chore: migrate grype to use mholt/archives instead of anchore fork #3036
Conversation
…ives Signed-off-by: Joonas Bergius <[email protected]>
github.com/anchore/archiver/3 with github.com/mholt/archives
Adding anchore/syft#4029 to this PR review for syft context. We're trying to get this removed throughout the tooling this week.
Thanks @spiffcs, I also became aware of that (and anchore/syft#4339) as I was looking to make similar changes on the Syft side to address the very same issue. I am very glad to find that other people had already put the energy forward there 🙂 I'll take a look at both of those PRs to see if I should bring any improvements from them over to this.
Signed-off-by: Joonas Bergius <[email protected]>
github.com/anchore/archiver/3 with github.com/mholt/archives
Signed-off-by: Joonas Bergius <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs Thanks! It looks like the checks are waiting for maintainer approval to run 🙂
@joonas Yep - just fixed a small resource leak and then I think this is good to go
These are not 🔴 from the PR - it looks like one of our glue tools for CI bootstrapping has an issue. I am investigating this now.
GitHub snowday again 🦄 - will retry this again this afternoon.
* main:
  chore(deps): update tools to latest versions (anchore#3051)
  chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 (anchore#3059)
  chore(deps): bump anchore/sbom-action from 0.20.9 to 0.20.10 (anchore#3060)
  chore(deps): bump github/codeql-action from 4.31.2 to 4.31.4 (anchore#3061)
  chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 (anchore#3063)
  chore(deps): bump actions/setup-go in /.github/actions/bootstrap (anchore#3064)
  chore(deps): update anchore dependencies (anchore#3055)
  test: update quality gate db to latest version (anchore#3053)
  fix: normalize java runtime qualifiers in maven version comparisons (anchore#3034)
  chore(deps): update tools to latest versions (anchore#3045)
  fix: junit template use CDATA block to prevent XML parse errors (anchore#3019)
  feat: add basic VEX support for SBOM and other sources
  chore(deps): bump golang.org/x/tools from 0.38.0 to 0.39.0 (anchore#3046)
  chore(deps): bump github.com/opencontainers/selinux (anchore#3044)
  chore(deps): bump github.com/olekukonko/tablewriter from 1.1.0 to 1.1.1 (anchore#3039)
  keep nested loggers labeled (anchore#3040)
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs thanks so much!
github.com/anchore/archiver/v3 has a dependency on github.com/nwaples/rardecode at v1.1.3, which sadly contains CVE-2025-11579. I'd like to remove the need for github.com/anchore/archiver/v3, so I'm implementing the functionality Grype depends on archiver for using github.com/mholt/archives, which is intended as a replacement for archives.