Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package syft for openSUSE:Factory checked in at 2023-02-02 18:08:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/syft (Old) and /work/SRC/openSUSE:Factory/.syft.new.32243 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "syft" Thu Feb 2 18:08:48 2023 rev:25 rq:1062582 version:0.69.1 Changes: -------- --- /work/SRC/openSUSE:Factory/syft/syft.changes 2023-02-01 16:39:08.773633704 +0100 +++ /work/SRC/openSUSE:Factory/.syft.new.32243/syft.changes 2023-02-02 18:18:48.547952104 +0100 @@ -1,0 +2,8 @@ +Thu Feb 02 06:48:23 UTC 2023 - ka...@b1-systems.de + +- Update to version 0.69.1: + * chore: update spdx/tools-golang to v0.5.0-rc1 (#1503) + * feat: update golang to 1.19 (#1526) + * Update syft bootstrap tools to latest versions. (#1525) + +------------------------------------------------------------------- Old: ---- syft-0.69.0.tar.gz New: ---- syft-0.69.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ syft.spec ++++++ --- /var/tmp/diff_new_pack.STsKke/_old 2023-02-02 18:18:49.519958048 +0100 +++ /var/tmp/diff_new_pack.STsKke/_new 2023-02-02 18:18:49.523958073 +0100 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: syft -Version: 0.69.0 +Version: 0.69.1 Release: 0 Summary: CLI tool and library for generating a Software Bill of Materials License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.STsKke/_old 2023-02-02 18:18:49.559958293 +0100 +++ /var/tmp/diff_new_pack.STsKke/_new 2023-02-02 18:18:49.563958317 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/anchore/syft</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.69.0</param> + <param name="revision">v0.69.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> 
@@ -16,7 +16,7 @@ <param name="compression">gz</param> </service> <service name="go_modules" mode="disabled"> - <param name="archive">syft-0.69.0.tar.gz</param> + <param name="archive">syft-0.69.1.tar.gz</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.STsKke/_old 2023-02-02 18:18:49.583958440 +0100 +++ /var/tmp/diff_new_pack.STsKke/_new 2023-02-02 18:18:49.587958464 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/syft</param> - <param name="changesrevision">b81c9805dcc9bf25dad7659fd9c2bbf7dd3f3d90</param></service></servicedata> + <param name="changesrevision">1530ef354ffaf59cef6a02c949f2cdb82353954f</param></service></servicedata> (No newline at EOF) ++++++ syft-0.69.0.tar.gz -> syft-0.69.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/.github/actions/bootstrap/action.yaml new/syft-0.69.1/.github/actions/bootstrap/action.yaml --- old/syft-0.69.0/.github/actions/bootstrap/action.yaml 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/.github/actions/bootstrap/action.yaml 2023-01-31 17:53:16.000000000 +0100 @@ -4,7 +4,7 @@ go-version: description: "Go version to install" required: true - default: "1.18.x" + default: "1.19.x" use-go-cache: description: "Restore go cache" required: true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/.github/scripts/go-mod-tidy-check.sh new/syft-0.69.1/.github/scripts/go-mod-tidy-check.sh --- old/syft-0.69.0/.github/scripts/go-mod-tidy-check.sh 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/.github/scripts/go-mod-tidy-check.sh 2023-01-31 17:53:16.000000000 +0100 
@@ -4,7 +4,7 @@ ORIGINAL_STATE_DIR=$(mktemp -d "TEMP-original-state-XXXXXXXXX") TIDY_STATE_DIR=$(mktemp -d "TEMP-tidy-state-XXXXXXXXX") -trap "cp ${ORIGINAL_STATE_DIR}/* ./ && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT +trap "cp -p ${ORIGINAL_STATE_DIR}/* ./ && git update-index -q --refresh && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT # capturing original state of files... cp go.mod go.sum "${ORIGINAL_STATE_DIR}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/.github/scripts/json-schema-drift-check.sh new/syft-0.69.1/.github/scripts/json-schema-drift-check.sh --- old/syft-0.69.0/.github/scripts/json-schema-drift-check.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/syft-0.69.1/.github/scripts/json-schema-drift-check.sh 2023-01-31 17:53:16.000000000 +0100 @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +set -u + +if ! git diff-index --quiet HEAD --; then + git diff-index HEAD -- + git --no-pager diff + echo "there are uncommitted changes, please commit them before running this check" + exit 1 +fi + +success=true + +if ! make generate-json-schema; then + echo "Generating json schema failed" + success=false +fi + +if ! git diff-index --quiet HEAD --; then + git diff-index HEAD -- + git --no-pager diff + echo "JSON schema drift detected!" + success=false +fi + +if ! $success; then + exit 1 +fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/.github/workflows/release.yaml new/syft-0.69.1/.github/workflows/release.yaml --- old/syft-0.69.0/.github/workflows/release.yaml 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/.github/workflows/release.yaml 2023-01-31 17:53:16.000000000 +0100 
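Review bot: In the EXIT trap of go-mod-tidy-check.sh, the added `git update-index -q --refresh` sits between the restore and the `rm -fR` in a single `&&` chain, so if it exits non-zero (for example when run outside a work tree) both TEMP-* directories are left behind. The trap body is also double-quoted, so the directory variables are expanded when the trap is set and are unquoted when it runs. Keeping the guard on `cp` but not on the refresh avoids both: `trap 'cp -p "${ORIGINAL_STATE_DIR}"/* ./ && { git update-index -q --refresh || true; rm -fR "${ORIGINAL_STATE_DIR}" "${TIDY_STATE_DIR}"; }' EXIT`. The rest of the script is outside this hunk.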
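Review bot: Both checks in the new json-schema-drift-check.sh use `git diff-index --quiet HEAD --`, which compares tracked paths only, so a file that `make generate-json-schema` creates for the first time would not be reported as drift. Whether the generator can emit a new file is not visible here, but if it can, the second check should also look at untracked files, e.g. `if [ -n "$(git status --porcelain)" ]; then`. Separately, `if ! $success; then` executes the variable's contents as a command; `if [ "$success" != true ]; then` says the same thing without that indirection.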
@@ -9,7 +9,7 @@ - "v*" env: - GO_VERSION: "1.18.x" + GO_VERSION: "1.19.x" jobs: quality-gate: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/.github/workflows/update-bootstrap-tools.yml new/syft-0.69.1/.github/workflows/update-bootstrap-tools.yml --- old/syft-0.69.0/.github/workflows/update-bootstrap-tools.yml 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/.github/workflows/update-bootstrap-tools.yml 2023-01-31 17:53:16.000000000 +0100 @@ -6,7 +6,7 @@ workflow_dispatch: env: - GO_VERSION: "1.18.x" + GO_VERSION: "1.19.x" GO_STABLE_VERSION: true jobs: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/.github/workflows/update-stereoscope-release.yml new/syft-0.69.1/.github/workflows/update-stereoscope-release.yml --- old/syft-0.69.0/.github/workflows/update-stereoscope-release.yml 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/.github/workflows/update-stereoscope-release.yml 2023-01-31 17:53:16.000000000 +0100 @@ -6,7 +6,7 @@ workflow_dispatch: env: - GO_VERSION: "1.18.x" + GO_VERSION: "1.19.x" GO_STABLE_VERSION: true jobs: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/CONTRIBUTING.md new/syft-0.69.1/CONTRIBUTING.md --- old/syft-0.69.0/CONTRIBUTING.md 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/CONTRIBUTING.md 2023-01-31 17:53:16.000000000 +0100 @@ -1,4 +1,4 @@ -# Contributing to Syft +[#](#) Contributing to Syft If you are looking to contribute to this project and want to open a GitHub pull request ("PR"), there are a few guidelines of what we are looking for in patches. Make sure you go through this document and ensure that your code proposal is aligned. 
@@ -10,7 +10,7 @@ You will need to install Go. The version on https://go.dev works best, using the system golang doesn't always work the way you might expect. -At the time of writing, Go 1.19 does not work correctly with Syft. Please use Go 1.18 for now. +Refer to the go.mod file in the root of this repo for the recommended version of Go to install. You will also need Docker. There's no reason the system packages shouldn't work, but we used the official Docker package. You can find instructions for installing Docker in Debian [here](https://docs.docker.com/engine/install/debian/). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/Makefile new/syft-0.69.1/Makefile --- old/syft-0.69.0/Makefile 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/Makefile 2023-01-31 17:53:16.000000000 +0100 @@ -12,7 +12,7 @@ GOSIMPORTS_VERSION := v0.3.5 BOUNCER_VERSION := v0.4.0 CHRONICLE_VERSION := v0.5.1 -GORELEASER_VERSION := v1.14.1 +GORELEASER_VERSION := v1.15.0 YAJSV_VERSION := v1.4.1 COSIGN_VERSION := v1.13.1 QUILL_VERSION := v0.2.0 @@ -132,10 +132,7 @@ check-json-schema-drift: $(call title,Ensure there is no drift between the JSON schema and the code) - @git diff-index --quiet HEAD -- || (echo "there are uncommitted changes, please commit them before running this check" && false) - @make generate-json-schema || (echo "$(RED)$(BOLD)JSON schema drift detected!$(RESET)" && false) - @git diff-index --quiet HEAD -- || (echo "$(RED)$(BOLD)JSON schema drift detected!$(RESET)" && false) - + @.github/scripts/json-schema-drift-check.sh ## Testing targets ################################# diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/go.mod new/syft-0.69.1/go.mod --- old/syft-0.69.0/go.mod 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/go.mod 2023-01-31 17:53:16.000000000 +0100 
@@ -1,6 +1,6 @@ module github.com/anchore/syft -go 1.18 +go 1.19 require ( github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d @@ -31,7 +31,7 @@ github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e github.com/sergi/go-diff v1.3.1 github.com/sirupsen/logrus v1.9.0 - github.com/spdx/tools-golang v0.4.0 + github.com/spdx/tools-golang v0.5.0-rc1 github.com/spf13/afero v1.9.3 github.com/spf13/cobra v1.6.1 github.com/spf13/pflag v1.0.5 @@ -69,6 +69,7 @@ github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.2.0 // indirect github.com/Microsoft/go-winio v0.6.0 // indirect + github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect github.com/containerd/containerd v1.6.12 // indirect github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/go.sum new/syft-0.69.1/go.sum --- old/syft-0.69.0/go.sum 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/go.sum 2023-01-31 17:53:16.000000000 +0100 
@@ -138,6 +138,8 @@ github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8/go.mod h1:+gPap4jha079qzRTUaehv+UZ6sSdaNwkH0D3b6zhTuk= github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU= github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb/go.mod h1:DmTY2Mfcv38hsHbG78xMiTDdxFtkHpgYNVDPsF2TgHk= +github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc= +github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0vW0nnNKJfJieyH/TZ9UYAnTZs5/gHTdAe8= github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ= github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZVsCYMrIZBpFxwV26CbsuoEh5muXD5I1Ods= 
@@ -1046,8 +1048,8 @@ github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM= -github.com/spdx/tools-golang v0.4.0 h1:jdhnW8zYelURCbYTphiviFKZkWu51in0E4A1KT2csP0= -github.com/spdx/tools-golang v0.4.0/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM= +github.com/spdx/tools-golang v0.5.0-rc1 h1:ooCSe48QatlidqEFd+nSI308tyeNTR6NJvauUj3ApX8= +github.com/spdx/tools-golang v0.5.0-rc1/go.mod h1:LI6onw172PdO57Ob/hgnLDD4Y2PMnroeNT3wO/2WJJI= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/syft/formats/common/spdxhelpers/to_format_model.go new/syft-0.69.1/syft/formats/common/spdxhelpers/to_format_model.go --- old/syft-0.69.0/syft/formats/common/spdxhelpers/to_format_model.go 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/syft/formats/common/spdxhelpers/to_format_model.go 2023-01-31 17:53:16.000000000 +0100 @@ -8,8 +8,7 @@ "strings" "time" - "github.com/spdx/tools-golang/spdx/common" - spdx "github.com/spdx/tools-golang/spdx/v2_3" + "github.com/spdx/tools-golang/spdx" "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" @@ -23,7 +22,6 @@ ) const ( - spdxVersion = "SPDX-2.3" noAssertion = "NOASSERTION" ) 
@@ -40,11 +38,11 @@ // for the primary package purpose field: // https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field documentDescribesRelationship := &spdx.Relationship{ - RefA: common.DocElementID{ + RefA: spdx.DocElementID{ ElementRefID: "DOCUMENT", }, Relationship: string(DescribesRelationship), - RefB: common.DocElementID{ + RefB: spdx.DocElementID{ ElementRefID: "DOCUMENT", }, RelationshipComment: "", @@ -55,11 +53,11 @@ return &spdx.Document{ // 6.1: SPDX Version; should be in the format "SPDX-x.x" // Cardinality: mandatory, one - SPDXVersion: spdxVersion, + SPDXVersion: spdx.Version, // 6.2: Data License; should be "CC0-1.0" // Cardinality: mandatory, one - DataLicense: "CC0-1.0", + DataLicense: spdx.DataLicense, // 6.3: SPDX Identifier; should be "DOCUMENT" to represent mandatory identifier of SPDXRef-DOCUMENT // Cardinality: mandatory, one @@ -104,7 +102,7 @@ // 6.8: Creators: may have multiple keys for Person, Organization // and/or Tool // Cardinality: mandatory, one or many - Creators: []common.Creator{ + Creators: []spdx.Creator{ { Creator: "Anchore, Inc", CreatorType: "Organization", @@ -129,7 +127,7 @@ } } -func toSPDXID(identifiable artifact.Identifiable) common.ElementID { +func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID { id := "" if p, ok := identifiable.(pkg.Package); ok { id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID())) @@ -137,7 +135,7 @@ id = string(identifiable.ID()) } // NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here - return common.ElementID(id) + return spdx.ElementID(id) } // packages populates all Package Information from the package Catalog (see https://spdx.github.io/spdx-spec/3-package-information/) 
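Review bot: In the document literal (hunk at -55,11), `SPDXVersion: spdx.Version` and `DataLicense: spdx.DataLicense` now take the emitted values from tools-golang rather than from the local `spdxVersion = "SPDX-2.3"` constant this commit removes. A later dependency upgrade can therefore change the SPDX version the tool declares without any change in this file. The surrounding comments and spec links still refer to v2.3. I would make the coupling visible with a comment on the field such as `// value comes from tools-golang; expected to be "SPDX-2.3", re-check on dependency upgrades`, and with a test asserting the expected string. The enclosing function starts and ends outside the hunk.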
@@ -313,9 +311,9 @@ return results } -func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) { +func toPackageChecksums(p pkg.Package) ([]spdx.Checksum, bool) { filesAnalyzed := false - var checksums []common.Checksum + var checksums []spdx.Checksum switch meta := p.Metadata.(type) { // we generate digest for some Java packages // spdx.github.io/spdx-spec/package-information/#710-package-checksum-field @@ -325,8 +323,8 @@ filesAnalyzed = true for _, digest := range meta.ArchiveDigests { algo := strings.ToUpper(digest.Algorithm) - checksums = append(checksums, common.Checksum{ - Algorithm: common.ChecksumAlgorithm(algo), + checksums = append(checksums, spdx.Checksum{ + Algorithm: spdx.ChecksumAlgorithm(algo), Value: digest.Value, }) } @@ -339,20 +337,20 @@ break } algo = strings.ToUpper(algo) - checksums = append(checksums, common.Checksum{ - Algorithm: common.ChecksumAlgorithm(algo), + checksums = append(checksums, spdx.Checksum{ + Algorithm: spdx.ChecksumAlgorithm(algo), Value: hexStr, }) } return checksums, filesAnalyzed } -func toPackageOriginator(p pkg.Package) *common.Originator { +func toPackageOriginator(p pkg.Package) *spdx.Originator { kind, originator := Originator(p) if kind == "" || originator == "" { return nil } - return &common.Originator{ + return &spdx.Originator{ Originator: originator, OriginatorType: kind, } @@ -386,11 +384,11 @@ } result = append(result, &spdx.Relationship{ - RefA: common.DocElementID{ + RefA: spdx.DocElementID{ ElementRefID: toSPDXID(r.From), }, Relationship: string(relationshipType), - RefB: common.DocElementID{ + RefB: spdx.DocElementID{ ElementRefID: toSPDXID(r.To), }, RelationshipComment: comment, 
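Review bot: In toPackageChecksums (hunks at -325,8 and -339,20), `spdx.ChecksumAlgorithm(algo)` casts whatever algorithm string the package metadata carries, upper-cased, so an unexpected digest name is written into the SPDX document unchecked. The file already has `toChecksumAlgorithm`, which does the same upper-casing for file digests, and the two call sites here repeat it inline. Using `Algorithm: toChecksumAlgorithm(digest.Algorithm),` would leave a single place to reject or log algorithms outside the set the library defines (`spdx.SHA1`, `spdx.SHA256`, and so on). The function body spans several hunks and is not fully visible.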
@@ -462,10 +460,10 @@ return results } -func toFileChecksums(digests []file.Digest) (checksums []common.Checksum) { - checksums = make([]common.Checksum, 0, len(digests)) +func toFileChecksums(digests []file.Digest) (checksums []spdx.Checksum) { + checksums = make([]spdx.Checksum, 0, len(digests)) for _, digest := range digests { - checksums = append(checksums, common.Checksum{ + checksums = append(checksums, spdx.Checksum{ Algorithm: toChecksumAlgorithm(digest.Algorithm), Value: digest.Value, }) @@ -473,9 +471,9 @@ return checksums } -func toChecksumAlgorithm(algorithm string) common.ChecksumAlgorithm { +func toChecksumAlgorithm(algorithm string) spdx.ChecksumAlgorithm { // this needs to be an uppercase version of our algorithm - return common.ChecksumAlgorithm(strings.ToUpper(algorithm)) + return spdx.ChecksumAlgorithm(strings.ToUpper(algorithm)) } func toFileTypes(metadata *source.FileMetadata) (ty []string) { @@ -517,7 +515,7 @@ // f file is an "excludes" file, skip it /* exclude SPDX analysis file(s) */ // see: https://spdx.github.io/spdx-spec/v2.3/package-information/#79-package-verification-code-field // the above link contains the SPDX algorithm for a package verification code -func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *common.PackageVerificationCode { +func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *spdx.PackageVerificationCode { // key off of the contains relationship; // spdx validator will fail if a package claims to contain a file but no sha1 provided // if a sha1 for a file is provided then the validator will fail if the package does not have 
@@ -558,7 +556,7 @@ //nolint:gosec hasher := sha1.New() _, _ = hasher.Write([]byte(b.String())) - return &common.PackageVerificationCode{ + return &spdx.PackageVerificationCode{ // 7.9.1: Package Verification Code Value // Cardinality: mandatory, one Value: fmt.Sprintf("%+x", hasher.Sum(nil)), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/syft/formats/common/spdxhelpers/to_format_model_test.go new/syft-0.69.1/syft/formats/common/spdxhelpers/to_format_model_test.go --- old/syft-0.69.0/syft/formats/common/spdxhelpers/to_format_model_test.go 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/syft/formats/common/spdxhelpers/to_format_model_test.go 2023-01-31 17:53:16.000000000 +0100 @@ -4,8 +4,7 @@ "fmt" "testing" - "github.com/spdx/tools-golang/spdx/common" - spdx "github.com/spdx/tools-golang/spdx/v2_3" + "github.com/spdx/tools-golang/spdx" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -21,7 +20,7 @@ tests := []struct { name string pkg pkg.Package - expected []common.Checksum + expected []spdx.Checksum filesAnalyzed bool }{ { @@ -39,7 +38,7 @@ }, }, }, - expected: []common.Checksum{ + expected: []spdx.Checksum{ { Algorithm: "SHA1", Value: "1234", @@ -57,7 +56,7 @@ ArchiveDigests: []file.Digest{}, }, }, - expected: []common.Checksum{}, + expected: []spdx.Checksum{}, filesAnalyzed: false, }, { @@ -67,7 +66,7 @@ Version: "1.0.0", Language: pkg.Java, }, - expected: []common.Checksum{}, + expected: []spdx.Checksum{}, filesAnalyzed: false, }, { @@ -81,7 +80,7 @@ H1Digest: "h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=", }, }, - expected: []common.Checksum{ + expected: []spdx.Checksum{ { Algorithm: "SHA256", Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c", @@ -97,7 +96,7 @@ Language: pkg.Java, Metadata: struct{}{}, }, - expected: []common.Checksum{}, + expected: []spdx.Checksum{}, filesAnalyzed: false, }, } 
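Review bot: The `//nolint:gosec` above `hasher := sha1.New()` in newPackageVerificationCode (hunk at -558,7) gives no reason, so a reader cannot tell whether SHA-1 is a requirement or an oversight. The function's doc comment links the SPDX 2.3 package verification code algorithm, which prescribes SHA-1, and the suppression should say so: `//nolint:gosec // SHA-1 is prescribed by the SPDX package verification code algorithm; it is not a security control here`. A short note on `_, _ = hasher.Write(...)` that hash writes never return an error would also help. The function body begins before this hunk.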
@@ -229,7 +228,7 @@ tests := []struct { name string digests []file.Digest - expected []common.Checksum + expected []spdx.Checksum }{ { name: "empty", @@ -246,7 +245,7 @@ Value: "meh", }, }, - expected: []common.Checksum{ + expected: []spdx.Checksum{ { Algorithm: "SHA256", Value: "deadbeefcafe", @@ -275,8 +274,8 @@ FileSystemID: "nowhere", } - docElementId := func(identifiable artifact.Identifiable) common.DocElementID { - return common.DocElementID{ + docElementId := func(identifiable artifact.Identifiable) spdx.DocElementID { + return spdx.DocElementID{ ElementRefID: toSPDXID(identifiable), } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/syft/formats/common/spdxhelpers/to_syft_model.go new/syft-0.69.1/syft/formats/common/spdxhelpers/to_syft_model.go --- old/syft-0.69.0/syft/formats/common/spdxhelpers/to_syft_model.go 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/syft/formats/common/spdxhelpers/to_syft_model.go 2023-01-31 17:53:16.000000000 +0100 @@ -6,7 +6,7 @@ "strconv" "strings" - spdx "github.com/spdx/tools-golang/spdx/v2_3" + "github.com/spdx/tools-golang/spdx" "github.com/anchore/packageurl-go" "github.com/anchore/syft/internal/log" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/syft/formats/common/spdxhelpers/to_syft_model_test.go new/syft-0.69.1/syft/formats/common/spdxhelpers/to_syft_model_test.go --- old/syft-0.69.0/syft/formats/common/spdxhelpers/to_syft_model_test.go 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/syft/formats/common/spdxhelpers/to_syft_model_test.go 2023-01-31 17:53:16.000000000 +0100 @@ -3,8 +3,7 @@ import ( "testing" - "github.com/spdx/tools-golang/spdx/common" - spdx "github.com/spdx/tools-golang/spdx/v2_3" + "github.com/spdx/tools-golang/spdx" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" 
@@ -246,9 +245,9 @@ RefType: "purl", }, }, - PackageChecksums: []common.Checksum{ + PackageChecksums: []spdx.Checksum{ { - Algorithm: common.SHA256, + Algorithm: spdx.SHA256, Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c", }, }, @@ -267,9 +266,9 @@ RefType: "purl", }, }, - PackageChecksums: []common.Checksum{ + PackageChecksums: []spdx.Checksum{ { - Algorithm: common.SHA1, + Algorithm: spdx.SHA1, Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c", }, }, @@ -288,9 +287,9 @@ RefType: "purl", }, }, - PackageChecksums: []common.Checksum{ + PackageChecksums: []spdx.Checksum{ { - Algorithm: common.SHA256, + Algorithm: spdx.SHA256, Value: "", }, }, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/syft/formats/spdxjson/decoder.go new/syft-0.69.1/syft/formats/spdxjson/decoder.go --- old/syft-0.69.0/syft/formats/spdxjson/decoder.go 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/syft/formats/spdxjson/decoder.go 2023-01-31 17:53:16.000000000 +0100 @@ -4,14 +4,14 @@ "fmt" "io" - spdx "github.com/spdx/tools-golang/json" + "github.com/spdx/tools-golang/json" "github.com/anchore/syft/syft/formats/common/spdxhelpers" "github.com/anchore/syft/syft/sbom" ) func decoder(reader io.Reader) (s *sbom.SBOM, err error) { - doc, err := spdx.Load2_3(reader) + doc, err := json.Read(reader) if err != nil { return nil, fmt.Errorf("unable to decode spdx-json: %w", err) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/syft/formats/spdxtagvalue/decoder.go new/syft-0.69.1/syft/formats/spdxtagvalue/decoder.go --- old/syft-0.69.0/syft/formats/spdxtagvalue/decoder.go 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/syft/formats/spdxtagvalue/decoder.go 2023-01-31 17:53:16.000000000 +0100 
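Review bot: In syft/formats/spdxjson/decoder.go the import `github.com/spdx/tools-golang/json` is now unaliased, so `json.Read(reader)` reads like a standard-library call and the name `json` is taken if this file ever needs `encoding/json`. An explicit alias such as `toolsjson "github.com/spdx/tools-golang/json"` keeps the origin obvious. The call also moves from `Load2_3` to a version-neutral `Read`; if that accepts more SPDX versions than before, which this hunk does not show, the decoder should carry a comment stating which input versions are expected, since it parses externally supplied SBOM files. The same question applies to `tagvalue.Read` in spdxtagvalue/decoder.go.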
@@ -4,14 +4,14 @@ "fmt" "io" - "github.com/spdx/tools-golang/tvloader" + "github.com/spdx/tools-golang/tagvalue" "github.com/anchore/syft/syft/formats/common/spdxhelpers" "github.com/anchore/syft/syft/sbom" ) func decoder(reader io.Reader) (*sbom.SBOM, error) { - doc, err := tvloader.Load2_3(reader) + doc, err := tagvalue.Read(reader) if err != nil { return nil, fmt.Errorf("unable to decode spdx-tag-value: %w", err) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.69.0/syft/formats/spdxtagvalue/encoder.go new/syft-0.69.1/syft/formats/spdxtagvalue/encoder.go --- old/syft-0.69.0/syft/formats/spdxtagvalue/encoder.go 2023-01-30 19:47:24.000000000 +0100 +++ new/syft-0.69.1/syft/formats/spdxtagvalue/encoder.go 2023-01-31 17:53:16.000000000 +0100 @@ -3,7 +3,7 @@ import ( "io" - "github.com/spdx/tools-golang/tvsaver" + "github.com/spdx/tools-golang/tagvalue" "github.com/anchore/syft/syft/formats/common/spdxhelpers" "github.com/anchore/syft/syft/sbom" @@ -11,5 +11,5 @@ func encoder(output io.Writer, s sbom.SBOM) error { model := spdxhelpers.ToFormatModel(s) - return tvsaver.Save2_3(model, output) + return tagvalue.Write(model, output) } ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/syft/vendor.tar.gz /work/SRC/openSUSE:Factory/.syft.new.32243/vendor.tar.gz differ: char 5, line 1