rhel: deprecate updater in favor of VEX updater #73
Open
Force-pushed from 0245cc1 to 796d9e4
Force-pushed from b7058eb to c499c90
Force-pushed from ff1aeea to d7404d0
Force-pushed from 7d90161 to a5d8a67
Force-pushed from e9126f3 to d43b87e
Force-pushed from 2d919d7 to 4214b21
Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.17.10 to 1.17.11. - [Release notes](https://github.com/klauspost/compress/releases) - [Changelog](https://github.com/klauspost/compress/blob/master/.goreleaser.yml) - [Commits](klauspost/compress@v1.17.10...v1.17.11) --- updated-dependencies: - dependency-name: github.com/klauspost/compress dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.4 to 1.20.5. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.20.4...v1.20.5) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [go.uber.org/mock](https://github.com/uber/mock) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/uber/mock/releases) - [Changelog](https://github.com/uber-go/mock/blob/main/CHANGELOG.md) - [Commits](uber-go/mock@v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: go.uber.org/mock dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Disable more OSV ecosystems for situations where we already have a dedicated updater. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Currently, SUSE distributions are predefined in the code; this change adds dynamic support for two SUSE distro flavors: suse.linux.enterprise.server and opensuse.leap. Signed-off-by: crozzy <joseph.crosland@gmail.com>
The parseFingerprint() function is the only one we use. Signed-off-by: crozzy <joseph.crosland@gmail.com>
There is a corner-case where an advisory can initially show products as known_affected then as known_not_affected. Because this updated advisory doesn't result in vulnerabilities the previous vulnerabilities associated with this advisory are carried forward. This change adds any advisories that don't lead to created vulnerabilities to the deleted slice in-order to ensure no existing vulnerabilities that could be related to this advisory are carried forward. In essence, it is as-if the advisory has been parsed from the deletions.csv file. Signed-off-by: crozzy <joseph.crosland@gmail.com>
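A worked illustration of the carry-forward corner case this commit describes, added here as an example; it is not code from claircore or from the commit. The advisory, vulnerability and store types, the delta-merge rule in applyUpdate, the advisory ID and the product ID are all constructed stand-ins for the real CSAF VEX documents and the updater's own handling:

```go
package main

import (
	"fmt"
	"sort"
)

// Advisory is a minimal stand-in for the product_status section of a CSAF VEX
// document. Types here are written for this example, not claircore's own.
type Advisory struct {
	ID               string
	KnownAffected    []string // product IDs listed under product_status.known_affected
	KnownNotAffected []string // product IDs listed under product_status.known_not_affected
}

// Vulnerability is one (advisory, product) row a matcher would act on.
type Vulnerability struct {
	Advisory string
	Product  string
}

// UpdateResult is what one updater run hands to the store: rows to insert and
// advisory IDs whose existing rows must be removed.
type UpdateResult struct {
	Vulns   []Vulnerability
	Deleted []string
}

// vulnsFor turns an advisory's known_affected list into rows. Products under
// known_not_affected deliberately produce nothing.
func vulnsFor(a Advisory) []Vulnerability {
	out := make([]Vulnerability, 0, len(a.KnownAffected))
	for _, p := range a.KnownAffected {
		out = append(out, Vulnerability{Advisory: a.ID, Product: p})
	}
	return out
}

// process handles one batch of advisories plus the IDs read from deletions.csv.
// With emptyIsDeletion=false it reproduces the pre-fix behaviour: an advisory
// that yields no rows is skipped. With true, that advisory's ID is appended to
// Deleted, exactly as if it had been listed in deletions.csv.
func process(advs []Advisory, deletions []string, emptyIsDeletion bool) UpdateResult {
	res := UpdateResult{Deleted: append([]string(nil), deletions...)}
	for _, a := range advs {
		vs := vulnsFor(a)
		if len(vs) == 0 {
			if emptyIsDeletion {
				res.Deleted = append(res.Deleted, a.ID)
			}
			continue
		}
		res.Vulns = append(res.Vulns, vs...)
	}
	sort.Strings(res.Deleted)
	return res
}

// applyUpdate merges a result into a store keyed by advisory ID (an assumed
// model of the delta store): rows of a deleted advisory are dropped, an
// advisory that produced rows has its rows replaced, and an advisory in
// neither set is carried forward untouched.
func applyUpdate(store map[string][]Vulnerability, res UpdateResult) {
	for _, id := range res.Deleted {
		delete(store, id)
	}
	byAdv := map[string][]Vulnerability{}
	for _, v := range res.Vulns {
		byAdv[v.Advisory] = append(byAdv[v.Advisory], v)
	}
	for id, vs := range byAdv {
		store[id] = vs
	}
}

// simulate runs the two-step corner case from the commit message, with a
// constructed advisory ID and product ID, and returns the rows still stored
// for that advisory after the second update.
func simulate(emptyIsDeletion bool) []Vulnerability {
	const id, product = "CVE-2024-0001", "BaseOS-9:example-pkg"
	first := Advisory{ID: id, KnownAffected: []string{product}}
	second := Advisory{ID: id, KnownNotAffected: []string{product}}

	store := map[string][]Vulnerability{}
	applyUpdate(store, process([]Advisory{first}, nil, emptyIsDeletion))
	applyUpdate(store, process([]Advisory{second}, nil, emptyIsDeletion))
	return store[id]
}

func main() {
	fmt.Printf("stale rows, empty advisories skipped: %d\n", len(simulate(false)))
	fmt.Printf("stale rows, empty advisories deleted: %d\n", len(simulate(true)))
}
```

Running the same advisory through twice, first with the product under known_affected and then under known_not_affected, leaves one stale row when empty advisories are merely skipped and none once their IDs are appended to Deleted.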
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Refresh the README to be more in-line with the commands that exist in the Makefile. Also, bring the casing of Claircore in-line with convention (Claircore == good in prose, claircore == good in code, ClairCore == bad). Signed-off-by: crozzy <joseph.crosland@gmail.com>
Bumps the otel group with 1 update: [go.opentelemetry.io/otel/trace](https://github.com/open-telemetry/opentelemetry-go). Updates `go.opentelemetry.io/otel/trace` from 1.31.0 to 1.32.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.31.0...v1.32.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/trace dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the golang-x group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.28.0` | `0.29.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.30.0` | `0.31.0` |
| [golang.org/x/sync](https://github.com/golang/sync) | `0.8.0` | `0.9.0` |
| [golang.org/x/sys](https://github.com/golang/sys) | `0.26.0` | `0.27.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.19.0` | `0.20.0` |
| [golang.org/x/time](https://github.com/golang/time) | `0.7.0` | `0.8.0` |
| [golang.org/x/tools](https://github.com/golang/tools) | `0.26.0` | `0.27.0` |

Updates `golang.org/x/crypto` from 0.28.0 to 0.29.0 - [Commits](golang/crypto@v0.28.0...v0.29.0) Updates `golang.org/x/net` from 0.30.0 to 0.31.0 - [Commits](golang/net@v0.30.0...v0.31.0) Updates `golang.org/x/sync` from 0.8.0 to 0.9.0 - [Commits](golang/sync@v0.8.0...v0.9.0) Updates `golang.org/x/sys` from 0.26.0 to 0.27.0 - [Commits](golang/sys@v0.26.0...v0.27.0) Updates `golang.org/x/text` from 0.19.0 to 0.20.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.19.0...v0.20.0) Updates `golang.org/x/time` from 0.7.0 to 0.8.0 - [Commits](golang/time@v0.7.0...v0.8.0) Updates `golang.org/x/tools` from 0.26.0 to 0.27.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.26.0...v0.27.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/time dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
Force-pushed from e3ccb2f to c3150ed
It was discovered that some OSV documents can order minor releases in the same affected.ranges object. This meant that we only ever counted the last range in a vulnerability. This change gathers range information for the affected product and creates a vulnerability per range. Signed-off-by: crozzy <joseph.crosland@gmail.com>
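A worked illustration of the OSV ranges problem this commit describes, added here as an example and not taken from claircore's OSV updater. The schema subset, the `lastRange` model of the pre-fix behaviour, the package name and the advisory ID are all constructed for this page; the event-walking rule in `splitRanges` (each "introduced" opens an interval, the next "fixed" closes it) follows the OSV schema's definition of ordered events:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the OSV schema (https://ossf.github.io/osv-schema/) used here.
// These are example types written for this page, not claircore's own.
type osvEntry struct {
	ID       string        `json:"id"`
	Affected []osvAffected `json:"affected"`
}

type osvAffected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Ranges []osvRange `json:"ranges"`
}

type osvRange struct {
	Events []osvEvent `json:"events"` // each event carries exactly one key
}

type osvEvent struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}

// VersionRange is the half-open interval [Introduced, Fixed); Fixed == "" means unfixed.
type VersionRange struct {
	Introduced, Fixed string
}

type Vulnerability struct {
	ID, Ecosystem, Package string
	Range                  VersionRange
}

// splitRanges walks one ranges object's events in order: each "introduced" opens
// a new interval and a following "fixed" closes it. Intervals accumulate rather
// than overwrite, so a ranges object listing several minor-release lines yields
// several intervals.
func splitRanges(r osvRange) []VersionRange {
	var out []VersionRange
	for _, e := range r.Events {
		switch {
		case e.Introduced != "":
			out = append(out, VersionRange{Introduced: e.Introduced})
		case e.Fixed != "" && len(out) > 0:
			out[len(out)-1].Fixed = e.Fixed
		}
	}
	return out
}

// lastRange models the pre-fix reading (an assumption made for this example):
// every event overwrites one interval, so only the final introduced/fixed values
// survive, whether or not they belong to the same release line.
func lastRange(r osvRange) []VersionRange {
	var cur VersionRange
	for _, e := range r.Events {
		if e.Introduced != "" {
			cur.Introduced = e.Introduced
		}
		if e.Fixed != "" {
			cur.Fixed = e.Fixed
		}
	}
	return []VersionRange{cur}
}

// extract decodes an OSV document and emits one Vulnerability per interval that
// split returns, for each ranges object of each affected package.
func extract(raw []byte, split func(osvRange) []VersionRange) ([]Vulnerability, error) {
	var e osvEntry
	if err := json.Unmarshal(raw, &e); err != nil {
		return nil, err
	}
	var out []Vulnerability
	for _, a := range e.Affected {
		for _, r := range a.Ranges {
			for _, vr := range split(r) {
				out = append(out, Vulnerability{ID: e.ID, Ecosystem: a.Package.Ecosystem, Package: a.Package.Name, Range: vr})
			}
		}
	}
	return out, nil
}

// sampleOSV is a constructed document: three vulnerable minor-release lines in
// one ranges object, the newest still unfixed.
const sampleOSV = `{"id": "OSV-EXAMPLE-0001", "affected": [{
  "package": {"ecosystem": "Go", "name": "example.com/widget"},
  "ranges": [{"type": "SEMVER", "events": [
    {"introduced": "1.0.0"}, {"fixed": "1.0.5"},
    {"introduced": "1.1.0"}, {"fixed": "1.1.3"},
    {"introduced": "1.2.0"}]}]}]}`

func main() {
	old, _ := extract([]byte(sampleOSV), lastRange)
	fixed, _ := extract([]byte(sampleOSV), splitRanges)
	fmt.Printf("last range only: %+v\nper range: %+v\n", old, fixed)
}
```

On the sample, the last-range reading produces a single entry whose introduced version (1.2.0) is newer than its fixed version (1.1.3), so 1.0.x and 1.1.x are never flagged; the per-range reading yields three entries, one per release line.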
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.33.1 to 1.34.1. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.33.1...v1.34.1) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@v4...v5) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: RTann <rtannenb@redhat.com>
For the RPM test we check the index report against the pyxis manifest for that image. The format of this manifest recently changed when they started producing builds from Konflux; this change accounts for those changes. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Force-pushed from c3150ed to 4e56761
Bumps the golang-x group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.29.0` | `0.30.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.31.0` | `0.32.0` |
| [golang.org/x/sync](https://github.com/golang/sync) | `0.9.0` | `0.10.0` |
| [golang.org/x/sys](https://github.com/golang/sys) | `0.27.0` | `0.28.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.20.0` | `0.21.0` |
| [golang.org/x/tools](https://github.com/golang/tools) | `0.27.0` | `0.28.0` |

Updates `golang.org/x/crypto` from 0.29.0 to 0.30.0 - [Commits](golang/crypto@v0.29.0...v0.30.0) Updates `golang.org/x/net` from 0.31.0 to 0.32.0 - [Commits](golang/net@v0.31.0...v0.32.0) Updates `golang.org/x/sync` from 0.9.0 to 0.10.0 - [Commits](golang/sync@v0.9.0...v0.10.0) Updates `golang.org/x/sys` from 0.27.0 to 0.28.0 - [Commits](golang/sys@v0.27.0...v0.28.0) Updates `golang.org/x/text` from 0.20.0 to 0.21.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.20.0...v0.21.0) Updates `golang.org/x/tools` from 0.27.0 to 0.28.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.27.0...v0.28.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.34.1 to 1.34.2. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.34.1...v1.34.2) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Force-pushed from 95fb883 to c0adc90
Bumps the golang-x group with 1 update: [golang.org/x/crypto](https://github.com/golang/crypto). Updates `golang.org/x/crypto` from 0.30.0 to 0.31.0 - [Commits](golang/crypto@v0.30.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the otel group with 1 update: [go.opentelemetry.io/otel/trace](https://github.com/open-telemetry/opentelemetry-go). Updates `go.opentelemetry.io/otel/trace` from 1.32.0 to 1.33.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.32.0...v1.33.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/trace dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel ... Signed-off-by: dependabot[bot] <support@github.com>
We can extract vulnerability information about containers from the VEX data. This negates the need to look for it in the cvemap.xml file. This change modifies the VEX updater to allow for ingesting vulnerabilities in a way that can be matched by the RHCC matcher. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Force-pushed from c0adc90 to 4701605