Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grype-db for openSUSE:Factory checked in at 2026-02-09 15:34:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grype-db (Old) and /work/SRC/openSUSE:Factory/.grype-db.new.1670 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grype-db" Mon Feb 9 15:34:53 2026 rev:29 rq:1331942 version:0.51.0 Changes: -------- --- /work/SRC/openSUSE:Factory/grype-db/grype-db.changes 2026-01-30 18:26:08.651267396 +0100 +++ /work/SRC/openSUSE:Factory/.grype-db.new.1670/grype-db.changes 2026-02-09 15:35:01.455834332 +0100 @@ -1,0 +2,29 @@ +Mon Feb 09 06:20:19 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.51.0: + * Added Features + - capture new CVSS scores and additional references from GHSA + [#863 @westonsteimel] + - Add support for secureos distro (#765) [#856 + @willmurphyscode] + * Bug Fixes + - remove default configs from grype-db-manager [#861 + @willmurphyscode] + * Additional Changes + - document use of uv not poetry [#640 @popey] + * Dependencies + - chore(deps): Bump boto3 in the python-minor-and-patch group + (#868) + - chore(deps): Bump actions/cache in /.github/actions/bootstrap + (#867) + - chore(deps): Bump actions/cache from 5.0.2 to 5.0.3 (#866) + - chore(deps): Bump the python-minor-and-patch group across 1 + directory with 4 updates (#862) + - chore(deps): update tools to latest versions (#865) + - chore(deps): update anchore dependencies (#864) + - chore(deps): Bump actions/setup-python in + /.github/actions/bootstrap (#854) + - chore(deps): Bump peter-evans/create-pull-request from 8.0.0 + to 8.1.0 (#853) + +------------------------------------------------------------------- Old: ---- grype-db-0.50.0.obscpio New: ---- grype-db-0.51.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grype-db.spec ++++++ --- /var/tmp/diff_new_pack.9weiQt/_old 2026-02-09 15:35:04.047943357 +0100 +++ /var/tmp/diff_new_pack.9weiQt/_new 2026-02-09 15:35:04.051943525 +0100 
@@ -17,7 +17,7 @@ Name: grype-db -Version: 0.50.0 +Version: 0.51.0 Release: 0 Summary: A vulnerability scanner for container images and filesystems License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.9weiQt/_old 2026-02-09 15:35:04.107945881 +0100 +++ /var/tmp/diff_new_pack.9weiQt/_new 2026-02-09 15:35:04.111946049 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/anchore/grype-db</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.50.0</param> + <param name="revision">v0.51.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.9weiQt/_old 2026-02-09 15:35:04.143947395 +0100 +++ /var/tmp/diff_new_pack.9weiQt/_new 2026-02-09 15:35:04.151947732 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/grype-db</param> - <param name="changesrevision">ebc5f8151645415711407e8edc248df8c89d5195</param></service></servicedata> + <param name="changesrevision">013670be3fbdc9eea9e85f19c549aa48f8320e55</param></service></servicedata> (No newline at EOF) ++++++ grype-db-0.50.0.obscpio -> grype-db-0.51.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/.binny.yaml new/grype-db-0.51.0/.binny.yaml --- old/grype-db-0.50.0/.binny.yaml 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/.binny.yaml 2026-02-06 13:53:02.000000000 +0100 
@@ -2,7 +2,7 @@ # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!) - name: binny version: - want: v0.11.1 + want: v0.11.2 method: github-release with: repo: anchore/binny diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/.grype-db-manager.yaml new/grype-db-0.51.0/.grype-db-manager.yaml --- old/grype-db-0.50.0/.grype-db-manager.yaml 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/.grype-db-manager.yaml 1970-01-01 01:00:00.000000000 +0100 @@ -1,9 +0,0 @@ -data: !include config/grype-db-manager/include.d/data.yaml - -grype-db: !include config/grype-db-manager/include.d/grype-db-local-build-r2.yaml - -# note: do not put any values here! -# distribution: -# ... - -validate: !include config/grype-db-manager/include.d/validate.yaml diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/DEVELOPING.md new/grype-db-0.51.0/DEVELOPING.md --- old/grype-db-0.50.0/DEVELOPING.md 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/DEVELOPING.md 2026-02-06 13:53:02.000000000 +0100 
@@ -5,16 +5,11 @@ This codebase is primarily Go, however, there are also Python scripts critical to the daily DB publishing process as well as acceptance testing. You will require the following: -- Python 3.8+ installed on your system. Consider using [pyenv](https://github.com/pyenv/pyenv) if you do not have a +- Python 3.11+ installed on your system. Consider using [pyenv](https://github.com/pyenv/pyenv) if you do not have a preference for managing python interpreter installations. - `zstd` binary utility if you are packaging v6+ DB schemas - _(optional)_ `xz` binary utility if you have specifically overridden the package command options - -- [Poetry](https://python-poetry.org/) installed for dependency and virtualenv management for python dependencies, to install: - - ```bash - curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/install-poetry.py | python - - ``` +- [uv](https://docs.astral.sh/uv/) installed for dependency and virtualenv management for python dependencies (see [installation docs](https://docs.astral.sh/uv/getting-started/installation/)) To download go tooling used for static analysis and dependent go modules run the following: @@ -264,8 +259,7 @@ ```bash # from the repo root - # must be in a poetry shell - grype-db-manager db build-and-upload --schema-version <version> + uv run grype-db-manager db build-and-upload --schema-version <version> ``` This call needs to be repeated for all schema versions that are supported (see `manager/src/grype_db_manager/data/schema-info.json`). 
@@ -282,8 +276,7 @@ ```bash # from the repo root - # must be in a poetry shell - grype-db-manager listing update + uv run grype-db-manager listing update ``` During this step the locally crafted listing file is tested against installations of grype. The correctness of the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/config/grype-db/publish-nightly-r2.yaml new/grype-db-0.51.0/config/grype-db/publish-nightly-r2.yaml --- old/grype-db-0.50.0/config/grype-db/publish-nightly-r2.yaml 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/config/grype-db/publish-nightly-r2.yaml 2026-02-06 13:53:02.000000000 +0100 @@ -28,6 +28,7 @@ - name: minimos - name: oracle - name: rhel + - name: secureos - name: sles - name: ubuntu - name: wolfi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/config/grype-db/publish-nightly.yaml new/grype-db-0.51.0/config/grype-db/publish-nightly.yaml --- old/grype-db-0.50.0/config/grype-db/publish-nightly.yaml 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/config/grype-db/publish-nightly.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,45 +0,0 @@ -# this is a grype-db application configuration file intended for use with the daily db publisher workflow - -provider: - root: data/vunnel - - # No manual configs are provided since 'provider.vunnel.generateConfigs' is set to true - # this means that well run vunnel to get the list of supported providers. All supported providers - # will be included in the database build. This prevents the need from manually updating this file - # for every new provider that is added. - # - # Any providers that should be excluded from processing should be added to the 'provider.vunnel.excludeProviders' list. - configs: - - name: nvd - - name: alpine - - name: amazon - - name: bitnami - - name: chainguard - - name: chainguard-libraries - - name: debian - - name: echo - - name: epss - - name: github - - name: kev - - name: mariner - - name: minimos - - name: oracle - - name: rhel - - name: sles - - name: ubuntu - - name: wolfi - - vunnel: - executor: docker - docker-tag: latest - generate-configs: false - env: - GITHUB_TOKEN: $GITHUB_TOKEN - NVD_API_KEY: $NVD_API_KEY - -pull: - parallelism: 4 - -package: - # required for v5 - publish-base-url: https://toolbox-data.anchore.io/grype/databases diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/config/grype-db-manager/include.d/grype-db-local-build-r2.yaml new/grype-db-0.51.0/config/grype-db-manager/include.d/grype-db-local-build-r2.yaml --- old/grype-db-0.50.0/config/grype-db-manager/include.d/grype-db-local-build-r2.yaml 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/config/grype-db-manager/include.d/grype-db-local-build-r2.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,9 +0,0 @@ -# grype-db: - -# use the current repo at the current commit as the source of truth for the grype-db build source. -# note: assume this will be invoked from the root of the repo -version: latest - -# grype-db application configuration to use. -# note: assume this will be invoked from the root of the repo -config: config/grype-db/publish-nightly-r2.yaml diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/config/grype-db-manager/include.d/grype-db-local-build.yaml new/grype-db-0.51.0/config/grype-db-manager/include.d/grype-db-local-build.yaml --- old/grype-db-0.50.0/config/grype-db-manager/include.d/grype-db-local-build.yaml 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/config/grype-db-manager/include.d/grype-db-local-build.yaml 2026-02-06 13:53:02.000000000 +0100 @@ -6,4 +6,4 @@ # grype-db application configuration to use. # note: assume this will be invoked from the root of the repo -config: config/grype-db/publish-nightly.yaml +config: config/grype-db/publish-nightly-r2.yaml diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/config/grype-db-manager/publish-production-r2.yaml new/grype-db-0.51.0/config/grype-db-manager/publish-production-r2.yaml --- old/grype-db-0.50.0/config/grype-db-manager/publish-production-r2.yaml 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/config/grype-db-manager/publish-production-r2.yaml 2026-02-06 13:53:02.000000000 +0100 
@@ -2,7 +2,7 @@ data: !include config/grype-db-manager/include.d/data.yaml -grype-db: !include config/grype-db-manager/include.d/grype-db-local-build-r2.yaml +grype-db: !include config/grype-db-manager/include.d/grype-db-local-build.yaml distribution: !include config/grype-db-manager/include.d/distribution-production-r2.yaml diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/go.mod new/grype-db-0.51.0/go.mod --- old/grype-db-0.50.0/go.mod 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/go.mod 2026-02-06 13:53:02.000000000 +0100 @@ -8,9 +8,9 @@ github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d github.com/adrg/xdg v0.5.3 github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 - github.com/anchore/grype v0.107.0 + github.com/anchore/grype v0.107.1 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 - github.com/anchore/syft v1.41.1 + github.com/anchore/syft v1.41.2 github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de github.com/dave/jennifer v1.7.1 github.com/dustin/go-humanize v1.0.1 @@ -314,7 +314,7 @@ modernc.org/libc v1.67.6 // indirect modernc.org/mathutil v1.7.1 // indirect modernc.org/memory v1.11.0 // indirect - modernc.org/sqlite v1.44.1 // indirect + modernc.org/sqlite v1.44.3 // indirect ) // the go.mod file did not have the correct minimum go version at the time of release tagging diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/go.sum new/grype-db-0.51.0/go.sum --- old/grype-db-0.50.0/go.sum 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/go.sum 2026-02-06 13:53:02.000000000 +0100 
@@ -152,14 +152,14 @@ github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ= github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE+o2gozGEBoUMpX27lsku+xrMwlmBZJtbg= github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E= -github.com/anchore/grype v0.107.0 h1:7uzKfPikWG5EIDOWG+vHn8s1eGlDggR2WYHxHW0qxVM= -github.com/anchore/grype v0.107.0/go.mod h1:pA3mape0QNEI+beNfjS3LXtnUfJgk3zVvOR1FYIlE8Y= +github.com/anchore/grype v0.107.1 h1:N7EIlJfuq7RKA5nSgXPxOfifyB8EABYd2vP+CJwL1bY= +github.com/anchore/grype v0.107.1/go.mod h1:DilbSyGMuYZREWL/tIZYOA4PedC2X2FOaEMAmQaNGhg= github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY= github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI= github.com/anchore/stereoscope v0.1.19 h1:1G5LVmRN1Sz6qNezpVAEeN7QfWwCE9zw9TJK1ZGnkvw= github.com/anchore/stereoscope v0.1.19/go.mod h1:+laNHlk05xA2YqgEzq8mxkFzclL3NRdeNIsiQQVeZZ4= -github.com/anchore/syft v1.41.1 h1:lUoEi/ICCSe8eqDmwwG7Kw6brVT20Ap5OmiqWlmddAg= -github.com/anchore/syft v1.41.1/go.mod h1:vrE06rTzgwrHB3T7fh83S/M555rpxy/olUG5c+oVcoU= +github.com/anchore/syft v1.41.2 h1:mC2l3P8dUvBdz+97ZNcKD410s8vGFGFXdZa+neaQEb8= +github.com/anchore/syft v1.41.2/go.mod h1:j8SaTiPQzSxElS0MWw3ML2m2EK4av/7Vm4q8WpwUmYw= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ= github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY= 
@@ -1576,8 +1576,8 @@ modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns= modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w= modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE= -modernc.org/sqlite v1.44.1 h1:qybx/rNpfQipX/t47OxbHmkkJuv2JWifCMH8SVUiDas= -modernc.org/sqlite v1.44.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA= +modernc.org/sqlite v1.44.3 h1:+39JvV/HWMcYslAwRxHb8067w+2zowvFOUrOWIy9PjY= +modernc.org/sqlite v1.44.3/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA= modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/Makefile new/grype-db-0.51.0/manager/Makefile --- old/grype-db-0.50.0/manager/Makefile 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/Makefile 2026-02-06 13:53:02.000000000 +0100 
@@ -46,20 +46,6 @@ cd tests/cli && uv run make -## DB Testing targets ################################# - -.PHONY: db-acceptance -db-acceptance: ## Run DB acceptance tests - @ echo "Building and testing DB schema=$(schema_version)" - if [ -z "$(schema_version)" ]; then \ - echo "schema_version is not set"; \ - exit 1; \ - fi - - export DB_ID=$(shell uv run grype-db-manager db build --schema-version $(schema_version)) - uv run grype-db-manager db validaate $(DB_ID) - - ## Halp! ################################# .PHONY: help diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/src/grype_db_manager/cli/cli.py new/grype-db-0.51.0/manager/src/grype_db_manager/cli/cli.py --- old/grype-db-0.50.0/manager/src/grype_db_manager/cli/cli.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/src/grype_db_manager/cli/cli.py 2026-02-06 13:53:02.000000000 +0100 @@ -12,7 +12,7 @@ @click.option("--verbose", "-v", "verbosity", count=True, help="show details of all comparisons") [email protected]("--config", "-c", "config_path", default=None, help="override config path") [email protected]("--config", "-c", "config_path", default=None, help="config file path (required for subcommands)") @click.group(help="A tool for publishing validated grype databases to S3 for distribution.") @click.version_option(package_name=package_name, message="%(prog)s %(version)s") @click.pass_context 
@@ -23,7 +23,17 @@ import colorlog # noqa: PLC0415 - ctx.obj = config.load(path=config_path, verbosity=verbosity) + # config is required for subcommands, but not for --help or --version + if ctx.invoked_subcommand is not None: + if not config_path: + msg = "missing required option: -c/--config" + raise click.UsageError(msg) + ctx.obj = config.load(path=config_path) + ctx.obj.verbosity = verbosity + elif config_path: + # allow loading config even without subcommand (e.g., for future use) + ctx.obj = config.load(path=config_path) + ctx.obj.verbosity = verbosity class DeltaTimeFormatter(colorlog.ColoredFormatter): def __init__(self, *args: Any, **kwargs: Any): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/src/grype_db_manager/cli/config.py new/grype-db-0.51.0/manager/src/grype_db_manager/cli/config.py --- old/grype-db-0.50.0/manager/src/grype_db_manager/cli/config.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/src/grype_db_manager/cli/config.py 2026-02-06 13:53:02.000000000 +0100 @@ -21,12 +21,6 @@ yaml.add_constructor("!include", yaml_include.Constructor(base_dir=os.getcwd()), Loader=yaml.SafeLoader) -DEFAULT_CONFIGS = ( - ".grype-db-manager.yaml", - "grype-db-manager.yaml", -) - - @dataclass class Log: level: str = "INFO" @@ -37,7 +31,7 @@ @dataclass class GrypeDB: - version: str = "latest" + version: str = "" config: str = "" @@ -78,27 +72,10 @@ @dataclass() class Validate: - default_max_year: int = 2021 + default_max_year: int = 0 gates: list[ValidateDB] = field(default_factory=list) listing: ValidateListing = field(default_factory=ValidateListing) - expected_providers: list[str] = field( - default_factory=lambda: [ - "alpine", - "amazon", - "chainguard", - "debian", - "echo", - "github", - "mariner", - "minimos", - "nvd", - "oracle", - "rhel", - "sles", - "ubuntu", - "wolfi", - ], - ) + expected_providers: list[str] = field(default_factory=list) @dataclass() 
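Review bot: The new guard in the cli.py group callback runs before a subcommand parses its own arguments, so `grype-db-manager db --help` without `-c` presumably exits with "missing required option: -c/--config", even though the added comment says help works without a config. This relies on click invoking the group callback before building the subcommand context, so it is worth confirming with a `CliRunner` test. The two branches also repeat the same load-and-set-verbosity pair. Raising first with `if ctx.invoked_subcommand is not None and not config_path: raise click.UsageError(msg)` and then loading once under `if config_path:` keeps a single copy. The callback's signature and the rest of its body are outside the hunk.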
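Review bot: In config.py, `Validate.expected_providers` now defaults to an empty list and `default_max_year` to 0, so a config file that omits either key no longer inherits a usable value. Whether the validation step then rejects the run or accepts it vacuously is not visible in this diff. These fields take part in the quality gate that runs before a vulnerability database is published, so an omitted key should presumably fail closed, the way the empty `GrypeDB.version` does in grypedb.py (`if not input_version: raise ValueError(msg)`). The same applies to the empty-string defaults of `Data.root`, `vunnel_root` and `yardstick_root` in the `@@ -123,9 +100,9 @@` hunk. A check where validation starts, for example `if not cfg.validate.expected_providers: raise ValueError("validate.expected_providers is required")`, would surface the omission instead of leaving it to downstream behaviour.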
@@ -123,9 +100,9 @@ @dataclass class Data: - root: str = ".grype-db-manager" - vunnel_root: str = "data/vunnel" - yardstick_root: str = "data/yardstick" + root: str = "" + vunnel_root: str = "" + yardstick_root: str = "" @dataclass @@ -194,47 +171,15 @@ def load( - path: None | str | list[str] | tuple[str] = DEFAULT_CONFIGS, + path: str, wire_values: bool = True, - verbosity: int = 0, env: Mapping | None = None, ) -> Application: - cfg = _load_paths(path, wire_values=wire_values, env=env, verbosity=verbosity) - - if not cfg: - msg = "no config found" - raise FileNotFoundError(msg) - - return cfg - - -def _load_paths( - path: None | str | list[str] | tuple[str], - wire_values: bool = True, - env: Mapping | None = None, - verbosity: int = 0, -) -> Application | None: if not path: - path = DEFAULT_CONFIGS - - if isinstance(path, str): - if path == "": - path = DEFAULT_CONFIGS - else: - return _load(path, wire_values=wire_values, env=env) - - if isinstance(path, (list, tuple)): - for p in path: - if not os.path.exists(p): - continue - - return _load(p, wire_values=wire_values, env=env) - - # use the default application config - return Application(verbosity=verbosity) + msg = "config path is required (use -c/--config)" + raise ValueError(msg) - msg = f"invalid path type {type(path)}" - raise ValueError(msg) + return _load(path, wire_values=wire_values, env=env) def _load(path: str, wire_values: bool = True, env: Mapping | None = None) -> Application: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/src/grype_db_manager/grypedb.py new/grype-db-0.51.0/manager/src/grype_db_manager/grypedb.py --- old/grype-db-0.50.0/manager/src/grype_db_manager/grypedb.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/src/grype_db_manager/grypedb.py 2026-02-06 13:53:02.000000000 +0100 
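Review bot: `load` has no docstring, and its contract changed in ways the signature alone does not show. `path` is now a required argument, the `verbosity` keyword is gone, and an empty path raises `ValueError` where the old code fell back to the default file names. I would add a docstring such as `"""Load the application config from path; raises ValueError when path is empty."""`, and note there that callers now set `verbosity` on the returned object themselves. The removed `test_load_default` is not replaced by a test for `config.load("")` anywhere in this diff, so the new empty-path branch looks uncovered.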
@@ -136,111 +136,11 @@ "wolfi:distro:wolfi:rolling", ] -v3_expected_namespaces = [ - "alpine:3.10", - "alpine:3.11", - "alpine:3.12", - "alpine:3.13", - "alpine:3.14", - "alpine:3.15", - "alpine:3.16", - "alpine:3.17", - "alpine:3.18", - "alpine:3.2", - "alpine:3.3", - "alpine:3.4", - "alpine:3.5", - "alpine:3.6", - "alpine:3.7", - "alpine:3.8", - "alpine:3.9", - "alpine:edge", - "amzn:2", - "amzn:2022", - "amzn:2023", - "chainguard:rolling", - "debian:10", - "debian:11", - "debian:12", - "debian:13", - "debian:7", - "debian:8", - "debian:9", - "debian:unstable", - "github:composer", - "github:dart", - "github:gem", - "github:go", - "github:java", - "github:npm", - "github:nuget", - "github:python", - "github:rust", - "github:swift", - "mariner:1.0", - "mariner:2.0", - "minimos:rolling", - "nvd", - "ol:5", - "ol:6", - "ol:7", - "ol:8", - "ol:9", - "rhel:5", - "rhel:6", - "rhel:7", - "rhel:8", - "rhel:9", - "sles:11", - "sles:11.1", - "sles:11.2", - "sles:11.3", - "sles:11.4", - "sles:12", - "sles:12.1", - "sles:12.2", - "sles:12.3", - "sles:12.4", - "sles:12.5", - "sles:15", - "sles:15.1", - "sles:15.2", - "sles:15.3", - "sles:15.4", - "sles:15.5", - "ubuntu:12.04", - "ubuntu:12.10", - "ubuntu:13.04", - "ubuntu:14.04", - "ubuntu:14.10", - "ubuntu:15.04", - "ubuntu:15.10", - "ubuntu:16.04", - "ubuntu:16.10", - "ubuntu:17.04", - "ubuntu:17.10", - "ubuntu:18.04", - "ubuntu:18.10", - "ubuntu:19.04", - "ubuntu:19.10", - "ubuntu:20.04", - "ubuntu:20.10", - "ubuntu:21.04", - "ubuntu:21.10", - "ubuntu:22.04", - "ubuntu:22.10", - "ubuntu:23.04", - "ubuntu:23.10", - "ubuntu:24.04", - "wolfi:rolling", -] - def expected_namespaces(schema_version: int) -> list[str]: - if schema_version <= 3: - return v3_expected_namespaces - if schema_version == 4: - return v4_expected_namespaces + if schema_version < 5: + msg = f"schema {schema_version} is EOL. v5 is latest supported version" + raise ValueError(msg) return v4_expected_namespaces + v5_additional_namespaces 
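Review bot: The error text added to `expected_namespaces` says "v5 is latest supported version", but the guard rejects only schemas below 5 and the CLI tests in this same commit build schema 6. That makes v5 the oldest accepted schema, not the latest. I would word it `msg = f"schema {schema_version} is EOL; v5 is the oldest supported version"`. The function also has no docstring. One line stating that every schema >= 5 receives `v4_expected_namespaces + v5_additional_namespaces` would document the fall-through return.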
@@ -622,6 +522,10 @@ str | None: The path to the installed binary, or None if no installation was performed. """ + if not input_version: + msg = "grype-db version is required (set grype_db.version in config)" + raise ValueError(msg) + os.makedirs(bin_dir, exist_ok=True) # Check for explicit grype-db binary override (opt-in only) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/tests/cli/s3-mock/setup-legacy-workflow-3.py new/grype-db-0.51.0/manager/tests/cli/s3-mock/setup-legacy-workflow-3.py --- old/grype-db-0.50.0/manager/tests/cli/s3-mock/setup-legacy-workflow-3.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/tests/cli/s3-mock/setup-legacy-workflow-3.py 2026-02-06 13:53:02.000000000 +0100 @@ -11,7 +11,7 @@ def main(): - cfg = config.load() + cfg = config.load(".grype-db-manager.yaml") s3_bucket = cfg.distribution.s3_bucket s3_path = cfg.distribution.s3_path diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/tests/cli/s3-mock/setup-legacy-workflow-4.py new/grype-db-0.51.0/manager/tests/cli/s3-mock/setup-legacy-workflow-4.py --- old/grype-db-0.50.0/manager/tests/cli/s3-mock/setup-legacy-workflow-4.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/tests/cli/s3-mock/setup-legacy-workflow-4.py 2026-02-06 13:53:02.000000000 +0100 
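Review bot: The message added at the top of this function points the user to `grype_db.version`, but that spelling matches neither form of the key seen on this page. The config files in this commit write the section as `grype-db:`, and the removed `test_load_default` shows it serialised as `grypeDb`. Which spellings the loader accepts is not visible here, so naming the key as it appears in the YAML files seems safest, e.g. `msg = "grype-db version is required (set 'version' under 'grype-db' in the config file)"`. The function's signature and the rest of its body are outside the hunk.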
@@ -11,7 +11,7 @@ def main(): - cfg = config.load() + cfg = config.load(".grype-db-manager.yaml") s3_bucket = cfg.distribution.s3_bucket s3_path = cfg.distribution.s3_path diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/tests/cli/s3-mock/setup-workflow-1.py new/grype-db-0.51.0/manager/tests/cli/s3-mock/setup-workflow-1.py --- old/grype-db-0.50.0/manager/tests/cli/s3-mock/setup-workflow-1.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/tests/cli/s3-mock/setup-workflow-1.py 2026-02-06 13:53:02.000000000 +0100 @@ -11,7 +11,7 @@ def main(): - cfg = config.load() + cfg = config.load(".grype-db-manager.yaml") s3_bucket = cfg.distribution.s3_bucket region = cfg.distribution.aws_region diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/tests/cli/test_legacy_workflows.py new/grype-db-0.51.0/manager/tests/cli/test_legacy_workflows.py --- old/grype-db-0.50.0/manager/tests/cli/test_legacy_workflows.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/tests/cli/test_legacy_workflows.py 2026-02-06 13:53:02.000000000 +0100 
@@ -14,16 +14,16 @@ command.run("make vunnel-oracle-data", env=cli_env) logger.step("case 1: create the DB") - stdout, _ = command.run("grype-db-manager -v db build -s 5", env=cli_env) + stdout, _ = command.run("grype-db-manager -c .grype-db-manager.yaml -v db build -s 5", env=cli_env) assert stdout.strip(), "Expected non-empty output" db_id = stdout.splitlines()[-1] # assume DB ID is the last line of output - stdout, _ = command.run("grype-db-manager db list", env=cli_env) + stdout, _ = command.run("grype-db-manager -c .grype-db-manager.yaml db list", env=cli_env) assert db_id in stdout, f"Expected DB ID {db_id} in output" logger.step("case 2: delete the DB") - command.run("grype-db-manager db clear", env=cli_env) - stdout, _ = command.run("grype-db-manager db list", env=cli_env) + command.run("grype-db-manager -c .grype-db-manager.yaml db clear", env=cli_env) + stdout, _ = command.run("grype-db-manager -c .grype-db-manager.yaml db list", env=cli_env) assert db_id not in stdout, f"Did not expect DB ID {db_id} in output" @@ -39,7 +39,7 @@ command.run("make vunnel-oracle-data", env=cli_env) # create the database - stdout, _ = command.run("grype-db-manager -v db build -s 5", env=cli_env) + stdout, _ = command.run("grype-db-manager -c .grype-db-manager.yaml -v db build -s 5", env=cli_env) assert stdout.strip(), "Expected non-empty output" db_id = stdout.splitlines()[-1] # Get the last line as the DB ID @@ -51,7 +51,7 @@ cli_env["GOWORK"] = "off" stdout, _ = command.run( - f"grype-db-manager -vv db validate {db_id} --skip-namespace-check --recapture", + f"grype-db-manager -c .grype-db-manager.yaml -vv db validate {db_id} --skip-namespace-check --recapture", env=cli_env, expect_fail=True, ) @@ -65,7 +65,7 @@ command.run("make install-oracle-labels", env=cli_env) _, stderr = command.run( - f"grype-db-manager -vv db validate {db_id}", + f"grype-db-manager -c .grype-db-manager.yaml -vv db validate {db_id}", env=cli_env, expect_fail=True, ) 
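Review bot: The literal `-c .grype-db-manager.yaml` is now pasted into every command string in test_legacy_workflows.py, and the same repetition appears in the test_workflows.py hunks and the s3-mock setup scripts. A later rename of the fixture config therefore needs a dozen edits, and a missed one fails only at run time. A module-level constant such as `MANAGER = "grype-db-manager -c .grype-db-manager.yaml"`, used as `command.run(f"{MANAGER} db list", env=cli_env)`, keeps the path in one place. The relative path also assumes the tests run from the directory holding that file, which is worth a short comment next to the constant. The test functions start and end outside these hunks.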
@@ -79,7 +79,7 @@ command.run("make install-oracle-labels", env=cli_env) stdout, _ = command.run( - f"grype-db-manager -vv db validate {db_id} --skip-namespace-check", + f"grype-db-manager -c .grype-db-manager.yaml -vv db validate {db_id} --skip-namespace-check", env=cli_env, ) assert "Quality gate passed!" in stdout @@ -121,7 +121,7 @@ logger.step("case 1: update a listing file based on S3 state") # generate a new listing file - stdout, _ = command.run("grype-db-manager listing update", env=cli_env) + stdout, _ = command.run("grype-db-manager -c .grype-db-manager.yaml listing update", env=cli_env) assert "Validation passed" in stdout assert "listing.json uploaded to s3://testbucket/grype/databases" in stdout @@ -195,7 +195,7 @@ # build, validate, and upload the database stdout, _ = command.run( - f"grype-db-manager db build-and-upload --schema-version {schema_version} --skip-namespace-check", + f"grype-db-manager -c .grype-db-manager.yaml db build-and-upload --schema-version {schema_version} --skip-namespace-check", env=cli_env, ) assert "Quality gate passed!" in stdout @@ -204,7 +204,7 @@ logger.step("case 2: update the listing file based on the DB uploaded") # update the listing file and validate - stdout, _ = command.run("grype-db-manager -v listing update", env=cli_env) + stdout, _ = command.run("grype-db-manager -c .grype-db-manager.yaml -v listing update", env=cli_env) assert "Validation passed" in stdout assert "listing.json uploaded to s3://testbucket/grype/databases" in stdout diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/tests/cli/test_workflows.py new/grype-db-0.51.0/manager/tests/cli/test_workflows.py --- old/grype-db-0.50.0/manager/tests/cli/test_workflows.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/tests/cli/test_workflows.py 2026-02-06 13:53:02.000000000 +0100 
@@ -31,7 +31,7 @@ } ) - cfg = config.load() + cfg = config.load(".grype-db-manager.yaml") image = cfg.validate.gates[0].images[0] grype = grype.install(schema.grype_version(schema_version), bin_dir) @@ -46,15 +46,15 @@ command.run("python setup-workflow-1.py", env=cli_env) logger.step("case 1: create the DB") - stdout, _ = command.run(f"grype-db-manager -v db build -s {schema_version}", env=cli_env) + stdout, _ = command.run(f"grype-db-manager -c .grype-db-manager.yaml -v db build -s {schema_version}", env=cli_env) assert stdout.strip(), "Expected non-empty output" db_id = stdout.splitlines()[-1] # assume DB ID is the last line of output - stdout, _ = command.run("grype-db-manager db list", env=cli_env) + stdout, _ = command.run("grype-db-manager -c .grype-db-manager.yaml db list", env=cli_env) assert db_id in stdout, f"Expected DB ID {db_id} in output" logger.step("case 2: upload the DB") - stdout, _ = command.run(f"grype-db-manager db upload {db_id}", env=cli_env) + stdout, _ = command.run(f"grype-db-manager -c .grype-db-manager.yaml db upload {db_id}", env=cli_env) assert f"DB archive '{db_id}' uploaded to s3://testbucket/grype/databases/v{schema_version}" in stdout assert f"latest.json '{db_id}' uploaded to s3://testbucket/grype/databases/v{schema_version}" in stdout @@ -66,8 +66,8 @@ assert "ELSA-2021-9314" in stdout logger.step("case 4: delete the DB") - command.run("grype-db-manager db clear", env=cli_env) - stdout, _ = command.run("grype-db-manager db list", env=cli_env) + command.run("grype-db-manager -c .grype-db-manager.yaml db clear", env=cli_env) + stdout, _ = command.run("grype-db-manager -c .grype-db-manager.yaml db list", env=cli_env) assert db_id not in stdout, f"Did not expect DB ID {db_id} in output" ### end of testing ### 
@@ -89,7 +89,7 @@ command.run("make vunnel-oracle-data", env=cli_env) # create the database - stdout, _ = command.run("grype-db-manager -v db build -s 6", env=cli_env) + stdout, _ = command.run("grype-db-manager -c .grype-db-manager.yaml -v db build -s 6", env=cli_env) assert stdout.strip(), "Expected non-empty output" db_id = stdout.splitlines()[-1] # Get the last line as the DB ID @@ -102,7 +102,7 @@ # note: we add --force to ensure we're checking validations (even if it's disabled for the schema) stdout, stderr = command.run( - f"grype-db-manager -vv db validate {db_id} --skip-namespace-check --force --recapture", + f"grype-db-manager -c .grype-db-manager.yaml -vv db validate {db_id} --skip-namespace-check --force --recapture", env=cli_env, expect_fail=True, ) @@ -117,7 +117,7 @@ command.run("make install-oracle-labels", env=cli_env) _, stderr = command.run( - f"grype-db-manager -vv db validate {db_id} --force", + f"grype-db-manager -c .grype-db-manager.yaml -vv db validate {db_id} --force", env=cli_env, expect_fail=True, ) @@ -131,7 +131,7 @@ command.run("make install-oracle-labels", env=cli_env) stdout, _ = command.run( - f"grype-db-manager -vv db validate {db_id} --skip-namespace-check --force", + f"grype-db-manager -c .grype-db-manager.yaml -vv db validate {db_id} --skip-namespace-check --force", env=cli_env, ) assert "Quality gate passed!" in stdout diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/tests/unit/cli/test_config.py new/grype-db-0.51.0/manager/tests/unit/cli/test_config.py --- old/grype-db-0.50.0/manager/tests/unit/cli/test_config.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/tests/unit/cli/test_config.py 2026-02-06 13:53:02.000000000 +0100 
@@ -42,62 +42,6 @@ assert cfg.distribution.s3_path == "s3-path" -def test_load_default(): - cfg = config.Application() - - actual = cfg.to_yaml() - - expected = """\ -assertAwsCredentials: true -data: - root: .grype-db-manager - vunnelRoot: data/vunnel - yardstickRoot: data/yardstick -distribution: - awsRegion: null - downloadUrlPrefix: null - listingFileName: listing.json - listingReplicas: [] - s3AlwaysSuffixSchemaVersion: false - s3Bucket: null - s3EndpointUrl: null - s3Path: null -grypeDb: - config: '' - version: latest -log: - level: INFO -schemaMappingFile: '' -validate: - defaultMaxYear: 2021 - expectedProviders: - - alpine - - amazon - - chainguard - - debian - - echo - - github - - mariner - - minimos - - nvd - - oracle - - rhel - - sles - - ubuntu - - wolfi - gates: [] - listing: - image: null - minimumPackages: null - minimumVulnerabilities: null - overrideDbSchemaVersion: null - overrideGrypeVersion: null -verbosity: 0 -""" - - assert actual == expected - - def test_load(test_dir_path): config_path = test_dir_path("fixtures/config/full.yaml") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/tests/unit/cli/test_listing.py new/grype-db-0.51.0/manager/tests/unit/cli/test_listing.py --- old/grype-db-0.50.0/manager/tests/unit/cli/test_listing.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/tests/unit/cli/test_listing.py 2026-02-06 13:53:02.000000000 +0100 @@ -39,7 +39,7 @@ listing_file_name = "listing.json" with utils.set_directory(dir_with_config): - cfg = config.load() + cfg = config.load(".grype-db-manager.yaml") if os.path.exists(listing_file_name): os.remove(listing_file_name) 
@@ -144,7 +144,7 @@ expected_object = db.Listing.from_json(f.read()) runner = CliRunner() - result = runner.invoke(cli.cli, "listing create".split()) + result = runner.invoke(cli.cli, "-c .grype-db-manager.yaml listing create".split()) # for debugging print(result.output) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/manager/tests/unit/test_grypedb.py new/grype-db-0.51.0/manager/tests/unit/test_grypedb.py --- old/grype-db-0.50.0/manager/tests/unit/test_grypedb.py 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/manager/tests/unit/test_grypedb.py 2026-02-06 13:53:02.000000000 +0100 @@ -73,9 +73,6 @@ pytest.param(grypedb.expected_namespaces(5), 5, False, id="v5 matches"), pytest.param(grypedb.expected_namespaces(5) + ["extra_items"], 5, False, id="v5 with extra items"), pytest.param(list(grypedb.expected_namespaces(5))[:-5], 5, True, id="v5 missing items"), - pytest.param(grypedb.expected_namespaces(3), 3, False, id="v3 matches"), - pytest.param(grypedb.expected_namespaces(3) + ["extra_items"], 3, False, id="v3 with extra items"), - pytest.param(list(grypedb.expected_namespaces(3))[:-5], 3, True, id="v3 missing items"), ], ) def test_validate_namespaces(self, tmp_path: pathlib.Path, mocker, schema_version, listed_namespaces, expect_error): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/pkg/process/v6/transformers/github/test-fixtures/GHSA-qc55-vm3j-74gp.json new/grype-db-0.51.0/pkg/process/v6/transformers/github/test-fixtures/GHSA-qc55-vm3j-74gp.json --- old/grype-db-0.50.0/pkg/process/v6/transformers/github/test-fixtures/GHSA-qc55-vm3j-74gp.json 1970-01-01 01:00:00.000000000 +0100 +++ new/grype-db-0.51.0/pkg/process/v6/transformers/github/test-fixtures/GHSA-qc55-vm3j-74gp.json 2026-02-06 13:53:02.000000000 +0100 
@@ -0,0 +1,73 @@
+{
+ "Vulnerability": {},
+ "Advisory": {
+ "Classification": "GENERAL",
+ "Severity": "High",
+ "CVSS": {
+ "version": "3.0",
+ "vector_string": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
+ "base_metrics": {
+ "base_score": 5.5,
+ "exploitability_score": 1.8,
+ "impact_score": 3.6,
+ "base_severity": "Medium"
+ },
+ "status": "N/A"
+ },
+ "cvss_severities": [
+ {
+ "version": "3.0",
+ "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "version": "4.0",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "FixedIn": [
+ {
+ "name": "jsnapy",
+ "identifier": "1.3.0",
+ "ecosystem": "python",
+ "namespace": "github:python",
+ "range": "< 1.3.0",
+ "available": {
+ "date": "2020-07-28",
+ "kind": "first-observed"
+ }
+ }
+ ],
+ "Summary": "JSNAPy allows unprivileged local users to alter files under the directory",
+ "url": "https://github.com/advisories/GHSA-qc55-vm3j-74gp",
+ "CVE": [
+ "CVE-2018-0023"
+ ],
+ "Metadata": {
+ "CVE": [
+ "CVE-2018-0023"
+ ]
+ },
+ "ghsaId": "GHSA-qc55-vm3j-74gp",
+ "published": "2018-07-12T20:30:36Z",
+ "updated": "2024-09-24T21:02:13Z",
+ "withdrawn": null,
+ "references": [
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0023"
+ },
+ {
+ "url": "https://github.com/advisories/GHSA-qc55-vm3j-74gp"
+ },
+ {
+ "url": "https://kb.juniper.net/JSA10856"
+ },
+ {
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jsnapy/PYSEC-2018-84.yaml"
+ },
+ {
+ "url": "https://web.archive.org/web/20200227125151/http://www.securityfocus.com/bid/103745"
+ }
+ ],
+ "namespace": "github:python"
+ }
+}
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/pkg/process/v6/transformers/github/transform.go new/grype-db-0.51.0/pkg/process/v6/transformers/github/transform.go
--- old/grype-db-0.50.0/pkg/process/v6/transformers/github/transform.go 2026-01-30 00:06:00.000000000 +0100
+++ new/grype-db-0.51.0/pkg/process/v6/transformers/github/transform.go 2026-02-06 13:53:02.000000000 +0100 @@ -264,7 +264,8 @@ }) } - if vulnerability.Advisory.CVSS != nil { + // If the new CVSSSeverities field isn't populated, fallback to the old CVSS property + if len(vulnerability.Advisory.CVSSSeverities) == 0 && vulnerability.Advisory.CVSS != nil { severities = append(severities, grypeDB.Severity{ Scheme: grypeDB.SeveritySchemeCVSS, Value: grypeDB.CVSSSeverity{ @@ -272,6 +273,16 @@ Version: vulnerability.Advisory.CVSS.Version, }, }) + } else { + for _, cvss := range vulnerability.Advisory.CVSSSeverities { + severities = append(severities, grypeDB.Severity{ + Scheme: grypeDB.SeveritySchemeCVSS, + Value: grypeDB.CVSSSeverity{ + Vector: cvss.Vector, + Version: cvss.Version, + }, + }) + } } return severities 
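Review bot: The new `else` loop reads `cvss.Vector` and `cvss.Version` without a nil check, although `CVSSSeverities` is declared as a slice of pointers (`[]*struct`) in github_advisory.go, so a `null` element inside a record's `cvss_severities` array decodes to a nil pointer and panics here. Adding `if cvss == nil { continue }` as the first statement of the loop closes that; the `getReferences` loop in the next hunk of this file has the same exposure on `reference.URL`, since `References` is also `[]*struct`. Declaring both fields as slices of values instead of pointers would remove the nil case at the source. The loop also appends a severity when `cvss.Vector` is empty, which is presumably not wanted and could be skipped in the same guard. The enclosing function starts outside this hunk.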
@@ -283,13 +294,23 @@ } func getReferences(vulnerability unmarshal.GitHubAdvisory) []grypeDB.Reference { - // TODO: The additional reference links are not currently captured in the vunnel result, but should be enhanced to - // https://github.com/anchore/vunnel/issues/646 to capture this + // Capture the GitHub Advisory URL as the first reference refs := []grypeDB.Reference{ { URL: vulnerability.Advisory.URL, }, } - return refs + for _, reference := range vulnerability.Advisory.References { + clean := strings.TrimSpace(reference.URL) + if clean == "" { + continue + } + // TODO there is other info we could be capturing too (source) + refs = append(refs, grypeDB.Reference{ + URL: clean, + }) + } + + return transformers.DeduplicateReferences(refs) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/pkg/process/v6/transformers/github/transform_test.go new/grype-db-0.51.0/pkg/process/v6/transformers/github/transform_test.go --- old/grype-db-0.50.0/pkg/process/v6/transformers/github/transform_test.go 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/pkg/process/v6/transformers/github/transform_test.go 2026-02-06 13:53:02.000000000 +0100 
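Review bot: The first reference takes `vulnerability.Advisory.URL` as-is, while every additional reference goes through `strings.TrimSpace` and is skipped when empty, so the two sources are normalised differently before `DeduplicateReferences` compares them by exact URL. An advisory URL carrying stray whitespace would not collapse with its twin in `references`, and an empty advisory URL still produces an empty-URL entry. Building the first entry with `URL: strings.TrimSpace(vulnerability.Advisory.URL)` would make the comparison consistent, and it could be skipped when empty if no caller relies on it. Since these strings come from the provider record without scheme or host checks, a short comment such as `// URLs are stored as provided; consumers must treat them as untrusted when rendering` would document that for readers of the database.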
@@ -322,6 +322,66 @@ }, }, }, + { + name: "test-fixtures/GHSA-qc55-vm3j-74gp.json", + expected: []grypeDB.VulnerabilityHandle{ + { + Name: "GHSA-qc55-vm3j-74gp", + ProviderID: "github", + Provider: &grypeDB.Provider{ + ID: "github", + Version: "1", + DateCaptured: &now, + }, + ModifiedDate: internal.ParseTime("2024-09-24T21:02:13Z"), + PublishedDate: internal.ParseTime("2018-07-12T20:30:36Z"), + WithdrawnDate: nil, + Status: grypeDB.VulnerabilityActive, + BlobValue: &grypeDB.VulnerabilityBlob{ + ID: "GHSA-qc55-vm3j-74gp", + Description: "JSNAPy allows unprivileged local users to alter files under the directory", + References: []grypeDB.Reference{ + { + URL: "https://github.com/advisories/GHSA-qc55-vm3j-74gp", + }, + { + URL: "https://nvd.nist.gov/vuln/detail/CVE-2018-0023", + }, + { + URL: "https://kb.juniper.net/JSA10856", + }, + { + URL: "https://github.com/pypa/advisory-database/tree/main/vulns/jsnapy/PYSEC-2018-84.yaml", + }, + { + URL: "https://web.archive.org/web/20200227125151/http://www.securityfocus.com/bid/103745", + }, + }, + Aliases: []string{"CVE-2018-0023"}, + Severities: []grypeDB.Severity{ + { + Scheme: grypeDB.SeveritySchemeCHML, + Value: "high", + }, + { + Scheme: grypeDB.SeveritySchemeCVSS, + Value: grypeDB.CVSSSeverity{ + Vector: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + Version: "3.0", + }, + }, + { + Scheme: grypeDB.SeveritySchemeCVSS, + Value: grypeDB.CVSSSeverity{ + Vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", + Version: "4.0", + }, + }, + }, + }, + }, + }, + }, } for _, tt := range tests { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/pkg/process/v6/transformers/nvd/transform.go new/grype-db-0.51.0/pkg/process/v6/transformers/nvd/transform.go --- old/grype-db-0.50.0/pkg/process/v6/transformers/nvd/transform.go 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/pkg/process/v6/transformers/nvd/transform.go 2026-02-06 
13:53:02.000000000 +0100 @@ -357,51 +357,5 @@ }) } - return deduplicateReferences(references) -} - -// deduplicateReferences removes duplicate references, where two references are considered -// identical if they have the same URL and their normalized, sorted tags are equal -func deduplicateReferences(references []grypeDB.Reference) []grypeDB.Reference { - var result []grypeDB.Reference - seenBefore := make(map[string][]grypeDB.Reference) - for _, ref := range references { - if _, anySeenRefs := seenBefore[ref.URL]; !anySeenRefs { - seenBefore[ref.URL] = []grypeDB.Reference{ref} - result = append(result, ref) - continue - } - alreadySeenRefs := seenBefore[ref.URL] - isDuplicate := false - // Check if this reference already exists for this URL - for _, already := range alreadySeenRefs { - if refsAreEqual(already, ref) { - isDuplicate = true - break - } - } - if !isDuplicate { - seenBefore[ref.URL] = append(seenBefore[ref.URL], ref) - result = append(result, ref) - } - } - - return result -} - -func refsAreEqual(a, b grypeDB.Reference) bool { - if a.URL != b.URL { - return false - } - - if len(a.Tags) != len(b.Tags) { - return false - } - - for i := range a.Tags { - if a.Tags[i] != b.Tags[i] { - return false - } - } - return true + return transformers.DeduplicateReferences(references) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/pkg/process/v6/transformers/references.go new/grype-db-0.51.0/pkg/process/v6/transformers/references.go --- old/grype-db-0.50.0/pkg/process/v6/transformers/references.go 1970-01-01 01:00:00.000000000 +0100 +++ new/grype-db-0.51.0/pkg/process/v6/transformers/references.go 2026-02-06 13:53:02.000000000 +0100 
@@ -0,0 +1,49 @@
+package transformers
+
+import grypeDB "github.com/anchore/grype/grype/db/v6"
+
+// deduplicateReferences removes duplicate references, where two references are considered
+// identical if they have the same URL and their normalized, sorted tags are equal
+func DeduplicateReferences(references []grypeDB.Reference) []grypeDB.Reference {
+ var result []grypeDB.Reference
+ seenBefore := make(map[string][]grypeDB.Reference)
+ for _, ref := range references {
+ if _, anySeenRefs := seenBefore[ref.URL]; !anySeenRefs {
+ seenBefore[ref.URL] = []grypeDB.Reference{ref}
+ result = append(result, ref)
+ continue
+ }
+ alreadySeenRefs := seenBefore[ref.URL]
+ isDuplicate := false
+ // Check if this reference already exists for this URL
+ for _, already := range alreadySeenRefs {
+ if refsAreEqual(already, ref) {
+ isDuplicate = true
+ break
+ }
+ }
+ if !isDuplicate {
+ seenBefore[ref.URL] = append(seenBefore[ref.URL], ref)
+ result = append(result, ref)
+ }
+ }
+
+ return result
+}
+
+func refsAreEqual(a, b grypeDB.Reference) bool {
+ if a.URL != b.URL {
+ return false
+ }
+
+ if len(a.Tags) != len(b.Tags) {
+ return false
+ }
+
+ for i := range a.Tags {
+ if a.Tags[i] != b.Tags[i] {
+ return false
+ }
+ }
+ return true
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/pkg/provider/unmarshal/github_advisory.go new/grype-db-0.51.0/pkg/provider/unmarshal/github_advisory.go
--- old/grype-db-0.50.0/pkg/provider/unmarshal/github_advisory.go 2026-01-30 00:06:00.000000000 +0100
+++ new/grype-db-0.51.0/pkg/provider/unmarshal/github_advisory.go 2026-02-06 13:53:02.000000000 +0100
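Review bot: The doc comment still opens with the unexported name `deduplicateReferences` although the function is now exported as `DeduplicateReferences`, and it promises a comparison of "normalized, sorted tags" that this file does not perform: `refsAreEqual` compares `Tags` element by element in the order given. Either callers must sort and normalise tags beforehand, which is not visible here, or two references that differ only in tag order are kept as separate entries. I would reword the comment to `// DeduplicateReferences removes duplicate references; two references are duplicates when their URLs match and their Tags are equal element by element, so callers must pass tags already sorted.` A one-line comment on `refsAreEqual` stating that the comparison is order-sensitive would also help, now that the GitHub transformer shares this helper with the NVD one.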
@@ -19,18 +19,25 @@ VectorString string `json:"vector_string"` Version string `json:"version"` } `json:"CVSS"` + CVSSSeverities []*struct { + Vector string `json:"vector"` + Version string `json:"version"` + } `json:"cvss_severities"` FixedIn []GithubFixedIn `json:"FixedIn"` Metadata struct { CVE []string `json:"CVE"` } `json:"Metadata"` - Severity string `json:"Severity"` - Summary string `json:"Summary"` - GhsaID string `json:"ghsaId"` - Namespace string `json:"namespace"` - URL string `json:"url"` - Published string `json:"published"` - Updated string `json:"updated"` - Withdrawn string `json:"withdrawn"` + Severity string `json:"Severity"` + Summary string `json:"Summary"` + GhsaID string `json:"ghsaId"` + Namespace string `json:"namespace"` + URL string `json:"url"` + Published string `json:"published"` + Updated string `json:"updated"` + Withdrawn string `json:"withdrawn"` + References []*struct { + URL string `json:"url"` + } `json:"references"` } `json:"Advisory"` } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/pyproject.toml new/grype-db-0.51.0/pyproject.toml --- old/grype-db-0.50.0/pyproject.toml 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/pyproject.toml 2026-02-06 13:53:02.000000000 +0100 
@@ -152,7 +152,7 @@ "PLW2901", # "Outer for loop variable X overwritten by inner assignment target", not useful in most cases "RUF100", # no blanket "noqa" usage, can be improved over time, but not now "TRY003", # specifying long messages outside the exception class is excellent context! why is this an antipattern? - "UP038", # Use `X | Y` in `isinstance` call instead of `(X, Y)` -- not compatible with python 3.9 (even with __future__ import) + "COM812", # conflicts with ruff formatter ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/test/db/acceptance.sh new/grype-db-0.51.0/test/db/acceptance.sh --- old/grype-db-0.50.0/test/db/acceptance.sh 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/test/db/acceptance.sh 2026-02-06 13:53:02.000000000 +0100 @@ -17,7 +17,7 @@ title "Building DB" fi -DB_ID=$(grype-db-manager -v db build --schema-version $SCHEMA_VERSION) +DB_ID=$(grype-db-manager -v -c ./config/grype-db-manager/acceptance-pr.yaml db build --schema-version $SCHEMA_VERSION) if [ -z "$DB_ID" ]; then echo "Failed to create DB instance" @@ -26,4 +26,4 @@ title "Validating DB" -grype-db-manager -vv db validate $DB_ID +grype-db-manager -vv -c ./config/grype-db-manager/acceptance-pr.yaml db validate $DB_ID diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.50.0/uv.lock new/grype-db-0.51.0/uv.lock --- old/grype-db-0.50.0/uv.lock 2026-01-30 00:06:00.000000000 +0100 +++ new/grype-db-0.51.0/uv.lock 2026-02-06 13:53:02.000000000 +0100 
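Review bot: In test/db/acceptance.sh both changed command lines expand `$SCHEMA_VERSION` and `$DB_ID` unquoted, so an empty `SCHEMA_VERSION` leaves `--schema-version` without a value and any whitespace in either variable is word-split into extra arguments; quoting them as `"$SCHEMA_VERSION"` and `"$DB_ID"` avoids that. The config path `./config/grype-db-manager/acceptance-pr.yaml` is written out twice and is relative to the working directory, which these hunks do not show being set. Defining it once near the top, e.g. `CONFIG=./config/grype-db-manager/acceptance-pr.yaml`, and passing `-c "$CONFIG"` would make that dependency explicit. The rest of the script lies outside these hunks.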
@@ -4,30 +4,30 @@ [[package]] name = "boto3" -version = "1.42.29" +version = "1.42.38" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "botocore" }, { name = "jmespath" }, { name = "s3transfer" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/5c/24/1dd85b64004103c2e60476d0fa8d78435f5fed9db1129cd2cd332784037a/boto3-1.42.29.tar.gz", hash = "sha256:247e54f24116ad6792cfc14b274288383af3ec3433b0547da8a14a8bd6e81950", size = 112810, upload-time = "2026-01-15T20:36:39.404Z" } +sdist = { url = "https://files.pythonhosted.org/packages/e8/38/1e5eb348e41d97ca2b6164df28501409c2fe9bd34455c256dd87644b7c0e/boto3-1.42.38.tar.gz", hash = "sha256:af2e5c08972d35fa4b4bc457031794343a6ddb1df5692db43302d5b5feaac23e", size = 112852, upload-time = "2026-01-29T20:39:37.786Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/51/30/2c25d7be8418e7f137ffece6097c68199dbd6996da645ec9b5a5a9647123/boto3-1.42.29-py3-none-any.whl", hash = "sha256:6c9c4dece67bf72d82ba7dff48e33a56a87cdf9b16c8887f88ca7789a95d3317", size = 140574, upload-time = "2026-01-15T20:36:37.206Z" }, + { url = "https://files.pythonhosted.org/packages/ec/98/22e5f4f5ced6cf1aface4b438307a157e9cb7a4bcbd19f4b9dec89b0fe33/boto3-1.42.38-py3-none-any.whl", hash = "sha256:b5a748b3fdddba8aa2988af0e462996ef72dc2760b0eab30329b9d201d4b38f2", size = 140606, upload-time = "2026-01-29T20:39:36.641Z" }, ] [[package]] name = "botocore" -version = "1.42.30" +version = "1.42.42" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "jmespath" }, { name = "python-dateutil" }, { name = "urllib3" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/44/38/23862628a0eb044c8b8b3d7a9ad1920b3bfd6bce6d746d5a871e8382c7e4/botocore-1.42.30.tar.gz", hash = "sha256:9bf1662b8273d5cc3828a49f71ca85abf4e021011c1f0a71f41a2ea5769a5116", size = 14891439, upload-time = "2026-01-16T20:37:13.77Z" } +sdist = { url = 
"https://files.pythonhosted.org/packages/7d/96/4eca9755ca444402c46c73cc8ff252c8eb73ab0ccf35ca76d89e7b7820ac/botocore-1.42.42.tar.gz", hash = "sha256:cb75639f5ba7bf73b83ac18bcd87f07b7f484f302748da974dad2801a83a1d60", size = 14926585, upload-time = "2026-02-04T20:28:33.66Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/3d/8d/6d7b016383b1f74dd93611b1c5078bbaddaca901553ab886dcda87cae365/botocore-1.42.30-py3-none-any.whl", hash = "sha256:97070a438cac92430bb7b65f8ebd7075224f4a289719da4ee293d22d1e98db02", size = 14566340, upload-time = "2026-01-16T20:37:10.94Z" }, + { url = "https://files.pythonhosted.org/packages/e6/51/aac7e419521d5519e13087a7198623655648c939822bd7f4bdc9ccbe07f9/botocore-1.42.42-py3-none-any.whl", hash = "sha256:1c9df5fc31e9073a9aa956271c4007d72f5d342cafca5f4154ea099bc6f83085", size = 14600186, upload-time = "2026-02-04T20:28:29.268Z" }, ] [[package]] 
@@ -908,28 +908,28 @@ [[package]] name = "ruff" -version = "0.14.13" +version = "0.14.14" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/50/0a/1914efb7903174b381ee2ffeebb4253e729de57f114e63595114c8ca451f/ruff-0.14.13.tar.gz", hash = "sha256:83cd6c0763190784b99650a20fec7633c59f6ebe41c5cc9d45ee42749563ad47", size = 6059504, upload-time = "2026-01-15T20:15:16.918Z" } +sdist = { url = "https://files.pythonhosted.org/packages/2e/06/f71e3a86b2df0dfa2d2f72195941cd09b44f87711cb7fa5193732cb9a5fc/ruff-0.14.14.tar.gz", hash = "sha256:2d0f819c9a90205f3a867dbbd0be083bee9912e170fd7d9704cc8ae45824896b", size = 4515732, upload-time = "2026-01-22T22:30:17.527Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/c3/ae/0deefbc65ca74b0ab1fd3917f94dc3b398233346a74b8bbb0a916a1a6bf6/ruff-0.14.13-py3-none-linux_armv6l.whl", hash = "sha256:76f62c62cd37c276cb03a275b198c7c15bd1d60c989f944db08a8c1c2dbec18b", size = 13062418, upload-time = "2026-01-15T20:14:50.779Z" }, - { url = "https://files.pythonhosted.org/packages/47/df/5916604faa530a97a3c154c62a81cb6b735c0cb05d1e26d5ad0f0c8ac48a/ruff-0.14.13-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:914a8023ece0528d5cc33f5a684f5f38199bbb566a04815c2c211d8f40b5d0ed", size = 13442344, upload-time = "2026-01-15T20:15:07.94Z" }, - { url = "https://files.pythonhosted.org/packages/4c/f3/e0e694dd69163c3a1671e102aa574a50357536f18a33375050334d5cd517/ruff-0.14.13-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d24899478c35ebfa730597a4a775d430ad0d5631b8647a3ab368c29b7e7bd063", size = 12354720, upload-time = "2026-01-15T20:15:09.854Z" }, - { url = "https://files.pythonhosted.org/packages/c3/e8/67f5fcbbaee25e8fc3b56cc33e9892eca7ffe09f773c8e5907757a7e3bdb/ruff-0.14.13-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9aaf3870f14d925bbaf18b8a2347ee0ae7d95a2e490e4d4aea6813ed15ebc80e", size = 12774493, upload-time = "2026-01-15T20:15:20.908Z" }, - { url = 
"https://files.pythonhosted.org/packages/6b/ce/d2e9cb510870b52a9565d885c0d7668cc050e30fa2c8ac3fb1fda15c083d/ruff-0.14.13-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ac5b7f63dd3b27cc811850f5ffd8fff845b00ad70e60b043aabf8d6ecc304e09", size = 12815174, upload-time = "2026-01-15T20:15:05.74Z" }, - { url = "https://files.pythonhosted.org/packages/88/00/c38e5da58beebcf4fa32d0ddd993b63dfacefd02ab7922614231330845bf/ruff-0.14.13-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:78d2b1097750d90ba82ce4ba676e85230a0ed694178ca5e61aa9b459970b3eb9", size = 13680909, upload-time = "2026-01-15T20:15:14.537Z" }, - { url = "https://files.pythonhosted.org/packages/61/61/cd37c9dd5bd0a3099ba79b2a5899ad417d8f3b04038810b0501a80814fd7/ruff-0.14.13-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:7d0bf87705acbbcb8d4c24b2d77fbb73d40210a95c3903b443cd9e30824a5032", size = 15144215, upload-time = "2026-01-15T20:15:22.886Z" }, - { url = "https://files.pythonhosted.org/packages/56/8a/85502d7edbf98c2df7b8876f316c0157359165e16cdf98507c65c8d07d3d/ruff-0.14.13-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a3eb5da8e2c9e9f13431032fdcbe7681de9ceda5835efee3269417c13f1fed5c", size = 14706067, upload-time = "2026-01-15T20:14:48.271Z" }, - { url = "https://files.pythonhosted.org/packages/7e/2f/de0df127feb2ee8c1e54354dc1179b4a23798f0866019528c938ba439aca/ruff-0.14.13-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:642442b42957093811cd8d2140dfadd19c7417030a7a68cf8d51fcdd5f217427", size = 14133916, upload-time = "2026-01-15T20:14:57.357Z" }, - { url = "https://files.pythonhosted.org/packages/0d/77/9b99686bb9fe07a757c82f6f95e555c7a47801a9305576a9c67e0a31d280/ruff-0.14.13-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4acdf009f32b46f6e8864af19cbf6841eaaed8638e65c8dac845aea0d703c841", size = 13859207, upload-time = "2026-01-15T20:14:55.111Z" }, - { url = 
"https://files.pythonhosted.org/packages/7d/46/2bdcb34a87a179a4d23022d818c1c236cb40e477faf0d7c9afb6813e5876/ruff-0.14.13-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:591a7f68860ea4e003917d19b5c4f5ac39ff558f162dc753a2c5de897fd5502c", size = 14043686, upload-time = "2026-01-15T20:14:52.841Z" }, - { url = "https://files.pythonhosted.org/packages/1a/a9/5c6a4f56a0512c691cf143371bcf60505ed0f0860f24a85da8bd123b2bf1/ruff-0.14.13-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:774c77e841cc6e046fc3e91623ce0903d1cd07e3a36b1a9fe79b81dab3de506b", size = 12663837, upload-time = "2026-01-15T20:15:18.921Z" }, - { url = "https://files.pythonhosted.org/packages/fe/bb/b920016ece7651fa7fcd335d9d199306665486694d4361547ccb19394c44/ruff-0.14.13-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:61f4e40077a1248436772bb6512db5fc4457fe4c49e7a94ea7c5088655dd21ae", size = 12805867, upload-time = "2026-01-15T20:14:59.272Z" }, - { url = "https://files.pythonhosted.org/packages/7d/b3/0bd909851e5696cd21e32a8fc25727e5f58f1934b3596975503e6e85415c/ruff-0.14.13-py3-none-musllinux_1_2_i686.whl", hash = "sha256:6d02f1428357fae9e98ac7aa94b7e966fd24151088510d32cf6f902d6c09235e", size = 13208528, upload-time = "2026-01-15T20:15:03.732Z" }, - { url = "https://files.pythonhosted.org/packages/3b/3b/e2d94cb613f6bbd5155a75cbe072813756363eba46a3f2177a1fcd0cd670/ruff-0.14.13-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:e399341472ce15237be0c0ae5fbceca4b04cd9bebab1a2b2c979e015455d8f0c", size = 13929242, upload-time = "2026-01-15T20:15:11.918Z" }, - { url = "https://files.pythonhosted.org/packages/6a/c5/abd840d4132fd51a12f594934af5eba1d5d27298a6f5b5d6c3be45301caf/ruff-0.14.13-py3-none-win32.whl", hash = "sha256:ef720f529aec113968b45dfdb838ac8934e519711da53a0456038a0efecbd680", size = 12919024, upload-time = "2026-01-15T20:14:43.647Z" }, - { url = "https://files.pythonhosted.org/packages/c2/55/6384b0b8ce731b6e2ade2b5449bf07c0e4c31e8a2e68ea65b3bafadcecc5/ruff-0.14.13-py3-none-win_amd64.whl", hash = 
"sha256:6070bd026e409734b9257e03e3ef18c6e1a216f0435c6751d7a8ec69cb59abef", size = 14097887, upload-time = "2026-01-15T20:15:01.48Z" }, - { url = "https://files.pythonhosted.org/packages/4d/e1/7348090988095e4e39560cfc2f7555b1b2a7357deba19167b600fdf5215d/ruff-0.14.13-py3-none-win_arm64.whl", hash = "sha256:7ab819e14f1ad9fe39f246cfcc435880ef7a9390d81a2b6ac7e01039083dd247", size = 13080224, upload-time = "2026-01-15T20:14:45.853Z" }, + { url = "https://files.pythonhosted.org/packages/d2/89/20a12e97bc6b9f9f68343952da08a8099c57237aef953a56b82711d55edd/ruff-0.14.14-py3-none-linux_armv6l.whl", hash = "sha256:7cfe36b56e8489dee8fbc777c61959f60ec0f1f11817e8f2415f429552846aed", size = 10467650, upload-time = "2026-01-22T22:30:08.578Z" }, + { url = "https://files.pythonhosted.org/packages/a3/b1/c5de3fd2d5a831fcae21beda5e3589c0ba67eec8202e992388e4b17a6040/ruff-0.14.14-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:6006a0082336e7920b9573ef8a7f52eec837add1265cc74e04ea8a4368cd704c", size = 10883245, upload-time = "2026-01-22T22:30:04.155Z" }, + { url = "https://files.pythonhosted.org/packages/b8/7c/3c1db59a10e7490f8f6f8559d1db8636cbb13dccebf18686f4e3c9d7c772/ruff-0.14.14-py3-none-macosx_11_0_arm64.whl", hash = "sha256:026c1d25996818f0bf498636686199d9bd0d9d6341c9c2c3b62e2a0198b758de", size = 10231273, upload-time = "2026-01-22T22:30:34.642Z" }, + { url = "https://files.pythonhosted.org/packages/a1/6e/5e0e0d9674be0f8581d1f5e0f0a04761203affce3232c1a1189d0e3b4dad/ruff-0.14.14-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f666445819d31210b71e0a6d1c01e24447a20b85458eea25a25fe8142210ae0e", size = 10585753, upload-time = "2026-01-22T22:30:31.781Z" }, + { url = "https://files.pythonhosted.org/packages/23/09/754ab09f46ff1884d422dc26d59ba18b4e5d355be147721bb2518aa2a014/ruff-0.14.14-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3c0f18b922c6d2ff9a5e6c3ee16259adc513ca775bcf82c67ebab7cbd9da5bc8", size = 10286052, upload-time = 
"2026-01-22T22:30:24.827Z" }, + { url = "https://files.pythonhosted.org/packages/c8/cc/e71f88dd2a12afb5f50733851729d6b571a7c3a35bfdb16c3035132675a0/ruff-0.14.14-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1629e67489c2dea43e8658c3dba659edbfd87361624b4040d1df04c9740ae906", size = 11043637, upload-time = "2026-01-22T22:30:13.239Z" }, + { url = "https://files.pythonhosted.org/packages/67/b2/397245026352494497dac935d7f00f1468c03a23a0c5db6ad8fc49ca3fb2/ruff-0.14.14-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:27493a2131ea0f899057d49d303e4292b2cae2bb57253c1ed1f256fbcd1da480", size = 12194761, upload-time = "2026-01-22T22:30:22.542Z" }, + { url = "https://files.pythonhosted.org/packages/5b/06/06ef271459f778323112c51b7587ce85230785cd64e91772034ddb88f200/ruff-0.14.14-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:01ff589aab3f5b539e35db38425da31a57521efd1e4ad1ae08fc34dbe30bd7df", size = 12005701, upload-time = "2026-01-22T22:30:20.499Z" }, + { url = "https://files.pythonhosted.org/packages/41/d6/99364514541cf811ccc5ac44362f88df66373e9fec1b9d1c4cc830593fe7/ruff-0.14.14-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1cc12d74eef0f29f51775f5b755913eb523546b88e2d733e1d701fe65144e89b", size = 11282455, upload-time = "2026-01-22T22:29:59.679Z" }, + { url = "https://files.pythonhosted.org/packages/ca/71/37daa46f89475f8582b7762ecd2722492df26421714a33e72ccc9a84d7a5/ruff-0.14.14-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bb8481604b7a9e75eff53772496201690ce2687067e038b3cc31aaf16aa0b974", size = 11215882, upload-time = "2026-01-22T22:29:57.032Z" }, + { url = "https://files.pythonhosted.org/packages/2c/10/a31f86169ec91c0705e618443ee74ede0bdd94da0a57b28e72db68b2dbac/ruff-0.14.14-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:14649acb1cf7b5d2d283ebd2f58d56b75836ed8c6f329664fa91cdea19e76e66", size = 11180549, upload-time = "2026-01-22T22:30:27.175Z" }, + { 
url = "https://files.pythonhosted.org/packages/fd/1e/c723f20536b5163adf79bdd10c5f093414293cdf567eed9bdb7b83940f3f/ruff-0.14.14-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:e8058d2145566510790eab4e2fad186002e288dec5e0d343a92fe7b0bc1b3e13", size = 10543416, upload-time = "2026-01-22T22:30:01.964Z" }, + { url = "https://files.pythonhosted.org/packages/3e/34/8a84cea7e42c2d94ba5bde1d7a4fae164d6318f13f933d92da6d7c2041ff/ruff-0.14.14-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:e651e977a79e4c758eb807f0481d673a67ffe53cfa92209781dfa3a996cf8412", size = 10285491, upload-time = "2026-01-22T22:30:29.51Z" }, + { url = "https://files.pythonhosted.org/packages/55/ef/b7c5ea0be82518906c978e365e56a77f8de7678c8bb6651ccfbdc178c29f/ruff-0.14.14-py3-none-musllinux_1_2_i686.whl", hash = "sha256:cc8b22da8d9d6fdd844a68ae937e2a0adf9b16514e9a97cc60355e2d4b219fc3", size = 10733525, upload-time = "2026-01-22T22:30:06.499Z" }, + { url = "https://files.pythonhosted.org/packages/6a/5b/aaf1dfbcc53a2811f6cc0a1759de24e4b03e02ba8762daabd9b6bd8c59e3/ruff-0.14.14-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:16bc890fb4cc9781bb05beb5ab4cd51be9e7cb376bf1dd3580512b24eb3fda2b", size = 11315626, upload-time = "2026-01-22T22:30:36.848Z" }, + { url = "https://files.pythonhosted.org/packages/2c/aa/9f89c719c467dfaf8ad799b9bae0df494513fb21d31a6059cb5870e57e74/ruff-0.14.14-py3-none-win32.whl", hash = "sha256:b530c191970b143375b6a68e6f743800b2b786bbcf03a7965b06c4bf04568167", size = 10502442, upload-time = "2026-01-22T22:30:38.93Z" }, + { url = "https://files.pythonhosted.org/packages/87/44/90fa543014c45560cae1fffc63ea059fb3575ee6e1cb654562197e5d16fb/ruff-0.14.14-py3-none-win_amd64.whl", hash = "sha256:3dde1435e6b6fe5b66506c1dff67a421d0b7f6488d466f651c07f4cab3bf20fd", size = 11630486, upload-time = "2026-01-22T22:30:10.852Z" }, + { url = "https://files.pythonhosted.org/packages/9e/6a/40fee331a52339926a92e17ae748827270b288a35ef4a15c9c8f2ec54715/ruff-0.14.14-py3-none-win_arm64.whl", hash = 
"sha256:56e6981a98b13a32236a72a8da421d7839221fa308b223b9283312312e5ac76c", size = 10920448, upload-time = "2026-01-22T22:30:15.417Z" }, ] [[package]] @@ -1091,7 +1091,7 @@ [[package]] name = "uv-dynamic-versioning" -version = "0.12.0" +version = "0.13.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "dunamai" }, @@ -1099,9 +1099,9 @@ { name = "jinja2" }, { name = "tomlkit" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/ac/ae/66c95eca70db2a0d01212f05c6cb589e0668532daad10bbbf434f82ccfe7/uv_dynamic_versioning-0.12.0.tar.gz", hash = "sha256:e853e0c5b2425a68005580325d4975a8c37b66015589ca45ef96e660fe0f8f16", size = 41499, upload-time = "2025-12-14T00:47:40.774Z" } +sdist = { url = "https://files.pythonhosted.org/packages/24/b7/46e3106071b85016237f6de589e99f614565d10a16af17b374d003272076/uv_dynamic_versioning-0.13.0.tar.gz", hash = "sha256:3220cbf10987d862d78e9931957782a274fa438d33efb1fa26b8155353749e06", size = 38797, upload-time = "2026-01-19T09:45:33.366Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/b4/8b/1dace94e7786f40e5cbcebb3a43365832798e497bbbb7281557cef72cb4c/uv_dynamic_versioning-0.12.0-py3-none-any.whl", hash = "sha256:2d2f1fb806c2e351d0d0a3840aaf7b3c6ce73757080b1ada4ac5dc44f7dd4c9e", size = 11477, upload-time = "2025-12-14T00:47:39.305Z" }, + { url = "https://files.pythonhosted.org/packages/28/4f/15d9ec8aaed4a78aca1b8f0368f0cdd3cca8a04a81edbf03bc9e12c1a188/uv_dynamic_versioning-0.13.0-py3-none-any.whl", hash = "sha256:86d37b89fa2b6836a515301f74ea2d56a1bc59a46a74d66a24c869d1fc8f7585", size = 11480, upload-time = "2026-01-19T09:45:32.002Z" }, ] [[package]] @@ -1189,7 +1189,7 @@ [[package]] name = "yardstick" -version = "0.15.0" +version = "0.16.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "click" }, 
@@ -1207,9 +1207,9 @@ { name = "xxhash" }, { name = "zstandard" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/e4/6b/3c3884d01e0c5a8c288e2effe840967ce38668ae30b30e8c9d97a75b5a30/yardstick-0.15.0.tar.gz", hash = "sha256:980e205f93a495db6f233062491eb974b3d0d3d0a766e9a70c15abd99db12192", size = 149600, upload-time = "2025-10-23T20:51:57.365Z" } +sdist = { url = "https://files.pythonhosted.org/packages/83/48/cf4e4e9ccc2d6195e5a5b9ff218de8694ce39b5844aadc8e97fb94e24634/yardstick-0.16.0.tar.gz", hash = "sha256:ffa894be5f39a5c746f7c3fe1bf86186f00e03565b3734b9cbd6b6a32f276018", size = 181740, upload-time = "2026-01-26T21:22:52.711Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/27/f0/82c2ba7953eb72f82a91aa6db35cccd35fdcdedc1529a4d754bc63cfd909/yardstick-0.15.0-py3-none-any.whl", hash = "sha256:b60433e9cba8f0a82d8b533a42d6e63bf822899561c7e974e23ba44fd7d10457", size = 94886, upload-time = "2025-10-23T20:51:55.93Z" }, + { url = "https://files.pythonhosted.org/packages/3e/f4/14a0f44365050169f3100e19ca4a17f0aa0ef03b5a6458b580ad57001f7e/yardstick-0.16.0-py3-none-any.whl", hash = "sha256:2fffeb11af224f95ea39736931158317bb34ec4e72903749c6568f17b26d731f", size = 105772, upload-time = "2026-01-26T21:22:53.852Z" }, ] [[package]] ++++++ grype-db.obsinfo ++++++ --- /var/tmp/diff_new_pack.9weiQt/_old 2026-02-09 15:35:24.400799412 +0100 +++ /var/tmp/diff_new_pack.9weiQt/_new 2026-02-09 15:35:24.420800253 +0100 @@ -1,5 +1,5 @@ name: grype-db -version: 0.50.0 -mtime: 1769727960 -commit: ebc5f8151645415711407e8edc248df8c89d5195 +version: 0.51.0 +mtime: 1770382382 +commit: 013670be3fbdc9eea9e85f19c549aa48f8320e55 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/grype-db/vendor.tar.gz /work/SRC/openSUSE:Factory/.grype-db.new.1670/vendor.tar.gz differ: char 132, line 1
