Merge branch 'main' into add-sbom-evidence-to-all-components

Author: ffontaine

cve_bin_tool/data_sources/nvd_source.py

@@ -24,6 +24,7 @@
     DISK_LOCATION_BACKUP,
     DISK_LOCATION_DEFAULT,
     NVD_FILENAME_TEMPLATE,
+    NVD_VERSION,
 )
 from cve_bin_tool.error_handler import (
     AttemptedToWriteOutsideCachedir,
@@ -49,11 +50,13 @@ class NVD_Source(Data_Source):
     CACHEDIR = DISK_LOCATION_DEFAULT
     BACKUPCACHEDIR = DISK_LOCATION_BACKUP
     FEED_NVD = "https://nvd.nist.gov/vuln/data-feeds"
-    FEED_MIRROR = "https://v4.mirror.cveb.in/nvd/json/cve/1.1"
+    FEED_MIRROR = f"https://v4.mirror.cveb.in/nvd/json/cve/{NVD_VERSION}"
     LOGGER = LOGGER.getChild("CVEDB")
     NVDCVE_FILENAME_TEMPLATE = NVD_FILENAME_TEMPLATE
+    NVDCVE_VERSION = NVD_VERSION
+    NVDCVE_TOP_LIST_TAG = "CVE_Items" if NVD_VERSION == "1.1" else "vulnerabilities"
     META_LINK_NVD = "https://nvd.nist.gov"
-    META_LINK_MIRROR = "https://v4.mirror.cveb.in/nvd/json/cve/1.1"
+    META_LINK_MIRROR = f"https://v4.mirror.cveb.in/nvd/json/cve/{NVD_VERSION}"
     META_REGEX_NVD = re.compile(r"feeds\/json\/.*-[0-9]*\.[0-9]*-[0-9]*\.meta")
     META_REGEX_MIRROR = re.compile(r"nvdcve-[0-9]*\.[0-9]*-[0-9]*\.meta")
     RANGE_UNSET = ""
@@ -107,9 +110,14 @@ async def get_cve_data(self):
             severity_data = []
             affected_data = []
             years = self.nvd_years()
+            formatter = (
+                self.format_data
+                if self.NVDCVE_VERSION == "1.1"
+                else self.format_data_api2
+            )
             for year in years:
-                severity, affected = self.format_data(
-                    self.load_nvd_year(year)["CVE_Items"]
+                severity, affected = formatter(
+                    self.load_nvd_year(year)[self.NVDCVE_TOP_LIST_TAG]
                 )
                 severity_data.extend(severity)
                 affected_data.extend(affected)
@@ -239,6 +247,10 @@ def format_data_api2(self, all_cve_entries):
 
             cve_item = cve_element["cve"]
 
+            if cve_item["vulnStatus"] == "Rejected":
+                # Skip this CVE if it's marked as 'REJECT'
+                continue
+
             cve = {
                 "ID": cve_item["id"],
                 "description": cve_item["descriptions"][0]["value"],
@@ -252,9 +264,6 @@ def format_data_api2(self, all_cve_entries):
                     else cve_item["published"]
                 ),
             }
-            if cve["description"].startswith("** REJECT **"):
-                # Skip this CVE if it's marked as 'REJECT'
-                continue
 
             # Multiple ways of including CVSS metrics.
             # Newer data uses "impact" -- we may wish to delete the old below
@@ -612,17 +621,18 @@ def load_nvd_year(self, year: int) -> dict[str, str | object]:
         with gzip.open(filename, "rb") as fileobj:
             cves_for_year = json.load(fileobj)
             self.LOGGER.debug(
-                f'Year {year} has {len(cves_for_year["CVE_Items"])} CVEs in dataset'
+                f"Year {year} has {len(cves_for_year[self.NVDCVE_TOP_LIST_TAG])} CVEs in dataset"
             )
             return cves_for_year
 
     def nvd_years(self) -> list[int]:
         """
         Return the years we have NVD data for.
         """
+        any_year_file = self.NVDCVE_FILENAME_TEMPLATE.format("*")
         return sorted(
             int(filename.split(".")[-3].split("-")[-1])
-            for filename in glob.glob(str(Path(self.cachedir) / "nvdcve-1.1-*.json.gz"))
+            for filename in glob.glob(str(Path(self.cachedir) / any_year_file))
         )
         # FIXME: temporary workaround so we don't try to load bad year data
         # return list(range(2020, 2025))

cve_bin_tool/database_defaults.py

@@ -9,4 +9,5 @@
 DISK_LOCATION_BACKUP = CACHE_DIR / "cve-bin-tool-backup"
 OLD_CACHE_DIR = Path.home() / ".cache" / "cvedb"
 DBNAME = "cve.db"
-NVD_FILENAME_TEMPLATE = "nvdcve-1.1-{}.json.gz"
+NVD_VERSION = "2.0"
+NVD_FILENAME_TEMPLATE = "nvdcve-" + NVD_VERSION + "-{}.json.gz"

sbom/cve-bin-tool-py3.10.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.7",
-  "serialNumber": "urn:uuid:c3cb32d7-0079-445e-9940-dcc3953bbff2",
+  "serialNumber": "urn:uuid:3afa9eb1-4948-472a-bffc-204138519a06",
   "version": 1,
   "metadata": {
-    "timestamp": "2025-11-03T00:42:18Z",
+    "timestamp": "2025-11-10T00:43:04Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -4145,7 +4145,7 @@
       "type": "library",
       "bom-ref": "64-plotly",
       "name": "plotly",
-      "version": "6.3.1",
+      "version": "6.4.0",
       "supplier": {
         "name": "Chris P",
         "contact": [
@@ -4154,12 +4154,12 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:chris_p:plotly:6.3.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:chris_p:plotly:6.4.0:*:*:*:*:*:*:*",
       "description": "An open-source interactive data visualization library for Python",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "8b4420d1dcf2b040f5983eed433f95732ed24930e496d36eb70d211923532e64"
+          "content": "a1062eafbdc657976c2eedd276c90e184ccd6c21282a5e9ee8f20efca9c9a4c5"
         }
       ],
       "externalReferences": [
@@ -4169,7 +4169,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/plotly/6.3.1/#files",
+          "url": "https://pypi.org/project/plotly/6.4.0/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4186,11 +4186,11 @@
           "type": "log"
         }
       ],
-      "purl": "pkg:pypi/plotly@6.3.1",
+      "purl": "pkg:pypi/plotly@6.4.0",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-10-02T16:10:22Z"
+          "value": "2025-11-04T17:59:22Z"
         },
         {
           "name": "language",
@@ -4210,7 +4210,7 @@
       "type": "library",
       "bom-ref": "65-narwhals",
       "name": "narwhals",
-      "version": "2.10.1",
+      "version": "2.10.2",
       "supplier": {
         "name": "Marco Gorelli",
         "contact": [
@@ -4219,7 +4219,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:2.10.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:2.10.2:*:*:*:*:*:*:*",
       "description": "Extremely lightweight compatibility layer between dataframe libraries",
       "licenses": [
         {
@@ -4237,7 +4237,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/narwhals/2.10.1/#files",
+          "url": "https://pypi.org/project/narwhals/2.10.2/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4254,11 +4254,11 @@
           "type": "issue-tracker"
         }
       ],
-      "purl": "pkg:pypi/[email protected].1",
+      "purl": "pkg:pypi/[email protected].2",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-10-02T16:10:22Z"
+          "value": "2025-11-04T17:59:22Z"
         },
         {
           "name": "language",

sbom/cve-bin-tool-py3.10.spdx

@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-a231666f-6120-44f7-91b3-d92943ac4331
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-c37a6b38-02c7-4b17-a90d-c51629ac5075
 LicenseListVersion: 3.26
 Creator: Tool: sbom4python-0.12.4
-Created: 2025-11-03T00:42:03Z
+Created: 2025-11-10T00:42:54Z
 CreatorComment: <text>SBOM Type: Build - This document has been automatically generated.</text>
 ##### 
 
@@ -1303,13 +1303,13 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:25.0:*:*:*:*:*
 
 PackageName: plotly
 SPDXID: SPDXRef-64-plotly
-PackageVersion: 6.3.1
+PackageVersion: 6.4.0
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Chris P ([email protected])
-PackageDownloadLocation: https://pypi.org/project/plotly/6.3.1/#files
+PackageDownloadLocation: https://pypi.org/project/plotly/6.4.0/#files
 FilesAnalyzed: false
 PackageHomePage: https://plotly.com/python/
-PackageChecksum: SHA256: 8b4420d1dcf2b040f5983eed433f95732ed24930e496d36eb70d211923532e64
+PackageChecksum: SHA256: a1062eafbdc657976c2eedd276c90e184ccd6c21282a5e9ee8f20efca9c9a4c5
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageLicenseComments: <text>plotly declares MIT License
@@ -1336,33 +1336,33 @@ THE SOFTWARE.
  which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>An open-source interactive data visualization library for Python</text>
-ReleaseDate: 2025-10-02T16:10:22Z
+ReleaseDate: 2025-11-04T17:59:22Z
 ExternalRef: OTHER documentation https://plotly.com/python/
 ExternalRef: OTHER vcs https://github.com/plotly/plotly.py
 ExternalRef: OTHER log https://github.com/plotly/plotly.py/blob/main/CHANGELOG.md
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@6.3.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.3.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@6.4.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.4.0:*:*:*:*:*:*:*
 ##### 
 
 PackageName: narwhals
 SPDXID: SPDXRef-65-narwhals
-PackageVersion: 2.10.1
+PackageVersion: 2.10.2
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Marco Gorelli ([email protected])
-PackageDownloadLocation: https://pypi.org/project/narwhals/2.10.1/#files
+PackageDownloadLocation: https://pypi.org/project/narwhals/2.10.2/#files
 FilesAnalyzed: false
 PackageHomePage: https://github.com/narwhals-dev/narwhals
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: MIT
 PackageLicenseComments: <text>narwhals declares MIT License which is not currently a valid SPDX License identifier or expression.</text>
 PackageCopyrightText: NOASSERTION
 PackageSummary: <text>Extremely lightweight compatibility layer between dataframe libraries</text>
-ReleaseDate: 2025-10-02T16:10:22Z
+ReleaseDate: 2025-11-04T17:59:22Z
 ExternalRef: OTHER documentation https://narwhals-dev.github.io/narwhals/
 ExternalRef: OTHER vcs https://github.com/narwhals-dev/narwhals
 ExternalRef: OTHER issue-tracker https://github.com/narwhals-dev/narwhals/issues
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:2.10.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].2
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:2.10.2:*:*:*:*:*:*:*
 ##### 
 
 PackageName: python-gnupg

sbom/cve-bin-tool-py3.11.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.7",
-  "serialNumber": "urn:uuid:7028081c-321c-4f41-83d9-e4fb54855c7b",
+  "serialNumber": "urn:uuid:4a902649-ff6d-4934-be86-2eb8dd79be62",
   "version": 1,
   "metadata": {
-    "timestamp": "2025-11-03T00:42:32Z",
+    "timestamp": "2025-11-10T00:41:52Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -4063,7 +4063,7 @@
       "type": "library",
       "bom-ref": "63-plotly",
       "name": "plotly",
-      "version": "6.3.1",
+      "version": "6.4.0",
       "supplier": {
         "name": "Chris P",
         "contact": [
@@ -4072,12 +4072,12 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:chris_p:plotly:6.3.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:chris_p:plotly:6.4.0:*:*:*:*:*:*:*",
       "description": "An open-source interactive data visualization library for Python",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "8b4420d1dcf2b040f5983eed433f95732ed24930e496d36eb70d211923532e64"
+          "content": "a1062eafbdc657976c2eedd276c90e184ccd6c21282a5e9ee8f20efca9c9a4c5"
         }
       ],
       "externalReferences": [
@@ -4087,7 +4087,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/plotly/6.3.1/#files",
+          "url": "https://pypi.org/project/plotly/6.4.0/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4104,11 +4104,11 @@
           "type": "log"
         }
       ],
-      "purl": "pkg:pypi/plotly@6.3.1",
+      "purl": "pkg:pypi/plotly@6.4.0",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-10-02T16:10:22Z"
+          "value": "2025-11-04T17:59:22Z"
         },
         {
           "name": "language",
@@ -4128,7 +4128,7 @@
       "type": "library",
       "bom-ref": "64-narwhals",
       "name": "narwhals",
-      "version": "2.10.1",
+      "version": "2.10.2",
       "supplier": {
         "name": "Marco Gorelli",
         "contact": [
@@ -4137,7 +4137,7 @@
           }
         ]
       },
-      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:2.10.1:*:*:*:*:*:*:*",
+      "cpe": "cpe:2.3:a:marco_gorelli:narwhals:2.10.2:*:*:*:*:*:*:*",
       "description": "Extremely lightweight compatibility layer between dataframe libraries",
       "licenses": [
         {
@@ -4155,7 +4155,7 @@
           "comment": "Home page for project"
         },
         {
-          "url": "https://pypi.org/project/narwhals/2.10.1/#files",
+          "url": "https://pypi.org/project/narwhals/2.10.2/#files",
           "type": "distribution",
           "comment": "Download location for component"
         },
@@ -4172,11 +4172,11 @@
           "type": "issue-tracker"
         }
       ],
-      "purl": "pkg:pypi/[email protected].1",
+      "purl": "pkg:pypi/[email protected].2",
       "properties": [
         {
           "name": "release_date",
-          "value": "2025-10-02T16:10:22Z"
+          "value": "2025-11-04T17:59:22Z"
         },
         {
           "name": "language",