Update docs for 1.8.0/1.8.1 #1057
Factored out the CVSS Score parsing from the table output into its own function to reuse it in guided remediation. The new function also returns the human-readable rating string ("LOW", "HIGH", etc.) which I will end up using for the interactive guided remediation mode.

I also made some changes to the table output of the scores:

- Always render the scores to 1 decimal place, so `6.0` instead of just `6`
- Display `0.0` if the CVSS score actually evaluates to 0, vs nothing when there is no severity listed
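Illustration of the score handling this PR describes, added to this page as a worked example; it is not osv-scanner's code, and the function names (`ParseCVSS31`, `Rating`, `FormatScore`) are this example's own. It computes the CVSS v3.1 base score from a vector string with the formula from the specification, maps the result onto the standard qualitative scale, and keeps the two rendering cases apart: a vector that genuinely scores 0 renders as `0.0`, while a finding with no severity at all renders as an empty cell. The example assumes severity arrives as a CVSS v3.1 vector; CVSS v2 and v4 are out of scope.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// CVSS v3.1 base metric weights (spec section 7.4). Privileges Required
// weighs differently when Scope is Changed, hence two PR tables.
var (
	weightAV    = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
	weightAC    = map[string]float64{"L": 0.77, "H": 0.44}
	weightUI    = map[string]float64{"N": 0.85, "R": 0.62}
	weightCIA   = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
	weightPRUnc = map[string]float64{"N": 0.85, "L": 0.62, "H": 0.27}
	weightPRChg = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.5}
)

// roundUp is the CVSS v3.1 Roundup function (spec Appendix A): round up to
// one decimal place after first discarding floating-point noise.
func roundUp(x float64) float64 {
	i := math.Round(x * 100000)
	if math.Mod(i, 10000) == 0 {
		return i / 100000
	}
	return (math.Floor(i/10000) + 1) / 10
}

// ParseCVSS31 computes the base score of a CVSS v3.1 vector string. All eight
// base metrics are required; temporal/environmental metrics are ignored.
func ParseCVSS31(vector string) (float64, error) {
	parts := strings.Split(vector, "/")
	if len(parts) < 9 || parts[0] != "CVSS:3.1" {
		return 0, fmt.Errorf("expected a CVSS:3.1 vector with eight base metrics, got %q", vector)
	}
	m := make(map[string]string, len(parts)-1)
	for _, p := range parts[1:] {
		k, v, _ := strings.Cut(p, ":") // a pair without ':' simply fails the lookup below
		m[k] = v
	}
	changed := m["S"] == "C"
	if !changed && m["S"] != "U" {
		return 0, fmt.Errorf("missing or invalid metric S")
	}
	prTable := weightPRUnc
	if changed {
		prTable = weightPRChg
	}
	var err error
	pick := func(table map[string]float64, key string) float64 {
		w, ok := table[m[key]]
		if !ok && err == nil {
			err = fmt.Errorf("missing or invalid metric %s", key)
		}
		return w
	}
	av, ac, pr, ui := pick(weightAV, "AV"), pick(weightAC, "AC"), pick(prTable, "PR"), pick(weightUI, "UI")
	conf, integ, avail := pick(weightCIA, "C"), pick(weightCIA, "I"), pick(weightCIA, "A")
	if err != nil {
		return 0, err
	}
	iss := 1 - (1-conf)*(1-integ)*(1-avail)
	impact := 6.42 * iss
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	if impact <= 0 {
		return 0, nil // C:N/I:N/A:N genuinely scores 0.0, which is not "no severity"
	}
	exploitability := 8.22 * av * ac * pr * ui
	if changed {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

// Rating maps a score onto the CVSS v3.1 qualitative severity rating scale.
func Rating(score float64) string {
	switch {
	case score == 0:
		return "NONE"
	case score < 4:
		return "LOW"
	case score < 7:
		return "MEDIUM"
	case score < 9:
		return "HIGH"
	}
	return "CRITICAL"
}

// FormatScore renders a table cell: always one decimal place, so a genuine 0
// prints as "0.0", and an empty cell only when no severity is listed at all.
func FormatScore(score float64, listed bool) string {
	if !listed {
		return ""
	}
	return fmt.Sprintf("%.1f", score)
}
```

`ParseCVSS31("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")` yields 9.8 and a `CRITICAL` rating, while `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N` yields 0 and must still render as `0.0`; that last case is exactly what a shortcut like "blank the cell when the score is zero" would get wrong, which is why `FormatScore` takes an explicit `listed` flag instead of inferring absence from the value.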
Following on from #765, adds `ComputeRelaxPatches` for generating the possible remediation options after a relock. Also added a new(ish) cache for OSV API requests, which speeds up the above quite a bit.
This is to match the decision made when creating `exit_code_redirect.sh` to not fail if no lockfiles are found. With the reporter the action will still fail when lockfiles are not found, this just updates it so that it will not fail now.
Implementing #766 (comment)

- Created `VulnerabilityClient` interface for OSV queries & to store cache
- Renamed `ResolutionClient` to `DependencyClient`
- Made new `ResolutionClient` struct, that's just both `DependencyClient` and `VulnerabilityClient` together
Add support for parsing package information from `pdm.lock` files used by `pdm`, a package and dependency manager for Python (https://pdm-project.org/latest/)
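As an added example, not the project's parser: a narrow Go reader for the `[[package]]` tables of a `pdm.lock`, run over a constructed lockfile embedded in the block (the package names, versions, summaries and hashes are placeholders). It extracts the two fields a vulnerability scan matches on, and treats a `[[package]]` table missing a name or version as an error, so a malformed lockfile cannot silently drop a dependency from the results.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Package is one pinned dependency read from a pdm.lock file.
type Package struct {
	Name    string
	Version string
}

// SamplePDMLock is a constructed lockfile in the shape pdm writes: a [metadata]
// table followed by one [[package]] table per resolved dependency. Hashes and
// summaries are placeholders.
const SamplePDMLock = `# This file is @generated by PDM.
[metadata]
groups = ["default"]
strategy = ["cross_platform"]
lock_version = "4.4"

[[package]]
name = "certifi"
version = "2023.11.17"
requires_python = ">=3.6"
summary = "placeholder summary"
files = [
    {file = "certifi-2023.11.17-py3-none-any.whl", hash = "sha256:placeholder"},
]

[[package]]
name = "requests"
version = "2.31.0"
requires_python = ">=3.7"
summary = "placeholder summary"
dependencies = [
    "certifi>=2017.4.17",
]
`

// keyValue matches the two top-level keys a scanner needs. Entries inside
// arrays (the files list) start with '{' or '"', so they never match.
var keyValue = regexp.MustCompile(`^(name|version)\s*=\s*"([^"]*)"`)

// ParsePDMLock returns the name and version of every [[package]] table. It is
// a deliberately narrow line-based reader rather than a full TOML parser; a
// table missing either key is reported as an error instead of being skipped,
// so a malformed lockfile cannot silently hide a dependency from the scan.
func ParsePDMLock(content string) ([]Package, error) {
	var pkgs []Package
	var cur *Package
	flush := func() error {
		if cur == nil {
			return nil
		}
		if cur.Name == "" || cur.Version == "" {
			return fmt.Errorf("incomplete [[package]] table: %+v", *cur)
		}
		pkgs = append(pkgs, *cur)
		cur = nil
		return nil
	}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "[[package]]":
			if err := flush(); err != nil {
				return nil, err
			}
			cur = &Package{}
		case strings.HasPrefix(line, "["):
			// any other table header ends the package being read
			if err := flush(); err != nil {
				return nil, err
			}
		case cur != nil:
			if m := keyValue.FindStringSubmatch(line); m != nil {
				if m[1] == "name" {
					cur.Name = m[2]
				} else {
					cur.Version = m[2]
				}
			}
		}
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return pkgs, sc.Err()
}
```

`ParsePDMLock(SamplePDMLock)` returns `certifi 2023.11.17` and `requests 2.31.0`; a lockfile whose `[[package]]` table lacks a `version` line is rejected rather than reported as an unversioned package.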
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| alpine | final | digest | `51b6726` -> `c5b1261` |

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `fd78f2f` -> `a6a7f1f` |
There's a new vulnerability in one of the test packages that's started being picked up.
The datasource and `DependencyClient` for querying the npm registry API directly, instead of relying on deps.dev. Also, parses `.npmrc` configs to allow resolution of requirements from private registries. Practically unchanged from what we had internally, besides a bunch of linting complaints.
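An added example of the `.npmrc` handling this PR describes, written for this page rather than taken from the project; the type and method names (`Config`, `ParseNPMRC`, `RegistryFor`, `TokenFor`) and the sample file are this example's own. It shows the part a resolver must get right for security: route `@scope` packages to their configured registry, expand `${VAR}` tokens from the environment instead of storing secrets in the file, and only attach an `_authToken` to the registry it was configured for, so a private token is never sent to the public registry. The parent-path walk in `TokenFor` mirrors how npm matches credentials keyed by `//host/path/`; treat that as this example's reading of npm's behaviour.

```go
package main

import (
	"bufio"
	"os"
	"strings"
)

// Config is the registry routing and credential data a resolver needs from .npmrc.
type Config struct {
	DefaultRegistry string            // "registry=" (npm's public registry if unset)
	ScopeRegistry   map[string]string // "@scope:registry=" entries
	AuthTokens      map[string]string // "//host/path/:_authToken=" entries, keyed by "//host/path/"
}

// SampleNPMRC is a constructed .npmrc: the public registry for unscoped
// packages, a private registry for the @acme scope, and a token that is read
// from the environment so the secret never lands in the file itself.
const SampleNPMRC = `; constructed example, not a real configuration
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.example/
//npm.acme.example/:_authToken=${ACME_NPM_TOKEN}
`

func ensureSlash(u string) string {
	if strings.HasSuffix(u, "/") {
		return u
	}
	return u + "/"
}

// ParseNPMRC reads the ini-style .npmrc format. ${VAR} references in values
// are expanded through lookup; in production pass os.Getenv.
func ParseNPMRC(content string, lookup func(string) string) Config {
	cfg := Config{
		DefaultRegistry: "https://registry.npmjs.org/",
		ScopeRegistry:   map[string]string{},
		AuthTokens:      map[string]string{},
	}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		key, val = strings.TrimSpace(key), os.Expand(strings.TrimSpace(val), lookup)
		switch {
		case key == "registry":
			cfg.DefaultRegistry = ensureSlash(val)
		case strings.HasPrefix(key, "@") && strings.HasSuffix(key, ":registry"):
			cfg.ScopeRegistry[strings.TrimSuffix(key, ":registry")] = ensureSlash(val)
		case strings.HasPrefix(key, "//") && strings.HasSuffix(key, ":_authToken"):
			cfg.AuthTokens[ensureSlash(strings.TrimSuffix(key, ":_authToken"))] = val
		}
	}
	return cfg
}

// RegistryFor picks the registry a package must be resolved against: the
// scope's registry when one is configured, otherwise the default.
func (c Config) RegistryFor(pkg string) string {
	if scope, _, ok := strings.Cut(pkg, "/"); ok && strings.HasPrefix(scope, "@") {
		if r, ok := c.ScopeRegistry[scope]; ok {
			return r
		}
	}
	return c.DefaultRegistry
}

// TokenFor returns the credential for a registry URL. npm stores credentials
// under the URL minus its scheme ("//host/path/"), and a token configured for
// a parent path also covers its sub-paths, so the lookup walks up the path.
// ok=false for the public registry is the case that matters: a private token
// must never be attached to a request bound for some other host.
func (c Config) TokenFor(registry string) (token string, ok bool) {
	_, rest, found := strings.Cut(registry, "//")
	if !found {
		return "", false
	}
	key := "//" + ensureSlash(rest)
	for {
		if tok, ok := c.AuthTokens[key]; ok && tok != "" {
			return tok, true
		}
		trimmed := strings.TrimSuffix(key, "/")
		idx := strings.LastIndex(trimmed, "/")
		if idx < 2 { // down to "//host": nothing left to strip
			return "", false
		}
		key = trimmed[:idx+1]
	}
}
```

With `ACME_NPM_TOKEN` set, `@acme/widgets` resolves against `https://npm.acme.example/` and gets the token, `lodash` resolves against the public registry and gets none, and an unset variable expands to an empty string that `TokenFor` refuses to treat as a credential rather than sending a blank bearer token.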
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [deps.dev/api/v3alpha](https://github.com/google/deps.dev) | require | digest | `00b51ef` -> `c339c64` |
| [deps.dev/util/resolve](https://github.com/google/deps.dev) | require | digest | `00b51ef` -> `c339c64` |
| [deps.dev/util/semver](https://github.com/google/deps.dev) | require | digest | `1e316b8` -> `c339c64` |
| [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) | require | minor | `v0.4.12` -> `v0.5.2` |
| [github.com/ianlancetaylor/demangle](https://github.com/ianlancetaylor/demangle) | require | digest | `964b1d5` -> `1f824a1` |
| [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) | require | patch | `v6.5.3` -> `v6.5.4` |
| [go](https://go.dev/) ([source](https://github.com/golang/go)) | golang | patch | `1.21.5` -> `1.21.6` |
| golang.org/x/exp | require | digest | `1b97071` -> `2c58cdc` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | require | minor | `v1.60.1` -> `v1.61.0` |
| [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) | require | minor | `v1.31.0` -> `v1.32.0` |

### Release Notes

<details>
<summary>gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)</summary>

### [`v0.5.2`](https://github.com/gkampitakis/go-snaps/compare/v0.5.1...v0.5.2)

[Compare Source](https://github.com/gkampitakis/go-snaps/compare/v0.5.1...v0.5.2)

### [`v0.5.1`](https://github.com/gkampitakis/go-snaps/releases/tag/v0.5.1)

[Compare Source](https://github.com/gkampitakis/go-snaps/compare/v0.5.0...v0.5.1)

#### What's Changed

- fix: replace `Print` with `Println` by [@G-Rath](https://github.com/G-Rath) in [https://github.com/gkampitakis/go-snaps/pull/94](https://github.com/gkampitakis/go-snaps/pull/94)

**Full Changelog**: gkampitakis/go-snaps@v0.5.0...v0.5.1

### [`v0.5.0`](https://github.com/gkampitakis/go-snaps/releases/tag/v0.5.0)

[Compare Source](https://github.com/gkampitakis/go-snaps/compare/v0.4.12...v0.5.0)

#### What's Changed

- docs: improve readme code formatting and grammar by [@G-Rath](https://github.com/G-Rath) in [https://github.com/gkampitakis/go-snaps/pull/85](https://github.com/gkampitakis/go-snaps/pull/85)
- docs: improve `TestMain` references by [@G-Rath](https://github.com/G-Rath) in [https://github.com/gkampitakis/go-snaps/pull/86](https://github.com/gkampitakis/go-snaps/pull/86)
- chore(docs): minor improvements by [@gkampitakis](https://github.com/gkampitakis) in [https://github.com/gkampitakis/go-snaps/pull/89](https://github.com/gkampitakis/go-snaps/pull/89)
- chore: clean up test mocks and change getTestID param order by [@gkampitakis](https://github.com/gkampitakis) in [https://github.com/gkampitakis/go-snaps/pull/92](https://github.com/gkampitakis/go-snaps/pull/92)
- feat: don't create multiple snapshots when -test.count>1 by [@gkampitakis](https://github.com/gkampitakis) in [https://github.com/gkampitakis/go-snaps/pull/90](https://github.com/gkampitakis/go-snaps/pull/90)

#### Breaking changes ❗

On `v0.5.0` when running tests with `test.count>1` flag a call to create a snapshot will not create multiple instances of the same snapshot, but it will create the snapshot once and then subsequent execution will test against that snapshot. Look at issue [https://github.com/gkampitakis/go-snaps/issues/87](https://github.com/gkampitakis/go-snaps/issues/87)

#### New Contributors

- [@G-Rath](https://github.com/G-Rath) made their first contribution in [https://github.com/gkampitakis/go-snaps/pull/85](https://github.com/gkampitakis/go-snaps/pull/85)

**Full Changelog**: gkampitakis/go-snaps@v0.4.12...v0.5.0

</details>

<details>
<summary>jedib0t/go-pretty (github.com/jedib0t/go-pretty/v6)</summary>

### [`v6.5.4`](https://github.com/jedib0t/go-pretty/releases/tag/v6.5.4)

[Compare Source](https://github.com/jedib0t/go-pretty/compare/v6.5.3...v6.5.4)

#### What's Changed

- table: fix SuppressTrailingSpaces removing spaces from the beginning by [@ilya-lesikov](https://github.com/ilya-lesikov) in [https://github.com/jedib0t/go-pretty/pull/295](https://github.com/jedib0t/go-pretty/pull/295)
- table: fix documentation for merges by [@jedib0t](https://github.com/jedib0t) in [https://github.com/jedib0t/go-pretty/pull/296](https://github.com/jedib0t/go-pretty/pull/296)

#### New Contributors

- [@ilya-lesikov](https://github.com/ilya-lesikov) made their first contribution in [https://github.com/jedib0t/go-pretty/pull/295](https://github.com/jedib0t/go-pretty/pull/295)

**Full Changelog**: jedib0t/go-pretty@v6.5.3...v6.5.4

</details>

<details>
<summary>golang/go (go)</summary>

### [`v1.21.6`](https://github.com/golang/go/compare/go1.21.5...go1.21.6)

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.61.0`](https://github.com/grpc/grpc-go/releases/tag/v1.61.0): Release 1.61.0

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.60.1...v1.61.0)

### New Features

- resolver: provide method, `AuthorityOverrider`, to allow resolver.Builders to override the default authority for a `ClientConn`. (EXPERIMENTAL) ([#6752](https://github.com/grpc/grpc-go/issues/6752))
  - Special Thanks: [@Aditya-Sood](https://github.com/Aditya-Sood)
- xds: add support for mTLS Credentials in xDS bootstrap ([gRFC A65](github.com/grpc/proposal/blob/8c31bfedded5f0a51c4933e9e9a8246122f9c41a/A65-xds-mtls-creds-in-bootstrap.md)) ([#6757](https://github.com/grpc/grpc-go/issues/6757))
  - Special Thanks: [@atollena](https://github.com/atollena)
- server: add `grpc.WaitForHandlers` `ServerOption` to cause `Server.Stop` to block until method handlers return. (EXPERIMENTAL) ([#6922](https://github.com/grpc/grpc-go/issues/6922))

### Performance Improvements

- grpc: skip compression of empty messages as an optimization ([#6842](https://github.com/grpc/grpc-go/issues/6842))
  - Special Thanks: [@jroper](https://github.com/jroper)
- orca: use atomic pointer to improve performance in server metrics recorder ([#6799](https://github.com/grpc/grpc-go/issues/6799))
  - Special Thanks: [@danielzhaotongliu](https://github.com/danielzhaotongliu)

### Bug Fixes

- client: correctly enable TCP keepalives with OS defaults on windows ([#6863](https://github.com/grpc/grpc-go/issues/6863))
  - Special Thanks: [@mmatczuk](https://github.com/mmatczuk)
- server: change some stream operations to return `UNAVAILABLE` instead of `UNKNOWN` when underlying connection is broken ([#6891](https://github.com/grpc/grpc-go/issues/6891))
  - Special Thanks: [@mustafasen81](https://github.com/mustafasen81)
- server: fix `GracefulStop` to block until all method handlers return (v1.60 regression). ([#6922](https://github.com/grpc/grpc-go/issues/6922))
- server: fix two bugs that could lead to panics at shutdown when using [`NumStreamWorkers`](https://pkg.go.dev/google.golang.org/grpc#NumStreamWorkers) (EXPERIMENTAL). ([#6856](https://github.com/grpc/grpc-go/issues/6856))
- reflection: do not send invalid descriptors to clients for files that cannot be fully resolved ([#6771](https://github.com/grpc/grpc-go/issues/6771))
  - Special Thanks: [@jhump](https://github.com/jhump)
- xds: don't fail channel/server startup when xds creds is specified, but bootstrap is missing certificate providers ([#6848](https://github.com/grpc/grpc-go/issues/6848))
- xds: Atomically read and write xDS security configuration client side ([#6796](https://github.com/grpc/grpc-go/issues/6796))
- xds/server: fix RDS handling for non-inline route configs ([#6915](https://github.com/grpc/grpc-go/issues/6915))

</details>

<details>
<summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary>

### [`v1.32.0`](https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)

[Compare Source](https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)

**Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [https://github.com/golang/protobuf/issues/1583](https://github.com/golang/protobuf/issues/1583) and [https://github.com/golang/protobuf/issues/1584](https://github.com/golang/protobuf/issues/1584) for details.

</details>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | action | minor | `v4.2.0` -> `v4.3.1` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | action | patch | `v3.1.4` -> `v3.1.6` |
| [github/codeql-action](https://github.com/github/codeql-action) | action | minor | `v3.23.1` -> `v3.24.0` |

### Release Notes

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v4.3.1`](https://github.com/actions/upload-artifact/releases/tag/v4.3.1)

[Compare Source](https://github.com/actions/upload-artifact/compare/v4.3.0...v4.3.1)

- Bump [@actions/artifacts](https://github.com/actions/artifacts) to latest version to include [updated GHES host check](https://github.com/actions/toolkit/pull/1648)

### [`v4.3.0`](https://github.com/actions/upload-artifact/releases/tag/v4.3.0)

[Compare Source](https://github.com/actions/upload-artifact/compare/v4.2.0...v4.3.0)

##### What's Changed

- Reorganize upload code in prep for merge logic & add more tests by [@robherley](https://github.com/robherley) in [https://github.com/actions/upload-artifact/pull/504](https://github.com/actions/upload-artifact/pull/504)
- Add sub-action to merge artifacts by [@robherley](https://github.com/robherley) in [https://github.com/actions/upload-artifact/pull/505](https://github.com/actions/upload-artifact/pull/505)

**Full Changelog**: actions/upload-artifact@v4...v4.3.0

</details>

<details>
<summary>codecov/codecov-action (codecov/codecov-action)</summary>

### [`v3.1.6`](https://github.com/codecov/codecov-action/releases/tag/v3.1.6)

[Compare Source](https://github.com/codecov/codecov-action/compare/v3.1.5...v3.1.6)

**Full Changelog**: codecov/codecov-action@v3.1.5...v3.1.6

### [`v3.1.5`](https://github.com/codecov/codecov-action/releases/tag/v3.1.5)

[Compare Source](https://github.com/codecov/codecov-action/compare/v3.1.4...v3.1.5)

#### What's Changed

- action.yml: Update to Node.js 20 by [@hallabro](https://github.com/hallabro) in [https://github.com/codecov/codecov-action/pull/1228](https://github.com/codecov/codecov-action/pull/1228)

#### New Contributors

- [@hallabro](https://github.com/hallabro) made their first contribution in [https://github.com/codecov/codecov-action/pull/1228](https://github.com/codecov/codecov-action/pull/1228)

**Full Changelog**: codecov/codecov-action@v3.1.4...v3.1.5

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.24.0`](https://github.com/github/codeql-action/compare/v3.23.2...v3.24.0)

[Compare Source](https://github.com/github/codeql-action/compare/v3.23.2...v3.24.0)

### [`v3.23.2`](https://github.com/github/codeql-action/compare/v3.23.1...v3.23.2)

[Compare Source](https://github.com/github/codeql-action/compare/v3.23.1...v3.23.2)

</details>
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.15.5 to 1.16.2.

<details>
<summary>Release notes</summary>

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

> ## v1.16.2 / 2024-02-04
>
> ### Security
>
> - [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See [GHSA-xc9x-jj77-9p9j](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j) for more information.
>
> ### Dependencies
>
> - [CRuby] Vendored libxml2 is updated to [v2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from v2.12.4. ([@flavorjones](https://github.com/flavorjones))
>
> ---
>
> sha256 checksums:
>
> ```
> 69ba15d2a2498324489ed63850997f0b8f684260114ea81116d3082f16551d2d nokogiri-1.16.2-aarch64-linux.gem
> 6a05ce42e3587a40cf8936ece0beaa5d32922254215d2e8cf9ad40588bb42e57 nokogiri-1.16.2-arm-linux.gem
> c957226c8e36b31be6a3afb8602e2128282bf8b40ea51016c4cd21aa2608d3f8 nokogiri-1.16.2-arm64-darwin.gem
> 122652bfc338cd8a54a692ac035e245e41fd3b8283299202ca26e7a7d50db310 nokogiri-1.16.2-java.gem
> 7344b5072ca69fc5bedb61cb01a3b765b93a27aae5a2a845c2ba7200e4345074 nokogiri-1.16.2-x64-mingw-ucrt.gem
> a2a5e184a424111a0d5b77947986484920ad708009c667f061e8d02035c562dd nokogiri-1.16.2-x64-mingw32.gem
> 833efddeb51a6c2c9f6356295623c2b2e0d50050d468695c59bd929162953323 nokogiri-1.16.2-x86-linux.gem
> e67fc0418dffaff9dc8b1dc65f0605282c3fee9488832d0223b620b4319e0b53 nokogiri-1.16.2-x86-mingw32.gem
> 5def799e5f139f21a79d7cf71172313a7b6fb0e4b2a31ab9bd5d4ad305994539 nokogiri-1.16.2-x86_64-darwin.gem
> 5b146240ac6ec6c40fd4367623e74442bca45a542bd3282b1d4d18b07b8e5dfe nokogiri-1.16.2-x86_64-linux.gem
> 68922ee5cde27497d995c46f2821957bae961947644eed2822d173daf7567f9c nokogiri-1.16.2.gem
> ```
>
> ## v1.16.1 / 2024-02-03
>
> ### Dependencies
>
> - [CRuby] Vendored libxml2 is updated to [v2.12.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.4) from v2.12.3. ([@flavorjones](https://github.com/flavorjones))
>
> ### Fixed
>
> - [CRuby] `XML::Reader` defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. [#2891](https://redirect.github.com/sparklemotion/nokogiri/issues/2891) ([@flavorjones](https://github.com/flavorjones))
> - [CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9aee). [#3090](https://redirect.github.com/sparklemotion/nokogiri/issues/3090) ([@adfoster-r7](https://github.com/adfoster-r7))
> - [CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, [#3116](https://redirect.github.com/sparklemotion/nokogiri/issues/3116)] ([@flavorjones](https://github.com/flavorjones))
> - [CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, [#3100](https://redirect.github.com/sparklemotion/nokogiri/issues/3100)] ([@stevecheckoway](https://github.com/stevecheckoway))
>
> ---
>
> sha256 checksums:
>
> ```
> a541f35e5b9798a0c97300f9ee18f4217da2a2945a6d5499e4123b9018f9cafc nokogiri-1.16.1-aarch64-linux.gem
> 6b82affd195000ab2f9c36cc08744ec2d2fcf6d8da88d59a2db67e83211f7c69 nokogiri-1.16.1-arm-linux.gem
> ```
>
> ... (truncated)

</details>

<details>
<summary>Changelog</summary>

*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md).*

> ## v1.16.2 / 2024-02-04
>
> ### Security
>
> - [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See [GHSA-xc9x-jj77-9p9j](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j) for more information.
>
> ### Dependencies
>
> - [CRuby] Vendored libxml2 is updated to [v2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from v2.12.4. ([@flavorjones](https://github.com/flavorjones))
>
> ## v1.16.1 / 2024-02-03
>
> ### Dependencies
>
> - [CRuby] Vendored libxml2 is updated to [v2.12.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.4) from v2.12.3. ([@flavorjones](https://github.com/flavorjones))
>
> ### Fixed
>
> - [CRuby] `XML::Reader` defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. [#2891](https://redirect.github.com/sparklemotion/nokogiri/issues/2891) ([@flavorjones](https://github.com/flavorjones))
> - [CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9aee). [#3090](https://redirect.github.com/sparklemotion/nokogiri/issues/3090) ([@adfoster-r7](https://github.com/adfoster-r7))
> - [CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, [#3116](https://redirect.github.com/sparklemotion/nokogiri/issues/3116)] ([@flavorjones](https://github.com/flavorjones))
> - [CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, [#3100](https://redirect.github.com/sparklemotion/nokogiri/issues/3100)] ([@stevecheckoway](https://github.com/stevecheckoway))
>
> ## v1.16.0 / 2023-12-27
>
> ### Notable Changes
>
> #### Ruby
>
> This release introduces native gem support for Ruby 3.3.
>
> This release ends support for Ruby 2.7, for which [upstream support ended 2023-03-31](https://www.ruby-lang.org/en/downloads/branches/).
>
> #### Pattern matching
>
> This version marks *official support* for the pattern matching API in `XML::Attr`, `XML::Document`, `XML::DocumentFragment`, `XML::Namespace`, `XML::Node`, and `XML::NodeSet` (and their subclasses), originally introduced as an experimental feature in v1.14.0. ([@flavorjones](https://github.com/flavorjones))
>
> Documentation on what can be matched:
>
> - [`XML::Attr#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Attr.html?h=deconstruct#method-i-deconstruct_keys)
> - [`XML::Document#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Document.html?h=deconstruct#method-i-deconstruct_keys)
> - [`XML::Namespace#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Namespace.html?h=deconstruct+namespace#method-i-deconstruct_keys)
> - [`XML::Node#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html?h=deconstruct#method-i-deconstruct_keys)
> - [`XML::DocumentFragment#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/DocumentFragment.html?h=deconstruct#method-i-deconstruct)
> - [`XML::NodeSet#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/NodeSet.html?h=deconstruct#method-i-deconstruct)
>
> ... (truncated)

</details>

<details>
<summary>Commits</summary>

- [`673756f`](https://github.com/sparklemotion/nokogiri/commit/673756fdd69d1036874b7d7250cc38a51fd4d7b8) version bump to v1.16.2
- [`74ffd67`](https://github.com/sparklemotion/nokogiri/commit/74ffd67a8efb9972657e5c4625fd8419bbccbe06) dep: update libxml to 2.12.5 (branch v1.16.x) ([#3122](https://redirect.github.com/sparklemotion/nokogiri/issues/3122))
- [`0d4018d`](https://github.com/sparklemotion/nokogiri/commit/0d4018dc7009580659c101fc41efb3babcfec229) dep: update libxml2 to v2.12.5
- [`f33a25f`](https://github.com/sparklemotion/nokogiri/commit/f33a25f4378df33912ebc6b4ebc0f9e8e80ddfa8) dep: remove patch from [#3112](https://redirect.github.com/sparklemotion/nokogiri/issues/3112) which has been released upstream
- [`e994168`](https://github.com/sparklemotion/nokogiri/commit/e99416896a182bc520a7940bbe286ec33597ab2b) version bump to v1.16.1
- [`77ea2f2`](https://github.com/sparklemotion/nokogiri/commit/77ea2f228c20e79c848ca2906813ea5b5010281b) dev: add files to manifest ignore list
- [`756f27c`](https://github.com/sparklemotion/nokogiri/commit/756f27c6b7a23294d84bdcca5e03a639d0dd7421) build(deps): bump actions/{download,upload}-artifact from 3 to 4
- [`464f8d4`](https://github.com/sparklemotion/nokogiri/commit/464f8d41eb73ca9c6dae0b366afcf5f4e8bff342) .gitignore: clangd-related files
- [`2beeb96`](https://github.com/sparklemotion/nokogiri/commit/2beeb960691df28dd5ebf828192c65b60250670f) doc: update CHANGELOG
- [`a26536d`](https://github.com/sparklemotion/nokogiri/commit/a26536d7a41fd40c52940e165bb5a4f6b4c39662) fix: apply upstream patch for in-context parsing ([#3116](https://redirect.github.com/sparklemotion/nokogiri/issues/3116))
- Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.15.5...v1.16.2)

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Adds the lockfile parsing for in-place updating. Code is mostly unchanged from what exists internally, mostly just split it up into multiple files. I've reused and added to the existing (public) npm structs, but this shouldn't impact the scan action.
Adding in-place update computation, for finding 'drop-in' fixes of vulns in indirect dependencies. I did end up rewriting a lot of this, so I'd appreciate a more thorough review of this PR. Something to note for the future: unlike what happens internally, the returned patches can be incompatible with each other (i.e. could possibly suggest two different versions for the same package). I'll need to make sure the caller handles this possibility.
Just the `osv-scanner fix` flag parsing, the command itself doesn't do anything. I'd appreciate opinions on the naming/aliasing of the flags.
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://github.com/github/codeql-action) | action | patch | `v3.24.0` -> `v3.24.1` |
| [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | action | patch | `v3.7.0` -> `v3.7.1` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.24.1`](https://github.com/github/codeql-action/compare/v3.24.0...v3.24.1)

[Compare Source](https://github.com/github/codeql-action/compare/v3.24.0...v3.24.1)

</details>

<details>
<summary>golangci/golangci-lint-action (golangci/golangci-lint-action)</summary>

### [`v3.7.1`](https://github.com/golangci/golangci-lint-action/compare/v3.7.0...v3.7.1)

[Compare Source](https://github.com/golangci/golangci-lint-action/compare/v3.7.0...v3.7.1)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
This PR contains the following updates:

| Package | Change |
|---|---|
| [github-pages](https://github.com/github/pages-gem) | `"~> 228"` -> `"~> 230"` |

---

### Release Notes

<details>
<summary>github/pages-gem (github-pages)</summary>

### [`v230`](https://github.com/github/pages-gem/releases/tag/v230)

[Compare Source](https://github.com/github/pages-gem/compare/v229...v230)

#### What's Changed

- Bump docker/login-action from 2 to 3 by [@dependabot](https://github.com/dependabot) in https://github.com/github/pages-gem/pull/907
- Bump docker/build-push-action from 4 to 5 by [@dependabot](https://github.com/dependabot) in https://github.com/github/pages-gem/pull/905
- Bump docker/setup-buildx-action from 2 to 3 by [@dependabot](https://github.com/dependabot) in https://github.com/github/pages-gem/pull/906
- Bump Jekyll to 3.9.5 by [@yoannchaudet](https://github.com/yoannchaudet) in https://github.com/github/pages-gem/pull/908

**Full Changelog**: github/pages-gem@v229...v230

### [`v229`](https://github.com/github/pages-gem/releases/tag/v229)

[Compare Source](https://github.com/github/pages-gem/compare/v228...v229)

#### What's Changed

- Bump docker/metadata-action from 4 to 5 by [@dependabot](https://github.com/dependabot) in https://github.com/github/pages-gem/pull/889
- Bump actions/checkout from 3 to 4 by [@dependabot](https://github.com/dependabot) in https://github.com/github/pages-gem/pull/888
- Fixes `$github-pages health-check` NoMethodError by [@edward](https://github.com/edward) in https://github.com/github/pages-gem/pull/878
- Support Ruby 3.2+, fixes [#879](https://github.com/github/pages-gem/issues/879) by [@fulldecent](https://github.com/fulldecent) in https://github.com/github/pages-gem/pull/880
- Create publish-gem.yml by [@tsusdere](https://github.com/tsusdere) in https://github.com/github/pages-gem/pull/898
- Bump actions/checkout from 3 to 4 by [@dependabot](https://github.com/dependabot) in https://github.com/github/pages-gem/pull/900
- Enable multi arch docker image build by [@rngtng](https://github.com/rngtng) in https://github.com/github/pages-gem/pull/884
- Bring back proper support for Ruby 3.x by [@yoannchaudet](https://github.com/yoannchaudet) in https://github.com/github/pages-gem/pull/901
- Bump dependencies (patch and minor only) by [@yoannchaudet](https://github.com/yoannchaudet) in https://github.com/github/pages-gem/pull/902
- Fix release script by [@yoannchaudet](https://github.com/yoannchaudet) in https://github.com/github/pages-gem/pull/903
- Another publish script fix by [@yoannchaudet](https://github.com/yoannchaudet) in https://github.com/github/pages-gem/pull/904

#### New Contributors

- [@edward](https://github.com/edward) made their first contribution in https://github.com/github/pages-gem/pull/878
- [@fulldecent](https://github.com/fulldecent) made their first contribution in https://github.com/github/pages-gem/pull/880
- [@tsusdere](https://github.com/tsusdere) made their first contribution in https://github.com/github/pages-gem/pull/898
- [@rngtng](https://github.com/rngtng) made their first contribution in https://github.com/github/pages-gem/pull/884

**Full Changelog**: github/pages-gem@v228...v229

</details>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [deps.dev/api/v3alpha](https://github.com/google/deps.dev) | require | digest | `c339c64` -> `1729b62` |
| [deps.dev/util/resolve](https://github.com/google/deps.dev) | require | digest | `c339c64` -> `1729b62` |
| [deps.dev/util/semver](https://github.com/google/deps.dev) | require | digest | `c339c64` -> `1729b62` |
| [go](https://go.dev/) ([source](https://github.com/golang/go)) | golang | minor | `1.21.6` -> `1.22.0` |
| golang.org/x/exp | require | digest | `2c58cdc` -> `ec58324` |
| golang.org/x/mod | require | minor | `v0.14.0` -> `v0.15.0` |
| golang.org/x/term | require | minor | `v0.16.0` -> `v0.17.0` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | require | patch | `v1.61.0` -> `v1.61.1` |

---

### Release Notes

<details>
<summary>golang/go (go)</summary>

### [`v1.22.0`](https://github.com/golang/go/compare/go1.21.7...go1.22rc1)

### [`v1.21.7`](https://github.com/golang/go/compare/go1.21.6...go1.21.7)

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.61.1`](https://github.com/grpc/grpc-go/releases/tag/v1.61.1): Release 1.61.1

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.61.0...v1.61.1)

### Bug Fixes

- server: wait to close connection until incoming socket is drained (with timeout) to prevent data loss on client-side ([#6977](https://github.com/grpc/grpc-go/issues/6977))
  - Special Thanks: [@s-matyukevich](https://github.com/s-matyukevich) for discovering the root cause

</details>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `a6a7f1f` -> `8e96e6c` |
Adds the `osv-scanner/[VERSION]` user agent to the grpc requests going to the deps.dev API. I thought it'd be nice for deps.dev to be able to see which traffic is coming from license scanning and guided remediation. CC: @josieang
Update main with new docs updates.

---------

Signed-off-by: Hayley Denbraver <[email protected]>
Co-authored-by: Hayley Denbraver <[email protected]>
Co-authored-by: josieang <[email protected]>
Co-authored-by: Giovanni Bozzano <[email protected]>
Co-authored-by: Xueqin Cui <[email protected]>
Co-authored-by: Gareth Jones <[email protected]>
Co-authored-by: Mend Renovate <[email protected]>
Co-authored-by: Jahan Chaware <[email protected]>
Co-authored-by: Holly Gong <[email protected]>
It actually can be used now 🎉 This is basically re-written from the internal equivalent, but it should be functionally similar. Probably will end up extracting some code to use with the interactive code when I end up needing it. imo, non-interactive mode is currently too opaque to be generally useful - there's no indication of what vulnerabilities exist and which get fixed.
PoC of container scanning using stereoscope. The feature is currently behind the `--experimental-oci-image` flag.
The final part to open source 🎉 I really want to spend some time refactoring all of this, but it's probably better to get this out there sooner rather than later. To help with reviewing, the first commit (e366995) is basically a direct copy-paste from the internal code, with things only renamed to the new counterparts in osv-scanner - it should all already have been reviewed. [You can see new things to review by comparing the other commits against that first one.](https://github.com/google/osv-scanner/pull/811/files/e3669953445e7744b08dc079f92d3fc990150296..HEAD)
This PR adds the implementation for the Maven version suggester:

- The latest version of the specified package is returned based on the given options.
- A version range requirement will be replaced with the latest version if this version does not satisfy the constraint.
- Major updates can be ignored with option `NoMajorUpdates` set to true.
The package name is now `suggester`.
This PR adds the implementation to read and write Maven manifest file (pom.xml) for automated updates:

- Read: parse pom.xml and convert `maven.Project` to `Manifest`
- Write: update pom.xml with the given `ManifestPatch`

This is the internally reviewed version.
I've used the `dep.Dev` type in the in-place parsed graph to flag dev dependencies. Ideally, I'd also be able to do the same with the relock graph; it's just that the npm resolver does not resolve any dev dependencies.
lipgloss v0.11.0 made it so that all the `Style` methods no longer mutate the style, which I was relying on.
There are two places that we call `mergeParents()`:

- Merging data from parent pom.xml files
- Importing dependency management from another project

In `mergeParents()`, we first check if `relativePath` is defined to know if we can parse parent locally. However, this only applies for the first case but not for importing dependency management. Also, once we start fetching parent pom.xml from upstream, we should no longer parse locally.

This PR adds `allowLocal` to `mergeParents()` to specify if we allow parsing local parent pom.xml, and once a parent is fetched from upstream, `allowLocal` is set to false.

---------

Co-authored-by: Rex P <[email protected]>
I'd like feedback on the config yaml schema, the filter message and its behaviour if the version is empty (it filters any version of that package). This is in response to #814
The base docker images are pinned to go 1.21. With 8fd553a, this breaks the GitHub reusable workflows. This PR pins the images to [the official 1.21.11 one](https://hub.docker.com/layers/library/golang/1.21.11-alpine3.19/images/sha256-6c5f76c897971f1b6ff0e447941440889016b18805812660a83b5275e862298d?context=explore). This should fix the issue.
#531 This PR merges parent pom.xml by parsing locally or fetching from upstream (Maven Central for now). When merging a parent pom.xml, only `pom` packaging is allowed. Once we fetch a parent from upstream, parsing from local is no longer allowed. The project is also interpolated to get rid of properties, and dependencies are also processed (dedup and import).
Updates/Adds Go patch version to docs
Add go binary scanning extractor, and use it in image scanning. This shows quite a few false positives that can be resolved with call analysis, which will be implemented in a followup PR.
Remove busybox from alpine SBOM to get a more consistent unit test.
Update `deps.dev` dependencies to make sure we are using the latest version of Maven resolver
This is a short-term solution to unblock the workflow.
Currently flags `experimental-offline` and `experimental-local-db` are confusing sometimes. This PR renames `experimental-local-db` to `experimental-download-database` to make it more explicit whether to download the database or not. For now, `experimental-download-database` only works when `experimental-offline` is set. `internal/local` is also modified to reflect the change in the naming and meaning of this flag.
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | action | major | `v5.1.0` -> `v6.0.0` |

---

### Release Notes

<details>
<summary>goreleaser/goreleaser-action (goreleaser/goreleaser-action)</summary>

### [`v6.0.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.0.0)

[Compare Source](https://github.com/goreleaser/goreleaser-action/compare/v5.1.0...v6.0.0)

> \[!WARNING]
> **This is a breaking change!**
>
> Follow the instructions [here](https://goreleaser.com/blog/goreleaser-v2/#upgrading) to upgrade!

#### What's Changed

- feat!: use "~> v2" as default by [@caarlos0](https://github.com/caarlos0) in https://github.com/goreleaser/goreleaser-action/pull/463

**Full Changelog**: goreleaser/goreleaser-action@v5...v6.0.0

</details>
This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency versions.
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | minor | `1.21.11-alpine3.19` -> `1.22.4-alpine3.19` |
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action | patch | `v4.1.6` -> `v4.1.7` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | action | minor | `v4.4.1` -> `v4.5.0` |
| [github/codeql-action](https://github.com/github/codeql-action) | action | patch | `v3.25.8` -> `v3.25.10` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v4.1.7`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417)

[Compare Source](https://github.com/actions/checkout/compare/v4.1.6...v4.1.7)

- Bump the minor-npm-dependencies group across 1 directory with 4 updates by [@dependabot](https://github.com/dependabot) in https://github.com/actions/checkout/pull/1739
- Bump actions/checkout from 3 to 4 by [@dependabot](https://github.com/dependabot) in https://github.com/actions/checkout/pull/1697
- Check out other refs/\* by commit by [@orhantoy](https://github.com/orhantoy) in https://github.com/actions/checkout/pull/1774
- Pin actions/checkout's own workflows to a known, good, stable version. by [@jww3](https://github.com/jww3) in https://github.com/actions/checkout/pull/1776

</details>

<details>
<summary>codecov/codecov-action (codecov/codecov-action)</summary>

### [`v4.5.0`](https://github.com/codecov/codecov-action/compare/v4.4.1...v4.5.0)

[Compare Source](https://github.com/codecov/codecov-action/compare/v4.4.1...v4.5.0)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.25.10`](https://github.com/github/codeql-action/compare/v3.25.9...v3.25.10)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.9...v3.25.10)

### [`v3.25.9`](https://github.com/github/codeql-action/compare/v3.25.8...v3.25.9)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.8...v3.25.9)

</details>
This PR contains the following updates:

| Package | Change | Type | Update |
|---|---|---|---|
| [deps.dev/api/v3](https://github.com/google/deps.dev) | `v3.0.0-20240611045547-af20eef0f1eb` -> `v3.0.0-20240617015216-b147e04533eb` | require | patch |
| [deps.dev/util/maven](https://github.com/google/deps.dev) | `af20eef` -> `b147e04` | require | digest |
| [deps.dev/util/resolve](https://github.com/google/deps.dev) | `af20eef` -> `b147e04` | require | digest |
| [deps.dev/util/semver](https://github.com/google/deps.dev) | `af20eef` -> `b147e04` | require | digest |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `v0.19.1` -> `v0.19.2` | require | patch |
| golang.org/x/exp | `fc45aab` -> `7f521ea` | require | digest |
| [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) | `v1.34.1` -> `v1.34.2` | require | patch |

---

### Release Notes

<details>
<summary>google/go-containerregistry (github.com/google/go-containerregistry)</summary>

### [`v0.19.2`](https://github.com/google/go-containerregistry/releases/tag/v0.19.2)

[Compare Source](https://github.com/google/go-containerregistry/compare/v0.19.1...v0.19.2)

#### What's Changed

- Add JSON marshalling funcs for Digest. by [@wlynch](https://github.com/wlynch) in https://github.com/google/go-containerregistry/pull/1915
- registry: Implement Range requests for blobs by [@jonjohnsonjr](https://github.com/jonjohnsonjr) in https://github.com/google/go-containerregistry/pull/1917
- Support podman auth file REGISTRY_AUTH_FILE. by [@zhaoyonghe](https://github.com/zhaoyonghe) in https://github.com/google/go-containerregistry/pull/1914
- feat: crane mutate platform by [@joshwlewis](https://github.com/joshwlewis) in https://github.com/google/go-containerregistry/pull/1919
- Add Context support to auth methods by [@jonjohnsonjr](https://github.com/jonjohnsonjr) in https://github.com/google/go-containerregistry/pull/1949
- Fix windows race condition when writing image with duplicate layers by [@dgannon991](https://github.com/dgannon991) in https://github.com/google/go-containerregistry/pull/1921
- Add -O shorthand for --omit-digest-tags to crane. by [@smoser](https://github.com/smoser) in https://github.com/google/go-containerregistry/pull/1958

#### New Contributors

- [@wlynch](https://github.com/wlynch) made their first contribution in https://github.com/google/go-containerregistry/pull/1915
- [@zhaoyonghe](https://github.com/zhaoyonghe) made their first contribution in https://github.com/google/go-containerregistry/pull/1914
- [@joshwlewis](https://github.com/joshwlewis) made their first contribution in https://github.com/google/go-containerregistry/pull/1919
- [@dgannon991](https://github.com/dgannon991) made their first contribution in https://github.com/google/go-containerregistry/pull/1921
- [@smoser](https://github.com/smoser) made their first contribution in https://github.com/google/go-containerregistry/pull/1958

**Full Changelog**: google/go-containerregistry@v0.19.1...v0.19.2

</details>

<details>
<summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary>

### [`v1.34.2`](https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.34.2)

[Compare Source](https://github.com/protocolbuffers/protobuf-go/compare/v1.34.1...v1.34.2)

Minor feature:

- [CL/589336](https://go.dev/cl/589336): gofeatures: allow setting legacy_unmarshal_json_enum feature at file level

Minor bug fixes:

- [CL/588875](https://go.dev/cl/588875): types/descriptorpb: regenerate using latest protobuf v27.0 release
- [CL/586396](https://go.dev/cl/586396): internal/impl: fix size cache semantics with lazy decoding
- [CL/585736](https://go.dev/cl/585736): reflect/protodesc: remove obsolete JSON name check from desc validator
- [CL/588976](https://go.dev/cl/588976): reflect/protoreflect: FieldDescriptor.Kind should never be GroupKind for maps or fields of map entry

</details>
#35 In this PR, `MavenResolverExtrator` is invoked when scanning pom.xml to report vulnerabilities in transitive dependencies. However, the default Maven extractor is still being used with offline mode.
Add documentation for the newly added config package override feature #814
Prepare for release
`--rm-dist` was deprecated in favor of `--clean`
followup #1052 Signed-off-by: Rui Chen <[email protected]>
The goreleaser action was broken so I cannot release the 1.8.0 tag. I've just re-labelled 1.8.0 -> 1.8.1 in the changelog (since there's no actual difference between them), but let me know if you would prefer to have both. --------- Co-authored-by: Rex P <[email protected]>
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.