Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package osv-scanner for openSUSE:Factory checked in at 2026-06-19 16:36:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/osv-scanner (Old)
 and      /work/SRC/openSUSE:Factory/.osv-scanner.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "osv-scanner"

Fri Jun 19 16:36:38 2026 rev:46 rq:1360442 version:2.4.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/osv-scanner/osv-scanner.changes 2026-05-08 16:48:05.111937648 +0200
+++ /work/SRC/openSUSE:Factory/.osv-scanner.new.1956/osv-scanner.changes 2026-06-19 17:19:59.231215381 +0200
@@ -1,0 +2,61 @@ +Fri Jun 19 05:16:00 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 2.4.0: + * Features: + - Feature #2815 Add support for the CycloneDX 1.7 specification + (bumps cyclonedx-go to v0.11.0). + - Feature #2799 Enable .csproj and Central Package Management + (nugetcpm) source scanning plugins by default. + - Feature #2871 Extract and parse Alpine OS distro version + (e.g. Alpine:v3.17, Alpine:edge) from PURL distro qualifiers + to scan packages under their respective Alpine ecosystems. + - Feature #2801 Enable the swift/packageresolved plugin by + default to support SwiftURL vulnerability scans. + - Feature #2666 Add a Docker-based variant of the pre-commit + hook in .pre-commit-hooks.yaml to avoid local compilation. + - Feature #2637 Add a new configuration setting + ScanGoModVersion (disabled by default) to avoid parsing + toolchain version directives directly from go.mod, preventing + misleading warnings. + - Feature #2772 Scan container images built with Canonical + Chisel by enabling the os/chisel extractor plugin. + * Fixes: + - Bug #2807 Sanitize package name, source, and version fields + in the vertical output format to prevent GitHub Actions + workflow command injection vulnerabilities from crafted lock + files. + - Bug #2876 Improve HTML scan report usability by supporting + standard click modifiers (Ctrl/Cmd/middle click) to open + vulnerabilities in new tabs, and preserving scroll position + when switching tabs. + - Bug #2783 Keep transitive dependency scanning enabled when + specifying the --offline-vulnerabilities flag. + - Bug #2808 Deduplicate equivalent OSV matcher requests before + executing bulk queries to reduce API overhead. + - Bug #2837 Prevent panics during offline matcher scans (e.g. + on unsupported GitHub Actions ecosystem) by avoiding parsing + errors when checking version ranges. + - Bug #2836 Ensure the scanner returns an exit code of 0 when + --help or -h is explicitly requested. 
+ * Misc: + - Update Go version to 1.26.4. + - Update osv-scalibr to v0.4.6-0.20260612031204-164402d9140e. + - Tag built Docker and GitHub Action images with the major + version (e.g. :v2) to allow users to pin to a major version + (#2857). + * Dependencies + - chore(deps): update golang.org/x/{crypto,net,sys} (#2853) + - chore(deps): update golang docker tag to v1.26.3 (#2811) + - fix(deps): update osv-scanner minor (#2851) + - build(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to + 5.19.1 in the go_modules group across 1 directory (#2822) + - chore(deps): update workflows (#2852) + - chore(deps): update workflows (#2764) + - fix(deps): update osv-scanner minor (#2812) + - chore(deps): lock file maintenance (#2834) + - build(deps): bump faraday from 2.14.1 to 2.14.2 in /docs in + the bundler group across 1 directory (#2817) + - fix(deps): update osv-scanner minor (#2763) + - chore(deps): lock file maintenance (#2718) + +------------------------------------------------------------------- Old: ---- osv-scanner-2.3.8.obscpio New: ---- osv-scanner-2.4.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ osv-scanner.spec ++++++ --- /var/tmp/diff_new_pack.JPvcR8/_old 2026-06-19 17:20:30.812302407 +0200 +++ /var/tmp/diff_new_pack.JPvcR8/_new 2026-06-19 17:20:30.812302407 +0200 @@ -17,14 +17,14 @@ Name: osv-scanner -Version: 2.3.8 +Version: 2.4.0 Release: 0 Summary: Vulnerability scanner written in Go License: Apache-2.0 URL: https://github.com/google/osv-scanner Source: osv-scanner-%{version}.tar.gz Source1: vendor.tar.gz -BuildRequires: go1.26 >= 1.26.2 +BuildRequires: go1.26 >= 1.26.4 %description Use OSV-Scanner to find existing vulnerabilities affecting your project's ++++++ _service ++++++ --- /var/tmp/diff_new_pack.JPvcR8/_old 2026-06-19 17:20:30.856303922 +0200 +++ /var/tmp/diff_new_pack.JPvcR8/_new 2026-06-19 17:20:30.860304059 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/google/osv-scanner</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v2.3.8</param> + <param name="revision">v2.4.0</param> <param name="match-tag">v*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.JPvcR8/_old 2026-06-19 17:20:30.884304886 +0200 +++ /var/tmp/diff_new_pack.JPvcR8/_new 2026-06-19 17:20:30.892305162 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/google/osv-scanner</param> - <param name="changesrevision">408fcd6f8707999a29e7ba45e15809764cf24f67</param></service></servicedata> + <param name="changesrevision">b56b5191101d5f27d4787d5583d8d01e9518a7af</param></service></servicedata> (No newline at EOF) ++++++ osv-scanner-2.3.8.obscpio -> osv-scanner-2.4.0.obscpio ++++++ ++++ 40608 lines of diff (skipped) ++++++ osv-scanner.obsinfo ++++++ --- /var/tmp/diff_new_pack.JPvcR8/_old 2026-06-19 17:20:32.520361202 +0200 +++ /var/tmp/diff_new_pack.JPvcR8/_new 2026-06-19 17:20:32.524361340 +0200 @@ -1,5 +1,5 @@ name: osv-scanner -version: 2.3.8 -mtime: 1778216075 -commit: 408fcd6f8707999a29e7ba45e15809764cf24f67 +version: 2.4.0 +mtime: 1781787327 +commit: b56b5191101d5f27d4787d5583d8d01e9518a7af ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/osv-scanner/vendor.tar.gz /work/SRC/openSUSE:Factory/.osv-scanner.new.1956/vendor.tar.gz differ: char 13, line 1
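Review bot: in the osv-scanner.changes hunk, the `Bug #2807` entry describes a security fix (sanitizing package name, source and version in the vertical output format so that a crafted lock file cannot inject GitHub Actions workflow commands) but carries no CVE or bsc#/boo# reference; if one has been assigned, add it on that line in the usual form, e.g. `- Bug #2807 (CVE-YYYY-NNNNN, bsc#NNNNNNN) Sanitize package name, ...` (both values are placeholders here), so the security team can track the fix against the package. Minor style point in the same hunk: `* Dependencies` lacks the trailing colon that `* Features:`, `* Fixes:` and `* Misc:` use.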
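Review bot: for the osv-scanner.spec hunk, `BuildRequires: go1.26 >= 1.26.4` correctly follows the "Update Go version to 1.26.4" changes entry, and the version bump is consistent with `_service` (`revision` v2.4.0) and with the matching commit hash in `_servicedata` and `osv-scanner.obsinfo`; what cannot be checked from this mail is the vendor tarball, since the only evidence it changed is `vendor.tar.gz ... differ: char 13, line 1` and the 40608-line obscpio diff is skipped, so the vendored `github.com/go-git/go-git/v5` 5.19.0 to 5.19.1 and `golang.org/x/{crypto,net,sys}` updates listed in the changes file are not visible. Before accepting, confirm that vendor.tar.gz was regenerated from the v2.4.0 tag (commit b56b5191101d5f27d4787d5583d8d01e9518a7af) so the vendored modules match upstream's go.sum rather than a stale vendor set from 2.3.8.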
