ffontaine · github-actions · Oct 9, 2023
diff --git a/sbom/cve-bin-tool-py3.8.json b/sbom/cve-bin-tool-py3.8.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:17568046-fe99-4c9b-bfff-029133fafff0",
+  "serialNumber": "urn:uuid:4de8b809-0ea6-4f9c-853d-2d39a65805e3",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-10-02T00:32:05Z",
+    "timestamp": "2023-10-09T00:48:16Z",
     "tools": {
       "components": [
         {
@@ -58,7 +58,11 @@
       "type": "library",
       "bom-ref": "2-aiohttp",
       "name": "aiohttp",
-      "version": "3.8.5",
+      "version": "3.8.6",
+      "supplier": {
+        "name": "NOASSERTION"
+      },
+      "cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6",
       "description": "Async http client/server framework (asyncio)",
       "licenses": [
         {
@@ -70,12 +74,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/aiohttp/3.8.5",
+          "url": "https://pypi.org/project/aiohttp/3.8.6",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/aiohttp@3.8.5",
+      "purl": "pkg:pypi/aiohttp@3.8.6",
       "properties": [
         {
           "name": "License Comments",
@@ -88,6 +92,10 @@
       "bom-ref": "3-aiosignal",
       "name": "aiosignal",
       "version": "1.3.1",
+      "supplier": {
+        "name": "NOASSERTION"
+      },
+      "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1",
       "licenses": [
         {
           "license": {
@@ -116,6 +124,10 @@
       "bom-ref": "4-frozenlist",
       "name": "frozenlist",
       "version": "1.4.0",
+      "supplier": {
+        "name": "NOASSERTION"
+      },
+      "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0",
       "description": "A list-like structure which implements collections.abc.MutableSequence",
       "licenses": [
         {
@@ -496,7 +508,7 @@
       "name": "gsutil",
       "version": "5.26",
       "supplier": {
-        "name": "Google Inc.",
+        "name": "Google Inc .",
         "contact": [
           {
             "email": "buganizer-system+187143@google.com"
@@ -631,7 +643,7 @@
       "name": "gcs-oauth2-boto-plugin",
       "version": "3.0",
       "supplier": {
-        "name": "Google Inc.",
+        "name": "Google Inc .",
         "contact": [
           {
             "email": "gs-team@google.com"
@@ -739,7 +751,7 @@
       "name": "pyu2f",
       "version": "0.1.5",
       "supplier": {
-        "name": "Google Inc.",
+        "name": "Google Inc .",
         "contact": [
           {
             "email": "pyu2f-team@google.com"
@@ -865,7 +877,7 @@
       "name": "oauth2client",
       "version": "4.1.3",
       "supplier": {
-        "name": "Google Inc.",
+        "name": "Google Inc .",
         "contact": [
           {
             "email": "jonwayne+oauth2client@google.com"
@@ -973,7 +985,7 @@
       "name": "rsa",
       "version": "4.7.2",
       "supplier": {
-        "name": "Sybren A. Stuvel",
+        "name": "Sybren A . Stuvel",
         "contact": [
           {
             "email": "sybren@stuvel.eu"
@@ -1060,9 +1072,7 @@
       "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.",
       "licenses": [
         {
-          "license": {
-            "expression": "Apache-2.0 OR BSD-3-Clause"
-          }
+          "expression": "Apache-2.0 OR BSD-3-Clause"
         }
       ],
       "externalReferences": [
@@ -1328,7 +1338,7 @@
       "name": "importlib-metadata",
       "version": "6.8.0",
       "supplier": {
-        "name": "Jason R. Coombs",
+        "name": "Jason R . Coombs",
         "contact": [
           {
             "email": "jaraco@jaraco.com"
@@ -1352,7 +1362,7 @@
       "name": "zipp",
       "version": "3.17.0",
       "supplier": {
-        "name": "Jason R. Coombs",
+        "name": "Jason R . Coombs",
         "contact": [
           {
             "email": "jaraco@jaraco.com"
@@ -1431,6 +1441,10 @@
       "bom-ref": "44-markupsafe",
       "name": "markupsafe",
       "version": "2.1.3",
+      "supplier": {
+        "name": "NOASSERTION"
+      },
+      "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3",
       "description": "Safely add untrusted strings to HTML/XML markup.",
       "licenses": [
         {
@@ -1534,11 +1548,11 @@
       "type": "library",
       "bom-ref": "48-rpds-py",
       "name": "rpds-py",
-      "version": "0.10.3",
+      "version": "0.10.4",
       "supplier": {
         "name": "Julian Berman"
       },
-      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.3:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.4:*:*:*:*:*:*:*",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "licenses": [
         {
@@ -1550,12 +1564,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/rpds-py/0.10.3",
+          "url": "https://pypi.org/project/rpds-py/0.10.4",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/rpds-py@0.10.3"
+      "purl": "pkg:pypi/rpds-py@0.10.4"
     },
     {
       "type": "library",
@@ -1585,7 +1599,7 @@
       "type": "library",
       "bom-ref": "50-lib4sbom",
       "name": "lib4sbom",
-      "version": "0.4.3",
+      "version": "0.5.1",
       "supplier": {
         "name": "Anthony Harrison",
         "contact": [
@@ -1594,7 +1608,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*",
       "description": "Software Bill of Material (SBOM) generator and consumer library",
       "licenses": [
         {
@@ -1606,12 +1620,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/lib4sbom/0.4.3",
+          "url": "https://pypi.org/project/lib4sbom/0.5.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/lib4sbom@0.4.3"
+      "purl": "pkg:pypi/lib4sbom@0.5.1"
     },
     {
       "type": "library",
@@ -1700,9 +1714,7 @@
       "description": "Core utilities for Python packages",
       "licenses": [
         {
-          "license": {
-            "expression": "BSD-2-Clause OR Apache-2.0"
-          }
+          "expression": "BSD-2-Clause OR Apache-2.0"
         }
       ],
       "externalReferences": [
@@ -1902,7 +1914,7 @@
       "type": "library",
       "bom-ref": "59-urllib3",
       "name": "urllib3",
-      "version": "2.0.5",
+      "version": "2.0.6",
       "supplier": {
         "name": "Andrey Petrov",
         "contact": [
@@ -1911,16 +1923,16 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.5:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*",
       "description": "HTTP library with thread-safe connection pooling, file post, and more.",
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/urllib3/2.0.5",
+          "url": "https://pypi.org/project/urllib3/2.0.6",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/urllib3@2.0.5"
+      "purl": "pkg:pypi/urllib3@2.0.6"
     },
     {
       "type": "library",
@@ -2226,12 +2238,6 @@
     }
   ],
   "dependencies": [
-    {
-      "ref": "CDXRef-DOCUMENT",
-      "dependsOn": [
-        "1-cve-bin-tool"
-      ]
-    },
     {
       "ref": "1-cve-bin-tool",
       "dependsOn": [
@@ -2441,6 +2447,7 @@
     {
       "ref": "50-lib4sbom",
       "dependsOn": [
+        "14-defusedxml",
         "51-pyyaml",
         "52-semantic-version"
       ]