62 changes: 37 additions & 25 deletions sbom/cve-bin-tool-py3.9.json
Expand Up @@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:0fa43716-8c8f-48a5-9055-05a17bd14ee1",
"serialNumber": "urn:uuid:fa996397-5c8b-43a4-acc5-438711dddcb5",
"version": 1,
"metadata": {
"timestamp": "2025-10-13T00:40:50Z",
"timestamp": "2025-10-20T00:42:12Z",
"lifecycles": [
{
"phase": "build"
Expand Down Expand Up @@ -79,12 +79,12 @@
"type": "library",
"bom-ref": "2-aiohttp",
"name": "aiohttp",
"version": "3.13.0",
"version": "3.13.1",
"description": "Async http client/server framework (asyncio)",
"hashes": [
{
"alg": "SHA-256",
"content": "ca69ec38adf5cadcc21d0b25e2144f6a25b7db7bea7e730bac25075bc305eff0"
"content": "2349a6b642020bf20116a8a5c83bae8ba071acf1461c7cbe45fc7fafd552e7e2"
}
],
"licenses": [
Expand All @@ -100,7 +100,7 @@
"comment": "Home page for project"
},
{
"url": "https://pypi.org/project/aiohttp/3.13.0/#files",
"url": "https://pypi.org/project/aiohttp/3.13.1/#files",
"type": "distribution",
"comment": "Download location for component"
},
Expand Down Expand Up @@ -137,11 +137,11 @@
"type": "vcs"
}
],
"purl": "pkg:pypi/[email protected].0",
"purl": "pkg:pypi/[email protected].1",
"properties": [
{
"name": "release_date",
"value": "2025-10-06T19:54:40Z"
"value": "2025-10-17T13:58:56Z"
},
{
"name": "language",
Expand Down Expand Up @@ -894,6 +894,12 @@
},
"cpe": "cpe:2.3:a:kim_davies:idna:3.11:*:*:*:*:*:*:*",
"description": "Internationalized Domain Names in Applications (IDNA)",
"hashes": [
{
"alg": "SHA-256",
"content": "771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea"
}
],
"externalReferences": [
{
"url": "https://pypi.org/project/idna/3.11/#files",
Expand All @@ -917,7 +923,7 @@
"properties": [
{
"name": "release_date",
"value": "2025-10-06T14:08:42Z"
"value": "2025-10-12T14:55:18Z"
},
{
"name": "language",
Expand Down Expand Up @@ -3646,7 +3652,7 @@
"type": "library",
"bom-ref": "56-xmlschema",
"name": "xmlschema",
"version": "4.1.0",
"version": "4.2.0",
"supplier": {
"name": "Davide Brunato",
"contact": [
Expand All @@ -3655,12 +3661,12 @@
}
]
},
"cpe": "cpe:2.3:a:davide_brunato:xmlschema:4.1.0:*:*:*:*:*:*:*",
"cpe": "cpe:2.3:a:davide_brunato:xmlschema:4.2.0:*:*:*:*:*:*:*",
"description": "An XML Schema validator and decoder",
"hashes": [
{
"alg": "SHA-256",
"content": "eabf610f398a58700bc4ac94380ad9ce558297a3f9ca8b7722ed3f7888eb4498"
"content": "82d24a50eea5e7f2d603312813848cd66fddf8fa2b6730839c6aa3d66312e3b6"
}
],
"externalReferences": [
Expand All @@ -3670,16 +3676,16 @@
"comment": "Home page for project"
},
{
"url": "https://pypi.org/project/xmlschema/4.1.0/#files",
"url": "https://pypi.org/project/xmlschema/4.2.0/#files",
"type": "distribution",
"comment": "Download location for component"
}
],
"purl": "pkg:pypi/xmlschema@4.1.0",
"purl": "pkg:pypi/xmlschema@4.2.0",
"properties": [
{
"name": "release_date",
"value": "2025-06-05T21:17:35Z"
"value": "2025-10-14T09:19:28Z"
},
{
"name": "language",
Expand Down Expand Up @@ -4304,7 +4310,7 @@
"type": "library",
"bom-ref": "67-narwhals",
"name": "narwhals",
"version": "2.7.0",
"version": "2.8.0",
"supplier": {
"name": "Marco Gorelli",
"contact": [
Expand All @@ -4313,8 +4319,14 @@
}
]
},
"cpe": "cpe:2.3:a:marco_gorelli:narwhals:2.7.0:*:*:*:*:*:*:*",
"cpe": "cpe:2.3:a:marco_gorelli:narwhals:2.8.0:*:*:*:*:*:*:*",
"description": "Extremely lightweight compatibility layer between dataframe libraries",
"hashes": [
{
"alg": "SHA-256",
"content": "6304856676ba4a79fd34148bda63aed8060dd6edb1227edf3659ce5e091de73c"
}
],
"licenses": [
{
"license": {
Expand All @@ -4331,7 +4343,7 @@
"comment": "Home page for project"
},
{
"url": "https://pypi.org/project/narwhals/2.7.0/#files",
"url": "https://pypi.org/project/narwhals/2.8.0/#files",
"type": "distribution",
"comment": "Download location for component"
},
Expand All @@ -4348,11 +4360,11 @@
"type": "issue-tracker"
}
],
"purl": "pkg:pypi/narwhals@2.7.0",
"purl": "pkg:pypi/narwhals@2.8.0",
"properties": [
{
"name": "release_date",
"value": "2025-10-02T16:10:22Z"
"value": "2025-10-13T08:44:25Z"
},
{
"name": "language",
Expand Down Expand Up @@ -4512,7 +4524,7 @@
"type": "library",
"bom-ref": "70-charset-normalizer",
"name": "charset-normalizer",
"version": "3.4.3",
"version": "3.4.4",
"supplier": {
"name": "Ahmed R .",
"contact": [
Expand All @@ -4521,12 +4533,12 @@
}
]
},
"cpe": "cpe:2.3:a:ahmed_r.:charset-normalizer:3.4.3:*:*:*:*:*:*:*",
"cpe": "cpe:2.3:a:ahmed_r.:charset-normalizer:3.4.4:*:*:*:*:*:*:*",
"description": "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.",
"hashes": [
{
"alg": "SHA-256",
"content": "fb7f67a1bfa6e40b438170ebdc8158b78dc465a5a67b6dde178a46987b244a72"
"content": "e824f1492727fa856dd6eda4f7cee25f8518a12f3c4a56a74e8095695089cf6d"
}
],
"licenses": [
Expand All @@ -4540,7 +4552,7 @@
],
"externalReferences": [
{
"url": "https://pypi.org/project/charset-normalizer/3.4.3/#files",
"url": "https://pypi.org/project/charset-normalizer/3.4.4/#files",
"type": "distribution",
"comment": "Download location for component"
},
Expand All @@ -4561,11 +4573,11 @@
"type": "issue-tracker"
}
],
"purl": "pkg:pypi/[email protected].3",
"purl": "pkg:pypi/[email protected].4",
"properties": [
{
"name": "release_date",
"value": "2025-08-09T07:55:36Z"
"value": "2025-10-14T04:40:11Z"
},
{
"name": "language",
52 changes: 27 additions & 25 deletions sbom/cve-bin-tool-py3.9.spdx
Expand Up @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-389e7e0c-72a5-4fd1-81e1-a7100edeee49
DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-6f3240c3-2796-4fa6-b32e-a2ca8c00d5be
LicenseListVersion: 3.26
Creator: Tool: sbom4python-0.12.4
Created: 2025-10-13T00:40:32Z
Created: 2025-10-20T00:41:59Z
CreatorComment: <text>SBOM Type: Build - This document has been automatically generated.</text>
#####

Expand All @@ -27,18 +27,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4.1:*:*:*:*:*

PackageName: aiohttp
SPDXID: SPDXRef-2-aiohttp
PackageVersion: 3.13.0
PackageVersion: 3.13.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: NOASSERTION
PackageDownloadLocation: https://pypi.org/project/aiohttp/3.13.0/#files
PackageDownloadLocation: https://pypi.org/project/aiohttp/3.13.1/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/aio-libs/aiohttp
PackageChecksum: SHA256: ca69ec38adf5cadcc21d0b25e2144f6a25b7db7bea7e730bac25075bc305eff0
PackageChecksum: SHA256: 2349a6b642020bf20116a8a5c83bae8ba071acf1461c7cbe45fc7fafd552e7e2
PackageLicenseDeclared: Apache-2.0 AND MIT
PackageLicenseConcluded: Apache-2.0 AND MIT
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Async http client/server framework (asyncio)</text>
ReleaseDate: 2025-10-06T19:54:40Z
ReleaseDate: 2025-10-17T13:58:56Z
ExternalRef: OTHER other https://matrix.to/#/#aio-libs:matrix.org
ExternalRef: OTHER other https://matrix.to/#/#aio-libs-space:matrix.org
ExternalRef: OTHER build-system https://github.com/aio-libs/aiohttp/actions?query=workflow%3ACI
Expand All @@ -47,7 +47,7 @@ ExternalRef: OTHER log https://docs.aiohttp.org/en/stable/changes.html
ExternalRef: OTHER other https://docs.aiohttp.org
ExternalRef: OTHER issue-tracker https://github.com/aio-libs/aiohttp/issues
ExternalRef: OTHER vcs https://github.com/aio-libs/aiohttp
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].0
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].1
#####

PackageName: aiohappyeyeballs
Expand Down Expand Up @@ -278,11 +278,12 @@ PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Kim Davies ([email protected])
PackageDownloadLocation: https://pypi.org/project/idna/3.11/#files
FilesAnalyzed: false
PackageChecksum: SHA256: 771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Internationalized Domain Names in Applications (IDNA)</text>
ReleaseDate: 2025-10-06T14:08:42Z
ReleaseDate: 2025-10-12T14:55:18Z
ExternalRef: OTHER log https://github.com/kjd/idna/blob/master/HISTORY.rst
ExternalRef: OTHER issue-tracker https://github.com/kjd/idna/issues
ExternalRef: OTHER vcs https://github.com/kjd/idna
Expand Down Expand Up @@ -1148,20 +1149,20 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:michal_horejsek:fastjsonschema:2.21.2:

PackageName: xmlschema
SPDXID: SPDXRef-56-xmlschema
PackageVersion: 4.1.0
PackageVersion: 4.2.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Davide Brunato ([email protected])
PackageDownloadLocation: https://pypi.org/project/xmlschema/4.1.0/#files
PackageDownloadLocation: https://pypi.org/project/xmlschema/4.2.0/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/sissaschool/xmlschema
PackageChecksum: SHA256: eabf610f398a58700bc4ac94380ad9ce558297a3f9ca8b7722ed3f7888eb4498
PackageChecksum: SHA256: 82d24a50eea5e7f2d603312813848cd66fddf8fa2b6730839c6aa3d66312e3b6
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: <text>An XML Schema validator and decoder</text>
ReleaseDate: 2025-06-05T21:17:35Z
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@4.1.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:4.1.0:*:*:*:*:*:*:*
ReleaseDate: 2025-10-14T09:19:28Z
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/xmlschema@4.2.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:davide_brunato:xmlschema:4.2.0:*:*:*:*:*:*:*
#####

PackageName: elementpath
Expand Down Expand Up @@ -1381,23 +1382,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.3.1:*:*:*:*:*:*:*

PackageName: narwhals
SPDXID: SPDXRef-67-narwhals
PackageVersion: 2.7.0
PackageVersion: 2.8.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Marco Gorelli ([email protected])
PackageDownloadLocation: https://pypi.org/project/narwhals/2.7.0/#files
PackageDownloadLocation: https://pypi.org/project/narwhals/2.8.0/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/narwhals-dev/narwhals
PackageChecksum: SHA256: 6304856676ba4a79fd34148bda63aed8060dd6edb1227edf3659ce5e091de73c
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseComments: <text>narwhals declares MIT License which is not currently a valid SPDX License identifier or expression.</text>
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Extremely lightweight compatibility layer between dataframe libraries</text>
ReleaseDate: 2025-10-02T16:10:22Z
ReleaseDate: 2025-10-13T08:44:25Z
ExternalRef: OTHER documentation https://narwhals-dev.github.io/narwhals/
ExternalRef: OTHER vcs https://github.com/narwhals-dev/narwhals
ExternalRef: OTHER issue-tracker https://github.com/narwhals-dev/narwhals/issues
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@2.7.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:2.7.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@2.8.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:2.8.0:*:*:*:*:*:*:*
#####

PackageName: python-gnupg
Expand Down Expand Up @@ -1444,23 +1446,23 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:requests:2.32.5:*:*:*:*:

PackageName: charset-normalizer
SPDXID: SPDXRef-70-charset-normalizer
PackageVersion: 3.4.3
PackageVersion: 3.4.4
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: Ahmed R. ([email protected])
PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.4.3/#files
PackageDownloadLocation: https://pypi.org/project/charset-normalizer/3.4.4/#files
FilesAnalyzed: false
PackageChecksum: SHA256: fb7f67a1bfa6e40b438170ebdc8158b78dc465a5a67b6dde178a46987b244a72
PackageChecksum: SHA256: e824f1492727fa856dd6eda4f7cee25f8518a12f3c4a56a74e8095695089cf6d
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: <text>The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.</text>
ReleaseDate: 2025-08-09T07:55:36Z
ReleaseDate: 2025-10-14T04:40:11Z
ExternalRef: OTHER log https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md
ExternalRef: OTHER documentation https://charset-normalizer.readthedocs.io/
ExternalRef: OTHER vcs https://github.com/jawah/charset_normalizer
ExternalRef: OTHER issue-tracker https://github.com/jawah/charset_normalizer/issues
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].3
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_r.:charset-normalizer:3.4.3:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].4
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_r.:charset-normalizer:3.4.4:*:*:*:*:*:*:*
#####

PackageName: urllib3