From 4ae9c3b8d16a192e66f5c05384b5b9dbf8ba15d7 Mon Sep 17 00:00:00 2001
From: GitHub
Date: Mon, 29 Sep 2025 00:39:50 +0000
Subject: [PATCH] chore: update SBOM for Python 3.9
---
 sbom/cve-bin-tool-py3.9.json | 62 +++++++++++++------------
 sbom/cve-bin-tool-py3.9.spdx | 88 +++++++++++++-----------------
 2 files changed, 63 insertions(+), 87 deletions(-)
diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json
index 3287159339..5cc8097714 100644
--- a/sbom/cve-bin-tool-py3.9.json
+++ b/sbom/cve-bin-tool-py3.9.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
- "serialNumber": "urn:uuid:b727b64a-8125-43ab-a84c-ed40382e46ce",
+ "serialNumber": "urn:uuid:4b024eba-fa76-49a5-b076-b41b6de6f0fd",
 "version": 1,
 "metadata": {
- "timestamp": "2025-09-22T00:46:07Z",
+ "timestamp": "2025-09-29T00:39:49Z",
 "lifecycles": [
 {
 "phase": "build"
@@ -958,7 +958,7 @@
 "type": "library",
 "bom-ref": "13-beautifulsoup4",
 "name": "beautifulsoup4",
- "version": "4.13.5",
+ "version": "4.14.0",
 "supplier": {
 "name": "Leonard Richardson",
 "contact": [
@@ -967,12 +967,12 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:leonard_richardson:beautifulsoup4:4.13.5:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:leonard_richardson:beautifulsoup4:4.14.0:*:*:*:*:*:*:*",
 "description": "Screen-scraping library",
 "hashes": [
 {
 "alg": "SHA-256",
- "content": "642085eaa22233aceadff9c69651bc51e8bf3f874fb6d7104ece2beb24b47c4a"
+ "content": "aee96fbccdf2d2a8d1288b2afa51fc76bb60823b7881a50fb1ed5f711d1a7d73"
 }
 ],
 "licenses": [
@@ -991,7 +991,7 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/beautifulsoup4/4.13.5/#files",
+ "url": "https://pypi.org/project/beautifulsoup4/4.14.0/#files",
 "type": "distribution",
 "comment": "Download location for component"
 },
@@ -1000,11 +1000,11 @@
 "type": "other"
 }
 ],
- "purl": "pkg:pypi/beautifulsoup4@4.13.5",
+ "purl": "pkg:pypi/beautifulsoup4@4.14.0",
 "properties": [
 {
 "name": "release_date",
- "value": "2025-08-24T14:06:14Z"
+ "value": "2025-09-27T17:22:16Z"
 },
 {
 "name": "language",
@@ -2095,6 +2095,12 @@
 },
 "cpe": "cpe:2.3:a:paul_mcguire:pyparsing:3.2.5:*:*:*:*:*:*:*",
 "description": "pyparsing - Classes and methods to define and execute parsing grammars",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "e38a4f02064cf41fe6593d328d0512495ad1f3d8a91c4f73fc401b3079a59a5e"
+ }
+ ],
 "externalReferences": [
 {
 "url": "https://github.com/pyparsing/pyparsing/",
@@ -2111,7 +2117,7 @@
 "properties": [
 {
 "name": "release_date",
- "value": "2022-02-03T00:00:29Z"
+ "value": "2025-09-21T04:11:04Z"
 },
 {
 "name": "language",
@@ -2761,7 +2767,7 @@
 "type": "library",
 "bom-ref": "42-google-apitools",
 "name": "google-apitools",
- "version": "0.5.32",
+ "version": "0.5.35",
 "supplier": {
 "name": "Craig Citro",
 "contact": [
@@ -2770,12 +2776,12 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:craig_citro:google-apitools:0.5.32:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:craig_citro:google-apitools:0.5.35:*:*:*:*:*:*:*",
 "description": "client libraries for humans",
 "hashes": [
 {
 "alg": "SHA-256",
- "content": "b78f74116558e0476e19501b5b4b2ac7c93261a69c5449c861ea95cbc853c688"
+ "content": "0f6f67fbe6f228f4777ae7e9d00e01476f7b8a48dca3a4353a1c32369437bbd0"
 }
 ],
 "licenses": [
@@ -2794,16 +2800,16 @@
 "comment": "Home page for project"
 },
 {
- "url": "https://pypi.org/project/google-apitools/0.5.32/#files",
+ "url": "https://pypi.org/project/google-apitools/0.5.35/#files",
 "type": "distribution",
 "comment": "Download location for component"
 }
 ],
- "purl": "pkg:pypi/google-apitools@0.5.32",
+ "purl": "pkg:pypi/google-apitools@0.5.35",
 "properties": [
 {
 "name": "release_date",
- "value": "2021-05-05T22:12:58Z"
+ "value": "2025-09-24T20:22:49Z"
 },
 {
 "name": "language",
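Review bot: The google-apitools bump in these hunks (`"version": "0.5.35"`, the matching `"cpe"`, `"purl"` and distribution-URL lines) records a `release_date` of 2025-09-24 for a package whose previous recorded release was 2021-05-05, i.e. a multi-year gap followed by a jump of three patch versions; the SPDX hunk for SPDXRef-42-google-apitools later in this patch carries the same change. A long-dormant dependency that suddenly publishes new releases is a recognised supply-chain signal, so before this SBOM is accepted as the build's record it is worth confirming the release against the upstream repository and the PyPI publisher, and that the new SHA-256 `0f6f67fb…` matches the artifact the build actually installed. The SBOM only records what the resolver picked; if the new releases turn out to be unexpected, the remedy is a pin in the project's requirements, not an edit to this file.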
@@ -3062,17 +3068,17 @@
 "type": "library",
 "bom-ref": "47-markupsafe",
 "name": "markupsafe",
- "version": "3.0.2",
+ "version": "3.0.3",
 "description": "Safely add untrusted strings to HTML/XML markup.",
 "hashes": [
 {
 "alg": "SHA-256",
- "content": "7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8"
+ "content": "2f981d352f04553a7171b8e44369f2af4055f888dfb147d55e42d29e29e74559"
 }
 ],
 "externalReferences": [
 {
- "url": "https://pypi.org/project/markupsafe/3.0.2/#files",
+ "url": "https://pypi.org/project/markupsafe/3.0.3/#files",
 "type": "distribution",
 "comment": "Download location for component"
 },
@@ -3085,7 +3091,7 @@
 "type": "documentation"
 },
 {
- "url": "https://markupsafe.palletsprojects.com/changes/",
+ "url": "https://markupsafe.palletsprojects.com/page/changes/",
 "type": "log"
 },
 {
@@ -3097,11 +3103,11 @@
 "type": "chat"
 }
 ],
- "purl": "pkg:pypi/markupsafe@3.0.2",
+ "purl": "pkg:pypi/markupsafe@3.0.3",
 "properties": [
 {
 "name": "release_date",
- "value": "2024-10-18T15:20:51Z"
+ "value": "2025-09-27T18:36:05Z"
 },
 {
 "name": "language",
@@ -3110,10 +3116,6 @@
 {
 "name": "python_version",
 "value": "3.9.23"
- },
- {
- "name": "License Comments",
- "value": "markupsafe declares Copyright 2010 Pallets\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its\n contributors may be used to endorse or promote products derived from\n this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A\nPARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED\nTO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR\nPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF\nLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n which is not currently a valid SPDX License identifier or expression."
 }
 ]
 },
@@ -3467,7 +3469,7 @@
 "type": "library",
 "bom-ref": "53-pyyaml",
 "name": "pyyaml",
- "version": "6.0.2",
+ "version": "6.0.3",
 "supplier": {
 "name": "Kirill Simonov",
 "contact": [
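Review bot: Removing the `License Comments` property here leaves the markupsafe component with no license information at all in the CycloneDX document: the removed value was the only place the declared text (the three-clause BSD wording) was recorded, and the component's hunk at -3062 goes straight from `hashes` to `externalReferences` with no `licenses` array. The SPDX hunk for SPDXRef-47-markupsafe in this patch does the same, dropping `PackageLicenseComments` while `PackageLicenseDeclared` and `PackageLicenseConcluded` stay `NOASSERTION`. For an SBOM consumed by license-compliance tooling that is a silent regression rather than a cleanup, so it is worth finding out why the generator no longer sees a license for 3.0.3 (the upstream package metadata format may have changed) rather than accepting the output as-is. If the tool cannot map it, the concluded license should be recorded through the generator's configuration so both documents carry it, e.g. `"licenses": [ { "license": { "id": "BSD-3-Clause" } } ]` in the CycloneDX entry and `PackageLicenseConcluded: BSD-3-Clause` in the SPDX entry, and the mapping confirmed against the package's own LICENSE file.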
@@ -3476,12 +3478,12 @@
 }
 ]
 },
- "cpe": "cpe:2.3:a:kirill_simonov:pyyaml:6.0.2:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:kirill_simonov:pyyaml:6.0.3:*:*:*:*:*:*:*",
 "description": "YAML parser and emitter for Python",
 "hashes": [
 {
 "alg": "SHA-256",
- "content": "0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086"
+ "content": "214ed4befebe12df36bcc8bc2b64b396ca31be9304b8f59e25c11cf94a4c033b"
 }
 ],
 "licenses": [
@@ -3525,11 +3527,11 @@
 "type": "vcs"
 }
 ],
- "purl": "pkg:pypi/pyyaml@6.0.2",
+ "purl": "pkg:pypi/pyyaml@6.0.3",
 "properties": [
 {
 "name": "release_date",
- "value": "2024-08-06T20:31:40Z"
+ "value": "2025-09-25T21:31:46Z"
 },
 {
 "name": "language",
diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx
index c23fe8286d..168a876208 100644
--- a/sbom/cve-bin-tool-py3.9.spdx
+++ b/sbom/cve-bin-tool-py3.9.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-06511fdd-5d66-4e9d-aae8-faf2852fbca2
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-f6a16c31-3314-4955-bf73-32bbf47bb496
 LicenseListVersion: 3.26
 Creator: Tool: sbom4python-0.12.4
-Created: 2025-09-22T00:45:35Z
+Created: 2025-09-29T00:39:37Z
 CreatorComment: SBOM Type: Build - This document has been automatically generated.
 #####
@@ -295,22 +295,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kim_davies:idna:3.10:*:*:*:*:*:*:*
 PackageName: beautifulsoup4
 SPDXID: SPDXRef-13-beautifulsoup4
-PackageVersion: 4.13.5
+PackageVersion: 4.14.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Leonard Richardson (leonardr@segfault.org)
-PackageDownloadLocation: https://pypi.org/project/beautifulsoup4/4.13.5/#files
+PackageDownloadLocation: https://pypi.org/project/beautifulsoup4/4.14.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://www.crummy.com/software/BeautifulSoup/bs4/
-PackageChecksum: SHA256: 642085eaa22233aceadff9c69651bc51e8bf3f874fb6d7104ece2beb24b47c4a
+PackageChecksum: SHA256: aee96fbccdf2d2a8d1288b2afa51fc76bb60823b7881a50fb1ed5f711d1a7d73
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: MIT
 PackageLicenseComments: beautifulsoup4 declares MIT License which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Screen-scraping library
-ReleaseDate: 2025-08-24T14:06:14Z
+ReleaseDate: 2025-09-27T17:22:16Z
 ExternalRef: OTHER other https://www.crummy.com/software/BeautifulSoup/bs4/download/
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/beautifulsoup4@4.13.5
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:leonard_richardson:beautifulsoup4:4.13.5:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/beautifulsoup4@4.14.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:leonard_richardson:beautifulsoup4:4.14.0:*:*:*:*:*:*:*
 #####
 PackageName: soupsieve
@@ -419,12 +419,13 @@ PackageSupplier: Person: Google Inc. (buganizer-system+187143@google.com)
 PackageDownloadLocation: https://cloud.google.com/storage/docs/gsutil_install
 FilesAnalyzed: false
 PackageHomePage: https://cloud.google.com/storage/docs/gsutil
+PackageChecksum: SHA256: b6970ea6c0950c854ce2e33c591e177a6f4a657f2824a1b54eaefa2dff2576bb
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: gsutil declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: A command line tool for interacting with cloud storage services.
-ReleaseDate: 2022-11-02T17:34:01Z
+ReleaseDate: 2025-06-25T08:28:10Z
 ExternalRef: PACKAGE-MANAGER purl pkg:pypi/gsutil@5.35
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_inc.:gsutil:5.35:*:*:*:*:*:*:*
 #####
@@ -574,12 +575,13 @@ PackageSupplier: Person: Google (googleapis-publisher@google.com)
 PackageDownloadLocation: https://pypi.org/project/google-reauth/0.1.1/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/Google/google-reauth-python
+PackageChecksum: SHA256: cb39074488d74c8853074dde47368bbf8f739d4a4338b89aab696c895b6d8368
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: google-reauth declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Google Reauth Library
-ReleaseDate: 2018-07-11T20:58:55Z
+ReleaseDate: 2020-12-01T17:35:45Z
 ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-reauth@0.1.1
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:google:google-reauth:0.1.1:*:*:*:*:*:*:*
 #####
@@ -647,11 +649,12 @@ PackageSupplier: Person: Paul McGuire (ptmcg.gm+pyparsing@gmail.com)
 PackageDownloadLocation: https://pypi.org/project/pyparsing/3.2.5/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/pyparsing/pyparsing/
+PackageChecksum: SHA256: e38a4f02064cf41fe6593d328d0512495ad1f3d8a91c4f73fc401b3079a59a5e
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: pyparsing - Classes and methods to define and execute parsing grammars
-ReleaseDate: 2022-02-03T00:00:29Z
+ReleaseDate: 2025-09-21T04:11:04Z
 ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyparsing@3.2.5
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:paul_mcguire:pyparsing:3.2.5:*:*:*:*:*:*:*
 #####
@@ -856,21 +859,21 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth-http
 PackageName: google-apitools
 SPDXID: SPDXRef-42-google-apitools
-PackageVersion: 0.5.32
+PackageVersion: 0.5.35
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Craig Citro (craigcitro@google.com)
-PackageDownloadLocation: https://pypi.org/project/google-apitools/0.5.32/#files
+PackageDownloadLocation: https://pypi.org/project/google-apitools/0.5.35/#files
 FilesAnalyzed: false
 PackageHomePage: http://github.com/google/apitools
-PackageChecksum: SHA256: b78f74116558e0476e19501b5b4b2ac7c93261a69c5449c861ea95cbc853c688
+PackageChecksum: SHA256: 0f6f67fbe6f228f4777ae7e9d00e01476f7b8a48dca3a4353a1c32369437bbd0
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: google-apitools declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: client libraries for humans
-ReleaseDate: 2021-05-05T22:12:58Z
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-apitools@0.5.32
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:craig_citro:google-apitools:0.5.32:*:*:*:*:*:*:*
+ReleaseDate: 2025-09-24T20:22:49Z
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-apitools@0.5.35
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:craig_citro:google-apitools:0.5.35:*:*:*:*:*:*:*
 #####
 PackageName: monotonic
@@ -953,52 +956,23 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jinja2@3.1.6
 PackageName: markupsafe
 SPDXID: SPDXRef-47-markupsafe
-PackageVersion: 3.0.2
+PackageVersion: 3.0.3
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/markupsafe/3.0.2/#files
+PackageDownloadLocation: https://pypi.org/project/markupsafe/3.0.3/#files
 FilesAnalyzed: false
-PackageChecksum: SHA256: 7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8
+PackageChecksum: SHA256: 2f981d352f04553a7171b8e44369f2af4055f888dfb147d55e42d29e29e74559
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
-PackageLicenseComments: markupsafe declares Copyright 2010 Pallets
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT
-HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Safely add untrusted strings to HTML/XML markup.
-ReleaseDate: 2024-10-18T15:20:51Z
+ReleaseDate: 2025-09-27T18:36:05Z
 ExternalRef: OTHER other https://palletsprojects.com/donate
 ExternalRef: OTHER documentation https://markupsafe.palletsprojects.com/
-ExternalRef: OTHER log https://markupsafe.palletsprojects.com/changes/
+ExternalRef: OTHER log https://markupsafe.palletsprojects.com/page/changes/
 ExternalRef: OTHER vcs https://github.com/pallets/markupsafe/
 ExternalRef: OTHER chat https://discord.gg/pallets
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@3.0.2
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@3.0.3
 #####
 PackageName: jsonschema
@@ -1116,25 +1090,25 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.8.8:*:*:*:
 PackageName: pyyaml
 SPDXID: SPDXRef-53-pyyaml
-PackageVersion: 6.0.2
+PackageVersion: 6.0.3
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Kirill Simonov (xi@resolvent.net)
 PackageDownloadLocation: https://pypi.org/project/PyYAML/
 FilesAnalyzed: false
 PackageHomePage: https://pyyaml.org/
-PackageChecksum: SHA256: 0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086
+PackageChecksum: SHA256: 214ed4befebe12df36bcc8bc2b64b396ca31be9304b8f59e25c11cf94a4c033b
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: YAML parser and emitter for Python
-ReleaseDate: 2024-08-06T20:31:40Z
+ReleaseDate: 2025-09-25T21:31:46Z
 ExternalRef: OTHER issue-tracker https://github.com/yaml/pyyaml/issues
 ExternalRef: OTHER build-system https://github.com/yaml/pyyaml/actions
 ExternalRef: OTHER documentation https://pyyaml.org/wiki/PyYAMLDocumentation
 ExternalRef: OTHER mailing-list http://lists.sourceforge.net/lists/listinfo/yaml-core
 ExternalRef: OTHER vcs https://github.com/yaml/pyyaml
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyyaml@6.0.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pyyaml@6.0.3
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:kirill_simonov:pyyaml:6.0.3:*:*:*:*:*:*:*
 #####
 PackageName: semantic-version