Hello community,

here is the log from the commit of package trivy for openSUSE:Factory checked in at 2026-04-28 11:57:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/trivy (Old)
 and      /work/SRC/openSUSE:Factory/.trivy.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "trivy" Tue Apr 28 11:57:40 2026 rev:87 rq:1349537 version:0.70.0 Changes: -------- --- /work/SRC/openSUSE:Factory/trivy/trivy.changes 2026-03-22 14:13:55.169579363 +0100 +++ /work/SRC/openSUSE:Factory/.trivy.new.11940/trivy.changes 2026-04-28 12:01:36.902583722 +0200 
@@ -1,0 +2,98 @@ +Mon Apr 27 08:37:23 UTC 2026 - Dirk Müller <[email protected]> + +- Update to version 0.70.0 ( + bsc#1260193, CVE-2026-33186, + bsc#1260971, CVE-2026-33747, + bsc#1261052, CVE-2026-33748, + bsc#1262389, CVE-2026-39984, + bsc#1262893, CVE-2026-34986): + * release: v0.70.0 [main] (#10105) + * chore(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#10496) + * chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 (#10526) + * chore(deps): bump the common group across 1 directory with 8 updates (#10540) + * chore(deps): bump the docker group across 1 directory with 2 updates (#10538) + * fix: use Development category for GoReleaser discussions (#10530) + * chore(deps): bump testcontainers-go to v0.42.0 (#10531) + * chore: update CODEOWNERS (#10529) + * chore(deps): bump helm.sh/helm/v3 from 3.20.1 to 3.20.2 (#10511) + * chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6 (#10510) + * chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.1 (#10449) + * ci: migrate from mkdocs-material-insiders to mkdocs-material (#10509) + * chore: remove aquasecurity/homebrew-trivy tap from GoReleaser (#10508) + * ci: update runners for workflows that interact with GitHub API (#10502) + * ci: rename tokens and update runners (#10500) + * ci: trigger helm chart publishing via helm-charts workflow (#10474) + * ci: remove ruleset update step from release-please workflow (#10499) + * ci: use large runner and replace ORG_REPO_TOKEN in release-please workflow (#10498) + * ci: trigger rpm/deb deployment via trivy-repo workflow (#10476) + * fix: remove os.Stdout from wazero module config (#10403) + * chore(deps): bump the common group across 1 directory with 22 updates (#10408) + * chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#10407) + * fix(flag): validate template file extension (#10296) + * fix(sbom): preserve Red Hat BuildInfo when scanning SBOMs without layer info (#10378) + * fix: 
handle Go 1.26 GOEXPERIMENT version format change (#10351) + * fix(python): handle multiple version specifiers in requirements.txt (#10361) + * ci: run Trivy version bump in trivy-action (#10272) + * fix(python): nil pointer dereference with optional poetry groups without dependencies (#10359) + * ci: replace personal email with github-actions[bot] in workflows (#10369) + * chore: replace smithy epoch parsing with stdlib time.Unix (#10286) + * test: update golden files for purl changes (#10372) + * ci: add zizmor to scan GitHub Actions workflows (#10322) + * refactor: log statuses as strings (#10285) + * ci: add build provenance attestations for release artifacts (#10316) + * fix(sbom): add NOASSERTION for licenseDeclared/licenseConcluded in SPDX non-library packages (#10368) + * fix(report): set correct sarif ROOTPATH uri when scanning a git repository (#10366) + * perf(plugin): optimize directory traversal by replacing filepath.Walk with filepath.WalkDir (#10325) + * docs: correct typos in CHANGELOG and diagram (#10320) + * chore: delete roadmap wf (#10295) + * ci(helm): bump Trivy version to 0.69.3 for Trivy Helm Chart 0.21.3 (#10310) + * fix(cyclonedx): include CVSS v4 vulnerability ratings (#10313) + * fix: detected vulnerability fields in azure and mariner detector (#10275) + * ci: add persist-credentials: false to checkout steps (#10306) + * ci(helm): bump Trivy version to 0.69.2 for Trivy Helm Chart 0.21.2 (#10270) + * chore(deps): bump the common group across 1 directory with 8 updates (#10248) + * chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#10257) + * chore(deps): bump the aws group across 1 directory with 6 updates (#10249) + * chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#10241) + * ci: remove apidiff workflow (#10259) + * chore(deps): bump github.com/docker/cli from 29.1.4+incompatible to 29.2.1+incompatible in the docker group across 1 directory (#10221) + * ci: bump golangci-lint to v2.10 in 
cache-test-assets (#10243) + * feat(java): add support for proxy configuration from Maven settings.xml (#10187) + * chore(deps): bump the github-actions group across 3 directories with 11 updates (#10242) + * feat(python): add pylock.toml support (#10137) + * chore: bump SPDX license IDs and exceptions to `v3.28.0` (#10233) + * docs: fix typos and upgrade insecure HTTP links to HTTPS (#10219) + * chore: bump golangci-lint to v2.10.0 (#10223) + * feat(misconf): support for azurerm_network_interface_security_group_association (#10215) + * ci: pin Docker Engine to v29 for integration tests (#10232) + * feat(go): detect version from ELF symbol table for binaries built with -trimpath (#10197) + * docs: migrate private registry documentation from GCR to GAR (#10208) + * chore(deps): bump the common group across 1 directory with 24 updates (#10206) + * chore(deps): update Docker client SDK to v29 (#10202) + * test: update Docker Engine integration tests for Docker API v0.29.0+ compatibility (#10199) + * fix(misconf): initialize custom annotation field if empty (#10123) + * feat(ubuntu): add eol data for 25.10 (#10181) + * docs: fix incorrect count of Python package managers (#10175) + * chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (#10179) + * feat(misconf): resolve Azure resources via resource_id (#10173) + * ci(helm): bump Trivy version to 0.69.1 for Trivy Helm Chart 0.21.1 (#10155) + * refactor: remove unused Insecure field from ServiceOption (#10113) + * refactor: reduce complexity of init in detect.go (#10163) + * feat(misconf): adapt ARM k8s clusters (#9696) (#10125) + * docs: update version endpoint example in client/server documentation (#10151) + * feat(vuln): skip third-party packages in common Detect function (#10129) + * ci: add composite action for Go setup (#10146) + * fix(misconf): apply check aliases when filtering results via .trivyignore (#10112) + * docs(terraform): add limitation for data sources and computed resource attributes 
(#10128) + * fix: update PhotonOS feed URL (#10122) + * feat(server): include server version info in JSON output for client/server mode (#10075) + * chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs (#10107) + * refactor: unify scanner error limit and compiler limit (#10106) + * ci(helm): bump Trivy version to 0.69.0 for Trivy Helm Chart 0.21.0 (#10103) + * fix(java): Disable overwriting exclusions (#10088) + * refactor(rust): use txtar format for cargo analyzer test data (#10104) + * feat(python): add pylock.toml (PEP 751) parser (#9632) + * chore(deps): bump the aws group across 1 directory with 6 updates (#10068) + * fix(server): exclude JavaDB and CheckBundle from /version endpoint (#10100) + +------------------------------------------------------------------- @@ -4 +102 @@ -- Update to version 0.69.3: +- Update to version 0.69.3 (CVE-2026-25934, bsc#1258094): @@ -19 +117,2 @@ -- Update to version 0.69.0 (bsc#1255366, CVE-2025-64702): +- Update to version 0.69.0 (bsc#1255366, CVE-2025-64702, + bsc#1258513, CVE-2025-69725): Old: ---- trivy-0.69.3.tar.zst New: ---- trivy-0.70.0.tar.zst ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ trivy.spec ++++++ --- /var/tmp/diff_new_pack.zoZ3Ez/_old 2026-04-28 12:01:40.626737946 +0200 +++ /var/tmp/diff_new_pack.zoZ3Ez/_new 2026-04-28 12:01:40.638738443 +0200 @@ -17,7 +17,7 @@ Name: trivy -Version: 0.69.3 +Version: 0.70.0 Release: 0 Summary: A Simple and Comprehensive Vulnerability Scanner for Containers License: Apache-2.0 @@ -27,7 +27,7 @@ Source1: vendor.tar.zst BuildRequires: golang-packaging BuildRequires: zstd -BuildRequires: golang(API) = 1.25 +BuildRequires: golang(API) = 1.26 Requires: ca-certificates Requires: git-core ++++++ _constraints ++++++ --- /var/tmp/diff_new_pack.zoZ3Ez/_old 2026-04-28 12:01:40.862747723 +0200 +++ /var/tmp/diff_new_pack.zoZ3Ez/_new 2026-04-28 12:01:40.890748883 +0200 
@@ -2,7 +2,7 @@ <constraints> <hardware> <disk> - <size unit="G">14</size> + <size unit="G">16</size> </disk> </hardware> </constraints> ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.zoZ3Ez/_old 2026-04-28 12:01:41.034754848 +0200 +++ /var/tmp/diff_new_pack.zoZ3Ez/_new 2026-04-28 12:01:41.066756174 +0200 @@ -1,5 +1,5 @@ -mtime: 1774090807 -commit: 4199961cef36ece6827720152a48904fe8a48b7added4994e3fbfb367e08532d +mtime: 1777280877 +commit: 3195ae06ff16ec640a44ede4654dacc57f7c059c133c3558c50982900b9f3372 url: https://src.opensuse.org/dirkmueller/trivy.git revision: factory ++++++ _service ++++++ --- /var/tmp/diff_new_pack.zoZ3Ez/_old 2026-04-28 12:01:41.206761974 +0200 +++ /var/tmp/diff_new_pack.zoZ3Ez/_new 2026-04-28 12:01:41.246763631 +0200 @@ -2,7 +2,7 @@ <service name="tar_scm" mode="manual"> <param name="url">https://github.com/aquasecurity/trivy</param> <param name="scm">git</param> - <param name="revision">v0.69.3</param> + <param name="revision">v0.70.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.zoZ3Ez/_old 2026-04-28 12:01:41.394769762 +0200 +++ /var/tmp/diff_new_pack.zoZ3Ez/_new 2026-04-28 12:01:41.410770425 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/aquasecurity/trivy</param> - <param name="changesrevision">6fb20c8edd70745d6b34bff0387b53b03c8a760a</param></service></servicedata> + <param name="changesrevision">8a3177aedf7ee0864920eb1852eef031cd3742b8</param></service></servicedata> (No newline at EOF) ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-27 11:07:57.000000000 +0200 
@@ -0,0 +1 @@ +.osc ++++++ trivy-0.69.3.tar.zst -> trivy-0.70.0.tar.zst ++++++ /work/SRC/openSUSE:Factory/trivy/trivy-0.69.3.tar.zst /work/SRC/openSUSE:Factory/.trivy.new.11940/trivy-0.70.0.tar.zst differ: char 7, line 1 ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/trivy/vendor.tar.zst /work/SRC/openSUSE:Factory/.trivy.new.11940/vendor.tar.zst differ: char 7, line 1
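
Review bot: the header of the new 0.70.0 entry in trivy.changes lists five bsc/CVE pairs (CVE-2026-33186, CVE-2026-33747, CVE-2026-33748, CVE-2026-39984, CVE-2026-34986), but none of the bullets beneath it says which change resolves which one. The list contains several dependency bumps (google.golang.org/grpc, github.com/hashicorp/go-getter, github.com/moby/buildkit, helm.sh/helm/v3 and the grouped updates), so please tag the relevant bullet with its CVE or add a short mapping line under the header; otherwise anyone auditing or backporting has to rediscover which bump is the security-relevant one. The same applies to the two amended headers for 0.69.3 (CVE-2026-25934) and 0.69.0 (CVE-2025-69725) further down in the same file.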
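
Review bot: the trivy.spec hunk moves the exact pin from `BuildRequires: golang(API) = 1.25` to `= 1.26`, and the _constraints hunk raises the disk size from 14 to 16 G, yet the new trivy.changes entry consists only of the generated upstream commit list and records neither packaging change. Please add a changelog line for the Go toolchain bump and the disk constraint: the compiler version decides which Go standard library ends up in the binary, and that is something a later security review will look for in the changelog rather than in the spec diff.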
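
Review bot: in _service, `<param name="revision">v0.70.0</param>` makes tar_scm fetch by tag name, which is a mutable reference, while the commit hash only shows up afterwards in _servicedata as changesrevision. Consider setting revision to the full commit hash recorded there; the version string should still be derived from the tag through the `@PARENT_TAG@` versionformat, and the source tarball then comes from an immutable reference. Note also that trivy-0.70.0.tar.zst and vendor.tar.zst appear in this mail only as "differ: char 7, line 1", so nothing in the diff lets a reader check their contents against that commit.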
