chore: update SBOM for Python 3.11 (#5260)

github-actions[bot] · web-flow · web-flow · commit 271264d7289b · 2025-08-04T11:17:33.000-07:00
Co-authored-by: GitHub &lt;noreply@github.com&gt;
diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:782cd393-2c1e-4248-80ef-5068a1a15015",
+  "serialNumber": "urn:uuid:5ab92791-f41f-4b08-b4c4-db025c92b5b9",
   "version": 1,
   "metadata": {
-    "timestamp": "2025-07-28T00:57:29Z",
+    "timestamp": "2025-08-04T00:53:01Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -79,21 +79,18 @@
       "type": "library",
       "bom-ref": "2-aiohttp",
       "name": "aiohttp",
-      "version": "3.12.14",
+      "version": "3.12.15",
       "description": "Async http client/server framework (asyncio)",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "906d5075b5ba0dd1c66fcaaf60eb09926a9fef3ca92d912d2a0bbdbecf8b1248"
+          "content": "b6fc902bff74d9b1879ad55f5404153e2b33a82e72a95c89cec5eb6cc9e92fbc"
         }
       ],
       "licenses": [
         {
-          "license": {
-            "id": "Apache-2.0",
-            "url": "https://www.apache.org/licenses/LICENSE-2.0",
-            "acknowledgement": "concluded"
-          }
+          "expression": "Apache-2.0 AND MIT",
+          "acknowledgement": "concluded"
         }
       ],
       "externalReferences": [
@@ -103,7 +100,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/aiohttp/3.12.14/#files",
+          "url": "https://pypi.org/project/aiohttp/3.12.15/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -140,11 +137,11 @@
           "type": "vcs"
         }
       ],
-      "purl": "pkg:pypi/aiohttp@3.12.14",
+      "purl": "pkg:pypi/aiohttp@3.12.15",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-07-10T13:02:38Z"
+          "value": "2025-07-29T05:49:43Z"
         },
         {
           "name": "language",
@@ -3689,16 +3686,16 @@
       "type": "library",
       "bom-ref": "56-packageurl-python",
       "name": "packageurl-python",
-      "version": "0.17.1",
+      "version": "0.17.3",
       "supplier": {
         "name": "the purl authors"
       },
-      "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.17.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:the_purl_authors:packageurl-python:0.17.3:*:*:*:*:*:*:*",
       "description": "A purl aka. Package URL parser and builder",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "59b0862ae0b216994f847e05b4c6e870e0d16e1ddd706feefb19d79810f22cbd"
+          "content": "f51b5aab570159f07258c8e998e9972ff3bf060da16b7334a42bd9f9737777d9"
         }
       ],
       "licenses": [
@@ -3717,16 +3714,16 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/packageurl-python/0.17.1/#files",
+          "url": "https://pypi.org/project/packageurl-python/0.17.3/#files",
           "type": "distribution",
           "comment": "Download location for component"
         }
       ],
-      "purl": "pkg:pypi/packageurl-python@0.17.1",
+      "purl": "pkg:pypi/packageurl-python@0.17.3",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-06-06T13:13:58Z"
+          "value": "2025-08-01T03:24:33Z"
         },
         {
           "name": "language",
@@ -4133,7 +4130,7 @@
       "type": "library",
       "bom-ref": "63-narwhals",
       "name": "narwhals",
-      "version": "1.48.1",
+      "version": "2.0.1",
       "supplier": {
         "name": "Marco Gorelli",
         "contact": [
@@ -4142,8 +4139,14 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:1.48.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:2.0.1:*:*:*:*:*:*:*",
       "description": "Extremely lightweight compatibility layer between dataframe libraries",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "837457e36a2ba1710c881fb69e1f79ce44fb81728c92ac378f70892a53af8ddb"
+        }
+      ],
       "licenses": [
         {
           "license": {
@@ -4160,7 +4163,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/narwhals/1.48.1/#files",
+          "url": "https://pypi.org/project/narwhals/2.0.1/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4177,11 +4180,11 @@
           "type": "issue-tracker"
         }
       ],
-      "purl": "pkg:pypi/narwhals@1.48.1",
+      "purl": "pkg:pypi/narwhals@2.0.1",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-06-26T16:20:40Z"
+          "value": "2025-07-29T08:39:03Z"
         },
         {
           "name": "language",
@@ -4470,7 +4473,7 @@
       "type": "library",
       "bom-ref": "68-certifi",
       "name": "certifi",
-      "version": "2025.7.14",
+      "version": "2025.8.3",
       "supplier": {
         "name": "Kenneth Reitz",
         "contact": [
@@ -4479,12 +4482,12 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2025.7.14:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2025.8.3:*:*:*:*:*:*:*",
       "description": "Python package for providing Mozilla's CA Bundle.",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6b31f564a415d79ee77df69d757bb49a5bb53bd9f756cbbe24394ffd6fc1f4b2"
+          "content": "f6c12493cfb1b06ba2ff328595af9350c65d6644968e5d3a2ffd78699af217a5"
         }
       ],
       "licenses": [
@@ -4503,7 +4506,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/certifi/2025.7.14/#files",
+          "url": "https://pypi.org/project/certifi/2025.8.3/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4512,11 +4515,11 @@
           "type": "vcs"
         }
       ],
-      "purl": "pkg:pypi/certifi@2025.7.14",
+      "purl": "pkg:pypi/certifi@2025.8.3",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-07-14T03:29:26Z"
+          "value": "2025-08-03T03:07:45Z"
         },
         {
           "name": "language",
diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-994eb14e-2b88-4df0-9829-a6f6ef097526
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-7c378e2d-f181-4971-b509-6b6e5d0f3d1a
 LicenseListVersion: 3.26
 Creator: Tool: sbom4python-0.12.4
-Created: 2025-07-28T00:56:35Z
+Created: 2025-08-04T00:52:52Z
 CreatorComment: <text>SBOM Type: Build - This document has been automatically generated.</text>
 ##### 
 
@@ -27,18 +27,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4.1:*:*:*:*:*
 
 PackageName: aiohttp
 SPDXID: SPDXRef-2-aiohttp
-PackageVersion: 3.12.14
+PackageVersion: 3.12.15
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.12.14/#files
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.12.15/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/aiohttp
-PackageChecksum: SHA256: 906d5075b5ba0dd1c66fcaaf60eb09926a9fef3ca92d912d2a0bbdbecf8b1248
-PackageLicenseDeclared: Apache-2.0
-PackageLicenseConcluded: Apache-2.0
+PackageChecksum: SHA256: b6fc902bff74d9b1879ad55f5404153e2b33a82e72a95c89cec5eb6cc9e92fbc
+PackageLicenseDeclared: Apache-2.0 AND MIT
+PackageLicenseConcluded: Apache-2.0 AND MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Async http client/server framework (asyncio)</text>
-ReleaseDate: 2025-07-10T13:02:38Z
+ReleaseDate: 2025-07-29T05:49:43Z
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs:matrix.org
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs-space:matrix.org
 ExternalRef: OTHER build-system https://github.com/aio-libs/aiohttp/actions?query=workflow%3ACI
@@ -47,7 +47,7 @@ ExternalRef: OTHER log https://docs.aiohttp.org/en/stable/changes.html
 ExternalRef: OTHER other https://docs.aiohttp.org
 ExternalRef: OTHER issue-tracker https://github.com/aio-libs/aiohttp/issues
 ExternalRef: OTHER vcs https://github.com/aio-libs/aiohttp
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.12.14
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.12.15
 ##### 
 
 PackageName: aiohappyeyeballs
@@ -843,12 +843,13 @@ PackageSupplier: Person: Craig Citro (craigcitro@google.com)
 PackageDownloadLocation: https://pypi.org/project/google-apitools/0.5.32/#files
 FilesAnalyzed: false
 PackageHomePage: http://github.com/google/apitools
+PackageChecksum: SHA256: b78f74116558e0476e19501b5b4b2ac7c93261a69c5449c861ea95cbc853c688
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>google-apitools declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>client libraries for humans</text>
-ReleaseDate: 2023-12-12T17:40:13Z
+ReleaseDate: 2021-05-05T22:12:58Z
 ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-apitools@0.5.32
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:craig_citro:google-apitools:0.5.32:*:*:*:*:*:*:*
 ##### 
@@ -1161,31 +1162,32 @@ PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
 PackageDownloadLocation: https://pypi.org/project/csaf-tool/0.3.2/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/anthonyharrison/csaf
+PackageChecksum: SHA256: 7e5559cb522eb76e3acad39a7bf9ba1b81e5a6224099d511a4c9c2dcf36caa16
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>CSAF generator and analyser</text>
-ReleaseDate: 2024-08-29T20:36:52Z
+ReleaseDate: 2024-06-12T20:10:06Z
 ExternalRef: PACKAGE-MANAGER purl pkg:pypi/csaf-tool@0.3.2
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:csaf-tool:0.3.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: packageurl-python
 SPDXID: SPDXRef-56-packageurl-python
-PackageVersion: 0.17.1
+PackageVersion: 0.17.3
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: the purl authors
-PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.17.1/#files
+PackageDownloadLocation: https://pypi.org/project/packageurl-python/0.17.3/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/package-url/packageurl-python
-PackageChecksum: SHA256: 59b0862ae0b216994f847e05b4c6e870e0d16e1ddd706feefb19d79810f22cbd
+PackageChecksum: SHA256: f51b5aab570159f07258c8e998e9972ff3bf060da16b7334a42bd9f9737777d9
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A purl aka. Package URL parser and builder</text>
-ReleaseDate: 2025-06-06T13:13:58Z
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.17.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.17.1:*:*:*:*:*:*:*
+ReleaseDate: 2025-08-01T03:24:33Z
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/packageurl-python@0.17.3
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.17.3:*:*:*:*:*:*:*
 ##### 
 
 PackageName: rich
@@ -1333,23 +1335,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.2.0:*:*:*:*:*:*:*
 
 PackageName: narwhals
 SPDXID: SPDXRef-63-narwhals
-PackageVersion: 1.48.1
+PackageVersion: 2.0.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Marco Gorelli (hello_narwhals@proton.me)
-PackageDownloadLocation: https://pypi.org/project/narwhals/1.48.1/#files
+PackageDownloadLocation: https://pypi.org/project/narwhals/2.0.1/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/narwhals-dev/narwhals
+PackageChecksum: SHA256: 837457e36a2ba1710c881fb69e1f79ce44fb81728c92ac378f70892a53af8ddb
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: MIT
 PackageLicenseComments: <text>narwhals declares MIT License which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Extremely lightweight compatibility layer between dataframe libraries</text>
-ReleaseDate: 2025-06-26T16:20:40Z
+ReleaseDate: 2025-07-29T08:39:03Z
 ExternalRef: OTHER documentation https://narwhals-dev.github.io/narwhals/
 ExternalRef: OTHER vcs https://github.com/narwhals-dev/narwhals
 ExternalRef: OTHER issue-tracker https://github.com/narwhals-dev/narwhals/issues
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@1.48.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:1.48.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@2.0.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:2.0.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: python-gnupg
@@ -1360,12 +1363,13 @@ PackageSupplier: Person: Vinay Sajip (vinay_sajip@yahoo.co.uk)
 PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.4/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/vsajip/python-gnupg
+PackageChecksum: SHA256: 40ce25cde9df29af91fe931ce9df3ce544e14a37f62b13ca878c897217b2de6c
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: BSD-3-Clause
 PackageLicenseComments: <text>python-gnupg declares BSD which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A wrapper for the Gnu Privacy Guard (GPG or GnuPG)</text>
-ReleaseDate: 2025-06-26T16:20:40Z
+ReleaseDate: 2025-01-07T11:58:32Z
 ExternalRef: OTHER documentation https://gnupg.readthedocs.io/
 ExternalRef: OTHER vcs https://github.com/vsajip/python-gnupg
 ExternalRef: OTHER issue-tracker https://github.com/vsajip/python-gnupg/issues
@@ -1437,21 +1441,21 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.5.0:*:*:*:*:*:
 
 PackageName: certifi
 SPDXID: SPDXRef-68-certifi
-PackageVersion: 2025.7.14
+PackageVersion: 2025.8.3
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Kenneth Reitz (me@kennethreitz.com)
-PackageDownloadLocation: https://pypi.org/project/certifi/2025.7.14/#files
+PackageDownloadLocation: https://pypi.org/project/certifi/2025.8.3/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/certifi/python-certifi
-PackageChecksum: SHA256: 6b31f564a415d79ee77df69d757bb49a5bb53bd9f756cbbe24394ffd6fc1f4b2
+PackageChecksum: SHA256: f6c12493cfb1b06ba2ff328595af9350c65d6644968e5d3a2ffd78699af217a5
 PackageLicenseDeclared: MPL-2.0
 PackageLicenseConcluded: MPL-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Python package for providing Mozilla's CA Bundle.</text>
-ReleaseDate: 2025-07-14T03:29:26Z
+ReleaseDate: 2025-08-03T03:07:45Z
 ExternalRef: OTHER vcs https://github.com/certifi/python-certifi
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/certifi@2025.7.14
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2025.7.14:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/certifi@2025.8.3
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2025.8.3:*:*:*:*:*:*:*
 ##### 
 
 PackageName: rpmfile
