Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grype for openSUSE:Factory checked in at 2026-01-17 14:53:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grype (Old) and /work/SRC/openSUSE:Factory/.grype.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grype" Sat Jan 17 14:53:16 2026 rev:111 rq:1327518 version:0.105.0 Changes: -------- --- /work/SRC/openSUSE:Factory/grype/grype.changes 2026-01-12 10:33:12.318839479 +0100 +++ /work/SRC/openSUSE:Factory/.grype.new.1928/grype.changes 2026-01-17 14:54:05.685534869 +0100 @@ -1,0 +2,21 @@ +Fri Jan 16 05:59:03 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.105.0: + * Added Features + - Add archlinux matcher to grype [#3154 @willmurphyscode] + - test: update quality gate db to latest version (#3141) + * Dependencies + - chore(deps): update anchore dependencies (#3165) + - chore(deps): update tools to latest versions (#3161) + - chore(deps): bump golang.org/x/tools from 0.40.0 to 0.41.0 + (#3158) + - chore(deps): bump github.com/go-viper/mapstructure/v2 (#3159) + - chore(deps): bump github/codeql-action from 4.31.9 to 4.31.10 + (#3160) + - chore(deps): bump actions/setup-go in + /.github/actions/bootstrap (#3162) + - chore(deps): update tools to latest versions (#3152) + - chore(deps): bump anchore/sbom-action from 0.21.0 to 0.21.1 + (#3153) + +------------------------------------------------------------------- Old: ---- grype-0.104.4.obscpio New: ---- grype-0.105.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grype.spec ++++++ --- /var/tmp/diff_new_pack.CRoeSK/_old 2026-01-17 14:54:09.745704130 +0100 +++ /var/tmp/diff_new_pack.CRoeSK/_new 2026-01-17 14:54:09.757704630 +0100 @@ -17,7 +17,7 @@ Name: grype -Version: 0.104.4 +Version: 0.105.0 Release: 0 Summary: A vulnerability scanner for container images and filesystems License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.CRoeSK/_old 2026-01-17 14:54:10.109719305 +0100 +++ /var/tmp/diff_new_pack.CRoeSK/_new 2026-01-17 14:54:10.181722307 +0100 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/anchore/grype</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.104.4</param> + <param name="revision">v0.105.0</param> <param name="match-tag">v*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.CRoeSK/_old 2026-01-17 14:54:10.401731479 +0100 +++ /var/tmp/diff_new_pack.CRoeSK/_new 2026-01-17 14:54:10.453733647 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/grype</param> - <param name="changesrevision">d755edde29f4139371a8d01466464960d13d7dac</param></service></servicedata> + <param name="changesrevision">32e7c0d3561dcca0cc4b000a850f681e5fb79a27</param></service></servicedata> (No newline at EOF) ++++++ grype-0.104.4.obscpio -> grype-0.105.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/.binny.yaml new/grype-0.105.0/.binny.yaml --- old/grype-0.104.4/.binny.yaml 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/.binny.yaml 2026-01-15 23:20:54.000000000 +0100 @@ -2,7 +2,7 @@ # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!) - name: binny version: - want: v0.11.0 + want: v0.11.1 method: github-release with: repo: anchore/binny @@ -26,7 +26,7 @@ # used for linting - name: golangci-lint version: - want: v2.7.2 + want: v2.8.0 method: github-release with: repo: golangci/golangci-lint @@ -42,7 +42,7 @@ # used for signing the checksums file at release - name: cosign version: - want: v3.0.3 + want: v3.0.4 method: github-release with: repo: sigstore/cosign @@ -50,7 +50,7 @@ # used to release all artifacts - name: goreleaser version: - want: v2.13.2 + want: v2.13.3 method: github-release with: repo: goreleaser/goreleaser 
@@ -90,7 +90,7 @@
 # used for triggering a release
 - name: gh
 version:
- want: v2.83.2
+ want: v2.85.0
 method: github-release
 with:
 repo: cli/cli
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/go.mod new/grype-0.105.0/go.mod
--- old/grype-0.104.4/go.mod 2026-01-08 14:18:03.000000000 +0100
+++ new/grype-0.105.0/go.mod 2026-01-15 23:20:54.000000000 +0100
@@ -17,8 +17,8 @@
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115
- github.com/anchore/stereoscope v0.1.17
- github.com/anchore/syft v1.40.0
+ github.com/anchore/stereoscope v0.1.18
+ github.com/anchore/syft v1.40.1
 github.com/aquasecurity/go-pep440-version v0.0.1
 github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 github.com/bitnami/go-version v0.0.0-20250505154626-452e8c5ee607
@@ -33,7 +33,7 @@
 github.com/gkampitakis/go-snaps v0.5.19
 github.com/glebarez/sqlite v1.11.0
 github.com/go-test/deep v1.1.1
- github.com/go-viper/mapstructure/v2 v2.4.0
+ github.com/go-viper/mapstructure/v2 v2.5.0
 github.com/gocsaf/csaf/v3 v3.5.1
 github.com/gohugoio/hashstructure v0.6.0
 github.com/google/go-cmp v0.7.0
@@ -68,7 +68,7 @@
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8
 golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc
 golang.org/x/time v0.14.0
- golang.org/x/tools v0.40.0
+ golang.org/x/tools v0.41.0
 gopkg.in/yaml.v3 v3.0.1
 gorm.io/gorm v1.31.1
 )
@@ -84,8 +84,6 @@
 cloud.google.com/go/storage v1.58.0 // indirect
 cyphar.com/go-pathrs v0.2.1 // indirect
 dario.cat/mergo v1.0.2 // indirect
- github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
- github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa // indirect
 github.com/BurntSushi/toml v1.6.0 // indirect
 github.com/DataDog/zstd v1.5.7 // indirect
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect
@@ -96,7 +94,7 @@
 github.com/Masterminds/goutils v1.1.1 // indirect
 github.com/Masterminds/semver/v3 v3.4.0 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
- github.com/Microsoft/hcsshim v0.13.0 // indirect
+ github.com/Microsoft/hcsshim v0.14.0-rc.1 // indirect
 github.com/ProtonMail/go-crypto v1.3.0 // indirect
 github.com/STARRY-S/zip v0.2.3 // indirect
 github.com/acobaugh/osrelease v0.1.0 // indirect
@@ -133,7 +131,7 @@
 github.com/becheran/wildmatch-go v1.0.0 // indirect
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
- github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
+ github.com/bmatcuk/doublestar/v4 v4.9.2 // indirect
 github.com/bodgit/plumbing v1.3.0 // indirect
 github.com/bodgit/sevenzip v1.6.1 // indirect
 github.com/bodgit/windows v1.0.1 // indirect
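Review bot: `github.com/Microsoft/hcsshim v0.14.0-rc.1 // indirect` in the `@@ -96,7 +94,7 @@` hunk puts a release build on a release-candidate module. The later go.mod hunks do the same with `github.com/containerd/platforms v1.0.0-rc.2` and with the untagged pseudo-version `github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee`. These are presumably selected transitively by the stereoscope/syft updates and the move to `github.com/containerd/containerd/v2`, but the diff does not show which direct requirement forces them. I would confirm that with `go mod why -m` or `go mod graph` and record it next to the first pin, e.g. `// pre-release selected transitively; revisit when the final tag is published`.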
@@ -150,15 +148,16 @@
 github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 github.com/cloudflare/circl v1.6.1 // indirect
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
- github.com/containerd/cgroups/v3 v3.0.3 // indirect
- github.com/containerd/containerd v1.7.30 // indirect
- github.com/containerd/containerd/api v1.9.0 // indirect
+ github.com/containerd/cgroups/v3 v3.1.2 // indirect
+ github.com/containerd/containerd/api v1.10.0 // indirect
+ github.com/containerd/containerd/v2 v2.2.1 // indirect
 github.com/containerd/continuity v0.4.5 // indirect
 github.com/containerd/errdefs v1.0.0 // indirect
 github.com/containerd/errdefs/pkg v0.3.0 // indirect
 github.com/containerd/fifo v1.1.0 // indirect
 github.com/containerd/log v0.1.0 // indirect
- github.com/containerd/platforms v0.2.1 // indirect
+ github.com/containerd/platforms v1.0.0-rc.2 // indirect
+ github.com/containerd/plugin v1.0.0 // indirect
 github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
 github.com/containerd/ttrpc v1.2.7 // indirect
 github.com/containerd/typeurl/v2 v2.2.3 // indirect
@@ -167,11 +166,10 @@
 github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb // indirect
 github.com/diskfs/go-diskfs v1.7.0 // indirect
 github.com/distribution/reference v0.6.0 // indirect
- github.com/docker/cli v29.1.3+incompatible // indirect
+ github.com/docker/cli v29.1.4+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.9.4 // indirect
 github.com/docker/go-connections v0.6.0 // indirect
- github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 // indirect
 github.com/docker/go-units v0.5.0 // indirect
 github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
 github.com/elliotchance/phpserialize v1.4.0 // indirect
@@ -193,7 +191,7 @@
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-restruct/restruct v1.2.0-alpha // indirect
- github.com/goccy/go-yaml v1.19.1 // indirect
+ github.com/goccy/go-yaml v1.19.2 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/google/licensecheck v0.3.1 // indirect
@@ -201,7 +199,7 @@
 github.com/google/s2a-go v0.1.9 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
 github.com/googleapis/gax-go/v2 v2.15.0 // indirect
- github.com/gpustack/gguf-parser-go v0.22.1 // indirect
+ github.com/gpustack/gguf-parser-go v0.23.1 // indirect
 github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.70 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-version v1.8.0 // indirect
@@ -245,7 +243,7 @@
 github.com/moby/sys/userns v0.1.0 // indirect
 github.com/moby/term v0.5.2 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
- github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 github.com/muesli/cancelreader v0.2.2 // indirect
 github.com/ncruces/go-strftime v0.1.9 // indirect
@@ -256,7 +254,7 @@
 github.com/olekukonko/ll v0.1.3 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.1 // indirect
- github.com/opencontainers/runtime-spec v1.2.1 // indirect
+ github.com/opencontainers/runtime-spec v1.3.0 // indirect
 github.com/opencontainers/selinux v1.13.1 // indirect
 github.com/package-url/packageurl-go v0.1.3 // indirect
 github.com/pborman/indent v1.2.1 // indirect
@@ -298,7 +296,7 @@
 github.com/tidwall/match v1.1.1 // indirect
 github.com/tidwall/pretty v1.2.1 // indirect
 github.com/tidwall/sjson v1.2.5 // indirect
- github.com/vbatts/go-mtree v0.6.0 // indirect
+ github.com/vbatts/go-mtree v0.7.0 // indirect
 github.com/vbatts/tar-split v0.12.2 // indirect
 github.com/vifraa/gopom v1.0.0 // indirect
 github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
@@ -321,14 +319,14 @@
 go.uber.org/multierr v1.11.0 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
 go4.org v0.0.0-20230225012048-214862532bf5 // indirect
- golang.org/x/crypto v0.46.0 // indirect
- golang.org/x/mod v0.31.0 // indirect
- golang.org/x/net v0.48.0 // indirect
+ golang.org/x/crypto v0.47.0 // indirect
+ golang.org/x/mod v0.32.0 // indirect
+ golang.org/x/net v0.49.0 // indirect
 golang.org/x/oauth2 v0.33.0 // indirect
 golang.org/x/sync v0.19.0 // indirect
- golang.org/x/sys v0.39.0 // indirect
- golang.org/x/term v0.38.0 // indirect
- golang.org/x/text v0.32.0 // indirect
+ golang.org/x/sys v0.40.0 // indirect
+ golang.org/x/term v0.39.0 // indirect
+ golang.org/x/text v0.33.0 // indirect
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 gonum.org/v1/gonum v0.16.0 // indirect
 google.golang.org/api v0.256.0 // indirect
@@ -341,5 +339,5 @@
 modernc.org/libc v1.66.10 // indirect
 modernc.org/mathutil v1.7.1 // indirect
 modernc.org/memory v1.11.0 // indirect
- modernc.org/sqlite v1.42.2 // indirect
+ modernc.org/sqlite v1.43.0 // indirect
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/go.sum new/grype-0.105.0/go.sum
--- old/grype-0.104.4/go.sum 2026-01-08 14:18:03.000000000 +0100
+++ new/grype-0.105.0/go.sum 2026-01-15 23:20:54.000000000 +0100
@@ -74,8 +74,6 @@ dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= -github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa h1:x6kFzdPgBoLbyoNkA/jny0ENpoEz4wqY8lPTQL2DPkg= -github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa/go.mod h1:gCLVsLfv1egrcZu+GoJATN5ts75F2s62ih/457eWzOw= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= @@ -109,8 +107,8 @@ github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWSeaA= -github.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok= +github.com/Microsoft/hcsshim v0.14.0-rc.1 h1:qAPXKwGOkVn8LlqgBN8GS0bxZ83hOJpcjxzmlQKxKsQ= +github.com/Microsoft/hcsshim v0.14.0-rc.1/go.mod h1:hTKFGbnDtQb1wHiOWv4v0eN+7boSWAHyK/tNAaYZL0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= 
@@ -158,10 +156,10 @@ github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E= github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY= github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI= -github.com/anchore/stereoscope v0.1.17 h1:5M7IkeJEbNsWQx//fc76g5IO4qU66vvQluYK71/Of7I= -github.com/anchore/stereoscope v0.1.17/go.mod h1:I0SxhY9lL3rPCD4FAl56JxL+gbL9nUVOFful8dwQ56o= -github.com/anchore/syft v1.40.0 h1:ZvSIk0QPW78G4LPVxTC+xjLZZz3fBAKeCD5zafdzcgE= -github.com/anchore/syft v1.40.0/go.mod h1:5rpl7m/MAzg96AdsMpYgpQ0Nr9fR6NSVoJFfcErH3bo= +github.com/anchore/stereoscope v0.1.18 h1:Mj34pRtxwfdFJkYKtKjiO9Xn7qs0RTCi59ofRYTSCEU= +github.com/anchore/stereoscope v0.1.18/go.mod h1:y8P4BURfBj0DVRly9cPHsSuZdI/AsZs3ee/x/HusEe4= +github.com/anchore/syft v1.40.1 h1:S0c/ua65y8saiJyCCZohdo7PbO0NNnaLdvD4CNfuGXE= +github.com/anchore/syft v1.40.1/go.mod h1:zgp8kzoX5ZbJzp6XLkJLk0+w7dlezKEsMak9QpfhTxQ= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ= github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY= 
@@ -241,8 +239,8 @@ github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= github.com/bmatcuk/doublestar/v2 v2.0.4 h1:6I6oUiT/sU27eE2OFcWqBhL1SwjyvQuOssxT4a1yidI= github.com/bmatcuk/doublestar/v2 v2.0.4/go.mod h1:QMmcs3H2AUQICWhfzLXz+IYln8lRQmTZRptLie8RgRw= -github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/avrEXE= -github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= +github.com/bmatcuk/doublestar/v4 v4.9.2 h1:b0mc6WyRSYLjzofB2v/0cuDUZ+MqoGyH3r0dVij35GI= +github.com/bmatcuk/doublestar/v4 v4.9.2/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/bodgit/plumbing v1.3.0 h1:pf9Itz1JOQgn7vEOE7v7nlEfBykYqvUYioC61TwWCFU= github.com/bodgit/plumbing v1.3.0/go.mod h1:JOTb4XiRu5xfnmdnDJo6GmSbSbtSyufrsyZFByMtKEs= github.com/bodgit/sevenzip v1.6.1 h1:kikg2pUMYC9ljU7W9SaqHXhym5HyKm8/M/jd31fYan4= 
@@ -310,12 +308,12 @@ github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls= github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= -github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= -github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.30 h1:/2vezDpLDVGGmkUXmlNPLCCNKHJ5BbC5tJB5JNzQhqE= -github.com/containerd/containerd v1.7.30/go.mod h1:fek494vwJClULlTpExsmOyKCMUAbuVjlFsJQc4/j44M= -github.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0= -github.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI= +github.com/containerd/cgroups/v3 v3.1.2 h1:OSosXMtkhI6Qove637tg1XgK4q+DhR0mX8Wi8EhrHa4= +github.com/containerd/cgroups/v3 v3.1.2/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw= +github.com/containerd/containerd/api v1.10.0 h1:5n0oHYVBwN4VhoX9fFykCV9dF1/BvAXeg2F8W6UYq1o= +github.com/containerd/containerd/api v1.10.0/go.mod h1:NBm1OAk8ZL+LG8R0ceObGxT5hbUYj7CzTmR3xh0DlMM= +github.com/containerd/containerd/v2 v2.2.1 h1:TpyxcY4AL5A+07dxETevunVS5zxqzuq7ZqJXknM11yk= +github.com/containerd/containerd/v2 v2.2.1/go.mod h1:NR70yW1iDxe84F2iFWbR9xfAN0N2F0NcjTi1OVth4nU= github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4= github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= 
@@ -326,8 +324,10 @@ github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= -github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= -github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= +github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6acgLGv/QzE4= +github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4= +github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y= +github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8= github.com/containerd/stargz-snapshotter/estargz v0.18.1 h1:cy2/lpgBXDA3cDKSyEfNOFMA/c10O1axL69EU7iirO8= github.com/containerd/stargz-snapshotter/estargz v0.18.1/go.mod h1:ALIEqa7B6oVDsrF37GkGN20SuvG/pIMm7FwP7ZmRb0Q= github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ= 
@@ -358,8 +358,8 @@ github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0= github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= -github.com/docker/cli v29.1.3+incompatible h1:+kz9uDWgs+mAaIZojWfFt4d53/jv0ZUOOoSh5ZnH36c= -github.com/docker/cli v29.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v29.1.4+incompatible h1:AI8fwZhqsAsrqZnVv9h6lbexeW/LzNTasf6A4vcNN8M= +github.com/docker/cli v29.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= @@ -368,8 +368,6 @@ github.com/docker/docker-credential-helpers v0.9.4/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c= github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94= github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE= -github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 h1:EHZfspsnLAz8Hzccd67D5abwLiqoqym2jz/jOS39mCk= -github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 h1:2tV76y6Q9BB+NEBasnqvs7e49aEBFI8ejC89PSnWH+4= 
@@ -469,13 +467,13 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= -github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= -github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro= +github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM= github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= -github.com/goccy/go-yaml v1.19.1 h1:3rG3+v8pkhRqoQ/88NYNMHYVGYztCOCIZ7UQhu7H+NE= -github.com/goccy/go-yaml v1.19.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= +github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= +github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/gocsaf/csaf/v3 v3.5.1 h1:jTA1fLrK0/JIczPs7itTD53qANoO4tn2VaGvUeitePc= github.com/gocsaf/csaf/v3 v3.5.1/go.mod h1:pga89lE+iWJm7smTdzYcXuetYUbgY8caXfaIP4BJG98= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= 
@@ -586,12 +584,12 @@ github.com/gookit/color v1.2.5/go.mod h1:AhIE+pS6D4Ql0SQWbBeXPHw7gY0/sjHoA4s/n1KB7xg= github.com/gookit/color v1.6.0 h1:JjJXBTk1ETNyqyilJhkTXJYYigHG24TM9Xa2M1xAhRA= github.com/gookit/color v1.6.0/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs= -github.com/gpustack/gguf-parser-go v0.22.1 h1:FRnEDWqT0Rcplr/R9ctCRSN2+3DhVsf6dnR5/i9JA4E= -github.com/gpustack/gguf-parser-go v0.22.1/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0= +github.com/gpustack/gguf-parser-go v0.23.1 h1:0U7DOrsi7ryx2L/dlMy+BSQ5bJV4AuMEIgGBs4RK46A= +github.com/gpustack/gguf-parser-go v0.23.1/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M= github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b h1:wDUNC2eKiL35DbLvsDhiblTUXHxcOPwQSCzi7xpQUN4= github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b/go.mod h1:VzxiSdG6j1pi7rwGm/xYI5RbtpBgM8sARDXlvEvxlu0= github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.70 h1:0HADrxxqaQkGycO1JoUUA+B4FnIkuo8d2bz/hSaTFFQ= 
@@ -784,8 +782,9 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI= 
@@ -817,8 +816,8 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= -github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww= -github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg= +github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE= github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg= github.com/openvex/go-vex v0.2.7 h1:/pN3bqvS4QOc6WkkL0hbKzJuAtsUD9vmvk9IZkzD3Zc= @@ -872,8 +871,8 @@ github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= -github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= -github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= +github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= 
@@ -995,8 +994,8 @@ github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= -github.com/vbatts/go-mtree v0.6.0 h1:n4r+Tweta4oH0+zWfv77VmfvWXrO69smspK37xvzgMI= -github.com/vbatts/go-mtree v0.6.0/go.mod h1:W7bcG9PCn6lFY+ljGlZxx9DONkxL3v8a7HyN+PrSrjA= +github.com/vbatts/go-mtree v0.7.0 h1:ytmOc3MTRidZiBi9VBCyZ2BHe4fZS47L5v7BVXDWW4E= +github.com/vbatts/go-mtree v0.7.0/go.mod h1:EjdpFC+LZy1TXbRGNa1MKKgjQ+7ew3foMFJK8o4/TdY= github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4= github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA= github.com/vifraa/gopom v1.0.0 h1:L9XlKbyvid8PAIK8nr0lihMApJQg/12OBvMA28BcWh0= 
@@ -1064,10 +1063,10 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 h1:wm/Q0GAAykXv83wzcKzGGqAnnfLFyFe7RslekZuv+VI= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0/go.mod h1:ra3Pa40+oKjvYh+ZD3EdxFZZB0xdMfuileHAm4nNN7w= go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= 
@@ -1079,8 +1078,8 @@ go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= -go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4= +go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= @@ -1104,8 +1103,8 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= -golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= +golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= +golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1146,8 +1145,8 @@ golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI= -golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg= +golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= +golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1193,8 +1192,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= -golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= +golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= +golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1303,13 +1302,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= -golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ= +golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q= -golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg= +golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY= +golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1321,8 +1320,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= -golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= +golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= +golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1384,8 +1383,8 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA= -golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc= +golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= +golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1601,8 +1600,8 @@ modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns= modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w= modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE= -modernc.org/sqlite v1.42.2 h1:7hkZUNJvJFN2PgfUdjni9Kbvd4ef4mNLOu0B9FGxM74= -modernc.org/sqlite v1.42.2/go.mod h1:+VkC6v3pLOAE0A0uVucQEcbVW0I5nHCeDaBf+DpsQT8= +modernc.org/sqlite v1.43.0 h1:8YqiFx3G1VhHTXO2Q00bl1Wz9KhS9Q5okwfp9Y97VnA= +modernc.org/sqlite v1.43.0/go.mod h1:+VkC6v3pLOAE0A0uVucQEcbVW0I5nHCeDaBf+DpsQT8= modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/db/v6/data.go new/grype-0.105.0/grype/db/v6/data.go --- old/grype-0.104.4/grype/db/v6/data.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/grype/db/v6/data.go 2026-01-15 23:20:54.000000000 +0100 
@@ -40,9 +40,9 @@ {Alias: "chainguard", Rolling: true}, // others - {Alias: "arch", Rolling: true}, + {Alias: "archlinux", Rolling: true}, {Alias: "minimos", Rolling: true}, - {Alias: "archlinux", ReplacementName: strRef("arch"), Rolling: true}, // non-standard, but common (dockerhub uses "archlinux") + {Alias: "arch", ReplacementName: strRef("archlinux"), Rolling: true}, // os-release ID=arch, but namespace uses archlinux {Alias: "oracle", ReplacementName: strRef("ol")}, // non-standard, but common {Alias: "oraclelinux", ReplacementName: strRef("ol")}, // non-standard, but common (dockerhub uses "oraclelinux") {Alias: "amazon", ReplacementName: strRef("amzn")}, // non-standard, but common diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/db/v6/operating_system_store_test.go new/grype-0.105.0/grype/db/v6/operating_system_store_test.go --- old/grype-0.104.4/grype/db/v6/operating_system_store_test.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/grype/db/v6/operating_system_store_test.go 2026-01-15 23:20:54.000000000 +0100 
@@ -29,7 +29,7 @@ debianUnstable := &OperatingSystem{Name: "debian", ReleaseID: "debian", LabelVersion: "unstable"} debian7 := &OperatingSystem{Name: "debian", ReleaseID: "debian", MajorVersion: "7", LabelVersion: "wheezy"} wolfi := &OperatingSystem{Name: "wolfi", ReleaseID: "wolfi", MajorVersion: "20230201"} - arch := &OperatingSystem{Name: "arch", ReleaseID: "arch", MajorVersion: "20241110", MinorVersion: "0"} + arch := &OperatingSystem{Name: "archlinux", ReleaseID: "arch", MajorVersion: "20241110", MinorVersion: "0"} oracle5 := &OperatingSystem{Name: "oracle", ReleaseID: "ol", MajorVersion: "5"} oracle6 := &OperatingSystem{Name: "oracle", ReleaseID: "ol", MajorVersion: "6"} amazon2 := &OperatingSystem{Name: "amazon", ReleaseID: "amzn", MajorVersion: "2"} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/distro/distro.go new/grype-0.105.0/grype/distro/distro.go --- old/grype-0.104.4/grype/distro/distro.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/grype/distro/distro.go 2026-01-15 23:20:54.000000000 +0100 @@ -236,16 +236,6 @@ return versionStr } -// Disabled is a way to convey if a Linux distribution is not supported by Grype. -func (d Distro) Disabled() bool { - switch d.Type { - case ArchLinux: - return true - default: - return false - } -} - func nonEmptyStrings(ss ...string) (res []string) { for _, s := range ss { if s != "" { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/match/matcher_type.go new/grype-0.105.0/grype/match/matcher_type.go --- old/grype-0.104.4/grype/match/matcher_type.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/grype/match/matcher_type.go 2026-01-15 23:20:54.000000000 +0100 
@@ -18,6 +18,7 @@ CsafVexMatcher MatcherType = "csafvex-matcher" RustMatcher MatcherType = "rust-matcher" BitnamiMatcher MatcherType = "bitnami-matcher" + PacmanMatcher MatcherType = "pacman-matcher" ) var AllMatcherTypes = []MatcherType{ @@ -36,6 +37,7 @@ CsafVexMatcher, RustMatcher, BitnamiMatcher, + PacmanMatcher, } type MatcherType string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/matcher/matchers.go new/grype-0.105.0/grype/matcher/matchers.go --- old/grype-0.104.4/grype/matcher/matchers.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/grype/matcher/matchers.go 2026-01-15 23:20:54.000000000 +0100 @@ -10,6 +10,7 @@ "github.com/anchore/grype/grype/matcher/java" "github.com/anchore/grype/grype/matcher/javascript" "github.com/anchore/grype/grype/matcher/msrc" + "github.com/anchore/grype/grype/matcher/pacman" "github.com/anchore/grype/grype/matcher/portage" "github.com/anchore/grype/grype/matcher/python" "github.com/anchore/grype/grype/matcher/rpm" @@ -46,5 +47,6 @@ rust.NewRustMatcher(mc.Rust), stock.NewStockMatcher(mc.Stock), &bitnami.Matcher{}, + &pacman.Matcher{}, } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/matcher/pacman/matcher.go new/grype-0.105.0/grype/matcher/pacman/matcher.go --- old/grype-0.104.4/grype/matcher/pacman/matcher.go 1970-01-01 01:00:00.000000000 +0100 +++ new/grype-0.105.0/grype/matcher/pacman/matcher.go 2026-01-15 23:20:54.000000000 +0100 
@@ -0,0 +1,29 @@
+package pacman
+
+import (
+ "fmt"
+
+ "github.com/anchore/grype/grype/match"
+ "github.com/anchore/grype/grype/matcher/internal"
+ "github.com/anchore/grype/grype/pkg"
+ "github.com/anchore/grype/grype/vulnerability"
+ syftPkg "github.com/anchore/syft/syft/pkg"
+)
+
+type Matcher struct{}
+
+func (m *Matcher) PackageTypes() []syftPkg.Type {
+ return []syftPkg.Type{syftPkg.AlpmPkg}
+}
+
+func (m *Matcher) Type() match.MatcherType {
+ return match.PacmanMatcher
+}
+
+func (m *Matcher) Match(store vulnerability.Provider, p pkg.Package) ([]match.Match, []match.IgnoreFilter, error) {
+ matches, ignoreFilters, err := internal.MatchPackageByDistro(store, p, nil, m.Type())
+ if err != nil {
+ return nil, nil, fmt.Errorf("failed to match pacman package: %w", err)
+ }
+ return matches, ignoreFilters, nil
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/matcher/pacman/matcher_test.go new/grype-0.105.0/grype/matcher/pacman/matcher_test.go
--- old/grype-0.104.4/grype/matcher/pacman/matcher_test.go 1970-01-01 01:00:00.000000000 +0100
+++ new/grype-0.105.0/grype/matcher/pacman/matcher_test.go 2026-01-15 23:20:54.000000000 +0100
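Review bot: The exported `Matcher` type and its `PackageTypes`, `Type` and `Match` methods in the new matcher.go have no doc comments, so nothing records that the only lookup `Match` performs is `internal.MatchPackageByDistro`. I would add `// Matcher finds vulnerabilities for ALPM (pacman) packages by distro lookup.` above the type, and a one-line comment on `Match` saying it returns that call's matches and ignore filters unchanged. The wrapped error would also be easier to triage if it named the package, e.g. `fmt.Errorf("matching pacman package %q: %w", p.Name, err)`.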
@@ -0,0 +1,174 @@
+package pacman
+
+import (
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ "github.com/google/go-cmp/cmp/cmpopts"
+ "github.com/google/uuid"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/anchore/grype/grype/distro"
+ "github.com/anchore/grype/grype/match"
+ "github.com/anchore/grype/grype/pkg"
+ "github.com/anchore/grype/grype/version"
+ "github.com/anchore/grype/grype/vulnerability"
+ "github.com/anchore/grype/grype/vulnerability/mock"
+ syftPkg "github.com/anchore/syft/syft/pkg"
+)
+
+func TestMatcherType(t *testing.T) {
+ m := Matcher{}
+ assert.Equal(t, match.PacmanMatcher, m.Type())
+}
+
+func TestMatcherPackageTypes(t *testing.T) {
+ m := Matcher{}
+ assert.Equal(t, []syftPkg.Type{syftPkg.AlpmPkg}, m.PackageTypes())
+}
+
+func TestMatch(t *testing.T) {
+ archVuln := vulnerability.Vulnerability{
+ Reference: vulnerability.Reference{
+ ID: "AVG-1234",
+ Namespace: "arch:distro:archlinux:rolling",
+ },
+ PackageName: "curl",
+ Constraint: version.MustGetConstraint("< 8.5.0-1", version.PacmanFormat),
+ }
+
+ vp := mock.VulnerabilityProvider(archVuln)
+
+ m := Matcher{}
+ d := distro.New(distro.ArchLinux, "", "rolling")
+
+ p := pkg.Package{
+ ID: pkg.ID(uuid.NewString()),
+ Name: "curl",
+ Version: "8.4.0-1",
+ Type: syftPkg.AlpmPkg,
+ Distro: d,
+ }
+
+ expected := []match.Match{
+ {
+ Vulnerability: archVuln,
+ Package: p,
+ Details: []match.Detail{
+ {
+ Type: match.ExactDirectMatch,
+ Confidence: 1.0,
+ SearchedBy: match.DistroParameters{
+ Distro: match.DistroIdentification{
+ Type: d.Type.String(),
+ Version: d.Version,
+ },
+ Package: match.PackageParameter{
+ Name: "curl",
+ Version: "8.4.0-1",
+ },
+ Namespace: "arch:distro:archlinux:rolling",
+ },
+ Found: match.DistroResult{
+ VulnerabilityID: "AVG-1234",
+ VersionConstraint: archVuln.Constraint.String(),
+ },
+ Matcher: match.PacmanMatcher,
+ },
+ },
+ },
+ }
+
+ actual, _, err := m.Match(vp, p)
+ require.NoError(t, err)
+
+ assertMatches(t, expected, actual)
+}
+
+func TestMatchNoVulnerability(t *testing.T) {
+ archVuln := vulnerability.Vulnerability{
+ Reference: vulnerability.Reference{
+ ID: "AVG-1234",
+ Namespace: "arch:distro:archlinux:rolling",
+ },
+ PackageName: "curl",
+ Constraint: version.MustGetConstraint("< 8.0.0-1", version.PacmanFormat),
+ }
+
+ vp := mock.VulnerabilityProvider(archVuln)
+
+ m := Matcher{}
+ d := distro.New(distro.ArchLinux, "", "rolling")
+
+ // Package version is newer than the constraint, should not match
+ p := pkg.Package{
+ ID: pkg.ID(uuid.NewString()),
+ Name: "curl",
+ Version: "8.5.0-1",
+ Type: syftPkg.AlpmPkg,
+ Distro: d,
+ }
+
+ actual, _, err := m.Match(vp, p)
+ require.NoError(t, err)
+ assert.Empty(t, actual)
+}
+
+func TestMatchWithEpoch(t *testing.T) {
+ archVuln := vulnerability.Vulnerability{
+ Reference: vulnerability.Reference{
+ ID: "AVG-5678",
+ Namespace: "arch:distro:archlinux:rolling",
+ },
+ PackageName: "openssl",
+ Constraint: version.MustGetConstraint("< 1:3.0.8-1", version.PacmanFormat),
+ }
+
+ vp := mock.VulnerabilityProvider(archVuln)
+
+ m := Matcher{}
+ d := distro.New(distro.ArchLinux, "", "rolling")
+
+ p := pkg.Package{
+ ID: pkg.ID(uuid.NewString()),
+ Name: "openssl",
+ Version: "1:3.0.7-4",
+ Type: syftPkg.AlpmPkg,
+ Distro: d,
+ }
+
+ actual, _, err := m.Match(vp, p)
+ require.NoError(t, err)
+ require.Len(t, actual, 1)
+ assert.Equal(t, "AVG-5678", actual[0].Vulnerability.ID)
+}
+
+func TestMatchNilDistro(t *testing.T) {
+ m := Matcher{}
+
+ p := pkg.Package{
+ ID: pkg.ID(uuid.NewString()),
+ Name: "curl",
+ Version: "8.4.0-1",
+ Type: syftPkg.AlpmPkg,
+ Distro: nil,
+ }
+
+ actual, _, err := m.Match(mock.VulnerabilityProvider(), p)
+ require.NoError(t, err)
+ assert.Empty(t, actual)
+}
+
+func assertMatches(t *testing.T, expected, actual []match.Match) {
+ t.Helper()
+ opts := []cmp.Option{
+ cmpopts.IgnoreFields(vulnerability.Vulnerability{}, "Constraint"),
+ cmpopts.IgnoreFields(pkg.Package{}, "Locations"),
+ cmpopts.IgnoreUnexported(distro.Distro{}),
+ }
+
+ if diff := cmp.Diff(expected, actual, opts...); diff != "" {
+ t.Errorf("mismatch (-want +got):\n%s", diff)
+ }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/pkg/package.go new/grype-0.105.0/grype/pkg/package.go
--- old/grype-0.104.4/grype/pkg/package.go 2026-01-08 14:18:03.000000000 +0100
+++ new/grype-0.105.0/grype/pkg/package.go 2026-01-15 23:20:54.000000000 +0100
@@ -205,6 +205,7 @@ // sqlite3 vulnerability.db 'select distinct namespace from vulnerability where fix_state in ("wont-fix", "not-fixed") order by namespace;' | cut -d ':' -f 1 | sort | uniq // then removing 'github' var comprehensiveDistros = []distro.Type{ + distro.ArchLinux, distro.Azure, distro.Debian, distro.Mariner,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/pkg/version_format.go new/grype-0.105.0/grype/pkg/version_format.go
--- old/grype-0.104.4/grype/pkg/version_format.go 2026-01-08 14:18:03.000000000 +0100
+++ new/grype-0.105.0/grype/pkg/version_format.go 2026-01-15 23:20:54.000000000 +0100
@@ -27,6 +27,8 @@ return version.PortageFormat case syftPkg.GoModulePkg: return version.GolangFormat + case syftPkg.AlpmPkg: + return version.PacmanFormat } if isJvmPackage(p) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/pkg/version_format_test.go new/grype-0.105.0/grype/pkg/version_format_test.go
--- old/grype-0.104.4/grype/pkg/version_format_test.go 2026-01-08 14:18:03.000000000 +0100
+++ new/grype-0.105.0/grype/pkg/version_format_test.go 2026-01-15 23:20:54.000000000 +0100
@@ -43,6 +43,13 @@ format: version.GemFormat, }, { + name: "alpm (arch linux)", + p: Package{ + Type: syftPkg.AlpmPkg, + }, + format: version.PacmanFormat, + }, + { name: "jvm by metadata", p: Package{ Metadata: JavaVMInstallationMetadata{}, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/version/constraint.go new/grype-0.105.0/grype/version/constraint.go --- old/grype-0.104.4/grype/version/constraint.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/grype/version/constraint.go 2026-01-15 23:20:54.000000000 +0100 @@ -36,6 +36,8 @@ c, err = newKBConstraint(constStr) case PortageFormat: c, err = newGenericConstraint(PortageFormat, constStr) + case PacmanFormat: + c, err = newGenericConstraint(PacmanFormat, constStr) case JVMFormat: c, err = newGenericConstraint(JVMFormat, constStr) case UnknownFormat: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/version/format.go new/grype-0.105.0/grype/version/format.go --- old/grype-0.104.4/grype/version/format.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/grype/version/format.go 2026-01-15 23:20:54.000000000 +0100 @@ -20,6 +20,7 @@ GolangFormat JVMFormat BitnamiFormat + PacmanFormat ) type Format int @@ -38,6 +39,7 @@ "Go", "JVM", "Bitnami", + "Pacman", } var Formats = []Format{ @@ -53,6 +55,7 @@ GolangFormat, JVMFormat, BitnamiFormat, + PacmanFormat, } func ParseFormat(userStr string) Format { 
@@ -82,6 +85,8 @@ return PortageFormat case strings.ToLower(JVMFormat.String()), "jvm", "jre", "jdk", "openjdk", "jep223": return JVMFormat + case strings.ToLower(PacmanFormat.String()), "pacman": + return PacmanFormat } return UnknownFormat } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/version/format_test.go new/grype-0.105.0/grype/version/format_test.go --- old/grype-0.104.4/grype/version/format_test.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/grype/version/format_test.go 2026-01-15 23:20:54.000000000 +0100 @@ -142,6 +142,11 @@ input: "jep223", format: JVMFormat, }, + // PacmanFormat cases + { + input: "pacman", + format: PacmanFormat, + }, // UnknownFormat case { input: "unknown", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/version/pacman_version.go new/grype-0.105.0/grype/version/pacman_version.go --- old/grype-0.104.4/grype/version/pacman_version.go 1970-01-01 01:00:00.000000000 +0100 +++ new/grype-0.105.0/grype/version/pacman_version.go 2026-01-15 23:20:54.000000000 +0100 
@@ -0,0 +1,188 @@
+package version
+
+import (
+ "fmt"
+ "reflect"
+ "strings"
+ "unicode"
+)
+
+var _ Comparator = (*pacmanVersion)(nil)
+
+type pacmanVersion struct {
+ epoch *int
+ version string
+ release string
+}
+
+func newPacmanVersion(raw string) (pacmanVersion, error) {
+ epoch, remainingVersion, err := splitEpochFromVersion(raw)
+ if err != nil {
+ return pacmanVersion{}, err
+ }
+
+ fields := strings.SplitN(remainingVersion, "-", 2)
+ version := fields[0]
+
+ var release string
+ if len(fields) > 1 {
+ // there is a release
+ release = fields[1]
+ }
+
+ return pacmanVersion{
+ epoch: epoch,
+ version: version,
+ release: release,
+ }, nil
+}
+
+func (v pacmanVersion) Compare(other *Version) (int, error) {
+ if other == nil {
+ return -1, ErrNoVersionProvided
+ }
+
+ o, err := newPacmanVersion(other.Raw)
+ if err != nil {
+ return 0, err
+ }
+
+ return v.compare(o), nil
+}
+
+// Compare returns 0 if v == v2, -1 if v < v2, and +1 if v > v2.
+// Pacman uses a similar scheme to RPM: epoch:version-release
+// If epochs are NOT present and explicit in both versions then they are ignored for the comparison.
+func (v pacmanVersion) compare(v2 pacmanVersion) int {
+ if reflect.DeepEqual(v, v2) {
+ return 0
+ }
+
+ // Only compare epochs if both are present and explicit
+ if epochIsPresent(v.epoch) && epochIsPresent(v2.epoch) {
+ epochResult := compareEpochs(*v.epoch, *v2.epoch)
+ if epochResult != 0 {
+ return epochResult
+ }
+ }
+
+ ret := comparePacmanVersions(v.version, v2.version)
+ if ret != 0 {
+ return ret
+ }
+
+ return comparePacmanVersions(v.release, v2.release)
+}
+
+func (v pacmanVersion) String() string {
+ version := ""
+ if v.epoch != nil {
+ version += fmt.Sprintf("%d:", *v.epoch)
+ }
+ version += v.version
+
+ if v.release != "" {
+ version += fmt.Sprintf("-%s", v.release)
+ }
+ return version
+}
+
+// comparePacmanVersions compares two version or release strings without the epoch.
+// Pacman version comparison is similar to RPM, comparing alphanumeric segments.
+// Source: https://wiki.archlinux.org/title/Pacman/Tips_and_tricks#Version_comparison
+// The scheme is based on RPM's algorithm.
+//
+// Note: dupl lint is suppressed because although pacman's vercmp is based on rpm's vercmp,
+// they are not identical and may diverge in the future. We intentionally keep them decoupled.
+//
+//nolint:funlen,gocognit,dupl
+func comparePacmanVersions(a, b string) int {
+ // shortcut for equality
+ if a == b {
+ return 0
+ }
+
+ // get alpha/numeric segments
+ segsa := alphanumPattern.FindAllString(a, -1)
+ segsb := alphanumPattern.FindAllString(b, -1)
+ maxSegs := max(len(segsa), len(segsb))
+ minSegs := min(len(segsa), len(segsb))
+
+ // compare each segment
+ for i := 0; i < minSegs; i++ {
+ a := segsa[i]
+ b := segsb[i]
+
+ // compare tildes
+ if []rune(a)[0] == '~' || []rune(b)[0] == '~' {
+ if []rune(a)[0] != '~' {
+ return 1
+ }
+ if []rune(b)[0] != '~' {
+ return -1
+ }
+ }
+
+ if unicode.IsNumber([]rune(a)[0]) {
+ // numbers are always greater than alphas
+ if !unicode.IsNumber([]rune(b)[0]) {
+ // a is numeric, b is alpha
+ return 1
+ }
+
+ // trim leading zeros
+ a = strings.TrimLeft(a, "0")
+ b = strings.TrimLeft(b, "0")
+
+ // longest string wins without further comparison
+ if len(a) > len(b) {
+ return 1
+ } else if len(b) > len(a) {
+ return -1
+ }
+ } else if unicode.IsNumber([]rune(b)[0]) {
+ // a is alpha, b is numeric
+ return -1
+ }
+
+ // string compare
+ if a < b {
+ return -1
+ } else if a > b {
+ return 1
+ }
+ }
+
+ // segments were all the same but separators must have been different
+ if len(segsa) == len(segsb) {
+ return 0
+ }
+
+ // If there is a tilde in a segment past the min number of segments, find it.
+ if len(segsa) > minSegs && []rune(segsa[minSegs])[0] == '~' {
+ return -1
+ } else if len(segsb) > minSegs && []rune(segsb[minSegs])[0] == '~' {
+ return 1
+ }
+ // are the remaining segments 0s?
+ segaAll0s := true
+ segbAll0s := true
+ for i := minSegs; i < maxSegs; i++ {
+ if i < len(segsa) && segsa[i] != "0" {
+ segaAll0s = false
+ }
+ if i < len(segsb) && segsb[i] != "0" {
+ segbAll0s = false
+ }
+ }
+
+ if segaAll0s && segbAll0s {
+ return 0
+ }
+
+ // whoever has the most segments wins
+ if len(segsa) > len(segsb) {
+ return 1
+ }
+ return -1
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/version/pacman_version_test.go new/grype-0.105.0/grype/version/pacman_version_test.go
--- old/grype-0.104.4/grype/version/pacman_version_test.go 1970-01-01 01:00:00.000000000 +0100
+++ new/grype-0.105.0/grype/version/pacman_version_test.go 2026-01-15 23:20:54.000000000 +0100
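Review bot: The tail of `comparePacmanVersions` (the "whoever has the most segments wins" branch) ranks a version with a trailing alphabetic segment above the same version without it, so `1.0.0alpha` compares greater than `1.0.0`. pacman's vercmp(8) documents the opposite order (`1.0rc < 1.0 < 1.0.a`), so a pre-release build can land on the wrong side of a `< fixed-version` constraint and be reported, or missed, incorrectly. The segment list from `alphanumPattern` drops the separators that vercmp uses to tell `1.0rc` from `1.0.a`, so the fix probably needs that information kept rather than a one-line change. The "alpha vs release" case in pacman_version_test.go pins the current result with `want: 1` and would become `want: -1`. Until then the header comment should list the known differences from vercmp instead of only saying the two "may diverge".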
@@ -0,0 +1,177 @@
+package version
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestPacmanVersionCompare(t *testing.T) {
+ tests := []struct {
+ name string
+ v1 string
+ v2 string
+ want int
+ wantErr bool
+ }{
+ {
+ name: "equal versions",
+ v1: "1.0.0",
+ v2: "1.0.0",
+ want: 0,
+ wantErr: false,
+ },
+ {
+ name: "first greater",
+ v1: "1.0.1",
+ v2: "1.0.0",
+ want: 1,
+ wantErr: false,
+ },
+ {
+ name: "second greater",
+ v1: "1.0.0",
+ v2: "1.0.1",
+ want: -1,
+ wantErr: false,
+ },
+ {
+ name: "with release numbers",
+ v1: "1.0.0-1",
+ v2: "1.0.0-2",
+ want: -1,
+ wantErr: false,
+ },
+ {
+ name: "with release numbers greater",
+ v1: "1.0.0-2",
+ v2: "1.0.0-1",
+ want: 1,
+ wantErr: false,
+ },
+ {
+ name: "complex version",
+ v1: "5.6.0-1",
+ v2: "5.6.0-2",
+ want: -1,
+ wantErr: false,
+ },
+ {
+ name: "alpha vs release",
+ v1: "1.0.0alpha",
+ v2: "1.0.0",
+ want: 1,
+ wantErr: false,
+ },
+ {
+ name: "with epoch",
+ v1: "1:1.0.0",
+ v2: "2:1.0.0",
+ want: -1,
+ wantErr: false,
+ },
+ {
+ name: "epoch takes precedence",
+ v1: "2:1.0.0",
+ v2: "1:2.0.0",
+ want: 1,
+ wantErr: false,
+ },
+ {
+ name: "tilde version",
+ v1: "1.0.0~rc1",
+ v2: "1.0.0",
+ want: -1,
+ wantErr: false,
+ },
+ {
+ name: "leading zeros",
+ v1: "1.0.001",
+ v2: "1.0.1",
+ want: 0,
+ wantErr: false,
+ },
+ {
+ name: "version with plus sign",
+ v1: "0.115+24+g5230646-1",
+ v2: "0.116-1",
+ want: -1,
+ wantErr: false,
+ },
+ {
+ name: "version with git hash suffix",
+ v1: "0.12.8+8+ga957a90b-1",
+ v2: "0.12.8+8+ga957a90b-2",
+ want: -1,
+ wantErr: false,
+ },
+ {
+ name: "real arch versions curl",
+ v1: "8.4.0-1",
+ v2: "8.5.0-1",
+ want: -1,
+ wantErr: false,
+ },
+ {
+ name: "real arch versions openssl with epoch",
+ v1: "1:3.0.7-4",
+ v2: "1:3.0.8-1",
+ want: -1,
+ wantErr: false,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ v1, err := newPacmanVersion(tt.v1)
+ assert.NoError(t, err)
+
+ v2 := New(tt.v2, PacmanFormat)
+ result, err := v1.Compare(v2)
+
+ if tt.wantErr {
+ assert.Error(t, err)
+ } else {
+ assert.NoError(t, err)
+ assert.Equal(t, tt.want, result)
+ }
+ })
+ }
+}
+
+func TestPacmanVersionString(t *testing.T) {
+ tests := []struct {
+ name string
+ raw string
+ want string
+ }{
+ {
+ name: "simple version",
+ raw: "1.0.0",
+ want: "1.0.0",
+ },
+ {
+ name: "with release",
+ raw: "1.0.0-1",
+ want: "1.0.0-1",
+ },
+ {
+ name: "with epoch",
+ raw: "1:1.0.0",
+ want: "1:1.0.0",
+ },
+ {
+ name: "with epoch and release",
+ raw: "1:1.0.0-1",
+ want: "1:1.0.0-1",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ v, err := newPacmanVersion(tt.raw)
+ assert.NoError(t, err)
+ assert.Equal(t, tt.want, v.String())
+ })
+ }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/version/rpm_version.go new/grype-0.105.0/grype/version/rpm_version.go
--- old/grype-0.104.4/grype/version/rpm_version.go 2026-01-08 14:18:03.000000000 +0100
+++ new/grype-0.105.0/grype/version/rpm_version.go 2026-01-15 23:20:54.000000000 +0100
@@ -144,7 +144,7 @@ // https://github.com/rpm-software-management/rpm/blob/master/lib/rpmvercmp.c#L16 var alphanumPattern = regexp.MustCompile("([a-zA-Z]+)|([0-9]+)|(~)") -//nolint:funlen,gocognit +//nolint:funlen,gocognit,dupl // see comparePacmanVersions for why we keep these decoupled func compareRpmVersions(a, b string) int { // shortcut for equality if a == b {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/grype/version/version.go new/grype-0.105.0/grype/version/version.go
--- old/grype-0.104.4/grype/version/version.go 2026-01-08 14:18:03.000000000 +0100
+++ new/grype-0.105.0/grype/version/version.go 2026-01-15 23:20:54.000000000 +0100
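Review bot: No case in `TestPacmanVersionCompare` compares a version that carries an epoch with one that does not; both epoch cases ("with epoch", "epoch takes precedence") set it on both sides. According to its comment in pacman_version.go, `compare` ignores epochs unless both are explicit, so `1:1.0.0` against `2.0.0` is decided by the version field alone, whereas pacman treats a missing epoch as 0. I would add a case such as `{name: "epoch on one side only", v1: "1:1.0.0", v2: "2.0.0", want: ...}` (constructed example) with the intended result written down. If the lenient rule is deliberate, the comment on `compare` should say why, because it decides whether an epoch-less installed version matches an epoch-qualified fix constraint.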
@@ -62,6 +62,8 @@ comparator = newPortageVersion(v.Raw) case JVMFormat: comparator, err = newJvmVersion(v.Raw) + case PacmanFormat: + comparator, err = newPacmanVersion(v.Raw) case UnknownFormat: comparator, err = newFuzzyVersion(v.Raw) default: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/test/integration/db_mock_test.go new/grype-0.105.0/test/integration/db_mock_test.go --- old/grype-0.104.4/test/integration/db_mock_test.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/test/integration/db_mock_test.go 2026-01-15 23:20:54.000000000 +0100 @@ -220,5 +220,13 @@ PackageName: "dive", Constraint: version.MustGetConstraint("<= 1.0.42", version.RpmFormat), }, + { + Reference: vulnerability.Reference{ + ID: "CVE-arch-xz-backdoor", + Namespace: "arch:distro:arch:rolling", + }, + PackageName: "xz", + Constraint: version.MustGetConstraint("< 5.6.1-2", version.PacmanFormat), + }, }...) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/test/integration/match_by_image_test.go new/grype-0.105.0/test/integration/match_by_image_test.go --- old/grype-0.104.4/test/integration/match_by_image_test.go 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/test/integration/match_by_image_test.go 2026-01-15 23:20:54.000000000 +0100 
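Review bot: The mock record added in db_mock_test.go uses the namespace `arch:distro:arch:rolling`, while the data.go hunk in this commit makes `archlinux` the canonical name (its comment says the namespace uses archlinux) and matcher_test.go uses `arch:distro:archlinux:rolling`. The same `arch` spelling is repeated in `addArchMatches` in match_by_image_test.go, in `byNamespace(...)` and in the expected `Namespace` field. If real databases carry the `archlinux` form, which is not visible from this diff, the integration test exercises a namespace production never sees and a regression in the alias mapping would go unnoticed. I would change these to `"arch:distro:archlinux:rolling"` or add a comment explaining why the mock differs. The slice literal this record belongs to starts outside the hunk.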
@@ -536,6 +536,46 @@ }) } +func addArchMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Collection, provider vulnerability.Provider, theResult *match.Matches) { + packages := catalog.PackagesByPath("/var/lib/pacman/local/xz-5.2.4-1/desc") + if len(packages) != 1 { + t.Logf("Arch Packages: %+v", packages) + t.Fatalf("problem with upstream syft cataloger (pacman)") + } + thePkg := pkg.New(packages[0]) + vulns, err := provider.FindVulnerabilities(byNamespace("arch:distro:arch:rolling"), search.ByPackageName(thePkg.Name)) + require.NoError(t, err) + require.NotEmpty(t, vulns) + vulnObj := vulns[0] + + theResult.Add(match.Match{ + Vulnerability: vulnObj, + Package: thePkg, + Details: []match.Detail{ + { + Type: match.ExactDirectMatch, + Confidence: 1.0, + SearchedBy: match.DistroParameters{ + Distro: match.DistroIdentification{ + Type: "archlinux", + Version: "", + }, + Namespace: "arch:distro:arch:rolling", + Package: match.PackageParameter{ + Name: "xz", + Version: "5.2.4-1", + }, + }, + Found: match.DistroResult{ + VersionConstraint: "< 5.6.1-2 (pacman)", + VulnerabilityID: vulnObj.ID, + }, + Matcher: match.PacmanMatcher, + }, + }, + }) +} + func addHaskellMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Collection, provider vulnerability.Provider, theResult *match.Matches) { packages := catalog.PackagesByPath("/haskell/stack.yaml") if len(packages) < 1 { 
@@ -710,6 +750,14 @@ return expectedMatches }, }, + { + name: "image-arch-match-coverage", + expectedFn: func(theSource source.Source, catalog *syftPkg.Collection, provider vulnerability.Provider) match.Matches { + expectedMatches := match.NewMatches() + addArchMatches(t, theSource, catalog, provider, &expectedMatches) + return expectedMatches + }, + }, // TODO: add this back in when #744 is fully implemented (see https://github.com/anchore/grype/issues/744#issuecomment-2448163737) //{ // name: "image-portage-match-coverage", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.104.4/test/quality/test-db new/grype-0.105.0/test/quality/test-db --- old/grype-0.104.4/test/quality/test-db 2026-01-08 14:18:03.000000000 +0100 +++ new/grype-0.105.0/test/quality/test-db 2026-01-15 23:20:54.000000000 +0100 @@ -1 +1 @@ -vulnerability-db_v6.1.3_2025-11-27T00:25:44Z_1764228132.tar.zst +vulnerability-db_v6.1.3_2026-01-01T00:29:57Z_1767255600.tar.zst ++++++ grype.obsinfo ++++++ --- /var/tmp/diff_new_pack.CRoeSK/_old 2026-01-17 14:54:20.674159715 +0100 +++ /var/tmp/diff_new_pack.CRoeSK/_new 2026-01-17 14:54:20.678159881 +0100 @@ -1,5 +1,5 @@ name: grype -version: 0.104.4 -mtime: 1767878283 -commit: d755edde29f4139371a8d01466464960d13d7dac +version: 0.105.0 +mtime: 1768515654 +commit: 32e7c0d3561dcca0cc4b000a850f681e5fb79a27 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/grype/vendor.tar.gz /work/SRC/openSUSE:Factory/.grype.new.1928/vendor.tar.gz differ: char 14, line 1
