Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apko for openSUSE:Factory checked in at 2025-12-18 18:33:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apko (Old) and /work/SRC/openSUSE:Factory/.apko.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apko" Thu Dec 18 18:33:33 2025 rev:83 rq:1323445 version:0.30.33 Changes: -------- --- /work/SRC/openSUSE:Factory/apko/apko.changes 2025-12-17 17:43:34.389821730 +0100 +++ /work/SRC/openSUSE:Factory/.apko.new.1928/apko.changes 2025-12-18 18:35:37.284121820 +0100 @@ -1,0 +2,8 @@ +Thu Dec 18 06:04:01 UTC 2025 - Johannes Kastl <[email protected]> + +- Update to version 0.30.33: + * Add support for SPDX SBOMs without shortcut fields. (#1988) + * build(deps): bump github/codeql-action from 4.31.8 to 4.31.9 + (#1991) + +------------------------------------------------------------------- Old: ---- apko-0.30.32.obscpio New: ---- apko-0.30.33.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apko.spec ++++++ --- /var/tmp/diff_new_pack.KV6ktU/_old 2025-12-18 18:35:38.056154251 +0100 +++ /var/tmp/diff_new_pack.KV6ktU/_new 2025-12-18 18:35:38.056154251 +0100 @@ -17,7 +17,7 @@ Name: apko -Version: 0.30.32 +Version: 0.30.33 Release: 0 Summary: Build OCI images from APK packages directly without Dockerfile License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.KV6ktU/_old 2025-12-18 18:35:38.096155931 +0100 +++ /var/tmp/diff_new_pack.KV6ktU/_new 2025-12-18 18:35:38.100156099 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/apko</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.30.32</param> + <param name="revision">v0.30.33</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.KV6ktU/_old 2025-12-18 18:35:38.140157779 +0100 +++ /var/tmp/diff_new_pack.KV6ktU/_new 2025-12-18 18:35:38.144157947 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/apko</param> - <param name="changesrevision">4586db5bfba0a88824ca7d79b097e0004c55d29d</param></service></servicedata> + <param name="changesrevision">53957f9ee52c20f0db840d578fe5969ba49cc133</param></service></servicedata> (No newline at EOF) ++++++ apko-0.30.32.obscpio -> apko-0.30.33.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.30.32/pkg/sbom/generator/spdx/spdx.go new/apko-0.30.33/pkg/sbom/generator/spdx/spdx.go --- old/apko-0.30.32/pkg/sbom/generator/spdx/spdx.go 2025-12-17 02:20:06.000000000 +0100 +++ new/apko-0.30.33/pkg/sbom/generator/spdx/spdx.go 2025-12-17 15:28:16.000000000 +0100 @@ -215,11 +215,22 @@ } // Cycle the top level elements... + // Find elements described by the document - check both documentDescribes array + // and DESCRIBES relationships (from SPDXRef-DOCUMENT) idsDescribedByAPKSBOM := map[string]struct{}{} + + // First check documentDescribes array for _, elementID := range apkSBOMDoc.DocumentDescribes { idsDescribedByAPKSBOM[elementID] = struct{}{} } + // Also check for DESCRIBES relationships from SPDXRef-DOCUMENT + for _, rel := range apkSBOMDoc.Relationships { + if rel.Element == "SPDXRef-DOCUMENT" && rel.Type == "DESCRIBES" { + idsDescribedByAPKSBOM[rel.Related] = struct{}{} + } + } + // ... searching for a 1st level package targetElementIDs := map[string]struct{}{} for _, pkg := range apkSBOMDoc.Packages { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.30.32/pkg/sbom/generator/spdx/spdx_test.go new/apko-0.30.33/pkg/sbom/generator/spdx/spdx_test.go --- old/apko-0.30.32/pkg/sbom/generator/spdx/spdx_test.go 2025-12-17 02:20:06.000000000 +0100 +++ new/apko-0.30.33/pkg/sbom/generator/spdx/spdx_test.go 2025-12-17 15:28:16.000000000 +0100 
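Review bot: The added loop only matches `rel.Element == "SPDXRef-DOCUMENT" && rel.Type == "DESCRIBES"`, so a package SBOM that states the same fact in the inverse direction still adds nothing to idsDescribedByAPKSBOM. SPDX 2.3 also defines `DESCRIBED_BY`, and covering it is one more condition in the same loop: `if rel.Related == "SPDXRef-DOCUMENT" && rel.Type == "DESCRIBED_BY" { idsDescribedByAPKSBOM[rel.Element] = struct{}{} }`. The code that consumes the set is below the hunk, so what happens when the set stays empty is not visible here. If the package's elements are then skipped without notice, the image SBOM under-reports what the image contains, and a returned error or a logged warning at that point would make the gap visible. The enclosing function starts and ends outside the hunk.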
@@ -185,6 +185,50 @@ }, }, }, + { + name: "describes-relationship", + opts: &options.Options{ + ImageInfo: options.ImageInfo{ + Layers: []v1.Descriptor{{}}, + }, + OS: options.OSInfo{ + Name: "unknown", + ID: "unknown", + Version: "3.0", + }, + FileName: "sbom", + Packages: []*apk.InstalledPackage{ + { + Package: apk.Package{ + Name: "test-pkg-describes", + Version: "1.0.0-r0", + }, + }, + }, + }, + }, + { + name: "both-describes-methods", + opts: &options.Options{ + ImageInfo: options.ImageInfo{ + Layers: []v1.Descriptor{{}}, + }, + OS: options.OSInfo{ + Name: "unknown", + ID: "unknown", + Version: "3.0", + }, + FileName: "sbom", + Packages: []*apk.InstalledPackage{ + { + Package: apk.Package{ + Name: "test-pkg-both", + Version: "1.0.0-r0", + }, + }, + }, + }, + }, } for _, tt := range tests { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.30.32/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-both-1.0.0-r0.spdx.json new/apko-0.30.33/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-both-1.0.0-r0.spdx.json --- old/apko-0.30.32/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-both-1.0.0-r0.spdx.json 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.30.33/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-both-1.0.0-r0.spdx.json 2025-12-17 15:28:16.000000000 +0100 
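Review bot: Both new table entries, `describes-relationship` and `both-describes-methods`, only cover inputs where the DESCRIBES relationship is well formed and points at a package present in the document. A further fixture whose relationship names an ID absent from `packages`, or whose `spdxElementId` is something other than `SPDXRef-DOCUMENT`, would pin the filter condition added in spdx.go and record what the generator emits for a malformed package SBOM. The test table and the loop that consumes `tt` start and end outside the hunk.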
@@ -0,0 +1,83 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "name": "apk-test-pkg-both-1.0.0-r0", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2025-12-17T00:00:00Z", + "creators": [ + "Tool: melange (test)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.22" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/chainguard/melange/test", + "documentDescribes": [ + "SPDXRef-Package-test-pkg-both-1.0.0-r0" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package-test-pkg-both-1.0.0-r0", + "name": "test-pkg-both", + "versionInfo": "1.0.0-r0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "Apache-2.0", + "downloadLocation": "NOASSERTION", + "originator": "Organization: Test", + "supplier": "Organization: Test", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/wolfi/[email protected]?arch=x86_64&distro=wolfi", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-dep-from-array-1.0.0", + "name": "dep-from-array", + "versionInfo": "1.0.0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "downloadLocation": "https://example.com/dep-from-array-1.0.0.tar.gz", + "originator": "Organization: Test", + "supplier": "Organization: Test" + }, + { + "SPDXID": "SPDXRef-Package-dep-from-relationship-2.0.0", + "name": "dep-from-relationship", + "versionInfo": "2.0.0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "BSD-3-Clause", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:golang/github.com/example/[email protected]", + "referenceType": "purl" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "DESCRIBES", + "relatedSpdxElement": "SPDXRef-Package-test-pkg-both-1.0.0-r0" + }, + { 
+ "spdxElementId": "SPDXRef-Package-test-pkg-both-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-dep-from-array-1.0.0" + }, + { + "spdxElementId": "SPDXRef-Package-test-pkg-both-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-dep-from-relationship-2.0.0" + } + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.30.32/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-describes-1.0.0-r0.spdx.json new/apko-0.30.33/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-describes-1.0.0-r0.spdx.json --- old/apko-0.30.32/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-describes-1.0.0-r0.spdx.json 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.30.33/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-describes-1.0.0-r0.spdx.json 2025-12-17 15:28:16.000000000 +0100 
@@ -0,0 +1,101 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "name": "apk-test-pkg-describes-1.0.0-r0", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2025-12-17T00:00:00Z", + "creators": [ + "Tool: melange (test)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.22" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/chainguard/melange/test", + "packages": [ + { + "SPDXID": "SPDXRef-Package-test-pkg-describes-1.0.0-r0", + "name": "test-pkg-describes", + "versionInfo": "1.0.0-r0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "Apache-2.0", + "downloadLocation": "NOASSERTION", + "originator": "Organization: Test", + "supplier": "Organization: Test", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/wolfi/[email protected]?arch=x86_64&distro=wolfi", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-test-dependency-1.0.0", + "name": "test-dependency", + "versionInfo": "1.0.0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "downloadLocation": "https://example.com/test-dependency-1.0.0.tar.gz", + "originator": "Organization: Test", + "supplier": "Organization: Test" + }, + { + "SPDXID": "SPDXRef-Package-golang-github.com-example-module", + "name": "github.com/example/module", + "versionInfo": "v1.2.3", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:golang/github.com/example/[email protected]", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-npm-lodash", + "name": "lodash", + "versionInfo": "4.17.21", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "downloadLocation": "NOASSERTION", + 
"externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:npm/[email protected]", + "referenceType": "purl" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "DESCRIBES", + "relatedSpdxElement": "SPDXRef-Package-test-pkg-describes-1.0.0-r0" + }, + { + "spdxElementId": "SPDXRef-Package-test-pkg-describes-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-test-dependency-1.0.0" + }, + { + "spdxElementId": "SPDXRef-Package-test-pkg-describes-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-golang-github.com-example-module" + }, + { + "spdxElementId": "SPDXRef-Package-test-pkg-describes-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-npm-lodash" + } + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.30.32/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json new/apko-0.30.33/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json --- old/apko-0.30.32/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.30.33/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json 2025-12-17 15:28:16.000000000 +0100 
@@ -0,0 +1,106 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "name": "sbom", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "0001-01-01T00:00:00Z", + "creators": [ + "Tool: apko (devel)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.16" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/apko/", + "documentDescribes": [ + "SPDXRef-Package-" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package-", + "name": "", + "versionInfo": "3.0", + "filesAnalyzed": false, + "description": "apko operating system layer", + "downloadLocation": "NOASSERTION", + "supplier": "Organization: unknown", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:oci/image?mediaType=\u0026os=linux", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-OperatingSystem-unknown", + "name": "unknown", + "versionInfo": "3.0", + "filesAnalyzed": false, + "description": "Operating System", + "downloadLocation": "NOASSERTION", + "supplier": "Organization: unknown", + "primaryPackagePurpose": "OPERATING_SYSTEM" + }, + { + "SPDXID": "SPDXRef-Package-test-pkg-both-1.0.0-r0", + "name": "test-pkg-both", + "versionInfo": "1.0.0-r0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "Apache-2.0", + "downloadLocation": "NOASSERTION", + "originator": "Organization: Test", + "supplier": "Organization: Test", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/wolfi/[email protected]?arch=x86_64\u0026distro=wolfi", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-dep-from-array-1.0.0", + "name": "dep-from-array", + "versionInfo": "1.0.0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "downloadLocation": "https://example.com/dep-from-array-1.0.0.tar.gz", + "originator": "Organization: Test", + "supplier": "Organization: Test" 
+ }, + { + "SPDXID": "SPDXRef-Package-dep-from-relationship-2.0.0", + "name": "dep-from-relationship", + "versionInfo": "2.0.0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "BSD-3-Clause", + "downloadLocation": "NOASSERTION", + "originator": "Organization: unknown", + "supplier": "Organization: unknown", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:golang/github.com/example/[email protected]", + "referenceType": "purl" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-test-pkg-both-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-dep-from-array-1.0.0" + }, + { + "spdxElementId": "SPDXRef-Package-test-pkg-both-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-dep-from-relationship-2.0.0" + } + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.30.32/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json new/apko-0.30.33/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json --- old/apko-0.30.32/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.30.33/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json 2025-12-17 15:28:16.000000000 +0100 
@@ -0,0 +1,129 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "name": "sbom", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "0001-01-01T00:00:00Z", + "creators": [ + "Tool: apko (devel)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.16" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/apko/", + "documentDescribes": [ + "SPDXRef-Package-" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package-", + "name": "", + "versionInfo": "3.0", + "filesAnalyzed": false, + "description": "apko operating system layer", + "downloadLocation": "NOASSERTION", + "supplier": "Organization: unknown", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:oci/image?mediaType=\u0026os=linux", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-OperatingSystem-unknown", + "name": "unknown", + "versionInfo": "3.0", + "filesAnalyzed": false, + "description": "Operating System", + "downloadLocation": "NOASSERTION", + "supplier": "Organization: unknown", + "primaryPackagePurpose": "OPERATING_SYSTEM" + }, + { + "SPDXID": "SPDXRef-Package-test-pkg-describes-1.0.0-r0", + "name": "test-pkg-describes", + "versionInfo": "1.0.0-r0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "Apache-2.0", + "downloadLocation": "NOASSERTION", + "originator": "Organization: Test", + "supplier": "Organization: Test", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/wolfi/[email protected]?arch=x86_64\u0026distro=wolfi", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-test-dependency-1.0.0", + "name": "test-dependency", + "versionInfo": "1.0.0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "downloadLocation": "https://example.com/test-dependency-1.0.0.tar.gz", + "originator": "Organization: Test", + "supplier": 
"Organization: Test" + }, + { + "SPDXID": "SPDXRef-Package-golang-github.com-example-module", + "name": "github.com/example/module", + "versionInfo": "v1.2.3", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "downloadLocation": "NOASSERTION", + "originator": "Organization: unknown", + "supplier": "Organization: unknown", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:golang/github.com/example/[email protected]", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-npm-lodash", + "name": "lodash", + "versionInfo": "4.17.21", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "downloadLocation": "NOASSERTION", + "originator": "Organization: unknown", + "supplier": "Organization: unknown", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:npm/[email protected]", + "referenceType": "purl" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-test-pkg-describes-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-test-dependency-1.0.0" + }, + { + "spdxElementId": "SPDXRef-Package-test-pkg-describes-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-golang-github.com-example-module" + }, + { + "spdxElementId": "SPDXRef-Package-test-pkg-describes-1.0.0-r0", + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-npm-lodash" + } + ] +} ++++++ apko.obsinfo ++++++ --- /var/tmp/diff_new_pack.KV6ktU/_old 2025-12-18 18:35:41.188285819 +0100 +++ /var/tmp/diff_new_pack.KV6ktU/_new 2025-12-18 18:35:41.232287667 +0100 
@@ -1,5 +1,5 @@ name: apko -version: 0.30.32 -mtime: 1765934406 -commit: 4586db5bfba0a88824ca7d79b097e0004c55d29d +version: 0.30.33 +mtime: 1765981696 +commit: 53957f9ee52c20f0db840d578fe5969ba49cc133 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/apko/vendor.tar.gz /work/SRC/openSUSE:Factory/.apko.new.1928/vendor.tar.gz differ: char 91, line 2
