Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package syft for openSUSE:Factory checked in at 2023-02-05 19:20:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/syft (Old) and /work/SRC/openSUSE:Factory/.syft.new.4462 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "syft"
Sun Feb 5 19:20:21 2023 rev:26 rq:1063165 version:0.70.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/syft/syft.changes 2023-02-02 18:18:48.547952104 +0100
+++ /work/SRC/openSUSE:Factory/.syft.new.4462/syft.changes 2023-02-05 19:20:22.939619237 +0100
@@ -1,0 +2,11 @@
+Sat Feb 04 07:45:37 UTC 2023 - ka...@b1-systems.de
+
+- Update to version 0.70.0:
+ * fix: update config struct to not decode password/key (#1538)
+ * Update syft bootstrap tools to latest versions. (#1537)
+ * feat: add traefik classifier (#1504)
+ * fix: don't hardcode Cosign attest type (#1533)
+ * chore(deps): bump github.com/docker/docker (#1531)
+ * Update syft bootstrap tools to latest versions. (#1530)
+
+-------------------------------------------------------------------
Old:
----
syft-0.69.1.tar.gz
New:
----
syft-0.70.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ syft.spec ++++++
--- /var/tmp/diff_new_pack.lNjHGm/_old 2023-02-05 19:20:24.075625804 +0100
+++ /var/tmp/diff_new_pack.lNjHGm/_new 2023-02-05 19:20:24.079625826 +0100
@@ -19,7 +19,7 @@
 %define __arch_install_post export NO_BRP_STRIP_DEBUG=true
 Name: syft
-Version: 0.69.1
+Version: 0.70.0
 Release: 0
 Summary: CLI tool and library for generating a Software Bill of Materials
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.lNjHGm/_old 2023-02-05 19:20:24.119626058 +0100
+++ /var/tmp/diff_new_pack.lNjHGm/_new 2023-02-05 19:20:24.123626081 +0100
@@ -3,7 +3,7 @@
 <param name="url">https://github.com/anchore/syft</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param>
- <param name="revision">v0.69.1</param>
+ <param name="revision">v0.70.0</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="changesgenerate">enable</param>
 <param name="versionrewrite-pattern">v(.*)</param>
@@ -16,7 +16,7 @@
 <param name="compression">gz</param>
 </service>
 <service name="go_modules" mode="disabled">
- <param name="archive">syft-0.69.1.tar.gz</param>
+ <param name="archive">syft-0.70.0.tar.gz</param>
 </service>
 </services>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.lNjHGm/_old 2023-02-05 19:20:24.147626220 +0100
+++ /var/tmp/diff_new_pack.lNjHGm/_new 2023-02-05 19:20:24.147626220 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/anchore/syft</param>
- <param name="changesrevision">1530ef354ffaf59cef6a02c949f2cdb82353954f</param></service></servicedata>
+ <param name="changesrevision">9995950c70e849f9921919faffbfcf46401f71f3</param></service></servicedata>
(No newline at EOF)
++++++ syft-0.69.1.tar.gz -> syft-0.70.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.1/Makefile new/syft-0.70.0/Makefile
--- old/syft-0.69.1/Makefile 2023-01-31 17:53:16.000000000 +0100
+++ new/syft-0.70.0/Makefile 2023-02-03 19:06:14.000000000 +0100
@@ -8,11 +8,11 @@
 SNAPSHOT_CMD := $(RELEASE_CMD) --skip-publish --skip-sign --snapshot
 # Tool versions #################################
-GOLANGCILINT_VERSION := v1.50.1
+GOLANGCILINT_VERSION := v1.51.0
 GOSIMPORTS_VERSION := v0.3.5
 BOUNCER_VERSION := v0.4.0
 CHRONICLE_VERSION := v0.5.1
-GORELEASER_VERSION := v1.15.0
+GORELEASER_VERSION := v1.15.1
 YAJSV_VERSION := v1.4.1
 COSIGN_VERSION := v1.13.1
 QUILL_VERSION := v0.2.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.1/cmd/syft/cli/attest/attest.go new/syft-0.70.0/cmd/syft/cli/attest/attest.go
--- old/syft-0.69.1/cmd/syft/cli/attest/attest.go 2023-01-31 17:53:16.000000000 +0100
+++ new/syft-0.70.0/cmd/syft/cli/attest/attest.go 2023-02-03 19:06:14.000000000 +0100
@@ -131,7 +131,7 @@
 return
 }
- args := []string{"attest", si.UserInput, "--type", "custom", "--predicate", f.Name()}
+ args := []string{"attest", si.UserInput, "--predicate", f.Name()}
 if app.Attest.Key != "" {
 args = append(args, "--key", app.Attest.Key)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.1/go.mod new/syft-0.70.0/go.mod
--- old/syft-0.69.1/go.mod 2023-01-31 17:53:16.000000000 +0100
+++ new/syft-0.70.0/go.mod 2023-02-03 19:06:14.000000000 +0100
@@ -53,7 +53,7 @@
 github.com/Masterminds/sprig/v3 v3.2.3
 github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8
 github.com/anchore/stereoscope v0.0.0-20221208011002-c5ff155d72f1
- github.com/docker/docker v20.10.23+incompatible
+ github.com/docker/docker v23.0.0+incompatible
 github.com/google/go-containerregistry v0.13.0
 github.com/invopop/jsonschema v0.7.0
 github.com/knqyf263/go-rpmdb v0.0.0-20221030135625-4082a22221ce
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.1/go.sum new/syft-0.70.0/go.sum
--- old/syft-0.69.1/go.sum 2023-01-31 17:53:16.000000000 +0100
+++ new/syft-0.70.0/go.sum 2023-02-03 19:06:14.000000000 +0100
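Review bot: Dropping `"--type", "custom"` from the args line leaves the predicate type to whatever cosign chooses when the flag is absent; with the COSIGN_VERSION v1.13.1 pinned in this same update that fallback is, as far as I recall, still "custom", so unless a format-specific `--type` is appended somewhere outside this hunk the attestation that gets signed is unchanged and only the hard-coding went away. The reader cannot tell from the new line why the flag was removed or where the type is now decided, which matters for anyone verifying these attestations with `cosign verify-attestation --type`. A one-line comment above the new `args := ...` would settle it: `// --type is not fixed here: the predicate type is chosen per output format (cosign falls back to "custom" when the flag is omitted)`. The enclosing function starts before and continues after this hunk.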
@@ -397,8 +397,8 @@
 github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.10+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.12+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v20.10.23+incompatible h1:1ZQUUYAdh+oylOT85aA2ZcfRp22jmLhoaEcVEfK8dyA=
-github.com/docker/docker v20.10.23+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v23.0.0+incompatible h1:L6c28tNyqZ4/ub9AZC9d5QUuunoHHfEH4/Ue+h/E5nE=
+github.com/docker/docker v23.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.1/internal/config/attest.go new/syft-0.70.0/internal/config/attest.go
--- old/syft-0.69.1/internal/config/attest.go 2023-01-31 17:53:16.000000000 +0100
+++ new/syft-0.70.0/internal/config/attest.go 2023-02-03 19:06:14.000000000 +0100
@@ -3,8 +3,9 @@
 import "github.com/spf13/viper"
 type attest struct {
- Key string `yaml:"key" json:"key" mapstructure:"key"`
- Password string `yaml:"password" json:"password" mapstructure:"password"`
+ // IMPORTANT: do not show the attestation key/password in any YAML/JSON output (sensitive information)
+ Key string `yaml:"-" json:"-" mapstructure:"key"`
+ Password string `yaml:"-" json:"-" mapstructure:"password"`
 }
 func (cfg attest) loadDefaultValues(v *viper.Viper) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.1/syft/pkg/cataloger/binary/cataloger_test.go new/syft-0.70.0/syft/pkg/cataloger/binary/cataloger_test.go
--- old/syft-0.69.1/syft/pkg/cataloger/binary/cataloger_test.go 2023-01-31 17:53:16.000000000 +0100
+++ new/syft-0.70.0/syft/pkg/cataloger/binary/cataloger_test.go 2023-02-03 19:06:14.000000000 +0100
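Review bot: The `yaml:"-"` / `json:"-"` tags on the new Key and Password lines only hide the secrets from the yaml and json encoders; anything that formats the config with `%v`/`%+v` or a logger's default struct dump will still print the password in clear. A redacting Stringer on the same type closes that path and is consistent with the value receiver already used by loadDefaultValues: `// String redacts the secrets so fmt-style logging of the config cannot leak them.` followed by `func (cfg attest) String() string { return "attest{Key: <redacted>, Password: <redacted>}" }` — check first whether an enclosing config type already implements Stringer, which I cannot see from here. The IMPORTANT comment should also say why `mapstructure:"key"`/`"password"` keep their names: decoding still works because viper populates the struct through mapstructure, not through the yaml tags, and without that sentence the next reader is likely to "restore" the yaml tags. Note that anything decoding this struct with a plain yaml decoder would now silently drop both fields.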
@@ -20,6 +20,34 @@
 expected pkg.Package
 }{
 {
+ name: "positive-traefik-2.9.6",
+ fixtureDir: "test-fixtures/classifiers/positive/traefik-2.9.6",
+ expected: pkg.Package{
+ Name: "traefik",
+ Version: "2.9.6",
+ Type: "binary",
+ PURL: "pkg:generic/traefik@2.9.6",
+ Locations: singleLocation("traefik"),
+ Metadata: pkg.BinaryMetadata{
+ Classifier: "traefik-binary",
+ },
+ },
+ },
+ {
+ name: "positive-traefik-1.7.34",
+ fixtureDir: "test-fixtures/classifiers/positive/traefik-1.7.34",
+ expected: pkg.Package{
+ Name: "traefik",
+ Version: "1.7.34",
+ Type: "binary",
+ PURL: "pkg:generic/traefik@1.7.34",
+ Locations: singleLocation("traefik"),
+ Metadata: pkg.BinaryMetadata{
+ Classifier: "traefik-binary",
+ },
+ },
+ },
+ {
 name: "positive-memcached-1.6.18",
 fixtureDir: "test-fixtures/classifiers/positive/memcached-1.6.18",
 expected: pkg.Package{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.1/syft/pkg/cataloger/binary/default_classifiers.go new/syft-0.70.0/syft/pkg/cataloger/binary/default_classifiers.go
--- old/syft-0.69.1/syft/pkg/cataloger/binary/default_classifiers.go 2023-01-31 17:53:16.000000000 +0100
+++ new/syft-0.70.0/syft/pkg/cataloger/binary/default_classifiers.go 2023-02-03 19:06:14.000000000 +0100
@@ -165,4 +165,14 @@
 Package: "memcached",
 PURL: mustPURL("pkg:generic/memcached@version"),
 },
+ {
+ Class: "traefik-binary",
+ FileGlob: "**/traefik",
+ EvidenceMatcher: fileContentsVersionMatcher(
+ // [NUL]v1.7.34[NUL]
+ // [NUL]2.9.6[NUL]
+ `(?m)\x00v?(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00`),
+ Package: "traefik",
+ PURL: mustPURL("pkg:generic/traefik@version"),
+ },
 }
Binary files old/syft-0.69.1/syft/pkg/cataloger/binary/test-fixtures/classifiers/positive/traefik-1.7.34/traefik and new/syft-0.70.0/syft/pkg/cataloger/binary/test-fixtures/classifiers/positive/traefik-1.7.34/traefik differ
Binary files old/syft-0.69.1/syft/pkg/cataloger/binary/test-fixtures/classifiers/positive/traefik-2.9.6/traefik and new/syft-0.70.0/syft/pkg/cataloger/binary/test-fixtures/classifiers/positive/traefik-2.9.6/traefik differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.1/test/cli/packages_cmd_test.go new/syft-0.70.0/test/cli/packages_cmd_test.go
--- old/syft-0.69.1/test/cli/packages_cmd_test.go 2023-01-31 17:53:16.000000000 +0100
+++ new/syft-0.70.0/test/cli/packages_cmd_test.go 2023-02-03 19:06:14.000000000 +0100
@@ -229,6 +229,20 @@
 assertSuccessfulReturnCode,
 },
 },
+ {
+ name: "password and key not in config output",
+ args: []string{"packages", "-vvv", "-o", "json", coverageImage},
+ env: map[string]string{
+ "SYFT_ATTEST_PASSWORD": "secret_password",
+ "SYFT_ATTEST_KEY": "secret_key_path",
+ },
+ assertions: []traitAssertion{
+ assertNotInOutput("secret_password"),
+ assertNotInOutput("secret_key_path"),
+ assertPackageCount(34),
+ assertSuccessfulReturnCode,
+ },
+ },
 }
 for _, test := range tests {
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/syft/vendor.tar.gz /work/SRC/openSUSE:Factory/.syft.new.4462/vendor.tar.gz differ: char 5, line 1
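Review bot: The pre-release alternation on the new regex line allows only one digit (`-rc[0-9]`), so a build tagged e.g. `v2.0.0-rc10` fails the trailing `\x00` and yields no version at all rather than a truncated one; `(-alpha[0-9]+|-beta[0-9]+|-rc[0-9]+)?` fixes that, and the leading `(?m)` can go, since the pattern has no `^`/`$` anchors for it to affect. The bigger weakness is that `\x00v?X.Y.Z\x00` matches any NUL-delimited semver string in a file named `traefik`, not something specific to traefik, so if fileContentsVersionMatcher takes the first match (its implementation is outside this diff) the version reported could be that of an embedded dependency and the resulting PURL would drive vulnerability matching against the wrong version. Anchoring the pattern on a neighbouring traefik-specific string, as the other classifiers in this file appear to do for their products, would make the evidence much stronger; the two positive fixtures added in this commit would not catch the mismatch. The classifier list this entry belongs to starts before this hunk.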
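Review bot: The new table entry only proves the secrets are absent from whatever assertNotInOutput inspects; if that helper looks at stdout alone, the `-vvv` config dump that presumably leaked the values before this commit (and which verbose logging usually sends to stderr) is not covered at all, and the test would pass even with the old struct tags. Worth confirming the helper captures both streams, and adding a sibling case that supplies `attest.key` and `attest.password` through a config file rather than `SYFT_ATTEST_*` env vars, since the commit's `yaml:"-"` tags would silently drop those values if the config were ever decoded by a yaml decoder instead of viper's mapstructure path. The test table and the loop that runs it start and end outside this hunk.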