Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package syft for openSUSE:Factory checked in at 2026-01-30 18:26:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/syft (Old) and /work/SRC/openSUSE:Factory/.syft.new.1995 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "syft" Fri Jan 30 18:26:10 2026 rev:116 rq:1329957 version:1.41.1 Changes: --------
--- /work/SRC/openSUSE:Factory/syft/syft.changes 2026-01-28 15:11:06.995901298 +0100
+++ /work/SRC/openSUSE:Factory/.syft.new.1995/syft.changes 2026-01-30 18:26:32.428265606 +0100
@@ -1,0 +2,10 @@
+Fri Jan 30 06:21:02 UTC 2026 - Johannes Kastl <[email protected]>
+
+- Update to version 1.41.1:
+  * Bug Fixes
+    - [Bug Report] Missing some dependencies on cyclonedx formatted
+      SBOM using syft [#4562 #4573 @spiffcs]
+  * Dependencies
+    - chore(deps): update tools to latest versions (#4577)
+
+-------------------------------------------------------------------
Old: ---- syft-1.41.0.obscpio New: ---- syft-1.41.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ syft.spec ++++++
--- /var/tmp/diff_new_pack.vBeuFH/_old 2026-01-30 18:26:34.880368549 +0100
+++ /var/tmp/diff_new_pack.vBeuFH/_new 2026-01-30 18:26:34.884368717 +0100
@@ -17,7 +17,7 @@ Name: syft -Version: 1.41.0 +Version: 1.41.1 Release: 0 Summary: CLI tool and library for generating a Software Bill of Materials License: Apache-2.0 ++++++ _service ++++++
--- /var/tmp/diff_new_pack.vBeuFH/_old 2026-01-30 18:26:34.948371404 +0100
+++ /var/tmp/diff_new_pack.vBeuFH/_new 2026-01-30 18:26:34.952371572 +0100
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/anchore/syft</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v1.41.0</param>
+    <param name="revision">v1.41.1</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.vBeuFH/_old 2026-01-30 18:26:34.980372748 +0100
+++ /var/tmp/diff_new_pack.vBeuFH/_new 2026-01-30 18:26:34.984372916 +0100
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/syft</param> - <param name="changesrevision">e8b4527bfbb7780cd70f2541fce4dca58803fb53</param></service></servicedata> + <param name="changesrevision">8d836fb8b0b80f1702c9d1c57a8655307ac85b14</param></service></servicedata> (No newline at EOF)
++++++ syft-1.41.0.obscpio -> syft-1.41.1.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.41.0/.binny.yaml new/syft-1.41.1/.binny.yaml
--- old/syft-1.41.0/.binny.yaml 2026-01-27 11:14:26.000000000 +0100
+++ new/syft-1.41.1/.binny.yaml 2026-01-27 21:18:18.000000000 +0100
@@ -90,7 +90,7 @@
 # used for running all local and CI tasks
 - name: task
   version:
-    want: v3.47.0
+    want: v3.48.0
   method: github-release
   with:
     repo: go-task/task
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.41.0/syft/pkg/cataloger/python/cataloger_test.go new/syft-1.41.1/syft/pkg/cataloger/python/cataloger_test.go
--- old/syft-1.41.0/syft/pkg/cataloger/python/cataloger_test.go 2026-01-27 11:14:26.000000000 +0100
+++ new/syft-1.41.1/syft/pkg/cataloger/python/cataloger_test.go 2026-01-27 21:18:18.000000000 +0100
@@ -635,6 +635,7 @@
 			"jinja2 @ 3.1.4 (.) [dependency-of] fastapi @ 0.111.0 (.)",
 			"jinja2 @ 3.1.4 (.) [dependency-of] starlette @ 0.37.2 (.)",
 			"markdown-it-py @ 3.0.0 (.) [dependency-of] rich @ 13.7.1 (.)",
+			"markupsafe @ 2.1.5 (.) [dependency-of] jinja2 @ 3.1.4 (.)", // MarkupSafe (mixed case) -> markupsafe
 			"mdurl @ 0.1.2 (.) [dependency-of] markdown-it-py @ 3.0.0 (.)",
 			"orjson @ 3.10.3 (.) [dependency-of] fastapi @ 0.111.0 (.)",
 			"pydantic @ 2.7.1 (.) [dependency-of] fastapi @ 0.111.0 (.)",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.41.0/syft/pkg/cataloger/python/dependency.go new/syft-1.41.1/syft/pkg/cataloger/python/dependency.go
--- old/syft-1.41.0/syft/pkg/cataloger/python/dependency.go 2026-01-27 11:14:26.000000000 +0100
+++ new/syft-1.41.1/syft/pkg/cataloger/python/dependency.go 2026-01-27 21:18:18.000000000 +0100
@@ -74,8 +74,10 @@
 }
 
 func packageRef(name, extra string) string {
-	cleanExtra := strings.TrimSpace(extra)
-	cleanName := strings.TrimSpace(name)
+	// normalize both package name and extra to ensure case-insensitive matching per Python packaging spec
+	// https://packaging.python.org/en/latest/specifications/name-normalization/
+	cleanName := normalize(strings.TrimSpace(name))
+	cleanExtra := normalize(strings.TrimSpace(extra))
 	if cleanExtra == "" {
 		return cleanName
 	}
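Review bot: The `if cleanExtra == ""` check right after the changed lines now tests the output of `normalize`, so the empty-extra branch silently depends on that helper returning "" for blank input; `normalize` is defined outside this hunk, so I'd confirm it and pin it with a packageRef test row rather than leave it implicit. The same normalization also has to be applied where the Provides strings are built from the lock file's package names — this hunk only normalizes the Requires side, and a mixed-case `[[package]] name` would presumably still leave the edge unmatched and the dependency absent from the SBOM, which is the symptom the commit fixes; the new `case-sensitivity/poetry.lock` fixture in dependency_test.go only uses mixed case on the dependency side (`Django = ">=4.2,<6.0"`), so it would not catch that. I'd also turn the two inline comments into a doc comment on the function, e.g. `// packageRef builds the "name[extra]" key used to match a requirement to the package that provides it; both parts are trimmed and normalized per the PyPA name-normalization rules so mixed-case or underscore spellings still match.` The body of packageRef continues past the end of the hunk.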
@@ -181,6 +181,30 @@
 				},
 			},
 		},
+		{
+			name: "dependency names with mixed case should be normalized",
+			p: pkg.Package{
+				Name: "dj-rest-auth",
+				Metadata: pkg.PythonPoetryLockEntry{
+					Dependencies: []pkg.PythonPoetryLockDependencyEntry{
+						{
+							Name:    "Django", // note: capital D
+							Version: ">=4.2,<6.0",
+						},
+						{
+							Name:    "djangorestframework",
+							Version: ">=3.13.0",
+						},
+					},
+				},
+			},
+			want: dependency.Specification{
+				ProvidesRequires: dependency.ProvidesRequires{
+					Provides: []string{"dj-rest-auth"},
+					Requires: []string{"django", "djangorestframework"}, // "Django" should be normalized to "django"
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -196,6 +220,38 @@
 		want    []dependency.Specification
 	}{
 		{
+			name:    "case-insensitive dependency resolution",
+			fixture: "test-fixtures/poetry/case-sensitivity/poetry.lock",
+			want: []dependency.Specification{
+				// packages are in the order they appear in the lock file
+				{
+					ProvidesRequires: dependency.ProvidesRequires{
+						Provides: []string{"django"},
+						Requires: []string{"asgiref", "sqlparse"},
+					},
+				},
+				{
+					ProvidesRequires: dependency.ProvidesRequires{
+						Provides: []string{"djangorestframework"},
+						Requires: []string{"django"},
+					},
+				},
+				{
+					// dj-rest-auth depends on Django (capital D) which should resolve to django
+					ProvidesRequires: dependency.ProvidesRequires{
+						Provides: []string{"dj-rest-auth"},
+						Requires: []string{"django", "djangorestframework"}, // Django normalized to django
+					},
+					Variants: []dependency.ProvidesRequires{
+						{
+							Provides: []string{"dj-rest-auth[with-social]"},
+							Requires: []string{"django-allauth"},
+						},
+					},
+				},
+			},
+		},
+		{
 			name:    "simple dependencies with extras",
 			fixture: "test-fixtures/poetry/simple-deps/poetry.lock",
 			want: []dependency.Specification{
@@ -275,6 +331,64 @@
 		})
 	}
 }
+
+// Test_packageRef verifies that package references are normalized according to
+// the Python Packaging specification for names and extras:
+// https://packaging.python.org/en/latest/specifications/name-normalization/
+func Test_packageRef(t *testing.T) {
+	tests := []struct {
+		name  string
+		pkg   string
+		extra string
+		want  string
+	}{
+		{
+			name: "simple package name",
+			pkg:  "requests",
+			want: "requests",
+		},
+		{
+			name:  "package with extra",
+			pkg:   "requests",
+			extra: "security",
+			want:  "requests[security]",
+		},
+		{
+			name: "package name with mixed case",
+			pkg:  "Django",
+			want: "django",
+		},
+		{
+			name: "package name with underscores",
+			pkg:  "some_package",
+			want: "some-package",
+		},
+		{
+			name:  "package name with mixed case and extra",
+			pkg:   "Django",
+			extra: "argon2",
+			want:  "django[argon2]",
+		},
+		{
+			name:  "extra with mixed case",
+			pkg:   "package",
+			extra: "Security",
+			want:  "package[security]",
+		},
+		{
+			name:  "both with mixed case and separators",
+			pkg:   "Some_Package",
+			extra: "Dev_Extra",
+			want:  "some-package[dev-extra]",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := packageRef(tt.pkg, tt.extra)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
 
 func Test_extractPackageName(t *testing.T) {
 	tests := []struct {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.41.0/syft/pkg/cataloger/python/test-fixtures/poetry/case-sensitivity/poetry.lock new/syft-1.41.1/syft/pkg/cataloger/python/test-fixtures/poetry/case-sensitivity/poetry.lock
--- old/syft-1.41.0/syft/pkg/cataloger/python/test-fixtures/poetry/case-sensitivity/poetry.lock 1970-01-01 01:00:00.000000000 +0100
+++ new/syft-1.41.1/syft/pkg/cataloger/python/test-fixtures/poetry/case-sensitivity/poetry.lock 2026-01-27 21:18:18.000000000 +0100
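Review bot: Test_packageRef only reaches the empty-extra branch of packageRef through the zero-value `extra` of the rows that omit it, and no row exercises the `strings.TrimSpace` calls, so whitespace handling — the one behavior the function has beyond calling normalize — goes untested. I'd add `{name: "whitespace-only extra is dropped", pkg: " requests ", extra: "  ", want: "requests"},` and `{name: "extra with surrounding spaces", pkg: "requests", extra: " Security ", want: "requests[security]"},` so that a later change to normalize that stops mapping blank input to "" is caught here. The header comment on the test is a good addition and could also state that extras follow the same normalization rule as names, since that is the assumption the `Dev_Extra` row encodes.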
@@ -0,0 +1,55 @@
+# This file is automatically @generated by Poetry and should not be edited manually.
+
+[[package]]
+name = "django"
+version = "5.2.6"
+description = "A high-level Python web framework"
+optional = false
+python-versions = ">=3.10"
+groups = ["main"]
+files = [
+    {file = "Django-5.2.6-py3-none-any.whl", hash = "sha256:example1"},
+    {file = "django-5.2.6.tar.gz", hash = "sha256:example2"},
+]
+
+[package.dependencies]
+asgiref = ">=3.8.1,<4"
+sqlparse = ">=0.3.1"
+
+[[package]]
+name = "djangorestframework"
+version = "3.16.1"
+description = "Web APIs for Django, made easy."
+optional = false
+python-versions = ">=3.9"
+groups = ["main"]
+files = [
+    {file = "djangorestframework-3.16.1-py3-none-any.whl", hash = "sha256:example3"},
+    {file = "djangorestframework-3.16.1.tar.gz", hash = "sha256:example4"},
+]
+
+[package.dependencies]
+django = ">=4.2"
+
+[[package]]
+name = "dj-rest-auth"
+version = "7.0.1"
+description = "Authentication and Registration in Django Rest Framework"
+optional = false
+python-versions = ">=3.8"
+groups = ["main"]
+files = [
+    {file = "dj-rest-auth-7.0.1.tar.gz", hash = "sha256:3f8c744cbcf05355ff4bcbef0c8a63645da38e29a0fdef3c3332d4aced52fb90"},
+]
+
+[package.dependencies]
+Django = ">=4.2,<6.0"
+djangorestframework = ">=3.13.0"
+
+[package.extras]
+with-social = ["django-allauth[socialaccount] (>=64.0.0)"]
+
+[metadata]
+lock-version = "2.1"
+python-versions = "^3.10"
+content-hash = "example"
++++++ syft.obsinfo ++++++
--- /var/tmp/diff_new_pack.vBeuFH/_old 2026-01-30 18:26:39.336555630 +0100
+++ /var/tmp/diff_new_pack.vBeuFH/_new 2026-01-30 18:26:39.340555798 +0100
@@ -1,5 +1,5 @@ name: syft -version: 1.41.0 -mtime: 1769508866 -commit: e8b4527bfbb7780cd70f2541fce4dca58803fb53 +version: 1.41.1 +mtime: 1769545098 +commit: 8d836fb8b0b80f1702c9d1c57a8655307ac85b14 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/syft/vendor.tar.gz /work/SRC/openSUSE:Factory/.syft.new.1995/vendor.tar.gz differ: char 134, line 1
