diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
new file mode 100644
index 0000000000..d1ec198fd1
--- /dev/null
+++ b/.github/workflows/fuzzing.yml
@@ -0,0 +1,61 @@
+name: Fuzzing
+
+on:
+ schedule:
+ - cron: '0 7 * * 1' # Runs at 07:00 on monday every week
+
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ fuzzing:
+ name: Fuzzing
+ runs-on: ubuntu-22.04
+ if: github.event.repository.fork == false
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v2
+
+ - name: Set up Python
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.9
+
+ - name: Install Bazel
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y wget
+ wget -c https://github.com/bazelbuild/bazelisk/releases/download/v1.18.0/bazelisk-linux-amd64
+ chmod +x bazelisk-linux-amd64
+ sudo mv bazelisk-linux-amd64 /usr/local/bin/bazel
+ bazel --version
+
+ - name: Install Fuzzing Dependencies
+ run: |
+ pip install --upgrade atheris
+ pip install --upgrade atheris-libprotobuf-mutator
+ pip install --upgrade protobuf
+ - name: Install Cve-bin-tool
+ run: |
+ python -m pip install --upgrade pip
+ python -m pip install --upgrade setuptools
+ python -m pip install --upgrade -r dev-requirements.txt
+ python -m pip install --upgrade .
+
+ - name: Run Fuzzing
+ id: fuzzing
+ env:
+ PYTHONPATH: ${{ github.workspace }}
+ run: |
+ cd fuzz
+ export PYTHONPATH="$PYTHONPATH:/generated"
+ fuzzing_scripts=($(ls *.py))
+ echo "Found Fuzzing scripts: ${fuzzing_scripts[@]}"
+ current_week=($(date -u +%U))
+ echo "Current week number: $current_week"
+ at_index=$((($(date -u +%U) % ${#fuzzing_scripts[@]})))
+ selected_script="${fuzzing_scripts[$at_index]}"
+ echo "Selected script: $selected_script"
+ timeout --preserve-status --signal=SIGINT 60m python $selected_script
\ No newline at end of file
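Review bot: The bazelisk binary fetched with `wget` in the Install Bazel step is moved to /usr/local/bin and executed without any integrity check, so the job trusts whatever that release URL serves at run time; verify it against a pinned digest before the `chmod`, e.g. `echo "<EXPECTED_SHA256>  bazelisk-linux-amd64" | sha256sum -c -` (digest is a placeholder to fill in). The same trust-the-remote pattern applies to `actions/checkout@v2` and `actions/setup-python@v2`, which are floating tags rather than commit SHAs as `codecov/codecov-action` is in testing.yml. `python-version: 3.9` is parsed as a YAML float; quote it as `'3.9'` so a later bump to 3.10 does not collapse to 3.1. In Run Fuzzing, `python $selected_script` should quote the expansion, `python "$selected_script"`, and `fuzzing_scripts=($(ls *.py))` is more robustly written as the glob `fuzzing_scripts=(*.py)`.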
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 9e1f8088f7..adc98f6875 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -74,6 +74,19 @@ jobs:
with:
python-version: ${{ matrix.python }}
cache: 'pip'
+
+ - name: "Skip tests if this is an automated sbom job"
+ env:
+ COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }}
+ run: |
+ if ${COMMIT_VAR} == true; then
+ echo "sbom=true" >> $GITHUB_ENV
+ echo "sbom set to true"
+ else
+ echo "sbom=false" >> $GITHUB_ENV
+ echo "sbom set to false"
+ fi
+
- name: Get date
id: get-date
run: |
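Review bot: `if ${COMMIT_VAR} == true; then` in the new Skip-tests step does not compare strings: bash expands it to the command `true == true` or `false == true`, and only the exit status of the `true`/`false` builtins decides the branch, so it works by accident and breaks if the expression ever yields anything else (for example an empty value). Write it as a test, `if [ "${COMMIT_VAR}" = "true" ]; then`, and quote the env-file path, `echo "sbom=true" >> "$GITHUB_ENV"`. The same step is duplicated verbatim in the long_tests job hunk at @@ -144,6 +172,19 @@; the fix applies there too.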
@@ -96,10 +109,13 @@ jobs:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}
- name: Install cabextract
+ if: env.sbom == false
run: sudo apt-get update && sudo apt-get install cabextract
- name: Install OS dependencies for testing PDF
+ if: env.sbom == false
run: sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python3-dev
- name: Install pdftotext, reportlab and cve-bin-tool
+ if: env.sbom == false
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
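Review bot: `if: env.sbom == false` compares the string written to `$GITHUB_ENV` with a boolean literal; under GitHub's documented loose-equality coercion a string that is not a JSON number becomes NaN while `false` becomes 0, so as far as I can tell this condition never holds and every guarded step would be skipped. Compare against the string instead, `if: env.sbom == 'false'`, or invert to `if: env.sbom != 'true'` so an unset variable does not also skip the steps. The same condition is added in the hunks at @@ -109,11 +125,13 @@, @@ -122,6 +140,7 @@, @@ -182,10 +223,13 @@, @@ -195,11 +239,13 @@, @@ -210,6 +256,7 @@ and @@ -217,6 +264,7 @@.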
@@ -109,11 +125,13 @@ jobs:
python -m pip install --upgrade -r dev-requirements.txt
python -m pip install --upgrade .
- name: Try single CLI run of tool
+ if: env.sbom == false
run: |
[[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
cp -r ~/.cache/cve-bin-tool cache
- name: Run async tests
+ if: env.sbom == false
run: >
pytest -n 4 -v
--ignore=test/test_cli.py
@@ -122,6 +140,7 @@ jobs:
--ignore=test/test_html.py
--ignore=test/test_json.py
- name: Run synchronous tests
+ if: env.sbom == false
run: >
pytest -v
test/test_cli.py
@@ -129,6 +148,15 @@ jobs:
long_tests:
name: Long tests on Python 3.10
+ if: |
+ ! github.event.pull_request.user.login == 'github-actions[bot]' ||
+ ! (
+ startsWith(github.head_ref, 'chore-sbom-py') ||
+ contains(
+ fromJSON('["chore-update-table","chore-precommit-config","chore-spdx-header"]'),
+ github.head_ref
+ )
+ )
runs-on: ubuntu-22.04
timeout-minutes: 90
env:
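Review bot: In the new `if:` on long_tests, `! github.event.pull_request.user.login == 'github-actions[bot]'` does not negate the comparison: `!` binds tighter than `==` in GitHub expression syntax, so it evaluates `(!login) == 'github-actions[bot]'`, which compares a boolean with a non-numeric string and is false for every event. The first operand of `||` is therefore dead and the gate reduces to "head_ref is not one of the chore branches", regardless of who opened the PR. Parenthesize the comparison, `!(github.event.pull_request.user.login == 'github-actions[bot]') ||`, or write `github.event.pull_request.user.login != 'github-actions[bot]' ||`.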
@@ -144,6 +172,19 @@ jobs:
with:
python-version: '3.10'
cache: 'pip'
+
+ - name: "Skip tests if this is an automated sbom job"
+ env:
+ COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }}
+ run: |
+ if ${COMMIT_VAR} == true; then
+ echo "sbom=true" >> $GITHUB_ENV
+ echo "sbom set to true"
+ else
+ echo "sbom=false" >> $GITHUB_ENV
+ echo "sbom set to false"
+ fi
+
- name: Get date
id: get-date
run: |
@@ -182,10 +223,13 @@ jobs:
if_true: '1'
if_false: '0'
- name: Install cabextract
+ if: env.sbom == false
run: sudo apt-get update && sudo apt-get install cabextract
- name: Install OS dependencies for testing PDF
+ if: env.sbom == false
run: sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python3-dev
- name: Install pdftotext, reportlab and cve-bin-tool
+ if: env.sbom == false
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
@@ -195,11 +239,13 @@ jobs:
python -m pip install --upgrade -r dev-requirements.txt
python -m pip install --editable .
- name: Try single CLI run of tool
+ if: env.sbom == false
run: |
[[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
cp -r ~/.cache/cve-bin-tool cache
- name: Run async tests
+ if: env.sbom == false
env:
LONG_TESTS: ${{ steps.git-diff.outputs.value }}
run: >
@@ -210,6 +256,7 @@ jobs:
--ignore=test/test_html.py
--ignore=test/test_json.py
- name: Run synchronous tests
+ if: env.sbom == false
env:
LONG_TESTS: ${{ steps.git-diff.outputs.value }}
run: >
@@ -217,6 +264,7 @@ jobs:
test/test_cli.py
test/test_cvedb.py
- name: Upload code coverage to codecov
+ if: env.sbom == false
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
files: ./coverage.xml
diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py
index b3cef68d16..93cc32fce4 100644
--- a/cve_bin_tool/checkers/__init__.py
+++ b/cve_bin_tool/checkers/__init__.py
@@ -339,6 +339,7 @@
"xscreensaver",
"yasm",
"zabbix",
+ "zchunk",
"zeek",
"zlib",
"znc",
diff --git a/cve_bin_tool/checkers/zchunk.py b/cve_bin_tool/checkers/zchunk.py
new file mode 100644
index 0000000000..eacf7365bd
--- /dev/null
+++ b/cve_bin_tool/checkers/zchunk.py
@@ -0,0 +1,20 @@
+# Copyright (C) 2023 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for zchunk
+
+https://www.cvedetails.com/product/163243/Zchunk-Zchunk.html?vendor_id=33326
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class ZchunkChecker(Checker):
+ CONTAINS_PATTERNS: list[str] = []
+ FILENAME_PATTERNS: list[str] = []
+ VERSION_PATTERNS = [r"zchunk ([0-9]+\.[0-9]+\.[0-9]+)"]
+ VENDOR_PRODUCT = [("zchunk", "zchunk")]
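Review bot: ZchunkChecker leaves CONTAINS_PATTERNS and FILENAME_PATTERNS empty without saying why, so a reader cannot tell whether detection is meant to rest on the version string alone or whether the lists are placeholders. A one-line comment above the two empty lists, `# detection relies on VERSION_PATTERNS only; no stable contains/filename strings identified yet`, would make the intent explicit. The regex `zchunk ([0-9]+\.[0-9]+\.[0-9]+)` is anchored on nothing but a lowercase product name and a space, so it may also match unrelated text that merely mentions zchunk with a version; confirm it against the strings of a real build before relying on it.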
diff --git a/cve_bin_tool/data_sources/gad_source.py b/cve_bin_tool/data_sources/gad_source.py
index c996a275f6..b19eec3834 100644
--- a/cve_bin_tool/data_sources/gad_source.py
+++ b/cve_bin_tool/data_sources/gad_source.py
@@ -251,6 +251,8 @@ def parse_range_string(self, range_string):
return version_list
def format_data(self, all_cve_entries):
+ """Formats data from a list of Common Vulnerabilities and Exposures (CVE) entries."""
+
severity_data = []
affected_data = []
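Review bot: The docstring added to format_data describes only the input and omits what the method returns, although the next hunk shows it returning `severity_data, affected_data`; extend it, e.g. `"""Format a list of GAD CVE entries; returns (severity_data, affected_data)."""`. The blank line inserted between the docstring and the first statement is unusual for this style and can be dropped. format_data's body continues outside the hunk.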
@@ -327,6 +329,8 @@ def format_data(self, all_cve_entries):
return severity_data, affected_data
async def get_cve_data(self):
+ """Asynchronously fetches and formats Common Vulnerabilities and Exposures (CVE) data."""
+
# skip GAD if connection fails
try:
await self.fetch_cves()
diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json
index 7d755743f6..a4f2c46d4d 100644
--- a/sbom/cve-bin-tool-py3.10.json
+++ b/sbom/cve-bin-tool-py3.10.json
@@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
- "serialNumber": "urn:uuid:e5ac966f-751e-4e0c-9940-5db28eba09b6",
+ "serialNumber": "urn:uuid:11282881-19c0-4924-87ee-2ee2b2e5d6bf",
"version": 1,
"metadata": {
- "timestamp": "2023-10-23T00:26:34Z",
+ "timestamp": "2023-10-30T00:25:51Z",
"tools": {
"components": [
{
@@ -506,7 +506,7 @@
"type": "library",
"bom-ref": "16-gsutil",
"name": "gsutil",
- "version": "5.26",
+ "version": "5.27",
"supplier": {
"name": "Google Inc .",
"contact": [
@@ -515,7 +515,7 @@
}
]
},
- "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*",
"description": "A command line tool for interacting with cloud storage services.",
"licenses": [
{
@@ -527,12 +527,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/gsutil/5.26",
+ "url": "https://pypi.org/project/gsutil/5.27",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/gsutil@5.26",
+ "purl": "pkg:pypi/gsutil@5.27",
"properties": [
{
"name": "License Comments",
@@ -1021,7 +1021,7 @@
"type": "library",
"bom-ref": "31-pyopenssl",
"name": "pyopenssl",
- "version": "23.2.0",
+ "version": "23.3.0",
"supplier": {
"name": "The pyOpenSSL developers",
"contact": [
@@ -1030,7 +1030,7 @@
}
]
},
- "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:*",
"description": "Python wrapper module around the OpenSSL library",
"licenses": [
{
@@ -1042,12 +1042,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/pyOpenSSL/23.2.0",
+ "url": "https://pypi.org/project/pyOpenSSL/23.3.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/pyopenssl@23.2.0",
+ "purl": "pkg:pypi/pyopenssl@23.3.0",
"properties": [
{
"name": "License Comments",
@@ -1059,7 +1059,7 @@
"type": "library",
"bom-ref": "32-cryptography",
"name": "cryptography",
- "version": "41.0.4",
+ "version": "41.0.5",
"supplier": {
"name": "The Python Cryptographic Authority and individual contributors",
"contact": [
@@ -1068,7 +1068,7 @@
}
]
},
- "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:*",
"description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.",
"licenses": [
{
@@ -1077,12 +1077,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/cryptography/41.0.4",
+ "url": "https://pypi.org/project/cryptography/41.0.5",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/cryptography@41.0.4"
+ "purl": "pkg:pypi/cryptography@41.0.5"
},
{
"type": "library",
@@ -1266,7 +1266,7 @@
"type": "library",
"bom-ref": "38-cachetools",
"name": "cachetools",
- "version": "5.3.1",
+ "version": "5.3.2",
"supplier": {
"name": "Thomas Kemmer",
"contact": [
@@ -1275,7 +1275,7 @@
}
]
},
- "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:*",
"description": "Extensible memoizing collections and decorators",
"licenses": [
{
@@ -1287,12 +1287,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/cachetools/5.3.1",
+ "url": "https://pypi.org/project/cachetools/5.3.2",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/cachetools@5.3.1"
+ "purl": "pkg:pypi/cachetools@5.3.2"
},
{
"type": "library",
@@ -1667,7 +1667,7 @@
"type": "library",
"bom-ref": "51-plotly",
"name": "plotly",
- "version": "5.17.0",
+ "version": "5.18.0",
"supplier": {
"name": "Chris P",
"contact": [
@@ -1676,7 +1676,7 @@
}
]
},
- "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:*",
"description": "An open-source, interactive data visualization library for Python",
"licenses": [
{
@@ -1688,12 +1688,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/plotly/5.17.0",
+ "url": "https://pypi.org/project/plotly/5.18.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/plotly@5.17.0"
+ "purl": "pkg:pypi/plotly@5.18.0"
},
{
"type": "library",
diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx
index 0a5611f4c6..68f0a380ed 100644
--- a/sbom/cve-bin-tool-py3.10.spdx
+++ b/sbom/cve-bin-tool-py3.10.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-e56edda7-59a7-425c-aef1-943456c21d03
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-a5211367-a3cc-462e-92ba-689359343aa7
LicenseListVersion: 3.21
Creator: Tool: sbom4python-0.10.0
-Created: 2023-10-23T00:25:01Z
+Created: 2023-10-30T00:24:33Z
CreatorComment: This document has been automatically generated.
#####
@@ -240,18 +240,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:*
PackageName: gsutil
SPDXID: SPDXRef-Package-16-gsutil
-PackageVersion: 5.26
+PackageVersion: 5.27
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com)
-PackageDownloadLocation: https://pypi.org/project/gsutil/5.26
+PackageDownloadLocation: https://pypi.org/project/gsutil/5.27
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: A command line tool for interacting with cloud storage services.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.27
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*
#####
PackageName: argcomplete
@@ -473,33 +473,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sybren_a._stuvel:rsa:4.7.2:*:*:*:*:*:*
PackageName: pyopenssl
SPDXID: SPDXRef-Package-31-pyopenssl
-PackageVersion: 23.2.0
+PackageVersion: 23.3.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: The pyOpenSSL developers (cryptography-dev@python.org)
-PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.2.0
+PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.3.0
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: pyOpenSSL declares Apache License, Version 2.0 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Python wrapper module around the OpenSSL library
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.2.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.3.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:*
#####
PackageName: cryptography
SPDXID: SPDXRef-Package-32-cryptography
-PackageVersion: 41.0.4
+PackageVersion: 41.0.5
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org)
-PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4
+PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.5
FilesAnalyzed: false
PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause
PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.5
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:*
#####
PackageName: cffi
@@ -582,17 +582,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23
PackageName: cachetools
SPDXID: SPDXRef-Package-38-cachetools
-PackageVersion: 5.3.1
+PackageVersion: 5.3.2
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Thomas Kemmer (tkemmer@computer.org)
-PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.1
+PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.2
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: Extensible memoizing collections and decorators
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:*
#####
PackageName: monotonic
@@ -779,17 +779,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut
PackageName: plotly
SPDXID: SPDXRef-Package-51-plotly
-PackageVersion: 5.17.0
+PackageVersion: 5.18.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Chris P (chris@plot.ly)
-PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0
+PackageDownloadLocation: https://pypi.org/project/plotly/5.18.0
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: An open-source, interactive data visualization library for Python
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.18.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:*
#####
PackageName: tenacity
diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json
index 22b452581f..f8f23688fa 100644
--- a/sbom/cve-bin-tool-py3.11.json
+++ b/sbom/cve-bin-tool-py3.11.json
@@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
- "serialNumber": "urn:uuid:d207333a-18dd-4549-9979-6b7f093bf0f4",
+ "serialNumber": "urn:uuid:fd540fe5-735c-4d5a-add6-70ce9991d205",
"version": 1,
"metadata": {
- "timestamp": "2023-10-16T00:26:13Z",
+ "timestamp": "2023-10-30T00:27:00Z",
"tools": {
"components": [
{
@@ -218,7 +218,7 @@
"type": "library",
"bom-ref": "7-charset-normalizer",
"name": "charset-normalizer",
- "version": "3.3.0",
+ "version": "3.3.1",
"supplier": {
"name": "Ahmed TAHRI",
"contact": [
@@ -227,7 +227,7 @@
}
]
},
- "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.1:*:*:*:*:*:*:*",
"description": "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.",
"licenses": [
{
@@ -239,12 +239,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/charset-normalizer/3.3.0",
+ "url": "https://pypi.org/project/charset-normalizer/3.3.1",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/charset-normalizer@3.3.0"
+ "purl": "pkg:pypi/charset-normalizer@3.3.1"
},
{
"type": "library",
@@ -506,7 +506,7 @@
"type": "library",
"bom-ref": "16-gsutil",
"name": "gsutil",
- "version": "5.26",
+ "version": "5.27",
"supplier": {
"name": "Google Inc .",
"contact": [
@@ -515,7 +515,7 @@
}
]
},
- "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*",
"description": "A command line tool for interacting with cloud storage services.",
"licenses": [
{
@@ -527,12 +527,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/gsutil/5.26",
+ "url": "https://pypi.org/project/gsutil/5.27",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/gsutil@5.26",
+ "purl": "pkg:pypi/gsutil@5.27",
"properties": [
{
"name": "License Comments",
@@ -1021,7 +1021,7 @@
"type": "library",
"bom-ref": "31-pyopenssl",
"name": "pyopenssl",
- "version": "23.2.0",
+ "version": "23.3.0",
"supplier": {
"name": "The pyOpenSSL developers",
"contact": [
@@ -1030,7 +1030,7 @@
}
]
},
- "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:*",
"description": "Python wrapper module around the OpenSSL library",
"licenses": [
{
@@ -1042,12 +1042,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/pyOpenSSL/23.2.0",
+ "url": "https://pypi.org/project/pyOpenSSL/23.3.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/pyopenssl@23.2.0",
+ "purl": "pkg:pypi/pyopenssl@23.3.0",
"properties": [
{
"name": "License Comments",
@@ -1059,7 +1059,7 @@
"type": "library",
"bom-ref": "32-cryptography",
"name": "cryptography",
- "version": "41.0.4",
+ "version": "41.0.5",
"supplier": {
"name": "The Python Cryptographic Authority and individual contributors",
"contact": [
@@ -1068,7 +1068,7 @@
}
]
},
- "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:*",
"description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.",
"licenses": [
{
@@ -1077,12 +1077,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/cryptography/41.0.4",
+ "url": "https://pypi.org/project/cryptography/41.0.5",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/cryptography@41.0.4"
+ "purl": "pkg:pypi/cryptography@41.0.5"
},
{
"type": "library",
@@ -1266,7 +1266,7 @@
"type": "library",
"bom-ref": "38-cachetools",
"name": "cachetools",
- "version": "5.3.1",
+ "version": "5.3.2",
"supplier": {
"name": "Thomas Kemmer",
"contact": [
@@ -1275,7 +1275,7 @@
}
]
},
- "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:*",
"description": "Extensible memoizing collections and decorators",
"licenses": [
{
@@ -1287,12 +1287,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/cachetools/5.3.1",
+ "url": "https://pypi.org/project/cachetools/5.3.2",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/cachetools@5.3.1"
+ "purl": "pkg:pypi/cachetools@5.3.2"
},
{
"type": "library",
@@ -1667,7 +1667,7 @@
"type": "library",
"bom-ref": "51-plotly",
"name": "plotly",
- "version": "5.17.0",
+ "version": "5.18.0",
"supplier": {
"name": "Chris P",
"contact": [
@@ -1676,7 +1676,7 @@
}
]
},
- "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:*",
"description": "An open-source, interactive data visualization library for Python",
"licenses": [
{
@@ -1688,12 +1688,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/plotly/5.17.0",
+ "url": "https://pypi.org/project/plotly/5.18.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/plotly@5.17.0"
+ "purl": "pkg:pypi/plotly@5.18.0"
},
{
"type": "library",
@@ -1845,7 +1845,7 @@
"type": "library",
"bom-ref": "56-urllib3",
"name": "urllib3",
- "version": "2.0.6",
+ "version": "2.0.7",
"supplier": {
"name": "Andrey Petrov",
"contact": [
@@ -1854,16 +1854,16 @@
}
]
},
- "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.7:*:*:*:*:*:*:*",
"description": "HTTP library with thread-safe connection pooling, file post, and more.",
"externalReferences": [
{
- "url": "https://pypi.org/project/urllib3/2.0.6",
+ "url": "https://pypi.org/project/urllib3/2.0.7",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/urllib3@2.0.6"
+ "purl": "pkg:pypi/urllib3@2.0.7"
},
{
"type": "library",
diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx
index bb72066385..d657e274c4 100644
--- a/sbom/cve-bin-tool-py3.11.spdx
+++ b/sbom/cve-bin-tool-py3.11.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-1630fc55-0869-4565-9fcd-5a9c2c3c3614
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-30721e1b-1104-43e5-8cca-937adefb7d03
LicenseListVersion: 3.21
Creator: Tool: sbom4python-0.10.0
-Created: 2023-10-16T00:24:59Z
+Created: 2023-10-30T00:25:17Z
CreatorComment: This document has been automatically generated.
#####
@@ -101,17 +101,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:23.1.0:*:*:*:*:*
PackageName: charset-normalizer
SPDXID: SPDXRef-Package-7-charset-normalizer
-PackageVersion: 3.3.0
+PackageVersion: 3.3.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Ahmed TAHRI (ahmed.tahri@cloudnursery.dev)
-PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.3.0
+PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.3.1
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.3.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.3.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.1:*:*:*:*:*:*:*
#####
PackageName: multidict
@@ -240,18 +240,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:*
PackageName: gsutil
SPDXID: SPDXRef-Package-16-gsutil
-PackageVersion: 5.26
+PackageVersion: 5.27
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com)
-PackageDownloadLocation: https://pypi.org/project/gsutil/5.26
+PackageDownloadLocation: https://pypi.org/project/gsutil/5.27
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: A command line tool for interacting with cloud storage services.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.27
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*
#####
PackageName: argcomplete
@@ -473,33 +473,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sybren_a._stuvel:rsa:4.7.2:*:*:*:*:*:*
PackageName: pyopenssl
SPDXID: SPDXRef-Package-31-pyopenssl
-PackageVersion: 23.2.0
+PackageVersion: 23.3.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: The pyOpenSSL developers (cryptography-dev@python.org)
-PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.2.0
+PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.3.0
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: pyOpenSSL declares Apache License, Version 2.0 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Python wrapper module around the OpenSSL library
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.2.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.3.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:*
#####
PackageName: cryptography
SPDXID: SPDXRef-Package-32-cryptography
-PackageVersion: 41.0.4
+PackageVersion: 41.0.5
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org)
-PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4
+PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.5
FilesAnalyzed: false
PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause
PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.5
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:*
#####
PackageName: cffi
@@ -582,17 +582,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23
PackageName: cachetools
SPDXID: SPDXRef-Package-38-cachetools
-PackageVersion: 5.3.1
+PackageVersion: 5.3.2
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Thomas Kemmer (tkemmer@computer.org)
-PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.1
+PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.2
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: Extensible memoizing collections and decorators
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:*
#####
PackageName: monotonic
@@ -779,17 +779,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut
PackageName: plotly
SPDXID: SPDXRef-Package-51-plotly
-PackageVersion: 5.17.0
+PackageVersion: 5.18.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Chris P (chris@plot.ly)
-PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0
+PackageDownloadLocation: https://pypi.org/project/plotly/5.18.0
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: An open-source, interactive data visualization library for Python
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.18.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:*
#####
PackageName: tenacity
@@ -857,17 +857,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*:
PackageName: urllib3
SPDXID: SPDXRef-Package-56-urllib3
-PackageVersion: 2.0.6
+PackageVersion: 2.0.7
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net)
-PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6
+PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.7
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: HTTP library with thread-safe connection pooling, file post, and more.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.7
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.7:*:*:*:*:*:*:*
#####
PackageName: rich
diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json
index d135a0a590..c3e87d677c 100644
--- a/sbom/cve-bin-tool-py3.9.json
+++ b/sbom/cve-bin-tool-py3.9.json
@@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
- "serialNumber": "urn:uuid:138db72d-e281-405e-8689-ac86afcc138c",
+ "serialNumber": "urn:uuid:49e5ab23-133b-4db2-9fa2-6bb79a50ff57",
"version": 1,
"metadata": {
- "timestamp": "2023-10-23T00:27:12Z",
+ "timestamp": "2023-10-30T00:26:16Z",
"tools": {
"components": [
{
@@ -506,7 +506,7 @@
"type": "library",
"bom-ref": "16-gsutil",
"name": "gsutil",
- "version": "5.26",
+ "version": "5.27",
"supplier": {
"name": "Google Inc .",
"contact": [
@@ -515,7 +515,7 @@
}
]
},
- "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*",
"description": "A command line tool for interacting with cloud storage services.",
"licenses": [
{
@@ -527,12 +527,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/gsutil/5.26",
+ "url": "https://pypi.org/project/gsutil/5.27",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/gsutil@5.26",
+ "purl": "pkg:pypi/gsutil@5.27",
"properties": [
{
"name": "License Comments",
@@ -1021,7 +1021,7 @@
"type": "library",
"bom-ref": "31-pyopenssl",
"name": "pyopenssl",
- "version": "23.2.0",
+ "version": "23.3.0",
"supplier": {
"name": "The pyOpenSSL developers",
"contact": [
@@ -1030,7 +1030,7 @@
}
]
},
- "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:*",
"description": "Python wrapper module around the OpenSSL library",
"licenses": [
{
@@ -1042,12 +1042,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/pyOpenSSL/23.2.0",
+ "url": "https://pypi.org/project/pyOpenSSL/23.3.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/pyopenssl@23.2.0",
+ "purl": "pkg:pypi/pyopenssl@23.3.0",
"properties": [
{
"name": "License Comments",
@@ -1059,7 +1059,7 @@
"type": "library",
"bom-ref": "32-cryptography",
"name": "cryptography",
- "version": "41.0.4",
+ "version": "41.0.5",
"supplier": {
"name": "The Python Cryptographic Authority and individual contributors",
"contact": [
@@ -1068,7 +1068,7 @@
}
]
},
- "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:*",
"description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.",
"licenses": [
{
@@ -1077,12 +1077,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/cryptography/41.0.4",
+ "url": "https://pypi.org/project/cryptography/41.0.5",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/cryptography@41.0.4"
+ "purl": "pkg:pypi/cryptography@41.0.5"
},
{
"type": "library",
@@ -1266,7 +1266,7 @@
"type": "library",
"bom-ref": "38-cachetools",
"name": "cachetools",
- "version": "5.3.1",
+ "version": "5.3.2",
"supplier": {
"name": "Thomas Kemmer",
"contact": [
@@ -1275,7 +1275,7 @@
}
]
},
- "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:*",
"description": "Extensible memoizing collections and decorators",
"licenses": [
{
@@ -1287,12 +1287,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/cachetools/5.3.1",
+ "url": "https://pypi.org/project/cachetools/5.3.2",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/cachetools@5.3.1"
+ "purl": "pkg:pypi/cachetools@5.3.2"
},
{
"type": "library",
@@ -1715,7 +1715,7 @@
"type": "library",
"bom-ref": "53-plotly",
"name": "plotly",
- "version": "5.17.0",
+ "version": "5.18.0",
"supplier": {
"name": "Chris P",
"contact": [
@@ -1724,7 +1724,7 @@
}
]
},
- "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:*",
"description": "An open-source, interactive data visualization library for Python",
"licenses": [
{
@@ -1736,12 +1736,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/plotly/5.17.0",
+ "url": "https://pypi.org/project/plotly/5.18.0",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/plotly@5.17.0"
+ "purl": "pkg:pypi/plotly@5.18.0"
},
{
"type": "library",
diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx
index 8d59ebda6d..e62ee87320 100644
--- a/sbom/cve-bin-tool-py3.9.spdx
+++ b/sbom/cve-bin-tool-py3.9.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-44fef178-29ca-49aa-a90e-4e9fa1d6ed6d
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-156d1333-107b-45f2-9bab-245ab3e876cb
LicenseListVersion: 3.21
Creator: Tool: sbom4python-0.10.0
-Created: 2023-10-23T00:25:18Z
+Created: 2023-10-30T00:24:47Z
CreatorComment: This document has been automatically generated.
#####
@@ -240,18 +240,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:*
PackageName: gsutil
SPDXID: SPDXRef-Package-16-gsutil
-PackageVersion: 5.26
+PackageVersion: 5.27
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com)
-PackageDownloadLocation: https://pypi.org/project/gsutil/5.26
+PackageDownloadLocation: https://pypi.org/project/gsutil/5.27
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: A command line tool for interacting with cloud storage services.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.27
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*
#####
PackageName: argcomplete
@@ -473,33 +473,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sybren_a._stuvel:rsa:4.7.2:*:*:*:*:*:*
PackageName: pyopenssl
SPDXID: SPDXRef-Package-31-pyopenssl
-PackageVersion: 23.2.0
+PackageVersion: 23.3.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: The pyOpenSSL developers (cryptography-dev@python.org)
-PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.2.0
+PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.3.0
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: pyOpenSSL declares Apache License, Version 2.0 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Python wrapper module around the OpenSSL library
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.2.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.3.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:*
#####
PackageName: cryptography
SPDXID: SPDXRef-Package-32-cryptography
-PackageVersion: 41.0.4
+PackageVersion: 41.0.5
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org)
-PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4
+PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.5
FilesAnalyzed: false
PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause
PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.5
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:*
#####
PackageName: cffi
@@ -582,17 +582,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23
PackageName: cachetools
SPDXID: SPDXRef-Package-38-cachetools
-PackageVersion: 5.3.1
+PackageVersion: 5.3.2
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Thomas Kemmer (tkemmer@computer.org)
-PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.1
+PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.2
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: Extensible memoizing collections and decorators
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:*
#####
PackageName: monotonic
@@ -809,17 +809,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut
PackageName: plotly
SPDXID: SPDXRef-Package-53-plotly
-PackageVersion: 5.17.0
+PackageVersion: 5.18.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Chris P (chris@plot.ly)
-PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0
+PackageDownloadLocation: https://pypi.org/project/plotly/5.18.0
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: An open-source, interactive data visualization library for Python
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.18.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:*
#####
PackageName: tenacity
diff --git a/test/condensed-downloads/zchunk-1.3.2-1.fc40.aarch64.rpm.tar.gz b/test/condensed-downloads/zchunk-1.3.2-1.fc40.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..48a27ed9c4
Binary files /dev/null and b/test/condensed-downloads/zchunk-1.3.2-1.fc40.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/zchunk_1.1.9+ds1-1_amd64.deb.tar.gz b/test/condensed-downloads/zchunk_1.1.9+ds1-1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..10824bab79
Binary files /dev/null and b/test/condensed-downloads/zchunk_1.1.9+ds1-1_amd64.deb.tar.gz differ
diff --git a/test/test_cli.py b/test/test_cli.py
index a9c6ff6d81..e4c619b77a 100644
--- a/test/test_cli.py
+++ b/test/test_cli.py
@@ -590,7 +590,6 @@ def test_EPSS_percentile(self, capsys, caplog):
if my_test_filename_pathlib.exists():
my_test_filename_pathlib.unlink()
- @pytest.mark.skip(reason="Needs database rebuild. Temporary fix.")
def test_SBOM(self, caplog):
# check sbom file option
SBOM_PATH = Path(__file__).parent.resolve() / "sbom"
@@ -609,7 +608,7 @@ def test_SBOM(self, caplog):
assert (
"cve_bin_tool",
logging.INFO,
- "There are 3 products with known CVEs detected",
+ "There are 1 products with known CVEs detected",
) in caplog.record_tuples
@pytest.mark.skipif(not LONG_TESTS(), reason="Skipping long tests")
diff --git a/test/test_data/zchunk.py b/test/test_data/zchunk.py
new file mode 100644
index 0000000000..428bdfd4cb
--- /dev/null
+++ b/test/test_data/zchunk.py
@@ -0,0 +1,20 @@
+# Copyright (C) 2023 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+mapping_test_data = [
+ {"product": "zchunk", "version": "1.1.9", "version_strings": ["zchunk 1.1.9"]}
+]
+package_test_data = [
+ {
+ "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/z/",
+ "package_name": "zchunk-1.3.2-1.fc40.aarch64.rpm",
+ "product": "zchunk",
+ "version": "1.3.2",
+ },
+ {
+ "url": "http://ftp.fr.debian.org/debian/pool/main/z/zchunk/",
+ "package_name": "zchunk_1.1.9+ds1-1_amd64.deb",
+ "product": "zchunk",
+ "version": "1.1.9",
+ },
+]
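Review bot: Both `url` entries in package_test_data point at plain `http://` mirrors, so if the test harness fetches from them (rather than only using the condensed tarballs added under test/condensed-downloads in this commit), the RPM and DEB arrive with no transport integrity and a network-position attacker could substitute a crafted archive that the scanner then parses. Prefer `https://` where the mirror serves it (verify for rpmfind.net and ftp.fr.debian.org, or switch the Debian entry to a mirror that does), or record an expected digest next to each URL so the download can be checked before extraction. The rawhide path `.../development/rawhide/Everything/aarch64/os/Packages/z/` is also a moving target — `zchunk-1.3.2-1.fc40.aarch64.rpm` will vanish from it at the next rebuild — so it is worth a one-line comment on that entry, `# rawhide URL goes stale on rebuild; the cached tarball in condensed-downloads is the authoritative copy`.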