Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package trivy for openSUSE:Factory checked in at 2025-11-10 19:21:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/trivy (Old)
 and      /work/SRC/openSUSE:Factory/.trivy.new.1980 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "trivy" Mon Nov 10 19:21:00 2025 rev:82 rq:1316946 version:0.67.2 Changes: -------- --- /work/SRC/openSUSE:Factory/trivy/trivy.changes 2025-09-10 20:23:08.779506216 +0200 +++ /work/SRC/openSUSE:Factory/.trivy.new.1980/trivy.changes 2025-11-10 19:21:12.142063448 +0100 
@@ -1,0 +2,55 @@ +Mon Nov 10 14:05:45 UTC 2025 - Dirk Müller <[email protected]> + +- Update to version 0.67.2 (bsc#1250625, CVE-2025-11065, + bsc#1248897, CVE-2025-58058): + * release: v0.67.2 [release/v0.67] (#9639) + * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638) + * release: v0.67.1 [release/v0.67] (#9614) + * fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631) + * fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629) + * fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport: release/v0.67] (#9615) + * fix(vex): don't use reused BOM [backport: release/v0.67] (#9612) + * release: v0.67.0 [main] (#9432) + * fix(vex): don't suppress vulns for packages with infinity loop (#9465) + * fix(aws): use `BuildableClient` insead of `xhttp.Client` (#9436) + * refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and testing/fstest (#9282) + * docs: clarify inline ignore limitations for resource-less checks (#9537) + * fix(k8s): disable parallel traversal with fs cache for k8s images (#9534) + * fix(misconf): handle tofu files in module detection (#9486) + * feat(seal): add seal support (#9370) + * docs: fix modules path and update code example (#9539) + * fix: close file descriptors and pipes on error paths (#9536) + * feat: add documentation URL for database lock errors (#9531) + * fix(db): Dowload database when missing but metadata still exists (#9393) + * feat(cloudformation): support default values and list results in Fn::FindInMap (#9515) + * fix(misconf): unmark cty values before access (#9495) + * feat(cli): change --list-all-pkgs default to true (#9510) + * fix(nodejs): parse workspaces as objects for package-lock.json files (#9518) + * refactor(fs): use underlyingPath to determine virtual files more reliably (#9302) + * refactor: remove google/wire dependency and implement manual DI (#9509) + * 
chore(deps): bump the aws group with 6 updates (#9481) + * chore(deps): bump the common group across 1 directory with 24 updates (#9507) + * fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9497) + * docs: move info about `detection priority` into coverage section (#9469) + * feat(sbom): added support for CoreOS (#9448) + * fix(misconf): strip build metadata suffixes from image history (#9498) + * feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439) + * docs: Fix typo in terraform docs (#9492) + * feat(redhat): add os-release detection for RHEL-based images (#9458) + * ci(deps): add 3-day cooldown period for Dependabot updates (#9475) + * refactor: migrate from go-json-experiment to encoding/json/v2 (#9422) + * fix(vuln): compare `nuget` package names in lower case (#9456) + * chore: Update release flow to include chocolatey (#9460) + * docs: document eol supportability (#9434) + * docs(report): add nuanses about secret/license scanner in summary table (#9442) + * ci: use environment variables in GitHub Actions for improved security (#9433) + * chore: bump Go to 1.24.7 (#9435) + * fix(nodejs): use snapshot string as `Package.ID` for pnpm packages (#9330) + * ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0 (#9425) + +------------------------------------------------------------------- +Mon Nov 10 10:32:06 UTC 2025 - Christopher Hofmann <[email protected]> + +- Fix version number shown for 'trivy -v' + +------------------------------------------------------------------- Old: ---- trivy-0.66.0.tar.zst New: ---- trivy-0.67.2.tar.zst ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ trivy.spec ++++++ --- /var/tmp/diff_new_pack.UMraiB/_old 2025-11-10 19:21:15.050185541 +0100 +++ /var/tmp/diff_new_pack.UMraiB/_new 2025-11-10 19:21:15.054185709 +0100 
@@ -1,7 +1,7 @@ # # spec file for package trivy # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: trivy -Version: 0.66.0 +Version: 0.67.2 Release: 0 Summary: A Simple and Comprehensive Vulnerability Scanner for Containers License: Apache-2.0 @@ -27,7 +27,7 @@ Source1: vendor.tar.zst BuildRequires: golang-packaging BuildRequires: zstd -BuildRequires: golang(API) = 1.24 +BuildRequires: golang(API) = 1.25 Requires: ca-certificates Requires: git-core @@ -46,7 +46,8 @@ %build export CGO_ENABLED=1 -go build -o trivy -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X=main.version=%{version}" cmd/trivy/main.go +export GOEXPERIMENT=jsonv2 +go build -o trivy -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/aquasecurity/trivy/pkg/version/app.ver=%{version}" cmd/trivy/main.go %install install -D -m 755 trivy %{buildroot}/%{_bindir}/%{name} ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.UMraiB/_old 2025-11-10 19:21:15.098187557 +0100 +++ /var/tmp/diff_new_pack.UMraiB/_new 2025-11-10 19:21:15.114188228 +0100 @@ -1,5 +1,5 @@ -mtime: 1757001936 -commit: 265147e787726a9af4061aae06ecc1932ff61a77bf7bda5c72ee86d1fd0da131 +mtime: 1762785671 +commit: 164877c6629cb2e90213000c34f05c349a050b059b858659c8e8dc8c72e8c662 url: https://src.opensuse.org/dirkmueller/trivy.git revision: factory ++++++ _service ++++++ --- /var/tmp/diff_new_pack.UMraiB/_old 2025-11-10 19:21:15.134189068 +0100 +++ /var/tmp/diff_new_pack.UMraiB/_new 2025-11-10 19:21:15.138189236 +0100 
@@ -2,7 +2,7 @@ <service name="tar_scm" mode="manual"> <param name="url">https://github.com/aquasecurity/trivy</param> <param name="scm">git</param> - <param name="revision">v0.66.0</param> + <param name="revision">v0.67.2</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.UMraiB/_old 2025-11-10 19:21:15.162190244 +0100 +++ /var/tmp/diff_new_pack.UMraiB/_new 2025-11-10 19:21:15.182191084 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/aquasecurity/trivy</param> - <param name="changesrevision">7bcb181268893fdd69ef4582588c040bb1036c33</param></service></servicedata> + <param name="changesrevision">60c57ad5ad7f270cecb51dff2dbf4d680114f6f8</param></service></servicedata> (No newline at EOF) ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2025-11-10 15:41:24.000000000 +0100 @@ -0,0 +1 @@ +.osc ++++++ trivy-0.66.0.tar.zst -> trivy-0.67.2.tar.zst ++++++ /work/SRC/openSUSE:Factory/trivy/trivy-0.66.0.tar.zst /work/SRC/openSUSE:Factory/.trivy.new.1980/trivy-0.67.2.tar.zst differ: char 7, line 1 ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/trivy/vendor.tar.zst /work/SRC/openSUSE:Factory/.trivy.new.1980/vendor.tar.zst differ: char 7, line 1
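Review bot: In the trivy.changes hunk, the header of the new entry cites bsc#1250625 / CVE-2025-11065 and bsc#1248897 / CVE-2025-58058, but none of the upstream items listed under it names either CVE or the component it affects. Add a line per CVE saying which listed item resolves it (one of the `chore(deps)` bumps, if that is where the fix comes from) and which module is involved, so the fix can be traced without unpacking and diffing vendor.tar.zst, which this mail only reports as "differ: char 7, line 1".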
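Review bot: In trivy.spec (hunk at line 27), `BuildRequires: golang(API) = 1.25` moves the toolchain by a minor release with no explanation, while the only Go toolchain item in the changelog is `chore: bump Go to 1.24.7 (#9435)`. The reason appears to be the `export GOEXPERIMENT=jsonv2` added in %build together with the upstream item `refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)`. Say so in a spec comment next to the BuildRequires line, so the exact `=` pin and the experiment flag are revisited together when the Go version changes again.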
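Review bot: In trivy.spec (%build hunk at line 46), nothing checks that the new `-X github.com/aquasecurity/trivy/pkg/version/app.ver=%{version}` actually takes effect. The Go linker does not report an `-X` that names a variable which does not exist, which is consistent with the old `-X=main.version=%{version}` going unnoticed until the separate changelog entry "Fix version number shown for 'trivy -v'". Add a %check step that runs the built binary with `-v` and fails if the output does not contain %{version}, so the next upstream move of that variable breaks the build instead of shipping a binary that reports the wrong version to anyone auditing installed scanner versions.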
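Review bot: In _service, `<param name="revision">v0.67.2</param>` tracks a tag name, which upstream can move, and with `mode="manual"` the tarball is whatever that tag resolved to when the service was last run by hand. The `changesrevision` in _servicedata is the only upstream commit recorded in this change. Confirm that v0.67.2 resolves to that commit, or put the commit hash in `revision` and let `versionformat` `@PARENT_TAG@` keep supplying the version string.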
