deps(deps): update all non-major dependencies#107
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Contributor
Author
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
5cc9c31 to
bd3bc24
Compare
bd3bc24 to
0d885fb
Compare
0d885fb to
40304de
Compare
40304de to
6b0e3a2
Compare
6b0e3a2 to
33bea73
Compare
33bea73 to
af5faf3
Compare
af5faf3 to
4cc713e
Compare
4cc713e to
58c5f01
Compare
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
Contributor
Author
|
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.4.2→v1.4.3v0.3.33→v0.3.154v0.0.111→v0.0.291v2.20.2→v2.32.0v1.34.2→v1.42.1v0.1.0→v0.1.161.23→1.26v0.31.0→v0.36.2v0.31.0→v0.36.2v0.31.0→v0.36.2v1.8.2→v1.13.3v0.19.0→v0.24.1Release Notes
go-logr/logr (github.com/go-logr/logr)
v1.4.3Compare Source
Minor release.
What's Changed
New Contributors
Full Changelog: go-logr/logr@v1.4.2...v1.4.3
kubescape/kubevuln (github.com/kubescape/kubevuln)
v0.3.154Compare Source
Description
This PR resolves the issue where
kubevulnfails to scan larger images (likewordpress:6.0.1-php7.4) due to the default gRPC message size limit of 4 MiB on the client-side/server-side communication channel withsbom-scanner.We raise the default message size limit on both ends to 128 MiB (
128 * 1024 * 1024bytes) to safely accommodate larger SBOM payloads.Changes
pkg/sbomscanner/v1/client.go):MaxgRPCMessageSize = 128 * 1024 * 1024.grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(MaxgRPCMessageSize), grpc.MaxCallSendMsgSize(MaxgRPCMessageSize))togrpc.NewClient.cmd/sbom-scanner/main.go):grpc.NewServerwithgrpc.MaxRecvMsgSize(sbomscanner.MaxgRPCMessageSize)andgrpc.MaxSendMsgSize(sbomscanner.MaxgRPCMessageSize).pkg/sbomscanner/v1/integration_test.goandpkg/sbomscanner/v1/server_test.go):MaxgRPCMessageSizecall and server options.Closes #381
v0.3.153Compare Source
Problem
Scanning newer RPM-based images (e.g. recent
redis/UBI-style bases) fails in the SBOM scanner sidecar with:Fixes #378.
Root cause
Two changes combined to surface this:
syft v1.32.0 (introduced in
cd2e51c, "migrate to grype v0.99.1", 2025-09-17) addedensureSqliteDriverAvailable()to its RPM (redhat) cataloger. Newer RPM databases use the sqlite format (rpmdb.sqlite), and Syft now requires the consumer to register adatabase/sqldriver under the namesqlite— it does not bundle one.The SBOM scanner sidecar (
cmd/sbom-scanner+pkg/sbomscanner/v1, introduced in36cd416, "add SBOM scanner sidecar", 2026-03-23) generates SBOMs via Syft without importing grype. The maincmd/httpbinary transitively pullsglebarez/go-sqlite(which registers"sqlite") through grype's DB layer, so it works. The sidecar has no such transitive import, so the driver is never registered.Verified per-binary (redhat cataloger present / sqlite driver present):
cmd/httpcmd/clicmd/sbom-scannerFix
Register the pure-Go (CGO-free)
modernc.org/sqlitedriver via a blank import in the sidecar entrypoint (cmd/sbom-scanner/main.go).modernc.org/sqliteregisters under the name"sqlite", which is exactly what the cataloger'ssql.Open("sqlite", ...)needs.It is placed in the binary entrypoint, not the shared
pkg/sbomscanner/v1package, on purpose:cmd/httpimports that package and already has glebarez's"sqlite"driver, so a blank import there would cause asql: Register called twice for driver sqlitepanic at startup. Putting it incmd/sbom-scannerkeeps each binary at exactly one"sqlite"driver.Testing
cmd/sbom-scanner/sqlite_driver_test.go— asserts exactly one"sqlite"driver is registered (catches both the missing-driver regression and an accidental double registration) and that an in-memory sqlite DB opens + pings.go build ./cmd/...passes;go vet ./cmd/...clean."sqlite"drivers (no double-registration panic).🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Bug Fixes
v0.3.152Compare Source
Problem
Registry image scans fail when the SBOM-scanner sidecar is enabled (
kubevuln.sbomScanner.enabled: true).normalizeImageIDis called twice on the sidecar path:adapters/v1/sidecar.go) normalizes the reference before sending the gRPCCreateSBOMRequest.scannerServer.CreateSBOM(pkg/sbomscanner/v1/server.go) normalizes it again.normalizeImageIDassumes itsimageIDargument is empty or a bare digest. But on the second call it is already a complete reference. Registry scans always send an empty image digest (the operator does not resolve a digest for registry scans), so:normalizeImageID("", tag)→ returns the tag.normalizeImageID(tag, tag)→tagis non-empty and not a digest, so it gets grafted ontoimageTagas a fake digest →repo@sha256:<tag>.The result is an unparseable reference and the scan fails immediately:
No SBOM is produced and the scan never completes. (The in-process path normalizes once and is unaffected, so this only reproduces with the sidecar enabled.)
Fix
Make
normalizeImageIDidempotent: ifimageIDis already a complete reference, return it unchanged —imageTag(no digest known → scanned by tag), orrepo@sha256:...).This is the minimal, defensive fix and does not change the single-normalization (in-process) path.
Alternative considered
scannerServer.CreateSBOMcould simply not re-normalize and treatreq.ImageIdas the final reference (the adapter already normalized it). That's cleaner architecturally but changes the gRPC contract assumption; happy to take that direction instead if preferred.Tests
Added regression cases to
TestNormalizeImageIDfor an already-normalized tag (the empty-digest case) and an already-normalized digest reference.go test ./pkg/sbomscanner/v1/ -run TestNormalizeImageIDpasses.Repro
kubevuln with
sbomScanner.enabled: true;POST /v1/scanRegistryImagewithimageTagset andimageHashempty.Summary by CodeRabbit
Release Notes
Bug Fixes
Tests
v0.3.151Compare Source
Self-hosted kubevuln startup could crash when
API_URLpointed to an in-cluster operator that does not implement the expected service-discovery route (404). In this state, kubevuln failed fast instead of using already-mounted static backend endpoints.Backend service resolution: add resilient fallback path
LoadBackendServicesConfigto resolve backend URLs in this order:services.json(existing behavior)API_URLdiscoveryclusterData.jsonstatic fields (backendOpenAPI+eventReceiverRestURL)API_URLdiscovery fails (including404), kubevuln now falls back to static config rather than terminating startup.Fallback observability and error reporting
API_URLdiscovery fails and kubevuln falls back toclusterData.json.errors.Join) so operators can see both failure causes.else).Static URL extraction from
clusterData.jsonbackendOpenAPIandeventReceiverRestURLfromclusterData.json, normalized to base service URLs consumed by backend adapters.scheme + host).apiServer*/reportReceiver*) that is not present in real cluster config.Docs: explicit backend URL precedence
docs/CONFIGURATION.mdunder backend services configuration.Focused regression coverage
API_URLis unsetAPI_URLdiscovery returns404v0.3.150Compare Source
This PR fixes a bug in the HTTP controller endpoints (GenerateSBOM, ScanCP, ScanCVE, ScanRegistry) where the request context was passed to asynchronous tasks submitted to the background worker pool. In Go 1.20+, the request context is cancelled as soon as the HTTP handler returns, resulting in the background worker aborting due to the cancelled context. Wrapping the context in
context.WithoutCancelfixes this. Added unit tests to verify.Summary by CodeRabbit
v0.3.149Compare Source
Summary by CodeRabbit
v0.3.146Compare Source
Summary
Add
NewGrypeAdapterFixedDBWithMatchers(useDefaultMatchers bool)alongside the existingNewGrypeAdapterFixedDB(). The existing function becomes a thin wrapper passingfalse, so no current callers need changes.Motivation
NewGrypeAdapter(listingURL, useDefaultMatchers)takes the flag and threads it intogetMatchers.NewGrypeAdapterFixedDB()doesn't accept the flag and leavesuseDefaultMatchers=false. Consumers like armosec/vulnerability-scanner override the global scanner withNewGrypeAdapterFixedDB()in tests — which means their CI runs against thefalsematcher path regardless of how production is configured. There's no clean way to align test and prod matcher mode short ofreflect+unsafeon the unexported field.This PR closes that gap: tests that need to mirror production matcher selection now have a dedicated constructor.
Compatibility
Non-breaking.
NewGrypeAdapterFixedDB()keeps the same signature and behavior (defaults touseDefaultMatchers=false). Internal callers inadapters/v1/grype_test.goandcore/services/scan_test.goare unaffected.Test plan
go build ./adapters/v1/cleanNewGrypeAdapterFixedDBWithMatchers(UseDefaultMatchers)once this landsContext
Downstream PR that needs this: armosec/vulnerability-scanner#38 — flips
UseDefaultMatcherstotrueto eliminate language-ecosystem CPE false positives (Ruby gemgitlab6.1.0 being flagged against GitLab CE/EE CVEs).🤖 Generated with Claude Code
Summary by CodeRabbit
v0.3.145Compare Source
Summary
Bumps Go dependencies to address High and Unknown severity security advisories affecting the
sbom-scannerbinary layer.github.com/cilium/ciliumgithub.com/docker/dockergolang.org/x/cryptogolang.org/x/netgolang.org/x/sysgithub.com/anchore/grypeadvisories (GHSA-6gxw-85q2-q646, GO-2025-4160) are intentionally excluded per project policy (grype version is not bumped independently).Test plan
go build ./...passes aftergo mod tidy🤖 Generated with Claude Code
v0.3.144Compare Source
Bumps github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1.
Release notes
Sourced from github.com/go-git/go-git/v5's releases.
Commits
3c3be60Merge pull request #2137 from go-git/validate-v53fba897plumbing: format/packfile, cap delta chain depth in parsera97d660Merge pull request #2125 from hiddeco/v5/format-input-boundsaeaa125plumbing: format/objfile, require Header before Read1f38e17plumbing: format/packfile, bound inflate sizef7545a0plumbing: format/idxfile, bound nr by file size170b881Merge pull request #2116 from pjbgf/symlink-v57b6d994Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noopf0709b3git: Stop validating symlink target paths776d00fgit: Allow MkdirAll on worktree-root pathsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
v0.3.142Compare Source
Summary
GrypeAdapter.Ready()callsgrype.LoadVulnerabilityDBevery 24h to refresh the vulnerability DBg.storewas replaced with the new store without callingClose()on the old onevulnerability.Providerembedsio.Closer, so the SQLite file descriptor and GORM connection resources from the previous store were abandoned to the GC finalizer rather than closed explicitlyTest plan
go build ./adapters/v1/...passes (confirmed locally)go test ./adapters/v1/... -run TestGrype(requires Docker for the offline DB container)lsof -p <pid> | grep grype | wc -lshould stay at 1)Context
Identified during memory investigation of v0.3.132 → v0.3.137 upgrade. The leak was not visually detectable in the Grafana RSS graph (GC finalizers eventually close the store), but explicit resource management is correct regardless.
🤖 Generated with Claude Code
Summary by CodeRabbit
v0.3.141Compare Source
Bumps github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0.
Release notes
Sourced from github.com/go-git/go-git/v5's releases.
Commits
bc930f4Merge pull request #2065 from go-git/commit-v5d315264plumbing: object, Reset object before decode6e1d348plumbing: object, Align Tree handling with upstreame134ba3tests: Skip double checks in Git v2.111971422tests: Add git conformance tests for signing verificationa387aa8plumbing: object, Add ErrMalformedTagf415670plumbing: object, Decode Tag headers via a state machine5b0cd38plumbing: object, Reject multi-signature commits at Verifyfe8ed62plumbing: object, Align Tag.EncodeWithoutSignature with Commit98e337dplumbing: object, Add support for Tag.SignatureSHA256Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
v0.3.138Compare Source
Summary by CodeRabbit
New Features
Chores
v0.3.137Compare Source
Summary by CodeRabbit
RiskAcceptanceconfiguration option to security settings.v0.3.136Compare Source
Summary by CodeRabbit
v0.3.134Compare Source
Memory-reduction rollout (NAUT-1283)
Reduces node-agent + kubevuln scan peak RSS by 30.7% on gitlab-ee
(1,621 MB → 1,123 MB), fitting a 1.5 GB cgroup with 377 MB margin.
Measured deltas (gitlab-ee, 113,836 files; kernel peak RSS via /usr/bin/time -v)
Initiative status
workerpool.New(1); kubevulnscanConcurrencydefaults to 1)Cross-repo PRs
Audit
Pre-merge audit confirmed no production-path consumer reads
sbom.Files[*].Digestsorsbom.Files[*].Metadatain node-agent,kubevuln, or kubescape/storage. The two storage consumers
(
containerprofile_processor.go:172,applicationprofile_processor.go:67)only read
f.Location.RealPath, which the directory walker stillpopulates regardless of file-cataloger disable. Selective indexing also
keeps 99.9% of the file-path coverage on gitlab-ee
(113,265 of 113,382 paths).
Reference:
shared-designs-and-docs/syft-memory-improvement/2026-04-28-rollout-design.mdSummary by CodeRabbit
Release Notes
Bug Fixes
Chores
v0.3.132Compare Source
Summary
proxyRegistryMap map[string]stringfield toConfig(mapstructure key:proxyRegistryMap) so operators can declare registry mirror mappings inclusterData.json.proxyRegistryMapfield toSyftAdapterand arewriteImageRefhelper that rewrites image pull references using simple string-prefix replacement, treatingdocker.ioandindex.docker.ioas equivalent.syft.GetSourcecall sites (initial pull, MANIFEST_UNKNOWN retry, 401 retry) use the rewrittenpullRef;imageID/imageTagvariables are untouched so SBOM annotations always record the original image reference.proxyRegistryMapis nil or empty, behaviour is identical to before.Test plan
go build ./...— passes with no errorsgo vet ./config/... ./cmd/...— cleango test ./adapters/v1/ -run TestNormalizeImageID— 6/6 passproxyRegistryMap: {"docker.io": "my-mirror.example.com"}in config and verify pulls are redirected🤖 Generated with Claude Code
Summary by CodeRabbit
v0.3.129Compare Source
Summary by CodeRabbit
v0.3.119Compare Source
Overview
Adds structured scan failure reporting to kubevuln. When a vulnerability scan fails (SBOM generation, CVE scan, or backend post), a
ScanFailureReportis sent toPOST /k8s/v2/scanFailure(careportreceiver). This feeds into the scan failure notification pipeline (SUB-7074) so users receive Slack/Teams alerts.What changed:
ReportScanFailure(ctx, failureCase, reason, scanErr)to thePlatformport interfaceBackendAdapter.ReportScanFailurebuilds aScanFailureReport(fromarmoapi-go/scanfailure) withWorkloads[]list includingImageHash,JobID,ContainerNameFailureReasonuses human-friendlyscanfailure.Reason*constants instead of raw error strings. Raw error preserved in separateErrorfield for R&D debugging.classifySBOMError()useserrors.As(*transport.Error)(Go 1.13 pattern) to detect auth failures, with string-based fallbacks forMANIFEST_UNKNOWN.classifySBOMStatus()mapsIncomplete/TooLargeSBOM statuses.RegistryName/IsRegistryScanwhenregistryNamearg is presentGenerateSBOM(),ScanCVE(),ScanCP(),ScanRegistry()at all 14 failure pointsError Classification
ReasonImageAuthFailederrors.As(*transport.Error)+ string fallbackReasonImageNotFoundstrings.Contains("MANIFEST_UNKNOWN")ReasonSBOMTooLargesbom.Status == TooLargeReasonSBOMIncompletesbom.Status == IncompleteReasonCVEMatchingFailedReasonResultUploadFailedReasonSBOMStorageFailedReasonSBOMGenerationFailedRelated issues/PRs
How to Test
go test ./adapters/v1/... -run TestBackendAdapter_ReportScanFailure -vgo test ./core/services/... -run TestClassify -vgo test ./...Summary by CodeRabbit
New Features
Tests
v0.3.114Compare Source
Summary
SBOM_SCANNER_SOCKETenv var, kubevuln uses the in-process SyftAdapter as beforeDesign
See kubevuln-sbom-sidecar-design.md — follows the same pattern as node-agent PR #753.
New files
pkg/sbomscanner/v1/proto/scanner.protopkg/sbomscanner/v1/server.gopkg/sbomscanner/v1/client.gocodes.Unavailablepkg/sbomscanner/v1/types.gocmd/sbom-scanner/main.goadapters/v1/sidecar.goSidecarSBOMAdapterimplementingports.SBOMCreatorModified files
cmd/http/main.goSBOM_SCANNER_SOCKETenv varbuild/Dockerfilekubevulnandsbom-scannerbinariesCompanion PR
Helm chart changes: kubescape/helm-charts (PR to follow)
Test plan
go test ./pkg/sbomscanner/v1/...— health, crash detection, context cancellation, normalizeImageIDErrScannerCrashed, readiness togglego test ./adapters/v1/...andgo test ./core/services/...— no regressions🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Tests
Chores
v0.3.110Compare Source
Bumps go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0.
Changelog
Sourced from go.opentelemetry.io/otel/sdk's changelog.