Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package melange for openSUSE:Factory checked in at 2026-01-12 11:49:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/melange (Old) and /work/SRC/openSUSE:Factory/.melange.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "melange" Mon Jan 12 11:49:12 2026 rev:128 rq:1326681 version:0.37.4 Changes: -------- --- /work/SRC/openSUSE:Factory/melange/melange.changes 2025-12-16 16:00:06.152565476 +0100 +++ /work/SRC/openSUSE:Factory/.melange.new.1928/melange.changes 2026-01-12 11:49:14.487409253 +0100 @@ -1,0 +2,33 @@ +Mon Jan 12 06:15:48 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.37.4: + * Create LicenseRefs for any non-standard SBOM identifier. + +------------------------------------------------------------------- +Wed Jan 07 16:34:39 UTC 2026 - Thomas Bechtold <[email protected]> + +- Update to version 0.37.3: + * git pipeline: fix cherry-picking multiple commits (#2284) + * build(deps): bump github.com/spdx/tools-golang in the gomod + group (#2283) + * build(deps): bump chainguard.dev/apko in the gomod group + (#2281) + * pkg: Emit appCpe stanza (#2280) + * build(deps): bump golang.org/x/term from 0.37.0 to 0.38.0 + (#2276) + * build(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0 + (#2274) + * build(deps): bump the gomod group across 1 directory with 5 + updates (#2279) + * build(deps): bump + go.opentelemetry.io/otel/exporters/stdout/stdouttrace (#2275) + * build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 + (#2273) + * build(deps): bump golang.org/x/text from 0.31.0 to 0.32.0 + (#2272) + * build(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 + (#2270) + * build(deps): bump step-security/harden-runner in the actions + group (#2269) + +------------------------------------------------------------------- Old: ---- melange-0.37.0.obscpio New: ---- melange-0.37.4.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ melange.spec ++++++ --- /var/tmp/diff_new_pack.ztZ3Wu/_old 2026-01-12 11:49:15.711460069 +0100 +++ /var/tmp/diff_new_pack.ztZ3Wu/_new 2026-01-12 11:49:15.711460069 +0100 @@ -1,7 +1,7 @@ # # spec file for package melange # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: melange -Version: 0.37.0 +Version: 0.37.4 Release: 0 Summary: Build APKs from source code License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.ztZ3Wu/_old 2026-01-12 11:49:15.763462227 +0100 +++ /var/tmp/diff_new_pack.ztZ3Wu/_new 2026-01-12 11:49:15.767462393 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/melange</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.37.0</param> + <param name="revision">v0.37.4</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.ztZ3Wu/_old 2026-01-12 11:49:15.795463556 +0100 +++ /var/tmp/diff_new_pack.ztZ3Wu/_new 2026-01-12 11:49:15.799463722 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/melange</param> - <param name="changesrevision">70848dbbf4972daa018e43ce951faacc75a60a86</param></service></servicedata> + <param name="changesrevision">6b1e13f05def7cddcf23ae8d0f50a205fcf6417f</param></service></servicedata> (No newline at EOF) ++++++ melange-0.37.0.obscpio -> melange-0.37.4.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/e2e-tests/git-checkout-build.yaml new/melange-0.37.4/e2e-tests/git-checkout-build.yaml --- old/melange-0.37.0/e2e-tests/git-checkout-build.yaml 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/e2e-tests/git-checkout-build.yaml 2026-01-07 00:48:12.000000000 +0100 @@ -197,13 +197,19 @@ branch: 1.x cherry-picks: | main/582b4d7d62f1c512568649ce8b6db085a3d85a9f: here comment + cpick/16138cad5f7729c79eca69b4cf808247d5eed76c: second cherry-pick - name: "check cherry-picks" working-directory: cherry-pick-test runs: | hash=$(git rev-parse --verify HEAD) + status=$(git status -b --porcelain) expected_hash="225e712ae452645acbd8f137b13d6b1ded8a96a1" [ "$hash" != "$expected_hash" ] + # git status should show being two commits head + [ "$status" == "## 1.x...origin/1.x [ahead 2]" ] + # for-cherry-pick.txt should exist as a file + [ -f for-cherry-pick.txt ] cd .. rm -R cherry-pick-test diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/e2e-tests/test-fixtures/create-git-repo new/melange-0.37.4/e2e-tests/test-fixtures/create-git-repo --- old/melange-0.37.0/e2e-tests/test-fixtures/create-git-repo 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/e2e-tests/test-fixtures/create-git-repo 2026-01-07 00:48:12.000000000 +0100 @@ -85,6 +85,13 @@ v wfile README "more stuff on dev" v gcommit -m "more stuff on dev" README +v git checkout --quiet -b cpick main +v wfile README "cherry-pick source branch stuff" +v gcommit -m "cherry-pick source branch stuff" README +v wfile for-cherry-pick.txt "cherry-pickable file" +v git add for-cherry-pick.txt +v gcommit -m "add second cherry-pick source" for-cherry-pick.txt + v git checkout --quiet main v wfile README "mainline stuff" v gcommit -m "mainline stuff" README diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/go.mod new/melange-0.37.4/go.mod --- old/melange-0.37.0/go.mod 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/go.mod 2026-01-07 00:48:12.000000000 +0100 @@ -3,12 +3,12 @@ go 1.24.6 require ( - chainguard.dev/apko v0.30.29 - github.com/chainguard-dev/clog v1.7.0 + chainguard.dev/apko v0.30.34 + github.com/chainguard-dev/clog v1.8.0 github.com/chainguard-dev/go-pkgconfig v0.0.0-20240404163941-6351b37b2a10 - github.com/chainguard-dev/yam v0.2.43 + github.com/chainguard-dev/yam v0.2.44 github.com/charmbracelet/log v0.4.2 - github.com/docker/cli v29.1.2+incompatible + github.com/docker/cli v29.1.3+incompatible github.com/docker/docker v28.5.2+incompatible github.com/dprotaso/go-yit v0.0.0-20250513224043-18a80f8f6df4 github.com/github/go-spdx/v2 v2.3.5 @@ -28,22 +28,22 @@ github.com/package-url/packageurl-go v0.1.3 github.com/pkg/errors v0.9.1 github.com/psanford/memfs v0.0.0-20241019191636-4ef911798f9b - github.com/spdx/tools-golang v0.5.5 + github.com/spdx/tools-golang v0.5.6 github.com/spf13/cobra v1.10.2 github.com/stretchr/testify v1.11.1 github.com/ulikunitz/xz v0.5.15 github.com/yookoala/realpath v1.0.0 github.com/zealic/xignore v0.3.3 - go.opentelemetry.io/otel v1.38.0 - go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 - go.opentelemetry.io/otel/sdk v1.38.0 + go.opentelemetry.io/otel v1.39.0 + go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.39.0 + go.opentelemetry.io/otel/sdk v1.39.0 go.yaml.in/yaml/v2 v2.4.3 - golang.org/x/crypto v0.45.0 + golang.org/x/crypto v0.46.0 golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b golang.org/x/sync v0.19.0 golang.org/x/sys v0.39.0 - golang.org/x/term v0.37.0 - golang.org/x/text v0.31.0 + golang.org/x/term v0.38.0 + golang.org/x/text v0.32.0 golang.org/x/time v0.14.0 gopkg.in/ini.v1 v1.67.0 gopkg.in/yaml.v3 v3.0.1 @@ -72,7 +72,7 @@ require ( chainguard.dev/go-grpc-kit v0.17.15 // indirect - chainguard.dev/sdk v0.1.44 // indirect + chainguard.dev/sdk v0.1.45 // indirect cloud.google.com/go/auth v0.17.0 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect cloud.google.com/go/compute/metadata v0.9.0 // indirect @@ -160,17 +160,17 @@ go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect - go.opentelemetry.io/otel/metric v1.38.0 // indirect - go.opentelemetry.io/otel/trace v1.38.0 // indirect + go.opentelemetry.io/otel/metric v1.39.0 // indirect + go.opentelemetry.io/otel/trace v1.39.0 // indirect go.step.sm/crypto v0.75.0 // indirect golang.org/x/mod v0.30.0 // indirect golang.org/x/net v0.47.0 // indirect - golang.org/x/oauth2 v0.33.0 // indirect + golang.org/x/oauth2 v0.34.0 // indirect google.golang.org/api v0.257.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 // indirect google.golang.org/grpc v1.77.0 // indirect - google.golang.org/protobuf v1.36.10 + google.golang.org/protobuf v1.36.11 gopkg.in/warnings.v0 v0.1.2 // indirect - k8s.io/apimachinery v0.34.2 // indirect + k8s.io/apimachinery v0.34.3 // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/go.sum new/melange-0.37.4/go.sum --- old/melange-0.37.0/go.sum 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/go.sum 2026-01-07 00:48:12.000000000 +0100 @@ -1,9 +1,9 @@ -chainguard.dev/apko v0.30.29 h1:/uQYBoLsq92KSuKWTLj9s/5Cs5a/b57zLNz1MUWja8s= -chainguard.dev/apko v0.30.29/go.mod h1:4FN9ULTi71cdylQx9XACNsZANRzroDOjY2yXSLdDT6Q= +chainguard.dev/apko v0.30.34 h1:CsdZUk1lqKBoKacIZVQwFrPm+2LNL+7+F8SybfCkOjc= +chainguard.dev/apko v0.30.34/go.mod h1:d9NfhhEs/0YTTXaasfeLsLiHGBIO5JPF7xTFl7sQtrQ= chainguard.dev/go-grpc-kit v0.17.15 h1:y+FBjta2lsC0XxlkG+W5P1VxYl0zG74GRvoYN2o+p7s= chainguard.dev/go-grpc-kit v0.17.15/go.mod h1:1wAVAX2CCamtFlfMs9PFzfgQQxX1/TQyF6cbWApbJ2U= -chainguard.dev/sdk v0.1.44 h1:N65xDKBSgZ/y8M8F/BZUv2sjMHxDKTPV5RieTg6mqew= -chainguard.dev/sdk v0.1.44/go.mod h1:sOIIIsNAfdlDdm+it6viMvVsgXHOVwJ8tDi4CKpbjnI= +chainguard.dev/sdk v0.1.45 h1:s8lqcoqwq+9nfZXYvPd3h9sDzwhQ0cjXLWUCFRTSJ20= +chainguard.dev/sdk v0.1.45/go.mod h1:Xq7KQhJHsWAovd8AiWBAj/ftcNkxMPx5YoQeGVTIj2c= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4= cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ= @@ -23,7 +23,6 @@ github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw= github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE= -github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= @@ -41,12 +40,12 @@ github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chainguard-dev/clog v1.7.0 h1:guPznsK8vLHvzz1QJe2yU6MFeYaiSOFOQBYw4OXu+g8= -github.com/chainguard-dev/clog v1.7.0/go.mod h1:4+WFhRMsGH79etYXY3plYdp+tCz/KCkU8fAr0HoaPvs= +github.com/chainguard-dev/clog v1.8.0 h1:frlTMEdg3XQR+ioQ6O9i92uigY8GTUcWKpuCFkhcCHA= +github.com/chainguard-dev/clog v1.8.0/go.mod h1:5MQOZi+Iu7fV7GcJG8ag8rCB5elEOpqRMKEASgnGVdo= github.com/chainguard-dev/go-pkgconfig v0.0.0-20240404163941-6351b37b2a10 h1:XR2vgQC024I9/boh9r1ihVv8Z14+pbvWqXeYMCnZJpc= github.com/chainguard-dev/go-pkgconfig v0.0.0-20240404163941-6351b37b2a10/go.mod h1:1p6+MesLcjKeON5BRWa7I87mvAY0QmKjgginIM3w6BI= -github.com/chainguard-dev/yam v0.2.43 h1:WRIYo9WbqOmls+CbmKWpt/vUQ0g4IiVjANrJj7hOAUI= -github.com/chainguard-dev/yam v0.2.43/go.mod h1:Dwk2i+W3mifDxxM5nILZrvUs9GYZsIjVjEONgKMtBrI= +github.com/chainguard-dev/yam v0.2.44 h1:7KVpFJ3RZb85NDrAMrlFTx+Bq4SlMyg/3Lpl8o3N/58= +github.com/chainguard-dev/yam v0.2.44/go.mod h1:Dwk2i+W3mifDxxM5nILZrvUs9GYZsIjVjEONgKMtBrI= github.com/charmbracelet/colorprofile v0.3.2 h1:9J27WdztfJQVAQKX2WOlSSRB+5gaKqqITmrvb1uTIiI= github.com/charmbracelet/colorprofile v0.3.2/go.mod h1:mTD5XzNeWHj8oqHb+S1bssQb7vIHbepiebQ2kPKVKbI= github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY= @@ -88,8 +87,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v29.1.2+incompatible h1:s4QI7drXpIo78OM+CwuthPsO5kCf8cpNsck5PsLVTH8= -github.com/docker/cli v29.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v29.1.3+incompatible h1:+kz9uDWgs+mAaIZojWfFt4d53/jv0ZUOOoSh5ZnH36c= +github.com/docker/cli v29.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= @@ -166,7 +165,6 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/go-containerregistry v0.20.7 h1:24VGNpS0IwrOZ2ms2P1QE3Xa5X9p4phx0aUgzYzHW6I= @@ -308,9 +306,8 @@ github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8= github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY= -github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM= -github.com/spdx/tools-golang v0.5.5 h1:61c0KLfAcNqAjlg6UNMdkwpMernhw3zVRwDZ2x9XOmk= -github.com/spdx/tools-golang v0.5.5/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYecciXgrw5vE= +github.com/spdx/tools-golang v0.5.6 h1:HUwSJWxyAR7vBstEeZ1+guD6Jcl4TVsKyTBUwT0RjTQ= +github.com/spdx/tools-golang v0.5.6/go.mod h1:jg7w0LOpoNAw6OxKEzCoqPC2GCTj45LyTlVmXubDsYw= github.com/spf13/afero v1.2.0/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA= github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo= @@ -322,7 +319,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= @@ -330,8 +326,6 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/u-root/u-root v0.15.0 h1:8JXfjAA/Vs8EXfZUA2ftvoHbiYYLdaU8umJ461aq+Jw= @@ -363,22 +357,22 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg= -go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= -go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= +go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= +go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 h1:kJxSDN4SgWWTjG/hPp3O7LCGLcHXFlvS2/FFOrwL+SE= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0/go.mod h1:mgIOzS7iZeKJdeB8/NYHrJ48fdGc71Llo5bJ1J4DWUE= -go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= -go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= -go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= -go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg= -go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM= -go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= -go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= -go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.39.0 h1:8UPA4IbVZxpsD76ihGOQiFml99GPAEZLohDXvqHdi6U= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.39.0/go.mod h1:MZ1T/+51uIVKlRzGw1Fo46KEWThjlCBZKl2LzY5nv4g= +go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= +go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= +go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= +go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= +go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= +go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= +go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= +go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= go.step.sm/crypto v0.75.0 h1:UAHYD6q6ggYyzLlIKHv1MCUVjZIesXRZpGTlRC/HSHw= @@ -394,8 +388,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= -golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= +golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= +golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b h1:DXr+pvt3nC887026GRP39Ej11UATqWDmWuS99x26cD0= golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4= @@ -421,8 +415,8 @@ golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo= -golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= +golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -454,8 +448,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU= -golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254= +golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q= +golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -463,8 +457,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= -golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= +golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= +golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -508,8 +502,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= -google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= +google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= +google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= @@ -530,14 +524,13 @@ gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4= -k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE= +k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= mvdan.cc/sh/v3 v3.12.0 h1:ejKUR7ONP5bb+UGHGEG/k9V5+pRVIyD+LsZz7o8KHrI= mvdan.cc/sh/v3 v3.12.0/go.mod h1:Se6Cj17eYSn+sNooLZiEUnNNmNxg0imoYlTu4CyaGyg= sigs.k8s.io/release-utils v0.12.2 h1:H06v3FuLElAkf7Ikkd9ll8hnhdtQ+OgktJAni3iIAl8= sigs.k8s.io/release-utils v0.12.2/go.mod h1:Ab9Lb/FpGUw4lUXj1QYbUcF2TRzll+GS7Md54W1G7sA= -sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/pkg/build/build.go new/melange-0.37.4/pkg/build/build.go --- old/melange-0.37.0/pkg/build/build.go 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/pkg/build/build.go 2026-01-07 00:48:12.000000000 +0100 @@ -76,7 +76,7 @@ } var gccLinkTemplate = `*link: -+ --package-metadata={"type":"apk","os":"{{.Namespace}}","name":"{{.Configuration.Package.Name}}","version":"{{.Configuration.Package.FullVersion}}","architecture":"{{.Arch.ToAPK}}"} ++ --package-metadata={"type":"apk","os":"{{.Namespace}}","name":"{{.Configuration.Package.Name}}","version":"{{.Configuration.Package.FullVersion}}","architecture":"{{.Arch.ToAPK}}"{{if .Configuration.Package.CPE.Vendor}},"appCpe":"{{.Configuration.Package.CPEString}}"{{end}}} ` var ErrSkipThisArch = errors.New("error: skip this arch") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/pkg/build/pipelines/git-checkout.yaml new/melange-0.37.4/pkg/build/pipelines/git-checkout.yaml --- old/melange-0.37.0/pkg/build/pipelines/git-checkout.yaml 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/pkg/build/pipelines/git-checkout.yaml 2026-01-07 00:48:12.000000000 +0100 @@ -94,7 +94,7 @@ return 1 fi - local line="" branch="" hash="" comment="" + local line="" branch="" hash="" comment="" unshallow_arg is_shallow while IFS= read -r line; do # Drop anything after # line=${line%%#*} @@ -118,10 +118,16 @@ # If branch information exists, strip it off to just leave the branch name [ "$branch" != "$hash" ] && branch=${branch%/*} || branch="" + unshallow_arg="" + is_shallow=$(git rev-parse --is-shallow-repository) + if [ "$is_shallow" == "true" ] ; then + unshallow_arg="--unshallow" + fi + if [ -n "$branch" ]; then case " $fetched_branches " in *" $branch "*) ;; - *) vr git fetch --unshallow origin $branch:$branch || { + *) vr git fetch $unshallow_arg origin $branch:$branch || { msg "failed to fetch branch $branch" return 1 } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/pkg/build/sbom/spdx/spdx.go new/melange-0.37.4/pkg/build/sbom/spdx/spdx.go --- old/melange-0.37.0/pkg/build/sbom/spdx/spdx.go 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/pkg/build/sbom/spdx/spdx.go 2026-01-07 00:48:12.000000000 +0100 @@ -191,7 +191,7 @@ } // Add licensing information - li, err := gc.Configuration.Package.LicensingInfos(gc.WorkspaceDir) + li, err := gc.Configuration.Package.LicensingInfos(ctx, gc.WorkspaceDir) if err != nil { return nil, fmt.Errorf("gathering licensing infos: %w", err) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/pkg/build/sbom/spdx/spdx_test.go new/melange-0.37.4/pkg/build/sbom/spdx/spdx_test.go --- old/melange-0.37.0/pkg/build/sbom/spdx/spdx_test.go 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/pkg/build/sbom/spdx/spdx_test.go 2026-01-07 00:48:12.000000000 +0100 @@ -263,6 +263,233 @@ } } +func TestSBOMGenerationWithNonSPDXLicense(t *testing.T) { + tmpDir := t.TempDir() + ctx := context.Background() + outputFS := apkofs.DirFS(ctx, tmpDir) + + // Create a custom license file + licenseContent := "This is a proprietary license. All rights reserved." + if err := os.WriteFile(filepath.Join(tmpDir, "LICENSE.proprietary"), []byte(licenseContent), 0o644); err != nil { + t.Fatalf("failed to write license file: %v", err) + } + + // Build configuration with non-SPDX license + cfg := &config.Configuration{ + Package: config.Package{ + Name: "proprietary-pkg", + Version: "1.0.0", + Epoch: 0, + Description: "Package with proprietary license", + Copyright: []config.Copyright{ + {License: "PROPRIETARY", LicensePath: "LICENSE.proprietary"}, + }, + }, + } + + testTime := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) + + genCtx := &build.GeneratorContext{ + Configuration: cfg, + WorkspaceDir: tmpDir, + OutputFS: outputFS, + SourceDateEpoch: testTime, + Namespace: "test-ns", + Arch: "x86_64", + ReleaseData: &apko_build.ReleaseData{ + ID: "test-os", + VersionID: "1.0", + }, + } + + gen := &Generator{} + if err := gen.GenerateSBOM(ctx, genCtx); err != nil { + t.Fatalf("GenerateSBOM failed: %v", err) + } + + // Read the generated SBOM + sbomPath := filepath.Join(tmpDir, "proprietary-pkg", build.SBOMDir, + fmt.Sprintf("proprietary-pkg-%s.spdx.json", cfg.Package.FullVersion())) + + var actual spdx.Document + data, err := os.ReadFile(sbomPath) + if err != nil { + t.Fatalf("failed to read SBOM: %v", err) + } + if err := json.Unmarshal(data, &actual); err != nil { + t.Fatalf("failed to unmarshal SBOM: %v", err) + } + + expected := &spdx.Document{ + ID: "SPDXRef-DOCUMENT", + Name: "apk-proprietary-pkg-1.0.0-r0", + Version: "SPDX-2.3", + CreationInfo: spdx.CreationInfo{ + Created: "2024-06-01T00:00:00Z", + Creators: []string{"Tool: melange (devel)", "Organization: Chainguard, Inc"}, + LicenseListVersion: "3.22", + }, + DataLicense: "CC0-1.0", + Namespace: actual.Namespace, // Use actual namespace since it's dynamically generated + DocumentDescribes: []string{"SPDXRef-Package-proprietary-pkg-1.0.0-r0"}, + Packages: []spdx.Package{ + { + ID: "SPDXRef-OperatingSystem", + Name: "test-os", + Version: "1.0", + FilesAnalyzed: false, + LicenseConcluded: "NOASSERTION", + LicenseDeclared: "NOASSERTION", + Description: "Operating System", + DownloadLocation: "NOASSERTION", + Originator: "Organization: Test-Ns", + Supplier: "Organization: Test-Ns", + PrimaryPurpose: "OPERATING-SYSTEM", + }, + { + ID: "SPDXRef-Package-proprietary-pkg-1.0.0-r0", + Name: "proprietary-pkg", + Version: "1.0.0-r0", + FilesAnalyzed: false, + LicenseConcluded: "NOASSERTION", + LicenseDeclared: "LicenseRef-PROPRIETARY", + DownloadLocation: "NOASSERTION", + Originator: "Organization: Test-Ns", + Supplier: "Organization: Test-Ns", + CopyrightText: "NOASSERTION", + ExternalRefs: []spdx.ExternalRef{ + { + Category: "PACKAGE-MANAGER", + Locator: "pkg:apk/test-ns/[email protected]?arch=x86_64&distro=test-ns", + Type: "purl", + }, + }, + }, + }, + LicensingInfos: []spdx.LicensingInfo{ + { + LicenseID: "LicenseRef-PROPRIETARY", + ExtractedText: licenseContent, + }, + }, + } + + if diff := cmp.Diff(expected, &actual); diff != "" { + t.Errorf("SBOM mismatch (-want +got):\n%s", diff) + } +} + +func TestSBOMGenerationWithMixedLicenses(t *testing.T) { + tmpDir := t.TempDir() + ctx := context.Background() + outputFS := apkofs.DirFS(ctx, tmpDir) + + // Build configuration with mixed valid and invalid SPDX licenses + cfg := &config.Configuration{ + Package: config.Package{ + Name: "mixed-license-pkg", + Version: "2.0.0", + Epoch: 1, + Description: "Package with mixed licenses", + Copyright: []config.Copyright{ + {License: "MIT"}, + {License: "CustomLicense"}, + }, + }, + } + + testTime := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) + + genCtx := &build.GeneratorContext{ + Configuration: cfg, + WorkspaceDir: tmpDir, + OutputFS: outputFS, + SourceDateEpoch: testTime, + Namespace: "test-ns", + Arch: "x86_64", + ReleaseData: &apko_build.ReleaseData{ + ID: "test-os", + VersionID: "1.0", + }, + } + + gen := &Generator{} + if err := gen.GenerateSBOM(ctx, genCtx); err != nil { + t.Fatalf("GenerateSBOM failed: %v", err) + } + + // Read the generated SBOM + sbomPath := filepath.Join(tmpDir, "mixed-license-pkg", build.SBOMDir, + fmt.Sprintf("mixed-license-pkg-%s.spdx.json", cfg.Package.FullVersion())) + + var actual spdx.Document + data, err := os.ReadFile(sbomPath) + if err != nil { + t.Fatalf("failed to read SBOM: %v", err) + } + if err := json.Unmarshal(data, &actual); err != nil { + t.Fatalf("failed to unmarshal SBOM: %v", err) + } + + expected := &spdx.Document{ + ID: "SPDXRef-DOCUMENT", + Name: "apk-mixed-license-pkg-2.0.0-r1", + Version: "SPDX-2.3", + CreationInfo: spdx.CreationInfo{ + Created: "2024-06-01T00:00:00Z", + Creators: []string{"Tool: melange (devel)", "Organization: Chainguard, Inc"}, + LicenseListVersion: "3.22", + }, + DataLicense: "CC0-1.0", + Namespace: actual.Namespace, // Use actual namespace since it's dynamically generated + DocumentDescribes: []string{"SPDXRef-Package-mixed-license-pkg-2.0.0-r1"}, + Packages: []spdx.Package{ + { + ID: "SPDXRef-OperatingSystem", + Name: "test-os", + Version: "1.0", + FilesAnalyzed: false, + LicenseConcluded: "NOASSERTION", + LicenseDeclared: "NOASSERTION", + Description: "Operating System", + DownloadLocation: "NOASSERTION", + Originator: "Organization: Test-Ns", + Supplier: "Organization: Test-Ns", + PrimaryPurpose: "OPERATING-SYSTEM", + }, + { + ID: "SPDXRef-Package-mixed-license-pkg-2.0.0-r1", + Name: "mixed-license-pkg", + Version: "2.0.0-r1", + FilesAnalyzed: false, + LicenseConcluded: "NOASSERTION", + LicenseDeclared: "MIT AND LicenseRef-CustomLicense", + DownloadLocation: "NOASSERTION", + Originator: "Organization: Test-Ns", + Supplier: "Organization: Test-Ns", + CopyrightText: "NOASSERTION", + ExternalRefs: []spdx.ExternalRef{ + { + Category: "PACKAGE-MANAGER", + Locator: "pkg:apk/test-ns/[email protected]?arch=x86_64&distro=test-ns", + Type: "purl", + }, + }, + }, + }, + LicensingInfos: []spdx.LicensingInfo{ + { + LicenseID: "LicenseRef-CustomLicense", + ExtractedText: "Non-SPDX License: CustomLicense", + }, + }, + } + + if diff := cmp.Diff(expected, &actual); diff != "" { + t.Errorf("SBOM mismatch (-want +got):\n%s", diff) + } +} + func TestSBOMGenerationWithSubpackageGitCheckout(t *testing.T) { tmpDir := t.TempDir() ctx := context.Background() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/pkg/config/config.go new/melange-0.37.4/pkg/config/config.go --- old/melange-0.37.0/pkg/config/config.go 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/pkg/config/config.go 2026-01-07 00:48:12.000000000 +0100 @@ -36,6 +36,7 @@ "time" apko_types "chainguard.dev/apko/pkg/build/types" + "github.com/github/go-spdx/v2/spdxexp" purl "github.com/package-url/packageurl-go" "chainguard.dev/melange/pkg/sbom" @@ -192,8 +193,9 @@ // against NVD records. func (p Package) CPEString() (string, error) { const anyValue = "*" + const partApplication = "a" - part := anyValue + part := partApplication if p.CPE.Part != "" { part = p.CPE.Part } @@ -231,6 +233,9 @@ } // Last-mile validation to avoid headaches downstream of this. + if !slices.Contains([]string{"a", "h", "o"}, part) { + return "", fmt.Errorf("part value must be a, h or o") + } if vendor == anyValue { return "", fmt.Errorf("vendor value must be exactly specified") } @@ -437,7 +442,9 @@ } // LicenseExpression returns an SPDX license expression formed from the data in -// the copyright structs found in the conf. It's a simple OR for now. +// the copyright structs found in the conf. It's a simple AND for now. +// Invalid SPDX license identifiers are converted to LicenseRef-<sanitized-name> +// format for SPDX compliance. func (p Package) LicenseExpression() string { licenseExpression := "" if p.Copyright == nil { @@ -447,26 +454,92 @@ if licenseExpression != "" { licenseExpression += " AND " } - licenseExpression += cp.License + license := normalizeLicenseID(cp.License) + licenseExpression += license } return licenseExpression } +// normalizeLicenseID checks if a license identifier is a valid SPDX license. +// If valid, it returns the license as-is. If invalid, it returns a LicenseRef- +// formatted identifier that is SPDX compliant. +func normalizeLicenseID(license string) string { + if license == "" { + return "" + } + + if isValidSPDXLicense(license) { + return license + } + + // Convert invalid license to LicenseRef format + return toLicenseRef(license) +} + +// toLicenseRef converts a license name to a valid SPDX LicenseRef identifier. +// SPDX LicenseRef identifiers must match the pattern: LicenseRef-[a-zA-Z0-9.-]+ +func toLicenseRef(license string) string { + // Sanitize the license name to only contain valid characters + var sb strings.Builder + for _, r := range license { + switch { + case (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r == '.' || r == '-': + sb.WriteRune(r) + case r == ' ' || r == '_': + sb.WriteRune('-') + default: + // Skip invalid characters + } + } + + sanitized := sb.String() + if sanitized == "" { + // If nothing remains after sanitization, use a hash + h := sha256.Sum256([]byte(license)) + sanitized = hex.EncodeToString(h[:8]) + } + + return "LicenseRef-" + sanitized +} + +// isValidSPDXLicense checks if a license identifier is a valid SPDX license. +func isValidSPDXLicense(license string) bool { + if license == "" { + return false + } + valid, _ := spdxexp.ValidateLicenses([]string{license}) + return valid +} + // LicensingInfos looks at the `Package.Copyright[].LicensePath` fields of the // parsed build configuration for the package. If this value has been set, // LicensingInfos opens the file at this path from the build's workspace // directory, and reads in the license content. LicensingInfos then returns a -// map of the `Copyright.License` field to the string content of the file from -// `.LicensePath`. -func (p Package) LicensingInfos(workspaceDir string) (map[string]string, error) { +// map of the license identifier (using LicenseRef format for non-SPDX licenses) +// to the string content of the file from `.LicensePath`. +// +// For licenses that are not valid SPDX identifiers, the extracted text will +// include the original license name if no LicensePath is specified. A warning +// is logged in this case to encourage providing the full license text. +func (p Package) LicensingInfos(ctx context.Context, workspaceDir string) (map[string]string, error) { + log := clog.FromContext(ctx) licenseInfos := make(map[string]string) for _, cp := range p.Copyright { + license := cp.License + id := normalizeLicenseID(license) + if cp.LicensePath != "" { + // Read license content from file content, err := os.ReadFile(filepath.Join(workspaceDir, cp.LicensePath)) // #nosec G304 - Reading license file from build workspace if err != nil { return nil, fmt.Errorf("failed to read licensepath %q: %w", cp.LicensePath, err) } - licenseInfos[cp.License] = string(content) + licenseInfos[id] = string(content) + } else if strings.HasPrefix(id, "LicenseRef-") { + // For non-SPDX licenses without a license path, include the original + // license name as the extracted text so consumers know what it refers to + log.Warnf("non-SPDX license %q used without license-path; consider adding license-path with full license text for SBOM compliance", license) + licenseInfos[id] = fmt.Sprintf("Non-SPDX License: %s", license) } } return licenseInfos, nil diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.37.0/pkg/config/config_test.go new/melange-0.37.4/pkg/config/config_test.go --- old/melange-0.37.0/pkg/config/config_test.go 2025-12-11 19:04:59.000000000 +0100 +++ new/melange-0.37.4/pkg/config/config_test.go 2026-01-07 00:48:12.000000000 +0100 @@ -9,6 +9,7 @@ "testing" "github.com/chainguard-dev/clog/slogtest" + "github.com/google/go-cmp/cmp" purl "github.com/package-url/packageurl-go" "github.com/stretchr/testify/require" @@ -1647,4 +1648,373 @@ } }) } +} + +func TestNormalizeLicenseID(t *testing.T) { + tests := []struct { + name string + license string + expected string + }{ + { + name: "valid SPDX license MIT", + license: "MIT", + expected: "MIT", + }, + { + name: "valid SPDX license Apache-2.0", + license: "Apache-2.0", + expected: "Apache-2.0", + }, + { + name: "valid SPDX license GPL-3.0-only", + license: "GPL-3.0-only", + expected: "GPL-3.0-only", + }, + { + name: "invalid SPDX license - custom", + license: "MyCustomLicense", + expected: "LicenseRef-MyCustomLicense", + }, + { + name: "invalid SPDX license - with spaces", + license: "My Custom License", + expected: "LicenseRef-My-Custom-License", + }, + { + name: "invalid SPDX license - GPL typo", + license: "GPL", + expected: "LicenseRef-GPL", + }, + { + name: "empty license", + license: "", + expected: "", + }, + { + name: "invalid license with special chars", + license: "Custom@License!v2", + expected: "LicenseRef-CustomLicensev2", + }, + { + name: "PROPRIETARY license", + license: "PROPRIETARY", + expected: "LicenseRef-PROPRIETARY", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := normalizeLicenseID(tt.license) + if diff := cmp.Diff(tt.expected, result); diff != "" { + t.Errorf("normalizeLicenseID() mismatch (-want +got):\n%s", diff) + } + }) + } +} + +func TestToLicenseRef(t *testing.T) { + tests := []struct { + name string + license string + expected string + }{ + { + name: "simple name", + license: "CustomLicense", + expected: "LicenseRef-CustomLicense", + }, + { + name: "name with spaces", + license: "Custom License v2", + expected: "LicenseRef-Custom-License-v2", + }, + { + name: "name with underscores", + license: "Custom_License_v2", + expected: "LicenseRef-Custom-License-v2", + }, + { + name: "name with dots and hyphens", + license: "Custom-License.v2", + expected: "LicenseRef-Custom-License.v2", + }, + { + name: "name with special chars", + license: "License@#$%^&*()", + expected: "LicenseRef-License", + }, + { + name: "only special chars - uses hash", + license: "@#$%^&*()", + expected: "LicenseRef-a821cf5c9ba958c4", // SHA256 hash prefix + }, + { + name: "numbers only", + license: "12345", + expected: "LicenseRef-12345", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := toLicenseRef(tt.license) + if diff := cmp.Diff(tt.expected, result); diff != "" { + t.Errorf("toLicenseRef() mismatch (-want +got):\n%s", diff) + } + }) + } +} + +func TestIsValidSPDXLicense(t *testing.T) { + tests := []struct { + name string + license string + expected bool + }{ + { + name: "valid MIT", + license: "MIT", + expected: true, + }, + { + name: "valid Apache-2.0", + license: "Apache-2.0", + expected: true, + }, + { + name: "valid GPL-3.0-or-later", + license: "GPL-3.0-or-later", + expected: true, + }, + { + name: "valid BSD-3-Clause", + license: "BSD-3-Clause", + expected: true, + }, + { + name: "invalid - custom license", + license: "MyLicense", + expected: false, + }, + { + name: "invalid - GPL without version", + license: "GPL", + expected: false, + }, + { + name: "empty string", + license: "", + expected: false, + }, + { + name: "valid SPDX expression", + license: "MIT AND Apache-2.0", + expected: true, + }, + { + name: "invalid - PROPRIETARY", + license: "PROPRIETARY", + expected: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := isValidSPDXLicense(tt.license) + if result != tt.expected { + t.Errorf("isValidSPDXLicense(%q) = %v, want %v", tt.license, result, tt.expected) + } + }) + } +} + +func TestLicenseExpressionWithValidation(t *testing.T) { + tests := []struct { + name string + copyright []Copyright + expected string + }{ + { + name: "nil copyright", + copyright: nil, + expected: "", + }, + { + name: "empty copyright", + copyright: []Copyright{}, + expected: "", + }, + { + name: "single valid license", + copyright: []Copyright{ + {License: "MIT"}, + }, + expected: "MIT", + }, + { + name: "multiple valid licenses", + copyright: []Copyright{ + {License: "MIT"}, + {License: "Apache-2.0"}, + }, + expected: "MIT AND Apache-2.0", + }, + { + name: "single invalid license", + copyright: []Copyright{ + {License: "CustomLicense"}, + }, + expected: "LicenseRef-CustomLicense", + }, + { + name: "mixed valid and invalid licenses", + copyright: []Copyright{ + {License: "MIT"}, + {License: "CustomLicense"}, + {License: "Apache-2.0"}, + }, + expected: "MIT AND LicenseRef-CustomLicense AND Apache-2.0", + }, + { + name: "invalid license with spaces", + copyright: []Copyright{ + {License: "My Custom License"}, + }, + expected: "LicenseRef-My-Custom-License", + }, + { + name: "PROPRIETARY license", + copyright: []Copyright{ + {License: "PROPRIETARY"}, + }, + expected: "LicenseRef-PROPRIETARY", + }, + { + name: "mixed with PROPRIETARY", + copyright: []Copyright{ + {License: "MIT"}, + {License: "PROPRIETARY"}, + }, + expected: "MIT AND LicenseRef-PROPRIETARY", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + pkg := Package{ + Copyright: tt.copyright, + } + result := pkg.LicenseExpression() + if diff := cmp.Diff(tt.expected, result); diff != "" { + t.Errorf("LicenseExpression() mismatch (-want +got):\n%s", diff) + } + }) + } +} + +func TestLicensingInfosWithValidation(t *testing.T) { + // Create a temp directory with a license file + tmpDir := t.TempDir() + licenseContent := "This is my custom license text" + if err := os.WriteFile(filepath.Join(tmpDir, "LICENSE.custom"), []byte(licenseContent), 0o644); err != nil { + t.Fatal(err) + } + + tests := []struct { + name string + copyright []Copyright + expected map[string]string + }{ + { + name: "nil copyright", + copyright: nil, + expected: map[string]string{}, + }, + { + name: "empty copyright", + copyright: []Copyright{}, + expected: map[string]string{}, + }, + { + name: "valid SPDX license without license path - no entry", + copyright: []Copyright{ + {License: "MIT"}, + }, + expected: map[string]string{}, + }, + { + name: "invalid SPDX license without license path - has entry", + copyright: []Copyright{ + {License: "CustomLicense"}, + }, + expected: map[string]string{ + "LicenseRef-CustomLicense": "Non-SPDX License: CustomLicense", + }, + }, + { + name: "invalid SPDX license with license path - uses file content", + copyright: []Copyright{ + {License: "CustomLicense", LicensePath: "LICENSE.custom"}, + }, + expected: map[string]string{ + "LicenseRef-CustomLicense": licenseContent, + }, + }, + { + name: "valid SPDX license with license path - uses file content", + copyright: []Copyright{ + {License: "MIT", LicensePath: "LICENSE.custom"}, + }, + expected: map[string]string{ + "MIT": licenseContent, + }, + }, + { + name: "mixed valid and invalid licenses", + copyright: []Copyright{ + {License: "MIT"}, + {License: "CustomLicense"}, + {License: "Apache-2.0", LicensePath: "LICENSE.custom"}, + }, + expected: map[string]string{ + "LicenseRef-CustomLicense": "Non-SPDX License: CustomLicense", + "Apache-2.0": licenseContent, + }, + }, + { + name: "PROPRIETARY license without license path", + copyright: []Copyright{ + {License: "PROPRIETARY"}, + }, + expected: map[string]string{ + "LicenseRef-PROPRIETARY": "Non-SPDX License: PROPRIETARY", + }, + }, + { + name: "PROPRIETARY license with license path", + copyright: []Copyright{ + {License: "PROPRIETARY", LicensePath: "LICENSE.custom"}, + }, + expected: map[string]string{ + "LicenseRef-PROPRIETARY": licenseContent, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + ctx := slogtest.Context(t) + pkg := Package{ + Copyright: tt.copyright, + } + result, err := pkg.LicensingInfos(ctx, tmpDir) + if err != nil { + t.Fatalf("LicensingInfos() error = %v", err) + } + if diff := cmp.Diff(tt.expected, result); diff != "" { + t.Errorf("LicensingInfos() mismatch (-want +got):\n%s", diff) + } + }) + } } ++++++ melange.obsinfo ++++++ --- /var/tmp/diff_new_pack.ztZ3Wu/_old 2026-01-12 11:49:16.639498596 +0100 +++ /var/tmp/diff_new_pack.ztZ3Wu/_new 2026-01-12 11:49:16.643498762 +0100 @@ -1,5 +1,5 @@ name: melange -version: 0.37.0 -mtime: 1765476299 -commit: 70848dbbf4972daa018e43ce951faacc75a60a86 +version: 0.37.4 +mtime: 1767743292 +commit: 6b1e13f05def7cddcf23ae8d0f50a205fcf6417f ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/melange/vendor.tar.gz /work/SRC/openSUSE:Factory/.melange.new.1928/vendor.tar.gz differ: char 14, line 1
