Material (SBOM) generator and consumer library
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*
 #####
 PackageName: pyyaml
-SPDXID: SPDXRef-Package-50-pyyaml
+SPDXID: SPDXRef-Package-49-pyyaml
 PackageVersion: 6.0.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Kirill Simonov (xi@resolvent.net)
@@ -777,7 +761,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.1:*:*:*:*:*:
 #####
 PackageName: semantic-version
-SPDXID: SPDXRef-Package-51-semantic-version
+SPDXID: SPDXRef-Package-50-semantic-version
 PackageVersion: 2.10.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Raphael Barrois (raphael.barrois+semver@polytechnique.org)
@@ -792,6 +776,21 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/semantic-version@2.10.0
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10.0:*:*:*:*:*:*:*
 #####
+PackageName: packageurl-python
+SPDXID: SPDXRef-Package-51-packageurl-python
+PackageVersion: 0.11.2
+PrimaryPackagePurpose: LIBRARY
+PackageSupplier: Person: the purl authors
+PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.11.2
+FilesAnalyzed: false
+PackageLicenseDeclared: MIT
+PackageLicenseConcluded: MIT
+PackageCopyrightText: NOASSERTION
+PackageSummary: A purl aka. Package URL parser and builder
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.11.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.11.2:*:*:*:*:*:*:*
+#####
+
 PackageName: packaging
 SPDXID: SPDXRef-Package-52-packaging
 PackageVersion: 21.3
@@ -810,17 +809,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut
 PackageName: plotly
 SPDXID: SPDXRef-Package-53-plotly
-PackageVersion: 5.16.1
+PackageVersion: 5.17.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Chris P (chris@plot.ly)
-PackageDownloadLocation: https://pypi.org/project/plotly/5.16.1
+PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: An open-source, interactive data visualization library for Python
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.16.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*
 #####
 PackageName: tenacity
@@ -886,23 +885,38 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/certifi@2023.7.22
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*:*:*:*:*
 #####
+PackageName: urllib3
+SPDXID: SPDXRef-Package-58-urllib3
+PackageVersion: 2.0.6
+PrimaryPackagePurpose: LIBRARY
+PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net)
+PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6
+FilesAnalyzed: false
+PackageLicenseDeclared: NOASSERTION
+PackageLicenseConcluded: NOASSERTION
+PackageCopyrightText: NOASSERTION
+PackageSummary: HTTP library with thread-safe connection pooling, file post, and more.
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*
+#####
+
 PackageName: rich
-SPDXID: SPDXRef-Package-58-rich
-PackageVersion: 13.5.2
+SPDXID: SPDXRef-Package-59-rich
+PackageVersion: 13.6.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/rich/13.5.2
+PackageDownloadLocation: https://pypi.org/project/rich/13.6.0
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@13.5.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.5.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@13.6.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.6.0:*:*:*:*:*:*:*
 #####
 PackageName: markdown-it-py
-SPDXID: SPDXRef-Package-59-markdown-it-py
+SPDXID: SPDXRef-Package-60-markdown-it-py
 PackageVersion: 3.0.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Chris Sewell (chrisj_sewell@hotmail.com)
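Review bot: The re-added urllib3 entry carries `PackageLicenseDeclared: NOASSERTION` and `PackageLicenseConcluded: NOASSERTION`, whereas the 1.26.16 entry removed in the `@@ -596,23 +595,8 @@` hunk recorded MIT for both. Nothing else in the diff explains a license change, so this looks like the generator failing to read the license from the 2.0.6 metadata rather than a real change, and an SBOM that silently drops a previously known license is a regression for anyone doing license or provenance review off this file. Worth confirming against the package metadata and, if the license is unchanged, restoring `PackageLicenseDeclared: MIT` and `PackageLicenseConcluded: MIT` or fixing the extractor that produced the new entry.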
@@ -917,7 +931,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_sewell:markdown-it-py:3.0.0:*:*:
 #####
 PackageName: mdurl
-SPDXID: SPDXRef-Package-60-mdurl
+SPDXID: SPDXRef-Package-61-mdurl
 PackageVersion: 0.1.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Taneli Hukkinen (hukkin@users.noreply.github.com)
@@ -932,7 +946,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:taneli_hukkinen:mdurl:0.1.2:*:*:*:*:*:
 #####
 PackageName: pygments
-SPDXID: SPDXRef-Package-61-pygments
+SPDXID: SPDXRef-Package-62-pygments
 PackageVersion: 2.16.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Georg Brandl (georg@python.org)
@@ -947,7 +961,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.16.1:*:*:*:*:*
 #####
 PackageName: rpmfile
-SPDXID: SPDXRef-Package-62-rpmfile
+SPDXID: SPDXRef-Package-63-rpmfile
 PackageVersion: 1.1.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Sean Ross (srossross@gmail.com)
@@ -962,7 +976,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:1.1.1:*:*:*:*:*:*:*
 #####
 PackageName: toml
-SPDXID: SPDXRef-Package-63-toml
+SPDXID: SPDXRef-Package-64-toml
 PackageVersion: 0.10.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: William Pearson (uiri@xqz.ca)
@@ -977,22 +991,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:william_pearson:toml:0.10.2:*:*:*:*:*:
 #####
 PackageName: xmlschema
-SPDXID: SPDXRef-Package-64-xmlschema
-PackageVersion: 2.4.0
+SPDXID: SPDXRef-Package-65-xmlschema
+PackageVersion: 2.5.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Davide Brunato (brunato@sissa.it)
-PackageDownloadLocation: https://pypi.org/project/xmlschema/2.4.0
+PackageDownloadLocation: https://pypi.org/project/xmlschema/2.5.0
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: An XML Schema validator and decoder
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@2.4.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:2.4.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@2.5.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:2.5.0:*:*:*:*:*:*:*
 #####
 PackageName: elementpath
-SPDXID: SPDXRef-Package-65-elementpath
+SPDXID: SPDXRef-Package-66-elementpath
 PackageVersion: 4.1.5
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Davide Brunato (brunato@sissa.it)
@@ -1007,7 +1021,7 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.1.5:*:*:*
 #####
 PackageName: zstandard
-SPDXID: SPDXRef-Package-66-zstandard
+SPDXID: SPDXRef-Package-67-zstandard
 PackageVersion: 0.21.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Gregory Szorc (gregory.szorc@gmail.com)
@@ -1022,28 +1036,28 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.21.0
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:*
 #####
-Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-11-beautifulsoup4
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-13-cvss
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-14-defusedxml
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-15-distro
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-16-gsutil
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-2-aiohttp
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-39-urllib3
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-41-importlib-metadata
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-43-jinja2
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-45-jsonschema
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-49-lib4sbom
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-50-pyyaml
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-40-importlib-metadata
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-42-jinja2
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-44-jsonschema
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-48-lib4sbom
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-49-pyyaml
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-51-packageurl-python
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-52-packaging
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-53-plotly
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-55-python-gnupg
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-56-requests
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-58-rich
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-62-rpmfile
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-63-toml
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-64-xmlschema
-Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-66-zstandard
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-58-urllib3
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-59-rich
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-63-rpmfile
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-64-toml
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-65-xmlschema
+Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-67-zstandard
 Relationship: SPDXRef-Package-11-beautifulsoup4 DEPENDS_ON SPDXRef-Package-12-soupsieve
 Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-17-argcomplete
 Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-18-crcmod
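Review bot: The document's root DESCRIBES relationship is broken: this hunk drops `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool` and the `@@ -1090,32 +1104,32 @@` hunk adds `Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool` in its place. `SPDXRef-Package-None` is not the SPDXID of any element in this file (every package here is `SPDXRef-Package-<n>-<name>`), so the relationship dangles, SPDX validators that resolve SPDXRefs will reject it, and a consumer walking from the document root to find the top-level component finds nothing. The literal `None` looks like an unset value leaking from the generator (lib4sbom is bumped to 0.5.1 in this same diff), so the fix most likely belongs upstream, but the shipped file should keep `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool` until that lands.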
@@ -1056,7 +1070,7 @@ Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-31-pyopenssl
 Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-35-retry-decorator
 Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-36-google-apitools
 Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-37-google-auth
-Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-40-monotonic
+Relationship: SPDXRef-Package-16-gsutil DEPENDS_ON SPDXRef-Package-39-monotonic
 Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-3-aiosignal
 Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-4-frozenlist
 Relationship: SPDXRef-Package-2-aiohttp DEPENDS_ON SPDXRef-Package-5-async-timeout
@@ -1090,32 +1104,32 @@ Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-19-f
 Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-24-six
 Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-25-httplib2
 Relationship: SPDXRef-Package-36-google-apitools DEPENDS_ON SPDXRef-Package-27-oauth2client
-Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-24-six
 Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-29-pyasn1-modules
 Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-30-rsa
 Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-38-cachetools
-Relationship: SPDXRef-Package-37-google-auth DEPENDS_ON SPDXRef-Package-39-urllib3
-Relationship: SPDXRef-Package-41-importlib-metadata DEPENDS_ON SPDXRef-Package-42-zipp
-Relationship: SPDXRef-Package-43-jinja2 DEPENDS_ON SPDXRef-Package-44-markupsafe
-Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-46-jsonschema-specifications
-Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-47-referencing
-Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-48-rpds-py
-Relationship: SPDXRef-Package-45-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs
-Relationship: SPDXRef-Package-46-jsonschema-specifications DEPENDS_ON SPDXRef-Package-47-referencing
-Relationship: SPDXRef-Package-47-referencing DEPENDS_ON SPDXRef-Package-48-rpds-py
-Relationship: SPDXRef-Package-47-referencing DEPENDS_ON SPDXRef-Package-6-attrs
-Relationship: SPDXRef-Package-49-lib4sbom DEPENDS_ON SPDXRef-Package-50-pyyaml
-Relationship: SPDXRef-Package-49-lib4sbom DEPENDS_ON SPDXRef-Package-51-semantic-version
+Relationship: SPDXRef-Package-40-importlib-metadata DEPENDS_ON SPDXRef-Package-41-zipp
+Relationship: SPDXRef-Package-42-jinja2 DEPENDS_ON SPDXRef-Package-43-markupsafe
+Relationship: SPDXRef-Package-44-jsonschema DEPENDS_ON SPDXRef-Package-45-jsonschema-specifications
+Relationship: SPDXRef-Package-44-jsonschema DEPENDS_ON SPDXRef-Package-46-referencing
+Relationship: SPDXRef-Package-44-jsonschema DEPENDS_ON SPDXRef-Package-47-rpds-py
+Relationship: SPDXRef-Package-44-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs
+Relationship: SPDXRef-Package-45-jsonschema-specifications DEPENDS_ON SPDXRef-Package-46-referencing
+Relationship: SPDXRef-Package-46-referencing DEPENDS_ON SPDXRef-Package-47-rpds-py
+Relationship: SPDXRef-Package-46-referencing DEPENDS_ON SPDXRef-Package-6-attrs
+Relationship: SPDXRef-Package-48-lib4sbom DEPENDS_ON SPDXRef-Package-14-defusedxml
+Relationship: SPDXRef-Package-48-lib4sbom DEPENDS_ON SPDXRef-Package-49-pyyaml
+Relationship: SPDXRef-Package-48-lib4sbom DEPENDS_ON SPDXRef-Package-50-semantic-version
 Relationship: SPDXRef-Package-52-packaging DEPENDS_ON SPDXRef-Package-26-pyparsing
 Relationship: SPDXRef-Package-53-plotly DEPENDS_ON SPDXRef-Package-52-packaging
 Relationship: SPDXRef-Package-53-plotly DEPENDS_ON SPDXRef-Package-54-tenacity
 Relationship: SPDXRef-Package-56-requests DEPENDS_ON SPDXRef-Package-10-idna
-Relationship: SPDXRef-Package-56-requests DEPENDS_ON SPDXRef-Package-39-urllib3
 Relationship: SPDXRef-Package-56-requests DEPENDS_ON SPDXRef-Package-57-certifi
+Relationship: SPDXRef-Package-56-requests DEPENDS_ON SPDXRef-Package-58-urllib3
 Relationship: SPDXRef-Package-56-requests DEPENDS_ON SPDXRef-Package-7-charset-normalizer
-Relationship: SPDXRef-Package-58-rich DEPENDS_ON SPDXRef-Package-59-markdown-it-py
-Relationship: SPDXRef-Package-58-rich DEPENDS_ON SPDXRef-Package-61-pygments
-Relationship: SPDXRef-Package-59-markdown-it-py DEPENDS_ON SPDXRef-Package-60-mdurl
-Relationship: SPDXRef-Package-64-xmlschema DEPENDS_ON SPDXRef-Package-65-elementpath
+Relationship: SPDXRef-Package-59-rich DEPENDS_ON SPDXRef-Package-60-markdown-it-py
+Relationship: SPDXRef-Package-59-rich DEPENDS_ON SPDXRef-Package-62-pygments
+Relationship: SPDXRef-Package-60-markdown-it-py DEPENDS_ON SPDXRef-Package-61-mdurl
+Relationship: SPDXRef-Package-65-xmlschema DEPENDS_ON SPDXRef-Package-66-elementpath
 Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-10-idna
 Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-8-multidict
+Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool
diff --git a/test/condensed-downloads/axel-2.17.11-5.fc39.aarch64.rpm.tar.gz b/test/condensed-downloads/axel-2.17.11-5.fc39.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..aba384aa68
Binary files /dev/null and b/test/condensed-downloads/axel-2.17.11-5.fc39.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/axel-2.17.6-r1.apk.tar.gz b/test/condensed-downloads/axel-2.17.6-r1.apk.tar.gz
new file mode 100644
index 0000000000..7766a65688
Binary files /dev/null and b/test/condensed-downloads/axel-2.17.6-r1.apk.tar.gz differ
diff --git a/test/condensed-downloads/axel_2.16.1-4_amd64.deb.tar.gz b/test/condensed-downloads/axel_2.16.1-4_amd64.deb.tar.gz
new file mode 100644
index 0000000000..799d14c2f1
Binary files /dev/null and b/test/condensed-downloads/axel_2.16.1-4_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/civetweb-1.16-2.fc40.aarch64.rpm.tar.gz b/test/condensed-downloads/civetweb-1.16-2.fc40.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..b0abfb5cd9
Binary files /dev/null and b/test/condensed-downloads/civetweb-1.16-2.fc40.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/debianutils_5.7-0.4_amd64.deb.tar.gz b/test/condensed-downloads/debianutils_5.7-0.4_amd64.deb.tar.gz
new file mode 100644
index 0000000000..2daf459c22
Binary files /dev/null and b/test/condensed-downloads/debianutils_5.7-0.4_amd64.deb.tar.gz differ
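Review bot: The two `SPDXRef-Package-37-google-auth DEPENDS_ON` edges to six and urllib3 are removed in this hunk without a replacement, whereas the other urllib3 consumers (`SPDXRef-Package-1-cve-bin-tool`, `SPDXRef-Package-56-requests`) were re-pointed at the new `SPDXRef-Package-58-urllib3`. If google-auth 2.23.3 still pulls in urllib3, the SBOM now under-reports the dependency graph and vulnerability attribution through that edge is lost; if it genuinely dropped the requirement, a line in the commit message saying so would save the next reader the check. Worth confirming against the package's declared requirements before merging.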
diff --git a/test/condensed-downloads/dosfstools_4.2-1_amd64.deb.tar.gz b/test/condensed-downloads/dosfstools_4.2-1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..6379263eba
Binary files /dev/null and b/test/condensed-downloads/dosfstools_4.2-1_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/dosfstools_4.2-1build3_amd64.deb.tar.gz b/test/condensed-downloads/dosfstools_4.2-1build3_amd64.deb.tar.gz
new file mode 100644
index 0000000000..d4051d4315
Binary files /dev/null and b/test/condensed-downloads/dosfstools_4.2-1build3_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/ed-1.15-r0.apk.tar.gz b/test/condensed-downloads/ed-1.15-r0.apk.tar.gz
new file mode 100644
index 0000000000..efe9a83e90
Binary files /dev/null and b/test/condensed-downloads/ed-1.15-r0.apk.tar.gz differ
diff --git a/test/condensed-downloads/ed-1.19-4.fc39.aarch64.rpm.tar.gz b/test/condensed-downloads/ed-1.19-4.fc39.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..e936458424
Binary files /dev/null and b/test/condensed-downloads/ed-1.19-4.fc39.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/ed_1.15-1_amd64.deb.tar.gz b/test/condensed-downloads/ed_1.15-1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..afcdf089bf
Binary files /dev/null and b/test/condensed-downloads/ed_1.15-1_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/gawk_5.2.1-2_amd64.deb.tar.gz b/test/condensed-downloads/gawk_5.2.1-2_amd64.deb.tar.gz
new file mode 100644
index 0000000000..cac74b62f6
Binary files /dev/null and b/test/condensed-downloads/gawk_5.2.1-2_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/gdal-3.7.1-6.fc40.aarch64.rpm.tar.gz b/test/condensed-downloads/gdal-3.7.1-6.fc40.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..6883b7106e
Binary files /dev/null and b/test/condensed-downloads/gdal-3.7.1-6.fc40.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/grep-3.11-5.fc40.aarch64.rpm.tar.gz b/test/condensed-downloads/grep-3.11-5.fc40.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..b2b9db0873
Binary files /dev/null and b/test/condensed-downloads/grep-3.11-5.fc40.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/grep_3.3-1_amd64.deb.tar.gz b/test/condensed-downloads/grep_3.3-1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..24aa20667b
Binary files /dev/null and b/test/condensed-downloads/grep_3.3-1_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/grep_3.3-1_x86_64.ipk.tar.gz b/test/condensed-downloads/grep_3.3-1_x86_64.ipk.tar.gz
new file mode 100644
index 0000000000..58b81802f7
Binary files /dev/null and b/test/condensed-downloads/grep_3.3-1_x86_64.ipk.tar.gz differ
diff --git a/test/condensed-downloads/hwloc-2.9.0-7.fc39.aarch64.rpm.tar.gz b/test/condensed-downloads/hwloc-2.9.0-7.fc39.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..774a0c08d5
Binary files /dev/null and b/test/condensed-downloads/hwloc-2.9.0-7.fc39.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/libcivetweb1_1.13+dfsg-5_amd64.deb.tar.gz b/test/condensed-downloads/libcivetweb1_1.13+dfsg-5_amd64.deb.tar.gz
new file mode 100644
index 0000000000..b7bf234a49
Binary files /dev/null and b/test/condensed-downloads/libcivetweb1_1.13+dfsg-5_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/libgdal20_2.4.0+dfsg-1+b1_amd64.deb.tar.gz b/test/condensed-downloads/libgdal20_2.4.0+dfsg-1+b1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..975189b9b5
Binary files /dev/null and b/test/condensed-downloads/libgdal20_2.4.0+dfsg-1+b1_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/libhwloc15_2.4.1+dfsg-1_amd64.deb.tar.gz b/test/condensed-downloads/libhwloc15_2.4.1+dfsg-1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..0c63ebcb9e
Binary files /dev/null and b/test/condensed-downloads/libhwloc15_2.4.1+dfsg-1_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/libhwloc_2.0.3-2_x86_64.ipk.tar.gz b/test/condensed-downloads/libhwloc_2.0.3-2_x86_64.ipk.tar.gz
new file mode 100644
index 0000000000..0d19618fd0
Binary files /dev/null and b/test/condensed-downloads/libhwloc_2.0.3-2_x86_64.ipk.tar.gz differ
diff --git a/test/condensed-downloads/libqpdf21_8.4.0-2_amd64.deb.tar.gz b/test/condensed-downloads/libqpdf21_8.4.0-2_amd64.deb.tar.gz
new file mode 100644
index 0000000000..5cd2ba4592
Binary files /dev/null and b/test/condensed-downloads/libqpdf21_8.4.0-2_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/librpm8_4.14.2.1+dfsg1-1_amd64.deb.tar.gz b/test/condensed-downloads/librpm8_4.14.2.1+dfsg1-1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..15da75ea70
Binary files /dev/null and b/test/condensed-downloads/librpm8_4.14.2.1+dfsg1-1_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/minetest-5.7.0-2.fc39.aarch64.rpm.tar.gz b/test/condensed-downloads/minetest-5.7.0-2.fc39.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..46ed596311
Binary files /dev/null and b/test/condensed-downloads/minetest-5.7.0-2.fc39.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/minetest_0.4.17.1+repack-1+deb10u1_amd64.deb.tar.gz b/test/condensed-downloads/minetest_0.4.17.1+repack-1+deb10u1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..129f3b32e5
Binary files /dev/null and b/test/condensed-downloads/minetest_0.4.17.1+repack-1+deb10u1_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/monit-5.26.0-r2.apk.tar.gz b/test/condensed-downloads/monit-5.26.0-r2.apk.tar.gz
new file mode 100644
index 0000000000..8f9f945d51
Binary files /dev/null and b/test/condensed-downloads/monit-5.26.0-r2.apk.tar.gz differ
diff --git a/test/condensed-downloads/monit-5.32.0-5.fc39.aarch64.rpm.tar.gz b/test/condensed-downloads/monit-5.32.0-5.fc39.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..b931709b07
Binary files /dev/null and b/test/condensed-downloads/monit-5.32.0-5.fc39.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/monit_5.26.0-1_x86_64.ipk.tar.gz b/test/condensed-downloads/monit_5.26.0-1_x86_64.ipk.tar.gz
new file mode 100644
index 0000000000..3b239b36c5
Binary files /dev/null and b/test/condensed-downloads/monit_5.26.0-1_x86_64.ipk.tar.gz differ
diff --git a/test/condensed-downloads/monit_5.27.1-1~bpo10+1_amd64.deb.tar.gz b/test/condensed-downloads/monit_5.27.1-1~bpo10+1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..00b2445181
Binary files /dev/null and b/test/condensed-downloads/monit_5.27.1-1~bpo10+1_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/mpg123-1.25.13-r0.apk.tar.gz b/test/condensed-downloads/mpg123-1.25.13-r0.apk.tar.gz
new file mode 100644
index 0000000000..d30c5dfb7f
Binary files /dev/null and b/test/condensed-downloads/mpg123-1.25.13-r0.apk.tar.gz differ
diff --git a/test/condensed-downloads/mpg123-1.31.3-2.fc39.aarch64.rpm.tar.gz b/test/condensed-downloads/mpg123-1.31.3-2.fc39.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..604c614245
Binary files /dev/null and b/test/condensed-downloads/mpg123-1.31.3-2.fc39.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/mpg123_1.25.10-2_amd64.deb.tar.gz b/test/condensed-downloads/mpg123_1.25.10-2_amd64.deb.tar.gz
new file mode 100644
index 0000000000..a2e9146b40
Binary files /dev/null and b/test/condensed-downloads/mpg123_1.25.10-2_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/mpg123_1.25.13-2_x86_64.ipk.tar.gz b/test/condensed-downloads/mpg123_1.25.13-2_x86_64.ipk.tar.gz
new file mode 100644
index 0000000000..3f8bcebd24
Binary files /dev/null and b/test/condensed-downloads/mpg123_1.25.13-2_x86_64.ipk.tar.gz differ
diff --git a/test/condensed-downloads/mupdf-1.22.2-3.fc39.aarch64.rpm.tar.gz b/test/condensed-downloads/mupdf-1.22.2-3.fc39.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..d0bf800a9d
Binary files /dev/null and b/test/condensed-downloads/mupdf-1.22.2-3.fc39.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/mupdf-tools-1.16.1-r1.apk.tar.gz b/test/condensed-downloads/mupdf-tools-1.16.1-r1.apk.tar.gz
new file mode 100644
index 0000000000..34f1ff27c9
Binary files /dev/null and b/test/condensed-downloads/mupdf-tools-1.16.1-r1.apk.tar.gz differ
diff --git a/test/condensed-downloads/mupdf_1.14.0+ds1-4+deb10u3_amd64.deb.tar.gz b/test/condensed-downloads/mupdf_1.14.0+ds1-4+deb10u3_amd64.deb.tar.gz
new file mode 100644
index 0000000000..8d544810a3
Binary files /dev/null and b/test/condensed-downloads/mupdf_1.14.0+ds1-4+deb10u3_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/qpdf-11.5.0-1.fc39.aarch64.rpm.tar.gz b/test/condensed-downloads/qpdf-11.5.0-1.fc39.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..88a15d54e9
Binary files /dev/null and b/test/condensed-downloads/qpdf-11.5.0-1.fc39.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/rpm-4.18.92-3.fc40.aarch64.rpm.tar.gz b/test/condensed-downloads/rpm-4.18.92-3.fc40.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..88cf85dcb2
Binary files /dev/null and b/test/condensed-downloads/rpm-4.18.92-3.fc40.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/tcpdump_4.99.4-3_mips64el.deb.tar.gz b/test/condensed-downloads/tcpdump_4.99.4-3_mips64el.deb.tar.gz new file mode 100644 index 0000000000..6b0f9e3cd0 Binary files /dev/null and b/test/condensed-downloads/tcpdump_4.99.4-3_mips64el.deb.tar.gz differ diff --git a/test/condensed-downloads/terminology-1.13.0-3.fc39.aarch64.rpm.tar.gz b/test/condensed-downloads/terminology-1.13.0-3.fc39.aarch64.rpm.tar.gz new file mode 100644 index 0000000000..09ea4be524 Binary files /dev/null and b/test/condensed-downloads/terminology-1.13.0-3.fc39.aarch64.rpm.tar.gz differ diff --git a/test/condensed-downloads/terminology_1.3.2-1_amd64.deb.tar.gz b/test/condensed-downloads/terminology_1.3.2-1_amd64.deb.tar.gz new file mode 100644 index 0000000000..68769511b9 Binary files /dev/null and b/test/condensed-downloads/terminology_1.3.2-1_amd64.deb.tar.gz differ diff --git a/test/condensed-downloads/twonky-x86-64-glibc-2.22-8.5.2.zip.tar.gz b/test/condensed-downloads/twonky-x86-64-glibc-2.22-8.5.2.zip.tar.gz new file mode 100644 index 0000000000..790f49449a Binary files /dev/null and b/test/condensed-downloads/twonky-x86-64-glibc-2.22-8.5.2.zip.tar.gz differ diff --git a/test/language_data/pom.xml b/test/language_data/pom.xml index 3a1b13e093..d1d2f902ca 100644 --- a/test/language_data/pom.xml +++ b/test/language_data/pom.xml @@ -28,9 +28,9 @@ - commons-io - commons-io - 2.11.0 + jmeter + jmeter + 5.1 org.apache.maven @@ -62,9 +62,9 @@ test - commons-io - commons-io - 2.11.0 + jmeter + jmeter + 5.1 org.hamcrest @@ -505,4 +505,5 @@ - \ No newline at end of file + + diff --git a/test/test_checkers.py b/test/test_checkers.py index 65080256a3..10ffb136ce 100644 --- a/test/test_checkers.py +++ b/test/test_checkers.py 
@@ -29,11 +29,11 @@ class MyChecker(Checker): VENDOR_PRODUCT = [("myvendor", "myproduct")] IGNORE_PATTERNS = [r"ignore"] - assert type(MyChecker.CONTAINS_PATTERNS[0]) == Pattern - assert type(MyChecker.VERSION_PATTERNS[0]) == Pattern - assert type(MyChecker.FILENAME_PATTERNS[0]) == Pattern - assert type(MyChecker.VENDOR_PRODUCT[0]) == VendorProductPair - assert type(MyChecker.IGNORE_PATTERNS[0]) == Pattern + assert type(MyChecker.CONTAINS_PATTERNS[0]) is Pattern + assert type(MyChecker.VERSION_PATTERNS[0]) is Pattern + assert type(MyChecker.FILENAME_PATTERNS[0]) is Pattern + assert type(MyChecker.VENDOR_PRODUCT[0]) is VendorProductPair + assert type(MyChecker.IGNORE_PATTERNS[0]) is Pattern def test_no_vpkg(self): with pytest.raises(AssertionError) as e: @@ -125,6 +125,13 @@ def setup_class(cls): ("xerces", "libxerces-c.so", ["xerces"]), ("xml2", "libxml2.so.0", ["xml2"]), ("zlib", "libz.so.0", ["zlib"]), + ("bind", "libbind9-9.16.37-Debian.so", ["bind"]), + ("bind", "libdns-9.16.37-Debian.so", ["bind"]), + ("bind", "libirs-9.16.37-Debian.so", ["bind"]), + ("bind", "libisc-9.16.37-Debian.so", ["bind"]), + ("bind", "libisccc-9.16.37-Debian.so", ["bind"]), + ("bind", "libisccfg-9.16.37-Debian.so", ["bind"]), + ("bind", "libns-9.16.37-Debian.so", ["bind"]), ], ) def test_filename_is(self, checker_name, file_name, expected_results): diff --git a/test/test_cli.py b/test/test_cli.py index f9e31c9c34..a9c6ff6d81 100644 --- a/test/test_cli.py +++ b/test/test_cli.py 
@@ -484,6 +484,58 @@ def test_CVSS_score(self, capsys, caplog): my_test_filename_pathlib.unlink() caplog.clear() + def test_EPSS_probability(self, capsys, caplog): + """scan with EPSS probability to ensure only CVEs above score threshold are reported + Checks cannot placed on epss probability value as the value changes everyday + """ + + my_test_filename = "epss_probability.csv" + my_test_filename_pathlib = Path(my_test_filename) + + # Check command line parameters. Less than 0 result in default behaviour. + if my_test_filename_pathlib.exists(): + my_test_filename_pathlib.unlink() + with caplog.at_level(logging.DEBUG): + main( + [ + "cve-bin-tool", + "-x", + "--epss-probability", + "-12", + "-f", + "csv", + "-o", + my_test_filename, + str(Path(self.tempdir) / CURL_7_20_0_RPM), + ] + ) + # Verify that some CVEs with a severity of Medium are reported + # Checks cannot placed on epss probability value as the value changes everyday. + assert self.check_string_in_file(my_test_filename, "MEDIUM") + caplog.clear() + if my_test_filename_pathlib.exists(): + my_test_filename_pathlib.unlink() + with caplog.at_level(logging.DEBUG): + main( + [ + "cve-bin-tool", + "-x", + "--epss-probability", + "110", + "-f", + "csv", + "-o", + my_test_filename, + str(Path(self.tempdir) / CURL_7_20_0_RPM), + ] + ) + # Verify that no CVEs are reported + with open(my_test_filename_pathlib) as fd: + assert not fd.read().split("\n")[1] + caplog.clear() + if my_test_filename_pathlib.exists(): + my_test_filename_pathlib.unlink() + def test_EPSS_percentile(self, capsys, caplog): """scan with EPSS percentile to ensure only CVEs above score threshold are reported Checks cannot placed on epss percentile value as the value changes everyday 
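Review bot: The empty-report check after the second scan in test_EPSS_probability, `assert not fd.read().split("\n")[1]`, raises IndexError rather than a clean assertion failure when the CSV holds only a header row with no trailing newline, and it looks at the second line alone, so it does not actually prove that nothing was reported. A line count is safer and reads as the intent: `lines = fd.read().splitlines()` followed by `assert len(lines) <= 1, lines`. The docstring should read `Checks cannot be placed on the EPSS probability value, as the value changes every day`; the same sentence repeats in the inline comment before the first assertion. The per-scan unlink of my_test_filename is not in a `finally`, so a failing assertion leaves the file behind, which matches the surrounding tests and is noted only. The enclosing test class starts outside the hunk.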
@@ -514,7 +566,7 @@ def test_EPSS_percentile(self, capsys, caplog): assert self.check_string_in_file(my_test_filename, "MEDIUM") caplog.clear() - # Check command line parameters. >10 results in no CVEs being reported (Maximum CVSS score is 10) + # Check command line parameters. >10 results in no CVEs being reported (Maximum EPSS percentile is 100) if my_test_filename_pathlib.exists(): my_test_filename_pathlib.unlink() with caplog.at_level(logging.DEBUG): diff --git a/test/test_data/axel.py b/test/test_data/axel.py new file mode 100644 index 0000000000..07a12b0522 --- /dev/null +++ b/test/test_data/axel.py @@ -0,0 +1,26 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "axel", "version": "2.16.1", "version_strings": ["Axel/2.16.1"]} +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/a/", + "package_name": "axel-2.17.11-5.fc39.aarch64.rpm", + "product": "axel", + "version": "2.17.11", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/a/axel/", + "package_name": "axel_2.16.1-4_amd64.deb", + "product": "axel", + "version": "2.16.1", + }, + { + "url": "http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/", + "package_name": "axel-2.17.6-r1.apk", + "product": "axel", + "version": "2.17.6", + }, +] diff --git a/test/test_data/ceph.py b/test/test_data/ceph.py index 6b8e96ac27..16524d6a60 100644 --- a/test/test_data/ceph.py +++ b/test/test_data/ceph.py @@ -24,6 +24,6 @@ "package_name": "ceph-15.2.17-1-aarch64.pkg.tar.xz", "product": "ceph", "version": "15.2.17", - "other_products": ["gcc", "lua"], + "other_products": ["civetweb", "gcc", "lua"], }, ] diff --git a/test/test_data/civetweb.py b/test/test_data/civetweb.py new file mode 100644 index 0000000000..ebbc98a12e --- /dev/null +++ b/test/test_data/civetweb.py 
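Review bot: Every package_test_data url in the new test/test_data/axel.py is plain `http://` (rpmfind.net, ftp.fr.debian.org, dl-cdn.alpinelinux.org), so any test run that fetches these packages pulls them over cleartext with no integrity check visible in the data itself; the same holds for the new civetweb, debianutils, dosfstools, ed, gawk, gdal, grep, hwloc, minetest, monit, mpg123, mupdf, qpdf, rpm, tcpdump and terminology entries, while the openwrt and twonky entries in the same commit already use https. Where a mirror serves https, `"url": "https://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/a/"` is a drop-in change; otherwise recording a digest of the expected package alongside package_name would let the harness detect a substituted download. Whether the harness prefers the checked-in test/condensed-downloads tarballs over a live fetch is not visible here, so the exposure may be limited to cache misses.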
@@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "civetweb", "version": "1.13", "version_strings": ["civetweb-%s\n1.13"]} +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/c/", + "package_name": "civetweb-1.16-2.fc40.aarch64.rpm", + "product": "civetweb", + "version": "1.16", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/c/civetweb/", + "package_name": "libcivetweb1_1.13+dfsg-5_amd64.deb", + "product": "civetweb", + "version": "1.13", + }, +] diff --git a/test/test_data/debianutils.py b/test/test_data/debianutils.py new file mode 100644 index 0000000000..803fd1f09a --- /dev/null +++ b/test/test_data/debianutils.py @@ -0,0 +1,22 @@ +# Copyright (C) 2023 SCHUTZWERK GmbH +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + { + "product": "debianutils", + "version": "5.13", + "version_strings": [ + "Debian run-parts program, version 5.13", + "tempfile 5.13", + "Debian ischroot, version 5.13", + ], + } +] +package_test_data = [ + { + "url": "http://ftp.us.debian.org/debian/pool/main/d/debianutils/", + "package_name": "debianutils_5.7-0.4_amd64.deb", + "product": "debianutils", + "version": "5.7", + } +] diff --git a/test/test_data/dosfstools.py b/test/test_data/dosfstools.py new file mode 100644 index 0000000000..40ecad2436 --- /dev/null +++ b/test/test_data/dosfstools.py 
@@ -0,0 +1,26 @@ +# Copyright (C) 2023 SCHUTZWERK GmbH +# SPDX-License-Identifier: GPL-3.0-or-later + + +mapping_test_data = [ + { + "product": "dosfstools", + "version": "4.2", + "version_strings": ["mkfs.fat 4.2 (2021-01-31)"], + } +] + +package_test_data = [ + { + "url": "http://ftp.de.debian.org/debian/pool/main/d/dosfstools/", + "package_name": "dosfstools_4.2-1_amd64.deb", + "product": "dosfstools", + "version": "4.2", + }, + { + "url": "http://de.archive.ubuntu.com/ubuntu/pool/main/d/dosfstools/", + "package_name": "dosfstools_4.2-1build3_amd64.deb", + "product": "dosfstools", + "version": "4.2", + }, +] diff --git a/test/test_data/e2fsprogs.py b/test/test_data/e2fsprogs.py index 4e28562675..7778ddb3d0 100644 --- a/test/test_data/e2fsprogs.py +++ b/test/test_data/e2fsprogs.py @@ -7,6 +7,11 @@ "version": "1.46.5", "version_strings": ["e2fsprogs\n1.46.5"], }, + { + "product": "e2fsprogs", + "version": "1.46.5", + "version_strings": ["e2fsprogs-1.46.5"], + }, { "product": "e2fsprogs", "version": "1.44.5", diff --git a/test/test_data/ed.py b/test/test_data/ed.py new file mode 100644 index 0000000000..1d625753f9 --- /dev/null +++ b/test/test_data/ed.py @@ -0,0 +1,27 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "ed", "version": "1.15", "version_strings": ["1.15\nGNU ed"]}, + {"product": "ed", "version": "1.19", "version_strings": ["ed.html\n1.19"]}, +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/e/", + "package_name": "ed-1.19-4.fc39.aarch64.rpm", + "product": "ed", + "version": "1.19", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/e/ed/", + "package_name": "ed_1.15-1_amd64.deb", + "product": "ed", + "version": "1.15", + }, + { + "url": "http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/", + "package_name": "ed-1.15-r0.apk", + "product": "ed", + "version": "1.15", + }, +] 
diff --git a/test/test_data/gawk.py b/test/test_data/gawk.py new file mode 100644 index 0000000000..fe47802909 --- /dev/null +++ b/test/test_data/gawk.py @@ -0,0 +1,20 @@ +# Copyright (C) 2023 SCHUTZWERK GmbH +# SPDX-License-Identifier: GPL-3.0-or-later + + +mapping_test_data = [ + { + "product": "gawk", + "version": "5.2.1", + "version_strings": ["GNU Awk 5.2.1"], + } +] + +package_test_data = [ + { + "url": "http://ftp.de.debian.org/debian/pool/main/g/gawk/", + "package_name": "gawk_5.2.1-2_amd64.deb", + "product": "gawk", + "version": "5.2.1", + } +] diff --git a/test/test_data/gdal.py b/test/test_data/gdal.py new file mode 100644 index 0000000000..74e4438f35 --- /dev/null +++ b/test/test_data/gdal.py @@ -0,0 +1,21 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "gdal", "version": "2.4.0", "version_strings": ["gdal-2.4.0"]} +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/g/", + "package_name": "gdal-3.7.1-6.fc40.aarch64.rpm", + "product": "gdal", + "version": "3.7.1", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/g/gdal/", + "package_name": "libgdal20_2.4.0+dfsg-1+b1_amd64.deb", + "product": "gdal", + "version": "2.4.0", + "other_products": ["libtiff"], + }, +] diff --git a/test/test_data/grep.py b/test/test_data/grep.py new file mode 100644 index 0000000000..f0a7eaa15b --- /dev/null +++ b/test/test_data/grep.py 
@@ -0,0 +1,27 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "grep", "version": "3.3", "version_strings": ["3.3\nGNU grep"]}, + {"product": "grep", "version": "3.11", "version_strings": ["grep-3.11"]}, +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/g/", + "package_name": "grep-3.11-5.fc40.aarch64.rpm", + "product": "grep", + "version": "3.11", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/g/grep/", + "package_name": "grep_3.3-1_amd64.deb", + "product": "grep", + "version": "3.3", + }, + { + "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/", + "package_name": "grep_3.3-1_x86_64.ipk", + "product": "grep", + "version": "3.3", + }, +] diff --git a/test/test_data/hwloc.py b/test/test_data/hwloc.py new file mode 100644 index 0000000000..4a145e7220 --- /dev/null +++ b/test/test_data/hwloc.py @@ -0,0 +1,26 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "hwloc", "version": "2.4.1", "version_strings": ["hwloc\n2.4.1"]} +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/h/", + "package_name": "hwloc-2.9.0-7.fc39.aarch64.rpm", + "product": "hwloc", + "version": "2.9.0", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/h/hwloc/", + "package_name": "libhwloc15_2.4.1+dfsg-1_amd64.deb", + "product": "hwloc", + "version": "2.4.1", + }, + { + "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/", + "package_name": "libhwloc_2.0.3-2_x86_64.ipk", + "product": "hwloc", + "version": "2.0.3", + }, +] diff --git a/test/test_data/minetest.py b/test/test_data/minetest.py new file mode 100644 index 0000000000..29ad423d33 --- /dev/null +++ b/test/test_data/minetest.py 
@@ -0,0 +1,24 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + { + "product": "minetest", + "version": "0.4.17.1", + "version_strings": ["minetest-0.4.17.1"], + } +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/m/", + "package_name": "minetest-5.7.0-2.fc39.aarch64.rpm", + "product": "minetest", + "version": "5.7.0", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/m/minetest/", + "package_name": "minetest_0.4.17.1+repack-1+deb10u1_amd64.deb", + "product": "minetest", + "version": "0.4.17.1", + }, +] diff --git a/test/test_data/monit.py b/test/test_data/monit.py new file mode 100644 index 0000000000..90adf9acb7 --- /dev/null +++ b/test/test_data/monit.py @@ -0,0 +1,32 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "monit", "version": "5.27.1", "version_strings": ["monit 5.27.1"]} +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/m/", + "package_name": "monit-5.32.0-5.fc39.aarch64.rpm", + "product": "monit", + "version": "5.32.0", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/m/monit/", + "package_name": "monit_5.27.1-1~bpo10+1_amd64.deb", + "product": "monit", + "version": "5.27.1", + }, + { + "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/", + "package_name": "monit_5.26.0-1_x86_64.ipk", + "product": "monit", + "version": "5.26.0", + }, + { + "url": "http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/", + "package_name": "monit-5.26.0-r2.apk", + "product": "monit", + "version": "5.26.0", + }, +] diff --git a/test/test_data/mpg123.py b/test/test_data/mpg123.py new file mode 100644 index 0000000000..c0b677ddc3 --- /dev/null +++ b/test/test_data/mpg123.py 
@@ -0,0 +1,32 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "mpg123", "version": "1.25.10", "version_strings": ["mpg123\n1.25.10"]} +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/m/", + "package_name": "mpg123-1.31.3-2.fc39.aarch64.rpm", + "product": "mpg123", + "version": "1.31.3", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/m/mpg123/", + "package_name": "mpg123_1.25.10-2_amd64.deb", + "product": "mpg123", + "version": "1.25.10", + }, + { + "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/", + "package_name": "mpg123_1.25.13-2_x86_64.ipk", + "product": "mpg123", + "version": "1.25.13", + }, + { + "url": "http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/", + "package_name": "mpg123-1.25.13-r0.apk", + "product": "mpg123", + "version": "1.25.13", + }, +] diff --git a/test/test_data/mupdf.py b/test/test_data/mupdf.py new file mode 100644 index 0000000000..d0f0593876 --- /dev/null +++ b/test/test_data/mupdf.py @@ -0,0 +1,26 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "mupdf", "version": "1.14.0", "version_strings": ["mupdf\n1.14.0"]} +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/m/", + "package_name": "mupdf-1.22.2-3.fc39.aarch64.rpm", + "product": "mupdf", + "version": "1.22.2", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/m/mupdf/", + "package_name": "mupdf_1.14.0+ds1-4+deb10u3_amd64.deb", + "product": "mupdf", + "version": "1.14.0", + }, + { + "url": "http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/", + "package_name": "mupdf-tools-1.16.1-r1.apk", + "product": "mupdf", + "version": "1.16.1", + }, +] 
diff --git a/test/test_data/qpdf.py b/test/test_data/qpdf.py new file mode 100644 index 0000000000..358aeaeeb7 --- /dev/null +++ b/test/test_data/qpdf.py @@ -0,0 +1,25 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + { + "product": "qpdf", + "version": "8.4.0", + "version_strings": ["QPDF decoding error warning\n8.4.0"], + }, + {"product": "qpdf", "version": "11.5.0", "version_strings": ["qpdf-11.5.0"]}, +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/q/", + "package_name": "qpdf-11.5.0-1.fc39.aarch64.rpm", + "product": "qpdf", + "version": "11.5.0", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/q/qpdf/", + "package_name": "libqpdf21_8.4.0-2_amd64.deb", + "product": "qpdf", + "version": "8.4.0", + }, +] diff --git a/test/test_data/rpm.py b/test/test_data/rpm.py new file mode 100644 index 0000000000..1f8c9ca677 --- /dev/null +++ b/test/test_data/rpm.py @@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "rpm", "version": "4.14.2.1", "version_strings": ["rpmpopt-4.14.2.1"]} +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/r/", + "package_name": "rpm-4.18.92-3.fc40.aarch64.rpm", + "product": "rpm", + "version": "4.18.92", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/r/rpm/", + "package_name": "librpm8_4.14.2.1+dfsg1-1_amd64.deb", + "product": "rpm", + "version": "4.14.2.1", + }, +] diff --git a/test/test_data/tcpdump.py b/test/test_data/tcpdump.py index 4d33c2e5e2..4a213248ae 100644 --- a/test/test_data/tcpdump.py +++ b/test/test_data/tcpdump.py 
@@ -24,6 +24,11 @@ "version_strings": ["Running\n4.9.2\n0123456789"], }, {"product": "tcpdump", "version": "4.1.1", "version_strings": ["tcpdump\n4.1.1"]}, + { + "product": "tcpdump", + "version": "4.99.4", + "version_strings": ["version 4.99.4\nSMI-library"], + }, ] package_test_data = [ { @@ -44,6 +49,12 @@ "product": "tcpdump", "version": "4.9.3", }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/t/tcpdump/", + "package_name": "tcpdump_4.99.4-3_mips64el.deb", + "product": "tcpdump", + "version": "4.99.4", + }, { "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/base/", "package_name": "tcpdump_4.9.3-3_x86_64.ipk", diff --git a/test/test_data/terminology.py b/test/test_data/terminology.py new file mode 100644 index 0000000000..aba5e7b5d1 --- /dev/null +++ b/test/test_data/terminology.py @@ -0,0 +1,29 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + { + "product": "terminology", + "version": "1.3.2", + "version_strings": ["1.3.2\nterminology"], + }, + { + "product": "terminology", + "version": "1.13.0", + "version_strings": ["terminology 1.13.0"], + }, +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/t/", + "package_name": "terminology-1.13.0-3.fc39.aarch64.rpm", + "product": "terminology", + "version": "1.13.0", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/t/terminology/", + "package_name": "terminology_1.3.2-1_amd64.deb", + "product": "terminology", + "version": "1.3.2", + }, +] diff --git a/test/test_data/twonky_server.py b/test/test_data/twonky_server.py new file mode 100644 index 0000000000..3e6b9055af --- /dev/null +++ b/test/test_data/twonky_server.py 
@@ -0,0 +1,19 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + { + "product": "twonky_server", + "version": "8.5.2", + "version_strings": ["Product Name:Twonky, Version:8.5.2"], + } +] +package_test_data = [ + { + "url": "https://download.twonky.com/8.5.2/", + "package_name": "twonky-x86-64-glibc-2.22-8.5.2.zip", + "product": "twonky_server", + "version": "8.5.2", + "other_products": ["libjpeg"], + }, +] diff --git a/test/test_language_scanner.py b/test/test_language_scanner.py index 0384191277..b0966ec910 100644 --- a/test/test_language_scanner.py +++ b/test/test_language_scanner.py @@ -165,7 +165,7 @@ def setup_class(cls): @pytest.mark.parametrize( "filename, product_list", - (((str(TEST_FILE_PATH / "pom.xml")), ["commons-io", "hamcrest"]),), + (((str(TEST_FILE_PATH / "pom.xml")), ["jmeter", "hamcrest"]),), ) def test_java_package(self, filename: str, product_list: set[str]) -> None: scanner = VersionScanner() diff --git a/test/test_sbom.py b/test/test_sbom.py index eab0ad0cbf..813516da7f 100644 --- a/test/test_sbom.py +++ b/test/test_sbom.py @@ -31,10 +31,6 @@ class TestSBOM: "default": {"remarks": Remarks.NewFound, "comments": "", "severity": ""}, "paths": {""}, }, - ProductInfo(vendor="apache", product="jena", version="3.12.0"): { - "default": {"remarks": Remarks.NewFound, "comments": "", "severity": ""}, - "paths": {""}, - }, ProductInfo(vendor="saxon", product="saxon", version="8.8"): { "default": {"remarks": Remarks.NewFound, "comments": "", "severity": ""}, "paths": {""},