Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package syft for openSUSE:Factory checked in at 2026-04-09 16:11:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/syft (Old) and /work/SRC/openSUSE:Factory/.syft.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "syft" Thu Apr 9 16:11:19 2026 rev:122 rq:1345477 version:1.42.4 Changes: -------- --- /work/SRC/openSUSE:Factory/syft/syft.changes 2026-03-20 21:21:51.490624731 +0100 +++ /work/SRC/openSUSE:Factory/.syft.new.21863/syft.changes 2026-04-09 16:23:37.691754494 +0200 @@ -1,0 +2,30 @@ +Thu Apr 09 08:02:56 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.42.4: + * Bug Fixes + - Similar Packages Should Be Aggregated [#1162] + - Support arangodb binary recent version [#4571 #4662 + @witchcraze] + - Support go binary various versions [#4687 #4694 @kzantow] + * Additional Changes + - update CPE dictionary index [#4745 @anchore-oss-update-bot] + - update CPE dictionary index [#4726 @anchore-oss-update-bot] + - Add a trust boundary section [#4716 @joshbressers] + * Dependencies + - chore(deps): update CPE dictionary index (#4745) + - chore(deps): update CPE dictionary index (#4726) + - chore(deps): update CPE dictionary index (#4715) + - chore(deps): update tool versions (#4706) + - chore(deps): bump slackapi/slack-github-action from 2.1.1 to + 3.0.1 (#4684) + - chore(deps): bump marocchino/sticky-pull-request-comment + (#4685) + - chore(deps): bump the go-minor-patch group with 2 updates + (#4697) + - chore(deps): bump actions/create-github-app-token from 2.2.1 + to 3.0.0 (#4699) + - chore(deps): update CPE dictionary index (#4689) + - chore(deps): ignore some dependabot deps (#4696) + - chore(deps): update tools to latest versions (#4690) + +------------------------------------------------------------------- Old: ---- syft-1.42.3.obscpio New: ---- syft-1.42.4.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ syft.spec ++++++ --- /var/tmp/diff_new_pack.B9yZ8k/_old 2026-04-09 16:23:39.291820348 +0200 +++ /var/tmp/diff_new_pack.B9yZ8k/_new 2026-04-09 16:23:39.291820348 +0200 
@@ -17,7 +17,7 @@ Name: syft -Version: 1.42.3 +Version: 1.42.4 Release: 0 Summary: CLI tool and library for generating a Software Bill of Materials License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.B9yZ8k/_old 2026-04-09 16:23:39.339822324 +0200 +++ /var/tmp/diff_new_pack.B9yZ8k/_new 2026-04-09 16:23:39.343822489 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/anchore/syft</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.42.3</param> + <param name="revision">v1.42.4</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.B9yZ8k/_old 2026-04-09 16:23:39.371823641 +0200 +++ /var/tmp/diff_new_pack.B9yZ8k/_new 2026-04-09 16:23:39.375823806 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/syft</param> - <param name="changesrevision">860126c650c2d05b63b83a3895e41268162315a3</param></service></servicedata> + <param name="changesrevision">f6189175279981a79d8d8c15669c570f15a00568</param></service></servicedata> (No newline at EOF) ++++++ syft-1.42.3.obscpio -> syft-1.42.4.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/.binny.yaml new/syft-1.42.4/.binny.yaml --- old/syft-1.42.3/.binny.yaml 2026-03-19 17:44:55.000000000 +0100 +++ new/syft-1.42.4/.binny.yaml 2026-04-08 19:06:28.000000000 +0200 
@@ -1,8 +1,13 @@ +# only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases) +cooldown: 7d + tools: + ## internal tools ############################################################################ + # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!) - name: binny version: - want: v0.12.0 + want: v0.13.0 method: github-release with: repo: anchore/binny @@ -10,7 +15,7 @@ # used to produce SBOMs during release - name: syft version: - want: latest + want: v1.42.3 method: github-release with: repo: anchore/syft @@ -23,10 +28,20 @@ with: repo: anchore/quill + # used at release to generate the changelog + - name: chronicle + version: + want: v0.8.0 + method: github-release + with: + repo: anchore/chronicle + + ## external tools ############################################################################ + # used for linting - name: golangci-lint version: - want: v2.11.3 + want: v2.11.4 method: github-release with: repo: golangci/golangci-lint @@ -58,7 +73,7 @@ # used to release all artifacts - name: goreleaser version: - want: v2.14.3 + want: v2.15.2 method: github-release with: repo: goreleaser/goreleaser @@ -71,14 +86,6 @@ with: repo: rinchsan/gosimports - # used at release to generate the changelog - - name: chronicle - version: - want: v0.8.0 - method: github-release - with: - repo: anchore/chronicle - # used during static analysis for license compliance - name: bouncer version: @@ -98,7 +105,7 @@ # used for triggering a release - name: gh version: - want: v2.88.1 + want: v2.89.0 method: github-release with: repo: cli/cli 
@@ -114,7 +121,7 @@ # used to upload test fixture cache - name: yq version: - want: v4.52.4 + want: v4.52.5 method: github-release with: repo: mikefarah/yq diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/SECURITY.md new/syft-1.42.4/SECURITY.md --- old/syft-1.42.3/SECURITY.md 2026-03-19 17:44:55.000000000 +0100 +++ new/syft-1.42.4/SECURITY.md 2026-04-08 19:06:28.000000000 +0200 
@@ -14,3 +14,23 @@ All support will be made on a best effort basis, so please indicate the "urgency level" of the vulnerability as Critical, High, Medium or Low. For more details, see our [security policy documentation](https://oss.anchore.com/docs/contributing/security/). + +## Trust Boundary + +Syft is a tool to scan content and product an SBOM. Syft is not a tool designed to scan malicious content. Detecting and properly reporting on purposely malicious artifacts is outside the scope of Syft's expected operating environment. + +There are many possible ways for malicious content to cause Syft to become confused or fail to include results in an SBOM. We do not consider this to be a security vulnerability. + +**Examples** +- Removing or altering a package lock file +- Removing or altering an RPM or DEB database +- A malicious archive that Syft will skip but the runtime may not +- Self modifying systems that change state when running + +We consider the security trust boundary for Syft to be anything that causes problems for the overall system running Syft, or Syft operating in a way that is dangerous to itself, the system, or the operator. + +**Examples** +- Filling up temp space permanently +- Syft executing arbitrary code when scanning an artifact +- Syft leaking secrets from the environment or configuration files into logs or SBOMs +- Syft operating outside of the expected artifact or directory (directory traversal) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/Taskfile.yaml new/syft-1.42.4/Taskfile.yaml --- old/syft-1.42.3/Taskfile.yaml 2026-03-19 17:44:55.000000000 +0100 +++ new/syft-1.42.4/Taskfile.yaml 2026-04-08 19:06:28.000000000 +0200 
@@ -10,7 +10,8 @@ # v1: when fixtures were located at test-fixtures dirs # v2: migration to testdata dirs - CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .PROJECT }}/test-fixture-cache:v2 + CACHE_REPO: oss-cache + CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .CACHE_REPO }}/syft-test-fixture-cache:v2 # static file dirs TOOL_DIR: .tool @@ -424,7 +425,7 @@ done oras_command+=" {{ .CACHE_PATHS_FILE }}" - oras_command+=" --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .PROJECT }}" + oras_command+=" --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .CACHE_REPO }}" oras_command+=" --annotation fingerprint=$(cat {{ .CACHE_PATHS_FILE }} | {{ .YQ }} -r '.digest')" echo "Executing: $oras_command" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/go.mod new/syft-1.42.4/go.mod --- old/syft-1.42.3/go.mod 2026-03-19 17:44:55.000000000 +0100 +++ new/syft-1.42.4/go.mod 2026-04-08 19:06:28.000000000 +0200 @@ -37,7 +37,7 @@ github.com/elliotchance/phpserialize v1.4.0 github.com/facebookincubator/nvdtools v0.1.5 github.com/github/go-spdx/v2 v2.4.0 - github.com/gkampitakis/go-snaps v0.5.20 + github.com/gkampitakis/go-snaps v0.5.21 github.com/go-git/go-billy/v5 v5.8.0 github.com/go-git/go-git/v5 v5.17.0 github.com/go-test/deep v1.1.1 @@ -88,7 +88,7 @@ golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 golang.org/x/mod v0.34.0 golang.org/x/net v0.52.0 - modernc.org/sqlite v1.46.1 + modernc.org/sqlite v1.46.2 ) require ( 
@@ -263,7 +263,7 @@ google.golang.org/protobuf v1.36.11 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.1 - modernc.org/libc v1.67.6 // indirect + modernc.org/libc v1.70.0 // indirect modernc.org/mathutil v1.7.1 // indirect modernc.org/memory v1.11.0 // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/go.sum new/syft-1.42.4/go.sum --- old/syft-1.42.3/go.sum 2026-03-19 17:44:55.000000000 +0100 +++ new/syft-1.42.4/go.sum 2026-04-08 19:06:28.000000000 +0200 @@ -414,8 +414,8 @@ github.com/github/go-spdx/v2 v2.4.0/go.mod h1:/5rwgS0txhGtRdUZwc02bTglzg6HK3FfuEbECKlK2Sg= github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= -github.com/gkampitakis/go-snaps v0.5.20 h1:FGKonEeQPJ12t7RQj6cTPa881fl5c8HYarMLv5vP7sg= -github.com/gkampitakis/go-snaps v0.5.20/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs= +github.com/gkampitakis/go-snaps v0.5.21 h1:SvhSFeZviQXwlT+dnGyAIATVehkhqRVW6qfQZhCZH+Y= +github.com/gkampitakis/go-snaps v0.5.21/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs= github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4= github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0= github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c= 
@@ -1514,18 +1514,18 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis= modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0= -modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc= -modernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM= -modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA= -modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc= +modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw= +modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0= +modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM= +modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU= modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI= modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito= -modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE= -modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY= +modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo= +modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY= modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks= modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI= -modernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI= -modernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE= +modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw= +modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo= modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU= modernc.org/mathutil v1.7.1/go.mod 
h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg= modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI= @@ -1534,8 +1534,8 @@ modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns= modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w= modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE= -modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU= -modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA= +modernc.org/sqlite v1.46.2 h1:gkXQ6R0+AjxFC/fTDaeIVLbNLNrRoOK7YYVz5BKhTcE= +modernc.org/sqlite v1.46.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig= modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/syft/pkg/cataloger/binary/classifier_cataloger_test.go new/syft-1.42.4/syft/pkg/cataloger/binary/classifier_cataloger_test.go --- old/syft-1.42.3/syft/pkg/cataloger/binary/classifier_cataloger_test.go 2026-03-19 17:44:55.000000000 +0100 +++ new/syft-1.42.4/syft/pkg/cataloger/binary/classifier_cataloger_test.go 2026-04-08 19:06:28.000000000 +0200 
@@ -62,6 +62,28 @@
 },
 },
 {
+ logicalFixture: "arangodb/3.12.5/linux-amd64",
+ expected: pkg.Package{
+ Name: "arangodb",
+ Version: "3.12.5",
+ Type: "binary",
+ PURL: "pkg:generic/[email protected]",
+ Locations: locations("arangosh"),
+ Metadata: metadata("arangodb-binary"),
+ },
+ },
+ {
+ logicalFixture: "arangodb/3.12.5-2/linux-amd64",
+ expected: pkg.Package{
+ Name: "arangodb",
+ Version: "3.12.5-2",
+ Type: "binary",
+ PURL: "pkg:generic/[email protected]",
+ Locations: locations("arangosh"),
+ Metadata: metadata("arangodb-binary"),
+ },
+ },
+ {
 logicalFixture: "postgres/15beta4/linux-amd64",
 expected: pkg.Package{
 Name: "postgresql",
@@ -727,6 +749,16 @@
 {
 // TODO: find original binary...
 // note: cannot find the original binary, using a custom snippet based on the original snippet in the repo
+ logicalFixture: "go-version-hint/1.15-dev/any",
+ expected: pkg.Package{
+ Name: "go",
+ Version: "1.15",
+ PURL: "pkg:generic/[email protected]",
+ Locations: locations("bin/go", "VERSION"),
+ Metadata: metadata("go-binary"),
+ },
+ },
+ {
 logicalFixture: "go-version-hint/1.15/any",
 expected: pkg.Package{
 Name: "go",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/syft/pkg/cataloger/binary/classifiers.go new/syft-1.42.4/syft/pkg/cataloger/binary/classifiers.go
--- old/syft-1.42.3/syft/pkg/cataloger/binary/classifiers.go 2026-03-19 17:44:55.000000000 +0100
+++ new/syft-1.42.4/syft/pkg/cataloger/binary/classifiers.go 2026-04-08 19:06:28.000000000 +0200
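Review bot: The new `go-version-hint/1.15-dev/any` case in the second hunk is inserted directly under the existing `// TODO: find original binary...` and `// note: cannot find the original binary...` comments, so those comments now describe the new case and the `1.15/any` case that follows has lost them. The fixture name also suggests a `-dev` suffix, while the expected version is `1.15` and the VERSION fixture added later in this commit holds `go1.15 Fri 2003`. A comment on the new case such as `// VERSION has trailing text after the version; only the version itself may be captured`, plus the original TODO restored on the `1.15/any` case, would make the intent of both readable. Neither case checks that a partial token such as `go1.15.x` in a VERSION file is rejected, which is the behaviour the loosened matcher in classifiers.go changes. The enclosing test table starts and ends outside the hunk.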
@@ -76,10 +76,10 @@
 `(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+)?)\x00`),
 binutils.SupportingEvidenceMatcher("VERSION*",
 m.FileContentsVersionMatcher(
- `(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)\s`)),
+ `(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)`)),
 binutils.SupportingEvidenceMatcher("../VERSION*",
 m.FileContentsVersionMatcher(
- `(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)\s`)),
+ `(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)`)),
 ),
 Package: "go",
 PURL: mustPURL("pkg:generic/go@version"),
@@ -232,7 +232,7 @@
 Class: "arangodb-binary",
 FileGlob: "**/arangosh",
 EvidenceMatcher: m.FileContentsVersionMatcher(
- `(?m)\x00*(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?)\s\[linux\]`),
+ `(?m)\x00*(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?)\s(enterprise\s)?\[linux\]`),
 Package: "arangodb",
 PURL: mustPURL("pkg:generic/arangodb@version"),
 CPEs: singleCPE("cpe:2.3:a:arangodb:arangodb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/capture-snippet.sh new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/capture-snippet.sh
--- old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/capture-snippet.sh 2026-03-19 17:44:55.000000000 +0100
+++ new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/capture-snippet.sh 2026-04-08 19:06:28.000000000 +0200
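Review bot: Dropping the trailing `\s` from the `VERSION*` and `../VERSION*` matchers in the first hunk leaves the version capture with no terminator, so a match can now stop in the middle of a token: going by the pattern alone, `go1.15.x` or `go1.15beta` would be reported as `1.15` (the body of FileContentsVersionMatcher is not visible here, so this is inferred). For an SBOM that feeds vulnerability matching, a silently truncated version is harder to notice than a missing package. Ending both patterns with `(?:\s|$)` instead of nothing, i.e. `...|-[_0-9a-z]+)?)(?:\s|$)`, would still accept a VERSION file that has no trailing newline while rejecting partial tokens. The leading `go` was already unanchored before this change, so a `\b` in front of it would also keep strings such as `cargo1.2` in any `VERSION*` file from qualifying. The classifier definition these lines belong to starts and ends outside the hunk.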
@@ -151,4 +151,4 @@
 done
-go run ./manager write-snippet "$BINARY_FILE" --offset "$OFFSET" --length "$LENGTH" --name "$GROUP_NAME" --version "$VERSION"
+go run ../internal/manager write-snippet "$BINARY_FILE" --offset "$OFFSET" --length "$LENGTH" --name "$GROUP_NAME" --version "$VERSION"
Binary files old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/classifiers/snippets/arangodb/3.12.5/linux-amd64/arangosh and new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/classifiers/snippets/arangodb/3.12.5/linux-amd64/arangosh differ
Binary files old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/classifiers/snippets/arangodb/3.12.5-2/linux-amd64/arangosh and new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/classifiers/snippets/arangodb/3.12.5-2/linux-amd64/arangosh differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15/any/VERSION new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15/any/VERSION
--- old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15/any/VERSION 2026-03-19 17:44:55.000000000 +0100
+++ new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15/any/VERSION 2026-04-08 19:06:28.000000000 +0200
@@ -1 +1 @@
-go1.15 Fri 2003
\ No newline at end of file
+go1.15
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/VERSION new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/VERSION
--- old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/VERSION 1970-01-01 01:00:00.000000000 +0100
+++ new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/VERSION 2026-04-08 19:06:28.000000000 +0200
@@ -0,0 +1 @@
+go1.15 Fri 2003
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/bin/go new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/bin/go
--- old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/bin/go 1970-01-01 01:00:00.000000000 +0100
+++ new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/bin/go 2026-04-08 19:06:28.000000000 +0200
@@ -0,0 +1 @@
+no version in this binary
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/config.yaml new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/config.yaml
--- old/syft-1.42.3/syft/pkg/cataloger/binary/testdata/config.yaml 2026-03-19 17:44:55.000000000 +0100
+++ new/syft-1.42.4/syft/pkg/cataloger/binary/testdata/config.yaml 2026-04-08 19:06:28.000000000 +0200
@@ -458,6 +458,20 @@ platform: linux/amd64 paths: - /usr/bin/arangosh + - name: arangodb + version: 3.12.5 + images: + - ref: arangodb:3.12.5@sha256:1f9278fe17b200cf3aea2c7bd7fd571221b5b41a49b835a397c47eb970c952d6 + platform: linux/amd64 + paths: + - /usr/bin/arangosh + - name: arangodb + version: 3.12.5-2 + images: + - ref: arangodb:3.12.5.2@sha256:5b0d1d2911ea864ea61d7e2357789004fe912606f5980cf481739601d7cb17a1 + platform: linux/amd64 + paths: + - /usr/bin/arangosh - version: 15.1 images: - ref: postgres:15.1@sha256:b4140dd3a62f364f16a82c1bd88d28b9887ecb47f07dbe2941237d073574d428 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json new/syft-1.42.4/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json --- old/syft-1.42.3/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json 2026-03-19 17:44:55.000000000 +0100 +++ new/syft-1.42.4/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json 2026-04-08 19:06:28.000000000 +0200 @@ -22,6 +22,9 @@ "github.com/apptainer/apptainer": [ "cpe:2.3:a:lfprojects:apptainer:*:*:*:*:*:go:*:*" ], + "github.com/aquasecurity/trivy/pkg/types": [ + "cpe:2.3:a:aquasec:trivy:*:*:*:*:*:go:*:*" + ], "github.com/argoproj/argo-workflows/v3": [ "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*" ], @@ -52,6 +55,12 @@ "github.com/ecnepsnai/web": [ "cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*" ], + "github.com/free5gc/amf": [ + "cpe:2.3:a:free5gc:amf:*:*:*:*:*:go:*:*" + ], + "github.com/free5gc/go-upf": [ + "cpe:2.3:a:free5gc:go-upf:*:*:*:*:*:go:*:*" + ], "github.com/free5gc/smf": [ "cpe:2.3:a:free5gc:smf:*:*:*:*:*:go:*:*" ], @@ -1265,6 +1274,9 @@ "literate": [ "cpe:2.3:a:jenkins:literate:*:*:*:*:*:jenkins:*:*" ], + "loadninja": [ + "cpe:2.3:a:jenkins:loadninja:*:*:*:*:*:jenkins:*:*" + ], "lockable-resources": [ "cpe:2.3:a:jenkins:lockable_resources:*:*:*:*:*:jenkins:*:*" ], 
@@ -2314,6 +2326,9 @@ "@ckeditor/ckeditor5-widget": [ "cpe:2.3:a:ckeditor:ckeditor5-widget:*:*:*:*:*:node.js:*:*" ], + "@coding-solo/godot-mcp": [ + "cpe:2.3:a:coding-solo:godot_mcp:*:*:*:*:*:*:*:*" + ], "@cookiex/deep": [ "cpe:2.3:a:cookiex-deep_project:cookiex-deep:*:*:*:*:*:node.js:*:*" ], @@ -2477,6 +2492,12 @@ "@thi.ng/egf": [ "cpe:2.3:a:\\@thi.ng\\/egf_project:\\@thi.ng\\/egf:*:*:*:*:*:node.js:*:*" ], + "@tinacms/cli": [ + "cpe:2.3:a:ssw:tinacms\\/cli:*:*:*:*:*:node.js:*:*" + ], + "@tinacms/graphql": [ + "cpe:2.3:a:ssw:tinacms\\/graphql:*:*:*:*:*:node.js:*:*" + ], "@tiptap/extension-link": [ "cpe:2.3:a:tiptap:tiptap\\/extension-link:*:*:*:*:*:node.js:*:*" ], @@ -3076,6 +3097,9 @@ "defaults-deep": [ "cpe:2.3:a:defaults-deep_project:defaults-deep:*:*:*:*:*:node.js:*:*" ], + "defuddle": [ + "cpe:2.3:a:kepano:defuddle:*:*:*:*:*:node.js:*:*" + ], "desafio": [ "cpe:2.3:a:desafio_project:desafio:*:*:*:*:*:node.js:*:*" ], @@ -3279,6 +3303,9 @@ "express-openid-connect": [ "cpe:2.3:a:auth0:express_openid_connect:*:*:*:*:*:node.js:*:*" ], + "express-rate-limit": [ + "cpe:2.3:a:express-rate-limit:express-rate-limit:*:*:*:*:*:node.js:*:*" + ], "express-restify-mongoose": [ "cpe:2.3:a:express-restify-mongoose_project:express-restify-mongoose:*:*:*:*:*:node.js:*:*" ], @@ -3361,7 +3388,7 @@ "cpe:2.3:a:fibjs_project:fibjs:*:*:*:*:*:node.js:*:*" ], "file-type": [ - "cpe:2.3:a:file-type_project:file-type:*:*:*:*:*:node.js:*:*" + "cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*" ], "file-upload-with-preview": [ "cpe:2.3:a:johndatserakis:file-upload-with-preview:*:*:*:*:*:node.js:*:*" @@ -3611,6 +3638,9 @@ "hapi-auth-jwt2": [ "cpe:2.3:a:hapi-auth-jwt2_project:hapi-auth-jwt2:*:*:*:*:*:node.js:*:*" ], + "happy-dom": [ + "cpe:2.3:a:capricorn86:happy_dom:*:*:*:*:*:nodejs:*:*" + ], "harp": [ "cpe:2.3:a:npmjs:harp:*:*:*:*:*:*:*:*" ], 
@@ -4018,6 +4048,9 @@ "koa-remove-trailing-slashes": [ "cpe:2.3:a:koa-remove-trailing-slashes_project:koa-remove-trailing-slashes:*:*:*:*:*:node.js:*:*" ], + "kysely": [ + "cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*" + ], "lab6.brit95": [ "cpe:2.3:a:lab6.brit95_project:lab6.brit95:*:*:*:*:*:node.js:*:*" ], @@ -4157,6 +4190,9 @@ "madlib-object-utils": [ "cpe:2.3:a:springtree:madlib-object-utils:*:*:*:*:*:node.js:*:*" ], + "mailparser": [ + "cpe:2.3:a:nodemailer:mailparser:*:*:*:*:*:node.js:*:*" + ], "makerjs": [ "cpe:2.3:a:microsoft:maker.js:*:*:*:*:*:node.js:*:*" ], @@ -4398,7 +4434,8 @@ "cpe:2.3:a:mystem3_project:mystem3:*:*:*:*:*:node.js:*:*" ], "n8n": [ - "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*" + "cpe:2.3:a:n8n:n8n:*:*:*:*:community:node.js:*:*", + "cpe:2.3:a:n8n:n8n:*:*:*:*:enterprise:node.js:*:*" ], "nanoid": [ "cpe:2.3:a:nanoid_project:nanoid:*:*:*:*:*:node.js:*:*" @@ -4657,6 +4694,9 @@ "nuxt-api-party": [ "cpe:2.3:a:johannschopplich:nuxt_api_party:*:*:*:*:*:node.js:*:*" ], + "nuxt-og-image": [ + "cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*" + ], "nw": [ "cpe:2.3:a:nwjs:nw:*:*:*:*:*:node.js:*:*" ], @@ -5317,6 +5357,9 @@ "sly07": [ "cpe:2.3:a:sly07_project:sly07:*:*:*:*:*:node.js:*:*" ], + "sm-crypto": [ + "cpe:2.3:a:juneandgreen:sm-crypto:*:*:*:*:*:node.js:*:*" + ], "smb": [ "cpe:2.3:a:smb_project:smb:*:*:*:*:*:node.js:*:*" ], @@ -5356,6 +5399,9 @@ "squirrelly": [ "cpe:2.3:a:squirrelly:squirrelly:*:*:*:*:*:node.js:*:*" ], + "srvx": [ + "cpe:2.3:a:h3:srvx:*:*:*:*:*:node.js:*:*" + ], "ssh2": [ "cpe:2.3:a:ssh2_project:ssh2:*:*:*:*:*:node.js:*:*" ], @@ -5476,6 +5522,9 @@ "terminal-kit": [ "cpe:2.3:a:terminal-kit_project:terminal-kit:*:*:*:*:*:node.js:*:*" ], + "terriajs-server": [ + "cpe:2.3:a:terria:terriajs-server:*:*:*:*:*:node.js:*:*" + ], "terser": [ "cpe:2.3:a:terser:terser:*:*:*:*:*:node.js:*:*" ], 
@@ -5491,6 +5540,9 @@ "timespan": [ "cpe:2.3:a:timespan_project:timespan:*:*:*:*:*:node.js:*:*" ], + "tinacms": [ + "cpe:2.3:a:ssw:tinacms:*:*:*:*:*:node.js:*:*" + ], "tiny-conf": [ "cpe:2.3:a:tiny-conf_project:tiny-conf:*:*:*:*:*:node.js:*:*" ], @@ -5599,6 +5651,9 @@ "ungit": [ "cpe:2.3:a:ungit_project:ungit:*:*:*:*:*:node.js:*:*" ], + "unhead": [ + "cpe:2.3:a:unjs:unhead:*:*:*:*:*:node.js:*:*" + ], "unicode": [ "cpe:2.3:a:unicode_project:unicode:*:*:*:*:*:node.js:*:*" ], @@ -5808,6 +5863,9 @@ "y18n": [ "cpe:2.3:a:y18n_project:y18n:*:*:*:*:*:node.js:*:*" ], + "yaml": [ + "cpe:2.3:a:eemeli:yaml:*:*:*:*:*:node.js:*:*" + ], "yargs-parser": [ "cpe:2.3:a:yargs:yargs-parser:*:*:*:*:*:node.js:*:*" ], @@ -5980,6 +6038,9 @@ "b2sdk": [ "cpe:2.3:a:backblaze:b2-sdk-python:*:*:*:*:*:*:*:*" ], + "black": [ + "cpe:2.3:a:python:black:*:*:*:*:*:python:*:*" + ], "blackduck": [ "cpe:2.3:a:synopsys:hub-rest-api-python:*:*:*:*:*:*:*:*" ], @@ -6047,6 +6108,9 @@ "datapizza-ai": [ "cpe:2.3:a:datapizza:datapizza_ai:*:*:*:*:*:*:*:*" ], + "dbt-common": [ + "cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*" + ], "decorator": [ "cpe:2.3:a:python:decorator:*:*:*:*:*:*:*:*" ], @@ -6180,6 +6244,9 @@ "marshmallow": [ "cpe:2.3:a:marshmallow_project:marshmallow:*:*:*:*:*:python:*:*" ], + "mcp-memory-service": [ + "cpe:2.3:a:doobidoo:mcp-memory-service:*:*:*:*:*:*:*:*" + ], "mltable": [ "cpe:2.3:a:microsoft:azure_machine_learning_software_development_kit:*:*:*:*:*:*:*:*" ], @@ -6204,6 +6271,9 @@ "openapi-python-client": [ "cpe:2.3:a:openapi-python-client_project:openapi-python-client:*:*:*:*:*:*:*:*" ], + "openhands": [ + "cpe:2.3:a:openhands:openhands:*:*:*:*:*:python:*:*" + ], "openlit": [ "cpe:2.3:a:openlit:openlit_software_development_kit:*:*:*:*:*:python:*:*" ], 
@@ -6378,6 +6448,9 @@ "scoptrial": [ "cpe:2.3:a:scoptrial_project:scoptrial:*:*:*:*:*:pypi:*:*" ], + "semantic-kernel": [ + "cpe:2.3:a:microsoft:semantic_kernel:*:*:*:*:*:python:*:*" + ], "sentry-sdk": [ "cpe:2.3:a:sentry:sentry_software_development_kit:*:*:*:*:*:python:*:*" ], @@ -6627,6 +6700,9 @@ "gon": [ "cpe:2.3:a:gon_project:gon:*:*:*:*:*:ruby:*:*" ], + "graphiti": [ + "cpe:2.3:a:graphiti:graphiti:*:*:*:*:*:ruby:*:*" + ], "gyazo": [ "cpe:2.3:a:gyazo_project:gyazo:*:*:*:*:*:ruby:*:*" ], @@ -7008,6 +7084,12 @@ "aws-lc-fips-sys": [ "cpe:2.3:a:amazon:aws-lc-fips-sys:*:*:*:*:*:rust:*:*" ], + "aws-lc-rs": [ + "cpe:2.3:a:amazon:aws-lc-rs:*:*:*:*:*:rust:*:*" + ], + "aws-lc-sys": [ + "cpe:2.3:a:amazon:aws-lc-sys:*:*:*:*:*:rust:*:*" + ], "axum-core": [ "cpe:2.3:a:axum-core_project:axum-core:*:*:*:*:*:rust:*:*" ], @@ -7512,6 +7594,12 @@ "youki": [ "cpe:2.3:a:youki-dev:youki:*:*:*:*:*:rust:*:*" ], + "zebra-chain": [ + "cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:*" + ], + "zebra-consensus": [ + "cpe:2.3:a:zfnd:zebra-consensus:*:*:*:*:*:rust:*:*" + ], "zeroize_derive": [ "cpe:2.3:a:zeroize_derive_project:zeroize_derive:*:*:*:*:*:rust:*:*" ] @@ -9186,6 +9274,9 @@ "bravo-translate": [ "cpe:2.3:a:guelbetech:bravo_translate:*:*:*:*:*:wordpress:*:*" ], + "bread-butter": [ + "cpe:2.3:a:breadbutter:bread_\\\u0026_butter:*:*:*:*:*:wordpress:*:*" + ], "breadcrumbs-by-menu": [ "cpe:2.3:a:holest:breadcrumbs_by_menu:*:*:*:*:*:wordpress:*:*" ], 
@@ -10039,6 +10130,9 @@ "contact-form-7-paypal-add-on": [ "cpe:2.3:a:wpplugin:paypal_\\\u0026_stripe_add-on:*:*:*:*:*:wordpress:*:*" ], + "contact-form-7-recaptcha": [ + "cpe:2.3:a:iambriansreed:contact_form_7_recaptcha:*:*:*:*:*:wordpress:*:*" + ], "contact-form-7-simple-recaptcha": [ "cpe:2.3:a:contact_form_7_captcha_project:contact_form_7_captcha:*:*:*:*:*:wordpress:*:*" ], diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-1.42.3/task.d/generate/cpe-index.yaml new/syft-1.42.4/task.d/generate/cpe-index.yaml --- old/syft-1.42.3/task.d/generate/cpe-index.yaml 2026-03-19 17:44:55.000000000 +0100 +++ new/syft-1.42.4/task.d/generate/cpe-index.yaml 2026-04-08 19:06:28.000000000 +0200 @@ -2,14 +2,15 @@ vars: CPE_CACHE_DIR: "syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/.cpe-cache" - CPE_CACHE_REGISTRY: "ghcr.io/anchore/syft/cpe-cache:latest" + CPE_CACHE_REGISTRY: "ghcr.io/anchore/oss-cache/cpe-cache:latest" + CPE_CACHE_REPO: "oss-cache" CPE_INDEX_OUTPUT: "syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json" CPE_GENERATOR_DIR: "syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator" tasks: cache:pull: - desc: Pull CPE cache from ORAS registry (ghcr.io/anchore/syft/cpe-cache:latest) - # deps: [tools] + desc: Pull CPE cache from ORAS registry (ghcr.io/anchore/oss-cache/cpe-cache:latest) + deps: [':tools'] cmds: - cmd: | set -eu 
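Review bot: In the `vars` block of task.d/generate/cpe-index.yaml, `CPE_CACHE_REPO: "oss-cache"` is added next to a `CPE_CACHE_REGISTRY` value and a `cache:pull` description that both still spell out `oss-cache` by hand, so the repository name now lives in three places and the push annotation changed in the later hunk can drift from the image that is actually pushed. Taskfile.yaml in this same commit derives its image from the variable; doing the same here, with `CPE_CACHE_REPO` declared first and `CPE_CACHE_REGISTRY: "ghcr.io/anchore/{{ .CPE_CACHE_REPO }}/cpe-cache:latest"`, keeps them in step. Separately, the cache is addressed by the mutable `:latest` tag and, judging by the variable names, what is pulled feeds the generated cpe-index.json. Whether the pull checks a digest is not visible in this hunk, and it is worth confirming now that the cache sits in what appears to be a repository shared across projects.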
@@ -116,7 +117,7 @@ # push compressed files to ORAS (from cache directory, so only basenames are used) echo "Pushing compressed files to registry..." "$oras_bin" push {{ .CPE_CACHE_REGISTRY }} $compressed_files \ - --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .PROJECT }} \ + --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .CPE_CACHE_REPO }} \ --annotation org.opencontainers.image.created=$(date -u +"%Y-%m-%dT%H:%M:%SZ") # clean up compressed files ++++++ syft.obsinfo ++++++ --- /var/tmp/diff_new_pack.B9yZ8k/_old 2026-04-09 16:23:44.208022686 +0200 +++ /var/tmp/diff_new_pack.B9yZ8k/_new 2026-04-09 16:23:44.224023344 +0200 @@ -1,5 +1,5 @@ name: syft -version: 1.42.3 -mtime: 1773938695 -commit: 860126c650c2d05b63b83a3895e41268162315a3 +version: 1.42.4 +mtime: 1775667988 +commit: f6189175279981a79d8d8c15669c570f15a00568 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/syft/vendor.tar.gz /work/SRC/openSUSE:Factory/.syft.new.21863/vendor.tar.gz differ: char 13, line 1
