chore: update SBOM for Python 3.11 (#5249)

github-actions[bot] · web-flow · web-flow · commit 492491e341dd · 2025-07-31T16:37:45.000-07:00
Co-authored-by: GitHub &lt;noreply@github.com&gt;
diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:8d1c95e9-8db8-44d3-b046-3d5fac38da36",
+  "serialNumber": "urn:uuid:782cd393-2c1e-4248-80ef-5068a1a15015",
   "version": 1,
   "metadata": {
-    "timestamp": "2025-07-21T00:54:52Z",
+    "timestamp": "2025-07-28T00:57:29Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -3742,7 +3742,7 @@
       "type": "library",
       "bom-ref": "57-rich",
       "name": "rich",
-      "version": "14.0.0",
+      "version": "14.1.0",
       "supplier": {
         "name": "Will McGugan",
         "contact": [
@@ -3751,12 +3751,12 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:will_mcgugan:rich:14.0.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:will_mcgugan:rich:14.1.0:*:*:*:*:*:*:*",
       "description": "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1c9491e1951aac09caffd42f448ee3d04e58923ffe14993f6e83068dc395d7e0"
+          "content": "536f5f1785986d6dbdea3c75205c473f970777b4a0d6c6dd1b696aa05a3fa04f"
         }
       ],
       "licenses": [
@@ -3775,7 +3775,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/rich/14.0.0/#files",
+          "url": "https://pypi.org/project/rich/14.1.0/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -3784,11 +3784,11 @@
           "type": "documentation"
         }
       ],
-      "purl": "pkg:pypi/rich@14.0.0",
+      "purl": "pkg:pypi/rich@14.1.0",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-03-30T14:15:12Z"
+          "value": "2025-07-25T07:32:56Z"
         },
         {
           "name": "language",
@@ -4133,7 +4133,7 @@
       "type": "library",
       "bom-ref": "63-narwhals",
       "name": "narwhals",
-      "version": "1.47.1",
+      "version": "1.48.1",
       "supplier": {
         "name": "Marco Gorelli",
         "contact": [
@@ -4142,7 +4142,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:1.47.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:1.48.1:*:*:*:*:*:*:*",
       "description": "Extremely lightweight compatibility layer between dataframe libraries",
       "licenses": [
         {
@@ -4160,7 +4160,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/narwhals/1.47.1/#files",
+          "url": "https://pypi.org/project/narwhals/1.48.1/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4177,7 +4177,7 @@
           "type": "issue-tracker"
         }
       ],
-      "purl": "pkg:pypi/narwhals@1.47.1",
+      "purl": "pkg:pypi/narwhals@1.48.1",
       "properties": [
         {
           "name": "release_date",
@@ -5008,8 +5008,7 @@
       "ref": "57-rich",
       "dependsOn": [
         "58-markdown-it-py",
-        "60-pygments",
-        "6-typing-extensions"
+        "60-pygments"
       ]
     },
     {
diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-d75d7ed0-27fe-47a9-b38e-4b006911997d
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-994eb14e-2b88-4df0-9829-a6f6ef097526
 LicenseListVersion: 3.26
 Creator: Tool: sbom4python-0.12.4
-Created: 2025-07-21T00:54:46Z
+Created: 2025-07-28T00:56:35Z
 CreatorComment: <text>SBOM Type: Build - This document has been automatically generated.</text>
 ##### 
 
@@ -414,12 +414,13 @@ PackageSupplier: Person: Andrey Kislyuk (kislyuk@gmail.com)
 PackageDownloadLocation: https://pypi.org/project/argcomplete/3.6.2/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/kislyuk/argcomplete
+PackageChecksum: SHA256: 65b3133a29ad53fb42c48cf5114752c7ab66c1c38544fdf6460f450c09b42591
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>argcomplete declares Apache Software License which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Bash tab completion for argparse</text>
-ReleaseDate: 2025-06-25T08:28:10Z
+ReleaseDate: 2025-04-03T04:57:01Z
 ExternalRef: OTHER documentation https://kislyuk.github.io/argcomplete
 ExternalRef: OTHER vcs https://github.com/kislyuk/argcomplete
 ExternalRef: OTHER issue-tracker https://github.com/kislyuk/argcomplete/issues
@@ -842,13 +843,12 @@ PackageSupplier: Person: Craig Citro (craigcitro@google.com)
 PackageDownloadLocation: https://pypi.org/project/google-apitools/0.5.32/#files
 FilesAnalyzed: false
 PackageHomePage: http://github.com/google/apitools
-PackageChecksum: SHA256: b78f74116558e0476e19501b5b4b2ac7c93261a69c5449c861ea95cbc853c688
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>google-apitools declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>client libraries for humans</text>
-ReleaseDate: 2021-05-05T22:12:58Z
+ReleaseDate: 2023-12-12T17:40:13Z
 ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-apitools@0.5.32
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:craig_citro:google-apitools:0.5.32:*:*:*:*:*:*:*
 ##### 
@@ -1161,12 +1161,11 @@ PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
 PackageDownloadLocation: https://pypi.org/project/csaf-tool/0.3.2/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/anthonyharrison/csaf
-PackageChecksum: SHA256: 7e5559cb522eb76e3acad39a7bf9ba1b81e5a6224099d511a4c9c2dcf36caa16
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>CSAF generator and analyser</text>
-ReleaseDate: 2024-06-12T20:10:06Z
+ReleaseDate: 2024-08-29T20:36:52Z
 ExternalRef: PACKAGE-MANAGER purl pkg:pypi/csaf-tool@0.3.2
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:csaf-tool:0.3.2:*:*:*:*:*:*:*
 ##### 
@@ -1191,21 +1190,21 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:the_purl_authors:packageurl-python:0.1
 
 PackageName: rich
 SPDXID: SPDXRef-57-rich
-PackageVersion: 14.0.0
+PackageVersion: 14.1.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Will McGugan (willmcgugan@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/rich/14.0.0/#files
+PackageDownloadLocation: https://pypi.org/project/rich/14.1.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/Textualize/rich
-PackageChecksum: SHA256: 1c9491e1951aac09caffd42f448ee3d04e58923ffe14993f6e83068dc395d7e0
+PackageChecksum: SHA256: 536f5f1785986d6dbdea3c75205c473f970777b4a0d6c6dd1b696aa05a3fa04f
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal</text>
-ReleaseDate: 2025-03-30T14:15:12Z
+ReleaseDate: 2025-07-25T07:32:56Z
 ExternalRef: OTHER documentation https://rich.readthedocs.io/en/latest/
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@14.0.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:14.0.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rich@14.1.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:will_mcgugan:rich:14.1.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: markdown-it-py
@@ -1334,10 +1333,10 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.2.0:*:*:*:*:*:*:*
 
 PackageName: narwhals
 SPDXID: SPDXRef-63-narwhals
-PackageVersion: 1.47.1
+PackageVersion: 1.48.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Marco Gorelli (hello_narwhals@proton.me)
-PackageDownloadLocation: https://pypi.org/project/narwhals/1.47.1/#files
+PackageDownloadLocation: https://pypi.org/project/narwhals/1.48.1/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/narwhals-dev/narwhals
 PackageLicenseDeclared: NOASSERTION
@@ -1349,8 +1348,8 @@ ReleaseDate: 2025-06-26T16:20:40Z
 ExternalRef: OTHER documentation https://narwhals-dev.github.io/narwhals/
 ExternalRef: OTHER vcs https://github.com/narwhals-dev/narwhals
 ExternalRef: OTHER issue-tracker https://github.com/narwhals-dev/narwhals/issues
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@1.47.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:1.47.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@1.48.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:1.48.1:*:*:*:*:*:*:*
 ##### 
 
 PackageName: python-gnupg
@@ -1361,13 +1360,12 @@ PackageSupplier: Person: Vinay Sajip (vinay_sajip@yahoo.co.uk)
 PackageDownloadLocation: https://pypi.org/project/python-gnupg/0.5.4/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/vsajip/python-gnupg
-PackageChecksum: SHA256: 40ce25cde9df29af91fe931ce9df3ce544e14a37f62b13ca878c897217b2de6c
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: BSD-3-Clause
 PackageLicenseComments: <text>python-gnupg declares BSD which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>A wrapper for the Gnu Privacy Guard (GPG or GnuPG)</text>
-ReleaseDate: 2025-01-07T11:58:32Z
+ReleaseDate: 2025-06-26T16:20:40Z
 ExternalRef: OTHER documentation https://gnupg.readthedocs.io/
 ExternalRef: OTHER vcs https://github.com/vsajip/python-gnupg
 ExternalRef: OTHER issue-tracker https://github.com/vsajip/python-gnupg/issues
@@ -1635,7 +1633,6 @@ Relationship: SPDXRef-54-lib4vex DEPENDS_ON SPDXRef-56-packageurl-python
 Relationship: SPDXRef-55-csaf-tool DEPENDS_ON SPDXRef-56-packageurl-python
 Relationship: SPDXRef-55-csaf-tool DEPENDS_ON SPDXRef-57-rich
 Relationship: SPDXRef-57-rich DEPENDS_ON SPDXRef-58-markdown-it-py
-Relationship: SPDXRef-57-rich DEPENDS_ON SPDXRef-6-typing-extensions
 Relationship: SPDXRef-57-rich DEPENDS_ON SPDXRef-60-pygments
 Relationship: SPDXRef-58-markdown-it-py DEPENDS_ON SPDXRef-59-mdurl
 Relationship: SPDXRef-62-plotly DEPENDS_ON SPDXRef-61-packaging
