Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grype-db for openSUSE:Factory checked in at 2025-04-17 16:07:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grype-db (Old) and /work/SRC/openSUSE:Factory/.grype-db.new.30101 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grype-db"
Thu Apr 17 16:07:55 2025 rev:9 rq:1270066 version:0.33.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/grype-db/grype-db.changes 2025-04-10 22:01:00.677017229 +0200
+++ /work/SRC/openSUSE:Factory/.grype-db.new.30101/grype-db.changes 2025-04-20 19:55:46.506406283 +0200
@@ -1,0 +2,9 @@
+Wed Apr 16 15:49:44 UTC 2025 - Johannes Kastl <opensuse_buildserv...@ojkastl.de>
+
+- Update to version 0.33.0:
+ * Added Features
+ - allow db hydration during build [#558 @westonsteimel]
+ * Additional Changes
+ - Fix processing of github-action entries [#556 @wagoodman]
+
+-------------------------------------------------------------------
Old:
----
grype-db-0.32.0.obscpio
New:
----
grype-db-0.33.0.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ grype-db.spec ++++++
--- /var/tmp/diff_new_pack.7T76V0/_old 2025-04-20 19:55:48.170475947 +0200
+++ /var/tmp/diff_new_pack.7T76V0/_new 2025-04-20 19:55:48.174476114 +0200
@@ -17,7 +17,7 @@
 Name: grype-db
-Version: 0.32.0
+Version: 0.33.0
 Release: 0
 Summary: A vulnerability scanner for container images and filesystems
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.7T76V0/_old 2025-04-20 19:55:48.202477286 +0200
+++ /var/tmp/diff_new_pack.7T76V0/_new 2025-04-20 19:55:48.206477454 +0200
@@ -3,7 +3,7 @@
 <param name="url">https://github.com/anchore/grype-db</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param>
- <param name="revision">v0.32.0</param>
+ <param name="revision">v0.33.0</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="versionrewrite-pattern">v(.*)</param>
 <param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.7T76V0/_old 2025-04-20 19:55:48.230478459 +0200
+++ /var/tmp/diff_new_pack.7T76V0/_new 2025-04-20 19:55:48.234478626 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/anchore/grype-db</param>
- <param name="changesrevision">e1cdd057953847cf092640100b6b106199453865</param></service></servicedata>
+ <param name="changesrevision">99143e6451c02525a81ea74677ccef6433d55200</param></service></servicedata>
(No newline at EOF)
++++++ grype-db-0.32.0.obscpio -> grype-db-0.33.0.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.32.0/cmd/grype-db/cli/commands/build.go new/grype-db-0.33.0/cmd/grype-db/cli/commands/build.go
--- old/grype-db-0.32.0/cmd/grype-db/cli/commands/build.go 2025-04-08 11:56:22.000000000 +0200
+++ new/grype-db-0.33.0/cmd/grype-db/cli/commands/build.go 2025-04-15 15:40:01.000000000 +0200
@@ -119,6 +119,7 @@
 Timestamp: earliest,
 IncludeCPEParts: cfg.IncludeCPEParts,
 InferNVDFixVersions: cfg.InferNVDFixVersions,
+ Hydrate: cfg.Hydrate,
 })
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.32.0/cmd/grype-db/cli/options/build.go new/grype-db-0.33.0/cmd/grype-db/cli/options/build.go
--- old/grype-db-0.32.0/cmd/grype-db/cli/options/build.go 2025-04-08 11:56:22.000000000 +0200
+++ new/grype-db-0.33.0/cmd/grype-db/cli/options/build.go 2025-04-15 15:40:01.000000000 +0200
@@ -19,6 +19,7 @@
 // unbound options
 IncludeCPEParts []string `yaml:"include-cpe-parts" json:"include-cpe-parts" mapstructure:"include-cpe-parts"`
 InferNVDFixVersions bool `yaml:"infer-nvd-fix-versions" json:"infer-nvd-fix-versions" mapstructure:"infer-nvd-fix-versions"`
+ Hydrate bool `yaml:"hydrate" json:"hydrate" mapstructure:"hydrate"`
 }
 
 func DefaultBuild() Build {
@@ -28,6 +29,7 @@
 SchemaVersion: process.DefaultSchemaVersion,
 IncludeCPEParts: []string{"a", "h", "o"},
 InferNVDFixVersions: true,
+ Hydrate: false,
 }
 }
 
@@ -59,6 +61,7 @@
 // set default values for non-bound struct items
 v.SetDefault("build.include-cpe-parts", o.IncludeCPEParts)
 v.SetDefault("build.infer-nvd-fix-versions", o.InferNVDFixVersions)
+ v.SetDefault("build.hydrate", o.Hydrate)
 return o.DBLocation.BindFlags(flags, v)
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.32.0/pkg/process/build.go new/grype-db-0.33.0/pkg/process/build.go
--- old/grype-db-0.32.0/pkg/process/build.go 2025-04-08 11:56:22.000000000 +0200
+++ new/grype-db-0.33.0/pkg/process/build.go 2025-04-15 15:40:01.000000000 +0200
@@ -7,6 +7,7 @@
 "time"
 
 "github.com/dustin/go-humanize"
+ "github.com/spf13/afero"
 
 "github.com/anchore/grype-db/internal/log"
 "github.com/anchore/grype-db/pkg/data"
@@ -26,6 +27,7 @@
 Timestamp time.Time
 IncludeCPEParts []string
 InferNVDFixVersions bool
+ Hydrate bool
 }
 
 func Build(cfg BuildConfig) error {
@@ -62,7 +64,17 @@
 return err
 }
 
- return writer.Close()
+ if err := writer.Close(); err != nil {
+ return err
+ }
+
+ if cfg.Hydrate && cfg.SchemaVersion > 5 {
+ if err := hydrate(cfg); err != nil {
+ return err
+ }
+ }
+
+ return nil
 }
 
 type providerResults struct {
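Review bot: The new `cfg.Hydrate && cfg.SchemaVersion > 5` guard turns an explicitly requested hydration into a silent no-op for schema v5 and older, so a user who sets `hydrate: true` on a v5 build gets an unhydrated DB with no indication why. Since the option is user-facing, either reject the combination before the build starts, `if cfg.Hydrate && cfg.SchemaVersion <= 5 { return fmt.Errorf("hydrate is only supported for schema versions above 5 (got %d)", cfg.SchemaVersion) }`, or at minimum emit a `log.Warnf` at the point of the skip. The bare `5` would also read better as a named constant next to `DefaultSchemaVersion`, with a comment stating that hydration is a v6-only feature. `Build` starts outside this hunk.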
@@ -176,6 +188,24 @@
 
 return nil
 }
+
+func hydrate(cfg BuildConfig) error {
+ hydrator := grypeDBv6.Hydrater()
+ fs := afero.NewOsFs()
+
+ if err := hydrator(cfg.Directory); err != nil {
+ return fmt.Errorf("failed to hydrate db: %w", err)
+ }
+
+ doc, err := grypeDBv6.WriteImportMetadata(fs, cfg.Directory, "grype db build")
+ if err != nil {
+ return fmt.Errorf("failed to write checksums file: %w", err)
+ }
+
+ log.WithFields("digest", doc.Digest).Trace("captured DB digest")
+
+ return nil
+}
 
 func logDropped(droppedElementsByProvider, droppedSchemaElements map[string]int) {
 sortedKeys := func(m map[string]int) []string {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.32.0/pkg/process/v5/transformers/github/transform.go new/grype-db-0.33.0/pkg/process/v5/transformers/github/transform.go
--- old/grype-db-0.32.0/pkg/process/v5/transformers/github/transform.go 2025-04-08 11:56:22.000000000 +0200
+++ new/grype-db-0.33.0/pkg/process/v5/transformers/github/transform.go 2025-04-15 15:40:01.000000000 +0200
@@ -1,6 +1,7 @@
 package github
 
 import (
+ "errors"
 "fmt"
 "strings"
 
@@ -13,6 +14,8 @@
 syftPkg "github.com/anchore/syft/syft/pkg"
 )
 
+var errSkip = fmt.Errorf("skipping advisory")
+
 func buildGrypeNamespace(group string) (namespace.Namespace, error) {
 feedGroupComponents := strings.Split(group, ":")
 
@@ -24,10 +27,13 @@
 syftLanguage := syftPkg.LanguageByName(feedGroupLang)
 
 if syftLanguage == syftPkg.UnknownLanguage {
- // For now map nuget to dotnet as the language.
- if feedGroupLang == "nuget" {
+ switch feedGroupLang {
+ case "nuget":
 syftLanguage = syftPkg.Dotnet
- } else {
+ case "github-action":
+ // we don't want to error out on this, but grype at this version does not support github-action matching
+ return nil, errSkip
+ default:
 return nil, fmt.Errorf("unable to determine grype namespace for enterprise namespace=%s", group)
 }
 }
 
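Review bot: `hydrate` has no doc comment, and what it writes matters downstream: the "checksums file" produced by `WriteImportMetadata` records a digest of the hydrated DB, and the `archive.go` hunk in this same update packs that import-metadata file into the tarball when present, so anything that touches `cfg.Directory` between this call and archiving would appear to leave a digest that no longer matches the shipped DB. Suggest `// hydrate runs the v6 hydrater over cfg.Directory and then writes the import metadata (checksums) document for the resulting DB; it must run after the DB writer is closed and before the directory is archived, because the recorded digest covers the final file contents.` The `failed to` prefix in both `fmt.Errorf` messages is redundant once the error is chained by the caller; `fmt.Errorf("hydrating db: %w", err)` and `fmt.Errorf("writing import metadata: %w", err)` read cleaner. The digest is logged only at Trace level, yet it is the value consumers will later verify against, so a less verbose level seems warranted.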
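Review bot: `errSkip` is created with `fmt.Errorf` although the message carries no format verbs; since the same commit adds the `errors` import, `var errSkip = errors.New("skipping advisory")` is the idiomatic form for a sentinel and makes the intent (a comparable value for `errors.Is`) obvious. A one-line doc comment would help readers of the `case "github-action"` branch below: `// errSkip signals that an advisory is intentionally dropped rather than failed (e.g. github-action, which this schema version cannot match on).`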
@@ -54,6 +60,9 @@
 
 grypeNamespace, err := buildGrypeNamespace(vulnerability.Advisory.Namespace)
 if err != nil {
+ if errors.Is(err, errSkip) {
+ return nil, nil
+ }
 return nil, err
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.32.0/pkg/process/v5/transformers/github/transform_test.go new/grype-db-0.33.0/pkg/process/v5/transformers/github/transform_test.go
--- old/grype-db-0.32.0/pkg/process/v5/transformers/github/transform_test.go 2025-04-08 11:56:22.000000000 +0200
+++ new/grype-db-0.33.0/pkg/process/v5/transformers/github/transform_test.go 2025-04-15 15:40:01.000000000 +0200
@@ -22,6 +22,7 @@
 tests := []struct {
 group string
 namespace namespace.Namespace
+ wantErr require.ErrorAssertionFunc
 }{
 {
 group: "github:python",
@@ -51,12 +52,24 @@
 group: "github:rust",
 namespace: language.NewNamespace("github", syftPkg.Rust, ""),
 },
+ {
+ group: "github:github-action",
+ wantErr: func(t require.TestingT, err error, i ...interface{}) {
+ assert.Error(t, err)
+ assert.ErrorIs(t, errSkip, err)
+ },
+ },
 }
 
 for _, test := range tests {
+ if test.wantErr == nil {
+ test.wantErr = require.NoError
+ }
 ns, err := buildGrypeNamespace(test.group)
-
- assert.NoError(t, err)
+ test.wantErr(t, err)
+ if err != nil {
+ return
+ }
 assert.Equal(t, test.namespace, ns)
 }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.32.0/pkg/process/v6/archive.go new/grype-db-0.33.0/pkg/process/v6/archive.go
--- old/grype-db-0.32.0/pkg/process/v6/archive.go 2025-04-08 11:56:22.000000000 +0200
+++ new/grype-db-0.33.0/pkg/process/v6/archive.go 2025-04-15 15:40:01.000000000 +0200
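Review bot: On `errSkip` the transformer returns `nil, nil`, so a github-action advisory disappears with no log line and, as far as this hunk shows, no entry in the dropped-element accounting that `logDropped` in pkg/process/build.go reports. If the caller does not already count a nil result as a drop, a log call here carrying `vulnerability.Advisory.Namespace` would keep the intentionally skipped advisories visible to whoever audits DB coverage, since a quiet drop is exactly the kind of gap that goes unnoticed later. The enclosing function starts and ends outside this hunk.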
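Review bot: The `return` inside the loop after `test.wantErr(t, err)` ends the whole test function on the first error case, so any table entry placed after `github:github-action` would never be checked; it should be `continue`. The new assertion also has its arguments reversed: testify's `ErrorIs(t, err, target)` takes the actual error first, and `assert.ErrorIs(t, errSkip, err)` only passes because `buildGrypeNamespace` returns the sentinel unwrapped, so write it as `assert.ErrorIs(t, err, errSkip)` so the case keeps passing if the error is ever wrapped. Wrapping each iteration in `t.Run(test.group, ...)` would additionally name the failing case in the output.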
@@ -65,8 +65,13 @@
 )
 tarPath := filepath.Join(dbDir, tarName)
+ files := []string{v6.VulnerabilityDBFileName}
 
- if err := populateTar(dbDir, tarName, v6.VulnerabilityDBFileName); err != nil {
+ if _, err := os.Stat(path.Join(dbDir, v6.ImportMetadataFileName)); err == nil {
+ files = append(files, v6.ImportMetadataFileName)
+ }
+
+ if err := populateTar(dbDir, tarName, files...); err != nil {
 return err
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.32.0/pkg/process/v6/transformers/github/transform.go new/grype-db-0.33.0/pkg/process/v6/transformers/github/transform.go
--- old/grype-db-0.32.0/pkg/process/v6/transformers/github/transform.go 2025-04-08 11:56:22.000000000 +0200
+++ new/grype-db-0.33.0/pkg/process/v6/transformers/github/transform.go 2025-04-15 15:40:01.000000000 +0200
@@ -164,6 +164,12 @@
 return pkg.RpmPkg
 case "deb":
 return pkg.DebPkg
+ case "github-action":
+ return pkg.GithubActionPkg
+ }
+ ty := pkg.TypeByName(ecosystem)
+ if ty != pkg.UnknownPkg {
+ return ty
 }
 
 log.Warnf("using unknown ecosystem intead of syft pkg type (this will probably cause issues when matching): %q", ecosystem)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.32.0/pkg/process/v6/transformers/github/transform_test.go new/grype-db-0.33.0/pkg/process/v6/transformers/github/transform_test.go
--- old/grype-db-0.32.0/pkg/process/v6/transformers/github/transform_test.go 2025-04-08 11:56:22.000000000 +0200
+++ new/grype-db-0.33.0/pkg/process/v6/transformers/github/transform_test.go 2025-04-15 15:40:01.000000000 +0200
@@ -13,6 +13,7 @@
 "github.com/anchore/grype-db/pkg/provider"
 "github.com/anchore/grype-db/pkg/provider/unmarshal"
 grypeDB "github.com/anchore/grype/grype/db/v6"
+ "github.com/anchore/syft/syft/pkg"
 )
 
 func TestTransform(t *testing.T) {
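Review bot: The new `os.Stat` call builds its argument with `path.Join` while the line above uses `filepath.Join` for the same directory; `path` is for slash-separated URL-style paths, so this should be `filepath.Join(dbDir, v6.ImportMetadataFileName)` for consistency and OS correctness. The `err == nil` test also treats every stat failure (permission denied, I/O error) the same as "file absent", silently producing an archive without its import-metadata document; distinguishing `errors.Is(err, fs.ErrNotExist)` from other errors and returning the latter (adding the `errors` and `io/fs` imports if the file lacks them) would avoid shipping a tarball whose checksums file is missing for a reason other than a non-hydrated build. The enclosing function starts and ends outside this hunk.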
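Review bot: The `pkg.TypeByName` fallback widens what `getPackageType` accepts beyond the explicit switch without saying so; a short comment before it, `// fall back to syft's own name-to-type mapping before giving up on the ecosystem`, would explain why the switch and the lookup coexist. Whether `TypeByName` is case-insensitive is not visible here, and the new test only exercises `Composer`/`COMPOSER` through the switch, so an upper-case value that reaches the fallback may behave differently from the switch cases if the switch operates on a lowercased copy. The retained warning on the last context line still misspells `intead`; worth fixing while touching this function. `getPackageType` starts outside this hunk.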
@@ -541,6 +542,51 @@
 }
 })
 }
+}
+
+func TestGetPackageType(t *testing.T) {
+ tests := []struct {
+ ecosystem string
+ expectedType pkg.Type
+ }{
+ {"composer", pkg.PhpComposerPkg},
+ {"Composer", pkg.PhpComposerPkg}, // testing case insensitivity
+ {"COMPOSER", pkg.PhpComposerPkg}, // testing case insensitivity
+ {"rust", pkg.RustPkg},
+ {"cargo", pkg.RustPkg},
+ {"dart", pkg.DartPubPkg},
+ {"nuget", pkg.DotnetPkg},
+ {".net", pkg.DotnetPkg},
+ {"go", pkg.GoModulePkg},
+ {"golang", pkg.GoModulePkg},
+ {"maven", pkg.JavaPkg},
+ {"java", pkg.JavaPkg},
+ {"npm", pkg.NpmPkg},
+ {"pypi", pkg.PythonPkg},
+ {"python", pkg.PythonPkg},
+ {"pip", pkg.PythonPkg},
+ {"swift", pkg.SwiftPkg},
+ {"rubygems", pkg.GemPkg},
+ {"ruby", pkg.GemPkg},
+ {"gem", pkg.GemPkg},
+ {"apk", pkg.ApkPkg},
+ {"rpm", pkg.RpmPkg},
+ {"deb", pkg.DebPkg},
+ {"github-action", pkg.GithubActionPkg},
+
+ // test for unknown type fallback
+ {"unknown-ecosystem", pkg.Type("unknown-ecosystem")},
+ {"", pkg.Type("")},
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.ecosystem, func(t *testing.T) {
+ gotType := getPackageType(tc.ecosystem)
+ if gotType != tc.expectedType {
+ t.Errorf("getPackageType(%q) = %v, want %v", tc.ecosystem, gotType, tc.expectedType)
+ }
+ })
+ }
 }
 
 func loadFixture(t *testing.T, path string) []unmarshal.GitHubAdvisory {
++++++ grype-db.obsinfo ++++++
--- /var/tmp/diff_new_pack.7T76V0/_old 2025-04-20 19:55:58.126892762 +0200
+++ /var/tmp/diff_new_pack.7T76V0/_new 2025-04-20 19:55:58.154893934 +0200
@@ -1,5 +1,5 @@
 name: grype-db
-version: 0.32.0
-mtime: 1744106182
-commit: e1cdd057953847cf092640100b6b106199453865
+version: 0.33.0
+mtime: 1744724401
+commit: 99143e6451c02525a81ea74677ccef6433d55200
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/grype-db/vendor.tar.gz /work/SRC/openSUSE:Factory/.grype-db.new.30101/vendor.tar.gz differ: char 6, line 1