Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grype-db for openSUSE:Factory checked in at 2025-11-25 17:01:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grype-db (Old) and /work/SRC/openSUSE:Factory/.grype-db.new.14147 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grype-db" Tue Nov 25 17:01:27 2025 rev:23 rq:1319997 version:0.47.0 Changes: -------- --- /work/SRC/openSUSE:Factory/grype-db/grype-db.changes 2025-11-20 14:49:59.757408975 +0100 +++ /work/SRC/openSUSE:Factory/.grype-db.new.14147/grype-db.changes 2025-11-25 17:01:39.104154960 +0100 @@ -1,0 +2,11 @@ +Tue Nov 25 12:40:09 UTC 2025 - Johannes Kastl <[email protected]> + +- Update to version 0.47.0: + * Added Features + - Sort CVSS severities by version when there is a tie [#750 + @wagoodman] + * Bug Fixes + - increase max compression single file size to 25 GB [#758 + @westonsteimel] + +------------------------------------------------------------------- Old: ---- grype-db-0.46.2.obscpio New: ---- grype-db-0.47.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grype-db.spec ++++++ --- /var/tmp/diff_new_pack.XW0h2L/_old 2025-11-25 17:01:40.560216058 +0100 +++ /var/tmp/diff_new_pack.XW0h2L/_new 2025-11-25 17:01:40.564216226 +0100 @@ -17,7 +17,7 @@ Name: grype-db -Version: 0.46.2 +Version: 0.47.0 Release: 0 Summary: A vulnerability scanner for container images and filesystems License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.XW0h2L/_old 2025-11-25 17:01:40.628218912 +0100 +++ /var/tmp/diff_new_pack.XW0h2L/_new 2025-11-25 17:01:40.632219080 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/anchore/grype-db</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.46.2</param> + <param name="revision">v0.47.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.XW0h2L/_old 2025-11-25 17:01:40.668220590 +0100 +++ /var/tmp/diff_new_pack.XW0h2L/_new 2025-11-25 17:01:40.672220758 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/grype-db</param> - <param name="changesrevision">f5a813ae273cd2f50017b9041eea5f5ec70d399a</param></service></servicedata> + <param name="changesrevision">ce01830a81197b882445c351dbdbc36f50506215</param></service></servicedata> (No newline at EOF) ++++++ grype-db-0.46.2.obscpio -> grype-db-0.47.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.46.2/cmd/grype-db/cli/commands/cache_restore.go new/grype-db-0.47.0/cmd/grype-db/cli/commands/cache_restore.go --- old/grype-db-0.46.2/cmd/grype-db/cli/commands/cache_restore.go 2025-11-18 19:21:34.000000000 +0100 +++ new/grype-db-0.47.0/cmd/grype-db/cli/commands/cache_restore.go 2025-11-25 10:56:18.000000000 +0100 @@ -366,7 +366,7 @@ gb ) -const perFileReadLimit = 10 * gb +const perFileReadLimit = 25 * gb // safeCopy limits the copy from the reader. This is useful when extracting files from archives to // protect against decompression bomb attacks. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.46.2/go.mod new/grype-db-0.47.0/go.mod --- old/grype-db-0.46.2/go.mod 2025-11-18 19:21:34.000000000 +0100 +++ new/grype-db-0.47.0/go.mod 2025-11-25 10:56:18.000000000 +0100 @@ -8,7 +8,7 @@ github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d github.com/adrg/xdg v0.5.3 github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 - github.com/anchore/grype v0.104.0 + github.com/anchore/grype v0.104.1 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 github.com/anchore/syft v1.38.0 github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de 
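Review bot: The raised constant `const perFileReadLimit = 25 * gb` records neither why 10 GB stopped being enough nor what the bound protects, so the next person asked to raise it again has only the changelog line ("increase max compression single file size to 25 GB [#758]") to go on. Because the doc comment two lines below says the limit exists to defend against decompression-bomb archives, the trade-off belongs on the constant itself, e.g. `// perFileReadLimit caps the bytes safeCopy extracts for one archive entry; raised 10 GB -> 25 GB in #758 to fit the largest legitimate DB entry (size: TODO record)`. If safeCopy enforces only this absolute byte cap (its body is outside the hunk), the restore path now tolerates 2.5x more output per entry from a hostile archive, which is worth stating wherever operators size the restore target's disk.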
@@ -76,7 +76,6 @@
 github.com/STARRY-S/zip v0.2.3 // indirect
 github.com/acobaugh/osrelease v0.1.0 // indirect
 github.com/agext/levenshtein v1.2.3 // indirect
- github.com/anchore/archiver/v3 v3.5.3-0.20241210171143-5b1d8d1c7c51 // indirect
 github.com/anchore/clio v0.0.0-20250715152405-a0fa658e5084 // indirect
 github.com/anchore/fangs v0.0.0-20250716230140-94c22408c232 // indirect
 github.com/anchore/go-collections v0.0.0-20251016125210-a3c352120e8c // indirect
@@ -181,7 +180,6 @@
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/gohugoio/hashstructure v0.6.0 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
- github.com/golang/snappy v1.0.0 // indirect
 github.com/google/go-containerregistry v0.20.6 // indirect
 github.com/google/licensecheck v0.3.1 // indirect
 github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5 // indirect
@@ -231,7 +229,6 @@
 github.com/muesli/termenv v0.16.0 // indirect
 github.com/ncruces/go-strftime v0.1.9 // indirect
 github.com/nix-community/go-nix v0.0.0-20250101154619-4bdde671e0a1 // indirect
- github.com/nwaples/rardecode v1.1.3 // indirect
 github.com/nwaples/rardecode/v2 v2.2.0 // indirect
 github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
 github.com/olekukonko/errors v1.1.0 // indirect
@@ -296,7 +293,7 @@
 go.opentelemetry.io/otel/trace v1.37.0 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
 go4.org v0.0.0-20230225012048-214862532bf5 // indirect
- golang.org/x/crypto v0.44.0 // indirect
+ golang.org/x/crypto v0.45.0 // indirect
 golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect
 golang.org/x/mod v0.30.0 // indirect
 golang.org/x/net v0.47.0 // indirect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.46.2/go.sum new/grype-db-0.47.0/go.sum
--- old/grype-db-0.46.2/go.sum 2025-11-18 19:21:34.000000000 +0100
+++ new/grype-db-0.47.0/go.sum 2025-11-25 10:56:18.000000000 +0100
@@ -130,8 +130,6 @@
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/anchore/archiver/v3 v3.5.3-0.20241210171143-5b1d8d1c7c51 h1:yhk+P8lF3ZiROjmaVRao9WGTRo4b/wYjoKEiAHWrKwc=
-github.com/anchore/archiver/v3 v3.5.3-0.20241210171143-5b1d8d1c7c51/go.mod h1:nwuGSd7aZp0rtYt79YggCGafz1RYsclE7pi3fhLwvuw=
 github.com/anchore/clio v0.0.0-20250715152405-a0fa658e5084 h1:7DUAXEdAxoANPlDgxYiaSRKnWnTygvdrrWhnmvEjNLg=
 github.com/anchore/clio v0.0.0-20250715152405-a0fa658e5084/go.mod h1:42dWox8z4//b898OIELsQnSdYq9q1aCXkwp5fKF+BEU=
 github.com/anchore/fangs v0.0.0-20250716230140-94c22408c232 h1:aVC6r9h5wGNh8BYTW3CXxOdPoZzY/bBRWne1NvSTlO8=
@@ -157,8 +155,8 @@
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE+o2gozGEBoUMpX27lsku+xrMwlmBZJtbg=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/grype v0.104.0 h1:pHaotNUt7VPTtaqzrnXX15v2YAXdEkc7lLYJsbsIFEo=
-github.com/anchore/grype v0.104.0/go.mod h1:/bDVxRQRzJPD0hbH9bG5uvq3pDG/cD2DzFW+JFX9bvY=
+github.com/anchore/grype v0.104.1 h1:tIP1pivUGpWFr1LHqkIiypSb8e40897vE4nPZk+9lBg=
+github.com/anchore/grype v0.104.1/go.mod h1:1DQI9U/OL+xwmHzULVDoRRI84kstmP26IcBH1E3gSE4=
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY=
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
 github.com/anchore/stereoscope v0.1.13 h1:32GKF4+t8j0w+l6aOuEaofkPBLjlVCbsBCiVv3/+8u0=
@@ -516,8 +514,6 @@
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
-github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -801,8 +797,6 @@
 github.com/nix-community/go-nix v0.0.0-20250101154619-4bdde671e0a1/go.mod h1:qgCw4bBKZX8qMgGeEZzGFVT3notl42dBjNqO2jut0M0=
 github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249 h1:NHrXEjTNQY7P0Zfx1aMrNhpgxHmow66XQtm0aQLY0AE=
 github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249/go.mod h1:mpRZBD8SJ55OIICQ3iWH0Yz3cjzA61JdqMLoWXeB2+8=
-github.com/nwaples/rardecode v1.1.3 h1:cWCaZwfM5H7nAD6PyEdcVnczzV8i/JtotnyW/dD9lEc=
-github.com/nwaples/rardecode v1.1.3/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
 github.com/nwaples/rardecode/v2 v2.2.0 h1:4ufPGHiNe1rYJxYfehALLjup4Ls3ck42CWwjKiOqu0A=
 github.com/nwaples/rardecode/v2 v2.2.0/go.mod h1:7uz379lSxPe6j9nvzxUZ+n7mnJNgjsRNb6IbvGVHRmw=
 github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 h1:zrbMGy9YXpIeTnGj4EljqMiZsIcE09mmF8XsD5AYOJc=
@@ -1095,8 +1089,8 @@
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.46.2/pkg/provider/unmarshal/nvd/cve.go new/grype-db-0.47.0/pkg/provider/unmarshal/nvd/cve.go
--- old/grype-db-0.46.2/pkg/provider/unmarshal/nvd/cve.go 2025-11-18 19:21:34.000000000 +0100
+++ new/grype-db-0.47.0/pkg/provider/unmarshal/nvd/cve.go 2025-11-25 10:56:18.000000000 +0100
@@ -219,16 +219,19 @@
 return iEntry.Type == Secondary
 }
 
- // prefer NVD as primary source
+ // then compare by source (NVD preferred, then lexicographic)
 if iEntry.Source != jEntry.Source {
 if iEntry.Source == "[email protected]" {
 return false
- } else if jEntry.Source == "[email protected]" {
+ }
+ if jEntry.Source == "[email protected]" {
 return true
 }
+ // for non-NVD sources, use lexicographic ordering (descending for Reverse sort)
+ return iEntry.Source > jEntry.Source
 }
 
- // if types are the same, then compare by version
+ // finally, compare by version when type and source are the same (v4 > v3 > v2 > v1)
 iV := iEntry.version()
 jV := jEntry.version()
 return iV.LessThan(jV)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-db-0.46.2/pkg/provider/unmarshal/nvd/cve_test.go new/grype-db-0.47.0/pkg/provider/unmarshal/nvd/cve_test.go
--- old/grype-db-0.46.2/pkg/provider/unmarshal/nvd/cve_test.go 2025-11-18 19:21:34.000000000 +0100
+++ new/grype-db-0.47.0/pkg/provider/unmarshal/nvd/cve_test.go 2025-11-25 10:56:18.000000000 +0100
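Review bot: The three return points in this hunk read as the opposite of the order the comments promise — `return false` when i is the NVD entry and `return iEntry.Source > jEntry.Source` for "NVD preferred, then lexicographic" — and only the inline comment on the lexicographic branch hints that the caller is expected to wrap this in sort.Reverse; a reader of the NVD branch alone has no way to tell. Suggest stating the contract once at the top of the function (its header is outside the hunk): `// Less is written for use under sort.Reverse: returning false for (i, j) places i before j in the final order.` The NVD source string literal is also repeated in both comparisons; hoisting it to a package-level constant (`const nvdSource = ...` with the existing literal) keeps the two checks from drifting apart.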
@@ -16,29 +16,29 @@
 {
 name: "primary types sorted by version descending",
 input: CvssSummaries{
- {Type: Primary, Version: "2.0", Source: "A"},
- {Type: Primary, Version: "3.1", Source: "B"},
- {Type: Primary, Version: "3.0", Source: "C"},
- {Type: Primary, Version: "4.0", Source: "D"},
+ {Type: Primary, Version: "2.0", Source: "same-source"},
+ {Type: Primary, Version: "3.1", Source: "same-source"},
+ {Type: Primary, Version: "3.0", Source: "same-source"},
+ {Type: Primary, Version: "4.0", Source: "same-source"},
 },
 expected: CvssSummaries{
- {Type: Primary, Version: "4.0", Source: "D"},
- {Type: Primary, Version: "3.1", Source: "B"},
- {Type: Primary, Version: "3.0", Source: "C"},
- {Type: Primary, Version: "2.0", Source: "A"},
+ {Type: Primary, Version: "4.0", Source: "same-source"},
+ {Type: Primary, Version: "3.1", Source: "same-source"},
+ {Type: Primary, Version: "3.0", Source: "same-source"},
+ {Type: Primary, Version: "2.0", Source: "same-source"},
 },
 },
 {
 name: "secondary types sorted by version descending",
 input: CvssSummaries{
- {Type: Secondary, Version: "2.0", Source: "D"},
- {Type: Secondary, Version: "3.1", Source: "E"},
- {Type: Secondary, Version: "3.0", Source: "F"},
+ {Type: Secondary, Version: "2.0", Source: "same-source"},
+ {Type: Secondary, Version: "3.1", Source: "same-source"},
+ {Type: Secondary, Version: "3.0", Source: "same-source"},
 },
 expected: CvssSummaries{
- {Type: Secondary, Version: "3.1", Source: "E"},
- {Type: Secondary, Version: "3.0", Source: "F"},
- {Type: Secondary, Version: "2.0", Source: "D"},
+ {Type: Secondary, Version: "3.1", Source: "same-source"},
+ {Type: Secondary, Version: "3.0", Source: "same-source"},
+ {Type: Secondary, Version: "2.0", Source: "same-source"},
 },
 },
 {
@@ -50,8 +50,8 @@
 {Type: Primary, Version: "3.0", Source: "J"},
 },
 expected: CvssSummaries{
- {Type: Primary, Version: "3.0", Source: "J"},
 {Type: Primary, Version: "2.0", Source: "H"},
+ {Type: Primary, Version: "3.0", Source: "J"},
 {Type: Secondary, Version: "3.1", Source: "G"},
 {Type: Secondary, Version: "2.0", Source: "I"},
 },
@@ -68,11 +68,11 @@
 },
 expected: CvssSummaries{
 {Type: Primary, Version: "3.1", Source: "L"},
- {Type: Primary, Version: "3.0", Source: "O"},
 {Type: Primary, Version: "2.0", Source: "M"},
+ {Type: Primary, Version: "3.0", Source: "O"},
 {Type: Secondary, Version: "3.1", Source: "K"},
- {Type: Secondary, Version: "3.0", Source: "P"},
 {Type: Secondary, Version: "2.0", Source: "N"},
+ {Type: Secondary, Version: "3.0", Source: "P"},
 },
 },
 {
@@ -141,8 +141,23 @@
 {Type: Primary, Version: "3.0", Source: "R"},
 },
 expected: CvssSummaries{
+ {Type: Primary, Version: "invalid", Source: "Q"}, // sorted by source (Q < R)
 {Type: Primary, Version: "3.0", Source: "R"},
- {Type: Primary, Version: "invalid", Source: "Q"}, // should use default "2.0"
+ },
+ },
+ {
+ name: "source takes priority over version, then version as tiebreaker",
+ input: CvssSummaries{
+ {Type: Primary, Version: "4.0", Source: "other-source"},
+ {Type: Primary, Version: "3.0", Source: "[email protected]"},
+ {Type: Primary, Version: "2.0", Source: "[email protected]"},
+ {Type: Primary, Version: "3.0", Source: "source-a"},
+ },
+ expected: CvssSummaries{
+ {Type: Primary, Version: "3.0", Source: "[email protected]"},
+ {Type: Primary, Version: "2.0", Source: "[email protected]"},
+ {Type: Primary, Version: "4.0", Source: "other-source"},
+ {Type: Primary, Version: "3.0", Source: "source-a"},
 },
 },
 }
++++++ grype-db.obsinfo ++++++
--- /var/tmp/diff_new_pack.XW0h2L/_old 2025-11-25 17:01:54.712809921 +0100
+++ /var/tmp/diff_new_pack.XW0h2L/_new 2025-11-25 17:01:54.720810256 +0100
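Review bot: The rewritten expectation in the "invalid version" case (`// sorted by source (Q < R)`) means the invalid-version fallback no longer decides anything there — Q and R now order on source before version() is consulted — so the behaviour the removed comment `// should use default "2.0"` described has lost its only coverage. Suggest keeping this case as a source-ordering check and adding a sibling with equal sources, e.g. `{Type: Primary, Version: "invalid", Source: "same-source"}` alongside `{Type: Primary, Version: "3.0", Source: "same-source"}`, expecting the "3.0" entry first if the fallback is still "2.0" as the old comment stated, so a regression in the fallback still fails a test. The new "source takes priority" case also encodes the sort.Reverse-dependent order without saying so; a one-line comment on the table noting that expectations assume the reverse sort would make the inverted-looking `other-source` before `source-a` ordering self-explanatory.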
@@ -1,5 +1,5 @@ name: grype-db -version: 0.46.2 -mtime: 1763490094 -commit: f5a813ae273cd2f50017b9041eea5f5ec70d399a +version: 0.47.0 +mtime: 1764064578 +commit: ce01830a81197b882445c351dbdbc36f50506215 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/grype-db/vendor.tar.gz /work/SRC/openSUSE:Factory/.grype-db.new.14147/vendor.tar.gz differ: char 39, line 1
