Merge pull request 'Update to 0.59.1' (#13) from dirkmueller/trivy:factory into factory

2025-02-27 04:05:03 +01:00 · 2025-02-27 04:05:03 +01:00 · b1620bb580
commit b1620bb580
parent 613bf3e03c 7ca63ef751
8 changed files with 80 additions and 9 deletions
--- a/2
+++ b/2
@ -2,7 +2,7 @@
  <service name="tar_scm" mode="manual">
    <param name="url">https://github.com/aquasecurity/trivy</param>
    <param name="scm">git</param>
-    <param name="revision">v0.59.0</param>
+    <param name="revision">v0.59.1</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">v(.*)</param>
    <param name="changesgenerate">enable</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/aquasecurity/trivy</param>
-              <param name="changesrevision">a58d6854dcfec0349daef27e180f2bdb5b380315</param></service></servicedata>
+              <param name="changesrevision">9aabfd2a91e7278384bce7ccc6841a1d2851feb0</param></service></servicedata>
--- a/jwe-avoid-unbounded-splits.patch
+++ b/jwe-avoid-unbounded-splits.patch
@ -0,0 +1,49 @@
 From 99b346cec4e86d102284642c5dcbe9bb0cacfc22 Mon Sep 17 00:00:00 2001
 From: Matthew McPherrin <mattm@letsencrypt.org>
 Date: Mon, 24 Feb 2025 15:06:34 -0500
 Subject: [PATCH] Don't allow unbounded amounts of splits (#167)
 In compact JWS/JWE, don't allow unbounded number of splits.
 Count to make sure there's the right number, then use SplitN.
 ---
 jwe.go      | 5 +++--
 jws.go      | 5 +++--
 jws_test.go | 3 +++
 3 files changed, 9 insertions(+), 4 deletions(-)
 diff --git a/jwe.go b/jwe.go
 index 89f03ee..9f1322d 100644
 --- a/jwe.go
 +++ b/jwe.go
@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
 	keyAlgorithms []KeyAlgorithm,
 	contentEncryption []ContentEncryption,
 ) (*JSONWebEncryption, error) {
 -	parts := strings.Split(input, ".")
 -	if len(parts) != 5 {
 +	// Five parts is four separators
 +	if strings.Count(input, ".") != 4 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
 	}
 +	parts := strings.SplitN(input, ".", 5)
 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
 	if err != nil {
 diff --git a/jws.go b/jws.go
 index 3a91230..d09d8ba 100644
 --- a/jws.go
 +++ b/jws.go
@@ -327,10 +327,11 @@ func parseSignedCompact(
 	payload []byte,
 	signatureAlgorithms []SignatureAlgorithm,
 ) (*JSONWebSignature, error) {
 -	parts := strings.Split(input, ".")
 -	if len(parts) != 3 {
 +	// Three parts is two separators
 +	if strings.Count(input, ".") != 2 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
 	}
 +	parts := strings.SplitN(input, ".", 3)
 	if parts[1] != "" && payload != nil {
 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
--- a/trivy-0.59.0.tar.zst
+++ b/trivy-0.59.0.tar.zst
--- a/trivy-0.59.1.tar.zst
+++ b/trivy-0.59.1.tar.zst
--- a/trivy.changes
+++ b/trivy.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Wed Feb 26 09:01:28 UTC 2025 - Dirk Müller <dmueller@suse.com>
 - add jwe-avoid-unbounded-splits.patch (bsc#1237618,
  CVE-2025-27144)
 -------------------------------------------------------------------
 Tue Feb 25 14:46:22 UTC 2025 - dmueller@suse.com
 - Update to version 0.59.1:
  * release: v0.59.1 [release/v0.59] (#8334)
  * fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
  * chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
  * fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
  * fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)
 -------------------------------------------------------------------
 Fri Feb  7 11:33:46 UTC 2025 - Dirk Müller <dmueller@suse.com>
@ -97,7 +113,8 @@ Wed Jan 29 11:56:12 UTC 2025 - dmueller@suse.com
 - Update to version 0.58.2 (
      bsc#1234512, CVE-2024-45337,
-      bsc#1235265, CVE-2024-45338):
+      bsc#1235265, CVE-2024-45338,
      bsc#1232948, CVE-2024-51744):
  * release: v0.58.2 [release/v0.58] (#8216)
  * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
  * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
--- a/trivy.spec
+++ b/trivy.spec
@ -17,7 +17,7 @@
 Name:           trivy
-Version:        0.59.0
+Version:        0.59.1
 Release:        0
 Summary:        A Simple and Comprehensive Vulnerability Scanner for Containers
 License:        Apache-2.0
@ -25,6 +25,7 @@ Group:          System/Management
 URL:            https://github.com/aquasecurity/trivy
 Source:         %{name}-%{version}.tar.zst
 Source1:        vendor.tar.zst
 Patch1:         jwe-avoid-unbounded-splits.patch
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
 BuildRequires:  golang(API) = 1.23
@ -44,6 +45,10 @@ name of the container.
 %prep
 %setup -a1
 (
  cd vendor/github.com/go-jose/go-jose/v4
 %patch -P 1 -p1
 )
 %build
 export CGO_ENABLED=1
--- a/vendor.tar.zst
+++ b/vendor.tar.zst