diff --git a/sbom/cve-bin-tool-py3.8.json b/sbom/cve-bin-tool-py3.8.json
index 751eec4c24..1862f852e8 100644
--- a/sbom/cve-bin-tool-py3.8.json
+++ b/sbom/cve-bin-tool-py3.8.json
@@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
- "serialNumber": "urn:uuid:17568046-fe99-4c9b-bfff-029133fafff0",
+ "serialNumber": "urn:uuid:4de8b809-0ea6-4f9c-853d-2d39a65805e3",
"version": 1,
"metadata": {
- "timestamp": "2023-10-02T00:32:05Z",
+ "timestamp": "2023-10-09T00:48:16Z",
"tools": {
"components": [
{
@@ -58,7 +58,11 @@
"type": "library",
"bom-ref": "2-aiohttp",
"name": "aiohttp",
- "version": "3.8.5",
+ "version": "3.8.6",
+ "supplier": {
+ "name": "NOASSERTION"
+ },
+ "cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6",
"description": "Async http client/server framework (asyncio)",
"licenses": [
{
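Review bot: The added `"cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6"` is not a usable identifier: `NOASSERTION` is an SPDX placeholder, not a vendor, so no NVD/CPE dictionary entry will ever match it, and it is written in the CPE 2.2 URI binding while every other component in this BOM uses the 2.3 formatted-string form (e.g. `cpe:2.3:a:julian_berman:rpds-py:…`). A scanner that prefers `cpe` over `purl` for matching will silently miss aiohttp advisories. When the supplier is unknown the generator should omit the `cpe` key entirely and let `"purl": "pkg:pypi/aiohttp@3.8.6"` carry identification, or at minimum emit a 2.3 string with a wildcard vendor, `"cpe": "cpe:2.3:a:*:aiohttp:3.8.6:*:*:*:*:*:*:*"`. The same placeholder CPE is added for aiosignal, frozenlist and markupsafe in later hunks, which suggests a generator regression rather than a per-package choice.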
@@ -70,12 +74,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/aiohttp/3.8.5",
+ "url": "https://pypi.org/project/aiohttp/3.8.6",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/aiohttp@3.8.5",
+ "purl": "pkg:pypi/aiohttp@3.8.6",
"properties": [
{
"name": "License Comments",
@@ -88,6 +92,10 @@
"bom-ref": "3-aiosignal",
"name": "aiosignal",
"version": "1.3.1",
+ "supplier": {
+ "name": "NOASSERTION"
+ },
+ "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1",
"licenses": [
{
"license": {
@@ -116,6 +124,10 @@
"bom-ref": "4-frozenlist",
"name": "frozenlist",
"version": "1.4.0",
+ "supplier": {
+ "name": "NOASSERTION"
+ },
+ "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0",
"description": "A list-like structure which implements collections.abc.MutableSequence",
"licenses": [
{
@@ -496,7 +508,7 @@
"name": "gsutil",
"version": "5.26",
"supplier": {
- "name": "Google Inc.",
+ "name": "Google Inc .",
"contact": [
{
"email": "buganizer-system+187143@google.com"
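Review bot: The supplier name is corrupted from `"Google Inc."` to `"Google Inc ."`, and the same space-before-period mangling appears for `Sybren A . Stuvel` and `Jason R . Coombs` in later hunks. Supplier is part of the provenance record consumers use to attribute packages and derive CPE vendor strings, so a spurious token here breaks exact-match lookups. This looks like a tokenisation regression in the regenerated output rather than an upstream metadata change; the line should read `"name": "Google Inc."` and the generator fixed before these files are committed.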
@@ -631,7 +643,7 @@
"name": "gcs-oauth2-boto-plugin",
"version": "3.0",
"supplier": {
- "name": "Google Inc.",
+ "name": "Google Inc .",
"contact": [
{
"email": "gs-team@google.com"
@@ -739,7 +751,7 @@
"name": "pyu2f",
"version": "0.1.5",
"supplier": {
- "name": "Google Inc.",
+ "name": "Google Inc .",
"contact": [
{
"email": "pyu2f-team@google.com"
@@ -865,7 +877,7 @@
"name": "oauth2client",
"version": "4.1.3",
"supplier": {
- "name": "Google Inc.",
+ "name": "Google Inc .",
"contact": [
{
"email": "jonwayne+oauth2client@google.com"
@@ -973,7 +985,7 @@
"name": "rsa",
"version": "4.7.2",
"supplier": {
- "name": "Sybren A. Stuvel",
+ "name": "Sybren A . Stuvel",
"contact": [
{
"email": "sybren@stuvel.eu"
@@ -1060,9 +1072,7 @@
"description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.",
"licenses": [
{
- "license": {
- "expression": "Apache-2.0 OR BSD-3-Clause"
- }
+ "expression": "Apache-2.0 OR BSD-3-Clause"
}
],
"externalReferences": [
@@ -1328,7 +1338,7 @@
"name": "importlib-metadata",
"version": "6.8.0",
"supplier": {
- "name": "Jason R. Coombs",
+ "name": "Jason R . Coombs",
"contact": [
{
"email": "jaraco@jaraco.com"
@@ -1352,7 +1362,7 @@
"name": "zipp",
"version": "3.17.0",
"supplier": {
- "name": "Jason R. Coombs",
+ "name": "Jason R . Coombs",
"contact": [
{
"email": "jaraco@jaraco.com"
@@ -1431,6 +1441,10 @@
"bom-ref": "44-markupsafe",
"name": "markupsafe",
"version": "2.1.3",
+ "supplier": {
+ "name": "NOASSERTION"
+ },
+ "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3",
"description": "Safely add untrusted strings to HTML/XML markup.",
"licenses": [
{
@@ -1534,11 +1548,11 @@
"type": "library",
"bom-ref": "48-rpds-py",
"name": "rpds-py",
- "version": "0.10.3",
+ "version": "0.10.4",
"supplier": {
"name": "Julian Berman"
},
- "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.3:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.4:*:*:*:*:*:*:*",
"description": "Python bindings to Rust's persistent data structures (rpds)",
"licenses": [
{
@@ -1550,12 +1564,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/rpds-py/0.10.3",
+ "url": "https://pypi.org/project/rpds-py/0.10.4",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/rpds-py@0.10.3"
+ "purl": "pkg:pypi/rpds-py@0.10.4"
},
{
"type": "library",
@@ -1585,7 +1599,7 @@
"type": "library",
"bom-ref": "50-lib4sbom",
"name": "lib4sbom",
- "version": "0.4.3",
+ "version": "0.5.1",
"supplier": {
"name": "Anthony Harrison",
"contact": [
@@ -1594,7 +1608,7 @@
}
]
},
- "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*",
"description": "Software Bill of Material (SBOM) generator and consumer library",
"licenses": [
{
@@ -1606,12 +1620,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/lib4sbom/0.4.3",
+ "url": "https://pypi.org/project/lib4sbom/0.5.1",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/lib4sbom@0.4.3"
+ "purl": "pkg:pypi/lib4sbom@0.5.1"
},
{
"type": "library",
@@ -1700,9 +1714,7 @@
"description": "Core utilities for Python packages",
"licenses": [
{
- "license": {
- "expression": "BSD-2-Clause OR Apache-2.0"
- }
+ "expression": "BSD-2-Clause OR Apache-2.0"
}
],
"externalReferences": [
@@ -1902,7 +1914,7 @@
"type": "library",
"bom-ref": "59-urllib3",
"name": "urllib3",
- "version": "2.0.5",
+ "version": "2.0.6",
"supplier": {
"name": "Andrey Petrov",
"contact": [
@@ -1911,16 +1923,16 @@
}
]
},
- "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.5:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*",
"description": "HTTP library with thread-safe connection pooling, file post, and more.",
"externalReferences": [
{
- "url": "https://pypi.org/project/urllib3/2.0.5",
+ "url": "https://pypi.org/project/urllib3/2.0.6",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/urllib3@2.0.5"
+ "purl": "pkg:pypi/urllib3@2.0.6"
},
{
"type": "library",
@@ -2226,12 +2238,6 @@
}
],
"dependencies": [
- {
- "ref": "CDXRef-DOCUMENT",
- "dependsOn": [
- "1-cve-bin-tool"
- ]
- },
{
"ref": "1-cve-bin-tool",
"dependsOn": [
@@ -2441,6 +2447,7 @@
{
"ref": "50-lib4sbom",
"dependsOn": [
+ "14-defusedxml",
"51-pyyaml",
"52-semantic-version"
]
diff --git a/sbom/cve-bin-tool-py3.8.spdx b/sbom/cve-bin-tool-py3.8.spdx
index fb950d851f..4913c82e5e 100644
--- a/sbom/cve-bin-tool-py3.8.spdx
+++ b/sbom/cve-bin-tool-py3.8.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-ebff0116-82ab-443a-8fd6-d69be07b0963
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-e34e00f1-303d-4ece-bab7-45a34b5bdea3
LicenseListVersion: 3.21
Creator: Tool: sbom4python-0.10.0
-Created: 2023-10-02T00:30:33Z
+Created: 2023-10-09T00:46:47Z
CreatorComment: This document has been automatically generated.
#####
@@ -26,24 +26,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.2.2.dev0:*:*:
PackageName: aiohttp
SPDXID: SPDXRef-Package-2-aiohttp
-PackageVersion: 3.8.5
+PackageVersion: 3.8.6
PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.5
+PackageSupplier: Organization: NOASSERTION
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.6
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Async http client/server framework (asyncio)
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.5
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.6
#####
PackageName: aiosignal
SPDXID: SPDXRef-Package-3-aiosignal
PackageVersion: 1.3.1
PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
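Review bot: `PackageSupplier: Organization: NOASSERTION` is malformed under SPDX 2.3: the field value is either the literal `NOASSERTION` or a `Person:`/`Organization:` prefix followed by an actual name, and a validator will reject the prefix-plus-placeholder combination. The previous `PackageSupplier: NOASSERTION` was the correct form and should be restored for aiohttp, aiosignal, frozenlist and markupsafe. Since these files are automatically generated (see CreatorComment), the fix belongs in the generator configuration, otherwise the next regeneration reintroduces it.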
@@ -57,7 +57,7 @@ PackageName: frozenlist
SPDXID: SPDXRef-Package-4-frozenlist
PackageVersion: 1.4.0
PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
@@ -675,7 +675,7 @@ PackageName: markupsafe
SPDXID: SPDXRef-Package-44-markupsafe
PackageVersion: 2.1.3
PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3
FilesAnalyzed: false
PackageLicenseDeclared: BSD-3-Clause
@@ -732,17 +732,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.30.2:*:*:*
PackageName: rpds-py
SPDXID: SPDXRef-Package-48-rpds-py
-PackageVersion: 0.10.3
+PackageVersion: 0.10.4
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.3
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.4
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: Python bindings to Rust's persistent data structures (rpds)
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.4:*:*:*:*:*:*:*
#####
PackageName: pkgutil-resolve-name
@@ -762,17 +762,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:pkgutil-resolve-name:1.3.1
PackageName: lib4sbom
SPDXID: SPDXRef-Package-50-lib4sbom
-PackageVersion: 0.4.3
+PackageVersion: 0.5.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3
+PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.1
FilesAnalyzed: false
PackageLicenseDeclared: Apache-2.0
PackageLicenseConcluded: Apache-2.0
PackageCopyrightText: NOASSERTION
PackageSummary: Software Bill of Material (SBOM) generator and consumer library
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*
#####
PackageName: pyyaml
@@ -902,17 +902,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*:
PackageName: urllib3
SPDXID: SPDXRef-Package-59-urllib3
-PackageVersion: 2.0.5
+PackageVersion: 2.0.6
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net)
-PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.5
+PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: HTTP library with thread-safe connection pooling, file post, and more.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.5
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.5:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*
#####
PackageName: rich
@@ -1066,7 +1066,6 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.21.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:*
#####
-Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-11-beautifulsoup4
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-13-cvss
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-14-defusedxml
@@ -1151,6 +1150,7 @@ Relationship: SPDXRef-Package-46-jsonschema-specifications DEPENDS_ON SPDXRef-Pa
Relationship: SPDXRef-Package-46-jsonschema-specifications DEPENDS_ON SPDXRef-Package-47-referencing
Relationship: SPDXRef-Package-47-referencing DEPENDS_ON SPDXRef-Package-48-rpds-py
Relationship: SPDXRef-Package-47-referencing DEPENDS_ON SPDXRef-Package-6-attrs
+Relationship: SPDXRef-Package-50-lib4sbom DEPENDS_ON SPDXRef-Package-14-defusedxml
Relationship: SPDXRef-Package-50-lib4sbom DEPENDS_ON SPDXRef-Package-51-pyyaml
Relationship: SPDXRef-Package-50-lib4sbom DEPENDS_ON SPDXRef-Package-52-semantic-version
Relationship: SPDXRef-Package-53-packaging DEPENDS_ON SPDXRef-Package-26-pyparsing
@@ -1167,3 +1167,4 @@ Relationship: SPDXRef-Package-61-markdown-it-py DEPENDS_ON SPDXRef-Package-62-md
Relationship: SPDXRef-Package-67-xmlschema DEPENDS_ON SPDXRef-Package-68-elementpath
Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-10-idna
Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-8-multidict
+Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool
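Review bot: `SPDXRef-Package-None` is not the SPDXID of any element in this document, so the new DESCRIBES relationship dangles, and because the earlier hunk drops `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool` the document no longer describes anything from `SPDXRef-DOCUMENT` — an SPDX 2.3 validator will flag both. Consumers that walk the graph from the document root will find no primary package at all. The line should be `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool`; the `None` most likely comes from a missing root reference in the regenerated output, so the generator invocation should be checked rather than only patching this file.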