Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apko for openSUSE:Factory checked in at 2024-05-24 19:51:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apko (Old) and /work/SRC/openSUSE:Factory/.apko.new.24587 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apko" Fri May 24 19:51:50 2024 rev:8 rq:1176547 version:0.14.2 Changes: -------- --- /work/SRC/openSUSE:Factory/apko/apko.changes 2024-05-10 12:05:58.871323236 +0200 +++ /work/SRC/openSUSE:Factory/.apko.new.24587/apko.changes 2024-05-24 19:52:06.987650566 +0200 
@@ -1,0 +2,34 @@ +Thu May 23 19:46:28 UTC 2024 - [email protected] + +- Update to version 0.14.2: + * spdx: Add test of SBOM of packages with custom licenses + * updated-dependencies: + - dependency-name: step-security/harden-runner + dependency-type: direct:production + update-type: version-update:semver-minor ... + - dependency-name: go.opentelemetry.io/otel + dependency-type: direct:production + update-type: version-update:semver-minor ... + * sbom: fixup merging LicensingInfos during Image SBOM generation + * build(deps): bump github/codeql-action from 3.25.4 to 3.25.6 + * build(deps): bump actions/checkout from 4.1.5 to 4.1.6 + * build(deps): bump github.com/package-url/packageurl-go + * gofmt + * Fix capitalisation style + * spdx: allow specifying custom license + * Bump go-apk + * Bump go-apk to pick up conflict fix + * build(deps): bump goreleaser/goreleaser-action from 5.0.0 to + 5.1.0 + * Bump go-apk + * linter + * Fix duplicates when overlaying the config with config with no + contents + * build(deps): bump sigs.k8s.io/release-utils from 0.8.1 to 0.8.2 + * build(deps): bump golangci/golangci-lint-action from 5.1.0 to + 6.0.1 + * build(deps): bump github/codeql-action from 3.25.3 to 3.25.4 + * build(deps): bump actions/checkout from 4.1.4 to 4.1.5 + * build(deps): bump golang.org/x/sys from 0.19.0 to 0.20.0 + +------------------------------------------------------------------- Old: ---- apko-0.14.1.obscpio New: ---- apko-0.14.2.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apko.spec ++++++ --- /var/tmp/diff_new_pack.fis8hn/_old 2024-05-24 19:52:08.271697537 +0200 +++ /var/tmp/diff_new_pack.fis8hn/_new 2024-05-24 19:52:08.271697537 +0200 
@@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: apko -Version: 0.14.1 +Version: 0.14.2 Release: 0 Summary: Build OCI images from APK packages directly without Dockerfile License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.fis8hn/_old 2024-05-24 19:52:08.311699001 +0200 +++ /var/tmp/diff_new_pack.fis8hn/_new 2024-05-24 19:52:08.315699146 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/apko</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.14.1</param> + <param name="revision">v0.14.2</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.fis8hn/_old 2024-05-24 19:52:08.339700025 +0200 +++ /var/tmp/diff_new_pack.fis8hn/_new 2024-05-24 19:52:08.343700171 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/apko</param> - <param name="changesrevision">91e5c5e1baf31e19f6d3af3b0b6b81f849ce81da</param></service></servicedata> + <param name="changesrevision">5c68fe8f8274d9f70cdf8ce3bae7c7420653e79f</param></service></servicedata> (No newline at EOF) ++++++ apko-0.14.1.obscpio -> apko-0.14.2.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/.github/workflows/build-samples.yml new/apko-0.14.2/.github/workflows/build-samples.yml --- old/apko-0.14.1/.github/workflows/build-samples.yml 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/.github/workflows/build-samples.yml 2024-05-23 15:07:00.000000000 +0200 
@@ -22,10 +22,10 @@ arch: [x86_64, "386", armv7, aarch64, riscv64, s390x, ppc64le] steps: - - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 with: go-version-file: 'go.mod' @@ -58,10 +58,10 @@ contents: read steps: - - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 with: go-version-file: 'go.mod' @@ -92,10 +92,10 @@ runs-on: ${{ matrix.platform }} steps: - - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 with: go-version-file: 'go.mod' 
@@ -120,10 +120,10 @@ contents: read steps: - - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 with: go-version-file: 'go.mod' @@ -158,10 +158,10 @@ contents: read steps: - - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 with: go-version-file: 'go.mod' @@ -196,10 +196,10 @@ contents: read steps: - - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 with: go-version: "1.21" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/.github/workflows/build.yaml new/apko-0.14.2/.github/workflows/build.yaml --- old/apko-0.14.1/.github/workflows/build.yaml 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/.github/workflows/build.yaml 2024-05-23 15:07:00.000000000 +0200 
@@ -15,11 +15,11 @@ contents: read steps: - - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 with: @@ -40,7 +40,7 @@ run: | make ci - - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v2.8.1 + - uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v2.8.1 with: version: latest install-only: true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/.github/workflows/codeql.yaml new/apko-0.14.2/.github/workflows/codeql.yaml --- old/apko-0.14.1/.github/workflows/codeql.yaml 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/.github/workflows/codeql.yaml 2024-05-23 15:07:00.000000000 +0200 @@ -17,11 +17,11 @@ contents: read steps: - - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v3.0.0 with: @@ -29,7 +29,7 @@ check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 + uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 with: languages: go 
@@ -37,4 +37,4 @@ run: make apko - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 + uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/.github/workflows/go-tests.yaml new/apko-0.14.2/.github/workflows/go-tests.yaml --- old/apko-0.14.1/.github/workflows/go-tests.yaml 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/.github/workflows/go-tests.yaml 2024-05-23 15:07:00.000000000 +0200 @@ -21,7 +21,7 @@ check-latest: true - name: Checkout code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Test run: make test diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/.github/workflows/release.yaml new/apko-0.14.2/.github/workflows/release.yaml --- old/apko-0.14.1/.github/workflows/release.yaml 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/.github/workflows/release.yaml 2024-05-23 15:07:00.000000000 +0200 
@@ -23,17 +23,17 @@ contents: write steps: - - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.2.0 with: go-version-file: 'go.mod' - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v2.8.1 + - uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v2.8.1 with: version: latest install-only: true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/.github/workflows/verify.yaml new/apko-0.14.2/.github/workflows/verify.yaml --- old/apko-0.14.1/.github/workflows/verify.yaml 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/.github/workflows/verify.yaml 2024-05-23 15:07:00.000000000 +0200 @@ -15,13 +15,13 @@ contents: read steps: - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.2.0 with: go-version: "1.21" check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc # v5.1.0 + uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 timeout-minutes: 5 with: version: v1.54 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/go.mod new/apko-0.14.2/go.mod --- old/apko-0.14.1/go.mod 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/go.mod 2024-05-23 15:07:00.000000000 +0200 
@@ -6,7 +6,7 @@ require ( github.com/chainguard-dev/clog v1.3.1 - github.com/chainguard-dev/go-apk v0.0.0-20240326195410-fa672ad75774 + github.com/chainguard-dev/go-apk v0.0.0-20240514202343-05db79c0242f github.com/charmbracelet/log v0.4.0 github.com/dominodatalab/os-release v0.0.0-20190522011736-bcdb4a3e3c2f github.com/go-git/go-git/v5 v5.12.0 @@ -16,19 +16,19 @@ github.com/invopop/jsonschema v0.12.0 github.com/jinzhu/copier v0.4.0 github.com/klauspost/pgzip v1.2.6 - github.com/package-url/packageurl-go v0.1.2 + github.com/package-url/packageurl-go v0.1.3 github.com/sigstore/cosign/v2 v2.2.4 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 github.com/spf13/cobra v1.8.0 github.com/stretchr/testify v1.9.0 github.com/tmc/dot v0.0.0-20210901225022-f9bc17da75c0 - go.opentelemetry.io/otel v1.26.0 + go.opentelemetry.io/otel v1.27.0 golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 golang.org/x/sync v0.7.0 - golang.org/x/sys v0.19.0 + golang.org/x/sys v0.20.0 gopkg.in/yaml.v3 v3.0.1 k8s.io/apimachinery v0.29.2 - sigs.k8s.io/release-utils v0.8.1 + sigs.k8s.io/release-utils v0.8.2 ) require ( @@ -75,13 +75,13 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/uuid v1.6.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect - github.com/hashicorp/go-hclog v1.6.2 // indirect + github.com/hashicorp/go-hclog v1.6.3 // indirect github.com/hashicorp/go-retryablehttp v0.7.5 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/kevinburke/ssh_config v1.2.0 // indirect - github.com/klauspost/compress v1.17.7 // indirect + github.com/klauspost/compress v1.17.8 // indirect github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect github.com/lucasb-eyer/go-colorful v1.2.0 // indirect github.com/mailru/easyjson v0.7.7 // indirect 
@@ -113,13 +113,13 @@ github.com/xanzy/ssh-agent v0.3.3 // indirect go.lsp.dev/uri v0.3.0 // indirect go.mongodb.org/mongo-driver v1.14.0 // indirect - go.opentelemetry.io/otel/metric v1.26.0 // indirect - go.opentelemetry.io/otel/trace v1.26.0 // indirect - golang.org/x/crypto v0.22.0 // indirect - golang.org/x/mod v0.16.0 // indirect - golang.org/x/net v0.23.0 // indirect - golang.org/x/term v0.19.0 // indirect - golang.org/x/tools v0.19.0 // indirect + go.opentelemetry.io/otel/metric v1.27.0 // indirect + go.opentelemetry.io/otel/trace v1.27.0 // indirect + golang.org/x/crypto v0.23.0 // indirect + golang.org/x/mod v0.17.0 // indirect + golang.org/x/net v0.25.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/tools v0.21.0 // indirect gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/go.sum new/apko-0.14.2/go.sum --- old/apko-0.14.1/go.sum 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/go.sum 2024-05-23 15:07:00.000000000 +0200 
@@ -28,8 +28,8 @@ github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chainguard-dev/clog v1.3.1 h1:CDNCty5WKQhJzoOPubk0GdXt+bPQyargmfClqebrpaQ= github.com/chainguard-dev/clog v1.3.1/go.mod h1:cV516KZWqYc/phZsCNwF36u/KMGS+Gj5Uqeb8Hlp95Y= -github.com/chainguard-dev/go-apk v0.0.0-20240326195410-fa672ad75774 h1:HWWw1IsD74Wf7DeiMKFApS4RIZdK7pSwXLcLBgDDNL0= -github.com/chainguard-dev/go-apk v0.0.0-20240326195410-fa672ad75774/go.mod h1:ddQUEewlixFvuDz0n/+yVkYeW79+euCb6tOL1VyIOWU= +github.com/chainguard-dev/go-apk v0.0.0-20240514202343-05db79c0242f h1:TrHbtcSJcXZF9Uo18JNjVV644p4sMpsEty6yyjO2INU= +github.com/chainguard-dev/go-apk v0.0.0-20240514202343-05db79c0242f/go.mod h1:2tpUKTTAWl5dJmtvOwvSUjNRFp3oc7qOPqSW8I+XLDM= github.com/charmbracelet/lipgloss v0.10.0 h1:KWeXFSexGcfahHX+54URiZGkBFazf70JNMtwg/AFW3s= github.com/charmbracelet/lipgloss v0.10.0/go.mod h1:Wig9DSfvANsxqkRsqj6x87irdy123SR4dOXlKa91ciE= github.com/charmbracelet/log v0.4.0 h1:G9bQAcx8rWA2T3pWvx7YtPTPwgqpk7D68BX21IRW8ZM= @@ -129,8 +129,8 @@ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v1.6.2 h1:NOtoftovWkDheyUM/8JW3QMiXyxJK3uHRK7wV04nD2I= -github.com/hashicorp/go-hclog v1.6.2/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= +github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M= github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= 
@@ -149,8 +149,8 @@ github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg= -github.com/klauspost/compress v1.17.7/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU= +github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= @@ -198,8 +198,8 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= -github.com/package-url/packageurl-go v0.1.2 h1:0H2DQt6DHd/NeRlVwW4EZ4oEI6Bn40XlNPRqegcxuo4= -github.com/package-url/packageurl-go v0.1.2/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c= +github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs= +github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0= github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -269,12 +269,12 @@ go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= -go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs= -go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4= -go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30= -go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4= -go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA= -go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0= +go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg= +go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ= +go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik= +go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak= +go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw= +go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -282,16 +282,16 @@ golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 h1:mchzmB1XO2pMaKFRqk/+MV3mgGG96aqaPXaMifQU47w= golang.org/x/exp v0.0.0-20231108232855-2478ac86f678/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= -golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -302,8 +302,8 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -332,15 +332,15 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= -golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -348,8 +348,8 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -358,8 +358,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw= -golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -390,5 +390,5 @@ gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8= k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= -sigs.k8s.io/release-utils v0.8.1 h1:qSA9p3vZzO6RAq7zvzupCZjR29+n3NK9DSJPe9bSf7w= -sigs.k8s.io/release-utils v0.8.1/go.mod h1:vrQ3eR1VmudgX4OUwr4pUZEkYLRms9bdbv06mr3kchQ= +sigs.k8s.io/release-utils v0.8.2 h1:BKCKabsVkxy/rTRdPeH2t/v2NSU8tMt0fYIWby3hxKQ= +sigs.k8s.io/release-utils v0.8.2/go.mod h1:u2Si4cUBWo2KBAL+7WB8d/HtwgqgssDAHepYu5+dpQY= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/build/types/image_configuration.go new/apko-0.14.2/pkg/build/types/image_configuration.go --- old/apko-0.14.1/pkg/build/types/image_configuration.go 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/pkg/build/types/image_configuration.go 2024-05-23 15:07:00.000000000 +0200 @@ -65,6 +65,16 @@ mergedIc := ImageConfiguration{} + // Merge packages, repositories and keyrings from base and overlay configurations + keyring := append([]string{}, baseIc.Contents.Keyring...) + keyring = append(keyring, ic.Contents.Keyring...) + + repos := append([]string{}, baseIc.Contents.Repositories...) + repos = append(repos, ic.Contents.Repositories...) + + pkgs := append([]string{}, baseIc.Contents.Packages...) + pkgs = append(pkgs, ic.Contents.Packages...) + // Copy the base configuration... if err := copier.Copy(&mergedIc, &baseIc); err != nil { return fmt.Errorf("failed to copy base configuration: %w", err) 
@@ -80,17 +90,9 @@ return fmt.Errorf("failed to copy merged configuration: %w", err) } - // Merge packages, repositories and keyrings. - keyring := append([]string{}, baseIc.Contents.Keyring...) - keyring = append(keyring, mergedIc.Contents.Keyring...) + // Finally, update the repeated fields to the merged ones. ic.Contents.Keyring = keyring - - repos := append([]string{}, baseIc.Contents.Repositories...) - repos = append(repos, mergedIc.Contents.Repositories...) ic.Contents.Repositories = repos - - pkgs := append([]string{}, baseIc.Contents.Packages...) - pkgs = append(pkgs, mergedIc.Contents.Packages...) ic.Contents.Packages = pkgs } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/build/types/image_configuration_test.go new/apko-0.14.2/pkg/build/types/image_configuration_test.go --- old/apko-0.14.1/pkg/build/types/image_configuration_test.go 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.14.2/pkg/build/types/image_configuration_test.go 2024-05-23 15:07:00.000000000 +0200 
@@ -0,0 +1,38 @@ +package types_test + +import ( + "context" + "crypto/sha256" + "path/filepath" + "testing" + + "github.com/stretchr/testify/require" + + "chainguard.dev/apko/pkg/build/types" +) + +func TestOverlayWithEmptyContents(t *testing.T) { + ctx := context.Background() + + configPath := filepath.Join("testdata", "overlay", "overlay.apko.yaml") + hasher := sha256.New() + ic := types.ImageConfiguration{} + + require.NoError(t, ic.Load(ctx, configPath, hasher)) + require.ElementsMatch(t, ic.Contents.Repositories, []string{"repository"}) + require.ElementsMatch(t, ic.Contents.Keyring, []string{"key"}) + require.ElementsMatch(t, ic.Contents.Packages, []string{"package"}) +} + +func TestOverlayWithAdditionalPackages(t *testing.T) { + ctx := context.Background() + + configPath := filepath.Join("testdata", "overlay", "overlay_with_package.apko.yaml") + hasher := sha256.New() + ic := types.ImageConfiguration{} + + require.NoError(t, ic.Load(ctx, configPath, hasher)) + require.ElementsMatch(t, ic.Contents.Repositories, []string{"repository"}) + require.ElementsMatch(t, ic.Contents.Keyring, []string{"key"}) + require.ElementsMatch(t, ic.Contents.Packages, []string{"package", "other_package"}) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/build/types/testdata/overlay/base.apko.yaml new/apko-0.14.2/pkg/build/types/testdata/overlay/base.apko.yaml --- old/apko-0.14.1/pkg/build/types/testdata/overlay/base.apko.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.14.2/pkg/build/types/testdata/overlay/base.apko.yaml 2024-05-23 15:07:00.000000000 +0200 
@@ -0,0 +1,7 @@ +contents: + repositories: + - "repository" + keyring: + - "key" + packages: + - "package" \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/build/types/testdata/overlay/overlay.apko.yaml new/apko-0.14.2/pkg/build/types/testdata/overlay/overlay.apko.yaml --- old/apko-0.14.1/pkg/build/types/testdata/overlay/overlay.apko.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.14.2/pkg/build/types/testdata/overlay/overlay.apko.yaml 2024-05-23 15:07:00.000000000 +0200 @@ -0,0 +1 @@ +include: testdata/overlay/base.apko.yaml \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/build/types/testdata/overlay/overlay_with_package.apko.yaml new/apko-0.14.2/pkg/build/types/testdata/overlay/overlay_with_package.apko.yaml --- old/apko-0.14.1/pkg/build/types/testdata/overlay/overlay_with_package.apko.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.14.2/pkg/build/types/testdata/overlay/overlay_with_package.apko.yaml 2024-05-23 15:07:00.000000000 +0200 @@ -0,0 +1,5 @@ +include: testdata/overlay/overlay.apko.yaml + +contents: + packages: + - "other_package" \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/sbom/generator/spdx/spdx.go new/apko-0.14.2/pkg/sbom/generator/spdx/spdx.go --- old/apko-0.14.1/pkg/sbom/generator/spdx/spdx.go 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/pkg/sbom/generator/spdx/spdx.go 2024-05-23 15:07:00.000000000 +0200 @@ -1,4 +1,4 @@ -// Copyright 2022, 2023 Chainguard, Inc. +// Copyright 2022-2024 Chainguard, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -90,10 +90,11 @@ }, LicenseListVersion: "3.16", }, - DataLicense: "CC0-1.0", - Namespace: "https://spdx.org/spdxdocs/apko/", - Packages: []Package{}, - Relationships: []Relationship{}, + DataLicense: "CC0-1.0", + Namespace: "https://spdx.org/spdxdocs/apko/", + Packages: []Package{}, + Relationships: []Relationship{}, + LicensingInfos: []LicensingInfo{}, } var imagePackage *Package layerPackage := sx.layerPackage(opts) @@ -252,6 +253,10 @@ return fmt.Errorf("copying element: %w", err) } + if err := mergeLicensingInfos(internalDoc, doc); err != nil { + return fmt.Errorf("merging LicensingInfos: %w", err) + } + // TODO: This loop seems very wrong. for id := range targetElementIDs { // Search for a package in the new SBOM describing the same thing @@ -315,6 +320,26 @@ return nil } +func mergeLicensingInfos(sourceDoc, targetDoc *Document) error { + var found bool + for _, sourceinfo := range sourceDoc.LicensingInfos { + found = false + for _, targetinfo := range targetDoc.LicensingInfos { + if targetinfo.LicenseID == sourceinfo.LicenseID { + if targetinfo.ExtractedText != sourceinfo.ExtractedText { + return fmt.Errorf("source & target LicenseID %s differ in Text", targetinfo.LicenseID) + } + found = true + break + } + } + if !found { + targetDoc.LicensingInfos = append(targetDoc.LicensingInfos, sourceinfo) + } + } + return nil +} + // ParseInternalSBOM opens an SBOM inside apks and func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document, error) { internalSBOM := &Document{} @@ -459,6 +484,7 @@ Packages []Package `json:"packages"` Relationships []Relationship `json:"relationships"` ExternalDocumentRefs []ExternalDocumentRef `json:"externalDocumentRefs,omitempty"` + LicensingInfos []LicensingInfo `json:"hasExtractedLicensingInfos,omitempty"` } type ExternalDocumentRef struct { 
@@ -467,6 +493,12 @@ SPDXDocument string `json:"spdxDocument"` } +// Can also contain name, comment, seeAlso +type LicensingInfo struct { + LicenseID string `json:"licenseId"` + ExtractedText string `json:"extractedText"` +} + type CreationInfo struct { Created string `json:"created"` // Date Creators []string `json:"creators"` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/sbom/generator/spdx/spdx_test.go new/apko-0.14.2/pkg/sbom/generator/spdx/spdx_test.go --- old/apko-0.14.1/pkg/sbom/generator/spdx/spdx_test.go 2024-05-07 16:36:20.000000000 +0200 +++ new/apko-0.14.2/pkg/sbom/generator/spdx/spdx_test.go 2024-05-23 15:07:00.000000000 +0200 @@ -60,6 +60,31 @@ }, } +var testCustomLicenseOpts = &options.Options{ + OS: struct { + Name string + ID string + Version string + }{ + Name: "unknown", + ID: "unknown", + Version: "3.0", + }, + FileName: "sbom", + Packages: []*apk.InstalledPackage{ + { + Package: apk.Package{ + Name: "font-ubuntu", + Version: "0.869-r1", + Arch: "x86_64", + Description: "Ubuntu font family", + License: "LicenseRef-ubuntu-font", + Origin: "font-ubuntu", + }, + }, + }, +} + func TestGenerate(t *testing.T) { dir := t.TempDir() fsys := apkfs.NewMemFS() 
@@ -70,6 +95,28 @@ require.FileExists(t, path) } +func TestGenerateCustomLicense(t *testing.T) { + spdx, err := os.ReadFile("testdata/font-ubuntu.spdx.json") + require.NoError(t, err) + + fsys := apkfs.NewMemFS() + fsys.MkdirAll("/var/lib/db/sbom", 0750) + + err = fsys.WriteFile("/var/lib/db/sbom/font-ubuntu.spdx.json", spdx, 0644) + require.NoError(t, err) + + sx := New(fsys) + path := filepath.Join(t.TempDir(), testCustomLicenseOpts.FileName+"."+sx.Ext()) + err = sx.Generate(testCustomLicenseOpts, path) + require.NoError(t, err) + + got, err := os.ReadFile(path) + require.NoError(t, err) + expected, err := os.ReadFile("testdata/expected.spdx.json") + require.NoError(t, err) + require.Equal(t, expected, got, "CustomLicense SPDX") +} + func TestReproducible(t *testing.T) { // Create two sboms based on the same input and ensure // they are identical diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/sbom/generator/spdx/testdata/expected.spdx.json new/apko-0.14.2/pkg/sbom/generator/spdx/testdata/expected.spdx.json --- old/apko-0.14.1/pkg/sbom/generator/spdx/testdata/expected.spdx.json 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.14.2/pkg/sbom/generator/spdx/testdata/expected.spdx.json 2024-05-23 15:07:00.000000000 +0200 
@@ -0,0 +1,62 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "name": "sbom", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "0001-01-01T00:00:00Z", + "creators": [ + "Tool: apko (devel)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.16" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/apko/", + "documentDescribes": [ + "SPDXRef-Package-" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package-", + "name": "", + "versionInfo": "3.0", + "filesAnalyzed": false, + "description": "apko operating system layer", + "downloadLocation": "NOASSERTION", + "supplier": "Organization: unknown", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:oci/image?mediaType=\u0026os=linux", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-font-ubuntu-0.869-r1", + "name": "font-ubuntu", + "versionInfo": "0.869-r1", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "LicenseRef-ubuntu-font", + "downloadLocation": "NOASSERTION", + "originator": "Organization: Wolfi", + "supplier": "Organization: Wolfi", + "copyrightText": "\n", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceLocator": "pkg:apk/wolfi/[email protected]?arch=x86_64", + "referenceType": "purl" + } + ] + } + ], + "relationships": [], + "hasExtractedLicensingInfos": [ + { + "licenseId": "LicenseRef-ubuntu-font", + "extractedText": "-------------------------------\nUBUNTU FONT LICENCE Version 1.0\n-------------------------------\n\nPREAMBLE\nThis licence allows the licensed fonts to be used, studied, modified and\nredistributed freely. The fonts, including any derivative works, can be\nbundled, embedded, and redistributed provided the terms of this licence\nare met. The fonts and derivatives, however, cannot be released under\nany other licence. 
The requirement for fonts to remain under this\nlicence does not require any document created using the fonts or their\nderivatives to be published under this licence, as long as the primary\npurpose of the document is not to be a vehicle for the distribution of\nthe fonts.\n\nDEFINITIONS\n\"Font Software\" refers to the set of files released by the Copyright\nHolder(s) under this licence and clearly marked as such. This may\ninclude source files, build scripts and documentation.\n\n\"Original Version\" refers to the collection of Font Software c omponents\nas received under this licence.\n\n\"Modified Version\" refers to any derivative made by adding to, deleting,\nor substituting -- in part or in whole -- any of the components of the\nOriginal Version, by changing formats or by porting the Font Software to\na new environment.\n\n\"Copyright Holder(s)\" refers to all individuals and companies who have a\ncopyright ownership of the Font Software.\n\n\"Substantially Changed\" refers to Modified Versions which can be easily\nidentified as dissimilar to the Font Software by users of the Font\nSoftware comparing the Original Version with the Modified Version.\n\nTo \"Propagate\" a work means to do anything with it that, without\npermission, would make you directly or secondarily liable for\ninfringement under applicable copyright law, except executing it on a\ncomputer or modifying a private copy. 
Propagation includes copying,\ndistribution (with or without modification and with or without charging\na redistribution fee), making available to the public, and in some\ncountries other activities as well.\n\nPERMISSION \u0026 CONDITIONS\nThis licence does not grant any rights under trademark law and all such\nrights are reserved.\n\nPermission is hereby granted, free of charge, to any person obtaining a\ncopy of the Font Software, to propagate the Font Software, subject to\nthe below conditions:\n\n1) Each copy of the Font Software must contain the above copyright\nnotice and this licence. These can be included either as stand-alone\ntext files, human-readable headers or in the appropriate machine-\nreadable metadata fields within text or binary files as long as those\nfields can be easily viewed by the user.\n\n2) The font name complies with the following:\n(a) The Original Version must retain its name, unmodified.\n(b) Modified Versions which are Substantially Changed must be renamed to\navoid use of the name of the Original Version or similar names entirely.\n(c) Modified Versions which are not Substantiall y Changed must be\nrenamed to both (i) retain the name of the Original Version and (ii) add\nadditional naming elements to distinguish the Modified Version from the\nOriginal Version. The name of such Modified Versions must be the name of\nthe Original Version, with \"derivative X\" where X represents the name of\nthe new work, appended to that name.\n\n3) The name(s) of the Copyright Holder(s) and any contributor to the\nFont Software shall not be used to promote, endorse or advertise any\nModified Version, except (i) as required by this licence, (ii) to\nacknowledge the contribution(s) of the Copyright Holder(s) or (iii) with\ntheir explicit written permission.\n\n4) The Font Software, modified or unmodified, in part or in whole, must\nbe distributed entirely under this licence, and must not be distributed\nunder any other licence. 
The requirement for fonts to remain under this\nlicence does not affect any document created using the Font Software,\nexcept any version of the Font S oftware extracted from a document\ncreated using the Font Software may only be distributed under this\nlicence.\n\nTERMINATION\nThis licence becomes null and void if any of the above conditions are\nnot met.\n\nDISCLAIMER\nTHE FONT SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF\nCOPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE\nCOPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,\nINCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL\nDAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\nFROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER\nDEALINGS IN THE FONT SOFTWARE.\n" + } + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/sbom/generator/spdx/testdata/font-ubuntu.spdx.json new/apko-0.14.2/pkg/sbom/generator/spdx/testdata/font-ubuntu.spdx.json --- old/apko-0.14.1/pkg/sbom/generator/spdx/testdata/font-ubuntu.spdx.json 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.14.2/pkg/sbom/generator/spdx/testdata/font-ubuntu.spdx.json 2024-05-23 15:07:00.000000000 +0200 
@@ -0,0 +1,46 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "name": "apk-font-ubuntu-0.869-r1", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2024-05-17T11:47:37Z", + "creators": [ + "Tool: melange (v0.16.10-25-gd1d302e)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.22" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/chainguard/melange/767cf0af732f06971ef597f395ff17081942b2e9", + "documentDescribes": [ + "SPDXRef-Package-font-ubuntu-0.869-r1" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package-font-ubuntu-0.869-r1", + "name": "font-ubuntu", + "versionInfo": "0.869-r1", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "LicenseRef-ubuntu-font", + "downloadLocation": "NOASSERTION", + "originator": "Organization: Wolfi", + "supplier": "Organization: Wolfi", + "copyrightText": "\n", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceLocator": "pkg:apk/wolfi/[email protected]?arch=x86_64", + "referenceType": "purl" + } + ] + } + ], + "relationships": [], + "hasExtractedLicensingInfos": [ + { + "licenseId": "LicenseRef-ubuntu-font", + "extractedText": "-------------------------------\nUBUNTU FONT LICENCE Version 1.0\n-------------------------------\n\nPREAMBLE\nThis licence allows the licensed fonts to be used, studied, modified and\nredistributed freely. The fonts, including any derivative works, can be\nbundled, embedded, and redistributed provided the terms of this licence\nare met. The fonts and derivatives, however, cannot be released under\nany other licence. 
The requirement for fonts to remain under this\nlicence does not require any document created using the fonts or their\nderivatives to be published under this licence, as long as the primary\npurpose of the document is not to be a vehicle for the distribution of\nthe fonts.\n\nDEFINITIONS\n\"Font Software\" refers to the set of files released by the Copyright\nHolder(s) under this licence and clearly marked as such. This may\ninclude source files, build scripts and documentation.\n\n\"Original Version\" refers to the collection of Font Software c omponents\nas received under this licence.\n\n\"Modified Version\" refers to any derivative made by adding to, deleting,\nor substituting -- in part or in whole -- any of the components of the\nOriginal Version, by changing formats or by porting the Font Software to\na new environment.\n\n\"Copyright Holder(s)\" refers to all individuals and companies who have a\ncopyright ownership of the Font Software.\n\n\"Substantially Changed\" refers to Modified Versions which can be easily\nidentified as dissimilar to the Font Software by users of the Font\nSoftware comparing the Original Version with the Modified Version.\n\nTo \"Propagate\" a work means to do anything with it that, without\npermission, would make you directly or secondarily liable for\ninfringement under applicable copyright law, except executing it on a\ncomputer or modifying a private copy. 
Propagation includes copying,\ndistribution (with or without modification and with or without charging\na redistribution fee), making available to the public, and in some\ncountries other activities as well.\n\nPERMISSION \u0026 CONDITIONS\nThis licence does not grant any rights under trademark law and all such\nrights are reserved.\n\nPermission is hereby granted, free of charge, to any person obtaining a\ncopy of the Font Software, to propagate the Font Software, subject to\nthe below conditions:\n\n1) Each copy of the Font Software must contain the above copyright\nnotice and this licence. These can be included either as stand-alone\ntext files, human-readable headers or in the appropriate machine-\nreadable metadata fields within text or binary files as long as those\nfields can be easily viewed by the user.\n\n2) The font name complies with the following:\n(a) The Original Version must retain its name, unmodified.\n(b) Modified Versions which are Substantially Changed must be renamed to\navoid use of the name of the Original Version or similar names entirely.\n(c) Modified Versions which are not Substantiall y Changed must be\nrenamed to both (i) retain the name of the Original Version and (ii) add\nadditional naming elements to distinguish the Modified Version from the\nOriginal Version. The name of such Modified Versions must be the name of\nthe Original Version, with \"derivative X\" where X represents the name of\nthe new work, appended to that name.\n\n3) The name(s) of the Copyright Holder(s) and any contributor to the\nFont Software shall not be used to promote, endorse or advertise any\nModified Version, except (i) as required by this licence, (ii) to\nacknowledge the contribution(s) of the Copyright Holder(s) or (iii) with\ntheir explicit written permission.\n\n4) The Font Software, modified or unmodified, in part or in whole, must\nbe distributed entirely under this licence, and must not be distributed\nunder any other licence. 
The requirement for fonts to remain under this\nlicence does not affect any document created using the Font Software,\nexcept any version of the Font S oftware extracted from a document\ncreated using the Font Software may only be distributed under this\nlicence.\n\nTERMINATION\nThis licence becomes null and void if any of the above conditions are\nnot met.\n\nDISCLAIMER\nTHE FONT SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF\nCOPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE\nCOPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,\nINCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL\nDAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\nFROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER\nDEALINGS IN THE FONT SOFTWARE.\n" + } + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.14.1/pkg/sbom/generator/spdx/testdata/generate.sh new/apko-0.14.2/pkg/sbom/generator/spdx/testdata/generate.sh --- old/apko-0.14.1/pkg/sbom/generator/spdx/testdata/generate.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/apko-0.14.2/pkg/sbom/generator/spdx/testdata/generate.sh 2024-05-23 15:07:00.000000000 +0200 @@ -0,0 +1,3 @@ +#!/bin/sh +curl -q https://packages.wolfi.dev/os/x86_64/font-ubuntu-0.869-r1.apk | tar Ozx var/lib/db/sbom/font-ubuntu-0.869-r1.spdx.json >font-ubuntu.spdx.json 2>/dev/null + ++++++ apko.obsinfo ++++++ --- /var/tmp/diff_new_pack.fis8hn/_old 2024-05-24 19:52:08.543707487 +0200 +++ /var/tmp/diff_new_pack.fis8hn/_new 2024-05-24 19:52:08.547707633 +0200 
@@ -1,5 +1,5 @@ name: apko -version: 0.14.1 -mtime: 1715092580 -commit: 91e5c5e1baf31e19f6d3af3b0b6b81f849ce81da +version: 0.14.2 +mtime: 1716469620 +commit: 5c68fe8f8274d9f70cdf8ce3bae7c7420653e79f ++++++ vendor.tar.gz ++++++ ++++ 35944 lines of diff (skipped)
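Review bot: mergeLicensingInfos in pkg/sbom/generator/spdx/spdx.go turns any LicenseID collision whose ExtractedText differs into a hard failure of image SBOM generation, and the error names only the LicenseID, so a build that fails because two packages ship different texts under the same LicenseRef-* identifier cannot be traced to the offending package from the message alone. Consider including the names of the source and target documents in the fmt.Errorf, and decide deliberately whether the byte-exact text comparison is wanted (a trailing-newline difference between two package SBOMs is enough to fail the whole image build). Note also that the new LicensingInfo type carries only licenseId and extractedText while its own comment says name, comment and seeAlso can also be present, so those fields are silently dropped from package SBOMs as they are merged into the image SBOM; if that is intentional, say so in the comment.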
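Review bot: in TestGenerateCustomLicense (pkg/sbom/generator/spdx/spdx_test.go) the return value of fsys.MkdirAll("/var/lib/db/sbom", 0750) is discarded; wrap it in require.NoError so a failure to create the directory surfaces there rather than as an unrelated error from the later WriteFile or Generate. The test writes the fixture as /var/lib/db/sbom/font-ubuntu.spdx.json while testdata/generate.sh extracts it from the apk as font-ubuntu-0.869-r1.spdx.json; a comment stating which file name the generator looks up would make the renaming obviously deliberate. Since the test compares the full output byte-for-byte against testdata/expected.spdx.json, a comment describing how that expected file was produced (and that it must be regenerated whenever the creator string or licenseListVersion changes) would also help.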
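Review bot: testdata/generate.sh uses `curl -q`, which in curl means "do not read .curlrc", not "quiet"; the intended flags are probably `-fsSL` (`-f` so an HTTP error body is not piped into tar, `-s` for silent). Combined with `2>/dev/null` on the pipeline and no `set -e`, a failed download or extraction currently yields an empty font-ubuntu.spdx.json with no error. Because this script fetches a package over the network to produce a fixture that is then checked in, record the expected checksum of font-ubuntu-0.869-r1.apk (or verify the package signature) in the script so the fixture's provenance can be checked when it is regenerated.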
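Review bot: the include paths in testdata/overlay/overlay.apko.yaml and overlay_with_package.apko.yaml (`include: testdata/overlay/base.apko.yaml`, `include: testdata/overlay/overlay.apko.yaml`) are resolved relative to the test's working directory rather than to the including file, so the fixtures only work when the tests run from pkg/build/types; a short comment in the new types_test.go stating that assumption would prevent confusion if include resolution changes. TestOverlayWithEmptyContents does cover the "duplicates when overlaying a config with no contents" regression named in the changelog, since require.ElementsMatch fails if "package" appears twice, but the fix in the loader itself is not part of this excerpt, so the test is the only visible evidence of the behaviour change.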
