From 1834f63eac9dbdbaa2ea76ba25cb6b30948d0301 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:14:28 -0700 Subject: [PATCH 01/11] chore: update SBOM for Python 3.8 (#4409) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.8.json | 100 +++++++++++++++++------------------ sbom/cve-bin-tool-py3.8.spdx | 80 ++++++++++++++-------------- 2 files changed, 90 insertions(+), 90 deletions(-) diff --git a/sbom/cve-bin-tool-py3.8.json b/sbom/cve-bin-tool-py3.8.json index ab95503139..3fd83ca2ab 100644 --- a/sbom/cve-bin-tool-py3.8.json +++ b/sbom/cve-bin-tool-py3.8.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:78249e2c-ba6b-44f6-bf53-f4428b5dd43d", + "serialNumber": "urn:uuid:d87a674a-b387-4583-a4d4-bfed4fdfb862", "version": 1, "metadata": { - "timestamp": "2024-08-26T00:35:34Z", + "timestamp": "2024-09-02T00:36:17Z", "lifecycles": [ { "phase": "build" @@ -31,7 +31,7 @@ "type": "application", "bom-ref": "1-cve-bin-tool", "name": "cve-bin-tool", - "version": "3.4rc0", + "version": "3.4rc1", "supplier": { "name": "Terri Oda", "contact": [ @@ -40,7 +40,7 @@ } ] }, - "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:*", "description": "CVE Binary Checker Tool", "licenses": [ { @@ -53,12 +53,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cve-bin-tool/3.4rc0", + "url": "https://pypi.org/project/cve-bin-tool/3.4rc1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cve-bin-tool@3.4rc0", + "purl": "pkg:pypi/cve-bin-tool@3.4rc1", "properties": [ { "name": "language", 
@@ -119,6 +119,12 @@ }, "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.0:*:*:*:*:*:*:*", "description": "Happy Eyeballs for asyncio", + "hashes": [ + { + "alg": "SHA-1", + "content": "c31b127a69bdcd7895d1a521985d918061955348" + } + ], "licenses": [ { "license": { @@ -356,7 +362,7 @@ "type": "library", "bom-ref": "9-yarl", "name": "yarl", - "version": "1.9.4", + "version": "1.9.7", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -365,14 +371,8 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:*", "description": "Yet another URL library", - "hashes": [ - { - "alg": "SHA-1", - "content": "6362ff155ba02964a5e773927412f7cf4ca23cd1" - } - ], "licenses": [ { "license": { @@ -384,12 +384,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/yarl/1.9.4", + "url": "https://pypi.org/project/yarl/1.9.7", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/yarl@1.9.4", + "purl": "pkg:pypi/yarl@1.9.7", "properties": [ { "name": "language", @@ -416,6 +416,12 @@ }, "cpe": "cpe:2.3:a:kim_davies:idna:3.8:*:*:*:*:*:*:*", "description": "Internationalized Domain Names in Applications (IDNA)", + "hashes": [ + { + "alg": "SHA-1", + "content": "784c6f45c162db9709588124f2f1def5b70615ff" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/idna/3.8", @@ -1886,7 +1892,7 @@ "type": "library", "bom-ref": "43-zipp", "name": "zipp", - "version": "3.20.0", + "version": "3.20.1", "supplier": { "name": "Jason R .", "contact": [ 
@@ -1895,16 +1901,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.20.0", + "url": "https://pypi.org/project/zipp/3.20.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.20.0", + "purl": "pkg:pypi/zipp@3.20.1", "properties": [ { "name": "language", @@ -2208,7 +2214,7 @@ "type": "library", "bom-ref": "52-lib4sbom", "name": "lib4sbom", - "version": "0.7.3", + "version": "0.7.4", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2217,7 +2223,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { @@ -2230,12 +2236,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.7.3", + "url": "https://pypi.org/project/lib4sbom/0.7.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.7.3", + "purl": "pkg:pypi/lib4sbom@0.7.4", "properties": [ { "name": "language", @@ -2343,7 +2349,7 @@ "type": "library", "bom-ref": "55-lib4vex", "name": "lib4vex", - "version": "0.1.0", + "version": "0.2.0", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2352,14 +2358,8 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:*", "description": "VEX generator and consumer library", - "hashes": [ - { - "alg": "SHA-1", - "content": "84229c7770dd95cf887d6874e0203da4c8aa809b" - } - ], "licenses": [ { "license": { 
@@ -2371,12 +2371,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4vex/0.1.0", + "url": "https://pypi.org/project/lib4vex/0.2.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4vex@0.1.0", + "purl": "pkg:pypi/lib4vex@0.2.0", "properties": [ { "name": "language", @@ -2485,7 +2485,7 @@ "type": "library", "bom-ref": "58-rich", "name": "rich", - "version": "13.7.1", + "version": "13.8.0", "supplier": { "name": "Will McGugan", "contact": [ @@ -2494,7 +2494,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { @@ -2507,12 +2507,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rich/13.7.1", + "url": "https://pypi.org/project/rich/13.8.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.7.1", + "purl": "pkg:pypi/rich@13.8.0", "properties": [ { "name": "language", @@ -2725,7 +2725,7 @@ "type": "library", "bom-ref": "64-plotly", "name": "plotly", - "version": "5.23.0", + "version": "5.24.0", "supplier": { "name": "Chris P", "contact": [ @@ -2734,7 +2734,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -2747,12 +2747,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.23.0", + "url": "https://pypi.org/project/plotly/5.24.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.23.0", + "purl": "pkg:pypi/plotly@5.24.0", "properties": [ { "name": "language", 
@@ -2915,7 +2915,7 @@ "type": "library", "bom-ref": "68-certifi", "name": "certifi", - "version": "2024.7.4", + "version": "2024.8.30", "supplier": { "name": "Kenneth Reitz", "contact": [ @@ -2924,7 +2924,7 @@ } ] }, - "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:*", "description": "Python package for providing Mozilla's CA Bundle.", "licenses": [ { @@ -2937,12 +2937,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/certifi/2024.7.4", + "url": "https://pypi.org/project/certifi/2024.8.30", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/certifi@2024.7.4", + "purl": "pkg:pypi/certifi@2024.8.30", "properties": [ { "name": "language", @@ -3090,7 +3090,7 @@ "type": "library", "bom-ref": "72-setuptools", "name": "setuptools", - "version": "73.0.1", + "version": "74.0.0", "supplier": { "name": "Python Packaging Authority", "contact": [ @@ -3099,16 +3099,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/73.0.1", + "url": "https://pypi.org/project/setuptools/74.0.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@73.0.1", + "purl": "pkg:pypi/setuptools@74.0.0", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.8.spdx b/sbom/cve-bin-tool-py3.8.spdx index bdf945fcb4..9b46a3d149 100644 --- a/sbom/cve-bin-tool-py3.8.spdx +++ b/sbom/cve-bin-tool-py3.8.spdx 
@@ -2,26 +2,26 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-da6f8d35-e8b9-490e-bf04-c8364e3c55e7 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-36380a6d-1569-477d-a8b9-2881d984a8f1 LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.1 -Created: 2024-08-26T00:34:07Z +Created: 2024-09-02T00:34:50Z CreatorComment: This document has been automatically generated. ##### PackageName: cve-bin-tool SPDXID: SPDXRef-Package-1-cve-bin-tool -PackageVersion: 3.4rc0 +PackageVersion: 3.4rc1 PrimaryPackagePurpose: APPLICATION PackageSupplier: Person: Terri Oda (terri.oda@intel.com) -PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc0 +PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc1 FilesAnalyzed: false PackageLicenseDeclared: GPL-3.0-or-later PackageLicenseConcluded: GPL-3.0-or-later PackageCopyrightText: NOASSERTION PackageSummary: CVE Binary Checker Tool -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:* ##### PackageName: aiohttp @@ -46,6 +46,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: J. Nick Koston (nick@koston.org) PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.4.0 FilesAnalyzed: false +PackageChecksum: SHA1: c31b127a69bdcd7895d1a521985d918061955348 PackageLicenseDeclared: Python-2.0.1 PackageLicenseConcluded: Python-2.0.1 PackageCopyrightText: NOASSERTION 
@@ -135,18 +136,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.0.5:*:*:*:* PackageName: yarl SPDXID: SPDXRef-Package-9-yarl -PackageVersion: 1.9.4 +PackageVersion: 1.9.7 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/yarl/1.9.4 +PackageDownloadLocation: https://pypi.org/project/yarl/1.9.7 FilesAnalyzed: false -PackageChecksum: SHA1: 6362ff155ba02964a5e773927412f7cf4ca23cd1 PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Yet another URL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.7 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:* ##### PackageName: idna @@ -156,6 +156,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kim Davies (kim+pypi@gumleaf.org) PackageDownloadLocation: https://pypi.org/project/idna/3.8 FilesAnalyzed: false +PackageChecksum: SHA1: 784c6f45c162db9709588124f2f1def5b70615ff PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -680,17 +681,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:importlib-metadata:8.4.0:*:*: PackageName: zipp SPDXID: SPDXRef-Package-43-zipp -PackageVersion: 3.20.0 +PackageVersion: 3.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) -PackageDownloadLocation: https://pypi.org/project/zipp/3.20.0 +PackageDownloadLocation: https://pypi.org/project/zipp/3.20.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Backport of pathlib-compatible object wrapper for zip files -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:* ##### PackageName: importlib-resources @@ -816,17 +817,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:pkgutil-resolve-name:1.3.1 PackageName: lib4sbom SPDXID: SPDXRef-Package-52-lib4sbom -PackageVersion: 0.7.3 +PackageVersion: 0.7.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.3 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.4 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:* ##### PackageName: pyyaml 
@@ -863,18 +864,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10. PackageName: lib4vex SPDXID: SPDXRef-Package-55-lib4vex -PackageVersion: 0.1.0 +PackageVersion: 0.2.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4vex/0.1.0 +PackageDownloadLocation: https://pypi.org/project/lib4vex/0.2.0 FilesAnalyzed: false -PackageChecksum: SHA1: 84229c7770dd95cf887d6874e0203da4c8aa809b PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: VEX generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.1.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.2.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:* ##### PackageName: csaf-tool @@ -911,17 +911,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-Package-58-rich -PackageVersion: 13.7.1 +PackageVersion: 13.8.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.7.1 +PackageDownloadLocation: https://pypi.org/project/rich/13.8.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.7.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.8.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:* ##### PackageName: markdown-it-py 
@@ -1004,17 +1004,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:* PackageName: plotly SPDXID: SPDXRef-Package-64-plotly -PackageVersion: 5.23.0 +PackageVersion: 5.24.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.23.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.24.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.23.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.24.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:* ##### PackageName: tenacity @@ -1069,17 +1069,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:requests:2.32.3:*:*:*:*: PackageName: certifi SPDXID: SPDXRef-Package-68-certifi -PackageVersion: 2024.7.4 +PackageVersion: 2024.8.30 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kenneth Reitz (me@kennethreitz.com) -PackageDownloadLocation: https://pypi.org/project/certifi/2024.7.4 +PackageDownloadLocation: https://pypi.org/project/certifi/2024.8.30 FilesAnalyzed: false PackageLicenseDeclared: MPL-2.0 PackageLicenseConcluded: MPL-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Python package for providing Mozilla's CA Bundle. -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.7.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.8.30 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:* ##### PackageName: charset-normalizer 
@@ -1131,17 +1131,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-Package-72-setuptools -PackageVersion: 73.0.1 +PackageVersion: 74.0.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/73.0.1 +PackageDownloadLocation: https://pypi.org/project/setuptools/74.0.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@73.0.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@74.0.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:* ##### PackageName: toml From cda104ae9cc98c78a73ac116ec0556f6088df0a6 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:42:35 -0700 Subject: [PATCH 02/11] chore: update SBOM for Python 3.9 (#4410) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.9.json | 100 +++++++++++++++++------------------ sbom/cve-bin-tool-py3.9.spdx | 80 ++++++++++++++-------------- 2 files changed, 90 insertions(+), 90 deletions(-) diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json index d37e15b7ac..79e6981159 100644 --- a/sbom/cve-bin-tool-py3.9.json +++ b/sbom/cve-bin-tool-py3.9.json 
@@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:d9b39d3b-6c3f-40c2-92f5-0cb2db8e77c6", + "serialNumber": "urn:uuid:50bfa9df-b444-48d3-8555-5cf0b55b4651", "version": 1, "metadata": { - "timestamp": "2024-08-26T00:36:59Z", + "timestamp": "2024-09-02T00:36:44Z", "lifecycles": [ { "phase": "build" @@ -31,7 +31,7 @@ "type": "application", "bom-ref": "1-cve-bin-tool", "name": "cve-bin-tool", - "version": "3.4rc0", + "version": "3.4rc1", "supplier": { "name": "Terri Oda", "contact": [ @@ -40,7 +40,7 @@ } ] }, - "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:*", "description": "CVE Binary Checker Tool", "licenses": [ { @@ -53,12 +53,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cve-bin-tool/3.4rc0", + "url": "https://pypi.org/project/cve-bin-tool/3.4rc1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cve-bin-tool@3.4rc0", + "purl": "pkg:pypi/cve-bin-tool@3.4rc1", "properties": [ { "name": "language", @@ -119,6 +119,12 @@ }, "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.0:*:*:*:*:*:*:*", "description": "Happy Eyeballs for asyncio", + "hashes": [ + { + "alg": "SHA-1", + "content": "c31b127a69bdcd7895d1a521985d918061955348" + } + ], "licenses": [ { "license": { @@ -356,7 +362,7 @@ "type": "library", "bom-ref": "9-yarl", "name": "yarl", - "version": "1.9.4", + "version": "1.9.7", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -365,14 +371,8 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:*", "description": "Yet another URL library", - "hashes": [ - { - "alg": "SHA-1", - "content": "6362ff155ba02964a5e773927412f7cf4ca23cd1" - } - ], "licenses": [ { "license": { 
@@ -384,12 +384,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/yarl/1.9.4", + "url": "https://pypi.org/project/yarl/1.9.7", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/yarl@1.9.4", + "purl": "pkg:pypi/yarl@1.9.7", "properties": [ { "name": "language", @@ -416,6 +416,12 @@ }, "cpe": "cpe:2.3:a:kim_davies:idna:3.8:*:*:*:*:*:*:*", "description": "Internationalized Domain Names in Applications (IDNA)", + "hashes": [ + { + "alg": "SHA-1", + "content": "784c6f45c162db9709588124f2f1def5b70615ff" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/idna/3.8", @@ -1886,7 +1892,7 @@ "type": "library", "bom-ref": "43-zipp", "name": "zipp", - "version": "3.20.0", + "version": "3.20.1", "supplier": { "name": "Jason R .", "contact": [ @@ -1895,16 +1901,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.20.0", + "url": "https://pypi.org/project/zipp/3.20.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.20.0", + "purl": "pkg:pypi/zipp@3.20.1", "properties": [ { "name": "language", @@ -2140,7 +2146,7 @@ "type": "library", "bom-ref": "50-lib4sbom", "name": "lib4sbom", - "version": "0.7.3", + "version": "0.7.4", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2149,7 +2155,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { 
@@ -2162,12 +2168,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.7.3", + "url": "https://pypi.org/project/lib4sbom/0.7.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.7.3", + "purl": "pkg:pypi/lib4sbom@0.7.4", "properties": [ { "name": "language", @@ -2275,7 +2281,7 @@ "type": "library", "bom-ref": "53-lib4vex", "name": "lib4vex", - "version": "0.1.0", + "version": "0.2.0", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2284,14 +2290,8 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:*", "description": "VEX generator and consumer library", - "hashes": [ - { - "alg": "SHA-1", - "content": "84229c7770dd95cf887d6874e0203da4c8aa809b" - } - ], "licenses": [ { "license": { @@ -2303,12 +2303,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4vex/0.1.0", + "url": "https://pypi.org/project/lib4vex/0.2.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4vex@0.1.0", + "purl": "pkg:pypi/lib4vex@0.2.0", "properties": [ { "name": "language", @@ -2417,7 +2417,7 @@ "type": "library", "bom-ref": "56-rich", "name": "rich", - "version": "13.7.1", + "version": "13.8.0", "supplier": { "name": "Will McGugan", "contact": [ @@ -2426,7 +2426,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { 
@@ -2439,12 +2439,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rich/13.7.1", + "url": "https://pypi.org/project/rich/13.8.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.7.1", + "purl": "pkg:pypi/rich@13.8.0", "properties": [ { "name": "language", @@ -2623,7 +2623,7 @@ "type": "library", "bom-ref": "61-plotly", "name": "plotly", - "version": "5.23.0", + "version": "5.24.0", "supplier": { "name": "Chris P", "contact": [ @@ -2632,7 +2632,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -2645,12 +2645,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.23.0", + "url": "https://pypi.org/project/plotly/5.24.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.23.0", + "purl": "pkg:pypi/plotly@5.24.0", "properties": [ { "name": "language", @@ -2813,7 +2813,7 @@ "type": "library", "bom-ref": "65-certifi", "name": "certifi", - "version": "2024.7.4", + "version": "2024.8.30", "supplier": { "name": "Kenneth Reitz", "contact": [ @@ -2822,7 +2822,7 @@ } ] }, - "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:*", "description": "Python package for providing Mozilla's CA Bundle.", "licenses": [ { @@ -2835,12 +2835,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/certifi/2024.7.4", + "url": "https://pypi.org/project/certifi/2024.8.30", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/certifi@2024.7.4", + "purl": "pkg:pypi/certifi@2024.8.30", "properties": [ { "name": "language", 
@@ -2988,7 +2988,7 @@ "type": "library", "bom-ref": "69-setuptools", "name": "setuptools", - "version": "73.0.1", + "version": "74.0.0", "supplier": { "name": "Python Packaging Authority", "contact": [ @@ -2997,16 +2997,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/73.0.1", + "url": "https://pypi.org/project/setuptools/74.0.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@73.0.1", + "purl": "pkg:pypi/setuptools@74.0.0", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx index 00399c3f56..898ec8ed66 100644 --- a/sbom/cve-bin-tool-py3.9.spdx +++ b/sbom/cve-bin-tool-py3.9.spdx 
@@ -2,26 +2,26 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-23d1e40d-edfc-4a3f-84f6-7d2a69613c5d +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-d43650e7-6fd7-4d7a-a26a-ed4f63fe564e LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.1 -Created: 2024-08-26T00:35:43Z +Created: 2024-09-02T00:35:18Z CreatorComment: This document has been automatically generated. ##### PackageName: cve-bin-tool SPDXID: SPDXRef-Package-1-cve-bin-tool -PackageVersion: 3.4rc0 +PackageVersion: 3.4rc1 PrimaryPackagePurpose: APPLICATION PackageSupplier: Person: Terri Oda (terri.oda@intel.com) -PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc0 +PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc1 FilesAnalyzed: false PackageLicenseDeclared: GPL-3.0-or-later PackageLicenseConcluded: GPL-3.0-or-later PackageCopyrightText: NOASSERTION PackageSummary: CVE Binary Checker Tool -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:* ##### PackageName: aiohttp @@ -46,6 +46,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: J. Nick Koston (nick@koston.org) PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.4.0 FilesAnalyzed: false +PackageChecksum: SHA1: c31b127a69bdcd7895d1a521985d918061955348 PackageLicenseDeclared: Python-2.0.1 PackageLicenseConcluded: Python-2.0.1 PackageCopyrightText: NOASSERTION 
@@ -135,18 +136,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.0.5:*:*:*:* PackageName: yarl SPDXID: SPDXRef-Package-9-yarl -PackageVersion: 1.9.4 +PackageVersion: 1.9.7 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/yarl/1.9.4 +PackageDownloadLocation: https://pypi.org/project/yarl/1.9.7 FilesAnalyzed: false -PackageChecksum: SHA1: 6362ff155ba02964a5e773927412f7cf4ca23cd1 PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Yet another URL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.7 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:* ##### PackageName: idna @@ -156,6 +156,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kim Davies (kim+pypi@gumleaf.org) PackageDownloadLocation: https://pypi.org/project/idna/3.8 FilesAnalyzed: false +PackageChecksum: SHA1: 784c6f45c162db9709588124f2f1def5b70615ff PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -680,17 +681,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:importlib-metadata:8.4.0:*:*: PackageName: zipp SPDXID: SPDXRef-Package-43-zipp -PackageVersion: 3.20.0 +PackageVersion: 3.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) -PackageDownloadLocation: https://pypi.org/project/zipp/3.20.0 +PackageDownloadLocation: https://pypi.org/project/zipp/3.20.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Backport of pathlib-compatible object wrapper for zip files -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:* ##### PackageName: jinja2 @@ -786,17 +787,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:* PackageName: lib4sbom SPDXID: SPDXRef-Package-50-lib4sbom -PackageVersion: 0.7.3 +PackageVersion: 0.7.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.3 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.4 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:* ##### PackageName: pyyaml 
@@ -833,18 +834,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10. PackageName: lib4vex SPDXID: SPDXRef-Package-53-lib4vex -PackageVersion: 0.1.0 +PackageVersion: 0.2.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4vex/0.1.0 +PackageDownloadLocation: https://pypi.org/project/lib4vex/0.2.0 FilesAnalyzed: false -PackageChecksum: SHA1: 84229c7770dd95cf887d6874e0203da4c8aa809b PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: VEX generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.1.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.2.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:* ##### PackageName: csaf-tool @@ -881,17 +881,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-Package-56-rich -PackageVersion: 13.7.1 +PackageVersion: 13.8.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.7.1 +PackageDownloadLocation: https://pypi.org/project/rich/13.8.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.7.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.8.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:* ##### PackageName: markdown-it-py 
@@ -959,17 +959,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:* PackageName: plotly SPDXID: SPDXRef-Package-61-plotly -PackageVersion: 5.23.0 +PackageVersion: 5.24.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.23.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.24.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.23.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.24.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:* ##### PackageName: tenacity @@ -1024,17 +1024,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:requests:2.32.3:*:*:*:*: PackageName: certifi SPDXID: SPDXRef-Package-65-certifi -PackageVersion: 2024.7.4 +PackageVersion: 2024.8.30 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kenneth Reitz (me@kennethreitz.com) -PackageDownloadLocation: https://pypi.org/project/certifi/2024.7.4 +PackageDownloadLocation: https://pypi.org/project/certifi/2024.8.30 FilesAnalyzed: false PackageLicenseDeclared: MPL-2.0 PackageLicenseConcluded: MPL-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Python package for providing Mozilla's CA Bundle. -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.7.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.8.30 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:* ##### PackageName: charset-normalizer 
@@ -1086,17 +1086,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-Package-69-setuptools -PackageVersion: 73.0.1 +PackageVersion: 74.0.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/73.0.1 +PackageDownloadLocation: https://pypi.org/project/setuptools/74.0.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@73.0.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@74.0.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:* ##### PackageName: toml From 473f80e46a99448a1fc1d8f043723ba710d3a811 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:43:00 -0700 Subject: [PATCH 03/11] chore: update SBOM for Python 3.10 (#4408) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.10.json | 100 +++++++++++++++++----------------- sbom/cve-bin-tool-py3.10.spdx | 80 +++++++++++++-------------- 2 files changed, 90 insertions(+), 90 deletions(-) diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json index c9c8fe6f03..f3c781b2b4 100644 --- a/sbom/cve-bin-tool-py3.10.json +++ b/sbom/cve-bin-tool-py3.10.json 
@@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:7eff258d-ffbd-4ef3-8572-1791b27b4ba9", + "serialNumber": "urn:uuid:54f89c33-a2a1-4926-b839-2599401ff6fe", "version": 1, "metadata": { - "timestamp": "2024-08-26T00:33:42Z", + "timestamp": "2024-09-02T00:35:34Z", "lifecycles": [ { "phase": "build" @@ -31,7 +31,7 @@ "type": "application", "bom-ref": "1-cve-bin-tool", "name": "cve-bin-tool", - "version": "3.4rc0", + "version": "3.4rc1", "supplier": { "name": "Terri Oda", "contact": [ @@ -40,7 +40,7 @@ } ] }, - "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:*", "description": "CVE Binary Checker Tool", "licenses": [ { @@ -53,12 +53,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cve-bin-tool/3.4rc0", + "url": "https://pypi.org/project/cve-bin-tool/3.4rc1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cve-bin-tool@3.4rc0", + "purl": "pkg:pypi/cve-bin-tool@3.4rc1", "properties": [ { "name": "language", @@ -119,6 +119,12 @@ }, "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.0:*:*:*:*:*:*:*", "description": "Happy Eyeballs for asyncio", + "hashes": [ + { + "alg": "SHA-1", + "content": "c31b127a69bdcd7895d1a521985d918061955348" + } + ], "licenses": [ { "license": { @@ -356,7 +362,7 @@ "type": "library", "bom-ref": "9-yarl", "name": "yarl", - "version": "1.9.4", + "version": "1.9.7", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -365,14 +371,8 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:*", "description": "Yet another URL library", - "hashes": [ - { - "alg": "SHA-1", - "content": "6362ff155ba02964a5e773927412f7cf4ca23cd1" - } - ], "licenses": [ { "license": { 
@@ -384,12 +384,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/yarl/1.9.4", + "url": "https://pypi.org/project/yarl/1.9.7", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/yarl@1.9.4", + "purl": "pkg:pypi/yarl@1.9.7", "properties": [ { "name": "language", @@ -416,6 +416,12 @@ }, "cpe": "cpe:2.3:a:kim_davies:idna:3.8:*:*:*:*:*:*:*", "description": "Internationalized Domain Names in Applications (IDNA)", + "hashes": [ + { + "alg": "SHA-1", + "content": "784c6f45c162db9709588124f2f1def5b70615ff" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/idna/3.8", @@ -2072,7 +2078,7 @@ "type": "library", "bom-ref": "48-lib4sbom", "name": "lib4sbom", - "version": "0.7.3", + "version": "0.7.4", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2081,7 +2087,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { @@ -2094,12 +2100,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.7.3", + "url": "https://pypi.org/project/lib4sbom/0.7.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.7.3", + "purl": "pkg:pypi/lib4sbom@0.7.4", "properties": [ { "name": "language", @@ -2207,7 +2213,7 @@ "type": "library", "bom-ref": "51-lib4vex", "name": "lib4vex", - "version": "0.1.0", + "version": "0.2.0", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2216,14 +2222,8 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:*", "description": "VEX generator and consumer library", - "hashes": [ - { - "alg": "SHA-1", - "content": "84229c7770dd95cf887d6874e0203da4c8aa809b" - } - ], "licenses": [ { "license": { 
@@ -2235,12 +2235,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4vex/0.1.0", + "url": "https://pypi.org/project/lib4vex/0.2.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4vex@0.1.0", + "purl": "pkg:pypi/lib4vex@0.2.0", "properties": [ { "name": "language", @@ -2349,7 +2349,7 @@ "type": "library", "bom-ref": "54-rich", "name": "rich", - "version": "13.7.1", + "version": "13.8.0", "supplier": { "name": "Will McGugan", "contact": [ @@ -2358,7 +2358,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { @@ -2371,12 +2371,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rich/13.7.1", + "url": "https://pypi.org/project/rich/13.8.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.7.1", + "purl": "pkg:pypi/rich@13.8.0", "properties": [ { "name": "language", @@ -2555,7 +2555,7 @@ "type": "library", "bom-ref": "59-plotly", "name": "plotly", - "version": "5.23.0", + "version": "5.24.0", "supplier": { "name": "Chris P", "contact": [ @@ -2564,7 +2564,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -2577,12 +2577,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.23.0", + "url": "https://pypi.org/project/plotly/5.24.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.23.0", + "purl": "pkg:pypi/plotly@5.24.0", "properties": [ { "name": "language", 
@@ -2745,7 +2745,7 @@ "type": "library", "bom-ref": "63-certifi", "name": "certifi", - "version": "2024.7.4", + "version": "2024.8.30", "supplier": { "name": "Kenneth Reitz", "contact": [ @@ -2754,7 +2754,7 @@ } ] }, - "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:*", "description": "Python package for providing Mozilla's CA Bundle.", "licenses": [ { @@ -2767,12 +2767,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/certifi/2024.7.4", + "url": "https://pypi.org/project/certifi/2024.8.30", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/certifi@2024.7.4", + "purl": "pkg:pypi/certifi@2024.8.30", "properties": [ { "name": "language", @@ -2920,7 +2920,7 @@ "type": "library", "bom-ref": "67-setuptools", "name": "setuptools", - "version": "73.0.1", + "version": "74.0.0", "supplier": { "name": "Python Packaging Authority", "contact": [ @@ -2929,16 +2929,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/73.0.1", + "url": "https://pypi.org/project/setuptools/74.0.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@73.0.1", + "purl": "pkg:pypi/setuptools@74.0.0", "properties": [ { "name": "language", @@ -3101,7 +3101,7 @@ "type": "library", "bom-ref": "71-zipp", "name": "zipp", - "version": "3.20.0", + "version": "3.20.1", "supplier": { "name": "Jason R .", "contact": [ 
@@ -3110,16 +3110,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.20.0", + "url": "https://pypi.org/project/zipp/3.20.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.20.0", + "purl": "pkg:pypi/zipp@3.20.1", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx index 75884edc00..a7547c119c 100644 --- a/sbom/cve-bin-tool-py3.10.spdx +++ b/sbom/cve-bin-tool-py3.10.spdx 
@@ -2,26 +2,26 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-52daf87b-56da-4893-b447-66d3a4fe8925 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-a62995ad-3aeb-4e13-9e6a-812e4226470c LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.1 -Created: 2024-08-26T00:32:36Z +Created: 2024-09-02T00:34:20Z CreatorComment: This document has been automatically generated. ##### PackageName: cve-bin-tool SPDXID: SPDXRef-Package-1-cve-bin-tool -PackageVersion: 3.4rc0 +PackageVersion: 3.4rc1 PrimaryPackagePurpose: APPLICATION PackageSupplier: Person: Terri Oda (terri.oda@intel.com) -PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc0 +PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc1 FilesAnalyzed: false PackageLicenseDeclared: GPL-3.0-or-later PackageLicenseConcluded: GPL-3.0-or-later PackageCopyrightText: NOASSERTION PackageSummary: CVE Binary Checker Tool -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:* ##### PackageName: aiohttp @@ -46,6 +46,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: J. Nick Koston (nick@koston.org) PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.4.0 FilesAnalyzed: false +PackageChecksum: SHA1: c31b127a69bdcd7895d1a521985d918061955348 PackageLicenseDeclared: Python-2.0.1 PackageLicenseConcluded: Python-2.0.1 PackageCopyrightText: NOASSERTION 
@@ -135,18 +136,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.0.5:*:*:*:* PackageName: yarl SPDXID: SPDXRef-Package-9-yarl -PackageVersion: 1.9.4 +PackageVersion: 1.9.7 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/yarl/1.9.4 +PackageDownloadLocation: https://pypi.org/project/yarl/1.9.7 FilesAnalyzed: false -PackageChecksum: SHA1: 6362ff155ba02964a5e773927412f7cf4ca23cd1 PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Yet another URL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.7 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:* ##### PackageName: idna @@ -156,6 +156,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kim Davies (kim+pypi@gumleaf.org) PackageDownloadLocation: https://pypi.org/project/idna/3.8 FilesAnalyzed: false +PackageChecksum: SHA1: 784c6f45c162db9709588124f2f1def5b70615ff PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -756,17 +757,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:* PackageName: lib4sbom SPDXID: SPDXRef-Package-48-lib4sbom -PackageVersion: 0.7.3 +PackageVersion: 0.7.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.3 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.4 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:* ##### PackageName: pyyaml @@ -803,18 +804,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10. PackageName: lib4vex SPDXID: SPDXRef-Package-51-lib4vex -PackageVersion: 0.1.0 +PackageVersion: 0.2.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4vex/0.1.0 +PackageDownloadLocation: https://pypi.org/project/lib4vex/0.2.0 FilesAnalyzed: false -PackageChecksum: SHA1: 84229c7770dd95cf887d6874e0203da4c8aa809b PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: VEX generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.1.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.2.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:* ##### PackageName: csaf-tool 
@@ -851,17 +851,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-Package-54-rich -PackageVersion: 13.7.1 +PackageVersion: 13.8.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.7.1 +PackageDownloadLocation: https://pypi.org/project/rich/13.8.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.7.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.8.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:* ##### PackageName: markdown-it-py @@ -929,17 +929,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:* PackageName: plotly SPDXID: SPDXRef-Package-59-plotly -PackageVersion: 5.23.0 +PackageVersion: 5.24.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.23.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.24.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.23.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.24.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:* ##### PackageName: tenacity 
@@ -994,17 +994,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:requests:2.32.3:*:*:*:*: PackageName: certifi SPDXID: SPDXRef-Package-63-certifi -PackageVersion: 2024.7.4 +PackageVersion: 2024.8.30 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kenneth Reitz (me@kennethreitz.com) -PackageDownloadLocation: https://pypi.org/project/certifi/2024.7.4 +PackageDownloadLocation: https://pypi.org/project/certifi/2024.8.30 FilesAnalyzed: false PackageLicenseDeclared: MPL-2.0 PackageLicenseConcluded: MPL-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Python package for providing Mozilla's CA Bundle. -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.7.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.8.30 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:* ##### PackageName: charset-normalizer 
@@ -1056,17 +1056,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-Package-67-setuptools -PackageVersion: 73.0.1 +PackageVersion: 74.0.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/73.0.1 +PackageDownloadLocation: https://pypi.org/project/setuptools/74.0.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@73.0.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@74.0.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:* ##### PackageName: toml @@ -1119,17 +1119,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.4.0:*:*:* PackageName: zipp SPDXID: SPDXRef-Package-71-zipp -PackageVersion: 3.20.0 +PackageVersion: 3.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) -PackageDownloadLocation: https://pypi.org/project/zipp/3.20.0 +PackageDownloadLocation: https://pypi.org/project/zipp/3.20.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Backport of pathlib-compatible object wrapper for zip files -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:* ##### PackageName: zstandard 
From 7953bc8a63108c3802be7fba72f628421ea0e8b7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:43:32 -0700 Subject: [PATCH 04/11] chore: update SBOM for Python 3.11 (#4406) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.11.json | 100 +++++++++++++++++----------------- sbom/cve-bin-tool-py3.11.spdx | 80 +++++++++++++-------------- 2 files changed, 90 insertions(+), 90 deletions(-) diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json index e6eda83dbf..53a249e9bf 100644 --- a/sbom/cve-bin-tool-py3.11.json +++ b/sbom/cve-bin-tool-py3.11.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:9af242dd-4082-4aa8-816f-1bde08e5ec39", + "serialNumber": "urn:uuid:8d777d06-7268-47f3-a20f-8749b7aa610c", "version": 1, "metadata": { - "timestamp": "2024-08-26T00:33:39Z", + "timestamp": "2024-09-02T00:35:21Z", "lifecycles": [ { "phase": "build" @@ -31,7 +31,7 @@ "type": "application", "bom-ref": "1-cve-bin-tool", "name": "cve-bin-tool", - "version": "3.4rc0", + "version": "3.4rc1", "supplier": { "name": "Terri Oda", "contact": [ @@ -40,7 +40,7 @@ } ] }, - "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:*", "description": "CVE Binary Checker Tool", "licenses": [ { @@ -53,12 +53,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cve-bin-tool/3.4rc0", + "url": "https://pypi.org/project/cve-bin-tool/3.4rc1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cve-bin-tool@3.4rc0", + "purl": "pkg:pypi/cve-bin-tool@3.4rc1", "properties": [ { "name": "language", 
@@ -119,6 +119,12 @@ }, "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.0:*:*:*:*:*:*:*", "description": "Happy Eyeballs for asyncio", + "hashes": [ + { + "alg": "SHA-1", + "content": "c31b127a69bdcd7895d1a521985d918061955348" + } + ], "licenses": [ { "license": { @@ -307,7 +313,7 @@ "type": "library", "bom-ref": "8-yarl", "name": "yarl", - "version": "1.9.4", + "version": "1.9.7", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -316,14 +322,8 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:*", "description": "Yet another URL library", - "hashes": [ - { - "alg": "SHA-1", - "content": "6362ff155ba02964a5e773927412f7cf4ca23cd1" - } - ], "licenses": [ { "license": { @@ -335,12 +335,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/yarl/1.9.4", + "url": "https://pypi.org/project/yarl/1.9.7", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/yarl@1.9.4", + "purl": "pkg:pypi/yarl@1.9.7", "properties": [ { "name": "language", @@ -367,6 +367,12 @@ }, "cpe": "cpe:2.3:a:kim_davies:idna:3.8:*:*:*:*:*:*:*", "description": "Internationalized Domain Names in Applications (IDNA)", + "hashes": [ + { + "alg": "SHA-1", + "content": "784c6f45c162db9709588124f2f1def5b70615ff" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/idna/3.8", @@ -2023,7 +2029,7 @@ "type": "library", "bom-ref": "47-lib4sbom", "name": "lib4sbom", - "version": "0.7.3", + "version": "0.7.4", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2032,7 +2038,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { 
@@ -2045,12 +2051,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.7.3", + "url": "https://pypi.org/project/lib4sbom/0.7.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.7.3", + "purl": "pkg:pypi/lib4sbom@0.7.4", "properties": [ { "name": "language", @@ -2158,7 +2164,7 @@ "type": "library", "bom-ref": "50-lib4vex", "name": "lib4vex", - "version": "0.1.0", + "version": "0.2.0", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2167,14 +2173,8 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:*", "description": "VEX generator and consumer library", - "hashes": [ - { - "alg": "SHA-1", - "content": "84229c7770dd95cf887d6874e0203da4c8aa809b" - } - ], "licenses": [ { "license": { @@ -2186,12 +2186,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4vex/0.1.0", + "url": "https://pypi.org/project/lib4vex/0.2.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4vex@0.1.0", + "purl": "pkg:pypi/lib4vex@0.2.0", "properties": [ { "name": "language", @@ -2300,7 +2300,7 @@ "type": "library", "bom-ref": "53-rich", "name": "rich", - "version": "13.7.1", + "version": "13.8.0", "supplier": { "name": "Will McGugan", "contact": [ @@ -2309,7 +2309,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { 
@@ -2322,12 +2322,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rich/13.7.1", + "url": "https://pypi.org/project/rich/13.8.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.7.1", + "purl": "pkg:pypi/rich@13.8.0", "properties": [ { "name": "language", @@ -2506,7 +2506,7 @@ "type": "library", "bom-ref": "58-plotly", "name": "plotly", - "version": "5.23.0", + "version": "5.24.0", "supplier": { "name": "Chris P", "contact": [ @@ -2515,7 +2515,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -2528,12 +2528,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.23.0", + "url": "https://pypi.org/project/plotly/5.24.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.23.0", + "purl": "pkg:pypi/plotly@5.24.0", "properties": [ { "name": "language", @@ -2696,7 +2696,7 @@ "type": "library", "bom-ref": "62-certifi", "name": "certifi", - "version": "2024.7.4", + "version": "2024.8.30", "supplier": { "name": "Kenneth Reitz", "contact": [ @@ -2705,7 +2705,7 @@ } ] }, - "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:*", "description": "Python package for providing Mozilla's CA Bundle.", "licenses": [ { @@ -2718,12 +2718,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/certifi/2024.7.4", + "url": "https://pypi.org/project/certifi/2024.8.30", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/certifi@2024.7.4", + "purl": "pkg:pypi/certifi@2024.8.30", "properties": [ { "name": "language", 
@@ -2871,7 +2871,7 @@ "type": "library", "bom-ref": "66-setuptools", "name": "setuptools", - "version": "73.0.1", + "version": "74.0.0", "supplier": { "name": "Python Packaging Authority", "contact": [ @@ -2880,16 +2880,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/73.0.1", + "url": "https://pypi.org/project/setuptools/74.0.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@73.0.1", + "purl": "pkg:pypi/setuptools@74.0.0", "properties": [ { "name": "language", @@ -3003,7 +3003,7 @@ "type": "library", "bom-ref": "69-zipp", "name": "zipp", - "version": "3.20.0", + "version": "3.20.1", "supplier": { "name": "Jason R .", "contact": [ @@ -3012,16 +3012,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.20.0", + "url": "https://pypi.org/project/zipp/3.20.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.20.0", + "purl": "pkg:pypi/zipp@3.20.1", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx index b901630885..2b4f8399f7 100644 --- a/sbom/cve-bin-tool-py3.11.spdx +++ b/sbom/cve-bin-tool-py3.11.spdx 
@@ -2,26 +2,26 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-983b9eae-107a-4ff7-8bc2-0c1e0f743a8f +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-d5e66b4b-7566-4d32-a557-46c6265be44c LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.1 -Created: 2024-08-26T00:32:36Z +Created: 2024-09-02T00:34:17Z CreatorComment: This document has been automatically generated. ##### PackageName: cve-bin-tool SPDXID: SPDXRef-Package-1-cve-bin-tool -PackageVersion: 3.4rc0 +PackageVersion: 3.4rc1 PrimaryPackagePurpose: APPLICATION PackageSupplier: Person: Terri Oda (terri.oda@intel.com) -PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc0 +PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc1 FilesAnalyzed: false PackageLicenseDeclared: GPL-3.0-or-later PackageLicenseConcluded: GPL-3.0-or-later PackageCopyrightText: NOASSERTION PackageSummary: CVE Binary Checker Tool -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:* ##### PackageName: aiohttp @@ -46,6 +46,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: J. Nick Koston (nick@koston.org) PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.4.0 FilesAnalyzed: false +PackageChecksum: SHA1: c31b127a69bdcd7895d1a521985d918061955348 PackageLicenseDeclared: Python-2.0.1 PackageLicenseConcluded: Python-2.0.1 PackageCopyrightText: NOASSERTION 
@@ -118,18 +119,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.0.5:*:*:*:* PackageName: yarl SPDXID: SPDXRef-Package-8-yarl -PackageVersion: 1.9.4 +PackageVersion: 1.9.7 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/yarl/1.9.4 +PackageDownloadLocation: https://pypi.org/project/yarl/1.9.7 FilesAnalyzed: false -PackageChecksum: SHA1: 6362ff155ba02964a5e773927412f7cf4ca23cd1 PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Yet another URL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.7 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:* ##### PackageName: idna @@ -139,6 +139,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kim Davies (kim+pypi@gumleaf.org) PackageDownloadLocation: https://pypi.org/project/idna/3.8 FilesAnalyzed: false +PackageChecksum: SHA1: 784c6f45c162db9709588124f2f1def5b70615ff PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -739,17 +740,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:* PackageName: lib4sbom SPDXID: SPDXRef-Package-47-lib4sbom -PackageVersion: 0.7.3 +PackageVersion: 0.7.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.3 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.4 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:* ##### PackageName: pyyaml @@ -786,18 +787,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10. PackageName: lib4vex SPDXID: SPDXRef-Package-50-lib4vex -PackageVersion: 0.1.0 +PackageVersion: 0.2.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4vex/0.1.0 +PackageDownloadLocation: https://pypi.org/project/lib4vex/0.2.0 FilesAnalyzed: false -PackageChecksum: SHA1: 84229c7770dd95cf887d6874e0203da4c8aa809b PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: VEX generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.1.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.2.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:* ##### PackageName: csaf-tool 
@@ -834,17 +834,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-Package-53-rich -PackageVersion: 13.7.1 +PackageVersion: 13.8.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.7.1 +PackageDownloadLocation: https://pypi.org/project/rich/13.8.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.7.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.8.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:* ##### PackageName: markdown-it-py @@ -912,17 +912,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:* PackageName: plotly SPDXID: SPDXRef-Package-58-plotly -PackageVersion: 5.23.0 +PackageVersion: 5.24.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.23.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.24.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.23.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.24.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:* ##### PackageName: tenacity 
@@ -977,17 +977,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:requests:2.32.3:*:*:*:*: PackageName: certifi SPDXID: SPDXRef-Package-62-certifi -PackageVersion: 2024.7.4 +PackageVersion: 2024.8.30 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kenneth Reitz (me@kennethreitz.com) -PackageDownloadLocation: https://pypi.org/project/certifi/2024.7.4 +PackageDownloadLocation: https://pypi.org/project/certifi/2024.8.30 FilesAnalyzed: false PackageLicenseDeclared: MPL-2.0 PackageLicenseConcluded: MPL-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Python package for providing Mozilla's CA Bundle. -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.7.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.8.30 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:* ##### PackageName: charset-normalizer 
@@ -1039,17 +1039,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-Package-66-setuptools -PackageVersion: 73.0.1 +PackageVersion: 74.0.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/73.0.1 +PackageDownloadLocation: https://pypi.org/project/setuptools/74.0.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@73.0.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@74.0.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:* ##### PackageName: xmlschema @@ -1086,17 +1086,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.4.0:*:*:* PackageName: zipp SPDXID: SPDXRef-Package-69-zipp -PackageVersion: 3.20.0 +PackageVersion: 3.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) -PackageDownloadLocation: https://pypi.org/project/zipp/3.20.0 +PackageDownloadLocation: https://pypi.org/project/zipp/3.20.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Backport of pathlib-compatible object wrapper for zip files -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:* ##### PackageName: zstandard 
From 300880026e95c5e9d2114eb06f78ca2c34f2b661 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:44:02 -0700 Subject: [PATCH 05/11] chore: update SBOM for Python 3.12 (#4407) Co-authored-by: GitHub --- sbom/cve-bin-tool-py3.12.json | 100 +++++++++++++++++----------------- sbom/cve-bin-tool-py3.12.spdx | 80 +++++++++++++-------------- 2 files changed, 90 insertions(+), 90 deletions(-) diff --git a/sbom/cve-bin-tool-py3.12.json b/sbom/cve-bin-tool-py3.12.json index b1f4601f31..b56f1af913 100644 --- a/sbom/cve-bin-tool-py3.12.json +++ b/sbom/cve-bin-tool-py3.12.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:1a468904-d4b4-4448-9ff4-2a4c6cda96ce", + "serialNumber": "urn:uuid:b1f117ed-2d0e-4be8-99ca-e91c6c6428cc", "version": 1, "metadata": { - "timestamp": "2024-08-26T00:35:14Z", + "timestamp": "2024-09-02T00:35:23Z", "lifecycles": [ { "phase": "build" @@ -31,7 +31,7 @@ "type": "application", "bom-ref": "1-cve-bin-tool", "name": "cve-bin-tool", - "version": "3.4rc0", + "version": "3.4rc1", "supplier": { "name": "Terri Oda", "contact": [ @@ -40,7 +40,7 @@ } ] }, - "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:*", "description": "CVE Binary Checker Tool", "licenses": [ { @@ -53,12 +53,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/cve-bin-tool/3.4rc0", + "url": "https://pypi.org/project/cve-bin-tool/3.4rc1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/cve-bin-tool@3.4rc0", + "purl": "pkg:pypi/cve-bin-tool@3.4rc1", "properties": [ { "name": "language", 
@@ -119,6 +119,12 @@ }, "cpe": "cpe:2.3:a:j._nick_koston:aiohappyeyeballs:2.4.0:*:*:*:*:*:*:*", "description": "Happy Eyeballs for asyncio", + "hashes": [ + { + "alg": "SHA-1", + "content": "c31b127a69bdcd7895d1a521985d918061955348" + } + ], "licenses": [ { "license": { @@ -307,7 +313,7 @@ "type": "library", "bom-ref": "8-yarl", "name": "yarl", - "version": "1.9.4", + "version": "1.9.7", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -316,14 +322,8 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:*", "description": "Yet another URL library", - "hashes": [ - { - "alg": "SHA-1", - "content": "6362ff155ba02964a5e773927412f7cf4ca23cd1" - } - ], "licenses": [ { "license": { @@ -335,12 +335,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/yarl/1.9.4", + "url": "https://pypi.org/project/yarl/1.9.7", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/yarl@1.9.4", + "purl": "pkg:pypi/yarl@1.9.7", "properties": [ { "name": "language", @@ -367,6 +367,12 @@ }, "cpe": "cpe:2.3:a:kim_davies:idna:3.8:*:*:*:*:*:*:*", "description": "Internationalized Domain Names in Applications (IDNA)", + "hashes": [ + { + "alg": "SHA-1", + "content": "784c6f45c162db9709588124f2f1def5b70615ff" + } + ], "externalReferences": [ { "url": "https://pypi.org/project/idna/3.8", @@ -2023,7 +2029,7 @@ "type": "library", "bom-ref": "47-lib4sbom", "name": "lib4sbom", - "version": "0.7.3", + "version": "0.7.4", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2032,7 +2038,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { 
@@ -2045,12 +2051,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.7.3", + "url": "https://pypi.org/project/lib4sbom/0.7.4", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.7.3", + "purl": "pkg:pypi/lib4sbom@0.7.4", "properties": [ { "name": "language", @@ -2158,7 +2164,7 @@ "type": "library", "bom-ref": "50-lib4vex", "name": "lib4vex", - "version": "0.1.0", + "version": "0.2.0", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -2167,14 +2173,8 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:*", "description": "VEX generator and consumer library", - "hashes": [ - { - "alg": "SHA-1", - "content": "84229c7770dd95cf887d6874e0203da4c8aa809b" - } - ], "licenses": [ { "license": { @@ -2186,12 +2186,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4vex/0.1.0", + "url": "https://pypi.org/project/lib4vex/0.2.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4vex@0.1.0", + "purl": "pkg:pypi/lib4vex@0.2.0", "properties": [ { "name": "language", @@ -2300,7 +2300,7 @@ "type": "library", "bom-ref": "53-rich", "name": "rich", - "version": "13.7.1", + "version": "13.8.0", "supplier": { "name": "Will McGugan", "contact": [ @@ -2309,7 +2309,7 @@ } ] }, - "cpe": "cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:*", "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal", "licenses": [ { 
@@ -2322,12 +2322,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/rich/13.7.1", + "url": "https://pypi.org/project/rich/13.8.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/rich@13.7.1", + "purl": "pkg:pypi/rich@13.8.0", "properties": [ { "name": "language", @@ -2506,7 +2506,7 @@ "type": "library", "bom-ref": "58-plotly", "name": "plotly", - "version": "5.23.0", + "version": "5.24.0", "supplier": { "name": "Chris P", "contact": [ @@ -2515,7 +2515,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -2528,12 +2528,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.23.0", + "url": "https://pypi.org/project/plotly/5.24.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.23.0", + "purl": "pkg:pypi/plotly@5.24.0", "properties": [ { "name": "language", @@ -2696,7 +2696,7 @@ "type": "library", "bom-ref": "62-certifi", "name": "certifi", - "version": "2024.7.4", + "version": "2024.8.30", "supplier": { "name": "Kenneth Reitz", "contact": [ @@ -2705,7 +2705,7 @@ } ] }, - "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:*", "description": "Python package for providing Mozilla's CA Bundle.", "licenses": [ { @@ -2718,12 +2718,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/certifi/2024.7.4", + "url": "https://pypi.org/project/certifi/2024.8.30", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/certifi@2024.7.4", + "purl": "pkg:pypi/certifi@2024.8.30", "properties": [ { "name": "language", 
@@ -2871,7 +2871,7 @@ "type": "library", "bom-ref": "66-setuptools", "name": "setuptools", - "version": "73.0.1", + "version": "74.0.0", "supplier": { "name": "Python Packaging Authority", "contact": [ @@ -2880,16 +2880,16 @@ } ] }, - "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:*", "description": "Easily download, build, install, upgrade, and uninstall Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/setuptools/73.0.1", + "url": "https://pypi.org/project/setuptools/74.0.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/setuptools@73.0.1", + "purl": "pkg:pypi/setuptools@74.0.0", "properties": [ { "name": "language", @@ -3003,7 +3003,7 @@ "type": "library", "bom-ref": "69-zipp", "name": "zipp", - "version": "3.20.0", + "version": "3.20.1", "supplier": { "name": "Jason R .", "contact": [ @@ -3012,16 +3012,16 @@ } ] }, - "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:*", "description": "Backport of pathlib-compatible object wrapper for zip files", "externalReferences": [ { - "url": "https://pypi.org/project/zipp/3.20.0", + "url": "https://pypi.org/project/zipp/3.20.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/zipp@3.20.0", + "purl": "pkg:pypi/zipp@3.20.1", "properties": [ { "name": "language", diff --git a/sbom/cve-bin-tool-py3.12.spdx b/sbom/cve-bin-tool-py3.12.spdx index 1bc12152d3..961f9fa3a9 100644 --- a/sbom/cve-bin-tool-py3.12.spdx +++ b/sbom/cve-bin-tool-py3.12.spdx 
@@ -2,26 +2,26 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-9d2818ca-979d-421e-8731-e16027125f26 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-ef020a48-2e0c-4106-8ee5-6ade813bf11c LicenseListVersion: 3.22 Creator: Tool: sbom4python-0.11.1 -Created: 2024-08-26T00:33:49Z +Created: 2024-09-02T00:34:08Z CreatorComment: This document has been automatically generated. ##### PackageName: cve-bin-tool SPDXID: SPDXRef-Package-1-cve-bin-tool -PackageVersion: 3.4rc0 +PackageVersion: 3.4rc1 PrimaryPackagePurpose: APPLICATION PackageSupplier: Person: Terri Oda (terri.oda@intel.com) -PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc0 +PackageDownloadLocation: https://pypi.org/project/cve-bin-tool/3.4rc1 FilesAnalyzed: false PackageLicenseDeclared: GPL-3.0-or-later PackageLicenseConcluded: GPL-3.0-or-later PackageCopyrightText: NOASSERTION PackageSummary: CVE Binary Checker Tool -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/cve-bin-tool@3.4rc1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4rc1:*:*:*:*:*:*:* ##### PackageName: aiohttp @@ -46,6 +46,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: J. Nick Koston (nick@koston.org) PackageDownloadLocation: https://pypi.org/project/aiohappyeyeballs/2.4.0 FilesAnalyzed: false +PackageChecksum: SHA1: c31b127a69bdcd7895d1a521985d918061955348 PackageLicenseDeclared: Python-2.0.1 PackageLicenseConcluded: Python-2.0.1 PackageCopyrightText: NOASSERTION 
@@ -118,18 +119,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.0.5:*:*:*:* PackageName: yarl SPDXID: SPDXRef-Package-8-yarl -PackageVersion: 1.9.4 +PackageVersion: 1.9.7 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/yarl/1.9.4 +PackageDownloadLocation: https://pypi.org/project/yarl/1.9.7 FilesAnalyzed: false -PackageChecksum: SHA1: 6362ff155ba02964a5e773927412f7cf4ca23cd1 PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Yet another URL library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/yarl@1.9.7 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:yarl:1.9.7:*:*:*:*:*:*:* ##### PackageName: idna @@ -139,6 +139,7 @@ PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kim Davies (kim+pypi@gumleaf.org) PackageDownloadLocation: https://pypi.org/project/idna/3.8 FilesAnalyzed: false +PackageChecksum: SHA1: 784c6f45c162db9709588124f2f1def5b70615ff PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION 
@@ -739,17 +740,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.20.0:*:*:*:*:* PackageName: lib4sbom SPDXID: SPDXRef-Package-47-lib4sbom -PackageVersion: 0.7.3 +PackageVersion: 0.7.4 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.3 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.7.4 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.3 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.3:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4sbom@0.7.4 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.7.4:*:*:*:*:*:*:* ##### PackageName: pyyaml @@ -786,18 +787,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:raphael_barrois:semantic-version:2.10. PackageName: lib4vex SPDXID: SPDXRef-Package-50-lib4vex -PackageVersion: 0.1.0 +PackageVersion: 0.2.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4vex/0.1.0 +PackageDownloadLocation: https://pypi.org/project/lib4vex/0.2.0 FilesAnalyzed: false -PackageChecksum: SHA1: 84229c7770dd95cf887d6874e0203da4c8aa809b PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: VEX generator and consumer library -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.1.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.1.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/lib4vex@0.2.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4vex:0.2.0:*:*:*:*:*:*:* ##### PackageName: csaf-tool 
@@ -834,17 +834,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1 PackageName: rich SPDXID: SPDXRef-Package-53-rich -PackageVersion: 13.7.1 +PackageVersion: 13.8.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com) -PackageDownloadLocation: https://pypi.org/project/rich/13.7.1 +PackageDownloadLocation: https://pypi.org/project/rich/13.8.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.7.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.7.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/rich@13.8.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:13.8.0:*:*:*:*:*:*:* ##### PackageName: markdown-it-py @@ -912,17 +912,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:24.1:*:*:*:*:* PackageName: plotly SPDXID: SPDXRef-Package-58-plotly -PackageVersion: 5.23.0 +PackageVersion: 5.24.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.23.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.24.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.23.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.23.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/plotly@5.24.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.24.0:*:*:*:*:*:*:* ##### PackageName: tenacity 
@@ -977,17 +977,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:requests:2.32.3:*:*:*:*: PackageName: certifi SPDXID: SPDXRef-Package-62-certifi -PackageVersion: 2024.7.4 +PackageVersion: 2024.8.30 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Kenneth Reitz (me@kennethreitz.com) -PackageDownloadLocation: https://pypi.org/project/certifi/2024.7.4 +PackageDownloadLocation: https://pypi.org/project/certifi/2024.8.30 FilesAnalyzed: false PackageLicenseDeclared: MPL-2.0 PackageLicenseConcluded: MPL-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Python package for providing Mozilla's CA Bundle. -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.7.4 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.7.4:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/certifi@2024.8.30 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2024.8.30:*:*:*:*:*:*:* ##### PackageName: charset-normalizer 
@@ -1039,17 +1039,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:* PackageName: setuptools SPDXID: SPDXRef-Package-66-setuptools -PackageVersion: 73.0.1 +PackageVersion: 74.0.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org) -PackageDownloadLocation: https://pypi.org/project/setuptools/73.0.1 +PackageDownloadLocation: https://pypi.org/project/setuptools/74.0.0 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@73.0.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:73.0.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/setuptools@74.0.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:74.0.0:*:*:*:*:*:*:* ##### PackageName: xmlschema @@ -1086,17 +1086,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:elementpath:4.4.0:*:*:* PackageName: zipp SPDXID: SPDXRef-Package-69-zipp -PackageVersion: 3.20.0 +PackageVersion: 3.20.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Jason R. (jaraco@jaraco.com) -PackageDownloadLocation: https://pypi.org/project/zipp/3.20.0 +PackageDownloadLocation: https://pypi.org/project/zipp/3.20.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Backport of pathlib-compatible object wrapper for zip files -ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE_MANAGER purl pkg:pypi/zipp@3.20.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r.:zipp:3.20.1:*:*:*:*:*:*:* ##### PackageName: zstandard 
From 3a6060f6104e2db382ae3babfd0b6ad95bb85a7c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:45:16 -0700 Subject: [PATCH 06/11] chore: update pre-commit config (#4405) Co-authored-by: GitHub --- .pre-commit-config.yaml | 6 +++--- dev-requirements.txt | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b562440781..d48d3ff785 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos: exclude: ^fuzz/generated/ - repo: https://github.com/psf/black-pre-commit-mirror
- rev: 24.4.2
+ rev: 24.8.0
 hooks: - id: black exclude: ^fuzz/generated/
@@ -27,7 +27,7 @@ repos: args: ["--py38-plus"] - repo: https://github.com/pycqa/flake8
- rev: 7.1.0
+ rev: 7.1.1
 hooks: - id: flake8 exclude: ^fuzz/generated/|bandit\.conf$
@@ -45,7 +45,7 @@ repos: - id: gitlint - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v1.11.1
+ rev: v1.11.2
 hooks: - id: mypy additional_dependencies:
diff --git a/dev-requirements.txt b/dev-requirements.txt
index e48ad15cf0..509182adb4 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -1,14 +1,14 @@
-black==24.4.2
+black==24.8.0
 isort; python_version < "3.8"
 isort==5.13.2; python_version >= "3.8"
 pre-commit; python_version <= "3.8"
 pre-commit==3.8.0; python_version > "3.8"
 flake8; python_version < "3.8"
-flake8==7.1.0; python_version >= "3.8"
+flake8==7.1.1; python_version >= "3.8"
 bandit==1.7.9
 gitlint==v0.19.1
 interrogate
-mypy==v1.11.1
+mypy==v1.11.2
 pytest>=7.2.0
 pytest-xdist
 pytest-cov
From 50098e5dc40306cfeeb965c5b6c4e6b246d91f38 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:47:19 -0700 Subject: [PATCH 07/11] chore(deps): bump actions/upload-artifact from 4.3.1 to 4.4.0 (#4411) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.1 to 4.4.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/5d5d22a31266ced268874388b861e4b58bb5c2f3...50769540e7f4bd5e21e526ee35c689e35e0d6874) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- .github/workflows/update-js-dependencies.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index bdd5be8ff4..b1421eff06 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -39,7 +39,7 @@ jobs: publish_results: true - name: "Upload artifact"
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with: name: SARIF file path: results.sarif
diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml
index b273fcdc0c..e461a9275c 100644
--- a/.github/workflows/update-js-dependencies.yml
+++ b/.github/workflows/update-js-dependencies.yml
@@ -73,7 +73,7 @@ jobs: output_html(TestOutputEngine.MOCK_OUTPUT, None, "", "", "", 3, 3, 0, None, None, open("test.html", "w"))' - name: Upload mock report
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with: name: HTML report path: test.html
From 3d6c627c237e159a4e9ef0abcf706c75b9a1b068 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:48:03 -0700 Subject: [PATCH 08/11] chore(deps): bump github/codeql-action from 3.26.5 to 3.26.6 (#4413) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.5 to 3.26.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2c779ab0d087cd7fe7b826087247c2c81f27bfa6...4dd16135b69a43b6c8efb853346f8437d92d3c93) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d29a8db214..3568f6df4b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -51,7 +51,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL
- uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+ uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 From ec8be1a41a20b38415aaeeff7a34c018cdf99b97 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:48:56 -0700 Subject: [PATCH 09/11] chore(deps): bump actions/setup-python from 5.1.1 to 5.2.0 (#4412) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.1 to 5.2.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5.1.1...v5.2.0) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-wheel.yml | 2 +- .github/workflows/cve_scan.yml | 2 +- .github/workflows/formatting.yml | 2 +- .github/workflows/fuzzing.yml | 2 +- .github/workflows/linting.yml | 2 +- .github/workflows/sbom.yml | 2 +- .github/workflows/testing.yml | 10 +++++----- .github/workflows/update-cache.yml | 2 +- .github/workflows/update-js-dependencies.yml | 2 +- .github/workflows/update-pre-commit.yml | 2 +- .github/workflows/validate-yml.yml | 2 +- 11 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build-wheel.yml b/.github/workflows/build-wheel.yml index d8b1ac05a5..eedddbaf43 100644 --- a/.github/workflows/build-wheel.yml +++ b/.github/workflows/build-wheel.yml 
@@ -28,7 +28,7 @@ jobs: egress-policy: audit - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.python-version }} cache: 'pip' diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml index ff5ee5ee86..0977b15207 100644 --- a/.github/workflows/cve_scan.yml +++ b/.github/workflows/cve_scan.yml @@ -21,7 +21,7 @@ jobs: egress-policy: audit - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.11' cache: 'pip' diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml index bb99d0f2ae..f8c5867f53 100644 --- a/.github/workflows/formatting.yml +++ b/.github/workflows/formatting.yml @@ -24,7 +24,7 @@ jobs: egress-policy: audit - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.11' cache: 'pip' diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml index 19c87446d1..0ff4d7bbcc 100644 --- a/.github/workflows/fuzzing.yml +++ b/.github/workflows/fuzzing.yml @@ -19,7 +19,7 @@ jobs: uses: actions/checkout@v4 - name: Set up Python - uses: actions/setup-python@v5.1.1 + uses: actions/setup-python@v5.2.0 with: python-version: 3.9 diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index ac1f68f974..4add7725c1 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml 
@@ -23,7 +23,7 @@ jobs: egress-policy: audit - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.11' cache: 'pip' diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 40c0d96437..e0a7db108f 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -27,7 +27,7 @@ jobs: egress-policy: audit - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.python }} cache: 'pip' diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 2ede932b2d..558898480b 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -49,7 +49,7 @@ jobs: pypi.org:443 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.11' cache: 'pip' @@ -108,7 +108,7 @@ jobs: www.sqlite.org:443 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.python }} cache: 'pip' @@ -240,7 +240,7 @@ jobs: www.sqlite.org:443 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.10' cache: 'pip' 
@@ -397,7 +397,7 @@ jobs: www.sqlite.org:443 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.10' cache: 'pip' @@ -503,7 +503,7 @@ jobs: egress-policy: audit - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.12' cache: 'pip' diff --git a/.github/workflows/update-cache.yml b/.github/workflows/update-cache.yml index 7d601f31b0..889cbcc692 100644 --- a/.github/workflows/update-cache.yml +++ b/.github/workflows/update-cache.yml @@ -32,7 +32,7 @@ jobs: egress-policy: audit - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.10' cache: 'pip' diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml index e461a9275c..9d083c4499 100644 --- a/.github/workflows/update-js-dependencies.yml +++ b/.github/workflows/update-js-dependencies.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.11' diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml index 98ed98dddb..f7fa1463e1 100644 --- a/.github/workflows/update-pre-commit.yml +++ b/.github/workflows/update-pre-commit.yml 
@@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.11' diff --git a/.github/workflows/validate-yml.yml b/.github/workflows/validate-yml.yml index 1088c86852..6e0cdcd2d4 100644 --- a/.github/workflows/validate-yml.yml +++ b/.github/workflows/validate-yml.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.11' cache: 'pip' From b893616662e3ae8483acb609596a7b83f00096dc Mon Sep 17 00:00:00 2001 From: Sanskar Sharma Date: Wed, 4 Sep 2024 21:46:17 +0530 Subject: [PATCH 10/11] feat: auto detect for vex and added linkage check (#4415) * feat: enable auto-detection for vex files * feat: sbom-vex linkage checker for cyclonedx using bom-link * feat: validation for serialNumber --- cve_bin_tool/cli.py | 18 +++++++++++---- cve_bin_tool/output_engine/__init__.py | 1 + cve_bin_tool/sbom_manager/parse.py | 21 +++++++++++++++++ cve_bin_tool/util.py | 32 +++++++++++++++++++++++--- cve_bin_tool/vex_manager/generate.py | 9 ++++++-- cve_bin_tool/vex_manager/parse.py | 19 ++++++++++++--- 6 files changed, 87 insertions(+), 13 deletions(-) diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py index c8a99ff8c3..51664d18bc 100644 --- a/cve_bin_tool/cli.py +++ b/cve_bin_tool/cli.py @@ -1025,6 +1025,7 @@ def main(argv=None): total_files: int = 0 parsed_data: dict[ProductInfo, TriageData] = {} vex_product_info: dict[str, str] = {} + sbom_serial_number = "" # Package List parsing if args["package_list"]: sbom_root = args["package_list"] 
@@ -1095,6 +1096,7 @@ def main(argv=None): validate=not args["disable_validation_check"], ) parsed_data = sbom_list.parse_sbom() + sbom_serial_number = sbom_list.serialNumber LOGGER.info( f"The number of products to process from SBOM - {len(parsed_data)}" ) @@ -1103,10 +1105,10 @@ def main(argv=None): cve_scanner.get_cves(product_info, triage_data) if args["vex_file"]: - # for now use cyclonedx as auto detection is not implemented in latest pypi package of lib4vex + # use auto so that lib4vex can auto-detect the vex type. vexdata = VEXParse( filename=args["vex_file"], - vextype="cyclonedx", + vextype="auto", logger=LOGGER, ) parsed_vex_data = vexdata.parse_vex() @@ -1122,9 +1124,14 @@ def main(argv=None): LOGGER.info( f"VEX file {args['vex_file']} is not a standalone file and will be used as a triage file" ) - # need to do validation on the sbom part - # need to implement is_linked() function which will check the linkage. - if args["sbom_file"]: + # check weather vex is linked with given sbom or not. + # only check cyclonedx since it have serialNumber. + if ( + args["sbom_file"] + and args["sbom"] == "cyclonedx" + and vexdata.vextype == "cyclonedx" + and sbom_serial_number not in vexdata.serialNumbers + ): LOGGER.warning( f"SBOM file: {args['sbom_file']} is not linked to VEX file: {args['vex_file']}." ) @@ -1162,6 +1169,7 @@ def main(argv=None): "release": args["release"], "vendor": args["vendor"], "revision_reason": args["revision_reason"], + "sbom_serial_number": sbom_serial_number, } elif args["vex_file"]: vex_product_info["revision_reason"] = args["revision_reason"] diff --git a/cve_bin_tool/output_engine/__init__.py b/cve_bin_tool/output_engine/__init__.py index cb8a14bda3..5cf0e60b2c 100644 --- a/cve_bin_tool/output_engine/__init__.py +++ b/cve_bin_tool/output_engine/__init__.py 
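Review bot: The linkage check in the `@@ -1122,9 +1124,14 @@` hunk only emits `LOGGER.warning(...)`; as far as the hunk shows, nothing stops the unlinked VEX statements from being applied as triage afterwards, so a VEX written against a different BOM still suppresses findings. Either make the consequence explicit in the message, e.g. `f"SBOM file: {args['sbom_file']} is not linked to VEX file: {args['vex_file']}; its statements will still be applied as triage."`, or skip the merge when the serial numbers do not match. The check is also bypassed for every non-CycloneDX VEX, and since `vexdata.vextype` is now resolved by auto-detection at parse time the comment above the `if` should say so plainly: `# Linkage is only verifiable for CycloneDX (serialNumber + BOM-Link); CSAF/OpenVEX files are never checked.` `main()` starts and ends outside these hunks.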
@@ -803,6 +803,7 @@ def output_cves(self, outfile, output_type="console"): self.vex_type, self.all_cve_data, self.vex_product_info["revision_reason"], + self.vex_product_info["sbom_serial_number"], logger=self.logger, ) vexgen.generate_vex() diff --git a/cve_bin_tool/sbom_manager/parse.py b/cve_bin_tool/sbom_manager/parse.py index 97e6ca448e..9066ed5e37 100644 --- a/cve_bin_tool/sbom_manager/parse.py +++ b/cve_bin_tool/sbom_manager/parse.py @@ -23,6 +23,7 @@ decode_cpe23, find_product_location, validate_location, + validate_serialNumber, ) from cve_bin_tool.validator import validate_cyclonedx, validate_spdx, validate_swid @@ -58,6 +59,7 @@ def __init__( self.type = sbom_type self.logger = logger or LOGGER.getChild(self.__class__.__name__) self.validate = validate + self.serialNumber = "" # Connect to the database self.cvedb = CVEDB(version_check=False) @@ -253,6 +255,25 @@ def parse_cyclonedx_spdx(self) -> [(str, str, str)]: sbom_parser = SBOMParser(sbom_type=self.type) # Load SBOM sbom_parser.parse_file(self.filename) + doc = sbom_parser.get_document() + uuid = doc.get("uuid", "") + if self.type == "cyclonedx": + parts = uuid.split(":") + if len(parts) == 3 and parts[0] == "urn" and parts[1] == "uuid": + serialNumber = parts[2] + if validate_serialNumber(serialNumber): + self.serialNumber = serialNumber + else: + LOGGER.error( + f"The SBOM file '{self.filename}' has an invalid serial number." + ) + return [] + else: + LOGGER.error( + f"The SBOM file '{self.filename}' has an invalid serial number." + ) + return [] + modules = [] if self.validate and self.filename.endswith(".xml"): # Only for XML files diff --git a/cve_bin_tool/util.py b/cve_bin_tool/util.py index 7b590f10a9..b7b49ba7f1 100644 --- a/cve_bin_tool/util.py +++ b/cve_bin_tool/util.py @@ -391,7 +391,7 @@ def decode_purl(purl: str) -> ProductInfo | None: return None -def decode_bom_ref(ref: str) -> ProductInfo | None: +def decode_bom_ref(ref: str): """ Decodes the BOM reference for each component. 
@@ -418,11 +418,29 @@ def decode_bom_ref(ref: str) -> ProductInfo | None: urn_cdx = re.compile( r"urn:cdx:(?P.*?)\/(?P.*?)#(?P.*)" ) + urn_cdx_with_purl = re.compile( + r"urn:cdx:(?P[^/]+)\/(?P[^#]+)#(?Ppkg:[^\s]+)" + ) location = "location/to/product" - match = urn_cbt_ext_ref.match(ref) or urn_cbt_ref.match(ref) or urn_cdx.match(ref) + match = ( + urn_cdx_with_purl.match(ref) + or urn_cbt_ext_ref.match(ref) + or urn_cbt_ref.match(ref) + or urn_cdx.match(ref) + ) if match: urn_dict = match.groupdict() - if "bom_ref" in urn_dict: # For urn_cdx match + if "purl" in urn_dict: # For urn_cdx_with_purl match + serialNumber = urn_dict["bomSerialNumber"] + product_info = decode_purl(urn_dict["purl"]) + if not validate_serialNumber(serialNumber): + LOGGER.error( + f"The BOM link contains an invalid serial number: '{serialNumber}'" + ) + return product_info + else: + return product_info, serialNumber + elif "bom_ref" in urn_dict: # For urn_cdx match cdx_bom_ref = urn_dict["bom_ref"] try: product, version = cdx_bom_ref.rsplit("-", 1) @@ -466,6 +484,14 @@ def validate_version(version: str) -> bool: return re.search(cpe_regex, version) is not None +def validate_serialNumber(serialNumber: str) -> bool: + """ + Validates the serial number present in sbom + """ + pattern = r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + return re.match(pattern, serialNumber) is not None + + class DirWalk: """ for filename in DirWalk('*.c').walk(roots): diff --git a/cve_bin_tool/vex_manager/generate.py b/cve_bin_tool/vex_manager/generate.py index c3441cd497..83ddc9150b 100644 --- a/cve_bin_tool/vex_manager/generate.py +++ b/cve_bin_tool/vex_manager/generate.py @@ -48,6 +48,7 @@ def __init__( vextype: str, all_cve_data: Dict[ProductInfo, CVEData], revision_reason: str = "", + sbom_serial_number: str = "", sbom: Optional[str] = None, logger: Optional[Logger] = None, validate: bool = True, 
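Review bot: `decode_bom_ref` in the `@@ -418,11 +418,29 @@` hunk now returns a `(product_info, serialNumber)` tuple on the BOM-Link-with-purl path but a bare `ProductInfo | None` on the others (including after a validation failure), and the `@@ -391,7 +391,7 @@` hunk removed the return annotation instead of updating it; the caller in vex_manager/parse.py (`@@ -110,10 +115,18 @@`) is left disambiguating with `isinstance(decoded_ref, tuple) and not isinstance(decoded_ref, ProductInfo)`. Return one shape on every path and annotate it `-> tuple[ProductInfo | None, str]`, with `return product_info, ""` in the invalid-serial branch (the remaining `return` statements are outside the hunk and need the same treatment), so a dropped linkage is visible to the caller rather than looking like a non-BOM-Link reference. As rendered here the named groups read `(?P[^/]+)`; presumably the `<name>` parts (`bomSerialNumber`, `purl`, …) were stripped by the page rendering, since `urn_dict["bomSerialNumber"]` and `urn_dict["purl"]` depend on them, but it is worth confirming against the actual file.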
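Review bot: `validate_serialNumber` in the `@@ -466,6 +484,14 @@` hunk uses `re.match` with a trailing `$`, which also accepts a value that ends in a newline, so a serial number with a trailing `\n` passes the check and then ends up in the generated BOM-Link; `return re.fullmatch(pattern, serialNumber) is not None` makes the match exact. The docstring should also state the accepted form, e.g. `"""Return True if *serialNumber* is a lowercase hyphenated UUID (the part after ``urn:uuid:``)."""`, since callers pass the bare UUID rather than the full URN.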
@@ -62,6 +63,7 @@ def __init__( self.logger = logger or LOGGER.getChild(self.__class__.__name__) self.validate = validate self.all_cve_data = all_cve_data + self.sbom_serial_number = sbom_serial_number def generate_vex(self) -> None: """ @@ -155,10 +157,13 @@ def __get_vulnerabilities(self) -> List[Vulnerability]: else cve.remarks.name ) # more details will be added using set_value() - bom_version = 1 - ref = f"urn:cbt:{bom_version}/{vendor}#{product}:{version}" if purl is None: purl = f"pkg:generic/{vendor}/{product}@{version}" + bom_version = 1 + if self.sbom_serial_number != "": + ref = f"urn:cdx:{self.sbom_serial_number}/{bom_version}#{purl}" + else: + ref = f"urn:cbt:{bom_version}/{vendor}#{product}:{version}" vulnerability.set_value("purl", str(purl)) vulnerability.set_value("bom_link", ref) diff --git a/cve_bin_tool/vex_manager/parse.py b/cve_bin_tool/vex_manager/parse.py index 6c4136a2f1..37eea3eb60 100644 --- a/cve_bin_tool/vex_manager/parse.py +++ b/cve_bin_tool/vex_manager/parse.py @@ -20,6 +20,7 @@ class VEXParse: - vextype (str): The type of VEX file. - logger: The logger object for logging messages. - parsed_data: A dictionary to store the parsed data. + - serialNumbers: serialNumbers from the bom_link used to check linkage with sbom. Methods: - __init__(self, filename: str, vextype: str, logger=None): Initializes the VEXParse object. 
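Review bot: `bom_version = 1` in the `@@ -155,10 +157,13 @@` hunk is baked into the `urn:cdx:{serial}/{version}#{purl}` link, but only the SBOM's serial number is threaded through (`sbom_serial_number`), not its `version`, so a VEX generated for an SBOM whose `version` is greater than 1 links to a BOM revision that does not exist. Either pass the SBOM version alongside the serial number or document the limitation where the constant is set: `# BOM-Link always cites BOM version 1; the SBOM's real version is not propagated yet`. The fragment is the purl, which only resolves when the SBOM's `bom-ref` values are purls — CycloneDX does not require that, so a comment stating the assumption would help. `__get_vulnerabilities` starts and ends outside the hunk.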
@@ -60,11 +61,16 @@ def __init__(self, filename: str, vextype: str, logger=None): self.vextype = vextype self.logger = logger or LOGGER.getChild(self.__class__.__name__) self.parsed_data = {} + self.serialNumbers = set() def parse_vex(self) -> DefaultDict[ProductInfo, TriageData]: """Parses the VEX file and extracts the necessary fields from the vulnerabilities.""" vexparse = VEXParser(vex_type=self.vextype) vexparse.parse(self.filename) + if self.vextype == "auto": + self.vextype = vexparse.get_type() + + self.logger.info(f"Parsed Vex File: {self.filename} of type: {self.vextype}") self.logger.debug(f"VEX Vulnerabilities: {vexparse.get_vulnerabilities()}") self.__process_vulnerabilities(vexparse.get_vulnerabilities()) self.__process_metadata(vexparse.get_metadata()) @@ -101,7 +107,6 @@ def __process_product(self, product) -> None: def __process_vulnerabilities(self, vulnerabilities) -> None: """ "processes the vulnerabilities and extracts the necessary fields from the vulnerability.""" - # for now cyclonedx is supported with minor tweaks other will be supported later for vuln in vulnerabilities: # Extract necessary fields from the vulnerability cve_id = vuln.get("id") 
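Review bot: In the `@@ -60,11 +61,16 @@` hunk `self.vextype` is overwritten with the detected type when it was `"auto"`, but neither the class docstring (`@@ -20,6 +20,7 @@`) nor the method docstring mentions that `vextype` accepts `"auto"` or that the attribute changes after `parse_vex()`; the cli.py linkage check reads `vexdata.vextype` after parsing and relies on exactly that. Add to the attribute list `- vextype (str): The type of VEX file, or "auto" to detect it; replaced by the detected type once parse_vex() runs.` and a one-line note above the assignment, `# "auto" is resolved once; vextype then holds the detected type for callers`. `parse_vex` continues past the hunk.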
@@ -110,10 +115,18 @@ def __process_vulnerabilities(self, vulnerabilities) -> None: response = vuln.get("remediation") comments = vuln.get("comments") severity = vuln.get("severity") # Severity is not available in Lib4VEX - # Decode the bom reference for cyclonedx something similar would be done for other formats + # Decode the bom reference for cyclonedx and purl for csaf and openvex product_info = None + serialNumber = "" if self.vextype == "cyclonedx": - product_info = decode_bom_ref(vuln.get("bom_link")) + decoded_ref = decode_bom_ref(vuln.get("bom_link")) + if isinstance(decoded_ref, tuple) and not isinstance( + decoded_ref, ProductInfo + ): + product_info, serialNumber = decoded_ref + self.serialNumbers.add(serialNumber) + else: + product_info = decoded_ref elif self.vextype in ["openvex", "csaf"]: product_info = decode_purl(vuln.get("purl")) if product_info: From cbf9f2bea4fd46ded0e094e896a18d1cced039ea Mon Sep 17 00:00:00 2001 From: Terri Oda Date: Wed, 4 Sep 2024 09:48:56 -0700 Subject: [PATCH 11/11] chore: bump version for 3.4 release (#4416) Signed-off-by: Terri Oda --- cve_bin_tool/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve_bin_tool/version.py b/cve_bin_tool/version.py index ce3bb5f716..a67def4c2c 100644 --- a/cve_bin_tool/version.py +++ b/cve_bin_tool/version.py @@ -8,7 +8,7 @@ from cve_bin_tool.log import LOGGER from cve_bin_tool.util import make_http_requests -VERSION: str = "3.4rc1" +VERSION: str = "3.4" HTTP_HEADERS: dict = { "User-Agent": f"cve-bin-tool/{VERSION} (https://github.com/intel/cve-bin-tool/)",