Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package syft for openSUSE:Factory checked in at 2022-11-29 13:23:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/syft (Old) and /work/SRC/openSUSE:Factory/.syft.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "syft" Tue Nov 29 13:23:20 2022 rev:15 rq:1038824 version:0.62.2 Changes: -------- --- /work/SRC/openSUSE:Factory/syft/syft.changes 2022-11-22 16:10:11.182031029 +0100 +++ /work/SRC/openSUSE:Factory/.syft.new.1597/syft.changes 2022-11-29 13:23:21.537987372 +0100 @@ -1,0 +2,9 @@ +Mon Nov 28 18:06:04 UTC 2022 - ka...@b1-systems.de + +- Update to version 0.62.2: + * fix: guard for locations < 1 in alpmdb parse (#1366) + * fix: remove cabal.project.freeze panic on last pkg (#1363) + * fix: requirements.txt - return unicode only letter/num for version (#1361) + * Update syft bootstrap tools to latest versions. (#1356) + +------------------------------------------------------------------- Old: ---- syft-0.62.1.tar.gz New: ---- syft-0.62.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ syft.spec ++++++ --- /var/tmp/diff_new_pack.HQOeZA/_old 2022-11-29 13:23:23.785998493 +0100 +++ /var/tmp/diff_new_pack.HQOeZA/_new 2022-11-29 13:23:23.789998513 +0100 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: syft -Version: 0.62.1 +Version: 0.62.2 Release: 0 Summary: CLI tool and library for generating a Software Bill of Materials License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.HQOeZA/_old 2022-11-29 13:23:23.829998711 +0100 +++ /var/tmp/diff_new_pack.HQOeZA/_new 2022-11-29 13:23:23.829998711 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/anchore/syft</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.62.1</param> + <param name="revision">v0.62.2</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> 
@@ -16,7 +16,7 @@ <param name="compression">gz</param> </service> <service name="go_modules" mode="disabled"> - <param name="archive">syft-0.62.1.tar.gz</param> + <param name="archive">syft-0.62.2.tar.gz</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.HQOeZA/_old 2022-11-29 13:23:23.849998810 +0100 +++ /var/tmp/diff_new_pack.HQOeZA/_new 2022-11-29 13:23:23.849998810 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/syft</param> - <param name="changesrevision">098e61dcc81d7a6d666bc62a2166c9b8f32c61bc</param></service></servicedata> + <param name="changesrevision">0cbd0cc70377d5b1b11b808fbbf9ddec450c68ee</param></service></servicedata> (No newline at EOF) ++++++ syft-0.62.1.tar.gz -> syft-0.62.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.62.1/Makefile new/syft-0.62.2/Makefile --- old/syft-0.62.1/Makefile 2022-11-21 15:26:24.000000000 +0100 +++ new/syft-0.62.2/Makefile 2022-11-28 16:43:18.000000000 +0100 @@ -13,7 +13,7 @@ GOSIMPORTS_VERSION = v0.3.4 BOUNCER_VERSION = v0.4.0 CHRONICLE_VERSION = v0.4.2 -GORELEASER_VERSION = v1.12.3 +GORELEASER_VERSION = v1.13.0 YAJSV_VERSION = v1.4.1 COSIGN_VERSION = v1.13.1 QUILL_VERSION = v0.2.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.62.1/syft/pkg/cataloger/alpm/parse_alpm_db.go new/syft-0.62.2/syft/pkg/cataloger/alpm/parse_alpm_db.go --- old/syft-0.62.1/syft/pkg/cataloger/alpm/parse_alpm_db.go 2022-11-21 15:26:24.000000000 +0100 +++ new/syft-0.62.2/syft/pkg/cataloger/alpm/parse_alpm_db.go 2022-11-28 16:43:18.000000000 +0100 
@@ -42,10 +42,12 @@ if err != nil { return nil, nil, err } + pkgFiles, err := parseMtree(r) if err != nil { return nil, nil, err } + // The replace the files found the the pacman database with the files from the mtree These contain more metadata and // thus more useful. metadata.Files = pkgFiles @@ -106,6 +108,10 @@ if err != nil { return nil, err } + + if len(locs) == 0 { + return nil, fmt.Errorf("could not find file: %s", path) + } // TODO: Should we maybe check if we found the file dbContentReader, err := resolver.FileContentsByLocation(locs[0]) if err != nil { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.62.1/syft/pkg/cataloger/haskell/parse_cabal_freeze.go new/syft-0.62.2/syft/pkg/cataloger/haskell/parse_cabal_freeze.go --- old/syft-0.62.1/syft/pkg/cataloger/haskell/parse_cabal_freeze.go 2022-11-21 15:26:24.000000000 +0100 +++ new/syft-0.62.2/syft/pkg/cataloger/haskell/parse_cabal_freeze.go 2022-11-28 16:43:18.000000000 +0100 @@ -34,6 +34,14 @@ line = strings.TrimSpace(line) startPkgEncoding, endPkgEncoding := strings.Index(line, "any.")+4, strings.Index(line, ",") + // case where comma not found for last package in constraint list + if endPkgEncoding == -1 { + endPkgEncoding = len(line) + } + if startPkgEncoding >= endPkgEncoding || startPkgEncoding < 0 { + continue + } + line = line[startPkgEncoding:endPkgEncoding] fields := strings.Split(line, " ==") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.62.1/syft/pkg/cataloger/haskell/test-fixtures/cabal.project.freeze new/syft-0.62.2/syft/pkg/cataloger/haskell/test-fixtures/cabal.project.freeze --- old/syft-0.62.1/syft/pkg/cataloger/haskell/test-fixtures/cabal.project.freeze 2022-11-21 15:26:24.000000000 +0100 +++ new/syft-0.62.2/syft/pkg/cataloger/haskell/test-fixtures/cabal.project.freeze 2022-11-28 16:43:18.000000000 +0100 
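Review bot: The `// TODO: Should we maybe check if we found the file` comment on the context line directly below the new `len(locs) == 0` guard is now answered by that guard and should be deleted, otherwise the next reader will assume the check is still missing. The guard itself is the right shape: indexing `locs[0]` on an empty result is an index-out-of-range panic, and for a scanner that reads untrusted image contents that presumably meant a truncated or crafted pacman database entry could take down the cataloger instead of producing an error. What the guard does not address is the other side of the same assumption — when the resolver returns more than one location the code silently uses `locs[0]`; I cannot tell from the hunk whether the resolver guarantees a single match for the mtree path, so if it does not, a one-line comment such as `// more than one match is possible on layered images; the first hit wins` (or a debug log) would document the choice. The enclosing function begins before and ends after this hunk.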
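Review bot: The `startPkgEncoding < 0` clause in the new bounds check can never be true: `strings.Index(line, "any.")` returns -1 when the prefix is absent and the `+4` on the line above turns that into 3, so a line without `any.` (for example the `index-state:` trailer in the updated fixture) is not rejected here but sliced from byte 3 onward and handed to the `strings.Split` below, and whether that garbage is filtered afterwards depends on the field-count handling outside the hunk, unless something earlier in the loop already skips such lines. Test for the prefix before doing arithmetic on the index: `if !strings.Contains(line, "any.") { continue }` ahead of the `startPkgEncoding, endPkgEncoding := …` line, and then drop the dead `|| startPkgEncoding < 0`. The remaining `startPkgEncoding >= endPkgEncoding` check still covers a comma that precedes the package name and an empty name, and the `-1` fallback to `len(line)` for the last package is fine. The enclosing loop starts and ends outside this hunk.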
@@ -12,6 +12,6 @@ any.RSA ==2.4.1, any.SHA ==1.6.4.4, void -safe, - any.Spock ==0.14.0.0, - + any.Spock ==0.14.0.0 + index-state: hackage.haskell.org 2022-07-07T01:01:53Z diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.62.1/syft/pkg/cataloger/python/parse_requirements.go new/syft-0.62.2/syft/pkg/cataloger/python/parse_requirements.go --- old/syft-0.62.1/syft/pkg/cataloger/python/parse_requirements.go 2022-11-21 15:26:24.000000000 +0100 +++ new/syft-0.62.2/syft/pkg/cataloger/python/parse_requirements.go 2022-11-28 16:43:18.000000000 +0100 @@ -4,6 +4,7 @@ "bufio" "fmt" "strings" + "unicode" "github.com/anchore/syft/internal/log" "github.com/anchore/syft/syft/artifact" @@ -47,8 +48,14 @@ log.WithFields("path", reader.RealPath).Warnf("unable to parse requirements.txt line: %q", line) continue } + + // check if the version contains hash declarations on the same line + version, _ := parseVersionAndHashes(parts[1]) + name := strings.TrimSpace(parts[0]) - version := strings.TrimSpace(parts[1]) + version = strings.TrimFunc(version, func(r rune) bool { + return !unicode.IsLetter(r) && !unicode.IsNumber(r) + }) packages = append(packages, newPackageForIndex(name, version, reader.Location)) } 
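Review bot: The new `strings.TrimFunc` strips every rune that is not a letter or number from both ends of the version, which is broader than the hash and line-continuation case it targets: if a wildcard pin such as `pkg==1.*` reaches this point it comes out as the exact-looking `1`, and downstream consumers of the SBOM will treat that as a precise version that was never declared. The ` \` continuation visible in the new fixture (`argh==0.26.2 \`) is the thing this trim really handles, so handle it explicitly and keep the rest of the specifier intact: `version = strings.TrimSpace(strings.TrimSuffix(strings.TrimSpace(version), "\\"))`. Separately, `version, _ := parseVersionAndHashes(parts[1])` throws away the `--hash` values, which are the only integrity information a requirements file carries; keeping them on the package metadata would let SBOM consumers verify what was installed instead of the parser silently discarding them. How `parts` is split and what happens to the bare `--hash=` continuation lines of the fixture is decided outside this hunk, so the wildcard case may already be filtered earlier — I cannot confirm that from here. The enclosing loop starts and ends outside this hunk.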
@@ -59,6 +66,15 @@ return packages, nil, nil } +func parseVersionAndHashes(version string) (string, []string) { + parts := strings.Split(version, "--hash=") + if len(parts) < 2 { + return version, nil + } + + return parts[0], parts[1:] +} + // trimRequirementsTxtLine removes content from the given requirements.txt line // that should not be considered for parsing. func trimRequirementsTxtLine(line string) string { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.62.1/syft/pkg/cataloger/python/parse_requirements_test.go new/syft-0.62.2/syft/pkg/cataloger/python/parse_requirements_test.go --- old/syft-0.62.1/syft/pkg/cataloger/python/parse_requirements_test.go 2022-11-21 15:26:24.000000000 +0100 +++ new/syft-0.62.2/syft/pkg/cataloger/python/parse_requirements_test.go 2022-11-28 16:43:18.000000000 +0100 @@ -37,6 +37,22 @@ Language: pkg.Python, Type: pkg.PythonPkg, }, + { + Name: "argh", + Version: "0.26.2", + PURL: "pkg:pypi/argh@0.26.2", + Locations: locations, + Language: pkg.Python, + Type: pkg.PythonPkg, + }, + { + Name: "argh", + Version: "0.26.3", + PURL: "pkg:pypi/argh@0.26.3", + Locations: locations, + Language: pkg.Python, + Type: pkg.PythonPkg, + }, } var expectedRelationships []artifact.Relationship diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.62.1/syft/pkg/cataloger/python/test-fixtures/requires/requirements.txt new/syft-0.62.2/syft/pkg/cataloger/python/test-fixtures/requires/requirements.txt --- old/syft-0.62.1/syft/pkg/cataloger/python/test-fixtures/requires/requirements.txt 2022-11-21 15:26:24.000000000 +0100 +++ new/syft-0.62.2/syft/pkg/cataloger/python/test-fixtures/requires/requirements.txt 2022-11-28 16:43:18.000000000 +0100 
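Review bot: `parseVersionAndHashes` is a new function with no doc comment, and its contract needs one because it is subtle: the returned version keeps whatever trailed the specifier (at least the separating space, and the ` \` continuation when hashes sit on following lines), and each hash in the returned slice is raw text after `--hash=`, so with the two-hash fixture line the first element is `sha256:a9b3… ` with trailing whitespace, which any future caller would have to trim before comparing digests. I would add `// parseVersionAndHashes splits a requirement's version specifier from any trailing "--hash=<algo>:<digest>" options and returns the specifier and the hashes, both untrimmed.` above the func, or better, trim inside so callers need not: `for i, h := range parts[1:] { parts[i+1] = strings.TrimSpace(h) }` before the return. Note also that the split is anchored on the literal `--hash=`, so if the space-separated spelling `--hash sha256:…` is ever present it will stay inside the version string rather than being recognised; whether that spelling is accepted by pip is worth confirming before relying on the `=` form alone.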
@@ -10,3 +10,7 @@ numpyNew; sys_platform == 'win32' numpy >= 3.4.1; sys_platform == 'win32' Mopidy-Dirble ~= 1.1 # Compatible release. Same as >= 1.1, == 1.* +argh==0.26.2 \ + --hash=sha256:a9b3aaa1904eeb78e32394cd46c6f37ac0fb4af6dc488daa58971bdc7d7fcaf3 \ + --hash=sha256:e9535b8c84dc9571a48999094fda7f33e63c3f1b74f3e5f3ac0105a58405bb65 +argh==0.26.3 --hash=sha256:a9b3aaa1904eeb78e32394cd46c6f37ac0fb4af6dc488daa58971bdc7d7fcaf3 --hash=sha256:e9535b8c84dc9571a48999094fda7f33e63c3f1b74f3e5f3ac0105a58405bb65 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/syft/vendor.tar.gz /work/SRC/openSUSE:Factory/.syft.new.1597/vendor.tar.gz differ: char 5, line 1