Merge branch 'main' into enhance-products-no-identified-vulns

cve_bin_tool/data_sources/nvd_source.py

@@ -173,7 +173,8 @@ def format_data(self, all_cve_entries):
     def parse_node(self, node: dict[str, list[dict[str, str]]]) -> list[dict[str, str]]:
         affects_list = []
         if "cpe_match" in node:
-            for cpe_match in node["cpe_match"]:
+            vulnerable_matches = (m for m in node["cpe_match"] if m["vulnerable"])
+            for cpe_match in vulnerable_matches:
                 cpe_split = cpe_match["cpe23Uri"].split(":")
                 affects = {
                     "vendor": cpe_split[3],
@@ -277,7 +278,8 @@ def parse_node_api2(
     ) -> list[dict[str, str]]:
         affects_list = []
         if "cpeMatch" in node:
-            for cpe_match in node["cpeMatch"]:
+            vulnerable_matches = (m for m in node["cpeMatch"] if m["vulnerable"])
+            for cpe_match in vulnerable_matches:
                 cpe_split = cpe_match["criteria"].split(":")
                 affects = {
                     "vendor": cpe_split[3],

sbom/cve-bin-tool-py3.10.json

@@ -1,11 +1,11 @@
 {
-  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuide3e05b88-20fe-4fb4-a70a-7a988a30a646",
+  "serialNumber": "urn:uuid:6f40516e-8cc0-4e34-bf8d-348ae81ded16",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-08-07T01:14:28Z",
+    "timestamp": "2023-08-14T00:45:41Z",
     "tools": {
       "components": [
         {
@@ -144,7 +144,7 @@
       "type": "library",
       "bom-ref": "5-async-timeout",
       "name": "async-timeout",
-      "version": "4.0.2",
+      "version": "4.0.3",
       "supplier": {
         "name": "Andrew Svetlov",
         "contact": [
@@ -153,7 +153,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:*",
       "description": "Timeout context manager for asyncio programs",
       "licenses": [
         {
@@ -165,12 +165,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/async-timeout/4.0.2",
+          "url": "https://pypi.org/project/async-timeout/4.0.3",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/async-timeout@4.0.2",
+      "purl": "pkg:pypi/async-timeout@4.0.3",
       "properties": [
         {
           "name": "License Comments",
@@ -1419,11 +1419,11 @@
       "type": "library",
       "bom-ref": "43-jsonschema",
       "name": "jsonschema",
-      "version": "4.18.6",
+      "version": "4.19.0",
       "supplier": {
         "name": "Julian Berman"
       },
-      "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*",
       "description": "An implementation of JSON Schema validation for Python",
       "licenses": [
         {
@@ -1435,12 +1435,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/jsonschema/4.18.6",
+          "url": "https://pypi.org/project/jsonschema/4.19.0",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/jsonschema@4.18.6"
+      "purl": "pkg:pypi/jsonschema@4.19.0"
     },
     {
       "type": "library",
@@ -1527,7 +1527,7 @@
       "type": "library",
       "bom-ref": "47-lib4sbom",
       "name": "lib4sbom",
-      "version": "0.4.1",
+      "version": "0.4.2",
       "supplier": {
         "name": "Anthony Harrison",
         "contact": [
@@ -1536,7 +1536,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.2:*:*:*:*:*:*:*",
       "description": "Software Bill of Material (SBOM) generator and consumer library",
       "licenses": [
         {
@@ -1548,12 +1548,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/lib4sbom/0.4.1",
+          "url": "https://pypi.org/project/lib4sbom/0.4.2",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/lib4sbom@0.4.1"
+      "purl": "pkg:pypi/lib4sbom@0.4.2"
     },
     {
       "type": "library",
@@ -1666,7 +1666,7 @@
       "type": "library",
       "bom-ref": "51-plotly",
       "name": "plotly",
-      "version": "5.15.0",
+      "version": "5.16.0",
       "supplier": {
         "name": "Chris P",
         "contact": [
@@ -1675,7 +1675,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:chris_p:plotly:5.16.0:*:*:*:*:*:*:*",
       "description": "An open-source, interactive data visualization library for Python",
       "licenses": [
         {
@@ -1687,12 +1687,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/plotly/5.15.0",
+          "url": "https://pypi.org/project/plotly/5.16.0",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/plotly@5.15.0"
+      "purl": "pkg:pypi/plotly@5.16.0"
     },
     {
       "type": "library",

sbom/cve-bin-tool-py3.10.spdx

@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-d5127a7d-b857-4821-a5d3-57951445c898
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-7c81cabe-6439-445a-a042-d629b416431f
 LicenseListVersion: 3.21
 Creator: Tool: sbom4python-0.10.0
-Created: 2023-08-07T01:12:54Z
+Created: 2023-08-14T00:44:13Z
 CreatorComment: <text>This document has been automatically generated.</text>
 ##### 
 
@@ -70,18 +70,18 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.0
 
 PackageName: async-timeout
 SPDXID: SPDXRef-Package-5-async-timeout
-PackageVersion: 4.0.2
+PackageVersion: 4.0.3
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Andrew Svetlov (andrew.svetlov@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.2
+PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.3
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>async-timeout declares Apache 2 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Timeout context manager for asyncio programs</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.3
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:*
 ##### 
 
 PackageName: attrs
@@ -658,17 +658,17 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.3
 
 PackageName: jsonschema
 SPDXID: SPDXRef-Package-43-jsonschema
-PackageVersion: 4.18.6
+PackageVersion: 4.19.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/jsonschema/4.18.6
+PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.0
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>An implementation of JSON Schema validation for Python</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.18.6
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: jsonschema-specifications
@@ -718,17 +718,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*:
 
 PackageName: lib4sbom
 SPDXID: SPDXRef-Package-47-lib4sbom
-PackageVersion: 0.4.1
+PackageVersion: 0.4.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.1
+PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.2
 FilesAnalyzed: false
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Software Bill of Material (SBOM) generator and consumer library</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: pyyaml
@@ -780,17 +780,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut
 
 PackageName: plotly
 SPDXID: SPDXRef-Package-51-plotly
-PackageVersion: 5.15.0
+PackageVersion: 5.16.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Chris P (chris@plot.ly)
-PackageDownloadLocation: https://pypi.org/project/plotly/5.15.0
+PackageDownloadLocation: https://pypi.org/project/plotly/5.16.0
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>An open-source, interactive data visualization library for Python</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.15.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.16.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.16.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: tenacity