Merge branch 'master' into ux_404

.github/workflows/codeql-analysis.yml

@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+      uses: github/codeql-action/init@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+      uses: github/codeql-action/autobuild@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+      uses: github/codeql-action/analyze@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3

.github/workflows/publish-to-pypi.yaml

@@ -44,7 +44,7 @@ jobs:
         build
         --sdist --wheel --outdir dist/ .
     - name: Publish distribution to PyPI
-      uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # v1.11.0
+      uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
       with:
         password: ${{ secrets.PYPI_API_TOKEN }}
         packages_dir: dist/

.github/workflows/scorecards.yml

@@ -50,6 +50,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@6a89f57882288b3d2f190cda65000eec9e9ebb7c # v2.27.0
+        uses: github/codeql-action/upload-sarif@cb6549f9103a3855e5c5084c8f44b706e1b0a83f # v2.27.3
         with:
           sarif_file: results.sarif

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/importer.yaml

@@ -16,3 +16,7 @@ spec:
               # TODO(michaelkedar): ssh secrets
               # TODO(michaelkedar): single source of truth w/ terraform config
               - "--public_log_bucket=osv-test-public-import-logs"
+              # Note that with https://github.com/google/osv.dev/pull/2766
+              # addition per-repository settings make this *really* take effect, see
+              # https://github.com/google/osv.dev/pull/2837
+              - "--strict_validation=True"

deployment/terraform/environments/oss-vdb-test/main.tf

@@ -39,11 +39,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 5.44.0"
+      version = "~> 5.45.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 5.44.0"
+      version = "~> 5.45.0"
     }
     external = {
       source  = "hashicorp/external"

deployment/terraform/environments/oss-vdb/main.tf

@@ -37,11 +37,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 5.44.0"
+      version = "~> 5.45.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 5.44.0"
+      version = "~> 5.45.0"
     }
     external = {
       source  = "hashicorp/external"

docker/indexer/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.23.2-alpine@sha256:9dd2625a1ff2859b8d8b01d8f7822c0f528942fe56cfe7a1e7c38d3b8d72d679 AS GO_BUILD
+FROM golang:1.23.3-alpine@sha256:25db3a0508ff009054bf467f25e1ab395fced0f93b69459dd736ae523e61c781 AS GO_BUILD
 WORKDIR /build
 
 # Cache dependencies in these steps
@@ -24,7 +24,7 @@ RUN go mod download
 COPY ./ /build
 RUN CGO_ENABLED=0 ./build.sh
 
-FROM gcr.io/distroless/base-debian12@sha256:8fe31fb9d159141d9c3ff99f1fd287239d89d97ea95fea1f08f82ea5f2b544da
+FROM gcr.io/distroless/base-debian12@sha256:7a4bffcb07307d97aa731b50cb6ab22a68a8314426f4e4428335939b5b1943a5
 COPY --from=GO_BUILD build/indexer /indexer
 ENTRYPOINT ["/indexer"]
 CMD ["--help"]

docker/terraform/Dockerfile

@@ -1,12 +1,12 @@
 # Taken and modified from https://github.com/GoogleCloudPlatform/cloud-builders-community/tree/master/terraform
 
-FROM golang:1.23.2-alpine@sha256:9dd2625a1ff2859b8d8b01d8f7822c0f528942fe56cfe7a1e7c38d3b8d72d679 AS GO_BUILD
+FROM golang:1.23.3-alpine@sha256:25db3a0508ff009054bf467f25e1ab395fced0f93b69459dd736ae523e61c781 AS GO_BUILD
 
 ARG TERRAFORM_VERSION
 WORKDIR /build/
 RUN GOBIN=$(pwd) go install github.com/hashicorp/terraform@v${TERRAFORM_VERSION}
 
-FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:0909bcf77e59a61a3430235d9be8f546907e72455eec196a59c8e18ee0df58f5
+FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:5fb06d62786edacb958f6d5a8a993eac3b747d84a7ca3c6433ae1f9a6df098e1
 
 COPY --from=GO_BUILD /build/terraform /usr/bin/terraform
 COPY entrypoint.bash /builder/entrypoint.bash

gcp/appengine/Dockerfile

@@ -1,5 +1,5 @@
 # Build the Javascript frontend
-FROM node:20.18@sha256:a5e0ed56f2c20b9689e0f7dd498cac7e08d2a3a283e92d9304e7b9b83e3c6ff3 AS FRONTEND3_BUILD
+FROM node:20.18@sha256:7eaecf12ba40043be19af57e2c7fba35d61f9b906128e3e4d11eda81b1ecb857 AS FRONTEND3_BUILD
 WORKDIR /build/frontend3
 
 # Install dependencies first for better caching

gcp/appengine/frontend3/src/templates/vulnerability.html

@@ -17,7 +17,7 @@ <h1 class="title">
           <a class="vulnerability-improvement-link" href="{{ vulnerability.human_source_link }}/improve">
             Suggest an improvement
           </a>
-        {% elif vulnerability.human_source_link -%}
+        {% elif vulnerability.human_source_link and not vulnerability.id.startswith("openSUSE-") -%}
           <div class="vulnerability-improvement-link">
           <a href="https://google.github.io/osv.dev/faq/#ive-found-something-wrong-with-the-data" target="_blank" rel="noopener noreferrer" title="Follow the Source link below and use its record feedback reporting mechanism">
             See a problem?
@@ -42,7 +42,7 @@ <h1 class="title">
           <dt>Import Source</dt>
           <dd><a href="{{ vulnerability.source_link }}" target="_blank" rel="noopener noreferrer">{{
               vulnerability.source }}</a></dd>
-          
+
           <dt>JSON Data</dt>
           <dd><a href="https://{{ api_url }}/v1/vulns/{{ vulnerability.id }}" target="_blank" rel="noopener noreferrer">
             https://{{ api_url }}/v1/vulns/{{ vulnerability.id }}</a>
@@ -379,4 +379,4 @@ <h3 class="mdc-layout-grid__cell--span-3">
     });
   });
 </script>
-{% endblock -%}
+{% endblock -%}

source.yaml

@@ -280,6 +280,7 @@
   bucket: 'resf-osv-data'
   db_prefix: ['RLSA-']
   ignore_git: False
+  human_link: 'https://errata.rockylinux.org/{{ BUG_ID }}'
   link: 'https://storage.googleapis.com/resf-osv-data/'
   editable: False
 
@@ -292,6 +293,7 @@
   bucket: 'resf-osv-data'
   db_prefix: ['RXSA-']
   ignore_git: False
+  human_link: 'https://errata.rockylinux.org/{{ BUG_ID }}'
   link: 'https://storage.googleapis.com/resf-osv-data/'
   editable: False