Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package syft for openSUSE:Factory checked in 
at 2022-11-22 16:10:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/syft (Old)
 and      /work/SRC/openSUSE:Factory/.syft.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "syft"

Tue Nov 22 16:10:02 2022 rev:14 rq:1037138 version:0.62.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/syft/syft.changes        2022-11-19 
18:09:15.266415969 +0100
+++ /work/SRC/openSUSE:Factory/.syft.new.1597/syft.changes      2022-11-22 
16:10:11.182031029 +0100
@@ -1,0 +2,8 @@
+Mon Nov 21 15:12:29 UTC 2022 - ka...@b1-systems.de
+
+- Update to version 0.62.1:
+  * fix: sort relationships in SPDX output (#1350)
+  * chore: add debug logging for decode errors (#1352)
+  * feat(npm): handle aliases in package-lock.json (#1349)
+
+-------------------------------------------------------------------

Old:
----
  syft-0.62.0.tar.gz

New:
----
  syft-0.62.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ syft.spec ++++++
--- /var/tmp/diff_new_pack.hwVrvd/_old  2022-11-22 16:10:12.826039370 +0100
+++ /var/tmp/diff_new_pack.hwVrvd/_new  2022-11-22 16:10:12.834039411 +0100
@@ -19,7 +19,7 @@
 %define __arch_install_post export NO_BRP_STRIP_DEBUG=true
 
 Name:           syft
-Version:        0.62.0
+Version:        0.62.1
 Release:        0
 Summary:        CLI tool and library for generating a Software Bill of 
Materials
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.hwVrvd/_old  2022-11-22 16:10:12.890039695 +0100
+++ /var/tmp/diff_new_pack.hwVrvd/_new  2022-11-22 16:10:12.898039735 +0100
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/anchore/syft</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v0.62.0</param>
+    <param name="revision">v0.62.1</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>
@@ -16,7 +16,7 @@
     <param name="compression">gz</param>
   </service>
   <service name="go_modules" mode="disabled">
-    <param name="archive">syft-0.62.0.tar.gz</param>
+    <param name="archive">syft-0.62.1.tar.gz</param>
   </service>
 </services>
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.hwVrvd/_old  2022-11-22 16:10:12.942039958 +0100
+++ /var/tmp/diff_new_pack.hwVrvd/_new  2022-11-22 16:10:12.950039999 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/anchore/syft</param>
-              <param 
name="changesrevision">da4b2df57640e03f273a2e7e9b04eca40555e139</param></service></servicedata>
+              <param 
name="changesrevision">098e61dcc81d7a6d666bc62a2166c9b8f32c61bc</param></service></servicedata>
 (No newline at EOF)
 

++++++ syft-0.62.0.tar.gz -> syft-0.62.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/formats/common/spdxhelpers/to_format_model.go 
new/syft-0.62.1/syft/formats/common/spdxhelpers/to_format_model.go
--- old/syft-0.62.0/syft/formats/common/spdxhelpers/to_format_model.go  
2022-11-18 19:42:55.000000000 +0100
+++ new/syft-0.62.1/syft/formats/common/spdxhelpers/to_format_model.go  
2022-11-21 15:26:24.000000000 +0100
@@ -105,7 +105,7 @@
                },
                Packages:      toPackages(s.Artifacts.PackageCatalog),
                Files:         toFiles(s),
-               Relationships: toRelationships(s.Relationships),
+               Relationships: toRelationships(s.RelationshipsSorted()),
        }
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.62.0/syft/formats/common/testutils/utils.go 
new/syft-0.62.1/syft/formats/common/testutils/utils.go
--- old/syft-0.62.0/syft/formats/common/testutils/utils.go      2022-11-18 
19:42:55.000000000 +0100
+++ new/syft-0.62.1/syft/formats/common/testutils/utils.go      2022-11-21 
15:26:24.000000000 +0100
@@ -2,8 +2,10 @@
 
 import (
        "bytes"
+       "math/rand"
        "strings"
        "testing"
+       "time"
 
        "github.com/sergi/go-diff/diffmatchpatch"
        "github.com/stretchr/testify/assert"
@@ -12,6 +14,7 @@
        "github.com/anchore/stereoscope/pkg/filetree"
        "github.com/anchore/stereoscope/pkg/image"
        "github.com/anchore/stereoscope/pkg/imagetest"
+       "github.com/anchore/syft/syft/artifact"
        "github.com/anchore/syft/syft/linux"
        "github.com/anchore/syft/syft/pkg"
        "github.com/anchore/syft/syft/sbom"
@@ -276,3 +279,25 @@
 
        return catalog
 }
+
+//nolint:gosec
+func AddSampleFileRelationships(s *sbom.SBOM) {
+       catalog := s.Artifacts.PackageCatalog.Sorted()
+       s.Artifacts.FileMetadata = map[source.Coordinates]source.FileMetadata{}
+
+       files := []string{"/f1", "/f2", "/d1/f3", "/d2/f4", "/z1/f5", "/a1/f6"}
+       rnd := rand.New(rand.NewSource(time.Now().UnixNano()))
+       rnd.Shuffle(len(files), func(i, j int) { files[i], files[j] = files[j], 
files[i] })
+
+       for _, f := range files {
+               meta := source.FileMetadata{}
+               coords := source.Coordinates{RealPath: f}
+               s.Artifacts.FileMetadata[coords] = meta
+
+               s.Relationships = append(s.Relationships, artifact.Relationship{
+                       From: catalog[0],
+                       To:   coords,
+                       Type: artifact.ContainsRelationship,
+               })
+       }
+}
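Review bot: The bare `//nolint:gosec` above `AddSampleFileRelationships` silences every gosec finding in the function without giving a reason, and the newly exported helper has no doc comment. Narrow the suppression to its actual justification, e.g. `//nolint:gosec // math/rand only shuffles test fixture order; not security-sensitive`. Add a doc comment saying that it resets `FileMetadata` and appends six CONTAINS relationships, in shuffled order, from the first package of the sorted catalog. Two further points for that comment or a follow-up: `catalog[0]` panics when the SBOM has no packages, and the seed from `time.Now().UnixNano()` is never recorded, so an order-dependent failure cannot be replayed.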
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.62.0/syft/formats/formats.go 
new/syft-0.62.1/syft/formats/formats.go
--- old/syft-0.62.0/syft/formats/formats.go     2022-11-18 19:42:55.000000000 
+0100
+++ new/syft-0.62.1/syft/formats/formats.go     2022-11-21 15:26:24.000000000 
+0100
@@ -2,10 +2,12 @@
 
 import (
        "bytes"
+       "errors"
        "fmt"
        "io"
        "strings"
 
+       "github.com/anchore/syft/internal/log"
        "github.com/anchore/syft/syft/formats/cyclonedxjson"
        "github.com/anchore/syft/syft/formats/cyclonedxxml"
        "github.com/anchore/syft/syft/formats/github"
@@ -35,6 +37,9 @@
 func Identify(by []byte) sbom.Format {
        for _, f := range Formats() {
                if err := f.Validate(bytes.NewReader(by)); err != nil {
+                       if !errors.Is(err, sbom.ErrValidationNotSupported) {
+                               log.Debugf("format %s returned err: %+v", 
f.ID(), err)
+                       }
                        continue
                }
                return f
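Review bot: The added `log.Debugf` in `Identify` prints the validation error with `%+v`, and that error comes from parsing caller-supplied bytes, so it may carry fragments of the input document. This is inferred, since the validators are not visible here. Because `Identify` tries every format in turn, one document will normally produce such a line for each format that does not match. A short comment would make the intent clear to the next reader, e.g. `// debug only: most formats are expected to fail here, and err may quote untrusted input`. The rest of `Identify` lies outside the hunk.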
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.62.0/syft/formats/spdxjson/encoder_test.go 
new/syft-0.62.1/syft/formats/spdxjson/encoder_test.go
--- old/syft-0.62.0/syft/formats/spdxjson/encoder_test.go       2022-11-18 
19:42:55.000000000 +0100
+++ new/syft-0.62.1/syft/formats/spdxjson/encoder_test.go       2022-11-21 
15:26:24.000000000 +0100
@@ -5,10 +5,7 @@
        "regexp"
        "testing"
 
-       "github.com/anchore/syft/syft/artifact"
        "github.com/anchore/syft/syft/formats/common/testutils"
-       "github.com/anchore/syft/syft/sbom"
-       "github.com/anchore/syft/syft/source"
 )
 
 var updateSpdxJson = flag.Bool("update-spdx-json", false, "update the *.golden 
files for spdx-json encoders")
@@ -36,7 +33,7 @@
 func TestSPDXRelationshipOrder(t *testing.T) {
        testImage := "image-simple"
        s := testutils.ImageInput(t, testImage, testutils.FromSnapshot())
-       addRelationships(&s)
+       testutils.AddSampleFileRelationships(&s)
        testutils.AssertEncoderAgainstGoldenImageSnapshot(t,
                Format(),
                s,
@@ -46,23 +43,6 @@
        )
 }
 
-func addRelationships(s *sbom.SBOM) {
-       catalog := s.Artifacts.PackageCatalog.Sorted()
-       s.Artifacts.FileMetadata = map[source.Coordinates]source.FileMetadata{}
-
-       for _, f := range []string{"/f1", "/f2", "/d1/f3", "/d2/f4", "/z1/f5", 
"/a1/f6"} {
-               meta := source.FileMetadata{}
-               coords := source.Coordinates{RealPath: f}
-               s.Artifacts.FileMetadata[coords] = meta
-
-               s.Relationships = append(s.Relationships, artifact.Relationship{
-                       From: catalog[0],
-                       To:   coords,
-                       Type: artifact.ContainsRelationship,
-               })
-       }
-}
-
 func spdxJsonRedactor(s []byte) []byte {
        // each SBOM reports the time it was generated, which is not useful 
during snapshot testing
        s = regexp.MustCompile(`"created": .*`).ReplaceAll(s, 
[]byte("redacted"))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
 
new/syft-0.62.1/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
--- 
old/syft-0.62.0/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
    2022-11-18 19:42:55.000000000 +0100
+++ 
new/syft-0.62.1/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
    2022-11-21 15:26:24.000000000 +0100
@@ -3,14 +3,14 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "/some/path",
- "documentNamespace": 
"https://anchore.com/syft/dir/some/path-0f9b165e-1819-43cb-bd58-f61c1c23d6cf";,
+ "documentNamespace": 
"https://anchore.com/syft/dir/some/path-4bf54cdd-0a0f-4560-bf4f-39cac2ef7a5b";,
  "creationInfo": {
   "licenseListVersion": "3.18",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-v0.42.0-bogus"
   ],
-  "created": "2022-11-11T19:24:55Z",
+  "created": "2022-11-19T13:46:57Z",
   "comment": ""
  },
  "packages": [
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
 
new/syft-0.62.1/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
--- 
old/syft-0.62.0/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
        2022-11-18 19:42:55.000000000 +0100
+++ 
new/syft-0.62.1/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
        2022-11-21 15:26:24.000000000 +0100
@@ -3,14 +3,14 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "user-image-input",
- "documentNamespace": 
"https://anchore.com/syft/image/user-image-input-5841d063-c3ef-406b-91b4-8a702ef45ce9";,
+ "documentNamespace": 
"https://anchore.com/syft/image/user-image-input-102ca7dc-3d1e-46d2-b130-28968831ebcc";,
  "creationInfo": {
   "licenseListVersion": "3.18",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-v0.42.0-bogus"
   ],
-  "created": "2022-11-11T19:24:55Z",
+  "created": "2022-11-19T13:46:57Z",
   "comment": ""
  },
  "packages": [
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
 
new/syft-0.62.1/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
--- 
old/syft-0.62.0/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
       2022-11-18 19:42:55.000000000 +0100
+++ 
new/syft-0.62.1/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
       2022-11-21 15:26:24.000000000 +0100
@@ -3,14 +3,14 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "user-image-input",
- "documentNamespace": 
"https://anchore.com/syft/image/user-image-input-8755f340-f205-4bf2-a909-94c623670734";,
+ "documentNamespace": 
"https://anchore.com/syft/image/user-image-input-55ad4afc-ecdc-46a4-8bc3-36b3e72da5d1";,
  "creationInfo": {
   "licenseListVersion": "3.18",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-v0.42.0-bogus"
   ],
-  "created": "2022-11-11T19:24:55Z",
+  "created": "2022-11-19T13:46:57Z",
   "comment": ""
  },
  "packages": [
@@ -133,12 +133,12 @@
   },
   {
    "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
-   "relatedSpdxElement": "SPDXRef-f9e49132a4b96ccd",
+   "relatedSpdxElement": "SPDXRef-839d99ee67d9d174",
    "relationshipType": "CONTAINS"
   },
   {
    "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
-   "relatedSpdxElement": "SPDXRef-c6f5b29dca12661f",
+   "relatedSpdxElement": "SPDXRef-9c2f7510199b17f6",
    "relationshipType": "CONTAINS"
   },
   {
@@ -148,12 +148,12 @@
   },
   {
    "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
-   "relatedSpdxElement": "SPDXRef-839d99ee67d9d174",
+   "relatedSpdxElement": "SPDXRef-c6f5b29dca12661f",
    "relationshipType": "CONTAINS"
   },
   {
    "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
-   "relatedSpdxElement": "SPDXRef-9c2f7510199b17f6",
+   "relatedSpdxElement": "SPDXRef-f9e49132a4b96ccd",
    "relationshipType": "CONTAINS"
   }
  ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.62.0/syft/formats/spdxtagvalue/decoder.go 
new/syft-0.62.1/syft/formats/spdxtagvalue/decoder.go
--- old/syft-0.62.0/syft/formats/spdxtagvalue/decoder.go        2022-11-18 
19:42:55.000000000 +0100
+++ new/syft-0.62.1/syft/formats/spdxtagvalue/decoder.go        2022-11-21 
15:26:24.000000000 +0100
@@ -13,7 +13,7 @@
 func decoder(reader io.Reader) (*sbom.SBOM, error) {
        doc, err := tvloader.Load2_3(reader)
        if err != nil {
-               return nil, fmt.Errorf("unable to decode spdx-json: %w", err)
+               return nil, fmt.Errorf("unable to decode spdx-tag-value: %w", 
err)
        }
 
        return spdxhelpers.ToSyftModel(doc)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/formats/spdxtagvalue/encoder_test.go 
new/syft-0.62.1/syft/formats/spdxtagvalue/encoder_test.go
--- old/syft-0.62.0/syft/formats/spdxtagvalue/encoder_test.go   2022-11-18 
19:42:55.000000000 +0100
+++ new/syft-0.62.1/syft/formats/spdxtagvalue/encoder_test.go   2022-11-21 
15:26:24.000000000 +0100
@@ -67,6 +67,19 @@
        )
 }
 
+func TestSPDXRelationshipOrder(t *testing.T) {
+       testImage := "image-simple"
+       s := testutils.ImageInput(t, testImage, testutils.FromSnapshot())
+       testutils.AddSampleFileRelationships(&s)
+       testutils.AssertEncoderAgainstGoldenImageSnapshot(t,
+               Format(),
+               s,
+               testImage,
+               *updateSpdxTagValue,
+               spdxTagValueRedactor,
+       )
+}
+
 func spdxTagValueRedactor(s []byte) []byte {
        // each SBOM reports the time it was generated, which is not useful 
during snapshot testing
        s = regexp.MustCompile(`Created: .*`).ReplaceAll(s, []byte("redacted"))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
 
new/syft-0.62.1/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
--- 
old/syft-0.62.0/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
 2022-11-18 19:42:55.000000000 +0100
+++ 
new/syft-0.62.1/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
 2022-11-21 15:26:24.000000000 +0100
@@ -2,11 +2,11 @@
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: foobar/baz
-DocumentNamespace: 
https://anchore.com/syft/dir/foobar/baz-3d730196-4510-4ee4-9743-9322dd27cee7
+DocumentNamespace: 
https://anchore.com/syft/dir/foobar/baz-62bc0aae-2b37-4c86-ab79-63c6fc4198ed
 LicenseListVersion: 3.18
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-18T14:21:45Z
+Created: 2022-11-19T13:48:30Z
 
 ##### Package: @at-sign
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
 
new/syft-0.62.1/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
--- 
old/syft-0.62.0/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
   1970-01-01 01:00:00.000000000 +0100
+++ 
new/syft-0.62.1/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
   2022-11-21 15:26:24.000000000 +0100
@@ -0,0 +1,79 @@
+SPDXVersion: SPDX-2.3
+DataLicense: CC0-1.0
+SPDXID: SPDXRef-DOCUMENT
+DocumentName: user-image-input
+DocumentNamespace: 
https://anchore.com/syft/image/user-image-input-cc20e416-9c74-401c-b4aa-245556bada5e
+LicenseListVersion: 3.18
+Creator: Organization: Anchore, Inc
+Creator: Tool: syft-v0.42.0-bogus
+Created: 2022-11-19T13:48:30Z
+
+##### Unpackaged files
+
+FileName: /f1
+SPDXID: SPDXRef-5265a4dde3edbf7c
+FileType: OTHER
+LicenseConcluded: NOASSERTION
+
+FileName: /z1/f5
+SPDXID: SPDXRef-839d99ee67d9d174
+FileType: OTHER
+LicenseConcluded: NOASSERTION
+
+FileName: /a1/f6
+SPDXID: SPDXRef-9c2f7510199b17f6
+FileType: OTHER
+LicenseConcluded: NOASSERTION
+
+FileName: /d2/f4
+SPDXID: SPDXRef-c641caa71518099f
+FileType: OTHER
+LicenseConcluded: NOASSERTION
+
+FileName: /d1/f3
+SPDXID: SPDXRef-c6f5b29dca12661f
+FileType: OTHER
+LicenseConcluded: NOASSERTION
+
+FileName: /f2
+SPDXID: SPDXRef-f9e49132a4b96ccd
+FileType: OTHER
+LicenseConcluded: NOASSERTION
+
+##### Package: package-2
+
+PackageName: package-2
+SPDXID: SPDXRef-Package-deb-package-2-958443e2d9304af4
+PackageVersion: 2.0.1
+PackageDownloadLocation: NOASSERTION
+FilesAnalyzed: false
+PackageSourceInfo: acquired package info from DPKG DB: /somefile-2.txt
+PackageLicenseConcluded: NONE
+PackageLicenseDeclared: NONE
+PackageCopyrightText: NOASSERTION
+ExternalRef: SECURITY cpe23Type cpe:2.3:*:some:package:2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
+
+##### Package: package-1
+
+PackageName: package-1
+SPDXID: SPDXRef-Package-python-package-1-66ba429119b8bec6
+PackageVersion: 1.0.1
+PackageDownloadLocation: NOASSERTION
+FilesAnalyzed: false
+PackageSourceInfo: acquired package info from installed python package 
manifest file: /somefile-1.txt
+PackageLicenseConcluded: MIT
+PackageLicenseDeclared: MIT
+PackageCopyrightText: NOASSERTION
+ExternalRef: SECURITY cpe23Type cpe:2.3:*:some:package:1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl a-purl-1
+
+##### Relationships
+
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS 
SPDXRef-5265a4dde3edbf7c
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS 
SPDXRef-839d99ee67d9d174
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS 
SPDXRef-9c2f7510199b17f6
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS 
SPDXRef-c641caa71518099f
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS 
SPDXRef-c6f5b29dca12661f
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS 
SPDXRef-f9e49132a4b96ccd
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
 
new/syft-0.62.1/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
--- 
old/syft-0.62.0/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
    2022-11-18 19:42:55.000000000 +0100
+++ 
new/syft-0.62.1/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
    2022-11-21 15:26:24.000000000 +0100
@@ -2,11 +2,11 @@
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: /some/path
-DocumentNamespace: 
https://anchore.com/syft/dir/some/path-b6078c95-5b97-462d-acb3-9e74bc9ddb43
+DocumentNamespace: 
https://anchore.com/syft/dir/some/path-7a4b2140-6669-4a28-80dd-5c8e795c5da0
 LicenseListVersion: 3.18
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-18T14:21:44Z
+Created: 2022-11-19T13:48:30Z
 
 ##### Package: package-2
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
 
new/syft-0.62.1/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
--- 
old/syft-0.62.0/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
        2022-11-18 19:42:55.000000000 +0100
+++ 
new/syft-0.62.1/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
        2022-11-21 15:26:24.000000000 +0100
@@ -2,11 +2,11 @@
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
-DocumentNamespace: 
https://anchore.com/syft/image/user-image-input-aa272d1e-8bb4-411f-a554-4c9a16ea66fb
+DocumentNamespace: 
https://anchore.com/syft/image/user-image-input-baff7ada-85cb-403e-90d7-05b0c6d79490
 LicenseListVersion: 3.18
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-18T14:21:45Z
+Created: 2022-11-19T13:48:30Z
 
 ##### Package: package-2
 
Binary files 
old/syft-0.62.0/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
 and 
new/syft-0.62.1/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
 differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.62.0/syft/pkg/cataloger/javascript/package.go 
new/syft-0.62.1/syft/pkg/cataloger/javascript/package.go
--- old/syft-0.62.0/syft/pkg/cataloger/javascript/package.go    2022-11-18 
19:42:55.000000000 +0100
+++ new/syft-0.62.1/syft/pkg/cataloger/javascript/package.go    2022-11-21 
15:26:24.000000000 +0100
@@ -44,14 +44,29 @@
 }
 
 func newPackageLockV1Package(resolver source.FileResolver, location 
source.Location, name string, u lockDependency) pkg.Package {
+       version := u.Version
+
+       const aliasPrefixPackageLockV1 = "npm:"
+
+       // Handles type aliases 
https://github.com/npm/rfcs/blob/main/implemented/0001-package-aliases.md
+       if strings.HasPrefix(version, aliasPrefixPackageLockV1) {
+               // this is an alias.
+               // `"version": "npm:canonical-name@X.Y.Z"`
+               canonicalPackageAndVersion := 
version[len(aliasPrefixPackageLockV1):]
+               versionSeparator := 
strings.LastIndex(canonicalPackageAndVersion, "@")
+
+               name = canonicalPackageAndVersion[:versionSeparator]
+               version = canonicalPackageAndVersion[versionSeparator+1:]
+       }
+
        return finalizeLockPkg(
                resolver,
                location,
                pkg.Package{
                        Name:      name,
-                       Version:   u.Version,
+                       Version:   version,
                        Locations: source.NewLocationSet(location),
-                       PURL:      packageURL(name, u.Version),
+                       PURL:      packageURL(name, version),
                        Language:  pkg.JavaScript,
                        Type:      pkg.NpmPkg,
                },
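Review bot: In `newPackageLockV1Package` the result of `strings.LastIndex(canonicalPackageAndVersion, "@")` is used as a slice bound without a check. A version string with the `npm:` prefix but no `@` (constructed example: `npm:case`) gives -1 and `canonicalPackageAndVersion[:versionSeparator]` panics, and a scoped name with no version (constructed example: `npm:@scope/name`) gives 0 and produces an empty package name. Since package-lock.json is scanned input, a malformed entry should not be able to abort cataloging; wrap the two assignments in `if versionSeparator > 0 {` and otherwise leave `name` and `version` as they were. The test added in parse_package_lock_test.go uses only well-formed aliases, so a fixture with a version-less alias would pin this. The end of the function is outside the hunk.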
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/pkg/cataloger/javascript/parse_package_lock.go 
new/syft-0.62.1/syft/pkg/cataloger/javascript/parse_package_lock.go
--- old/syft-0.62.0/syft/pkg/cataloger/javascript/parse_package_lock.go 
2022-11-18 19:42:55.000000000 +0100
+++ new/syft-0.62.1/syft/pkg/cataloger/javascript/parse_package_lock.go 
2022-11-21 15:26:24.000000000 +0100
@@ -75,6 +75,11 @@
                                }
                        }
 
+                       // handles alias names
+                       if pkgMeta.Name != "" {
+                               name = pkgMeta.Name
+                       }
+
                        pkgs = append(pkgs, newPackageLockV2Package(resolver, 
reader.Location, getNameFromPath(name), pkgMeta))
                }
        }
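Review bot: After `name = pkgMeta.Name` the value still goes through `getNameFromPath(name)` in the `newPackageLockV2Package` call, so a helper that appears to be written for `node_modules/...` keys is now applied to a registry name read from the lockfile. The helper is not visible here, so it is an assumption that it returns such names unchanged in every case. Resolving the path first and overriding afterwards removes that dependency: `name = getNameFromPath(name)`, then `if pkgMeta.Name != "" { name = pkgMeta.Name }`, and pass `name` directly. The comment could also state that the lockfile's declared `name` is the canonical package name and replaces the install-path alias. The enclosing loop starts and ends outside the hunk.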
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/pkg/cataloger/javascript/parse_package_lock_test.go 
new/syft-0.62.1/syft/pkg/cataloger/javascript/parse_package_lock_test.go
--- old/syft-0.62.0/syft/pkg/cataloger/javascript/parse_package_lock_test.go    
2022-11-18 19:42:55.000000000 +0100
+++ new/syft-0.62.1/syft/pkg/cataloger/javascript/parse_package_lock_test.go    
2022-11-21 15:26:24.000000000 +0100
@@ -193,3 +193,57 @@
        }
        pkgtest.TestFileParser(t, fixture, parsePackageLock, expectedPkgs, 
expectedRelationships)
 }
+
+func TestParsePackageLockAlias(t *testing.T) {
+       var expectedRelationships []artifact.Relationship
+       commonPkgs := []pkg.Package{
+               {
+                       Name:     "case",
+                       Version:  "1.6.2",
+                       PURL:     "pkg:npm/case@1.6.2",
+                       Language: pkg.JavaScript,
+                       Type:     pkg.NpmPkg,
+               },
+               {
+                       Name:     "case",
+                       Version:  "1.6.3",
+                       PURL:     "pkg:npm/case@1.6.3",
+                       Language: pkg.JavaScript,
+                       Type:     pkg.NpmPkg,
+               },
+               {
+                       Name:     "@bundled-es-modules/chai",
+                       Version:  "4.2.2",
+                       PURL:     "pkg:npm/%40bundled-es-modules/chai@4.2.2",
+                       Language: pkg.JavaScript,
+                       Type:     pkg.NpmPkg,
+               },
+       }
+
+       v2Pkg := pkg.Package{
+               Name:     "alias-check",
+               Version:  "1.0.0",
+               PURL:     "pkg:npm/alias-check@1.0.0",
+               Language: pkg.JavaScript,
+               Type:     pkg.NpmPkg,
+               Licenses: []string{"ISC"},
+       }
+
+       packageLockV1 := "test-fixtures/pkg-lock/alias-package-lock-1.json"
+       packageLockV2 := "test-fixtures/pkg-lock/alias-package-lock-2.json"
+       packageLocks := []string{packageLockV1, packageLockV2}
+
+       for _, packageLock := range packageLocks {
+               expected := make([]pkg.Package, len(commonPkgs))
+               copy(expected, commonPkgs)
+
+               if packageLock == packageLockV2 {
+                       expected = append(expected, v2Pkg)
+               }
+
+               for i := range expected {
+                       
expected[i].Locations.Add(source.NewLocation(packageLock))
+               }
+               pkgtest.TestFileParser(t, packageLock, parsePackageLock, 
expected, expectedRelationships)
+       }
+}
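Review bot: The loop in `TestParsePackageLockAlias` runs both lockfile fixtures inside one test body, so a failure report does not say which fixture broke. Wrapping the loop body in `t.Run(packageLock, func(t *testing.T) { ... })` gives each file its own named subtest. A doc comment on the test could note that the v2 fixture additionally yields the root `alias-check` package, which is why `v2Pkg` is appended only for that file.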
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-1.json
 
new/syft-0.62.1/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-1.json
--- 
old/syft-0.62.0/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-1.json
      1970-01-01 01:00:00.000000000 +0100
+++ 
new/syft-0.62.1/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-1.json
      2022-11-21 15:26:24.000000000 +0100
@@ -0,0 +1,23 @@
+{
+  "name": "alias-check",
+  "version": "1.0.0",
+  "lockfileVersion": 1,
+  "requires": true,
+  "dependencies": {
+    "case": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.2.tgz";,
+      "integrity": 
"sha512-ll380ZRoraT7mUK2G92UbH+FJVD5AwdVIAYk9xhV1tauh0carDgYByUD1HhjCWsWgxrfQvCeHvtfj7IYR6TKeg=="
+    },
+    "case-alias": {
+      "version": "npm:case@1.6.3",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.3.tgz";,
+      "integrity": 
"sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ=="
+    },
+    "chai": {
+      "version": "npm:@bundled-es-modules/chai@4.2.2",
+      "resolved": 
"https://registry.npmjs.org/@bundled-es-modules/chai/-/chai-4.2.2.tgz";,
+      "integrity": 
"sha512-iGmVYw2/zJCoqyKTtWEYCtFmMyi8WmACQKtky0lpNyEKWX0YIOpKWGD7saMXL+tPpllss0otilxV0SLwyi3Ytg=="
+    }
+  }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.62.0/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-2.json
 
new/syft-0.62.1/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-2.json
--- 
old/syft-0.62.0/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-2.json
      1970-01-01 01:00:00.000000000 +0100
+++ 
new/syft-0.62.1/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/alias-package-lock-2.json
      2022-11-21 15:26:24.000000000 +0100
@@ -0,0 +1,58 @@
+{
+  "name": "alias-check",
+  "version": "1.0.0",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "alias-check",
+      "version": "1.0.0",
+      "license": "ISC",
+      "dependencies": {
+        "case": "1.6.2",
+        "case-alias": "npm:case@^1.6.3",
+        "chai": "npm:@bundled-es-modules/chai@^4.2.2"
+      }
+    },
+    "node_modules/case": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.2.tgz";,
+      "integrity": 
"sha512-ll380ZRoraT7mUK2G92UbH+FJVD5AwdVIAYk9xhV1tauh0carDgYByUD1HhjCWsWgxrfQvCeHvtfj7IYR6TKeg==",
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/case-alias": {
+      "name": "case",
+      "version": "1.6.3",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.3.tgz";,
+      "integrity": 
"sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==",
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/chai": {
+      "name": "@bundled-es-modules/chai",
+      "version": "4.2.2",
+      "resolved": 
"https://registry.npmjs.org/@bundled-es-modules/chai/-/chai-4.2.2.tgz";,
+      "integrity": 
"sha512-iGmVYw2/zJCoqyKTtWEYCtFmMyi8WmACQKtky0lpNyEKWX0YIOpKWGD7saMXL+tPpllss0otilxV0SLwyi3Ytg=="
+    }
+  },
+  "dependencies": {
+    "case": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.2.tgz";,
+      "integrity": 
"sha512-ll380ZRoraT7mUK2G92UbH+FJVD5AwdVIAYk9xhV1tauh0carDgYByUD1HhjCWsWgxrfQvCeHvtfj7IYR6TKeg=="
+    },
+    "case-alias": {
+      "version": "npm:case@1.6.3",
+      "resolved": "https://registry.npmjs.org/case/-/case-1.6.3.tgz";,
+      "integrity": 
"sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ=="
+    },
+    "chai": {
+      "version": "npm:@bundled-es-modules/chai@4.2.2",
+      "resolved": 
"https://registry.npmjs.org/@bundled-es-modules/chai/-/chai-4.2.2.tgz";,
+      "integrity": 
"sha512-iGmVYw2/zJCoqyKTtWEYCtFmMyi8WmACQKtky0lpNyEKWX0YIOpKWGD7saMXL+tPpllss0otilxV0SLwyi3Ytg=="
+    }
+  }
+}

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/syft/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.syft.new.1597/vendor.tar.gz differ: char 5, line 1
