From f3f7037dacb0fb16c2e534688e9d89a8b436b423 Mon Sep 17 00:00:00 2001 From: Sanskar Sharma Date: Thu, 26 Oct 2023 03:25:53 +0530 Subject: [PATCH 1/8] ci: github action for fuzz testing (#3467) --- .github/workflows/fuzzing.yml | 61 +++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/fuzzing.yml diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml new file mode 100644 index 0000000000..d1ec198fd1 --- /dev/null +++ b/.github/workflows/fuzzing.yml 
@@ -0,0 +1,61 @@ +name: Fuzzing + +on: + schedule: + - cron: '0 7 * * 1' # Runs at 07:00 on monday every week + + workflow_dispatch: + +permissions: + contents: read + +jobs: + fuzzing: + name: Fuzzing + runs-on: ubuntu-22.04 + if: github.event.repository.fork == false + steps: + - name: Check out code + uses: actions/checkout@v2 + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.9 + + - name: Install Bazel + run: | + sudo apt-get update + sudo apt-get install -y wget + wget -c https://github.com/bazelbuild/bazelisk/releases/download/v1.18.0/bazelisk-linux-amd64 + chmod +x bazelisk-linux-amd64 + sudo mv bazelisk-linux-amd64 /usr/local/bin/bazel + bazel --version + + - name: Install Fuzzing Dependencies + run: | + pip install --upgrade atheris + pip install --upgrade atheris-libprotobuf-mutator + pip install --upgrade protobuf + - name: Install Cve-bin-tool + run: | + python -m pip install --upgrade pip + python -m pip install --upgrade setuptools + python -m pip install --upgrade -r dev-requirements.txt + python -m pip install --upgrade . + + - name: Run Fuzzing + id: fuzzing + env: + PYTHONPATH: ${{ github.workspace }} + run: | + cd fuzz + export PYTHONPATH="$PYTHONPATH:/generated" + fuzzing_scripts=($(ls *.py)) + echo "Found Fuzzing scripts: ${fuzzing_scripts[@]}" + current_week=($(date -u +%U)) + echo "Current week number: $current_week" + at_index=$((($(date -u +%U) % ${#fuzzing_scripts[@]}))) + selected_script="${fuzzing_scripts[$at_index]}" + echo "Selected script: $selected_script" + timeout --preserve-status --signal=SIGINT 60m python $selected_script \ No newline at end of file From e58be271c15bcc1e308d718a2e723ae251c10f6a Mon Sep 17 00:00:00 2001 
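Review bot: The Install Bazel step downloads `bazelisk-linux-amd64` with `wget`, moves it to `/usr/local/bin/bazel` and runs it with no integrity check, and the `actions/checkout@v2` / `actions/setup-python@v2` steps are pinned to mutable major tags rather than a commit SHA as this repository's `codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4` step is, so the weekly job executes whatever the release asset or tag resolves to at run time. Adding `echo "<EXPECTED_SHA256>  bazelisk-linux-amd64" | sha256sum -c -` after the `wget` line and pinning the two actions by SHA closes both gaps. In the Run Fuzzing step, `export PYTHONPATH="$PYTHONPATH:/generated"` appends an absolute `/generated` directory at the filesystem root, which presumably was meant to be a path under the checked-out `fuzz` directory. `fuzzing_scripts=($(ls *.py))` should be the glob `fuzzing_scripts=(*.py)`, and `$selected_script` should be quoted. The step also keeps nothing the fuzzer writes, so a crash found during the 60-minute run leaves no artifact to triage; an `actions/upload-artifact` step with `if: always()` after it would preserve the output.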
From: Pavel Belokon <88114764+pbelokon@users.noreply.github.com> Date: Wed, 25 Oct 2023 19:11:42 -0400 Subject: [PATCH 2/8] docs: docstrings for some of GAD_Source This adds docstrings just to GAD_Source.format_data (L253) and GAD_Source.get_cve_data (L329). Several functions remain that need docstrings. --- cve_bin_tool/data_sources/gad_source.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cve_bin_tool/data_sources/gad_source.py b/cve_bin_tool/data_sources/gad_source.py index c996a275f6..b19eec3834 100644 --- a/cve_bin_tool/data_sources/gad_source.py +++ b/cve_bin_tool/data_sources/gad_source.py @@ -251,6 +251,8 @@ def parse_range_string(self, range_string): return version_list def format_data(self, all_cve_entries): + """Formats data from a list of Common Vulnerabilities and Exposures (CVE) entries.""" + severity_data = [] affected_data = [] @@ -327,6 +329,8 @@ def format_data(self, all_cve_entries): return severity_data, affected_data async def get_cve_data(self): + """Asynchronously fetches and formats Common Vulnerabilities and Exposures (CVE) data.""" + # skip GAD if connection fails try: await self.fetch_cves() From 4bde7e8dde2b50a987952ccf3356fae4a9a774ec Mon Sep 17 00:00:00 2001 From: Anurag Nagpal <73398296+Anurag-Nagpal@users.noreply.github.com> Date: Fri, 27 Oct 2023 02:38:17 +0530 Subject: [PATCH 3/8] test: re-enable test_SBOM in test_cli.py (#3474) * test: re-enable test_SBOM in test_cli.py * correct assertion error in SBOM test * fix flake 8 linting issues --- cve_bin_tool/output_engine/__init__.py | 2 +- test/test_cli.py | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/cve_bin_tool/output_engine/__init__.py b/cve_bin_tool/output_engine/__init__.py index 224dcef6d4..0688eeea09 100644 --- a/cve_bin_tool/output_engine/__init__.py +++ b/cve_bin_tool/output_engine/__init__.py 
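Review bot: The docstring added to `format_data` in the first hunk says nothing about the return value, although the context of the second hunk shows the method ending with `return severity_data, affected_data`; a `Returns:` line describing that two-list tuple is the part a caller needs. The `get_cve_data` docstring in the second hunk likewise does not mention that the fetch is wrapped in a `try` (the `# skip GAD if connection fails` comment directly beneath it), so it should state what the method returns or yields when the source is unreachable. Both method bodies extend outside the hunks, so the exact contract should be confirmed against the full definitions.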
@@ -847,7 +847,7 @@ def generate_sbom( sbom_relationship = SBOMRelationship() # Create root package my_package.initialise() - root_package = f'CVEBINTOOL-{Path(sbom_root).name.replace(".","-")}' + root_package = f'CVEBINTOOL-{Path(sbom_root).name.replace(".", "-")}' parent = f"SBOM_{root_package}" my_package.set_name(root_package) my_package.set_type("application") diff --git a/test/test_cli.py b/test/test_cli.py index a9c6ff6d81..e4c619b77a 100644 --- a/test/test_cli.py +++ b/test/test_cli.py @@ -590,7 +590,6 @@ def test_EPSS_percentile(self, capsys, caplog): if my_test_filename_pathlib.exists(): my_test_filename_pathlib.unlink() - @pytest.mark.skip(reason="Needs database rebuild. Temporary fix.") def test_SBOM(self, caplog): # check sbom file option SBOM_PATH = Path(__file__).parent.resolve() / "sbom" @@ -609,7 +608,7 @@ def test_SBOM(self, caplog): assert ( "cve_bin_tool", logging.INFO, - "There are 3 products with known CVEs detected", + "There are 1 products with known CVEs detected", ) in caplog.record_tuples @pytest.mark.skipif(not LONG_TESTS(), reason="Skipping long tests") From 775a8b3b2db4f3a7acd4633f769d4da71eec3899 Mon Sep 17 00:00:00 2001 From: Terri Oda Date: Mon, 30 Oct 2023 09:56:09 -0700 Subject: [PATCH 4/8] ci: skip running tests on bot-generated sboms (#3468) The earlier PR skipping tests caused issues with our branch protection rules and had to be disabled because it blocked merging of pull requests (if the tests were skipped, the PR could never be merged). This allows part of the job to run (so it'll pass branch protection checks) while skipping the install and running of tests on sbom jobs provided by our automated job. Note that this is the same code as I had in #3446 but I'm separating it out so it gets a proper code review from someone who is not me. Signed-off-by: Terri Oda --- .github/workflows/testing.yml | 48 +++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) 
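Review bot: Changing the expected record to `"There are 1 products with known CVEs detected"` in the second `test_cli.py` hunk pins `test_SBOM` to the current state of the CVE database, which is what the removed `@pytest.mark.skip(reason="Needs database rebuild. Temporary fix.")` marker was working around, so the exact count will drift again the next time the database is rebuilt. Asserting that the expected product from the `sbom` fixture appears in the output, or that at least one product with known CVEs is reported, is more robust than pinning `1`. The `1 products` wording comes from the tool's log message, not the test, so the pluralization is a separate nit for the output code rather than this hunk. `test_SBOM` continues past the end of the hunk.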
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 9e1f8088f7..adc98f6875 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -74,6 +74,19 @@ jobs: with: python-version: ${{ matrix.python }} cache: 'pip' + + - name: "Skip tests if this is an automated sbom job" + env: + COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }} + run: | + if ${COMMIT_VAR} == true; then + echo "sbom=true" >> $GITHUB_ENV + echo "sbom set to true" + else + echo "sbom=false" >> $GITHUB_ENV + echo "sbom set to false" + fi + - name: Get date id: get-date run: | @@ -96,10 +109,13 @@ jobs: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }} - name: Install cabextract + if: env.sbom == false run: sudo apt-get update && sudo apt-get install cabextract - name: Install OS dependencies for testing PDF + if: env.sbom == false run: sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python3-dev - name: Install pdftotext, reportlab and cve-bin-tool + if: env.sbom == false run: | python -m pip install --upgrade pip python -m pip install --upgrade setuptools @@ -109,11 +125,13 @@ jobs: python -m pip install --upgrade -r dev-requirements.txt python -m pip install --upgrade . - name: Try single CLI run of tool + if: env.sbom == false run: | [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out cp -r ~/.cache/cve-bin-tool cache - name: Run async tests + if: env.sbom == false run: > pytest -n 4 -v --ignore=test/test_cli.py @@ -122,6 +140,7 @@ jobs: --ignore=test/test_html.py --ignore=test/test_json.py - name: Run synchronous tests + if: env.sbom == false run: > pytest -v test/test_cli.py 
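Review bot: The `if ${COMMIT_VAR} == true; then` line in the new "Skip tests if this is an automated sbom job" step (`-74` hunk, repeated verbatim in the `-144` hunk of the same file) is not a comparison: bash executes `true` or `false` as a command with `==` and `true` as ignored arguments, so the branch is chosen by that command's exit status and only works because `COMMIT_VAR` happens to be one of those two words. `if [ "${COMMIT_VAR}" = "true" ]; then` expresses the intended test and survives any other value. The `if: env.sbom == false` guards added in the `-96`, `-109` and `-122` hunks (and the same guards in the `-182`, `-195`, `-210` and `-217` hunks) compare a string read back from `$GITHUB_ENV` with a boolean literal; GitHub's expression language coerces mismatched types to numbers before comparing, so this may not evaluate as intended, whereas `if: env.sbom != 'true'` compares like with like. Since the step is duplicated across both jobs, computing the flag once (a job output or a composite action) would keep the two copies from drifting.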
@@ -129,6 +148,15 @@ jobs: long_tests: name: Long tests on Python 3.10 + if: | + ! github.event.pull_request.user.login == 'github-actions[bot]' || + ! ( + startsWith(github.head_ref, 'chore-sbom-py') || + contains( + fromJSON('["chore-update-table","chore-precommit-config","chore-spdx-header"]'), + github.head_ref + ) + ) runs-on: ubuntu-22.04 timeout-minutes: 90 env: @@ -144,6 +172,19 @@ jobs: with: python-version: '3.10' cache: 'pip' + + - name: "Skip tests if this is an automated sbom job" + env: + COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }} + run: | + if ${COMMIT_VAR} == true; then + echo "sbom=true" >> $GITHUB_ENV + echo "sbom set to true" + else + echo "sbom=false" >> $GITHUB_ENV + echo "sbom set to false" + fi + - name: Get date id: get-date run: | @@ -182,10 +223,13 @@ jobs: if_true: '1' if_false: '0' - name: Install cabextract + if: env.sbom == false run: sudo apt-get update && sudo apt-get install cabextract - name: Install OS dependencies for testing PDF + if: env.sbom == false run: sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python3-dev - name: Install pdftotext, reportlab and cve-bin-tool + if: env.sbom == false run: | python -m pip install --upgrade pip python -m pip install --upgrade setuptools @@ -195,11 +239,13 @@ jobs: python -m pip install --upgrade -r dev-requirements.txt python -m pip install --editable . - name: Try single CLI run of tool + if: env.sbom == false run: | [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out cp -r ~/.cache/cve-bin-tool cache - name: Run async tests + if: env.sbom == false env: LONG_TESTS: ${{ steps.git-diff.outputs.value }} run: 
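Review bot: In the `if: |` condition added to `long_tests` (`-129` hunk), `! github.event.pull_request.user.login == 'github-actions[bot]'` does not mean "author is not the bot": `!` binds tighter than `==`, so the login is negated to a boolean first and then compared with the string, which can never be true. The whole condition therefore reduces to `!(startsWith(...) || contains(...))` and the author check contributes nothing; the intended first line is `github.event.pull_request.user.login != 'github-actions[bot]' ||`. On non-PR triggers `github.event.pull_request` is absent and `github.head_ref` is empty, so the job runs, presumably as intended, but a short comment in the workflow saying so would help the next reader.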
> @@ -210,6 +256,7 @@ jobs: --ignore=test/test_html.py --ignore=test/test_json.py - name: Run synchronous tests + if: env.sbom == false env: LONG_TESTS: ${{ steps.git-diff.outputs.value }} run: > @@ -217,6 +264,7 @@ jobs: test/test_cli.py test/test_cvedb.py - name: Upload code coverage to codecov + if: env.sbom == false uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 with: files: ./coverage.xml From 0e4b3dd605d1fe6b89e075c8928b4fd76bdbf771 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Mon, 30 Oct 2023 18:41:06 +0100 Subject: [PATCH 5/8] feat(checker): add zchunk (#3481) Signed-off-by: Fabrice Fontaine --- cve_bin_tool/checkers/__init__.py | 1 + cve_bin_tool/checkers/zchunk.py | 20 ++++++++++++++++++ .../zchunk-1.3.2-1.fc40.aarch64.rpm.tar.gz | Bin 0 -> 4754 bytes .../zchunk_1.1.9+ds1-1_amd64.deb.tar.gz | Bin 0 -> 4054 bytes test/test_data/zchunk.py | 20 ++++++++++++++++++ 5 files changed, 41 insertions(+) create mode 100644 cve_bin_tool/checkers/zchunk.py create mode 100644 test/condensed-downloads/zchunk-1.3.2-1.fc40.aarch64.rpm.tar.gz create mode 100644 test/condensed-downloads/zchunk_1.1.9+ds1-1_amd64.deb.tar.gz create mode 100644 test/test_data/zchunk.py diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py index b3cef68d16..93cc32fce4 100644 --- a/cve_bin_tool/checkers/__init__.py +++ b/cve_bin_tool/checkers/__init__.py @@ -339,6 +339,7 @@ "xscreensaver", "yasm", "zabbix", + "zchunk", "zeek", "zlib", "znc", diff --git a/cve_bin_tool/checkers/zchunk.py b/cve_bin_tool/checkers/zchunk.py new file mode 100644 index 0000000000..eacf7365bd --- /dev/null +++ b/cve_bin_tool/checkers/zchunk.py 
@@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + + +""" +CVE checker for zchunk + +https://www.cvedetails.com/product/163243/Zchunk-Zchunk.html?vendor_id=33326 + +""" +from __future__ import annotations + +from cve_bin_tool.checkers import Checker + + +class ZchunkChecker(Checker): + CONTAINS_PATTERNS: list[str] = [] + FILENAME_PATTERNS: list[str] = [] + VERSION_PATTERNS = [r"zchunk ([0-9]+\.[0-9]+\.[0-9]+)"] + VENDOR_PRODUCT = [("zchunk", "zchunk")] 
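Review bot: `VERSION_PATTERNS` and `VENDOR_PRODUCT` in `ZchunkChecker` are left unannotated while the two empty lists above them carry `list[str]`, which reads inconsistently in a four-line class; `VERSION_PATTERNS: list[str] = [...]` and `VENDOR_PRODUCT: list[tuple[str, str]] = [...]` would match. With `CONTAINS_PATTERNS` and `FILENAME_PATTERNS` both empty, detection rests entirely on the regex `zchunk ([0-9]+\.[0-9]+\.[0-9]+)`, so any binary that merely embeds such a string (for example a consumer reporting the zchunk version it links against) would be reported as the zchunk product itself; if a distinctive string from the library is available, adding it to `CONTAINS_PATTERNS` would tighten the match. The module docstring only links to the CVE listing; a line naming what is expected to match (binaries, the shared library) would document the checker's scope.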
diff --git a/test/condensed-downloads/zchunk-1.3.2-1.fc40.aarch64.rpm.tar.gz b/test/condensed-downloads/zchunk-1.3.2-1.fc40.aarch64.rpm.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..48a27ed9c457d202a2d408c11ec985c66b8de8d7 GIT binary patch literal 4754 zcmV;D5^e1tiwFn-00002|9WF+b#7}dF)lMMGA%JKW@9ukE@5GEV`w%sE^=^fE_7jX z0PS3PTjI*nKliFJrd zbmkW}^UI%bc#bRE*!(a5%;P^>2iyPmuYdg;@CqqIucQn$Vd$oJmyl&!sV~eW9V?lJ zoujkx+}=EfZ=-Ifsf}hw?PgcmiZm_KXl$~83eFRCWH7rvivAL22QlWGx zshX|TbjQ`~(qZ1POsynW3{B(>&XJTmS*q%$Z0Ps&h$B~gnhjYuL9SS~3yzDFZIJC+ zlQLaRs%u6Qnx5;3#HMUJ8fbUA3;6y>j^;{+Rg(;@r5Ru~HFIGOiQhGAQbl$&;u6xd z4b7yBsWh6P$cAAlScoSyJCahrr6;p#>!w@fk3?FrHEf^X>Zb1Euw+#{IXHY*R_dCH zy_2!SJh_Hl5s%m#v*y;r)T(YfuEZr3rtv39u^Ko|Vu;~r+Aa3IZKJTTJJed(m8z|2 zeKmQdAPHG!*;q-948b!|sYLY_@?0fe;*X4(nsV!S4W1Pas!N#)AuZW)G?YzM){VXb zoSa~hVWBXZLGvguN~~jHPqtM+5o0N#&LnQSTYzWO{h+XsmomxpVt6|{2jj=Z!cO6c zUK5aV%WyNl1gCht!1EKH#n>*yb7NuJ@>mXv8###cli^wBXSuSyj5*~BC~H`3KF4xE zXR(~ca}C66#Q3WNd8^s6^;+F!lgbp!%w*DR&oX7VE}Lvq*HE+J%p|2|uEj{@*n|T~ z94RD|DaTgC)Sgtp@?42);M3w04pS}7G2gmOu}l|V046h4S6qCDWxE4h2%GrKNYG)~ zhU_YJrrkC19o1Bxmt_-%p|jX3zrq&Df{_;KW{q0J#x_H`ED$~;xgrIeHuS2l$dpf= z(j6unq!bA0E`$snq;h0*O+A*9b&T0N5r@!@QpW_?U|VQ zlpZybND${?6M6nJgElpKVQmdxjcC77_?$rUzHS3nsL)$cFlhpDG$s;sw}a}09jR!{ zLGd9`q|vZ!WCSUeWfFT(bgEYIYRI|T6itSxLMT2P#m(>*r$NqPkG3r**5%@Pkpa0-e%D}UeH>=xba>_U649?(GMG6yuVC^1;}sl_>_c%P zbq{wV`Y3$bj>Ae;f|Jo1Fh`eRFLiOKr#_vXXz-x7;GG_a?~{{bU>8cq60r5sCrIwM zVCt?Ehxqj@Tqn<9_3Rxi9WTQD)#KFFKKyE7nU&b10gvi3DBm2oYURK(rzb!eKZcXa z=Qq&#y7V4)+Yg{5(lEKk+8VaMnZ1H^Vxj^I3tQ0H-%G*H*cbSEYr>NB7HY-f7f3pF z{1~}%1(G;_YjzWosO4I+W_n3vFsifLi6m7#9VbzogGJK%Mj_$KHUFuJbFf^~fS0Vx zP92hJ$8vp{1_&{L;@O6TpVbc8qq8tIV%(SpjL5{wh%ecMLTZB(F&(-hE z98^8f2qyG(Gk6qlLzW<5w*u-54#a6%CSnuCQZ?8ul|C?z8wpG5tX)Tp8qg&ChV@T< zP!~28%wN$)HluaAs7`iSlK>EvrsR+qWs8D{5M8a&#Lo@F7J>nT`yQa@Cn9o}gM(Ey1Cg>{pqCj?K&<}~3#YkcnT|+=z&{E; zI%rU8TJYd$ZQnhto{YevmF>eY9-;!YOTZj#b1^`B|(SL!0xT~VqkwKG`L|lE=Q$s72vK;_N zRmTsQ`--#2#M$Z 
zYm6@SKi-p5jOAbpjeVs^E}U`^N`bLolCK!#mOtY8o}a(pF(Vuzqyxf~FeDSIEisrU8PU|sLz;c<5xa%yK1)-FuA zHc!CI)FD>T;CyBg)|7+_2lX*Hx0YeN?To@f$3*~fp~AKC2uG{<;eFw;#4=;r#m|*iAOHyZ%87{?FTge^?u@t^dy~K8gRC8QOnC z`|oeN_V0)A^qE7#RBb$p@&*64`{U%!2I{k-3p48wCGV}D`?K8^Q@nvH*n zm6%@_@jba^hNc7l#B*=q>){BD*DFg3Y&_&3Kc3@7V!081mNyDw4S8f4N^C^fm9%Kg z?aPQ+dD=8|m!V9_Cgi401E(c2w+xC);6~Pj4o+Rp%rDSoKAnLJ+rrW<+3`yQ$M4e5e0ZN97;@vMW@)Ls#RsraI>7D zQ$G_(@vqSjt}GKm;-3p9GgE8-;M(%5kf*>d;k?v@vuyjW3H#MF#9LoLx_CbYcdZPp zdI}sIzAwP+;mtkN6Rky9UP?mY^khr}+scCb25pPDx(UmfXvkUmheP+Xga ze5*MQtIbDgAI{#NOu@&Stp#9`0xQaOxqOp`%lLr}?Zv5en8DWpM&pyM@#nOPF4x64@r=Z{eVUKkFnIu-)SYzd?6T#xuK9LYx^!0|kLVP8XIw8B$MA z$T{EVGkM7aF<pseOE`8gk8f5$E!>f!yy6$a>DRGiZy<6BOKh-D~nkAl=+@EDrJV zTTpV#P{Z?G%S+9nm@P8qgK0XHu826Z=h z7Aq&R5r7lT&>EWQb_?_%m9FmdO&^h_dp3dahJ}-eYnflhPkAzsBP)u5ySr|9CKHFK zn-A(v#FevX$D$d2jZ>N?cvUPW7Au0|lwQwg39}z0Fp7)H=cfBr-Cf=#@`GY0Ds z`60?h6eZ@JQ>&pxGDPgwPu&TFU^3yObq*|rVo?AvVMH?U`=g#j9Mj8ilyC0oz&XD> z*;4eZhb&^YApk7W`b_|dX#Pw9kk4$vJ9Y!{o{5P{W#D9NF{HJQ4a>F37K|x^u%|8K92D$=Y-0uIv z?)jHD_YZ(^e9j*T4SU^%efU!VSG09*anPD#^x+t+p_wgc+^Q5rKOh8*gFpWt0<>k_ zZQ?hW*re(<_j}?MImTPzNe%i9{f1G`;2#Zz;^hq7I7@IlyX4T%JF&%|jq%hQN-dJ- z5AUE{mzQ$&*isBi2n@C)B0z^Zq;2U!b6HaQvN%GX^@L}(N9Y`cxo8D>e+ew9= zJ$mXApv_&ZH`Avj3t9vOBFV^QzPI0ZC_edL0*>fsPkO^@aVKGs->G4L9TW(MbvTWw z;{OWp!v2<*p9o)2_*?nXaq$u^xYrX0t+#a5la0V*h#d_Jh0ZOW+}#%=HXm7b=SQ~S z(*%G@%k}6v922T6qL>}QSaM{EBpSjGBbkuW>(P8WpYJ%BSxvlw8K%QRbpgh$rH^pB z6NlK=D!#~hkYcHF3>s5$cwG5jir>T8SsEUd7=neX>@-3W8Md?&ILgMfwOQDEw+80< z&G`|u^_vNZRbBAL(+AKV`L4n0=y4pD%=0-ooJ;SHU4yaW!RXN*oR7<}xtM_M2Me<2 zaTpohg^SKMJXrH^GCmLI-#&xfnFaHcRfN60Sy*0lj(5OYU@-D#d>W?m>+tqQDV@N& gyD;O;z06k(vf&c&j literal 0 HcmV?d00001 
diff --git a/test/condensed-downloads/zchunk_1.1.9+ds1-1_amd64.deb.tar.gz b/test/condensed-downloads/zchunk_1.1.9+ds1-1_amd64.deb.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..10824bab7983b56baff2354606500b8362719437 GIT binary patch literal 4054 zcmZ{mWl$6jw}(k3ccm311eRQS>5c^iq+?kSmM%d;QE~y1aHXXL0ZA!|C8b-XV|PIs zB&4K~aQFV-nLBgqyB*5S15p4v-L$ zuy^owmVt;myEuwIbMPnHx4nKbty}MUf!881b=bO5-n+@Lx9-i3AO-M8KB4Cr9RWFjK!uP7JUSZf}t(lu)!YL0#eD>%h5urSLIk zLWbrNRr_bY3Ns&MTY~e_t`0)se8OHO55_ZnytF}%9U^TMjqq2QT{kR!VwG1*wch4o zWqTp&!Imn!O~c+r^s(u;LauH~cmu9|anH1P6WitJCRY!fRB8G@N}rNTjTZUc&4Lug zdsGzaQ#)2?>u^i#o3P%`;m`OjKMld5*1$TYttrM#d%CdrH-iFOu{xzo(*8O7RGDGx4xfB74`=B-{iN=_bOe z%oa*vIm(N3;it1t%)d;-il!V(Sgz-dn)9bk5yC7?P4tmVkue3$1z{6X6Fd_NpNQe4 zi{-VWIMSv|&u*D;?VF9w)!|pfy9%UOv1+XKRbNDy?+e)OnvB<9vS8mF@6)H~jz0FL z)#|#0B~~wKEDRn-3D~!2s_Xo22cknyGwb8m>luIL)V!GJm1%heke%xpQ$C*-%Taxb zufJ5y;j2Vs?FD7|qH0WX+w#P)mwF?1w;B##()+&;)+;x!@N=$AsBuJ#KQahX6lO_u z7m=;E)v`GRf;D&XzH`Nc?TS4phGjz(Rw^T>(HI0)FFkjo0DJM zW7&hQrs!E4|#XIhd(JAcFb4B2M&1$27h+3`QS6e5qN+2tC0B`9Y;++ zYduxoJ-SCQ5Cww?@z!_ovs!+~B-4jENlnA?uZ7;p*00f3%5ABKs#tcx>LvNRya%Wm zf>I7egt7+s!ZjW_0zbNM2x#&4)FYUbE;y)O`>$H`Q`kIU{v_{TIG0}G2{&>6P{|r} zUj*hfuB~OsIas$BFBt1}8NX2EDtLUH0YKI#yZ!+J3)TrTe`+wESe7Guw72`sMcBIP zP^P$OeN@psk~FJQ_EPowESdU3!70+tx{27iM*C=_5Q9gLiRAbBUK^-D-YhTsYf7em z6bpjyC6rts?o0kHbr8j{aglQF`JmO`oO5W&=;N`?ZWOghWuy_Cj?PanjX<)evyQ(( zzJXMW1uz+)wf#@BEGkm4C3{HZujsN!&cYhAg{md+*f$#6B5LzoW2|&H+%Lh2EBdvK z65BG33Cm0UJ;?rB;~@F6s`)_HOFrY_)^=-k1;OH#vr2gKL!EHBh8xhpPXlJpc-~w_ zhKMcVfWZJ;=AD9OyOkK!T7(BPSD1;6Z<+utQ5#uA*E(7NWcn-#F!xXLP>yas z3rL1bFXI26FY#j~wV(;bi94sv4Zz@A!DR5;(rR7>ia@TrEl<`@d(8K?GskwGlr_Xs zOm?Y1oxM&47A_-!uzEYUZ|)H&Wk#*28=TltB)H8?W9h;1Ql_?$bP7u&@yRdyt{L*b zag1YzAvwoZ%)|c3VtU306}0s?DlIg{YQ?51#iwmwpd*tSnx$AlL7oAJGDv1m`b5Lx zx9E~aOTIha=%0YuncE}xZn~$ciPP#++D#qluZ?!<(ipRyQZX`ROdeAe$r#g9>DGj0 z^rL~F`v@Ti30$>qFL+pQ>q0!Xx?K&=qpzzj(#6(B*v@0#XaI61U&AT=1tbupf}p@% 
z$ZLoqxI@3WMmU7%)+>z-FX!&?rsvLUiSO`$!)^6IlHk~ts4dd@?=F`Irr)nHKy3FW3+kMWR}|+UT3Hx>H`YZ2rKQ?{ZLe{J>_ZL^ z%iJo9&UgI2?Tx&fatgm6NFQ_O{i~Czt1u2q{>A{4B{Rt&1F2w7DDl)fXwBDuXU-F9 zpg+v6(mB-h7;=+>U&=h`R@RMw`Fj$=6tY#?SwprYMqdWX;P+GLsyHMDVaiFky z#_ByppWsk588DgBwCELAx`E~LdJzMEhwqD@BEKAe*Y-9VxeOyL`-pr+Cd5om9xq?i z5W2wSB8tRWg6j{J<jLxH8q5Zvb`Oc<$$(osaYNKBH|GRV-O!xaLZ16fi)3fFyRCDh#~!s zyi(OhECm&ZKVl`dzX!;xW(UfW(~KZX1c|FWNl7(6(Jj zgr8Qm7bYQN5e;dY93oq8#uF+V{n+ulkhjpk$WeE%n~SzSB;oCOVP6h3lG~S=D02oR z#??D4cVt$}>Ci5htNUn2$Nbz%L%G#u?2YmBnr@%${jX&^Q8iNpW)bbpM^MQTSbxa+ zLa|n_iZ3-)Hm))@^1;ysrSBnnUsuHfbkm9j9ndh4^d#^KglYzBxJsf`p3e2?lwQXRxoD8EeXxHbX0V^Tv12- zjJ04+^G3-cBwFY_7h0~HlOE{E_hs*Yi`w|62i~_TzWklbvi%NaYMl?ZGSy4Y zz*xozXVQ5kil#eIg-D={vbj~uQE&NGm=AhZRSt!}a299STPE$9+J2ds82RKLN zD^=-t<+5;;Qp_55iJ5&!GBxtpMsj_V90D%C{t`1kl{#Z%SZF74{hV=3P^6=PV*V+S zIp;*K+l}tL0&aZI@_t;j{mSZA>m-eb6ZLe$*zh$jlO&SCe<}p-L9Zcm_+%hg?sKqH zLyXD0^$`22m%Iz2FAzRQYPm}hJCnY)A?|YfmL1dX7_}Jj1^6OI(@w?)mMySs?s*Pt z9zo%y-3)=r5ZeX9ONq`CWZuU#5&ryL?P6$;?u@5BEOY3NDi>=!pS$Yw(5L?KrK&_@ zC*9plCi4m(6?jz2m~2LhT4>_#q^}yAih8ERIB79BK|bs%-)TK&@qToGRkj?XRRP(% z%=*~JX_p^lq8&8RcHC}vQs8^=xVtv`@ozVxv+$!?0*5=T#q9tbqfsI8^+$V0)k=nw zp8KgCD8&B>>JDGenF2k6`8Mw7?&@4Wjs5GX{CTKaiR1^Vz+kcF)*&;BWJ+u+4b(?_*F%{tv3uZGoD)S{C`6YT^ZGP6*fHFu`gb2xN(C_(rZG2{ zPBt&=Kv--Du|#`gzKq(9SI;T8VL#JC%N8ZxV{4VGq-mNLXJWDNy2`UIi!(!@!R66# zGlsx=XOHqO$_fkE{j-qiXB;EJY;g~JrDRJ+^T37^Xf=a zxsxVFb+xU>-9Ra$&_%D<;M9tY-^%^9k%(CK3RL@p&gwXXv-9IPO+raT2%T#)h23=* zz_o@({i*tOfm?x2!Sm-Iki}V=hqClhK#C~byYkPHOQ0Vlp?uQ*B35@_l!RY~MaEfp zObo9n_PdCW8t8${xy)WOW$3LhiR$y|{c4wJp^fX{vC%~?eLK8-ymHdkz4d}gQ|eB{%=~?@O7JHeLCsNT{U`OsdnccZEpm#Q1yT;E*xV0XfRDkaba=y z>2DUuG#aNq;M&mp2>v)5(?c(as2I#hqQpqW!di!(fIffjXS%w7BvcuHIWC9>iVtt_ z7DBB)bQabYQ-imq04n*}erQHnjjGqqG`Ah~QY)ufEZTWhjCHoAhF0SXa>MQgynzQ8 zV6p3cEY}1$;0W`~Un$;>@s<-EZwAnW=a@G@Y!ev7P6UzaYr!i%B0vA;yN*^NO4m%9 zq!m#pRWStF6IRCTKR9oYwNGthY-8FrgE_>ed_#2sZgynhaE zn+{lLGO58t?>jT$FT(VPS>f0}9jnNFg68_aa7~!Nt2PjT|3oKAcKov|`+phL|7rf) 
z(0|6Hno0r=uZl0e`rjpN?BPx~7nmRa)OIr5l>J4z6F7emV$TU5|10`wE)zTmoX9)> s)?4oF94h}pHWGjdgn#hwR;l{<3ZSrE@c-fPHZ=k0j@_RmDj*{I55K(vvH$=8 literal 0 HcmV?d00001 diff --git a/test/test_data/zchunk.py b/test/test_data/zchunk.py new file mode 100644 index 0000000000..428bdfd4cb --- /dev/null +++ b/test/test_data/zchunk.py @@ -0,0 +1,20 @@ +# Copyright (C) 2023 Orange +# SPDX-License-Identifier: GPL-3.0-or-later + +mapping_test_data = [ + {"product": "zchunk", "version": "1.1.9", "version_strings": ["zchunk 1.1.9"]} +] +package_test_data = [ + { + "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/z/", + "package_name": "zchunk-1.3.2-1.fc40.aarch64.rpm", + "product": "zchunk", + "version": "1.3.2", + }, + { + "url": "http://ftp.fr.debian.org/debian/pool/main/z/zchunk/", + "package_name": "zchunk_1.1.9+ds1-1_amd64.deb", + "product": "zchunk", + "version": "1.1.9", + }, +] From 5ad3ab1ba7afdf20b93eb10d43a0cbf9292a56e4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 10:42:42 -0700 Subject: [PATCH 6/8] chore: update SBOM for Python 3.9 (#3484) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.9.json | 44 ++++++++++++++++++------------------ sbom/cve-bin-tool-py3.9.spdx | 44 ++++++++++++++++++------------------ 2 files changed, 44 insertions(+), 44 deletions(-) diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json index d135a0a590..c3e87d677c 100644 --- a/sbom/cve-bin-tool-py3.9.json +++ b/sbom/cve-bin-tool-py3.9.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:138db72d-e281-405e-8689-ac86afcc138c", + "serialNumber": "urn:uuid:49e5ab23-133b-4db2-9fa2-6bb79a50ff57", "version": 1, "metadata": { - "timestamp": "2023-10-23T00:27:12Z", + "timestamp": "2023-10-30T00:26:16Z", "tools": { "components": [ { 
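Review bot: Both `url` entries in `package_test_data` use plain `http://` (`rpmfind.net` and `ftp.fr.debian.org`), so the package test retrieves its fixtures over an unauthenticated channel; if the mirrors serve the same paths over `https://`, that should be the default, especially for a CVE scanner's own test suite. The rawhide path `.../development/rawhide/Everything/aarch64/os/Packages/z/` is a rolling tree, so `zchunk-1.3.2-1.fc40.aarch64.rpm` will presumably vanish once Fedora rebuilds the package and the test will then fail on download rather than on a real regression; a pinned release tree or an archive mirror is more stable. Whether the harness falls back to the checked-in `test/condensed-downloads/` tarballs when the URL is gone is not visible here.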
@@ -506,7 +506,7 @@ "type": "library", "bom-ref": "16-gsutil", "name": "gsutil", - "version": "5.26", + "version": "5.27", "supplier": { "name": "Google Inc .", "contact": [ @@ -515,7 +515,7 @@ } ] }, - "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*", "description": "A command line tool for interacting with cloud storage services.", "licenses": [ { @@ -527,12 +527,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/gsutil/5.26", + "url": "https://pypi.org/project/gsutil/5.27", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/gsutil@5.26", + "purl": "pkg:pypi/gsutil@5.27", "properties": [ { "name": "License Comments", @@ -1021,7 +1021,7 @@ "type": "library", "bom-ref": "31-pyopenssl", "name": "pyopenssl", - "version": "23.2.0", + "version": "23.3.0", "supplier": { "name": "The pyOpenSSL developers", "contact": [ @@ -1030,7 +1030,7 @@ } ] }, - "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:*", "description": "Python wrapper module around the OpenSSL library", "licenses": [ { @@ -1042,12 +1042,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/pyOpenSSL/23.2.0", + "url": "https://pypi.org/project/pyOpenSSL/23.3.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/pyopenssl@23.2.0", + "purl": "pkg:pypi/pyopenssl@23.3.0", "properties": [ { "name": "License Comments", @@ -1059,7 +1059,7 @@ "type": "library", "bom-ref": "32-cryptography", "name": "cryptography", - "version": "41.0.4", + "version": "41.0.5", "supplier": { "name": "The Python Cryptographic Authority and individual contributors", "contact": [ 
@@ -1068,7 +1068,7 @@ } ] }, - "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:*", "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.", "licenses": [ { @@ -1077,12 +1077,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cryptography/41.0.4", + "url": "https://pypi.org/project/cryptography/41.0.5", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cryptography@41.0.4" + "purl": "pkg:pypi/cryptography@41.0.5" }, { "type": "library", @@ -1266,7 +1266,7 @@ "type": "library", "bom-ref": "38-cachetools", "name": "cachetools", - "version": "5.3.1", + "version": "5.3.2", "supplier": { "name": "Thomas Kemmer", "contact": [ @@ -1275,7 +1275,7 @@ } ] }, - "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:*", "description": "Extensible memoizing collections and decorators", "licenses": [ { @@ -1287,12 +1287,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cachetools/5.3.1", + "url": "https://pypi.org/project/cachetools/5.3.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cachetools@5.3.1" + "purl": "pkg:pypi/cachetools@5.3.2" }, { "type": "library", @@ -1715,7 +1715,7 @@ "type": "library", "bom-ref": "53-plotly", "name": "plotly", - "version": "5.17.0", + "version": "5.18.0", "supplier": { "name": "Chris P", "contact": [ @@ -1724,7 +1724,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { 
@@ -1736,12 +1736,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.17.0", + "url": "https://pypi.org/project/plotly/5.18.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.17.0" + "purl": "pkg:pypi/plotly@5.18.0" }, { "type": "library", diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx index 8d59ebda6d..e62ee87320 100644 --- a/sbom/cve-bin-tool-py3.9.spdx +++ b/sbom/cve-bin-tool-py3.9.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-44fef178-29ca-49aa-a90e-4e9fa1d6ed6d +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-156d1333-107b-45f2-9bab-245ab3e876cb LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-10-23T00:25:18Z +Created: 2023-10-30T00:24:47Z CreatorComment: This document has been automatically generated. ##### 
@@ -240,18 +240,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:* PackageName: gsutil SPDXID: SPDXRef-Package-16-gsutil -PackageVersion: 5.26 +PackageVersion: 5.27 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com) -PackageDownloadLocation: https://pypi.org/project/gsutil/5.26 +PackageDownloadLocation: https://pypi.org/project/gsutil/5.27 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A command line tool for interacting with cloud storage services. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.27 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:* ##### PackageName: argcomplete 
@@ -473,33 +473,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sybren_a._stuvel:rsa:4.7.2:*:*:*:*:*:* PackageName: pyopenssl SPDXID: SPDXRef-Package-31-pyopenssl -PackageVersion: 23.2.0 +PackageVersion: 23.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The pyOpenSSL developers (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.2.0 +PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.3.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: pyOpenSSL declares Apache License, Version 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Python wrapper module around the OpenSSL library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:* ##### PackageName: cryptography SPDXID: SPDXRef-Package-32-cryptography -PackageVersion: 41.0.4 +PackageVersion: 41.0.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4 +PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.5 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause PackageCopyrightText: NOASSERTION PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. 
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.5 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:* ##### PackageName: cffi @@ -582,17 +582,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23 PackageName: cachetools SPDXID: SPDXRef-Package-38-cachetools -PackageVersion: 5.3.1 +PackageVersion: 5.3.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Thomas Kemmer (tkemmer@computer.org) -PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.1 +PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.2 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Extensible memoizing collections and decorators -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:* ##### PackageName: monotonic 
@@ -809,17 +809,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut PackageName: plotly SPDXID: SPDXRef-Package-53-plotly -PackageVersion: 5.17.0 +PackageVersion: 5.18.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.18.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.18.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:* ##### PackageName: tenacity From 78565a4accf2b0ce7d6efe326a714994ce6cad47 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 10:43:18 -0700 Subject: [PATCH 7/8] chore: update SBOM for Python 3.10 (#3483) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.10.json | 44 +++++++++++++++++------------------ sbom/cve-bin-tool-py3.10.spdx | 44 +++++++++++++++++------------------ 2 files changed, 44 insertions(+), 44 deletions(-) diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json index 7d755743f6..a4f2c46d4d 100644 --- a/sbom/cve-bin-tool-py3.10.json +++ b/sbom/cve-bin-tool-py3.10.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:e5ac966f-751e-4e0c-9940-5db28eba09b6", + "serialNumber": "urn:uuid:11282881-19c0-4924-87ee-2ee2b2e5d6bf", "version": 1, "metadata": { - "timestamp": "2023-10-23T00:26:34Z", + "timestamp": "2023-10-30T00:25:51Z", "tools": { "components": [ { 
@@ -506,7 +506,7 @@ "type": "library", "bom-ref": "16-gsutil", "name": "gsutil", - "version": "5.26", + "version": "5.27", "supplier": { "name": "Google Inc .", "contact": [ @@ -515,7 +515,7 @@ } ] }, - "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*", "description": "A command line tool for interacting with cloud storage services.", "licenses": [ { @@ -527,12 +527,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/gsutil/5.26", + "url": "https://pypi.org/project/gsutil/5.27", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/gsutil@5.26", + "purl": "pkg:pypi/gsutil@5.27", "properties": [ { "name": "License Comments", @@ -1021,7 +1021,7 @@ "type": "library", "bom-ref": "31-pyopenssl", "name": "pyopenssl", - "version": "23.2.0", + "version": "23.3.0", "supplier": { "name": "The pyOpenSSL developers", "contact": [ @@ -1030,7 +1030,7 @@ } ] }, - "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:*", "description": "Python wrapper module around the OpenSSL library", "licenses": [ { @@ -1042,12 +1042,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/pyOpenSSL/23.2.0", + "url": "https://pypi.org/project/pyOpenSSL/23.3.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/pyopenssl@23.2.0", + "purl": "pkg:pypi/pyopenssl@23.3.0", "properties": [ { "name": "License Comments", @@ -1059,7 +1059,7 @@ "type": "library", "bom-ref": "32-cryptography", "name": "cryptography", - "version": "41.0.4", + "version": "41.0.5", "supplier": { "name": "The Python Cryptographic Authority and individual contributors", "contact": [ 
@@ -1068,7 +1068,7 @@ } ] }, - "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:*", "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.", "licenses": [ { @@ -1077,12 +1077,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cryptography/41.0.4", + "url": "https://pypi.org/project/cryptography/41.0.5", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cryptography@41.0.4" + "purl": "pkg:pypi/cryptography@41.0.5" }, { "type": "library", @@ -1266,7 +1266,7 @@ "type": "library", "bom-ref": "38-cachetools", "name": "cachetools", - "version": "5.3.1", + "version": "5.3.2", "supplier": { "name": "Thomas Kemmer", "contact": [ @@ -1275,7 +1275,7 @@ } ] }, - "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:*", "description": "Extensible memoizing collections and decorators", "licenses": [ { @@ -1287,12 +1287,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cachetools/5.3.1", + "url": "https://pypi.org/project/cachetools/5.3.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cachetools@5.3.1" + "purl": "pkg:pypi/cachetools@5.3.2" }, { "type": "library", @@ -1667,7 +1667,7 @@ "type": "library", "bom-ref": "51-plotly", "name": "plotly", - "version": "5.17.0", + "version": "5.18.0", "supplier": { "name": "Chris P", "contact": [ @@ -1676,7 +1676,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { 
@@ -1688,12 +1688,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.17.0", + "url": "https://pypi.org/project/plotly/5.18.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.17.0" + "purl": "pkg:pypi/plotly@5.18.0" }, { "type": "library", diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx index 0a5611f4c6..68f0a380ed 100644 --- a/sbom/cve-bin-tool-py3.10.spdx +++ b/sbom/cve-bin-tool-py3.10.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-e56edda7-59a7-425c-aef1-943456c21d03 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-a5211367-a3cc-462e-92ba-689359343aa7 LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-10-23T00:25:01Z +Created: 2023-10-30T00:24:33Z CreatorComment: This document has been automatically generated. ##### 
@@ -240,18 +240,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:* PackageName: gsutil SPDXID: SPDXRef-Package-16-gsutil -PackageVersion: 5.26 +PackageVersion: 5.27 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com) -PackageDownloadLocation: https://pypi.org/project/gsutil/5.26 +PackageDownloadLocation: https://pypi.org/project/gsutil/5.27 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A command line tool for interacting with cloud storage services. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.27 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:* ##### PackageName: argcomplete 
@@ -473,33 +473,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sybren_a._stuvel:rsa:4.7.2:*:*:*:*:*:* PackageName: pyopenssl SPDXID: SPDXRef-Package-31-pyopenssl -PackageVersion: 23.2.0 +PackageVersion: 23.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The pyOpenSSL developers (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.2.0 +PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.3.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: pyOpenSSL declares Apache License, Version 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Python wrapper module around the OpenSSL library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:* ##### PackageName: cryptography SPDXID: SPDXRef-Package-32-cryptography -PackageVersion: 41.0.4 +PackageVersion: 41.0.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4 +PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.5 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause PackageCopyrightText: NOASSERTION PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. 
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.5 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:* ##### PackageName: cffi @@ -582,17 +582,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23 PackageName: cachetools SPDXID: SPDXRef-Package-38-cachetools -PackageVersion: 5.3.1 +PackageVersion: 5.3.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Thomas Kemmer (tkemmer@computer.org) -PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.1 +PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.2 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Extensible memoizing collections and decorators -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:* ##### PackageName: monotonic 
@@ -779,17 +779,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut PackageName: plotly SPDXID: SPDXRef-Package-51-plotly -PackageVersion: 5.17.0 +PackageVersion: 5.18.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.18.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.18.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:* ##### PackageName: tenacity From 9459c053bedc4758dad12373f5520242608e9149 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 10:43:54 -0700 Subject: [PATCH 8/8] chore: update SBOM for Python 3.11 (#3446) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.11.json | 60 +++++++++++++++++------------------ sbom/cve-bin-tool-py3.11.spdx | 60 +++++++++++++++++------------------ 2 files changed, 60 insertions(+), 60 deletions(-) diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json index 22b452581f..f8f23688fa 100644 --- a/sbom/cve-bin-tool-py3.11.json +++ b/sbom/cve-bin-tool-py3.11.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:d207333a-18dd-4549-9979-6b7f093bf0f4", + "serialNumber": "urn:uuid:fd540fe5-735c-4d5a-add6-70ce9991d205", "version": 1, "metadata": { - "timestamp": "2023-10-16T00:26:13Z", + "timestamp": "2023-10-30T00:27:00Z", "tools": { "components": [ { 
@@ -218,7 +218,7 @@ "type": "library", "bom-ref": "7-charset-normalizer", "name": "charset-normalizer", - "version": "3.3.0", + "version": "3.3.1", "supplier": { "name": "Ahmed TAHRI", "contact": [ @@ -227,7 +227,7 @@ } ] }, - "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.1:*:*:*:*:*:*:*", "description": "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.", "licenses": [ { @@ -239,12 +239,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/charset-normalizer/3.3.0", + "url": "https://pypi.org/project/charset-normalizer/3.3.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/charset-normalizer@3.3.0" + "purl": "pkg:pypi/charset-normalizer@3.3.1" }, { "type": "library", @@ -506,7 +506,7 @@ "type": "library", "bom-ref": "16-gsutil", "name": "gsutil", - "version": "5.26", + "version": "5.27", "supplier": { "name": "Google Inc .", "contact": [ @@ -515,7 +515,7 @@ } ] }, - "cpe": "cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:*", "description": "A command line tool for interacting with cloud storage services.", "licenses": [ { @@ -527,12 +527,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/gsutil/5.26", + "url": "https://pypi.org/project/gsutil/5.27", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/gsutil@5.26", + "purl": "pkg:pypi/gsutil@5.27", "properties": [ { "name": "License Comments", @@ -1021,7 +1021,7 @@ "type": "library", "bom-ref": "31-pyopenssl", "name": "pyopenssl", - "version": "23.2.0", + "version": "23.3.0", "supplier": { "name": "The pyOpenSSL developers", "contact": [ 
@@ -1030,7 +1030,7 @@ } ] }, - "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:*", "description": "Python wrapper module around the OpenSSL library", "licenses": [ { @@ -1042,12 +1042,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/pyOpenSSL/23.2.0", + "url": "https://pypi.org/project/pyOpenSSL/23.3.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/pyopenssl@23.2.0", + "purl": "pkg:pypi/pyopenssl@23.3.0", "properties": [ { "name": "License Comments", @@ -1059,7 +1059,7 @@ "type": "library", "bom-ref": "32-cryptography", "name": "cryptography", - "version": "41.0.4", + "version": "41.0.5", "supplier": { "name": "The Python Cryptographic Authority and individual contributors", "contact": [ @@ -1068,7 +1068,7 @@ } ] }, - "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:*", "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.", "licenses": [ { @@ -1077,12 +1077,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cryptography/41.0.4", + "url": "https://pypi.org/project/cryptography/41.0.5", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cryptography@41.0.4" + "purl": "pkg:pypi/cryptography@41.0.5" }, { "type": "library", @@ -1266,7 +1266,7 @@ "type": "library", "bom-ref": "38-cachetools", "name": "cachetools", - "version": "5.3.1", + "version": "5.3.2", "supplier": { "name": "Thomas Kemmer", "contact": [ 
@@ -1275,7 +1275,7 @@ } ] }, - "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:*", "description": "Extensible memoizing collections and decorators", "licenses": [ { @@ -1287,12 +1287,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cachetools/5.3.1", + "url": "https://pypi.org/project/cachetools/5.3.2", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cachetools@5.3.1" + "purl": "pkg:pypi/cachetools@5.3.2" }, { "type": "library", @@ -1667,7 +1667,7 @@ "type": "library", "bom-ref": "51-plotly", "name": "plotly", - "version": "5.17.0", + "version": "5.18.0", "supplier": { "name": "Chris P", "contact": [ @@ -1676,7 +1676,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -1688,12 +1688,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.17.0", + "url": "https://pypi.org/project/plotly/5.18.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.17.0" + "purl": "pkg:pypi/plotly@5.18.0" }, { "type": "library", @@ -1845,7 +1845,7 @@ "type": "library", "bom-ref": "56-urllib3", "name": "urllib3", - "version": "2.0.6", + "version": "2.0.7", "supplier": { "name": "Andrey Petrov", "contact": [ 
@@ -1854,16 +1854,16 @@ } ] }, - "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.7:*:*:*:*:*:*:*", "description": "HTTP library with thread-safe connection pooling, file post, and more.", "externalReferences": [ { - "url": "https://pypi.org/project/urllib3/2.0.6", + "url": "https://pypi.org/project/urllib3/2.0.7", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/urllib3@2.0.6" + "purl": "pkg:pypi/urllib3@2.0.7" }, { "type": "library", diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx index bb72066385..d657e274c4 100644 --- a/sbom/cve-bin-tool-py3.11.spdx +++ b/sbom/cve-bin-tool-py3.11.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-1630fc55-0869-4565-9fcd-5a9c2c3c3614 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-30721e1b-1104-43e5-8cca-937adefb7d03 LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-10-16T00:24:59Z +Created: 2023-10-30T00:25:17Z CreatorComment: This document has been automatically generated. ##### 
@@ -101,17 +101,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:23.1.0:*:*:*:*:* PackageName: charset-normalizer SPDXID: SPDXRef-Package-7-charset-normalizer -PackageVersion: 3.3.0 +PackageVersion: 3.3.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Ahmed TAHRI (ahmed.tahri@cloudnursery.dev) -PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.3.0 +PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.3.1 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.3.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/charset-normalizer@3.3.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_tahri:charset-normalizer:3.3.1:*:*:*:*:*:*:* ##### PackageName: multidict 
@@ -240,18 +240,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:nir_cohen:distro:1.8.0:*:*:*:*:*:*:* PackageName: gsutil SPDXID: SPDXRef-Package-16-gsutil -PackageVersion: 5.26 +PackageVersion: 5.27 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com) -PackageDownloadLocation: https://pypi.org/project/gsutil/5.26 +PackageDownloadLocation: https://pypi.org/project/gsutil/5.27 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: A command line tool for interacting with cloud storage services. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.26 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.26:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.27 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.27:*:*:*:*:*:*:* ##### PackageName: argcomplete 
@@ -473,33 +473,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sybren_a._stuvel:rsa:4.7.2:*:*:*:*:*:* PackageName: pyopenssl SPDXID: SPDXRef-Package-31-pyopenssl -PackageVersion: 23.2.0 +PackageVersion: 23.3.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The pyOpenSSL developers (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.2.0 +PackageDownloadLocation: https://pypi.org/project/pyOpenSSL/23.3.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: pyOpenSSL declares Apache License, Version 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Python wrapper module around the OpenSSL library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.2.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.2.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyopenssl@23.3.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:23.3.0:*:*:*:*:*:*:* ##### PackageName: cryptography SPDXID: SPDXRef-Package-32-cryptography -PackageVersion: 41.0.4 +PackageVersion: 41.0.5 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org) -PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.4 +PackageDownloadLocation: https://pypi.org/project/cryptography/41.0.5 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause PackageCopyrightText: NOASSERTION PackageSummary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. 
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cryptography@41.0.5 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_python_cryptographic_authority_and_individual_contributors:cryptography:41.0.5:*:*:*:*:*:*:* ##### PackageName: cffi @@ -582,17 +582,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth:2.23 PackageName: cachetools SPDXID: SPDXRef-Package-38-cachetools -PackageVersion: 5.3.1 +PackageVersion: 5.3.2 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Thomas Kemmer (tkemmer@computer.org) -PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.1 +PackageDownloadLocation: https://pypi.org/project/cachetools/5.3.2 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Extensible memoizing collections and decorators -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/cachetools@5.3.2 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.3.2:*:*:*:*:*:*:* ##### PackageName: monotonic 
@@ -779,17 +779,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut PackageName: plotly SPDXID: SPDXRef-Package-51-plotly -PackageVersion: 5.17.0 +PackageVersion: 5.18.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.17.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.18.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.17.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.17.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.18.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.18.0:*:*:*:*:*:*:* ##### PackageName: tenacity @@ -857,17 +857,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*: PackageName: urllib3 SPDXID: SPDXRef-Package-56-urllib3 -PackageVersion: 2.0.6 +PackageVersion: 2.0.7 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net) -PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6 +PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.7 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: HTTP library with thread-safe connection pooling, file post, and more. -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.7 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.7:*:*:*:*:*:*:* ##### PackageName: rich