diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json
index 66132b4683..15e4a957d7 100644
--- a/sbom/cve-bin-tool-py3.10.json
+++ b/sbom/cve-bin-tool-py3.10.json
@@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
- "serialNumber": "urn:uuid:51b0461a-601d-40c8-9e2f-3fb74dd746ff",
+ "serialNumber": "urn:uuid:9536bb49-29db-4c9b-a066-230076147613",
"version": 1,
"metadata": {
- "timestamp": "2023-10-02T00:42:50Z",
+ "timestamp": "2023-10-09T00:26:42Z",
"tools": {
"components": [
{
@@ -58,7 +58,11 @@
"type": "library",
"bom-ref": "2-aiohttp",
"name": "aiohttp",
- "version": "3.8.5",
+ "version": "3.8.6",
+ "supplier": {
+ "name": "NOASSERTION"
+ },
+ "cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6",
"description": "Async http client/server framework (asyncio)",
"licenses": [
{
@@ -70,12 +74,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/aiohttp/3.8.5",
+ "url": "https://pypi.org/project/aiohttp/3.8.6",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/aiohttp@3.8.5",
+ "purl": "pkg:pypi/aiohttp@3.8.6",
"properties": [
{
"name": "License Comments",
@@ -88,6 +92,10 @@
"bom-ref": "3-aiosignal",
"name": "aiosignal",
"version": "1.3.1",
+ "supplier": {
+ "name": "NOASSERTION"
+ },
+ "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1",
"licenses": [
{
"license": {
@@ -116,6 +124,10 @@
"bom-ref": "4-frozenlist",
"name": "frozenlist",
"version": "1.4.0",
+ "supplier": {
+ "name": "NOASSERTION"
+ },
+ "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0",
"description": "A list-like structure which implements collections.abc.MutableSequence",
"licenses": [
{
@@ -496,7 +508,7 @@
"name": "gsutil",
"version": "5.26",
"supplier": {
- "name": "Google Inc.",
+ "name": "Google Inc .",
"contact": [
{
"email": "buganizer-system+187143@google.com"
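Review bot: `"Google Inc ."` at line 73 inserts a space before the period and so changes the supplier string rather than correcting it; the identical regression appears in the gcs-oauth2-boto-plugin, pyu2f and oauth2client hunks, and `"Sybren A . Stuvel"` in the rsa hunk. Supplier names feed vendor matching and cross-document consistency with the SPDX file in this same commit, so a mangled name degrades both. It looks like a tokenisation bug in the newer generator splitting on `.`; the removed `"Google Inc."` / `"Sybren A. Stuvel"` values were correct and should be what the regenerated file contains.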
@@ -631,7 +643,7 @@
"name": "gcs-oauth2-boto-plugin",
"version": "3.0",
"supplier": {
- "name": "Google Inc.",
+ "name": "Google Inc .",
"contact": [
{
"email": "gs-team@google.com"
@@ -739,7 +751,7 @@
"name": "pyu2f",
"version": "0.1.5",
"supplier": {
- "name": "Google Inc.",
+ "name": "Google Inc .",
"contact": [
{
"email": "pyu2f-team@google.com"
@@ -865,7 +877,7 @@
"name": "oauth2client",
"version": "4.1.3",
"supplier": {
- "name": "Google Inc.",
+ "name": "Google Inc .",
"contact": [
{
"email": "jonwayne+oauth2client@google.com"
@@ -973,7 +985,7 @@
"name": "rsa",
"version": "4.7.2",
"supplier": {
- "name": "Sybren A. Stuvel",
+ "name": "Sybren A . Stuvel",
"contact": [
{
"email": "sybren@stuvel.eu"
@@ -1060,9 +1072,7 @@
"description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.",
"licenses": [
{
- "license": {
- "expression": "Apache-2.0 OR BSD-3-Clause"
- }
+ "expression": "Apache-2.0 OR BSD-3-Clause"
}
],
"externalReferences": [
@@ -1359,6 +1369,10 @@
"bom-ref": "41-markupsafe",
"name": "markupsafe",
"version": "2.1.3",
+ "supplier": {
+ "name": "NOASSERTION"
+ },
+ "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3",
"description": "Safely add untrusted strings to HTML/XML markup.",
"licenses": [
{
@@ -1462,11 +1476,11 @@
"type": "library",
"bom-ref": "45-rpds-py",
"name": "rpds-py",
- "version": "0.10.3",
+ "version": "0.10.4",
"supplier": {
"name": "Julian Berman"
},
- "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.3:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.4:*:*:*:*:*:*:*",
"description": "Python bindings to Rust's persistent data structures (rpds)",
"licenses": [
{
@@ -1478,18 +1492,18 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/rpds-py/0.10.3",
+ "url": "https://pypi.org/project/rpds-py/0.10.4",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/rpds-py@0.10.3"
+ "purl": "pkg:pypi/rpds-py@0.10.4"
},
{
"type": "library",
"bom-ref": "46-lib4sbom",
"name": "lib4sbom",
- "version": "0.4.3",
+ "version": "0.5.1",
"supplier": {
"name": "Anthony Harrison",
"contact": [
@@ -1498,7 +1512,7 @@
}
]
},
- "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*",
"description": "Software Bill of Material (SBOM) generator and consumer library",
"licenses": [
{
@@ -1510,12 +1524,12 @@
],
"externalReferences": [
{
- "url": "https://pypi.org/project/lib4sbom/0.4.3",
+ "url": "https://pypi.org/project/lib4sbom/0.5.1",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/lib4sbom@0.4.3"
+ "purl": "pkg:pypi/lib4sbom@0.5.1"
},
{
"type": "library",
@@ -1604,9 +1618,7 @@
"description": "Core utilities for Python packages",
"licenses": [
{
- "license": {
- "expression": "BSD-2-Clause OR Apache-2.0"
- }
+ "expression": "BSD-2-Clause OR Apache-2.0"
}
],
"externalReferences": [
@@ -1806,7 +1818,7 @@
"type": "library",
"bom-ref": "55-urllib3",
"name": "urllib3",
- "version": "2.0.5",
+ "version": "2.0.6",
"supplier": {
"name": "Andrey Petrov",
"contact": [
@@ -1815,16 +1827,16 @@
}
]
},
- "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.5:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*",
"description": "HTTP library with thread-safe connection pooling, file post, and more.",
"externalReferences": [
{
- "url": "https://pypi.org/project/urllib3/2.0.5",
+ "url": "https://pypi.org/project/urllib3/2.0.6",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/urllib3@2.0.5"
+ "purl": "pkg:pypi/urllib3@2.0.6"
},
{
"type": "library",
@@ -2106,12 +2118,6 @@
}
],
"dependencies": [
- {
- "ref": "CDXRef-DOCUMENT",
- "dependsOn": [
- "1-cve-bin-tool"
- ]
- },
{
"ref": "1-cve-bin-tool",
"dependsOn": [
@@ -2304,6 +2310,7 @@
{
"ref": "46-lib4sbom",
"dependsOn": [
+ "14-defusedxml",
"47-pyyaml",
"48-semantic-version"
]
diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx
index bf2ccda990..b0c5277ea2 100644
--- a/sbom/cve-bin-tool-py3.10.spdx
+++ b/sbom/cve-bin-tool-py3.10.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-82ead980-e1fd-45b3-8d00-de095f71cc6a
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-0e8ee6fa-c119-4a2f-87a9-ef0cb6121781
LicenseListVersion: 3.21
Creator: Tool: sbom4python-0.10.0
-Created: 2023-10-02T00:41:34Z
+Created: 2023-10-09T00:25:11Z
CreatorComment: This document has been automatically generated.
#####
@@ -26,24 +26,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.2.2.dev0:*:*:
PackageName: aiohttp
SPDXID: SPDXRef-Package-2-aiohttp
-PackageVersion: 3.8.5
+PackageVersion: 3.8.6
PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.5
+PackageSupplier: Organization: NOASSERTION
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.6
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Async http client/server framework (asyncio)
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.5
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.6
#####
PackageName: aiosignal
SPDXID: SPDXRef-Package-3-aiosignal
PackageVersion: 1.3.1
PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
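Review bot: `PackageSupplier: Organization: NOASSERTION` at line 280 is not a valid SPDX 2.3 value; the field accepts `Person: <name>`, `Organization: <name>` or a bare `NOASSERTION`, and the removed line 278 had the correct form. Validators will reject the prefixed form, and consumers that parse the prefix will record an organisation named "NOASSERTION" as the supplier. The same change is made for aiosignal in this hunk and in the frozenlist and markupsafe hunks; all four should revert to `PackageSupplier: NOASSERTION`.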
@@ -57,7 +57,7 @@ PackageName: frozenlist
SPDXID: SPDXRef-Package-4-frozenlist
PackageVersion: 1.4.0
PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
@@ -630,7 +630,7 @@ PackageName: markupsafe
SPDXID: SPDXRef-Package-41-markupsafe
PackageVersion: 2.1.3
PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3
FilesAnalyzed: false
PackageLicenseDeclared: BSD-3-Clause
@@ -687,32 +687,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.30.2:*:*:*
PackageName: rpds-py
SPDXID: SPDXRef-Package-45-rpds-py
-PackageVersion: 0.10.3
+PackageVersion: 0.10.4
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.3
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.4
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: Python bindings to Rust's persistent data structures (rpds)
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.4:*:*:*:*:*:*:*
#####
PackageName: lib4sbom
SPDXID: SPDXRef-Package-46-lib4sbom
-PackageVersion: 0.4.3
+PackageVersion: 0.5.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3
+PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.1
FilesAnalyzed: false
PackageLicenseDeclared: Apache-2.0
PackageLicenseConcluded: Apache-2.0
PackageCopyrightText: NOASSERTION
PackageSummary: Software Bill of Material (SBOM) generator and consumer library
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*
#####
PackageName: pyyaml
@@ -842,17 +842,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*:
PackageName: urllib3
SPDXID: SPDXRef-Package-55-urllib3
-PackageVersion: 2.0.5
+PackageVersion: 2.0.6
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net)
-PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.5
+PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6
FilesAnalyzed: false
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: HTTP library with thread-safe connection pooling, file post, and more.
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.5
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.5:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*
#####
PackageName: rich
@@ -991,7 +991,6 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.21.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:*
#####
-Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-11-beautifulsoup4
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-13-cvss
Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-14-defusedxml
@@ -1069,6 +1068,7 @@ Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs
Relationship: SPDXRef-Package-43-jsonschema-specifications DEPENDS_ON SPDXRef-Package-44-referencing
Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-45-rpds-py
Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-6-attrs
+Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-14-defusedxml
Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-47-pyyaml
Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-48-semantic-version
Relationship: SPDXRef-Package-49-packaging DEPENDS_ON SPDXRef-Package-26-pyparsing
@@ -1084,3 +1084,4 @@ Relationship: SPDXRef-Package-57-markdown-it-py DEPENDS_ON SPDXRef-Package-58-md
Relationship: SPDXRef-Package-62-xmlschema DEPENDS_ON SPDXRef-Package-63-elementpath
Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-10-idna
Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-8-multidict
+Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool
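Review bot: `SPDXRef-Package-None` at line 395 is not an SPDXID declared anywhere in the visible document, so the new DESCRIBES relationship dangles, while the valid `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool` is removed at line 379. A DESCRIBES relationship from SPDXRef-DOCUMENT is what identifies the primary component, and SBOM validators and NTIA minimum-element checks will flag its absence; the line should be restored as `Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool` and the `SPDXRef-Package-None` line dropped. The CycloneDX file in this commit drops the matching `CDXRef-DOCUMENT` dependency entry; whether that is harmless depends on the metadata component's `bom-ref`, which is outside the hunks shown, so confirm it still identifies the root component. Since both files are generated, the root cause is presumably the generator update rather than the data.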