chore: update SBOM for Python 3.10

sbom/cve-bin-tool-py3.10.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:51b0461a-601d-40c8-9e2f-3fb74dd746ff",
+  "serialNumber": "urn:uuid:9536bb49-29db-4c9b-a066-230076147613",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-10-02T00:42:50Z",
+    "timestamp": "2023-10-09T00:26:42Z",
     "tools": {
       "components": [
         {
@@ -58,7 +58,11 @@
       "type": "library",
       "bom-ref": "2-aiohttp",
       "name": "aiohttp",
-      "version": "3.8.5",
+      "version": "3.8.6",
+      "supplier": {
+        "name": "NOASSERTION"
+      },
+      "cpe": "cpe:/a:NOASSERTION:aiohttp:3.8.6",
       "description": "Async http client/server framework (asyncio)",
       "licenses": [
         {
@@ -70,12 +74,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/aiohttp/3.8.5",
+          "url": "https://pypi.org/project/aiohttp/3.8.6",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/aiohttp@3.8.5",
+      "purl": "pkg:pypi/aiohttp@3.8.6",
       "properties": [
         {
           "name": "License Comments",
@@ -88,6 +92,10 @@
       "bom-ref": "3-aiosignal",
       "name": "aiosignal",
       "version": "1.3.1",
+      "supplier": {
+        "name": "NOASSERTION"
+      },
+      "cpe": "cpe:/a:NOASSERTION:aiosignal:1.3.1",
       "licenses": [
         {
           "license": {
@@ -116,6 +124,10 @@
       "bom-ref": "4-frozenlist",
       "name": "frozenlist",
       "version": "1.4.0",
+      "supplier": {
+        "name": "NOASSERTION"
+      },
+      "cpe": "cpe:/a:NOASSERTION:frozenlist:1.4.0",
       "description": "A list-like structure which implements collections.abc.MutableSequence",
       "licenses": [
         {
@@ -496,7 +508,7 @@
       "name": "gsutil",
       "version": "5.26",
       "supplier": {
-        "name": "Google Inc.",
+        "name": "Google Inc .",
         "contact": [
           {
             "email": "buganizer-system+187143@google.com"
@@ -631,7 +643,7 @@
       "name": "gcs-oauth2-boto-plugin",
       "version": "3.0",
       "supplier": {
-        "name": "Google Inc.",
+        "name": "Google Inc .",
         "contact": [
           {
             "email": "gs-team@google.com"
@@ -739,7 +751,7 @@
       "name": "pyu2f",
       "version": "0.1.5",
       "supplier": {
-        "name": "Google Inc.",
+        "name": "Google Inc .",
         "contact": [
           {
             "email": "pyu2f-team@google.com"
@@ -865,7 +877,7 @@
       "name": "oauth2client",
       "version": "4.1.3",
       "supplier": {
-        "name": "Google Inc.",
+        "name": "Google Inc .",
         "contact": [
           {
             "email": "jonwayne+oauth2client@google.com"
@@ -973,7 +985,7 @@
       "name": "rsa",
       "version": "4.7.2",
       "supplier": {
-        "name": "Sybren A. Stuvel",
+        "name": "Sybren A . Stuvel",
         "contact": [
           {
             "email": "sybren@stuvel.eu"
@@ -1060,9 +1072,7 @@
       "description": "cryptography is a package which provides cryptographic recipes and primitives to Python developers.",
       "licenses": [
         {
-          "license": {
-            "expression": "Apache-2.0 OR BSD-3-Clause"
-          }
+          "expression": "Apache-2.0 OR BSD-3-Clause"
         }
       ],
       "externalReferences": [
@@ -1359,6 +1369,10 @@
       "bom-ref": "41-markupsafe",
       "name": "markupsafe",
       "version": "2.1.3",
+      "supplier": {
+        "name": "NOASSERTION"
+      },
+      "cpe": "cpe:/a:NOASSERTION:markupsafe:2.1.3",
       "description": "Safely add untrusted strings to HTML/XML markup.",
       "licenses": [
         {
@@ -1462,11 +1476,11 @@
       "type": "library",
       "bom-ref": "45-rpds-py",
       "name": "rpds-py",
-      "version": "0.10.3",
+      "version": "0.10.4",
       "supplier": {
         "name": "Julian Berman"
       },
-      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.3:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.10.4:*:*:*:*:*:*:*",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "licenses": [
         {
@@ -1478,18 +1492,18 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/rpds-py/0.10.3",
+          "url": "https://pypi.org/project/rpds-py/0.10.4",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/rpds-py@0.10.3"
+      "purl": "pkg:pypi/rpds-py@0.10.4"
     },
     {
       "type": "library",
       "bom-ref": "46-lib4sbom",
       "name": "lib4sbom",
-      "version": "0.4.3",
+      "version": "0.5.1",
       "supplier": {
         "name": "Anthony Harrison",
         "contact": [
@@ -1498,7 +1512,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*",
       "description": "Software Bill of Material (SBOM) generator and consumer library",
       "licenses": [
         {
@@ -1510,12 +1524,12 @@
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/lib4sbom/0.4.3",
+          "url": "https://pypi.org/project/lib4sbom/0.5.1",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/lib4sbom@0.4.3"
+      "purl": "pkg:pypi/lib4sbom@0.5.1"
     },
     {
       "type": "library",
@@ -1604,9 +1618,7 @@
       "description": "Core utilities for Python packages",
       "licenses": [
         {
-          "license": {
-            "expression": "BSD-2-Clause OR Apache-2.0"
-          }
+          "expression": "BSD-2-Clause OR Apache-2.0"
         }
       ],
       "externalReferences": [
@@ -1806,7 +1818,7 @@
       "type": "library",
       "bom-ref": "55-urllib3",
       "name": "urllib3",
-      "version": "2.0.5",
+      "version": "2.0.6",
       "supplier": {
         "name": "Andrey Petrov",
         "contact": [
@@ -1815,16 +1827,16 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.5:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*",
       "description": "HTTP library with thread-safe connection pooling, file post, and more.",
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/urllib3/2.0.5",
+          "url": "https://pypi.org/project/urllib3/2.0.6",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/urllib3@2.0.5"
+      "purl": "pkg:pypi/urllib3@2.0.6"
     },
     {
       "type": "library",
@@ -2106,12 +2118,6 @@
     }
   ],
   "dependencies": [
-    {
-      "ref": "CDXRef-DOCUMENT",
-      "dependsOn": [
-        "1-cve-bin-tool"
-      ]
-    },
     {
       "ref": "1-cve-bin-tool",
       "dependsOn": [
@@ -2304,6 +2310,7 @@
     {
       "ref": "46-lib4sbom",
       "dependsOn": [
+        "14-defusedxml",
         "47-pyyaml",
         "48-semantic-version"
       ]

sbom/cve-bin-tool-py3.10.spdx

@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-82ead980-e1fd-45b3-8d00-de095f71cc6a
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-0e8ee6fa-c119-4a2f-87a9-ef0cb6121781
 LicenseListVersion: 3.21
 Creator: Tool: sbom4python-0.10.0
-Created: 2023-10-02T00:41:34Z
+Created: 2023-10-09T00:25:11Z
 CreatorComment: <text>This document has been automatically generated.</text>
 ##### 
 
@@ -26,24 +26,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.2.2.dev0:*:*:
 
 PackageName: aiohttp
 SPDXID: SPDXRef-Package-2-aiohttp
-PackageVersion: 3.8.5
+PackageVersion: 3.8.6
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.5
+PackageSupplier: Organization: NOASSERTION
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.8.6
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>aiohttp declares Apache 2 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Async http client/server framework (asyncio)</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.5
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.8.6
 ##### 
 
 PackageName: aiosignal
 SPDXID: SPDXRef-Package-3-aiosignal
 PackageVersion: 1.3.1
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/aiosignal/1.3.1
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
@@ -57,7 +57,7 @@ PackageName: frozenlist
 SPDXID: SPDXRef-Package-4-frozenlist
 PackageVersion: 1.4.0
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/frozenlist/1.4.0
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
@@ -630,7 +630,7 @@ PackageName: markupsafe
 SPDXID: SPDXRef-Package-41-markupsafe
 PackageVersion: 2.1.3
 PrimaryPackagePurpose: LIBRARY
-PackageSupplier: NOASSERTION
+PackageSupplier: Organization: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.3
 FilesAnalyzed: false
 PackageLicenseDeclared: BSD-3-Clause
@@ -687,32 +687,32 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.30.2:*:*:*
 
 PackageName: rpds-py
 SPDXID: SPDXRef-Package-45-rpds-py
-PackageVersion: 0.10.3
+PackageVersion: 0.10.4
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.3
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.10.4
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Python bindings to Rust's persistent data structures (rpds)</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.10.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.10.4:*:*:*:*:*:*:*
 ##### 
 
 PackageName: lib4sbom
 SPDXID: SPDXRef-Package-46-lib4sbom
-PackageVersion: 0.4.3
+PackageVersion: 0.5.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3
+PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.5.1
 FilesAnalyzed: false
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Software Bill of Material (SBOM) generator and consumer library</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.5.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.5.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: pyyaml
@@ -842,17 +842,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2023.7.22:*:*:*:
 
 PackageName: urllib3
 SPDXID: SPDXRef-Package-55-urllib3
-PackageVersion: 2.0.5
+PackageVersion: 2.0.6
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net)
-PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.5
+PackageDownloadLocation: https://pypi.org/project/urllib3/2.0.6
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>HTTP library with thread-safe connection pooling, file post, and more.</text>
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.5
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.5:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.0.6
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.0.6:*:*:*:*:*:*:*
 ##### 
 
 PackageName: rich
@@ -991,7 +991,6 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/zstandard@0.21.0
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:gregory_szorc:zstandard:0.21.0:*:*:*:*:*:*:*
 ##### 
 
-Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-cve-bin-tool
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-11-beautifulsoup4
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-13-cvss
 Relationship: SPDXRef-Package-1-cve-bin-tool DEPENDS_ON SPDXRef-Package-14-defusedxml
@@ -1069,6 +1068,7 @@ Relationship: SPDXRef-Package-42-jsonschema DEPENDS_ON SPDXRef-Package-6-attrs
 Relationship: SPDXRef-Package-43-jsonschema-specifications DEPENDS_ON SPDXRef-Package-44-referencing
 Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-45-rpds-py
 Relationship: SPDXRef-Package-44-referencing DEPENDS_ON SPDXRef-Package-6-attrs
+Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-14-defusedxml
 Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-47-pyyaml
 Relationship: SPDXRef-Package-46-lib4sbom DEPENDS_ON SPDXRef-Package-48-semantic-version
 Relationship: SPDXRef-Package-49-packaging DEPENDS_ON SPDXRef-Package-26-pyparsing
@@ -1084,3 +1084,4 @@ Relationship: SPDXRef-Package-57-markdown-it-py DEPENDS_ON SPDXRef-Package-58-md
 Relationship: SPDXRef-Package-62-xmlschema DEPENDS_ON SPDXRef-Package-63-elementpath
 Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-10-idna
 Relationship: SPDXRef-Package-9-yarl DEPENDS_ON SPDXRef-Package-8-multidict
+Relationship: SPDXRef-Package-None DESCRIBES SPDXRef-Package-1-cve-bin-tool