chore: update SBOM for Python 3.9 (#4704)

Co-authored-by: GitHub <[email protected]>

Author: github-actions[bot]

sbom/cve-bin-tool-py3.9.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:479f7136-1f8c-4345-9ff1-dd1cc73d455a",
+  "serialNumber": "urn:uuid:8d9ab13d-9eb5-4d84-8db8-0f66ae95c640",
   "version": 1,
   "metadata": {
-    "timestamp": "2025-01-06T00:38:36Z",
+    "timestamp": "2025-01-20T00:37:46Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -3187,7 +3187,7 @@
       "type": "library",
       "bom-ref": "50-referencing",
       "name": "referencing",
-      "version": "0.35.1",
+      "version": "0.36.1",
       "supplier": {
         "name": "Julian Berman",
         "contact": [
@@ -3196,12 +3196,12 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:julian_berman:referencing:0.36.1:*:*:*:*:*:*:*",
       "description": "JSON Referencing + Python",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "eda6d3234d62814d1c64e305c1331c9a3a6132da475ab6382eaa997b21ee75de"
+          "content": "363d9c65f080d0d70bc41c721dce3c7f3e77fc09f269cd5c8813da18069a6794"
         }
       ],
       "externalReferences": [
@@ -3211,7 +3211,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/referencing/0.35.1/#files",
+          "url": "https://pypi.org/project/referencing/0.36.1/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -3240,11 +3240,11 @@
           "type": "vcs"
         }
       ],
-      "purl": "pkg:pypi/referencing@0.35.1",
+      "purl": "pkg:pypi/referencing@0.36.1",
       "properties": [
         {
           "name": "release_date",
-          "value": "2024-05-01T20:26:02Z"
+          "value": "2025-01-17T02:22:02Z"
         },
         {
           "name": "language",
@@ -3860,7 +3860,7 @@
       "type": "library",
       "bom-ref": "61-pygments",
       "name": "pygments",
-      "version": "2.19.0",
+      "version": "2.19.1",
       "supplier": {
         "name": "Georg Brandl",
         "contact": [
@@ -3869,12 +3869,12 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:georg_brandl:pygments:2.19.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:georg_brandl:pygments:2.19.1:*:*:*:*:*:*:*",
       "description": "Pygments is a syntax highlighting package written in Python.",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4755e6e64d22161d5b61432c0600c923c5927214e7c956e31c23923c89251a9b"
+          "content": "9ea1544ad55cecf4b8242fab6dd35a93bbce657034b0611ee383099054ab6d8c"
         }
       ],
       "licenses": [
@@ -3893,7 +3893,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/pygments/2.19.0/#files",
+          "url": "https://pypi.org/project/pygments/2.19.1/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -3914,11 +3914,11 @@
           "type": "log"
         }
       ],
-      "purl": "pkg:pypi/[email protected].0",
+      "purl": "pkg:pypi/[email protected].1",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-01-05T14:11:12Z"
+          "value": "2025-01-06T17:26:25Z"
         },
         {
           "name": "language",
@@ -3934,7 +3934,7 @@
       "type": "library",
       "bom-ref": "62-python-gnupg",
       "name": "python-gnupg",
-      "version": "0.5.3",
+      "version": "0.5.4",
       "supplier": {
         "name": "Vinay Sajip",
         "contact": [
@@ -3943,12 +3943,12 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.3:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:vinay_sajip:python-gnupg:0.5.4:*:*:*:*:*:*:*",
       "description": "A wrapper for the Gnu Privacy Guard (GPG or GnuPG)",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2f8a4c6f63766feca6cc1416408f8b84e1b914fe7b54514e570fc5cbe92e9248"
+          "content": "40ce25cde9df29af91fe931ce9df3ce544e14a37f62b13ca878c897217b2de6c"
         }
       ],
       "licenses": [
@@ -3967,7 +3967,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/python-gnupg/0.5.3/#files",
+          "url": "https://pypi.org/project/python-gnupg/0.5.4/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -3984,11 +3984,11 @@
           "type": "issue-tracker"
         }
       ],
-      "purl": "pkg:pypi/[email protected].3",
+      "purl": "pkg:pypi/[email protected].4",
       "properties": [
         {
           "name": "release_date",
-          "value": "2024-09-20T16:43:47Z"
+          "value": "2025-01-07T11:58:32Z"
         },
         {
           "name": "language",
@@ -4499,7 +4499,7 @@
       "type": "library",
       "bom-ref": "71-setuptools",
       "name": "setuptools",
-      "version": "75.7.0",
+      "version": "75.8.0",
       "supplier": {
         "name": "Python Packaging Authority",
         "contact": [
@@ -4508,17 +4508,17 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.7.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:75.8.0:*:*:*:*:*:*:*",
       "description": "Easily download, build, install, upgrade, and uninstall Python packages",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "84fb203f278ebcf5cd08f97d3fb96d3fbed4b629d500b29ad60d11e00769b183"
+          "content": "e3982f444617239225d675215d51f6ba05f845d4eec313da4418fdbb56fb27e3"
         }
       ],
       "externalReferences": [
         {
-          "url": "https://pypi.org/project/setuptools/75.7.0/#files",
+          "url": "https://pypi.org/project/setuptools/75.8.0/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4535,11 +4535,11 @@
           "type": "log"
         }
       ],
-      "purl": "pkg:pypi/setuptools@75.7.0",
+      "purl": "pkg:pypi/setuptools@75.8.0",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-01-05T16:31:09Z"
+          "value": "2025-01-08T18:28:20Z"
         },
         {
           "name": "language",
@@ -5002,7 +5002,8 @@
       "ref": "50-referencing",
       "dependsOn": [
         "7-attrs",
-        "51-rpds-py"
+        "51-rpds-py",
+        "9-typing-extensions"
       ]
     },
     {

sbom/cve-bin-tool-py3.9.spdx

@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-f67ad1c3-97c5-451f-b1a8-0254d2355315
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-31bf5ea1-4a07-4862-b35b-3a6c110b95ba
 LicenseListVersion: 3.25
 Creator: Tool: sbom4python-0.12.1
-Created: 2025-01-06T00:38:28Z
+Created: 2025-01-20T00:37:39Z
 CreatorComment: <text>This document has been automatically generated.</text>
 ##### 
 
@@ -1054,26 +1054,26 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema-specification
 
 PackageName: referencing
 SPDXID: SPDXRef-50-referencing
-PackageVersion: 0.35.1
+PackageVersion: 0.36.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julian Berman ([email protected])
-PackageDownloadLocation: https://pypi.org/project/referencing/0.35.1/#files
+PackageDownloadLocation: https://pypi.org/project/referencing/0.36.1/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/python-jsonschema/referencing
-PackageChecksum: SHA256: eda6d3234d62814d1c64e305c1331c9a3a6132da475ab6382eaa997b21ee75de
+PackageChecksum: SHA256: 363d9c65f080d0d70bc41c721dce3c7f3e77fc09f269cd5c8813da18069a6794
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>JSON Referencing + Python</text>
-ReleaseDate: 2024-05-01T20:26:02Z
+ReleaseDate: 2025-01-17T02:22:02Z
 ExternalRef: OTHER documentation https://referencing.readthedocs.io/
 ExternalRef: OTHER issue-tracker https://github.com/python-jsonschema/referencing/issues/
 ExternalRef: OTHER other https://github.com/sponsors/Julian
 ExternalRef: OTHER other https://tidelift.com/subscription/pkg/pypi-referencing?utm_source=pypi-referencing&utm_medium=referral&utm_campaign=pypi-link
 ExternalRef: OTHER log https://referencing.readthedocs.io/en/stable/changes/
 ExternalRef: OTHER vcs https://github.com/python-jsonschema/referencing
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/referencing@0.35.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.35.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/referencing@0.36.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.36.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: rpds-py
@@ -1272,46 +1272,46 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:taneli_hukkinen:mdurl:0.1.2:*:*:*:*:*:
 
 PackageName: pygments
 SPDXID: SPDXRef-61-pygments
-PackageVersion: 2.19.0
+PackageVersion: 2.19.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Georg Brandl ([email protected])
-PackageDownloadLocation: https://pypi.org/project/pygments/2.19.0/#files
+PackageDownloadLocation: https://pypi.org/project/pygments/2.19.1/#files
 FilesAnalyzed: false
 PackageHomePage: https://pygments.org
-PackageChecksum: SHA256: 4755e6e64d22161d5b61432c0600c923c5927214e7c956e31c23923c89251a9b
+PackageChecksum: SHA256: 9ea1544ad55cecf4b8242fab6dd35a93bbce657034b0611ee383099054ab6d8c
 PackageLicenseDeclared: BSD-2-Clause
 PackageLicenseConcluded: BSD-2-Clause
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Pygments is a syntax highlighting package written in Python.</text>
-ReleaseDate: 2025-01-05T14:11:12Z
+ReleaseDate: 2025-01-06T17:26:25Z
 ExternalRef: OTHER documentation https://pygments.org/docs
 ExternalRef: OTHER vcs https://github.com/pygments/pygments
 ExternalRef: OTHER issue-tracker https://github.com/pygments/pygments/issues
 ExternalRef: OTHER log https://github.com/pygments/pygments/blob/master/CHANGES
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.19.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg_brandl:pygments:2.19.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: python-gnupg
 SPDXID: SPDXRef-62-python-gnupg
-PackageVersion: 0.5.3
+PackageVersion: 0.5.4
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Vinay Sajip ([email protected])
-PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.3/#files
+PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.4/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/vsajip/python-gnupg
-PackageChecksum: SHA256: 2f8a4c6f63766feca6cc1416408f8b84e1b914fe7b54514e570fc5cbe92e9248
+PackageChecksum: SHA256: 40ce25cde9df29af91fe931ce9df3ce544e14a37f62b13ca878c897217b2de6c
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: BSD-3-Clause
 PackageLicenseComments: <text>python-gnupg declares BSD which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A wrapper for the Gnu Privacy Guard (GPG or GnuPG)</text>
-ReleaseDate: 2024-09-20T16:43:47Z
+ReleaseDate: 2025-01-07T11:58:32Z
 ExternalRef: OTHER documentation https://gnupg.readthedocs.io/
 ExternalRef: OTHER vcs https://github.com/vsajip/python-gnupg
 ExternalRef: OTHER issue-tracker https://github.com/vsajip/python-gnupg/issues
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:python-gnupg:0.5.4:*:*:*:*:*:*:*
 ##### 
 
 PackageName: packaging
@@ -1474,22 +1474,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:*
 
 PackageName: setuptools
 SPDXID: SPDXRef-71-setuptools
-PackageVersion: 75.7.0
+PackageVersion: 75.8.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Organization: Python Packaging Authority ([email protected])
-PackageDownloadLocation: https://pypi.org/project/setuptools/75.7.0/#files
+PackageDownloadLocation: https://pypi.org/project/setuptools/75.8.0/#files
 FilesAnalyzed: false
-PackageChecksum: SHA256: 84fb203f278ebcf5cd08f97d3fb96d3fbed4b629d500b29ad60d11e00769b183
+PackageChecksum: SHA256: e3982f444617239225d675215d51f6ba05f845d4eec313da4418fdbb56fb27e3
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Easily download, build, install, upgrade, and uninstall Python packages</text>
-ReleaseDate: 2025-01-05T16:31:09Z
+ReleaseDate: 2025-01-08T18:28:20Z
 ExternalRef: OTHER vcs https://github.com/pypa/setuptools
 ExternalRef: OTHER documentation https://setuptools.pypa.io/
 ExternalRef: OTHER log https://setuptools.pypa.io/en/stable/history.html
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/setuptools@75.7.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.7.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/setuptools@75.8.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:75.8.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: toml
@@ -1658,6 +1658,7 @@ Relationship: SPDXRef-48-jsonschema DEPENDS_ON SPDXRef-7-attrs
 Relationship: SPDXRef-49-jsonschema-specifications DEPENDS_ON SPDXRef-50-referencing
 Relationship: SPDXRef-50-referencing DEPENDS_ON SPDXRef-51-rpds-py
 Relationship: SPDXRef-50-referencing DEPENDS_ON SPDXRef-7-attrs
+Relationship: SPDXRef-50-referencing DEPENDS_ON SPDXRef-9-typing-extensions
 Relationship: SPDXRef-52-lib4sbom DEPENDS_ON SPDXRef-16-defusedxml
 Relationship: SPDXRef-52-lib4sbom DEPENDS_ON SPDXRef-53-pyyaml
 Relationship: SPDXRef-52-lib4sbom DEPENDS_ON SPDXRef-54-semantic-version