chore: update SBOM for Python 3.10 (#4426)

Co-authored-by: GitHub <noreply@github.com>
intel · Sep 9, 2024 · cc7d140 · cc7d140
1 parent aad8ae9
commit cc7d140
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 59 deletions.
diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:54f89c33-a2a1-4926-b839-2599401ff6fe",
+  "serialNumber": "urn:uuid:f0863954-72a3-495f-a132-02cb8af709ed",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-09-02T00:35:34Z",
+    "timestamp": "2024-09-09T00:38:12Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -31,7 +31,7 @@
       "type": "application",
       "bom-ref": "1-cve-bin-tool",
       "name": "cve-bin-tool",
-      "version": "3.4rc1",
+      "version": "3.4",
       "supplier": {
         "name": "Terri Oda",
         "contact": [
@@ -40,7 +40,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4:*:*:*:*:*:*:*",
       "description": "CVE Binary Checker Tool",
       "licenses": [
         {
@@ -53,12 +53,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/cve-bin-tool/3.4rc1",
+          "url": "https://pypi.org/project/cve-bin-tool/3.4",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/cve-bin-tool@3.4rc1",
+      "purl": "pkg:pypi/cve-bin-tool@3.4",
       "properties": [
         {
           "name": "language",
@@ -362,7 +362,7 @@
       "type": "library",
       "bom-ref": "9-yarl",
       "name": "yarl",
-      "version": "1.9.7",
+      "version": "1.11.0",
       "supplier": {
         "name": "Andrew Svetlov",
         "contact": [
@@ -371,7 +371,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.11.0:*:*:*:*:*:*:*",
       "description": "Yet another URL library",
       "licenses": [
         {
@@ -384,12 +384,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/yarl/1.9.7",
+          "url": "https://pypi.org/project/yarl/1.11.0",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/yarl@1.9.7",
+      "purl": "pkg:pypi/yarl@1.11.0",
       "properties": [
         {
           "name": "language",
@@ -522,7 +522,7 @@
       "type": "library",
       "bom-ref": "13-cvss",
       "name": "cvss",
-      "version": "3.1",
+      "version": "3.2",
       "supplier": {
         "name": "Stanislav Red Hat Product Security",
         "contact": [
@@ -531,14 +531,8 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:*",
       "description": "CVSS2/3/4 library with interactive calculator for Python 2 and Python 3",
-      "hashes": [
-        {
-          "alg": "SHA-1",
-          "content": "e4cf69bea6bcfa1cbc38dca13b9ec8bf3363a475"
-        }
-      ],
       "licenses": [
         {
           "license": {
@@ -550,12 +544,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/cvss/3.1",
+          "url": "https://pypi.org/project/cvss/3.2",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/cvss@3.1",
+      "purl": "pkg:pypi/cvss@3.2",
       "properties": [
         {
           "name": "language",
@@ -1580,7 +1574,7 @@
       "type": "library",
       "bom-ref": "36-cryptography",
       "name": "cryptography",
-      "version": "43.0.0",
+      "version": "43.0.1",
       "supplier": {
         "name": "The cryptography developers The Python Cryptographic Authority and individual contributors",
         "contact": [
@@ -1589,7 +1583,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:43.0.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:43.0.1:*:*:*:*:*:*:*",
       "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.",
       "licenses": [
         {
@@ -1598,12 +1592,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/cryptography/43.0.0",
+          "url": "https://pypi.org/project/cryptography/43.0.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/cryptography@43.0.0",
+      "purl": "pkg:pypi/cryptography@43.0.1",
       "properties": [
         {
           "name": "language",
@@ -1619,7 +1613,7 @@
       "type": "library",
       "bom-ref": "37-cffi",
       "name": "cffi",
-      "version": "1.17.0",
+      "version": "1.17.1",
       "supplier": {
         "name": "Armin Maciej Fijalkowski",
         "contact": [
@@ -1628,7 +1622,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.17.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.17.1:*:*:*:*:*:*:*",
       "description": "Foreign Function Interface for Python calling C code.",
       "licenses": [
         {
@@ -1641,12 +1635,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/cffi/1.17.0",
+          "url": "https://pypi.org/project/cffi/1.17.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/cffi@1.17.0",
+      "purl": "pkg:pypi/cffi@1.17.1",
       "properties": [
         {
           "name": "language",
@@ -2920,7 +2914,7 @@
       "type": "library",
       "bom-ref": "67-setuptools",
       "name": "setuptools",
-      "version": "74.0.0",
+      "version": "74.1.2",
       "supplier": {
         "name": "Python Packaging Authority",
         "contact": [
@@ -2929,16 +2923,16 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:74.1.2:*:*:*:*:*:*:*",
       "description": "Easily download, build, install, upgrade, and uninstall Python packages",
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/setuptools/74.0.0",
+          "url": "https://pypi.org/project/setuptools/74.1.2",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/setuptools@74.0.0",
+      "purl": "pkg:pypi/setuptools@74.1.2",
       "properties": [
         {
           "name": "language",

diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx
@@ -2,26 +2,26 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-a62995ad-3aeb-4e13-9e6a-812e4226470c
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-90208a36-79fa-4a19-993d-5c3096d4d517
 LicenseListVersion: 3.22
 Creator: Tool: sbom4python-0.11.1
-Created: 2024-09-02T00:34:20Z
+Created: 2024-09-09T00:36:57Z
 CreatorComment: <text>This document has been automatically generated.</text>
 ##### 
 
 PackageName: cve-bin-tool
 SPDXID: SPDXRef-Package-1-cve-bin-tool
-PackageVersion: 3.4rc1
+PackageVersion: 3.4
 PrimaryPackagePurpose: APPLICATION
 PackageSupplier: Person: Terri Oda (terri.oda@intel.com)
-PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc1
+PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4
 FilesAnalyzed: false
 PackageLicenseDeclared: GPL-3.0-or-later
 PackageLicenseConcluded: GPL-3.0-or-later
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>CVE Binary Checker Tool</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4:*:*:*:*:*:*:*
 ##### 
 
 PackageName: aiohttp
@@ -136,17 +136,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.0.5:*:*:*:*
 
 PackageName: yarl
 SPDXID: SPDXRef-Package-9-yarl
-PackageVersion: 1.9.7
+PackageVersion: 1.11.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/yarl/1.9.7
+PackageDownloadLocation: https://pypi.org/project/yarl/1.11.0
 FilesAnalyzed: false
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Yet another URL library</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.7
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.11.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.11.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: idna
@@ -198,19 +198,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.6:*:*:*:*:*:*:*
 
 PackageName: cvss
 SPDXID: SPDXRef-Package-13-cvss
-PackageVersion: 3.1
+PackageVersion: 3.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Stanislav Red Hat Product Security (skontar@redhat.com)
-PackageDownloadLocation: https://pypi.org/project/cvss/3.1
+PackageDownloadLocation: https://pypi.org/project/cvss/3.2
 FilesAnalyzed: false
-PackageChecksum: SHA1: e4cf69bea6bcfa1cbc38dca13b9ec8bf3363a475
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: LGPL-3.0-or-later
 PackageLicenseComments: <text>cvss declares LGPLv3+ which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>CVSS2/3/4 library with interactive calculator for Python 2 and Python 3</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cvss@3.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:stanislav_red_hat_product_security:cvss:3.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: defusedxml
@@ -570,32 +569,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_pyopenssl_developers:pyopenssl:24.
 
 PackageName: cryptography
 SPDXID: SPDXRef-Package-36-cryptography
-PackageVersion: 43.0.0
+PackageVersion: 43.0.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: The cryptography developers The Python Cryptographic Authority and individual contributors (cryptography-dev@python.org)
-PackageDownloadLocation: https://pypi.org/project/cryptography/43.0.0
+PackageDownloadLocation: https://pypi.org/project/cryptography/43.0.1
 FilesAnalyzed: false
 PackageLicenseDeclared: Apache-2.0 OR BSD-3-Clause
 PackageLicenseConcluded: Apache-2.0 OR BSD-3-Clause
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>cryptography is a package which provides cryptographic recipes and primitives to Python developers.</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cryptography@43.0.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:43.0.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cryptography@43.0.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_cryptography_developers_the_python_cryptographic_authority_and_individual_contributors:cryptography:43.0.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: cffi
 SPDXID: SPDXRef-Package-37-cffi
-PackageVersion: 1.17.0
+PackageVersion: 1.17.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Armin Maciej Fijalkowski (python-cffi@googlegroups.com)
-PackageDownloadLocation: https://pypi.org/project/cffi/1.17.0
+PackageDownloadLocation: https://pypi.org/project/cffi/1.17.1
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Foreign Function Interface for Python calling C code.</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cffi@1.17.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.17.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cffi@1.17.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_maciej_fijalkowski:cffi:1.17.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: pycparser
@@ -1056,17 +1055,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:*
 
 PackageName: setuptools
 SPDXID: SPDXRef-Package-67-setuptools
-PackageVersion: 74.0.0
+PackageVersion: 74.1.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org)
-PackageDownloadLocation: https://pypi.org/project/setuptools/74.0.0
+PackageDownloadLocation: https://pypi.org/project/setuptools/74.1.2
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Easily download, build, install, upgrade, and uninstall Python packages</text>
-ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@74.0.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@74.1.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:74.1.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: toml