Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🌱 Bump github.com/google/osv-scanner from 1.6.1 to 1.6.2 #3834

Merged
merged 5 commits into from
Jan 31, 2024
Merged

🌱 Bump github.com/google/osv-scanner from 1.6.1 to 1.6.2 #3834

merged 5 commits into from
Jan 31, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 31, 2024

Bumps github.com/google/osv-scanner from 1.6.1 to 1.6.2.

Release notes

Sourced from github.com/google/osv-scanner's releases.

v1.6.2

Features

  • [Feature #694](google/osv-scanner#694) OSV-Scanner now has subcommands! The base command has been moved to scan (currently the only commands is scan). By default if you do not pass in a command, scan will be used, so CLI remains backwards compatible.

    This is a building block to adding the guided remediation feature. See [issue #352](google/osv-scanner#352) for more details!

  • [Feature #776](google/osv-scanner#776) Add pdm lockfile support.

API Features

New Contributors

Full Changelog: google/osv-scanner@v1.6.1...v1.6.2

Changelog

Sourced from github.com/google/osv-scanner's changelog.

v1.6.2:

Features

  • [Feature #694](google/osv-scanner#694) Add subcommands! OSV-Scanner now has subcommands! The base command has been moved to scan (currently the only commands is scan). By default if you do not pass in a command, scan will be used, so CLI remains backwards compatible.

    This is a building block to adding the guided remediation feature. See [issue #352](google/osv-scanner#352) for more details!

  • [Feature #776](google/osv-scanner#776) Add pdm lockfile support.

API Features

v1.6.0:

Features

Fixes

... (truncated)

Commits
  • 5b4066c Update changelog for 1.6.2 (#779)
  • 2d2efde chore(deps): update golang:alpine docker digest to a6a7f1f (#772)
  • 741923c chore(deps): update alpine:3.19 docker digest to c5b1261 (#771)
  • c050cea Add pdm lockfile support (#776)
  • 96b1e4e Guided Remediation: Make VulnerabilityClient for OSV queries (#773)
  • cbdceae Do not fail if no lockfiles found in github action (#774)
  • 4528ca2 Guided Remediation: Add computation for all relaxation patches (#766)
  • 93c2c7f Parse severities for guided remediation (#767)
  • 354fda5 Add pictures to github action docs (#768)
  • 251b676 Guided Remediation: Add dependency relaxation & re-resolution (#765)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
🌱 Bump github.com/google/osv-scanner from 1.6.1 to 1.6.2
dd1919e 
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.6.1 to 1.6.2.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.6.1...v1.6.2)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from a team as a code owner January 31, 2024 08:34
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jan 31, 2024
@dependabot dependabot bot requested review from spencerschrock and raghavkaul and removed request for a team January 31, 2024 08:34
@dependabot dependabot bot temporarily deployed to integration-test January 31, 2024 08:34 Inactive
@codecov Codecov
Copy link

codecov bot commented Jan 31, 2024
edited
Loading

Codecov Report

Merging #3834 (3682621) into main (e10dbb1) will decrease coverage by 6.71%.
The diff coverage is n/a.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3834      +/-   ##
==========================================
- Coverage   75.55%   68.84%   -6.71%     
==========================================
  Files         232      232              
  Lines       15784    15784              
==========================================
- Hits        11925    10867    -1058     
- Misses       3122     4250    +1128     
+ Partials      737      667      -70

@spencerschrock
specify go patch version
2514aec 
go mod tidy requires this. I was able to delete the toolchain directive,
and it wasn't added back.

Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock
bump dockerfiles to 1.21.6 so the build works
031428a 
Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock
Merge branch 'main' into dependabot/go_modules/github.com/google/osv-…
5402c9c 
…scanner-1.6.2

Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock
Copy link
Member

Since osv-scanner specifies go1.21.5, our version had to get bumped too (go mod tidy added the patch version).

I was able to delete the toolchain version without go mod tidy adding it back.

raghavkaul
raghavkaul approved these changes Jan 31, 2024
View reviewed changes
Copy link
Contributor

@raghavkaul raghavkaul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@spencerschrock
bump go version used in codeql workflow
3682621 
github runners currently use Go 1.20 by default,
which doesn't understand 1.21.x format.

Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock spencerschrock enabled auto-merge (squash) January 31, 2024 18:48
@spencerschrock spencerschrock merged commit 6f816c8 into main Jan 31, 2024
38 checks passed
@spencerschrock spencerschrock deleted the dependabot/go_modules/github.com/google/osv-scanner-1.6.2 branch January 31, 2024 18:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@raghavkaul raghavkaul raghavkaul approved these changes

@spencerschrock spencerschrock Awaiting requested review from spencerschrock spencerschrock is a code owner automatically assigned from ossf/scorecard-maintainers

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@spencerschrock @raghavkaul