clair 4.7.3 #164288

Merged
merged 2 commits into from
Feb 26, 2024

BrewTestBot

Created by brew bump


Created with brew bump-formula-pr.

release notes
Highlights:
  • The minimum TLS version is now 1.2.
    Previously, servers also allowed 1.1 connections.

  • Claircore is updated to v1.5.25:

    • rhcc, rhel: support compression of sideband data

      If a Clair instance is using local files for the data needed for the `rhel` and `rhcc` indexers, this data may now be compressed. This should allow for the files to fit within a Kubernetes ConfigMap, making some deployments easier to wrangle.
    • datastore: add "delta" update interface

      This change should allow for updaters to use fewer resources and consume API-based data sources in the future. As of this change, no in-tree updaters have been converted to this interface.
    • java: size buffers correctly before use

      This should reduce memory consumption for indexing layers that have deeply nested Java archives.
    • postgres: remove internal timeouts

      Database queries now take as long as needed to execute. This shouldn't negatively affect any working uses, and should make some slower or less-optimized queries possible on larger instances.
    • integration: make PGVERSION a pattern

      The behavior of the setup of an embedded PostgreSQL in integration tests has changed. The relevant environment variable (`PGVERSION`) is now a pattern instead of a literal version string. Note that a version string would be a pattern that matches itself, so that format continues to work.

      Additionally, the version used is now read from the distributed
      manifest, rather than hard-coded versions. Other than occasional network
      calls to fetch this manifest, users shouldn't notice any difference.

    • alpine: add edge support

      Alpine's `edge` version should now be supported for reporting.
    • rpm: support PGP V4 signatures

      Rpm has apparently started using "current"/V4 PGP signatures, which claircore was not handling. This adds support for these signatures.
    • jsonblob: add a disk buffering step

      This improves "offline" operation by eagerly buffering output to disk instead of creating a large in-memory data structure first.

      This makes the API trickier but given that there's a single (known and
      intended) user, this should be fine.

    • tarfs: check a potential integer overflow

      This change fixes a potential integer overflow in tar handling code.

      The possibility of exploiting this is effectively 0, as it would require
      more bytes to represent a sufficiently large integer than is available
      in the tar header.

      See also: https://github.com/quay/claircore/security/code-scanning/5

    • gobin: take into account package replacements

      Previously, there was a bug where package replacements were not considered for go binaries.
    • all: purge http.DefaultClient usage

      Some packages with less churn (`photon`, `oracle`, `aws`) were using older ways of getting an `*http.Client` or using `http.DefaultClient`.

      This change breaks some API in exchange for unifying the *http.Client
      handling. The practical upshot is that it's much easier to control the
      network contact surface.

    • all: share single FS implementation

      Claircore components that deal with `Layer` objects now share a single backing File and a single `fs.FS` implementation when using the `FS` method. There should be no noticeable changes for users, but out-of-tree implementations may want to move over to using the new FS method.

      This change should improve memory usage.

    • libindex: move to O_TMPFILE fetcher

      This release uses a new fetcher (the component responsible for pulling layers locally) that makes use of the O_TMPFILE flag to open(2). This ensures that layer files will be cleaned up even in the event of an unclean shutdown, including being sent a KILL signal.

v4.7.3 - 2024-02-26

Admin

  • 9517c7be: add a check for compatible migration version
    See Also: #1915

Chore

Config

  • 6ba32131: update minimum TLS version for server
    See Also: #1945
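
The TLS floor described in the release notes can be checked from the client side. The following is an added example, not code from Clair or from this PR: it uses Go's standard `httptest` server as a stand-in for a Clair listener, and the names `probe`, `tls11` and `tls12` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Short names for the two protocol versions the release note mentions.
const (
	tls11 uint16 = tls.VersionTLS11
	tls12 uint16 = tls.VersionTLS12
)

// probe starts a throwaway local HTTPS server whose floor is serverMin and
// makes one request with a client that offers nothing newer than clientMax.
// A nil return means the handshake and request succeeded.
func probe(serverMin, clientMax uint16) error {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{MinVersion: serverMin} // the setting under test
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client() // already trusts the test server's certificate
	cfg := client.Transport.(*http.Transport).TLSClientConfig
	cfg.MinVersion = tls.VersionTLS10 // Go clients default to 1.2; lower it explicitly
	cfg.MaxVersion = clientMax
	resp, err := client.Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	fmt.Println("floor 1.1, client capped at 1.1:", probe(tls11, tls11))
	fmt.Println("floor 1.2, client capped at 1.1:", probe(tls12, tls11))
	fmt.Println("floor 1.2, client capped at 1.2:", probe(tls12, tls12))
}
```

Only the middle case returns an error: a server with a 1.2 floor refuses the handshake from a client that cannot go above 1.1, which is the behaviour change the note describes.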

@github-actions github-actions bot added go Go use is a significant feature of the PR or issue bump-formula-pr PR was created using `brew bump-formula-pr` labels Feb 26, 2024

🤖 An automated task has requested bottles to be published to this PR.

@github-actions github-actions bot added the CI-published-bottle-commits The commits for the built bottles have been pushed to the PR branch. label Feb 26, 2024
@BrewTestBot BrewTestBot added this pull request to the merge queue Feb 26, 2024
Merged via the queue into Homebrew:master with commit 830dcc2 Feb 26, 2024
12 checks passed
@BrewTestBot BrewTestBot deleted the bump-clair-4.7.3 branch February 26, 2024 22:05
@github-actions github-actions bot added the outdated PR was locked due to age label Mar 28, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 28, 2024