merge to release #125

nam20485 · 2023-11-26T17:33:03Z

No description provided.

…le and then descend into that directory and one below to find the top-level ODB++ design directories (so that archives that expand w/ no toplevel dir are handled, i.e. .zip's, the same where the archive contains a directory with the toplevel dirs inside of it)

…i.e. .Z, .z)

…a data files

…in misc/info file

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@0565240...4a13e50) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.0.0 to 5.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/build-push-action/releases">docker/build-push-action's releases</a>.</em></p> <blockquote> <h2>v5.1.0</h2> <ul> <li>Add <code>annotations</code> input by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/992">docker/build-push-action#992</a></li> <li>Add <code>secret-envs</code> input by <a href="https://github.com/elias-lundgren"><code>@elias-lundgren</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/980">docker/build-push-action#980</a></li> <li>Bump <code>@babel/traverse</code> from 7.17.3 to 7.23.2 in <a href="https://redirect.github.com/docker/build-push-action/pull/991">docker/build-push-action#991</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.13.0-rc.1 to 0.14.0 in <a href="https://redirect.github.com/docker/build-push-action/pull/990">docker/build-push-action#990</a> <a href="https://redirect.github.com/docker/build-push-action/pull/1006">docker/build-push-action#1006</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/build-push-action/compare/v5.0.0...v5.1.0">https://github.com/docker/build-push-action/compare/v5.0.0...v5.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/build-push-action/commit/4a13e500e55cf31b7a5d59a38ab2040ab0f42f56"><code>4a13e50</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1006">#1006</a> from docker/dependabot/npm_and_yarn/docker/actions-t...</li> <li><a href="https://github.com/docker/build-push-action/commit/74166686865cdc289a02f214871fb53447b73447"><code>7416668</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/build-push-action/commit/b4f76a5dc6a67282180eddc6d460f23bc97bfcbc"><code>b4f76a5</code></a> chore(deps): Bump <code>@docker/actions-toolkit</code> from 0.13.0 to 0.14.0</li> <li><a href="https://github.com/docker/build-push-action/commit/b7feb766fae338d85274c87a9d0f24c09690dbe2"><code>b7feb76</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1005">#1005</a> from crazy-max/ci-inspect</li> <li><a href="https://github.com/docker/build-push-action/commit/fae8018297c67066fff64a6e9c319c86f89b8982"><code>fae8018</code></a> ci: inspect sbom and provenance</li> <li><a href="https://github.com/docker/build-push-action/commit/b625868b13c3feb675cabbf9bfeb52ae94166606"><code>b625868</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1004">#1004</a> from crazy-max/ci-update-buildx</li> <li><a href="https://github.com/docker/build-push-action/commit/5193ef1da6ea0d66de97d22817c258b203ade96a"><code>5193ef1</code></a> ci: update buildx to latest</li> <li><a href="https://github.com/docker/build-push-action/commit/d3afd779e409ac26db5374fb27fe4aae9f6adb42"><code>d3afd77</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/991">#991</a> from docker/dependabot/npm_and_yarn/babel/traverse-7....</li> <li><a href="https://github.com/docker/build-push-action/commit/7a786bb2b9408f7f997564f677248fabd4b886d5"><code>7a786bb</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/992">#992</a> from crazy-max/annotations</li> <li><a href="https://github.com/docker/build-push-action/commit/c66ae3adcfbf698ecd851c6bb782654a0c6ffcae"><code>c66ae3a</code></a> chore: update generated content</li> <li>Additional commits viewable in <a href="https://github.com/docker/build-push-action/compare/0565240e2d4ab88bba5387d719585280857ece09...4a13e500e55cf31b7a5d59a38ab2040ab0f42f56">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=docker/build-push-action&package-manager=github_actions&previous-version=5.0.0&new-version=5.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

Bumps [actions/github-script](https://github.com/actions/github-script) from 6.4.1 to 7.0.1. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@d7906e4...60a0d83) --- updated-dependencies: - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/scout-action](https://github.com/docker/scout-action) from 1.0.9 to 1.1.0. - [Release notes](https://github.com/docker/scout-action/releases) - [Commits](docker/scout-action@4e9ac4d...704685e) --- updated-dependencies: - dependency-name: docker/scout-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/scout-action](https://github.com/docker/scout-action) from 1.0.9 to 1.1.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/scout-action/commit/704685e6e6dc4462258fb11d36d3a14ca7bda1e6"><code>704685e</code></a> Update from 15db50f1841611d47f0d2c45866462f1857a5ba4</li> <li><a href="https://github.com/docker/scout-action/commit/80fc6e99dd73c7d09db18aa7d4006bebb3f5c11a"><code>80fc6e9</code></a> Update from 67c68bc01ec721f0c8a9b5831d61648088952d4c</li> <li>See full diff in <a href="https://github.com/docker/scout-action/compare/4e9ac4df44fb56797da111fce8185f7fbffd5a09...704685e6e6dc4462258fb11d36d3a14ca7bda1e6">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=docker/scout-action&package-manager=github_actions&previous-version=1.0.9&new-version=1.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.5 to 2.22.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@74483a3...66b90a5) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

@v2

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.5 to 2.22.7. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>2.22.7 - 16 Nov 2023</h2> <ul> <li>Add a deprecation warning for customers using CodeQL version 2.11.5 and earlier. These versions of CodeQL were discontinued on 8 November 2023 alongside GitHub Enterprise Server 3.7, and will be unsupported by CodeQL Action v2.23.0 and later. <a href="https://redirect.github.com/github/codeql-action/pull/1993">#1993</a> <ul> <li>If you are using one of these versions, please update to CodeQL CLI version 2.11.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.</li> <li>Alternatively, if you want to continue using a version of the CodeQL CLI between 2.10.5 and 2.11.5, you can replace <code>github/codeql-action/*@v2</code> by <code>github/codeql-action/*@v2.22.7</code> in your code scanning workflow to ensure you continue using this version of the CodeQL Action.</li> </ul> </li> </ul> <h2>2.22.6 - 14 Nov 2023</h2> <ul> <li>Customers running Python analysis on macOS using version 2.14.6 or earlier of the CodeQL CLI should upgrade to CodeQL CLI version 2.15.0 or later. If you do not wish to upgrade the CodeQL CLI, ensure that you are using Python version 3.11 or earlier, as CodeQL version 2.14.6 and earlier do not support Python 3.12. You can achieve this by adding a <a href="https://github.com/actions/setup-python"><code>setup-python</code></a> step to your code scanning workflow before the step that invokes <code>github/codeql-action/init</code>.</li> <li>Update default CodeQL bundle version to 2.15.2. <a href="https://redirect.github.com/github/codeql-action/pull/1978">#1978</a></li> </ul> <h2>2.22.5 - 27 Oct 2023</h2> <p>No user facing changes.</p> <h2>2.22.4 - 20 Oct 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.15.1. <a href="https://redirect.github.com/github/codeql-action/pull/1953">#1953</a></li> <li>Users will begin to see warnings on Node.js 16 deprecation in their Actions logs on code scanning runs starting October 23, 2023. <ul> <li>All code scanning workflows should continue to succeed regardless of the warning.</li> <li>The team at GitHub maintaining the CodeQL Action is aware of the deprecation timeline and actively working on creating another version of the CodeQL Action, v3, that will bump us to Node 20.</li> <li>For more information, and to communicate with the maintaining team, please use <a href="https://redirect.github.com/github/codeql-action/issues/1959">this issue</a>.</li> </ul> </li> </ul> <h2>2.22.3 - 13 Oct 2023</h2> <ul> <li>Provide an authentication token when downloading the CodeQL Bundle from the API of a GitHub Enterprise Server instance. <a href="https://redirect.github.com/github/codeql-action/pull/1945">#1945</a></li> </ul> <h2>2.22.2 - 12 Oct 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.15.0. <a href="https://redirect.github.com/github/codeql-action/pull/1938">#1938</a></li> <li>Improve the log output when an error occurs in an invocation of the CodeQL CLI. <a href="https://redirect.github.com/github/codeql-action/pull/1927">#1927</a></li> </ul> <h2>2.22.1 - 09 Oct 2023</h2> <ul> <li>Add a workaround for Python 3.12, which is not supported in CodeQL CLI version 2.14.6 or earlier. If you are running an analysis on Windows and using Python 3.12 or later, the CodeQL Action will switch to running Python 3.11. In this case, if Python 3.11 is not found, then the workflow will fail. <a href="https://redirect.github.com/github/codeql-action/pull/1928">#1928</a></li> </ul> <h2>2.22.0 - 06 Oct 2023</h2> <ul> <li>The CodeQL Action now requires CodeQL version 2.10.5 or later. For more information, see the corresponding changelog entry for CodeQL Action version 2.21.8. <a href="https://redirect.github.com/github/codeql-action/pull/1907">#1907</a></li> <li>The CodeQL Action no longer runs ML-powered queries. For more information, including details on our investment in AI-powered security technology, see <a href="https://github.blog/changelog/2023-09-29-codeql-code-scanning-deprecates-ml-powered-alerts/">"CodeQL code scanning deprecates ML-powered alerts."</a> <a href="https://redirect.github.com/github/codeql-action/pull/1910">#1910</a></li> <li>Fix a bug which prevented tracing of projects using Go 1.21 and above on Linux. <a href="https://redirect.github.com/github/codeql-action/pull/1909">#1909</a></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/66b90a5db151a8042fa97405c6cf843bbe433f7b"><code>66b90a5</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1995">#1995</a> from github/update-v2.22.7-10f05151c</li> <li><a href="https://github.com/github/codeql-action/commit/bc9ddc2841925c46ff40882ceeda54ab618f3e18"><code>bc9ddc2</code></a> Update changelog for v2.22.7</li> <li><a href="https://github.com/github/codeql-action/commit/10f05151c5b1b373a07845f59fa8b84780fd8828"><code>10f0515</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1981">#1981</a> from github/aeisenberg/delete-analysis-after-upload</li> <li><a href="https://github.com/github/codeql-action/commit/4e80a803545d4447769e731bf2e03deeca398189"><code>4e80a80</code></a> Use delay instead of wait</li> <li><a href="https://github.com/github/codeql-action/commit/df9b50ee5f2d128a79c7bfbcefec62fc46c85b95"><code>df9b50e</code></a> Address comments from review</li> <li><a href="https://github.com/github/codeql-action/commit/0d0a53cb13a3d7e73a70582e3e846fd04745744a"><code>0d0a53c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1993">#1993</a> from github/henrymercer/deprecation-changenote</li> <li><a href="https://github.com/github/codeql-action/commit/df6aced52825e24276cdf8d0132829e2b9e369ce"><code>df6aced</code></a> Update CHANGELOG.md</li> <li><a href="https://github.com/github/codeql-action/commit/0cd63ca7a54f6bb6ae2e653f3f1cd4317709873a"><code>0cd63ca</code></a> Add changelog note for CodeQL v2.10.5 deprecation</li> <li><a href="https://github.com/github/codeql-action/commit/b9e85da0b50da6c2215d4a712a274631d3e8e61e"><code>b9e85da</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1992">#1992</a> from github/henrymercer/ghes-3.7-deprecation</li> <li><a href="https://github.com/github/codeql-action/commit/779838b8492657abe9d176622e818969b0bc0ee8"><code>779838b</code></a> Prepare for CodeQL v2.10.* deprecation</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/74483a38d39275f33fcff5f35b679b5ca4a26a99...66b90a5db151a8042fa97405c6cf843bbe433f7b">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=2.22.5&new-version=2.22.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@fde92ac...7bbfa03) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.2 to 3.1.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/dependency-review-action/releases">actions/dependency-review-action's releases</a>.</em></p> <blockquote> <h2>3.1.3</h2> <h2>What's Changed</h2> <ul> <li>Fixes purl "version must be percent-encoded" by <a href="https://github.com/theztefan"><code>@theztefan</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/617">actions/dependency-review-action#617</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/dependency-review-action/compare/v3...v3.1.3">https://github.com/actions/dependency-review-action/compare/v3...v3.1.3</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/dependency-review-action/commit/7bbfa034e752445ea40215fff1c3bf9597993d3f"><code>7bbfa03</code></a> bumping to 3.1.3</li> <li><a href="https://github.com/actions/dependency-review-action/commit/26f1ad912021e9231641d9bebecf646ca79dd257"><code>26f1ad9</code></a> Merge pull request <a href="https://redirect.github.com/actions/dependency-review-action/issues/617">#617</a> from theztefan/purl-encoding-error</li> <li><a href="https://github.com/actions/dependency-review-action/commit/152d8e2defc2c92d852e1783ca9bbf1f9ea9d22e"><code>152d8e2</code></a> Prettier</li> <li><a href="https://github.com/actions/dependency-review-action/commit/b99756ecd3d6ecab164d021960b799b84ee9f3fd"><code>b99756e</code></a> encode string for pUrl</li> <li>See full diff in <a href="https://github.com/actions/dependency-review-action/compare/fde92acd0840415674c16b39c7d703fc28bc511e...7bbfa034e752445ea40215fff1c3bf9597993d3f">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/dependency-review-action&package-manager=github_actions&previous-version=3.1.2&new-version=3.1.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

Bumps debian from bookworm-20231030 to bookworm-20231120. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

…lass shared between EdaDatFile and ComponentsFile

Bumps debian from bookworm-20231030 to bookworm-20231120. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=debian&package-manager=docker&previous-version=bookworm-20231030&new-version=bookworm-20231120)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

Bumps debian from `3c189c2` to `133a1f2`. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps debian from `3c189c2` to `133a1f2`. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=debian&package-manager=docker&previous-version=bookworm-20231120&new-version=bookworm-20231120)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

github-actions · 2023-11-26T17:39:05Z

🔍 Vulnerabilities of `nam20485/odbdesign:pr-125`

📦 Image Reference nam20485/odbdesign:pr-125

digest	`sha256:03fb40a8e530ae8f37753d46d4d43724ff25e4cce0aeecb560c590c0efdee706`
vulnerabilities
platform	linux/amd64
size	39 MB
packages	126

📦 Base Image debian:12-slim

also known as	`12.2-slim` `bookworm-20231120-slim` `bookworm-slim`
digest	`sha256:93ff361288a7c365614a5791efa3633ce4224542afb6b53a1790330a8e52fc7d`
vulnerabilities

tar 1.34+dfsg-1.2 (deb)

pkg:deb/debian/[email protected]+dfsg-1.2?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=1.34+dfsg-1.2`
Fixed version	Not Fixed

Description

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.

Affected range	`>=1.34+dfsg-1.2`
Fixed version	Not Fixed

Description

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

perl 5.36.0-7 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=5.36.0-7`
Fixed version	Not Fixed

Description

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

Affected range	`>=5.36.0-7`
Fixed version	Not Fixed

Description

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

shadow 1:4.13+dfsg1-1 (deb)

pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=1:4.13+dfsg1-1`
Fixed version	Not Fixed

Description

shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).

Affected range	`>=1:4.13+dfsg1-1`
Fixed version	Not Fixed

Description

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

glibc 2.36-9+deb12u3 (deb)

pkg:deb/debian/[email protected]+deb12u3?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.36-9+deb12u2`
Fixed version	Not Fixed

Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Affected range	`>=2.36-9+deb12u2`
Fixed version	Not Fixed

Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

util-linux 2.38.1-5 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.38.1-5`
Fixed version	Not Fixed

Description

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

libgcrypt20 1.10.1-3 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=1.10.1-3`
Fixed version	Not Fixed

Description

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

coreutils 9.1-1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=9.1-1`
Fixed version	Not Fixed

Description

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

apt 2.6.1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.6.1`
Fixed version	Not Fixed

Description

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

gnutls28 3.7.9-2 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=3.7.9-2`
Fixed version	Not Fixed

Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

util-linux 2.38.1-5+b1 (deb)

pkg:deb/debian/[email protected]+b1?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.38.1-5`
Fixed version	Not Fixed

Description

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

systemd 252.17-1~deb12u1 (deb)

pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=252.17-1~deb12u1`
Fixed version	Not Fixed

Description

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

gnupg2 2.2.40-1.1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.2.40-1.1`
Fixed version	Not Fixed

Description

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

gcc-12 12.2.0-14 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=12.2.0-14`
Fixed version	Not Fixed

Description

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

github-actions · 2023-11-26T17:39:07Z

Recommended fixes for image `nam20485/odbdesign:pr-125`

Base image is debian:12-slim

Name	bookworm-20231120-slim
Digest	sha256:93ff361288a7c365614a5791efa3633ce4224542afb6b53a1790330a8e52fc7d
Vulnerabilities
Pushed	5 days ago
Size	29 MB
Packages	126
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): 12.2-slim, bookworm-20231120-slim, bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
`stable-slim` Tag is preferred tag Also known as: stable-20231120-slim	Benefits: Same OS detected Image is smaller by 9 B Tag is preferred tag Tag was pushed more recently Image has same number of vulnerabilities Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 29 MB Flavor: debian OS: 11 Slim: ✅	5 days ago
`12` Tag is latest Also known as: 12.2 bookworm bookworm-20231120 latest	Benefits: Same OS detected Tag is latest Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 50 MB Flavor: debian OS: 12	5 days ago

github-actions · 2023-11-26T17:39:24Z

Overview

Image reference	`ghcr.io/nam20485/odbdesign:release-latest`	`nam20485/odbdesign:pr-125`
- digest	`123754eb396a`	`03fb40a8e530`
- provenance	`85a4565`	`0bce68f`
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	35 MB	39 MB (+4.4 MB)
- packages	126	126
Base Image	`debian:12-slim` also known as: • `12.2-slim` • `bookworm-slim`	`debian:12-slim` also known as: • `12.2-slim` • `bookworm-20231120-slim` • `bookworm-slim`
- vulnerabilities

Labels (3 changes)

± 3 changed

6 unchanged

 org.opencontainers.image.authors=https://github.com/nam20485
-org.opencontainers.image.created=2023-10-29T13:58:39.103Z
+org.opencontainers.image.created=2023-11-26T17:33:55.047Z
 org.opencontainers.image.description=A free open source cross-platform C++ library for parsing ODB++ Design archives, accessing their data, and building net list product models. Exposed via a REST API and packaged inside of a Docker image.
 org.opencontainers.image.licenses=MIT
-org.opencontainers.image.revision=85a4565d02dac3f57002c533719097f434578d03
+org.opencontainers.image.revision=0bce68f0b11a5bbdfd0936b83bc6ee9ef29fbdff
 org.opencontainers.image.source=https://github.com/nam20485/OdbDesign
 org.opencontainers.image.title=OdbDesign
 org.opencontainers.image.url=https://github.com/nam20485/OdbDesign
-org.opencontainers.image.version=release-368
+org.opencontainers.image.version=pr-125

nam20485 added 30 commits October 28, 2023 11:23

add log to stderr if archive read open fails

13b13a5

enable pr comments for dependency-review workflow

6f1af62

add dependency and OpenSSF Security Scorecard badges

e35b5d5

handle compressed Unix archives (i.e. *.Z, *.z)

0ef9cac

remove unreachable return statement to fix warning

99557bc

change static consts strings from std::string to char*

b95ccdf

add GetDirectory() to hold file's parent directory

d0b47b6

handle eda data files that are compressed with old Unix compression (…

04201d0

…i.e. .Z, .z)

move getUncompressedFilePath into ArchiveExtractor class

ffbc8d3

rename method

92dd075

handle compressed .Z components file

de3f85f

add parse_error exception class

94a2425

catch (and re-throw) all exceptions

d7c8550

catch (and re-throw) all exceptions

4f2f5f6

use throw_parse_error macro when encountering errors in parsing of ed…

f27b06d

…a data files

allow passing in header text when building parse_error message

fc01520

add logging for starting and stopping parsing all design files

9adae37

add parse_error support for layer component file parsing

eb41ac7

clear vectors in ~EdaDataFile dtor

c2ec67f

log elapsed time to parse the design

46e0196

do not fail parsing when finding an attribute w/ a name but no value …

8632831

…in misc/info file

refactor parse_error to split data out into a parse_info struct

3b906b7

refactor parse files to use parse_info instead of parse_error

20a1df5

make sure to close ifstream's when finished

0591103

remove extraneous try/catch and re-throw's

00e519c

add StopWatch class

cb08601

use StopWatch class to print elapsed time for parsing designs

6575fc9

add CODEOWNERS file

9703a9e

formatting

8587058

nam20485 and others added 24 commits November 19, 2023 15:15

Merge branch 'nam20485' of github.com:nam20485/OdbDesign into nam20485

91eb659

open and close file stream on each log file write

d9d2859

Bump debian from bookworm-20231030 to bookworm-20231120

98cbd62

Bumps debian from bookworm-20231030 to bookworm-20231120. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

add BoardSide::Neither

19ca7a1

convert ComponentLayerDirectory into ComponentsFile

63e6f75

create componentsfile.proto and move PropertyRecord out to a common c…

70968a5

…lass shared between EdaDatFile and ComponentsFile

add #include <vector>

ba443dc

Bump debian from 3c189c2 to 133a1f2

4ed0ae9

Bumps debian from `3c189c2` to `133a1f2`. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

Merge branch 'development' into nam20485

8403cf6

Merge branch 'development' into nam20485

726b38b

merge to development (#121)

d723dd2

merge to main (#124)

779b180

nam20485 enabled auto-merge November 26, 2023 17:33

nam20485 disabled auto-merge November 26, 2023 18:23

nam20485 merged commit 2b1568e into release Nov 26, 2023
17 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

merge to release #125

merge to release #125

nam20485 commented Nov 26, 2023

github-actions bot commented Nov 26, 2023

github-actions bot commented Nov 26, 2023

github-actions bot commented Nov 26, 2023

merge to release #125

merge to release #125

Conversation

nam20485 commented Nov 26, 2023

github-actions bot commented Nov 26, 2023

🔍 Vulnerabilities of nam20485/odbdesign:pr-125

github-actions bot commented Nov 26, 2023

Recommended fixes for image nam20485/odbdesign:pr-125

Refresh base image

Change base image

github-actions bot commented Nov 26, 2023

Overview

🔍 Vulnerabilities of `nam20485/odbdesign:pr-125`

Recommended fixes for image `nam20485/odbdesign:pr-125`