Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grype for openSUSE:Factory checked in at 2026-02-04 21:07:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grype (Old) and /work/SRC/openSUSE:Factory/.grype.new.1670 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grype" Wed Feb 4 21:07:34 2026 rev:114 rq:1330857 version:0.107.1 Changes: --------
--- /work/SRC/openSUSE:Factory/grype/grype.changes 2026-01-30 18:23:57.893759150 +0100
+++ /work/SRC/openSUSE:Factory/.grype.new.1670/grype.changes 2026-02-04 21:07:54.817163902 +0100
@@ -1,0 +2,10 @@
+Wed Feb 04 06:03:29 UTC 2026 - Johannes Kastl <[email protected]>
+
+- Update to version 0.107.1:
+ * Additional Changes
+ - support context cancellation while finding vuln matches
+ [#3200 @luhring]
+ * Dependencies
+ - chore(deps): update anchore dependencies (#3203)
+
+-------------------------------------------------------------------
Old: ---- grype-0.107.0.obscpio New: ---- grype-0.107.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ grype.spec ++++++
--- /var/tmp/diff_new_pack.Rm6Mtx/_old 2026-02-04 21:08:00.181388553 +0100
+++ /var/tmp/diff_new_pack.Rm6Mtx/_new 2026-02-04 21:08:00.197389222 +0100
@@ -17,7 +17,7 @@
 Name: grype
-Version: 0.107.0
+Version: 0.107.1
 Release: 0
 Summary: A vulnerability scanner for container images and filesystems
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.Rm6Mtx/_old 2026-02-04 21:08:00.405397934 +0100
+++ /var/tmp/diff_new_pack.Rm6Mtx/_new 2026-02-04 21:08:00.425398772 +0100
@@ -3,7 +3,7 @@
 <param name="url">https://github.com/anchore/grype</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param>
- <param name="revision">v0.107.0</param>
+ <param name="revision">v0.107.1</param>
 <param name="match-tag">v*</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="versionrewrite-pattern">v(.*)</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.Rm6Mtx/_old 2026-02-04 21:08:00.561404467 +0100
+++ /var/tmp/diff_new_pack.Rm6Mtx/_new 2026-02-04 21:08:00.605406310 +0100
@@ -1,6 +1,6 @@
 <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/grype</param>
- <param name="changesrevision">3e8647396b9b201136afe07a30b98cd5850dcc64</param></service></servicedata>
+ <param name="changesrevision">c6a67581ab4e7aa494351b919326ad6606af3010</param></service></servicedata>
(No newline at EOF)
++++++ grype-0.107.0.obscpio -> grype-0.107.1.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.107.0/cmd/grype/cli/commands/root.go new/grype-0.107.1/cmd/grype/cli/commands/root.go
--- old/grype-0.107.0/cmd/grype/cli/commands/root.go 2026-01-29 22:30:09.000000000 +0100
+++ new/grype-0.107.1/cmd/grype/cli/commands/root.go 2026-02-03 19:42:03.000000000 +0100
@@ -1,6 +1,7 @@
 package commands
 import (
+ "context"
 "errors"
 "fmt"
 "strings"
@@ -81,12 +82,12 @@
 Args: validateRootArgs,
 SilenceUsage: true,
 SilenceErrors: true,
- RunE: func(_ *cobra.Command, args []string) error {
+ RunE: func(cmd *cobra.Command, args []string) error {
 userInput := ""
 if len(args) > 0 {
 userInput = args[0]
 }
- return runGrype(app, opts, userInput)
+ return runGrype(cmd.Context(), app, opts, userInput)
 },
 ValidArgsFunction: dockerImageValidArgsFunction,
 }, opts)
@@ -114,7 +115,7 @@
 }
 //nolint:funlen
-func runGrype(app clio.Application, opts *options.Grype, userInput string) (errs error) {
+func runGrype(ctx context.Context, app clio.Application, opts *options.Grype, userInput string) (errs error) {
 writer, err := format.MakeScanResultWriter(opts.Outputs, opts.File, format.PresentationConfig{
 TemplateFilePath: opts.OutputTemplateFile,
 ShowSuppressed: opts.ShowSuppressed,
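Review bot: In the `RunE` closure, `cmd.Context()` is only cancellable if the command was executed with a context tied to signal handling (for example via `ExecuteContext`); otherwise cobra supplies a background context, and nothing in these hunks shows that wiring. If the application framework does not pass such a context, the new `ctx.Err()` check in the matcher can never fire from the CLI. It is worth confirming this and recording it above the call, e.g. `// cmd.Context() is expected to be cancelled on interrupt by the app framework`. The `runGrype` hunks here and at `@@ -228,7 +229,7 @@` show ctx reaching only `FindMatchesContext`; the rest of the function is outside the hunks.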
@@ -228,7 +229,7 @@
 VexProcessor: vexProcessor,
 }
- remainingMatches, ignoredMatches, err := vulnMatcher.FindMatches(packages, pkgContext)
+ remainingMatches, ignoredMatches, err := vulnMatcher.FindMatchesContext(ctx, packages, pkgContext)
 if err != nil {
 if !errors.Is(err, grypeerr.ErrAboveSeverityThreshold) {
 return err
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.107.0/go.mod new/grype-0.107.1/go.mod
--- old/grype-0.107.0/go.mod 2026-01-29 22:30:09.000000000 +0100
+++ new/grype-0.107.1/go.mod 2026-02-03 19:42:03.000000000 +0100
@@ -18,7 +18,7 @@
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115
 github.com/anchore/stereoscope v0.1.19
- github.com/anchore/syft v1.41.1
+ github.com/anchore/syft v1.41.2
 github.com/aquasecurity/go-pep440-version v0.0.1
 github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 github.com/bitnami/go-version v0.0.0-20250505154626-452e8c5ee607
@@ -339,5 +339,5 @@
 modernc.org/libc v1.67.6 // indirect
 modernc.org/mathutil v1.7.1 // indirect
 modernc.org/memory v1.11.0 // indirect
- modernc.org/sqlite v1.44.1 // indirect
+ modernc.org/sqlite v1.44.3 // indirect
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.107.0/go.sum new/grype-0.107.1/go.sum
--- old/grype-0.107.0/go.sum 2026-01-29 22:30:09.000000000 +0100
+++ new/grype-0.107.1/go.sum 2026-02-03 19:42:03.000000000 +0100
@@ -158,8 +158,8 @@
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
 github.com/anchore/stereoscope v0.1.19 h1:1G5LVmRN1Sz6qNezpVAEeN7QfWwCE9zw9TJK1ZGnkvw=
 github.com/anchore/stereoscope v0.1.19/go.mod h1:+laNHlk05xA2YqgEzq8mxkFzclL3NRdeNIsiQQVeZZ4=
-github.com/anchore/syft v1.41.1 h1:lUoEi/ICCSe8eqDmwwG7Kw6brVT20Ap5OmiqWlmddAg=
-github.com/anchore/syft v1.41.1/go.mod h1:vrE06rTzgwrHB3T7fh83S/M555rpxy/olUG5c+oVcoU=
+github.com/anchore/syft v1.41.2 h1:mC2l3P8dUvBdz+97ZNcKD410s8vGFGFXdZa+neaQEb8=
+github.com/anchore/syft v1.41.2/go.mod h1:j8SaTiPQzSxElS0MWw3ML2m2EK4av/7Vm4q8WpwUmYw=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
@@ -1602,8 +1602,8 @@
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.44.1 h1:qybx/rNpfQipX/t47OxbHmkkJuv2JWifCMH8SVUiDas=
-modernc.org/sqlite v1.44.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
+modernc.org/sqlite v1.44.3 h1:+39JvV/HWMcYslAwRxHb8067w+2zowvFOUrOWIy9PjY=
+modernc.org/sqlite v1.44.3/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.107.0/grype/vulnerability_matcher.go new/grype-0.107.1/grype/vulnerability_matcher.go
--- old/grype-0.107.0/grype/vulnerability_matcher.go 2026-01-29 22:30:09.000000000 +0100
+++ new/grype-0.107.1/grype/vulnerability_matcher.go 2026-02-03 19:42:03.000000000 +0100
@@ -1,6 +1,7 @@
 package grype
 import (
+ "context"
 "errors"
 "fmt"
 "runtime/debug"
@@ -69,11 +70,27 @@
 return m.eolDistroPackages
 }
-func (m *VulnerabilityMatcher) FindMatches(pkgs []pkg.Package, context pkg.Context) (remainingMatches *match.Matches, ignoredMatches []match.IgnoredMatch, err error) {
+// FindMatches finds vulnerabilities for the given packages and package context.
+// FindMatches does not support context cancellation; for that, use
+// FindMatchesContext.
+func (m *VulnerabilityMatcher) FindMatches(
+ pkgs []pkg.Package,
+ pkgContext pkg.Context,
+) (remainingMatches *match.Matches, ignoredMatches []match.IgnoredMatch, err error) {
+ return m.FindMatchesContext(context.Background(), pkgs, pkgContext)
+}
+
+// FindMatchesContext finds vulnerabilities for the given packages and package
+// context, and supports context cancellation.
+func (m *VulnerabilityMatcher) FindMatchesContext(
+ ctx context.Context,
+ pkgs []pkg.Package,
+ pkgContext pkg.Context,
+) (remainingMatches *match.Matches, ignoredMatches []match.IgnoredMatch, err error) {
 progressMonitor := trackMatcher(len(pkgs))
- // capture distro detection failure from context for alerting
- m.distroDetectionFailed = context.DistroDetectionFailed
+ // capture distro detection failure from pkgContext for alerting
+ m.distroDetectionFailed = pkgContext.DistroDetectionFailed
 if m.distroDetectionFailed {
 log.Warn("distro detection failed: linux release info was present but distro type could not be determined")
 }
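Review bot: The doc comment on `FindMatchesContext` says cancellation is supported but not which stages honour it or what a caller gets back when ctx is cancelled. In the later hunks ctx is passed to `findDBMatches` only, while `findVEXMatches` still takes just `pkgContext`, so the VEX stage does not appear to be interruptible. I would extend the comment to state that cancellation is observed during database matching, that the returned error is expected to satisfy `errors.Is(err, context.Canceled)` or `context.DeadlineExceeded`, and that any matches returned alongside such an error must be treated as incomplete. The function body continues outside this hunk.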
@@ -86,13 +103,13 @@
 }
 }()
- remainingMatches, ignoredMatches, err = m.findDBMatches(pkgs, progressMonitor)
+ remainingMatches, ignoredMatches, err = m.findDBMatches(ctx, pkgs, progressMonitor)
 if err != nil {
 err = fmt.Errorf("unable to find matches against vulnerability database: %w", err)
 return remainingMatches, ignoredMatches, err
 }
- remainingMatches, ignoredMatches, err = m.findVEXMatches(context, remainingMatches, ignoredMatches, progressMonitor)
+ remainingMatches, ignoredMatches, err = m.findVEXMatches(pkgContext, remainingMatches, ignoredMatches, progressMonitor)
 if err != nil {
 err = fmt.Errorf("unable to find matches against VEX sources: %w", err)
 return remainingMatches, ignoredMatches, err
@@ -110,11 +127,11 @@
 return remainingMatches, ignoredMatches, nil
 }
-func (m *VulnerabilityMatcher) findDBMatches(pkgs []pkg.Package, progressMonitor *monitorWriter) (*match.Matches, []match.IgnoredMatch, error) {
+func (m *VulnerabilityMatcher) findDBMatches(ctx context.Context, pkgs []pkg.Package, progressMonitor *monitorWriter) (*match.Matches, []match.IgnoredMatch, error) {
 var ignoredMatches []match.IgnoredMatch
 log.Trace("finding matches against DB")
- matches, err := m.searchDBForMatches(pkgs, progressMonitor)
+ matches, err := m.searchDBForMatches(ctx, pkgs, progressMonitor)
 if err != nil {
 if match.IsFatalError(err) {
 return nil, nil, err
@@ -160,6 +177,7 @@
 //nolint:funlen
 func (m *VulnerabilityMatcher) searchDBForMatches(
+ ctx context.Context,
 packages []pkg.Package,
 progressMonitor *monitorWriter,
 ) (match.Matches, error) {
@@ -213,6 +231,10 @@
 matchAgainst = []match.Matcher{defaultMatcher}
 }
 for _, theMatcher := range matchAgainst {
+ if err := ctx.Err(); err != nil {
+ return match.Matches{}, err
+ }
+
 matches, ignorers, err := callMatcherSafely(theMatcher, m.VulnerabilityProvider, p)
 if err != nil {
 if match.IsFatalError(err) {
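Review bot: A cancellation error from `searchDBForMatches` may be dropped in `findDBMatches`: the only branch visible in the `@@ -110,11 +127,11 @@` hunk returns when `match.IsFatalError(err)` is true, and the value the new loop check returns is a plain `ctx.Err()`. The rest of the `if err != nil` block is outside the hunk, so this is inferred, but if non-fatal errors are only logged there, a cancelled scan would carry on with the empty `match.Matches{}` and could be reported as a run with no findings. An interrupted vulnerability scan should fail closed, so I would add `if ctxErr := ctx.Err(); ctxErr != nil { return nil, nil, ctxErr }` ahead of the fatal-error check. A test that cancels ctx before calling `FindMatchesContext` and asserts a non-nil error would pin this down.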
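Review bot: In the `@@ -213,6 +231,10 @@` hunk the `ctx.Err()` check runs only between matcher calls, and `callMatcherSafely(theMatcher, m.VulnerabilityProvider, p)` is not given ctx, so a matcher or provider query that is already running still completes after cancellation. Cancellation latency is therefore bounded by the slowest single call rather than by the deadline, which matters when callers rely on a timeout to bound scan time. A comment above the check such as `// cancellation is checked once per matcher; a running matcher is not interrupted` would document the limit. The loop and its enclosing function continue outside the hunk.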
@@ -265,14 +287,14 @@
 return m.Match(vp, p)
 }
-func (m *VulnerabilityMatcher) findVEXMatches(context pkg.Context, remainingMatches *match.Matches, ignoredMatches []match.IgnoredMatch, progressMonitor *monitorWriter) (*match.Matches, []match.IgnoredMatch, error) {
+func (m *VulnerabilityMatcher) findVEXMatches(pkgContext pkg.Context, remainingMatches *match.Matches, ignoredMatches []match.IgnoredMatch, progressMonitor *monitorWriter) (*match.Matches, []match.IgnoredMatch, error) {
 if m.VexProcessor == nil {
 log.Trace("no VEX documents provided, skipping VEX matching")
 return remainingMatches, ignoredMatches, nil
 }
 log.Trace("finding matches against available VEX documents")
- matchesAfterVex, ignoredMatchesAfterVex, err := m.VexProcessor.ApplyVEX(&context, remainingMatches, ignoredMatches)
+ matchesAfterVex, ignoredMatchesAfterVex, err := m.VexProcessor.ApplyVEX(&pkgContext, remainingMatches, ignoredMatches)
 if err != nil {
 return nil, nil, fmt.Errorf("unable to find matches against VEX documents: %w", err)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.107.0/test/quality/test-db new/grype-0.107.1/test/quality/test-db
--- old/grype-0.107.0/test/quality/test-db 2026-01-29 22:30:09.000000000 +0100
+++ new/grype-0.107.1/test/quality/test-db 2026-02-03 19:42:03.000000000 +0100
@@ -1 +1 @@
-vulnerability-db_v6.1.3_2026-01-01T00:29:57Z_1767255600.tar.zst
+vulnerability-db_v6.1.4_2026-02-01T00:35:14Z_1769927274.tar.zst
++++++ grype.obsinfo ++++++
--- /var/tmp/diff_new_pack.Rm6Mtx/_old 2026-02-04 21:08:15.138014928 +0100
+++ /var/tmp/diff_new_pack.Rm6Mtx/_new 2026-02-04 21:08:15.146015263 +0100
@@ -1,5 +1,5 @@
 name: grype
-version: 0.107.0
-mtime: 1769722209
-commit: 3e8647396b9b201136afe07a30b98cd5850dcc64
+version: 0.107.1
+mtime: 1770144123
+commit: c6a67581ab4e7aa494351b919326ad6606af3010
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/grype/vendor.tar.gz /work/SRC/openSUSE:Factory/.grype.new.1670/vendor.tar.gz differ: char 131, line 1
