chore: update SBOM for Python 3.9 (#5212)

github-actions[bot] · web-flow · web-flow · commit b475889decf8 · 2025-07-14T11:07:21.000-07:00
Co-authored-by: GitHub &lt;noreply@github.com&gt;
diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:791caee7-af62-4547-8b93-b2a4799619d1",
+  "serialNumber": "urn:uuid:6f55701c-22f2-4e12-a861-ebe0bab120ac",
   "version": 1,
   "metadata": {
-    "timestamp": "2025-07-07T00:43:36Z",
+    "timestamp": "2025-07-14T00:45:46Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -79,12 +79,12 @@
       "type": "library",
       "bom-ref": "2-aiohttp",
       "name": "aiohttp",
-      "version": "3.12.13",
+      "version": "3.12.14",
       "description": "Async http client/server framework (asyncio)",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "5421af8f22a98f640261ee48aae3a37f0c41371e99412d55eaf2f8a46d5dad29"
+          "content": "906d5075b5ba0dd1c66fcaaf60eb09926a9fef3ca92d912d2a0bbdbecf8b1248"
         }
       ],
       "licenses": [
@@ -103,7 +103,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/aiohttp/3.12.13/#files",
+          "url": "https://pypi.org/project/aiohttp/3.12.14/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -140,11 +140,11 @@
           "type": "vcs"
         }
       ],
-      "purl": "pkg:pypi/aiohttp@3.12.13",
+      "purl": "pkg:pypi/aiohttp@3.12.14",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-06-14T15:12:58Z"
+          "value": "2025-07-10T13:02:38Z"
         },
         {
           "name": "language",
@@ -231,6 +231,12 @@
       "name": "aiosignal",
       "version": "1.4.0",
       "description": "aiosignal: a list of registered asynchronous callbacks",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "053243f8b92b990551949e63930a839ff0cf0b0ebbe0597b0f3fb19e1a0fe82e"
+        }
+      ],
       "licenses": [
         {
           "license": {
@@ -280,7 +286,7 @@
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-03-12T01:42:47Z"
+          "value": "2025-07-03T22:54:42Z"
         },
         {
           "name": "language",
@@ -4218,7 +4224,7 @@
       "type": "library",
       "bom-ref": "64-narwhals",
       "name": "narwhals",
-      "version": "1.45.0",
+      "version": "1.46.0",
       "supplier": {
         "name": "Marco Gorelli",
         "contact": [
@@ -4227,8 +4233,14 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:1.45.0:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:1.46.0:*:*:*:*:*:*:*",
       "description": "Extremely lightweight compatibility layer between dataframe libraries",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "f15d2255695d7e99f624f76aa5b765eb3fff8a509d3215049707af3a3feebc90"
+        }
+      ],
       "licenses": [
         {
           "license": {
@@ -4245,7 +4257,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/narwhals/1.45.0/#files",
+          "url": "https://pypi.org/project/narwhals/1.46.0/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4262,11 +4274,11 @@
           "type": "issue-tracker"
         }
       ],
-      "purl": "pkg:pypi/narwhals@1.45.0",
+      "purl": "pkg:pypi/narwhals@1.46.0",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-06-26T16:20:40Z"
+          "value": "2025-07-07T11:34:42Z"
         },
         {
           "name": "language",
@@ -4555,7 +4567,7 @@
       "type": "library",
       "bom-ref": "69-certifi",
       "name": "certifi",
-      "version": "2025.6.15",
+      "version": "2025.7.9",
       "supplier": {
         "name": "Kenneth Reitz",
         "contact": [
@@ -4564,12 +4576,12 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2025.6.15:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:kenneth_reitz:certifi:2025.7.9:*:*:*:*:*:*:*",
       "description": "Python package for providing Mozilla's CA Bundle.",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2e0c7ce7cb5d8f8634ca55d2ba7e6ec2689a2fd6537d8dec1296a477a4910057"
+          "content": "d842783a14f8fdd646895ac26f719a061408834473cfc10203f6a575beb15d39"
         }
       ],
       "licenses": [
@@ -4588,7 +4600,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/certifi/2025.6.15/#files",
+          "url": "https://pypi.org/project/certifi/2025.7.9/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4597,11 +4609,11 @@
           "type": "vcs"
         }
       ],
-      "purl": "pkg:pypi/certifi@2025.6.15",
+      "purl": "pkg:pypi/certifi@2025.7.9",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-06-15T02:45:49Z"
+          "value": "2025-07-09T02:13:57Z"
         },
         {
           "name": "language",
diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-b1825513-4478-44f6-93bb-fc741e99e648
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-4febd54a-bc7a-4016-83c1-b7304af16ea6
 LicenseListVersion: 3.25
 Creator: Tool: sbom4python-0.12.4
-Created: 2025-07-07T00:43:23Z
+Created: 2025-07-14T00:45:32Z
 CreatorComment: <text>SBOM Type: Build - This document has been automatically generated.</text>
 ##### 
 
@@ -27,18 +27,18 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4.1:*:*:*:*:*
 
 PackageName: aiohttp
 SPDXID: SPDXRef-2-aiohttp
-PackageVersion: 3.12.13
+PackageVersion: 3.12.14
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.12.13/#files
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.12.14/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/aiohttp
-PackageChecksum: SHA256: 5421af8f22a98f640261ee48aae3a37f0c41371e99412d55eaf2f8a46d5dad29
+PackageChecksum: SHA256: 906d5075b5ba0dd1c66fcaaf60eb09926a9fef3ca92d912d2a0bbdbecf8b1248
 PackageLicenseDeclared: Apache-2.0
 PackageLicenseConcluded: Apache-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Async http client/server framework (asyncio)</text>
-ReleaseDate: 2025-06-14T15:12:58Z
+ReleaseDate: 2025-07-10T13:02:38Z
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs:matrix.org
 ExternalRef: OTHER other https://matrix.to/#/#aio-libs-space:matrix.org
 ExternalRef: OTHER build-system https://github.com/aio-libs/aiohttp/actions?query=workflow%3ACI
@@ -47,7 +47,7 @@ ExternalRef: OTHER log https://docs.aiohttp.org/en/stable/changes.html
 ExternalRef: OTHER other https://docs.aiohttp.org
 ExternalRef: OTHER issue-tracker https://github.com/aio-libs/aiohttp/issues
 ExternalRef: OTHER vcs https://github.com/aio-libs/aiohttp
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.12.13
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.12.14
 ##### 
 
 PackageName: aiohappyeyeballs
@@ -79,12 +79,13 @@ PackageSupplier: NOASSERTION
 PackageDownloadLocation: https://pypi.org/project/aiosignal/1.4.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/aio-libs/aiosignal
+PackageChecksum: SHA256: 053243f8b92b990551949e63930a839ff0cf0b0ebbe0597b0f3fb19e1a0fe82e
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: <text>aiosignal declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>aiosignal: a list of registered asynchronous callbacks</text>
-ReleaseDate: 2025-03-12T01:42:47Z
+ReleaseDate: 2025-07-03T22:54:42Z
 ExternalRef: OTHER other https://gitter.im/aio-libs/Lobby
 ExternalRef: OTHER build-system https://github.com/aio-libs/aiosignal/actions
 ExternalRef: OTHER other https://codecov.io/github/aio-libs/aiosignal
@@ -1359,23 +1360,24 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.2.0:*:*:*:*:*:*:*
 
 PackageName: narwhals
 SPDXID: SPDXRef-64-narwhals
-PackageVersion: 1.45.0
+PackageVersion: 1.46.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Marco Gorelli (hello_narwhals@proton.me)
-PackageDownloadLocation: https://pypi.org/project/narwhals/1.45.0/#files
+PackageDownloadLocation: https://pypi.org/project/narwhals/1.46.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/narwhals-dev/narwhals
+PackageChecksum: SHA256: f15d2255695d7e99f624f76aa5b765eb3fff8a509d3215049707af3a3feebc90
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: MIT
 PackageLicenseComments: <text>narwhals declares MIT License which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Extremely lightweight compatibility layer between dataframe libraries</text>
-ReleaseDate: 2025-06-26T16:20:40Z
+ReleaseDate: 2025-07-07T11:34:42Z
 ExternalRef: OTHER documentation https://narwhals-dev.github.io/narwhals/
 ExternalRef: OTHER vcs https://github.com/narwhals-dev/narwhals
 ExternalRef: OTHER issue-tracker https://github.com/narwhals-dev/narwhals/issues
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@1.45.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:1.45.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@1.46.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:1.46.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: python-gnupg
@@ -1464,21 +1466,21 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.5.0:*:*:*:*:*:
 
 PackageName: certifi
 SPDXID: SPDXRef-69-certifi
-PackageVersion: 2025.6.15
+PackageVersion: 2025.7.9
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Kenneth Reitz (me@kennethreitz.com)
-PackageDownloadLocation: https://pypi.org/project/certifi/2025.6.15/#files
+PackageDownloadLocation: https://pypi.org/project/certifi/2025.7.9/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/certifi/python-certifi
-PackageChecksum: SHA256: 2e0c7ce7cb5d8f8634ca55d2ba7e6ec2689a2fd6537d8dec1296a477a4910057
+PackageChecksum: SHA256: d842783a14f8fdd646895ac26f719a061408834473cfc10203f6a575beb15d39
 PackageLicenseDeclared: MPL-2.0
 PackageLicenseConcluded: MPL-2.0
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Python package for providing Mozilla's CA Bundle.</text>
-ReleaseDate: 2025-06-15T02:45:49Z
+ReleaseDate: 2025-07-09T02:13:57Z
 ExternalRef: OTHER vcs https://github.com/certifi/python-certifi
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/certifi@2025.6.15
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2025.6.15:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/certifi@2025.7.9
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:kenneth_reitz:certifi:2025.7.9:*:*:*:*:*:*:*
 ##### 
 
 PackageName: rpmfile
