@renovate-bot renovate-bot commented Jun 11, 2024

Mend Renovate

This PR contains the following updates:

Package                                  Type     Update  Change
lockFileMaintenance                                       All locks refreshed
cloud.google.com/go/logging              require  minor   v1.8.1 -> v1.10.0
cloud.google.com/go/secretmanager        require  minor   v1.11.4 -> v1.13.1
github.com/atombender/go-jsonschema      require  minor   v0.14.1 -> v0.16.0
github.com/go-git/go-git/v5              require  minor   v5.11.0 -> v5.12.0
github.com/google/osv-scanner            require  minor   v1.4.3 -> v1.7.4
golang                                   stage    digest  9d8429e -> 9bdd569
golang.org/x/exp                         require  digest  6522937 -> fc45aab

🔧 This Pull Request updates lock files to use the latest dependency versions.


Release Notes

atombender/go-jsonschema (github.com/atombender/go-jsonschema)

v0.16.0

Compare Source

This release introduces several new improvements:

  • Improve support for non-case-sensitive languages
  • Make generated go more stable, and solve annoying big diffs
  • Fix generated code for non-nullable types with two options
  • Removes nil check for required properties
  • Add support for additionalProperties when other fields exist

What's Changed

New Contributors

Full Changelog: omissis/go-jsonschema@v0.15.0...v0.16.0

v0.15.0

Compare Source

This release introduces one new feature and a fix:

  • support for file:// schema in references
  • support for yaml file references

What's Changed

New Contributors

Full Changelog: omissis/go-jsonschema@v0.14.1...v0.15.0

go-git/go-git (github.com/go-git/go-git/v5)

v5.12.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.11.0...v5.12.0

google/osv-scanner (github.com/google/osv-scanner)

v1.7.4

Compare Source

Features:
Misc:
  • Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.

v1.7.3

Compare Source

Features:
Fixes:
  • Bug #938 Ensure the SARIF output has a stable order.
  • Bug #922 Support filtering on alias IDs in Guided Remediation.

v1.7.2

Compare Source

Fixes:
  • Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
  • Bug #908 Fix Rust call analysis by explicitly disabling stripping of debug info.
  • Bug #914 Fix regression for Go call analysis introduced in 1.7.0.

v1.7.1

Compare Source

(There is no Github release for this version)

Fixes
  • Bug #856
    Add retry logic to make calls to the OSV.dev API more resilient. Combined with changes in OSV.dev's API, this should result in far fewer timeout errors.
API Features
  • Feature #781
    Add MakeVersionRequestsWithContext()
  • Feature #857
    API and networking related errors now have their own error and exit code (Exit Code 129)

v1.7.0

Compare Source

Features
  • Feature #352 Guided Remediation
    Introducing our new experimental guided remediation feature on the osv-scanner fix subcommand.
    See our docs for detailed usage instructions.

  • Feature #805
    Include CVSS MaxSeverity in JSON output.

Fixes
  • Bug #818
    Align GoVulncheck Go version with go.mod.

  • Bug #797
    Don't traverse gitignored dirs for gitignore files.

Miscellaneous
  • #831
    Remove version number from the release binary name.

v1.6.2

Compare Source

Features
  • Feature #694
    Add subcommands! OSV-Scanner now has subcommands! The base command has been moved to scan (currently the only command is scan).
    By default, if you do not pass in a command, scan will be used, so the CLI remains backwards compatible.

    This is a building block to adding the guided remediation feature. See issue #352 for more details!

  • Feature #776
    Add pdm lockfile support.

API Features
  • Feature #754
    Add dependency groups to flattened vulnerabilities output.

v1.6.1

Compare Source

v1.6.0/v1.6.1:

Features
  • Feature #694 Add support for NuGet lock files version 2.

  • Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.

  • Feature #702 Created an option to skip/disable upload to code scanning.

  • Feature #732 Add option to not fail on a vulnerability being found for GitHub Actions.

  • Feature #729 Verify the SPDX licenses passed in to the license allowlist.

Fixes
  • Bug #736 Show ecosystem and version even if git is shown, if the info exists.

  • Bug #703 Return an error if both license scanning and local/offline scanning are enabled simultaneously.

  • Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.

  • Bug #704 Get Go stdlib version from go.mod.

API Features
  • Feature #727 Changes to Reporter methods to add verbosity levels and to deprecate functions.

New Contributors

Full Changelog: google/osv-scanner@v1.5.0...v1.6.0-alpha3

v1.6.0

Compare Source

Features
  • Feature #694
    Add support for NuGet lock files version 2.

  • Feature #655
    Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.

  • Feature #702
    Created an option to skip/disable upload to code scanning.

  • Feature #732
    Add option to not fail on a vulnerability being found for GitHub Actions.

  • Feature #729
    Verify the SPDX licenses passed in to the license allowlist.

Fixes
  • Bug #736
    Show ecosystem and version even if git is shown, if the info exists.

  • Bug #703
    Return an error if both license scanning and local/offline scanning are enabled simultaneously.

  • Bug #718
    Fixed parsing of SBOMs generated by the latest CycloneDX.

  • Bug #704
    Get Go stdlib version from go.mod.

API Features
  • Feature #727
    Changes to Reporter methods to add verbosity levels and to deprecate functions.

v1.5.0

Compare Source

Features
Fixes
  • Bug #639
    We now filter local packages from scans, and report the filtering of those packages.
  • Bug #645
    Properly handle file/url paths on Windows.
  • Bug #660
    Remove noise from failed lockfile parsing.
  • Bug #649
    No longer include vendored libraries in C/C++ package analysis.
  • Bug #634
    Fix filtering of aliases to also include non-OSV aliases.
Miscellaneous
  • The minimum go version has been updated to go1.21 from go1.18.

Configuration

📅 Schedule: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Mend Renovate. View repository job log here.

@forking-renovate

ℹ Artifact update notice

File name: vulnfeeds/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 20 additional dependencies were updated

Details:

Package Change
cloud.google.com/go v0.110.8 -> v0.113.0
cloud.google.com/go/compute/metadata v0.2.3 -> v0.3.0
cloud.google.com/go/iam v1.1.3 -> v1.1.8
cloud.google.com/go/longrunning v0.5.2 -> v0.5.7
github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c -> v1.0.0
github.com/golang/protobuf v1.5.3 -> v1.5.4
github.com/googleapis/gax-go/v2 v2.12.0 -> v2.12.4
github.com/package-url/packageurl-go v0.1.2 -> v0.1.3
github.com/sergi/go-diff v1.3.1 -> v1.3.2-0.20230802210424-5b0b94c5c0d3
github.com/skeema/knownhosts v1.2.1 -> v1.2.2
golang.org/x/crypto v0.21.0 -> v0.24.0
golang.org/x/mod v0.14.0 -> v0.18.0
golang.org/x/net v0.23.0 -> v0.26.0
golang.org/x/oauth2 v0.13.0 -> v0.20.0
golang.org/x/sync v0.5.0 -> v0.7.0
golang.org/x/sys v0.18.0 -> v0.21.0
golang.org/x/text v0.14.0 -> v0.16.0
golang.org/x/tools v0.16.0 -> v0.22.0
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 -> v0.0.0-20231012003039-104605ab7028
google.golang.org/api v0.149.0 -> v0.180.0

@forking-renovate forking-renovate bot added the dependencies Pull requests that update a dependency file label Jun 11, 2024
@andrewpollock andrewpollock added the rebase Tell renovate to rebase this PR label Jun 12, 2024
@forking-renovate forking-renovate bot removed the rebase Tell renovate to rebase this PR label Jun 12, 2024
@andrewpollock andrewpollock merged commit 3e80763 into google:master Jun 12, 2024