Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package wolfictl for openSUSE:Factory 
checked in at 2025-07-15 16:44:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wolfictl (Old)
 and      /work/SRC/openSUSE:Factory/.wolfictl.new.7373 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "wolfictl"

Tue Jul 15 16:44:51 2025 rev:5 rq:1293261 version:0.38.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/wolfictl/wolfictl.changes        2025-07-09 
17:29:20.469884505 +0200
+++ /work/SRC/openSUSE:Factory/.wolfictl.new.7373/wolfictl.changes      
2025-07-15 16:46:41.138644811 +0200
@@ -1,0 +2,24 @@
+Tue Jul 15 06:02:37 UTC 2025 - Johannes Kastl 
<opensuse_buildserv...@ojkastl.de>
+
+- Update to 0.38.2:
+  * scan: make max db allowed build age configurable by @hectorj2f
+    in #1677
+
+-------------------------------------------------------------------
+Tue Jul 15 05:58:46 UTC 2025 - Johannes Kastl 
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 0.38.1:
+  * scan: add a comment to justify the change to 118h
+  * scan: add a warning when age is older than 48h for now
+  * scan: add docs with the new flag
+  * scan: make max db allowed build age configurable
+  * linter: avoid false positives for double ampersand (#6)
+  * fix background process regex (#5)
+  * lint: detect multiline background processes without redirect
+    (#4)
+  * fix lint false positive for -d (#3)
+  * lint: detect daemon flags and redirects (#2)
+  * Refine background process lint regex
+  * lint: warn on background processes without redirect
+
+-------------------------------------------------------------------

Old:
----
  wolfictl-0.38.0.obscpio

New:
----
  wolfictl-0.38.2.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ wolfictl.spec ++++++
--- /var/tmp/diff_new_pack.2TVUea/_old  2025-07-15 16:46:42.546703125 +0200
+++ /var/tmp/diff_new_pack.2TVUea/_new  2025-07-15 16:46:42.550703290 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           wolfictl
-Version:        0.38.0
+Version:        0.38.2
 Release:        0
 Summary:        A CLI used to work with the Wolfi OSS project
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.2TVUea/_old  2025-07-15 16:46:42.582704616 +0200
+++ /var/tmp/diff_new_pack.2TVUea/_new  2025-07-15 16:46:42.586704782 +0200
@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="exclude">.git</param>
     <param name="revision">main</param>
-    <param name="versionformat">v0.38.0</param>
+    <param name="versionformat">v0.38.2</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>
   </service>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.2TVUea/_old  2025-07-15 16:46:42.606705610 +0200
+++ /var/tmp/diff_new_pack.2TVUea/_new  2025-07-15 16:46:42.614705942 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/wolfi-dev/wolfictl</param>
-              <param 
name="changesrevision">e3eb49c76dc1f3a60090af4fdd51d22488c2f90f</param></service></servicedata>
+              <param 
name="changesrevision">ed371971dc2ab60e6f4e7d792da9e7d8d90ea3b5</param></service></servicedata>
 (No newline at EOF)
 

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/wolfictl/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.wolfictl.new.7373/vendor.tar.gz differ: char 133, 
line 1

++++++ wolfictl-0.38.0.obscpio -> wolfictl-0.38.2.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wolfictl-0.38.0/docs/cmd/wolfictl_scan.md 
new/wolfictl-0.38.2/docs/cmd/wolfictl_scan.md
--- old/wolfictl-0.38.0/docs/cmd/wolfictl_scan.md       2025-07-08 
09:07:14.000000000 +0200
+++ new/wolfictl-0.38.2/docs/cmd/wolfictl_scan.md       2025-07-14 
21:23:23.000000000 +0200
@@ -94,18 +94,19 @@
 ### Options
 
 ```
-  -a, --advisories-repo-dir string   directory containing the advisories 
repository
-  -f, --advisory-filter string       exclude vulnerability matches that are 
referenced from the specified set of advisories (resolved|all|concluded)
-      --build-log                    treat input as a package build log file 
(or a directory that contains a packages.log file)
-  -D, --disable-sbom-cache           don't use the SBOM cache
-      --distro string                distro to use during vulnerability 
matching (default "wolfi")
-  -h, --help                         help for scan
-      --local-file-grype-db string   import a local grype db file
-  -o, --output string                output format (outline|json), defaults to 
outline
-  -r, --remote                       treat input(s) as the name(s) of 
package(s) in the Wolfi package repository to download and scan the latest 
versions of
-      --require-zero                 exit 1 if any vulnerabilities are found
-  -s, --sbom                         treat input(s) as SBOM(s) of APK(s) 
instead of as actual APK(s)
-      --use-cpes                     turn on all CPE matching in Grype
+  -a, --advisories-repo-dir string       directory containing the advisories 
repository
+  -f, --advisory-filter string           exclude vulnerability matches that 
are referenced from the specified set of advisories (resolved|all|concluded)
+      --build-log                        treat input as a package build log 
file (or a directory that contains a packages.log file)
+  -D, --disable-sbom-cache               don't use the SBOM cache
+      --distro string                    distro to use during vulnerability 
matching (default "wolfi")
+  -h, --help                             help for scan
+      --local-file-grype-db string       import a local grype db file
+      --max-allowed-built-age duration   Max allowed age for vulnerability 
database, age being the time since it was built. Default max age is 120h (or 
five days) (default 120h0m0s)
+  -o, --output string                    output format (outline|json), 
defaults to outline
+  -r, --remote                           treat input(s) as the name(s) of 
package(s) in the Wolfi package repository to download and scan the latest 
versions of
+      --require-zero                     exit 1 if any vulnerabilities are 
found
+  -s, --sbom                             treat input(s) as SBOM(s) of APK(s) 
instead of as actual APK(s)
+      --use-cpes                         turn on all CPE matching in Grype
 ```
 
 ### Options inherited from parent commands
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wolfictl-0.38.0/docs/man/man1/wolfictl-scan.1 
new/wolfictl-0.38.2/docs/man/man1/wolfictl-scan.1
--- old/wolfictl-0.38.0/docs/man/man1/wolfictl-scan.1   2025-07-08 
09:07:14.000000000 +0200
+++ new/wolfictl-0.38.2/docs/man/man1/wolfictl-scan.1   2025-07-14 
21:23:23.000000000 +0200
@@ -135,6 +135,10 @@
     import a local grype db file
 
 .PP
+\fB\-\-max\-allowed\-built\-age\fP=120h0m0s
+    Max allowed age for vulnerability database, age being the time since it 
was built. Default max age is 120h (or five days)
+
+.PP
 \fB\-o\fP, \fB\-\-output\fP=""
     output format (outline|json), defaults to outline
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wolfictl-0.38.0/go.mod new/wolfictl-0.38.2/go.mod
--- old/wolfictl-0.38.0/go.mod  2025-07-08 09:07:14.000000000 +0200
+++ new/wolfictl-0.38.2/go.mod  2025-07-14 21:23:23.000000000 +0200
@@ -68,6 +68,7 @@
 require (
        github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722
        github.com/chainguard-dev/advisory-schema v0.37.12
+       github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b
        github.com/spf13/afero v1.14.0
 )
 
@@ -206,7 +207,6 @@
        github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
        github.com/grpc-ecosystem/go-grpc-prometheus 
v1.2.1-0.20210315223345-82c243799c99 // indirect
        github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
-       github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b // indirect
        github.com/hashicorp/errwrap v1.1.0 // indirect
        github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
        github.com/hashicorp/go-getter v1.7.8 // indirect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wolfictl-0.38.0/pkg/cli/scan.go 
new/wolfictl-0.38.2/pkg/cli/scan.go
--- old/wolfictl-0.38.0/pkg/cli/scan.go 2025-07-08 09:07:14.000000000 +0200
+++ new/wolfictl-0.38.2/pkg/cli/scan.go 2025-07-14 21:23:23.000000000 +0200
@@ -14,6 +14,7 @@
        "sort"
        "strings"
        "sync"
+       "time"
 
        "chainguard.dev/apko/pkg/apk/apk"
        "chainguard.dev/apko/pkg/apk/auth"
@@ -235,6 +236,9 @@
        opts := scan.DefaultOptions
        opts.UseCPEs = p.useCPEMatching
        opts.PathOfDatabaseArchiveToImport = p.localDBFilePath
+       if p.dbMaxAllowedBuildAge > 0 {
+               opts.MaxAllowedBuildAge = p.dbMaxAllowedBuildAge
+       }
 
        // Immediately start a goroutine, so we can initialize the 
vulnerability database.
        // Once that's finished, we will start to pull sboms off of done as 
they become ready.
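Review bot: A zero or negative `--max-allowed-built-age` is silently dropped by the `p.dbMaxAllowedBuildAge > 0` guard and the scan proceeds with the value from `scan.DefaultOptions`, so a typo such as `-48h` gives the operator no feedback. Since this value decides how stale a vulnerability database may be before results are trusted, I would reject non-positive values with an error where the flags are validated instead of falling back. Logging the effective maximum age once per run would also help when a pipeline relies on `--require-zero`, because a very large value is accepted without comment. The enclosing function starts and ends outside this hunk.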
@@ -338,6 +342,7 @@
        disableSBOMCache     bool
        remoteScanning       bool
        useCPEMatching       bool
+       dbMaxAllowedBuildAge time.Duration
 }
 
 func (p *scanParams) addFlagsTo(cmd *cobra.Command) {
@@ -352,6 +357,7 @@
        cmd.Flags().BoolVarP(&p.disableSBOMCache, "disable-sbom-cache", "D", 
false, "don't use the SBOM cache")
        cmd.Flags().BoolVarP(&p.remoteScanning, "remote", "r", false, "treat 
input(s) as the name(s) of package(s) in the Wolfi package repository to 
download and scan the latest versions of")
        cmd.Flags().BoolVar(&p.useCPEMatching, "use-cpes", false, "turn on all 
CPE matching in Grype")
+       cmd.Flags().DurationVar(&p.dbMaxAllowedBuildAge, 
"max-allowed-built-age", 120*time.Hour, "Max allowed age for vulnerability 
database, age being the time since it was built. Default max age is 120h (or 
five days)")
 }
 
 func (p *scanParams) resolveInputsToScan(ctx context.Context, args []string) 
(inputs []string, cleanup func() error, err error) {
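Review bot: The default `120*time.Hour` is written out in the `DurationVar` call here and again in `DefaultOptions` and in the zero-value fallback of `NewScanner` (both in pkg/scan/apk.go), so the three copies can drift apart. Using `scan.DefaultOptions.MaxAllowedBuildAge` as the flag default would keep one source of truth. The help string also repeats the default that cobra already appends as `(default 120h0m0s)`, and the flag is spelled `built` while the field and option are spelled `Build`; a short comment on the flag explaining the naming would save the next reader a search.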
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wolfictl-0.38.0/pkg/lint/rules.go 
new/wolfictl-0.38.2/pkg/lint/rules.go
--- old/wolfictl-0.38.0/pkg/lint/rules.go       2025-07-08 09:07:14.000000000 
+0200
+++ new/wolfictl-0.38.2/pkg/lint/rules.go       2025-07-14 21:23:23.000000000 
+0200
@@ -21,6 +21,28 @@
 )
 
 var (
+       daemonFlags = []string{
+               `(?:^|\s)--daemon\b`,
+               `(?:^|\s)--daemonize\b`,
+               `(?:^|\s)--detach\b`,
+               `(?:^|\s)-daemon\b`,
+       }
+
+       redirPatterns = []string{
+               `>\s*\S+`,
+               `>>\s*\S+`,
+               `2>\s*\S+`,
+               `2>>\s*\S+`,
+               `&>\s*\S+`,
+               `&>>\s*\S+`,
+               `>\s*\S+.*2>&1`,
+               `2>&1.*>\s*\S+`,
+               `>\s*/dev/null`,
+               `2>\s*/dev/null`,
+               `&>\s*/dev/null`,
+               `\d+>&\d+`,
+       }
+
        reValidSHA256 = regexp.MustCompile(`^[a-fA-F0-9]{64}$`)
        reValidSHA512 = regexp.MustCompile(`^[a-fA-F0-9]{128}$`)
        reValidSHA1   = regexp.MustCompile(`^[a-fA-F0-9]{40}$`)
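Review bot: The first entry of `redirPatterns`, `>\s*\S+`, matches any `>` followed by a non-space character, so it already covers every other alternative in the list. It also accepts `2>&1` on its own, a `>` inside a quoted argument and a `->` in text. A line such as `server 2>&1 &` therefore counts as redirected although its output still goes to the inherited stream, and the rule stays silent. I would collapse the list to one pattern that requires a file target, for example `(?:^|\s)(?:\d*|&)>>?\s*[^&\s]\S*`, and add a fixture for the `2>&1`-only case. The `\b` after `--daemon` in `daemonFlags` also matches longer flags such as `--daemon-something`, which may or may not be intended.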
@@ -43,6 +65,14 @@
        hostEditDistanceExceptions = map[string]string{
                "www.libssh.org": "www.libssh2.org",
        }
+
+       // Detect background processes (commands ending with '&' or '& sleep 
...') or daemonized commands
+       // reBackgroundProcess detects background processes (commands ending 
with '&' or '& sleep ...')
+       // We explicitly avoid matching '&&' which is commonly used for command 
chaining.
+       reBackgroundProcess = 
regexp.MustCompile(`(?:^|[^&])&(?:\s*$|\s+sleep\b)`) // matches 'cmd &' or 'cmd 
& sleep'
+       reDaemonProcess     = regexp.MustCompile(`.*(?:` + 
strings.Join(daemonFlags, "|") + `).*`)
+       // Detect output redirection in shell commands
+       reOutputRedirect = regexp.MustCompile(strings.Join(redirPatterns, "|"))
 )
 
 const gitCheckout = "git-checkout"
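Review bot: The first two comment lines above `reBackgroundProcess` say the same thing twice, and the first one also mentions daemonized commands, which are handled by `reDaemonProcess`. I would keep one comment per variable, e.g. `// reBackgroundProcess matches a trailing '&' or '& sleep'; '&&' chaining is excluded.` and `// reDaemonProcess matches a line that carries any of daemonFlags.` The leading and trailing `.*` in `reDaemonProcess` add nothing, since the only visible caller uses the unanchored `MatchString`.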
@@ -457,6 +487,47 @@
                        },
                },
                {
+                       Name:        "background-process-without-redirect",
+                       Description: "test steps should redirect output when 
running background processes",
+                       Severity:    SeverityWarning,
+                       LintFunc: func(c config.Configuration) error {
+                               checkSteps := func(steps []config.Pipeline) 
error {
+                                       for _, s := range steps {
+                                               if s.Runs == "" {
+                                                       continue
+                                               }
+                                               lines := strings.Split(s.Runs, 
"\n")
+                                               for i, line := range lines {
+                                                       checkLine := line
+                                                       if 
strings.Contains(line, "&") && i+1 < len(lines) {
+                                                               checkLine += 
"\n" + lines[i+1]
+                                                       }
+
+                                                       needsRedirect := 
reBackgroundProcess.MatchString(checkLine) || reDaemonProcess.MatchString(line)
+                                                       if needsRedirect && 
!reOutputRedirect.MatchString(line) {
+                                                               return 
fmt.Errorf("background process missing output redirect: %s", 
strings.TrimSpace(line))
+                                                       }
+                                               }
+                                       }
+                                       return nil
+                               }
+
+                               if c.Test != nil {
+                                       if err := checkSteps(c.Test.Pipeline); 
err != nil {
+                                               return err
+                                       }
+                               }
+                               for _, sp := range c.Subpackages {
+                                       if sp.Test != nil {
+                                               if err := 
checkSteps(sp.Test.Pipeline); err != nil {
+                                                       return err
+                                               }
+                                       }
+                               }
+                               return nil
+                       },
+               },
+               {
                        Name:        "valid-update-schedule",
                        Description: "update schedule config should contain a 
valid period",
                        Severity:    SeverityError,
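Review bot: Joining the next line into `checkLine` makes the rule miss the common case. `reBackgroundProcess` has no `(?m)` flag, so `$` matches only at the end of the joined text, and `server &` followed by anything other than a blank line or `sleep` is not flagged. A trailing `&` on the following line is also reported against the current line. Matching the current line alone appears to cover every fixture added in this commit: `needsRedirect := reBackgroundProcess.MatchString(line) || reDaemonProcess.MatchString(line)`. A fixture with a background command followed by an ordinary command would pin this down. The function also returns on the first offending line, so later ones in the same package go unreported until the first is fixed.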
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wolfictl-0.38.0/pkg/lint/rules_test.go 
new/wolfictl-0.38.2/pkg/lint/rules_test.go
--- old/wolfictl-0.38.0/pkg/lint/rules_test.go  2025-07-08 09:07:14.000000000 
+0200
+++ new/wolfictl-0.38.2/pkg/lint/rules_test.go  2025-07-14 21:23:23.000000000 
+0200
@@ -469,6 +469,95 @@
                        wantErr: true,
                        matches: 1,
                },
+               {
+                       file:        "background-process-no-redirect.yaml",
+                       minSeverity: SeverityWarning,
+                       want: EvalResult{
+                               File: "background-process-no-redirect",
+                               Errors: EvalRuleErrors{
+                                       {
+                                               Rule: Rule{
+                                                       Name:     
"background-process-without-redirect",
+                                                       Severity: 
SeverityWarning,
+                                               },
+                                               Error: 
fmt.Errorf("[background-process-without-redirect]: background process missing 
output redirect: croc relay --ports=1234 & (WARNING)"),
+                                       },
+                               },
+                       },
+                       wantErr: false,
+                       matches: 1,
+               },
+               {
+                       file:        
"background-process-multiline-no-redirect.yaml",
+                       minSeverity: SeverityWarning,
+                       want: EvalResult{
+                               File: 
"background-process-multiline-no-redirect",
+                               Errors: EvalRuleErrors{
+                                       {
+                                               Rule: Rule{
+                                                       Name:     
"background-process-without-redirect",
+                                                       Severity: 
SeverityWarning,
+                                               },
+                                               Error: 
fmt.Errorf("[background-process-without-redirect]: background process missing 
output redirect: coredns & (WARNING)"),
+                                       },
+                               },
+                       },
+                       wantErr: false,
+                       matches: 1,
+               },
+               {
+                       file:        "background-process-with-redirect.yaml",
+                       minSeverity: SeverityWarning,
+                       want:        EvalResult{},
+                       wantErr:     false,
+                       matches:     0,
+               },
+               {
+                       file:        "double-ampersand-valid.yaml",
+                       minSeverity: SeverityWarning,
+                       want:        EvalResult{},
+                       wantErr:     false,
+                       matches:     0,
+               },
+               {
+                       file:        "daemon-flag-no-redirect.yaml",
+                       minSeverity: SeverityWarning,
+                       want: EvalResult{
+                               File: "daemon-flag-no-redirect",
+                               Errors: EvalRuleErrors{
+                                       {
+                                               Rule: Rule{
+                                                       Name:     
"background-process-without-redirect",
+                                                       Severity: 
SeverityWarning,
+                                               },
+                                               Error: 
fmt.Errorf("[background-process-without-redirect]: background process missing 
output redirect: croc relay --daemon (WARNING)"),
+                                       },
+                               },
+                       },
+                       wantErr: false,
+                       matches: 1,
+               },
+               {
+                       file:        "daemon-flag-with-redirect.yaml",
+                       minSeverity: SeverityWarning,
+                       want:        EvalResult{},
+                       wantErr:     false,
+                       matches:     0,
+               },
+               {
+                       file:        "avahi-no-daemon.yaml",
+                       minSeverity: SeverityWarning,
+                       want:        EvalResult{},
+                       wantErr:     false,
+                       matches:     0,
+               },
+               {
+                       file:        "cut-d-flag.yaml",
+                       minSeverity: SeverityWarning,
+                       want:        EvalResult{},
+                       wantErr:     false,
+                       matches:     0,
+               },
        }
 
        for _, tt := range tests {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wolfictl-0.38.0/pkg/lint/testdata/files/avahi-no-daemon.yaml 
new/wolfictl-0.38.2/pkg/lint/testdata/files/avahi-no-daemon.yaml
--- old/wolfictl-0.38.0/pkg/lint/testdata/files/avahi-no-daemon.yaml    
1970-01-01 01:00:00.000000000 +0100
+++ new/wolfictl-0.38.2/pkg/lint/testdata/files/avahi-no-daemon.yaml    
2025-07-14 21:23:23.000000000 +0200
@@ -0,0 +1,45 @@
+package:
+  name: avahi-no-daemon
+  version: 1.0.0
+  epoch: 0
+  description: Package running avahi commands without backgrounding
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: GPL-2.0-only
+pipeline:
+  - uses: fetch
+    with:
+      uri: https://test.com/avahi/${{package.version}}.tar.gz
+      expected-sha256: 
ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269
+test:
+  pipeline:
+    # AUTOGENERATED
+    - runs: |
+        avahi-browse --version
+        avahi-browse-domains --version
+        avahi-publish --version
+        avahi-publish-address --version
+        avahi-publish-service --version
+        avahi-resolve --version
+        avahi-resolve-address --version
+        avahi-resolve-host-name --version
+        avahi-set-host-name --version
+        avahi-autoipd --version
+        avahi-daemon --version
+        avahi-dnsconfd --version
+        avahi-browse --help
+        avahi-browse-domains --help
+        avahi-publish --help
+        avahi-publish-address --help
+        avahi-publish-service --help
+        avahi-resolve --help
+        avahi-resolve-address --help
+        avahi-resolve-host-name --help
+        avahi-set-host-name --help
+        avahi-autoipd --help
+        avahi-daemon --help
+        avahi-dnsconfd --help
+update:
+  enabled: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wolfictl-0.38.0/pkg/lint/testdata/files/background-process-multiline-no-redirect.yaml
 
new/wolfictl-0.38.2/pkg/lint/testdata/files/background-process-multiline-no-redirect.yaml
--- 
old/wolfictl-0.38.0/pkg/lint/testdata/files/background-process-multiline-no-redirect.yaml
   1970-01-01 01:00:00.000000000 +0100
+++ 
new/wolfictl-0.38.2/pkg/lint/testdata/files/background-process-multiline-no-redirect.yaml
   2025-07-14 21:23:23.000000000 +0200
@@ -0,0 +1,45 @@
+package:
+  name: background-process-multiline-no-redirect
+  version: 1.0.0
+  epoch: 0
+  description: Package with multiline background process without redirect
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: GPL-2.0-only
+pipeline:
+  - uses: fetch
+    with:
+      uri: https://test.com/background/${{package.version}}.tar.gz
+      expected-sha256: 
ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269
+test:
+  pipeline:
+    - runs: |
+        cat > Corefile <<EOF
+        .:1053 {
+            file /home/build/db.wolfi.dev
+            log
+            errors
+            cache
+        }
+        EOF
+
+        cat > /home/build/db.wolfi.dev <<'EOF'
+        $TTL 3600
+        @    IN SOA ns1.wolfi.dev. admin.wolfi.dev. (
+                  20240101   ; Serial
+                  7200       ; Refresh
+                  3600       ; Retry
+                  1209600    ; Expire
+                  3600 )     ; Negative Cache TTL
+        ;
+        @    IN NS  ns1.wolfi.dev.
+        ;
+        foo.wolfi.dev  IN TXT "hi"
+        EOF
+
+        coredns &
+        sleep 2
+update:
+  enabled: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wolfictl-0.38.0/pkg/lint/testdata/files/background-process-no-redirect.yaml 
new/wolfictl-0.38.2/pkg/lint/testdata/files/background-process-no-redirect.yaml
--- 
old/wolfictl-0.38.0/pkg/lint/testdata/files/background-process-no-redirect.yaml 
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/wolfictl-0.38.2/pkg/lint/testdata/files/background-process-no-redirect.yaml 
    2025-07-14 21:23:23.000000000 +0200
@@ -0,0 +1,20 @@
+package:
+  name: background-process-no-redirect
+  version: 1.0.0
+  epoch: 0
+  description: Package with background process without redirect
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: GPL-2.0-only
+pipeline:
+  - uses: fetch
+    with:
+      uri: https://test.com/background/${{package.version}}.tar.gz
+      expected-sha256: 
ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269
+test:
+  pipeline:
+    - runs: "croc relay --ports=1234 &"
+update:
+  enabled: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wolfictl-0.38.0/pkg/lint/testdata/files/background-process-with-redirect.yaml
 
new/wolfictl-0.38.2/pkg/lint/testdata/files/background-process-with-redirect.yaml
--- 
old/wolfictl-0.38.0/pkg/lint/testdata/files/background-process-with-redirect.yaml
   1970-01-01 01:00:00.000000000 +0100
+++ 
new/wolfictl-0.38.2/pkg/lint/testdata/files/background-process-with-redirect.yaml
   2025-07-14 21:23:23.000000000 +0200
@@ -0,0 +1,20 @@
+package:
+  name: background-process-with-redirect
+  version: 1.0.0
+  epoch: 0
+  description: Package with background process with redirect
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: GPL-2.0-only
+pipeline:
+  - uses: fetch
+    with:
+      uri: https://test.com/background/${{package.version}}.tar.gz
+      expected-sha256: 
ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269
+test:
+  pipeline:
+    - runs: "croc relay --ports=1234 > croc.log 2>&1 &"
+update:
+  enabled: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wolfictl-0.38.0/pkg/lint/testdata/files/cut-d-flag.yaml 
new/wolfictl-0.38.2/pkg/lint/testdata/files/cut-d-flag.yaml
--- old/wolfictl-0.38.0/pkg/lint/testdata/files/cut-d-flag.yaml 1970-01-01 
01:00:00.000000000 +0100
+++ new/wolfictl-0.38.2/pkg/lint/testdata/files/cut-d-flag.yaml 2025-07-14 
21:23:23.000000000 +0200
@@ -0,0 +1,20 @@
+package:
+  name: cut-d-flag
+  version: 1.0.0
+  epoch: 0
+  description: Package using cut -d but not running daemon
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: GPL-2.0-only
+pipeline:
+  - uses: fetch
+    with:
+      uri: https://test.com/cut/${{package.version}}.tar.gz
+      expected-sha256: 
ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269
+test:
+  pipeline:
+    - runs: "getcap /usr/bin/fping | cut -d ' ' -f2 | grep -q -E 
'^cap_net_raw=+ep$'"
+update:
+  enabled: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wolfictl-0.38.0/pkg/lint/testdata/files/daemon-flag-no-redirect.yaml 
new/wolfictl-0.38.2/pkg/lint/testdata/files/daemon-flag-no-redirect.yaml
--- old/wolfictl-0.38.0/pkg/lint/testdata/files/daemon-flag-no-redirect.yaml    
1970-01-01 01:00:00.000000000 +0100
+++ new/wolfictl-0.38.2/pkg/lint/testdata/files/daemon-flag-no-redirect.yaml    
2025-07-14 21:23:23.000000000 +0200
@@ -0,0 +1,20 @@
+package:
+  name: daemon-flag-no-redirect
+  version: 1.0.0
+  epoch: 0
+  description: Package with daemon flag without redirect
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: GPL-2.0-only
+pipeline:
+  - uses: fetch
+    with:
+      uri: https://test.com/daemon/${{package.version}}.tar.gz
+      expected-sha256: 
ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269
+test:
+  pipeline:
+    - runs: "croc relay --daemon"
+update:
+  enabled: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wolfictl-0.38.0/pkg/lint/testdata/files/daemon-flag-with-redirect.yaml 
new/wolfictl-0.38.2/pkg/lint/testdata/files/daemon-flag-with-redirect.yaml
--- old/wolfictl-0.38.0/pkg/lint/testdata/files/daemon-flag-with-redirect.yaml  
1970-01-01 01:00:00.000000000 +0100
+++ new/wolfictl-0.38.2/pkg/lint/testdata/files/daemon-flag-with-redirect.yaml  
2025-07-14 21:23:23.000000000 +0200
@@ -0,0 +1,20 @@
+package:
+  name: daemon-flag-with-redirect
+  version: 1.0.0
+  epoch: 0
+  description: Package with daemon flag and redirect
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: GPL-2.0-only
+pipeline:
+  - uses: fetch
+    with:
+      uri: https://test.com/daemon/${{package.version}}.tar.gz
+      expected-sha256: 
ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269
+test:
+  pipeline:
+    - runs: "croc relay --daemon > croc.log 2>&1"
+update:
+  enabled: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wolfictl-0.38.0/pkg/lint/testdata/files/double-ampersand-valid.yaml 
new/wolfictl-0.38.2/pkg/lint/testdata/files/double-ampersand-valid.yaml
--- old/wolfictl-0.38.0/pkg/lint/testdata/files/double-ampersand-valid.yaml     
1970-01-01 01:00:00.000000000 +0100
+++ new/wolfictl-0.38.2/pkg/lint/testdata/files/double-ampersand-valid.yaml     
2025-07-14 21:23:23.000000000 +0200
@@ -0,0 +1,27 @@
+package:
+  name: double-ampersand-valid
+  version: 1.0.0
+  epoch: 0
+  description: Package with double ampersand not running background process
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: GPL-2.0-only
+pipeline:
+  - uses: fetch
+    with:
+      uri: https://test.com/double/${{package.version}}.tar.gz
+      expected-sha256: 
ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269
+test:
+  pipeline:
+    - runs: |
+        ruby - <<'RUBY'
+        unless client.identifier == 'client_id' &&
+               client.secret == 'client_secret' &&
+               client.redirect_uri == 'https://example.com/callback'
+          raise "Client configuration failed"
+        end
+        RUBY
+update:
+  enabled: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wolfictl-0.38.0/pkg/scan/apk.go 
new/wolfictl-0.38.2/pkg/scan/apk.go
--- old/wolfictl-0.38.0/pkg/scan/apk.go 2025-07-08 09:07:14.000000000 +0200
+++ new/wolfictl-0.38.2/pkg/scan/apk.go 2025-07-14 21:23:23.000000000 +0200
@@ -37,6 +37,7 @@
        sbomSyft "github.com/anchore/syft/syft/sbom"
        "github.com/chainguard-dev/clog"
        "github.com/charmbracelet/log"
+       "github.com/hako/durafmt"
        "github.com/spf13/afero"
        anchorelogger "github.com/wolfi-dev/wolfictl/pkg/anchorelog"
        "github.com/wolfi-dev/wolfictl/pkg/sbom"
@@ -44,6 +45,8 @@
 
 const (
        mavenSearchBaseURL = "https://search.maven.org/solrsearch/select";
+
+       maxRecommendedBuildAge = 48 * time.Hour
 )
 
 var DefaultGrypeDBDir = path.Join(xdg.CacheHome, "wolfictl", "grype", "db")
@@ -166,6 +169,12 @@
        // except for testing purposes.
        DisableDatabaseAgeValidation bool
 
+       // MaxAllowedBuildAge defines the maximum allowed age for the 
vulnerability database.
+       // If the database is older than this duration, it will be considered 
invalid unless
+       // DisableDatabaseAgeValidation is set to true. If not specified, the 
default value
+       // of 48 hours will be used.
+       MaxAllowedBuildAge time.Duration
+
        // DisableSBOMCache controls whether the scanner will cache SBOMs 
generated from
        // APKs. If true, the scanner will not cache SBOMs or use existing 
cached SBOMs.
        DisableSBOMCache bool
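Review bot: The new comment on `MaxAllowedBuildAge` states that the default is 48 hours, but `DefaultOptions` and the zero-value fallback in `NewScanner` later in this file both use 120h; 48h is only the recommended value used for the warning. The last sentence should read along the lines of `// If zero, NewScanner falls back to 120 hours; 48 hours is the recommended maximum.` so that library callers do not assume a stricter freshness check than the one applied.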
@@ -173,7 +182,10 @@
 
 // DefaultOptions is the recommended default configuration for a new Scanner.
 // These options are suitable for most use scanning cases.
-var DefaultOptions = Options{}
+var DefaultOptions = Options{
+       // TODO(hectorj2f): This is a temporary change to 120h, ideally we 
recommend to set that maximum built age to 48h.
+       MaxAllowedBuildAge: 120 * time.Hour,
+}
 
 // NewScanner initializes the grype DB for reuse across multiple scans.
 func NewScanner(opts Options) (*Scanner, error) {
@@ -182,11 +194,16 @@
                dbDestDir = DefaultGrypeDBDir
        }
 
+       maxAllowedBuildAge := opts.MaxAllowedBuildAge
+       if maxAllowedBuildAge == 0 {
+               maxAllowedBuildAge = 120 * time.Hour
+       }
+
        installCfg := installation.Config{
                DBRootDir:               dbDestDir,
                ValidateChecksum:        true,
                ValidateAge:             !opts.DisableDatabaseAgeValidation,
-               MaxAllowedBuiltAge:      48 * time.Hour,
+               MaxAllowedBuiltAge:      maxAllowedBuildAge,
                UpdateCheckMaxFrequency: 1 * time.Hour,
        }
 
@@ -230,6 +247,14 @@
                return nil, fmt.Errorf("failed to load vulnerability database: 
%w", err)
        }
 
+       // built time is defined in UTC,
+       // we should compare it against UTC
+       now := time.Now().UTC()
+       age := now.Sub(dbStatus.Built)
+       if age > maxRecommendedBuildAge {
+               fmt.Fprintf(os.Stdout, "WARNING: the vulnerability database was 
built %s ago (max allowed age is %s but the recommended value is %s)\n", 
durafmt.ParseShort(age), durafmt.ParseShort(maxAllowedBuildAge), 
durafmt.ParseShort(maxRecommendedBuildAge))
+       }
+
        if checksum == "" {
                metadata, err := v6.ReadImportMetadata(afero.NewOsFs(), 
filepath.Dir(dbStatus.Path))
                if err != nil {
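Review bot: The staleness warning is written with `fmt.Fprintf(os.Stdout, ...)`, which puts free text on the same stream as the scan results. The `scan` command documents `--output json`, so a database older than `maxRecommendedBuildAge` would prepend a `WARNING:` line to output that consumers parse. I would send it to `os.Stderr` or to the logger this package already imports. Because this is library code, a caller may also prefer to receive the age as data instead of a print side effect. `time.Now().UTC()` is not needed for the subtraction, as `Sub` compares instants regardless of location. The enclosing function starts and ends outside this hunk.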

++++++ wolfictl.obsinfo ++++++
--- /var/tmp/diff_new_pack.2TVUea/_old  2025-07-15 16:46:43.306734602 +0200
+++ /var/tmp/diff_new_pack.2TVUea/_new  2025-07-15 16:46:43.310734767 +0200
@@ -1,5 +1,5 @@
 name: wolfictl
-version: 0.38.0
-mtime: 1751958434
-commit: e3eb49c76dc1f3a60090af4fdd51d22488c2f90f
+version: 0.38.2
+mtime: 1752521003
+commit: ed371971dc2ab60e6f4e7d792da9e7d8d90ea3b5
 
