diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json
index 825c55e6e7..ae40202bf1 100644
--- a/sbom/cve-bin-tool-py3.11.json
+++ b/sbom/cve-bin-tool-py3.11.json
@@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.7",
- "serialNumber": "urn:uuid:5ee9c94c-b00e-4257-94ee-c5ca1ae27014",
+ "serialNumber": "urn:uuid:9beac773-cc9b-489c-b592-7ebc48d64ad5",
"version": 1,
"metadata": {
- "timestamp": "2025-12-08T00:42:38Z",
+ "timestamp": "2025-12-22T00:41:15Z",
"lifecycles": [
{
"phase": "build"
@@ -932,7 +932,7 @@
"type": "library",
"bom-ref": "13-soupsieve",
"name": "soupsieve",
- "version": "2.8",
+ "version": "2.8.1",
"supplier": {
"name": "Isaac Muse",
"contact": [
@@ -941,12 +941,12 @@
}
]
},
- "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.8:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:isaac_muse:soupsieve:2.8.1:*:*:*:*:*:*:*",
"description": "A modern CSS selector implementation for Beautiful Soup.",
"hashes": [
{
"alg": "SHA-256",
- "content": "0cc76456a30e20f5d7f2e14a98a4ae2ee4e5abdc7c5ea0aafe795f344bc7984c"
+ "content": "a11fe2a6f3d76ab3cf2de04eb339c1be5b506a8a47f2ceb6d139803177f85434"
}
],
"licenses": [
@@ -965,16 +965,16 @@
"comment": "Home page for project"
},
{
- "url": "https://pypi.org/project/soupsieve/2.8/#files",
+ "url": "https://pypi.org/project/soupsieve/2.8.1/#files",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/soupsieve@2.8",
+ "purl": "pkg:pypi/soupsieve@2.8.1",
"properties": [
{
"name": "release_date",
- "value": "2025-08-27T15:39:50Z"
+ "value": "2025-12-18T13:50:33Z"
},
{
"name": "language",
@@ -2613,7 +2613,7 @@
"type": "library",
"bom-ref": "40-google-auth-httplib2",
"name": "google-auth-httplib2",
- "version": "0.2.1",
+ "version": "0.3.0",
"supplier": {
"name": "Google Cloud Platform",
"contact": [
@@ -2622,14 +2622,8 @@
}
]
},
- "cpe": "cpe:2.3:a:google_cloud_platform:google-auth-httplib2:0.2.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:google_cloud_platform:google-auth-httplib2:0.3.0:*:*:*:*:*:*:*",
"description": "Google Authentication Library: httplib2 transport",
- "hashes": [
- {
- "alg": "SHA-256",
- "content": "1be94c611db91c01f9703e7f62b0a59bbd5587a95571c7b6fade510d648bc08b"
- }
- ],
"licenses": [
{
"license": {
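Review bot: The `hashes` array is removed for google-auth-httplib2 in this hunk and nothing replaces it, so the 0.3.0 entry no longer carries a SHA-256 that a consumer can compare against the downloaded artifact. The matching hunk in `sbom/cve-bin-tool-py3.11.spdx` drops `PackageChecksum` for the same package. The other bumped components that had a hash (soupsieve, lib4sbom, urllib3) all get a refreshed one, which suggests the generator failed to resolve the digest for this release rather than omitting it on purpose. Consider re-running generation, or failing the SBOM job when a component that previously had a hash loses it.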
@@ -2646,16 +2640,16 @@
"comment": "Home page for project"
},
{
- "url": "https://pypi.org/project/google-auth-httplib2/0.2.1/#files",
+ "url": "https://pypi.org/project/google-auth-httplib2/0.3.0/#files",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/google-auth-httplib2@0.2.1",
+ "purl": "pkg:pypi/google-auth-httplib2@0.3.0",
"properties": [
{
"name": "release_date",
- "value": "2025-10-30T21:13:15Z"
+ "value": "2025-02-20T21:01:16Z"
},
{
"name": "language",
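Review bot: The new `release_date` for google-auth-httplib2 0.3.0 (`2025-02-20T21:01:16Z`) is earlier than the one it replaces for 0.2.1 (`2025-10-30T21:13:15Z`), so either the releases were published out of version order or one of the dates is attached to the wrong version. The SPDX `ReleaseDate` line for this package carries the same value, and the component also loses its hash in this commit, so the metadata lookup for this package deserves a second look. Confirm the date against the package index before using it in any age-based policy check.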
@@ -3210,7 +3204,7 @@
"type": "library",
"bom-ref": "49-lib4sbom",
"name": "lib4sbom",
- "version": "0.9.1",
+ "version": "0.9.2",
"supplier": {
"name": "Anthony Harrison",
"contact": [
@@ -3219,12 +3213,12 @@
}
]
},
- "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.9.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.9.2:*:*:*:*:*:*:*",
"description": "Software Bill of Material (SBOM) generator and consumer library",
"hashes": [
{
"alg": "SHA-256",
- "content": "f2423d5e06a82f5462b05d0c5b9273d6e3674753ade9f5a0d4abdcf73f799117"
+ "content": "c1aac4257eb7b01971c9c273650cf33b17ec5cb87c66af2fdd80968ebe5064d7"
}
],
"licenses": [
@@ -3243,16 +3237,16 @@
"comment": "Home page for project"
},
{
- "url": "https://pypi.org/project/lib4sbom/0.9.1/#files",
+ "url": "https://pypi.org/project/lib4sbom/0.9.2/#files",
"type": "distribution",
"comment": "Download location for component"
}
],
- "purl": "pkg:pypi/lib4sbom@0.9.1",
+ "purl": "pkg:pypi/lib4sbom@0.9.2",
"properties": [
{
"name": "release_date",
- "value": "2025-11-13T20:07:13Z"
+ "value": "2025-12-19T19:55:40Z"
},
{
"name": "language",
@@ -4128,7 +4122,7 @@
"type": "library",
"bom-ref": "64-narwhals",
"name": "narwhals",
- "version": "2.13.0",
+ "version": "2.14.0",
"supplier": {
"name": "Marco Gorelli",
"contact": [
@@ -4137,17 +4131,8 @@
}
]
},
- "cpe": "cpe:2.3:a:marco_gorelli:narwhals:2.13.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:marco_gorelli:narwhals:2.14.0:*:*:*:*:*:*:*",
"description": "Extremely lightweight compatibility layer between dataframe libraries",
- "licenses": [
- {
- "license": {
- "id": "MIT",
- "url": "https://opensource.org/license/mit/",
- "acknowledgement": "concluded"
- }
- }
- ],
"externalReferences": [
{
"url": "https://github.com/narwhals-dev/narwhals",
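Review bot: The concluded `licenses` entry (`MIT`) is removed for narwhals here and not replaced, leaving the component with no license in the CycloneDX output. The later `License Comments` hunk shows the likely cause: the declared license is now the full MIT text rather than a short name, and the generator reports it as not a valid SPDX identifier. The SPDX file correspondingly moves `PackageLicenseConcluded` from `MIT` to `NOASSERTION`. License-policy tooling reading this SBOM will now see narwhals as unknown, so the generation step should map recognised full license text to its SPDX id, or reduce the declared value to its first line before the lookup.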
@@ -4155,7 +4140,7 @@
"comment": "Home page for project"
},
{
- "url": "https://pypi.org/project/narwhals/2.13.0/#files",
+ "url": "https://pypi.org/project/narwhals/2.14.0/#files",
"type": "distribution",
"comment": "Download location for component"
},
@@ -4172,7 +4157,7 @@
"type": "issue-tracker"
}
],
- "purl": "pkg:pypi/narwhals@2.13.0",
+ "purl": "pkg:pypi/narwhals@2.14.0",
"properties": [
{
"name": "release_date",
@@ -4188,7 +4173,7 @@
},
{
"name": "License Comments",
- "value": "narwhals declares MIT License which is not currently a valid SPDX License identifier or expression."
+ "value": "narwhals declares MIT License\n\nCopyright (c) 2024, Marco Gorelli\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE. which is not currently a valid SPDX License identifier or expression."
}
]
},
@@ -4405,7 +4390,7 @@
"type": "library",
"bom-ref": "68-urllib3",
"name": "urllib3",
- "version": "2.6.0",
+ "version": "2.6.2",
"supplier": {
"name": "Andrey Petrov",
"contact": [
@@ -4414,17 +4399,17 @@
}
]
},
- "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.6.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrey_petrov:urllib3:2.6.2:*:*:*:*:*:*:*",
"description": "HTTP library with thread-safe connection pooling, file post, and more.",
"hashes": [
{
"alg": "SHA-256",
- "content": "c90f7a39f716c572c4e3e58509581ebd83f9b59cced005b7db7ad2d22b0db99f"
+ "content": "ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd"
}
],
"externalReferences": [
{
- "url": "https://pypi.org/project/urllib3/2.6.0/#files",
+ "url": "https://pypi.org/project/urllib3/2.6.2/#files",
"type": "distribution",
"comment": "Download location for component"
},
@@ -4445,11 +4430,11 @@
"type": "issue-tracker"
}
],
- "purl": "pkg:pypi/urllib3@2.6.0",
+ "purl": "pkg:pypi/urllib3@2.6.2",
"properties": [
{
"name": "release_date",
- "value": "2025-12-05T15:08:45Z"
+ "value": "2025-12-11T15:56:38Z"
},
{
"name": "language",
diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx
index c1b17a1317..3161a840c6 100644
--- a/sbom/cve-bin-tool-py3.11.spdx
+++ b/sbom/cve-bin-tool-py3.11.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-4e367992-b033-4800-87b0-77713a595446
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-8e9fec5d-32cd-4d92-8e4d-9ce2c37b7211
LicenseListVersion: 3.26
Creator: Tool: sbom4python-0.12.4
-Created: 2025-12-08T00:42:28Z
+Created: 2025-12-22T00:41:08Z
CreatorComment: SBOM Type: Build - This document has been automatically generated.
#####
@@ -290,21 +290,21 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:leonard_richardson:beautifulsoup4:4.14
PackageName: soupsieve
SPDXID: SPDXRef-13-soupsieve
-PackageVersion: 2.8
+PackageVersion: 2.8.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Isaac Muse (Isaac.Muse@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/soupsieve/2.8/#files
+PackageDownloadLocation: https://pypi.org/project/soupsieve/2.8.1/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/facelessuser/soupsieve
-PackageChecksum: SHA256: 0cc76456a30e20f5d7f2e14a98a4ae2ee4e5abdc7c5ea0aafe795f344bc7984c
+PackageChecksum: SHA256: a11fe2a6f3d76ab3cf2de04eb339c1be5b506a8a47f2ceb6d139803177f85434
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseComments: soupsieve declares MIT License which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: A modern CSS selector implementation for Beautiful Soup.
-ReleaseDate: 2025-08-27T15:39:50Z
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.8
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.8:*:*:*:*:*:*:*
+ReleaseDate: 2025-12-18T13:50:33Z
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/soupsieve@2.8.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:isaac_muse:soupsieve:2.8.1:*:*:*:*:*:*:*
#####
PackageName: cvss
@@ -815,21 +815,20 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:thomas_kemmer:cachetools:5.5.2:*:*:*:*
PackageName: google-auth-httplib2
SPDXID: SPDXRef-40-google-auth-httplib2
-PackageVersion: 0.2.1
+PackageVersion: 0.3.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: Google Cloud Platform (googleapis-packages@google.com)
-PackageDownloadLocation: https://pypi.org/project/google-auth-httplib2/0.2.1/#files
+PackageDownloadLocation: https://pypi.org/project/google-auth-httplib2/0.3.0/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/GoogleCloudPlatform/google-auth-library-python-httplib2
-PackageChecksum: SHA256: 1be94c611db91c01f9703e7f62b0a59bbd5587a95571c7b6fade510d648bc08b
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: google-auth-httplib2 declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Google Authentication Library: httplib2 transport
-ReleaseDate: 2025-10-30T21:13:15Z
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth-httplib2@0.2.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth-httplib2:0.2.1:*:*:*:*:*:*:*
+ReleaseDate: 2025-02-20T21:01:16Z
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/google-auth-httplib2@0.3.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:google_cloud_platform:google-auth-httplib2:0.3.0:*:*:*:*:*:*:*
#####
PackageName: google-apitools
@@ -1010,20 +1009,20 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.30.0:*:*:*:*:*
PackageName: lib4sbom
SPDXID: SPDXRef-49-lib4sbom
-PackageVersion: 0.9.1
+PackageVersion: 0.9.2
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.9.1/#files
+PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.9.2/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/anthonyharrison/lib4sbom
-PackageChecksum: SHA256: f2423d5e06a82f5462b05d0c5b9273d6e3674753ade9f5a0d4abdcf73f799117
+PackageChecksum: SHA256: c1aac4257eb7b01971c9c273650cf33b17ec5cb87c66af2fdd80968ebe5064d7
PackageLicenseDeclared: Apache-2.0
PackageLicenseConcluded: Apache-2.0
PackageCopyrightText: NOASSERTION
PackageSummary: Software Bill of Material (SBOM) generator and consumer library
-ReleaseDate: 2025-11-13T20:07:13Z
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.9.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.9.1:*:*:*:*:*:*:*
+ReleaseDate: 2025-12-19T19:55:40Z
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.9.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.9.2:*:*:*:*:*:*:*
#####
PackageName: pyyaml
@@ -1322,23 +1321,43 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.5.0:*:*:*:*:*:*:*
PackageName: narwhals
SPDXID: SPDXRef-64-narwhals
-PackageVersion: 2.13.0
+PackageVersion: 2.14.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Marco Gorelli (hello_narwhals@proton.me)
-PackageDownloadLocation: https://pypi.org/project/narwhals/2.13.0/#files
+PackageDownloadLocation: https://pypi.org/project/narwhals/2.14.0/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/narwhals-dev/narwhals
PackageLicenseDeclared: NOASSERTION
-PackageLicenseConcluded: MIT
-PackageLicenseComments: narwhals declares MIT License which is not currently a valid SPDX License identifier or expression.
+PackageLicenseConcluded: NOASSERTION
+PackageLicenseComments: narwhals declares MIT License
+
+Copyright (c) 2024, Marco Gorelli
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE. which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Extremely lightweight compatibility layer between dataframe libraries
ReleaseDate: 2025-11-17T18:39:20Z
ExternalRef: OTHER documentation https://narwhals-dev.github.io/narwhals/
ExternalRef: OTHER vcs https://github.com/narwhals-dev/narwhals
ExternalRef: OTHER issue-tracker https://github.com/narwhals-dev/narwhals/issues
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@2.13.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:2.13.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@2.14.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:2.14.0:*:*:*:*:*:*:*
#####
PackageName: python-gnupg
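Review bot: The new `PackageLicenseComments` value spans multiple lines without the `<text>…</text>` delimiters that SPDX tag-value uses for multi-line fields. The lines from `Copyright (c) 2024, Marco Gorelli` through `SOFTWARE. which is not currently a valid …` are therefore likely to be rejected or misparsed by strict SPDX consumers. Wrap the value as `PackageLicenseComments: <text>…</text>` or collapse it to a single line. `ReleaseDate: 2025-11-17T18:39:20Z` is also unchanged while the version moves to 2.14.0, so it may still describe 2.13.0.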
@@ -1406,23 +1425,23 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:ahmed_r.:charset-normalizer:3.4.4:*:*:
PackageName: urllib3
SPDXID: SPDXRef-68-urllib3
-PackageVersion: 2.6.0
+PackageVersion: 2.6.2
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Andrey Petrov (andrey.petrov@shazow.net)
-PackageDownloadLocation: https://pypi.org/project/urllib3/2.6.0/#files
+PackageDownloadLocation: https://pypi.org/project/urllib3/2.6.2/#files
FilesAnalyzed: false
-PackageChecksum: SHA256: c90f7a39f716c572c4e3e58509581ebd83f9b59cced005b7db7ad2d22b0db99f
+PackageChecksum: SHA256: ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: HTTP library with thread-safe connection pooling, file post, and more.
-ReleaseDate: 2025-12-05T15:08:45Z
+ReleaseDate: 2025-12-11T15:56:38Z
ExternalRef: OTHER log https://github.com/urllib3/urllib3/blob/main/CHANGES.rst
ExternalRef: OTHER documentation https://urllib3.readthedocs.io
ExternalRef: OTHER vcs https://github.com/urllib3/urllib3
ExternalRef: OTHER issue-tracker https://github.com/urllib3/urllib3/issues
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.6.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.6.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/urllib3@2.6.2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrey_petrov:urllib3:2.6.2:*:*:*:*:*:*:*
#####
PackageName: certifi