Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package reimage for openSUSE:Factory checked in at 2026-04-09 16:11:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/reimage (Old) and /work/SRC/openSUSE:Factory/.reimage.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "reimage" Thu Apr 9 16:11:46 2026 rev:5 rq:1345508 version:0.12.1 Changes: -------- --- /work/SRC/openSUSE:Factory/reimage/reimage.changes 2026-04-04 19:07:17.668822641 +0200 +++ /work/SRC/openSUSE:Factory/.reimage.new.21863/reimage.changes 2026-04-09 16:24:36.558177280 +0200 @@ -1,0 +2,12 @@ +Thu Apr 09 07:37:41 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.12.1: + * Features + - e2699ec feat(vulncheck): improve error reporting for exec + errors + * Bug fixes + - c2cad68 fix(vulncheck): small tweak to error checking + * Others + - 68cc02c Merge pull request #72 from cerbos/vulnchecklog + +------------------------------------------------------------------- Old: ---- reimage-0.12.0.obscpio New: ---- reimage-0.12.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ reimage.spec ++++++ --- /var/tmp/diff_new_pack.dWy4ek/_old 2026-04-09 16:24:37.590219756 +0200 +++ /var/tmp/diff_new_pack.dWy4ek/_new 2026-04-09 16:24:37.590219756 +0200 @@ -17,7 +17,7 @@ Name: reimage -Version: 0.12.0 +Version: 0.12.1 Release: 0 Summary: Tool for mass update of images for kubernetes manifests License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.dWy4ek/_old 2026-04-09 16:24:37.630221402 +0200 +++ /var/tmp/diff_new_pack.dWy4ek/_new 2026-04-09 16:24:37.638221731 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/cerbos/reimage</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.12.0</param> + <param name="revision">v0.12.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> 
@@ -11,7 +11,7 @@ <service name="set_version" mode="manual"> </service> <service name="go_modules" mode="manual"> - <param name="basename">reimage-0.12.0</param> + <param name="basename">reimage-0.12.1</param> </service> <!-- services below are running at buildtime --> <service name="tar" mode="buildtime"> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.dWy4ek/_old 2026-04-09 16:24:37.662222719 +0200 +++ /var/tmp/diff_new_pack.dWy4ek/_new 2026-04-09 16:24:37.666222884 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/cerbos/reimage</param> - <param name="changesrevision">e377b75b18b7ef5552b2b7892f23c170d66d70f0</param></service></servicedata> + <param name="changesrevision">68cc02cd57b7b1d1f0667496aed61db5cda43d76</param></service></servicedata> (No newline at EOF) ++++++ reimage-0.12.0.obscpio -> reimage-0.12.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/reimage-0.12.0/cmd/reimage/main.go new/reimage-0.12.1/cmd/reimage/main.go --- old/reimage-0.12.0/cmd/reimage/main.go 2026-04-02 13:05:19.000000000 +0200 +++ new/reimage-0.12.1/cmd/reimage/main.go 2026-04-08 11:21:07.000000000 +0200 @@ -16,6 +16,7 @@ "log/slog" "maps" "os" + "os/exec" "regexp" "slices" "strings" 
@@ -122,7 +123,7 @@ flag.StringVar(&a.GrafeasParent, "grafeas-parent", "", "value for the parent of the grafeas client (e.g. \"project/my-project-id\" for GCP") - flag.StringVar(&a.VulnCheckCommand, "vulncheck-command", "grype -q --by-cve -o json", "the command to run to retrieve vulnerability scans in trivy's JSON format (the image id will be added as an additional arg") + flag.StringVar(&a.VulnCheckCommand, "vulncheck-command", "grype --by-cve -o json", "the command to run to retrieve vulnerability scans in trivy's JSON format (the image id will be added as an additional arg") flag.StringVar(&a.VulnCheckFormat, "vulncheck-format", "grype-json", fmt.Sprintf("the output format of the vulncheck-command (%s)", strings.Join(reimage.VulnOutputFormats, ","))) flag.StringVar(&a.BinAuthzAttestor, "binauthz-attestor", "", "Google BinAuthz Attestor (e.g. projects/myproj/attestors/myattestor)") @@ -154,7 +155,7 @@ } if !slices.Contains(reimage.VulnOutputFormats, a.VulnCheckFormat) { - return &a, fmt.Errorf("unknown vulnerability command output format %q", a.VulnCheckFormat) + return &a, reimage.InvalidVulncheckOutputFormatError(a.VulnCheckFormat) } // What follows is horrid, and probably a sign of some abstraction breakdown @@ -465,7 +466,7 @@ cres, err := checker.Check(vcCtx, dig) if err != nil { - errs[i] = fmt.Errorf("image check failed %q, %w", img, err) + errs[i] = fmt.Errorf("image check failed %q, %w", img.Tag, err) return } @@ -487,6 +488,11 @@ // directly return err } + if _, ok := errors.AsType[reimage.InvalidVulncheckOutputFormatError](err); ok { + // if the vulcheck output format was invalid, just return that once + // directly + return err + } } maps.Copy(imgs, res) 
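Review bot: The `-vulncheck-command` help string in the first hunk (-122,7) still says the command must produce "trivy's JSON format" and never closes its parenthesis, while the default next to it is grype and `-vulncheck-format` defaults to `grype-json`. Since the line is being edited anyway, I would reword the description to `"the command to run to retrieve vulnerability scans, in the format named by -vulncheck-format (the image id is appended as an additional arg)"`. How this string is split into an argv is not visible in the hunk, so it would also help operators if the help text said whether shell quoting is honoured.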
@@ -608,6 +614,24 @@ } continue } + if err, ok := errors.AsType[*reimage.ExecVulncheckCommandError](err); ok && err != nil { + attrs := []any{ + slog.String("err", err.Error()), + slog.String("image", err.Image), + slog.String("cmd", strings.Join(err.Command, " ")), + } + execErr := &exec.ExitError{} + if errors.As(err.Err, &execErr) { + attrs = append(attrs, slog.String("stderr", string(execErr.Stderr))) + } + + log.ErrorContext( + ctx, + "vulncheck exec failed", + attrs..., + ) + continue + } log.ErrorContext(ctx, fmt.Errorf("vulncheck failed, %w", err).Error()) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/reimage-0.12.0/vulnparser.go new/reimage-0.12.1/vulnparser.go --- old/reimage-0.12.0/vulnparser.go 2026-04-02 13:05:19.000000000 +0200 +++ new/reimage-0.12.1/vulnparser.go 2026-04-08 11:21:07.000000000 +0200 @@ -8,12 +8,23 @@ "encoding/json" "fmt" "os/exec" + "strings" "github.com/google/go-containerregistry/pkg/name" ) var VulnOutputFormats = []string{"trivy-json", "grype-json"} +type InvalidVulncheckOutputFormatError string + +func (e InvalidVulncheckOutputFormatError) Error() string { + return fmt.Sprintf( + "invalid vulncheck output format %q, (should be one of %s)", + string(e), + strings.Join(VulnOutputFormats, ","), + ) +} + // trivyJSONReport parses the JSON output of trivy -o json. type trivyJSONReport struct { Results []struct { 
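Review bot: The new `vulncheck exec failed` branch logs the full scanner command line and the captured stderr verbatim, so anything sensitive in `-vulncheck-command` (for instance a token passed as a flag) or echoed by the scanner on failure ends up in log storage; no redaction is visible in the hunk. Joining the argv with a space also loses argument boundaries, which makes the logged command ambiguous when an argument contains whitespace; `slog.Any("cmd", err.Command)` keeps it intact. A short comment above `attrs`, such as `// command and scanner stderr are logged verbatim; keep secrets out of -vulncheck-command`, would make that exposure a documented choice. As a smaller style point, `execErr := &exec.ExitError{}` allocates a value that `errors.As` immediately overwrites, and `var execErr *exec.ExitError` is the usual form. The enclosing function starts and ends outside this hunk.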
@@ -92,22 +103,26 @@ return res, nil } +type ExecVulncheckCommandError struct { + Image string + Command []string + Err error +} + +func (eve *ExecVulncheckCommandError) Error() string { + return fmt.Sprintf("failed check of %s, %s", eve.Image, eve.Err.Error()) +} + +func (eve *ExecVulncheckCommandError) Unwrap() error { + return eve.Err +} + type ExecVulnGetter struct { Command []string OutFormat string } func (vc *ExecVulnGetter) GetVulnerabilities(ctx context.Context, dig name.Digest) ([]ImageVulnerability, error) { - args := vc.Command[1:] - args = append(args, dig.String()) - - //nolint:gosec - cmd := exec.CommandContext(ctx, vc.Command[0], args...) - bs, err := cmd.Output() - if err != nil { - return nil, err - } - type parser interface { ParseReport() ([]ImageVulnerability, error) } @@ -120,7 +135,21 @@ case "grype-json": tr = &grypeJSONReport{} default: - return nil, fmt.Errorf("unknown vulnerability scanner output format %q", vc.OutFormat) + return nil, InvalidVulncheckOutputFormatError(vc.OutFormat) + } + + args := vc.Command[1:] + args = append(args, dig.String()) + + //nolint:gosec + cmd := exec.CommandContext(ctx, vc.Command[0], args...) + bs, err := cmd.Output() + if err != nil { + return nil, &ExecVulncheckCommandError{ + Image: dig.Name(), + Command: append([]string{vc.Command[0]}, args...), + Err: err, + } } err = json.Unmarshal(bs, tr) ++++++ reimage.obsinfo ++++++ --- /var/tmp/diff_new_pack.dWy4ek/_old 2026-04-09 16:24:37.810228810 +0200 +++ /var/tmp/diff_new_pack.dWy4ek/_new 2026-04-09 16:24:37.814228975 +0200 @@ -1,5 +1,5 @@ name: reimage -version: 0.12.0 -mtime: 1775127919 -commit: e377b75b18b7ef5552b2b7892f23c170d66d70f0 +version: 0.12.1 +mtime: 1775640067 +commit: 68cc02cd57b7b1d1f0667496aed61db5cda43d76 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/reimage/vendor.tar.gz /work/SRC/openSUSE:Factory/.reimage.new.21863/vendor.tar.gz differ: char 13, line 1
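Review bot: `ExecVulncheckCommandError.Error` calls `eve.Err.Error()` unconditionally, so a value constructed with a nil `Err` panics while it is being formatted. The type and its fields are exported, so the construction site in `GetVulnerabilities` is not necessarily the only one. Formatting with `%v` removes the hazard: `return fmt.Sprintf("failed check of %s, %v", eve.Image, eve.Err)`. Both new exported error types in this file (this one and `InvalidVulncheckOutputFormatError` in the -8,12 hunk) also lack doc comments; a line such as `// ExecVulncheckCommandError reports a failed run of the vulncheck command for one image.` would satisfy the usual Go convention.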
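Review bot: In the relocated exec block of the -120,7 hunk, `args := vc.Command[1:]` followed by `append` can write the digest into the backing array of `vc.Command` whenever that slice has spare capacity, and `vc.Command[0]` panics if the command is empty. The `errs[i]` pattern in main.go suggests checks may run concurrently, in which case the shared append would be a data race, although the call site is not visible here. I would guard with `if len(vc.Command) == 0 { return nil, fmt.Errorf("empty vulncheck command") }` and build a fresh slice with `args := append(append([]string(nil), vc.Command[1:]...), dig.String())`. `GetVulnerabilities` continues past the end of this hunk.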
