github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-16 21:46:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
437 Commits 40 Branches 45 Tags
2ef9a40437b4fd842592cf960c36fe7606471ffa
Commit Graph

437 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ramon Petgrave
2ef9a40437 minify test data 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 15:52:17 +00:00
Ramon Petgrave
944c9a6f4c singular print-attestation 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-19 00:32:31 +00:00
Ramon Petgrave
610ef6f1af verify reamining fields, print attestations 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-19 00:30:15 +00:00
Ramon Petgrave
13a74b5b4a embed the google vsa key, match against all signatures, match the subject digests 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 22:18:25 +00:00
Ramon Petgrave
ead4e9bf4e use utility to parse envelope, docs, use keyID 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 20:23:24 +00:00
Ramon Petgrave
edde0a8aca cleanup, more skeleton 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:48:42 +00:00
Ramon Petgrave
1f123f3c1d attempt to verify envelope 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:35:53 +00:00
Ramon Petgrave
2dc64f7bda vsa parser 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:35:24 +00:00
Ramon Petgrave
2f76f12ff3 different test example 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:34:37 +00:00
Ramon Petgrave
9704c97a22 parse dsse envelope 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-17 16:07:41 +00:00
Ramon Petgrave
a3a573a800 cleanup 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-17 16:06:50 +00:00
Ramon Petgrave
b90ede0bde rename to TrustedProducerID, allow muyltiple --subject-digest flags 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-14 18:15:25 +00:00
Ramon Petgrave
a25abe2323 testdata, sample invocation in README.md 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-13 22:28:58 +00:00
Ramon Petgrave
b5eb1473b8 skeletion verify-vsa command 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-13 22:28:08 +00:00
Ramon Petgrave
7980fdebf6 Changed success message to a more general "PASSED: SLSA verification passed" 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-13 22:22:56 +00:00
Ramon Petgrave
18c5f13b3e fix: signoff commit (#767) 
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760

Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit

# Testing

- [x] Invoked this PR's branch copy of the workflow against #717, and it
did signoff the commit.
-
9670f76ab8

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 16:45:20 +00:00
Ramon Petgrave
b55bf59ce4 fix: use pr_number as env variable (#771) 
changing the update-dist workflow to use the `pr_number` input as an env
variable to avoid [script
injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks).

Our workflows are only invokable by our trusted maintainers so we should
be okay. This is just an extra hardening measure.

Open issue
https://github.com/actions/runner/issues/1070#issuecomment-2113287699

## Testing

I confirmed the issue by invoking the workflow with `650 && echo SCRIPT
INJECTION`, and it did also do the extra `echo` command.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36

after invoking the workflow again with this PR's version, the problem is
mitigated.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 12:20:16 -04:00
Ian Lewis
87b5bae6d4 chore: Update Renovate config (#769) 
# Summary

Updates renovate config to use the
[`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices)
preset rather than the `config:base` preset since `config:base` seems to
be deprecated.

Also updates the `schedule` config to use the
[`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly)
preset.

Also adds a pre-submit to run the
[`renovate-config-validator`](https://docs.renovatebot.com/config-validation/)
to ensure that renovate config is valid. This pre-submit will need to be
made required in the repository branch protection rule for `main` in the
repository settings after this PR is merged.

---------

Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
Signed-off-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-16 07:13:09 +09:00
Ian Lewis
138a2348fc chore: fix pr-title-checker (#770) 
Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version
comment.

Signed-off-by: Ian Lewis <ianlewis@google.com>
 2024-05-15 12:10:15 -04:00
Mend Renovate
e7a8f74b9c fix(deps): update dependency @actions/core to v1.10.1 (#717) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[@actions/core](https://togithub.com/actions/toolkit/tree/main/packages/core)
([source](https://togithub.com/actions/toolkit/tree/HEAD/packages/core))
| [`1.10.0` ->
`1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/core)</summary>

###
[`v1.10.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101)

- Fix error message reference in oidc utils
[#&#8203;1511](https://togithub.com/actions/toolkit/pull/1511)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>
 2024-05-07 14:09:48 -04:00
Ramon Petgrave
23160d82c0 feat: workflow to update actions dist (#760) 
Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.

> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!

## Testing.

Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-06 17:56:35 -04:00
Mend Renovate
9c4e2196d8 chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 (#763) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `1a8ece8` -> `53745e9` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-06 16:01:16 +00:00
Mend Renovate
f787eeebf7 chore(deps): update golang:1.21 docker digest to d83472f (#764) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `81811f8` -> `d83472f` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-05-06 11:48:47 -04:00
Ramon Petgrave
637b07fdab chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata (#758) 
https://github.com/slsa-framework/slsa-github-generator/issues/3576

Next step in 

https://github.com/slsa-framework/slsa-github-generator/blob/main/RELEASE.md#update-verifier

Creating new test data for slsa-github-generator@v2.0.0

# Instructions:

## diff to download-artifacts.sh

```
diff --git a/download-artifacts.sh b/download-artifacts.sh
old mode 100644
new mode 100755
index e5e218e8..49257ea6
--- a/download-artifacts.sh
+++ b/download-artifacts.sh
@@ -88,6 +88,10 @@ unzip_files() {
         rm -rf "${tmp_dir}"
         ;;
 
+    ./*.zip)
+        unzip -o "${zip_path}" -d "${output_path}"
+        ;;
+
     *)
         echo "unexpected file path: ${zip_path}"
         exit 1
@@ -167,7 +171,7 @@ rename_java_files "test-java-project-" "maven"
 rename_java_files "workflow_dispatch-" "gradle"
 
 # Files downloaded. Now copy them
-repo_path="../.."
+repo_path="/path/to/slsa-verifier"
 
 # Go builder files.
 copy_files "gha_go-binary-linux-amd64-" "${repo_path}/cli/slsa-verifier/testdata/gha_go/${version}"
```

## download the artifacts

```
../slsa-verifier/download-artifacts.sh 8791212155 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219359 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219514 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219607 v2.0.0
```

## docker github auth

```
gh auth login --scopes=read:packages
echo `gh auth token` | docker login ghcr.io -u ramonpetgrave64 --password-stdin
cosign save \
    --dir ./cli/slsa-verifier/testdata/gha_generic_container/v2.0.0/container_workflow_dispatch \
    ghcr.io/slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3@sha256:55aee984fd6b1d0e0a19a55265d10d40063a2212bdbabd75b202b1728236548d
```

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-04-23 12:26:13 -04:00
Mend Renovate
ee32cbff7e chore(deps): update golang:1.21 docker digest to 81811f8 (#693) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `ec457a2` -> `81811f8` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuMzAxLjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-04-18 16:46:15 +00:00
Mend Renovate
79d225bb44 fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] (#723) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign)
| `v2.2.0` -> `v2.2.4` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2023-46737](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9)

### Summary
Cosign is susceptible to a denial of service by an attacker controlled
registry. An attacker who controls a remote registry can return a high
number of attestations and/or signatures to Cosign and cause Cosign to
enter a long loop resulting in an endless data attack. The root cause is
that Cosign loops through all attestations fetched from the remote
registry in `pkg/cosign.FetchAttestations`.

The attacker needs to compromise the registry or make a request to a
registry they control. When doing so, the attacker must return a high
number of attestations in the response to Cosign. The result will be
that the attacker can cause Cosign to go into a long or infinite loop
that will prevent other users from verifying their data. In Kyvernos
case, an attacker whose privileges are limited to making requests to the
cluster can make a request with an image reference to their own
registry, trigger the infinite loop and deny other users from completing
their admission requests. Alternatively, the attacker can obtain control
of the registry used by an organization and return a high number of
attestations instead the expected number of attestations.

The vulnerable loop in Cosign starts on line 154 below:

0044432284/pkg/cosign/fetch.go (L135-L196)

The `l` slice is controllable by an attacker who controls the remote
registry.

Many cloud-native projects consider the remote registry to be untrusted,
including Crossplane, Notary and Kyverno. We consider the same to be the
case for Cosign, since users are not in control of whether the registry
returns the expected data.

TUF's security model labels this type of vulnerability an ["Endless data
attack"](https://theupdateframework.io/security/), but an attacker could
use this as a type of rollback attack, in case the user attempts to
deploy a patched version of a vulnerable image; The attacker could
prevent this upgrade by causing Cosign to get stuck in an infinite loop
and never complete.

### Mitigation
The issue can be mitigated rather simply by setting a limit to the limit
of attestations that Cosign will loop through. The limit does not need
to be high to be within the vast majority of use cases and still prevent
the endless data attack.

####
[CVE-2024-29902](https://togithub.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc)

### Summary
A remote image with a malicious attachment can cause denial of service
of the host machine running Cosign. This can impact other services on
the machine that rely on having memory available such as a Redis
database which can result in data loss. It can also impact the
availability of other services on the machine that will not be available
for the duration of the machine denial.

### Details
The root cause of this issue is that Cosign reads the attachment from a
remote image entirely into memory without checking the size of the
attachment first. As such, a large attachment can make Cosign read a
large attachment into memory; If the attachments size is larger than the
machine has memory available, the machine will be denied of service. The
Go runtime will make a `SIGKILL` after a few seconds of system-wide
denial.

The root cause is that Cosign reads the contents of the attachments
entirely into memory on line 238 below:


9bc3ee309b/pkg/oci/remote/remote.go (L228-L239)

...and prior to that, neither Cosign nor go-containerregistry checks the
size of the attachment and enforces a max cap. In the case of a remote
layer of `f *attached`, go-containerregistry will invoke this API:


a0658aa1d0/pkg/v1/remote/layer.go (L36-L40)
```golang
func (rl *remoteLayer) Compressed() (io.ReadCloser, error) {
	// We don't want to log binary layers -- this can break terminals.
	ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs")
	return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)
}
```

Notice that the second argument to `rl.fetcher.fetchBlob` is
`verify.SizeUnknown` which results in not using the `io.LimitReader` in
`verify.ReadCloser`:

a0658aa1d0/internal/verify/verify.go (L82-L100)
```golang
func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
	w, err := v1.Hasher(h.Algorithm)
	if err != nil {
		return nil, err
	}
	r2 := io.TeeReader(r, w) // pass all writes to the hasher.
	if size != SizeUnknown {
		r2 = io.LimitReader(r2, size) // if we know the size, limit to that size.
	}
	return &and.ReadCloser{
		Reader: &verifyReader{
			inner:    r2,
			hasher:   w,
			expected: h,
			wantSize: size,
		},
		CloseFunc: r.Close,
	}, nil
}
```

### Impact
This issue can allow a supply-chain escalation from a compromised
registry to the Cosign user: If an attacher has compromised a registry
or the account of an image vendor, they can include a malicious
attachment and hurt the image consumer.

### Remediation
Update to the latest version of Cosign, which limits the number of
attachments. An environment variable can override this value.

####
[CVE-2024-29903](https://togithub.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv)

Maliciously-crafted software artifacts can cause denial of service of
the machine running Cosign, thereby impacting all services on the
machine. The root cause is that Cosign creates slices based on the
number of signatures, manifests or attestations in untrusted artifacts.
As such, the untrusted artifact can control the amount of memory that
Cosign allocates.

As an example, these lines demonstrate the problem:


286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)

This `Get()` method gets the manifest of the image, allocates a slice
equal to the length of the layers in the manifest, loops through the
layers and adds a new signature to the slice.

The exact issue is Cosign allocates excessive memory on the lines that
creates a slice of the same length as the manifests.

## Remediation

Update to the latest version of Cosign, where the number of
attestations, signatures and manifests has been limited to a reasonable
value.

## Cosign PoC

In the case of this API (also referenced above):


286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)

… The first line can contain a length that is safe for the system and
will not throw a runtime panic or be blocked by other safety mechanisms.
For the sake of argument, let’s say that the length of `m, err :=
s.Manifest()` is the max allowed (by the machine without throwing OOM
panics) manifests minus 1. When Cosign then allocates a new slice on
this line: `signatures := make([]oci.Signature, 0, len(m.Layers))`,
Cosign will allocate more memory than is available and the machine will
be denied of service, causing Cosign and all other services on the
machine to be unavailable.

To illustrate the issue here, we run a modified version of
`TestSignedImageIndex()` in `pkg/oci/remote`:


14795db164/pkg/oci/remote/index_test.go (L31-L57)

Here, `wantLayers` is the number of manifests from these lines:


286a98a4a9/pkg/oci/remote/signatures.go (L56-L60)

To test this, we want to make `wantLayers` high enough to not cause a
memory on its own but still trigger the machine-wide OOM when a slice
gets create with the same length. On my local machine, it would take
hours to create a slice of layers that fulfils that criteria, so instead
I modify the Cosign production code to reflect a long list of manifests:

```golang
// Get implements oci.Signatures
func (s *sigs) Get() ([]oci.Signature, error) {
        m, err := s.Manifest()
        if err != nil {
                return nil, err
        }
        // Here we imitate a long list of manifests
        ms := make([]byte, 2600000000) // imitate a long list of manifests
        signatures := make([]oci.Signature, 0, len(ms))
        panic("Done")
        //signatures := make([]oci.Signature, 0, len(m.Layers))
        for _, desc := range m.Layers {
```

With this modified code, if we can cause an OOM without triggering the
`panic("Done")`, we have succeeded.

---

### Release Notes

<details>
<summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary>

###
[`v2.2.4`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v224)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.3...v2.2.4)

#### Bug Fixes

- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv
([#&#8203;3661](https://togithub.com/sigstore/cosign/issues/3661))
- ErrNoSignaturesFound should be used when there is no signature
attached to an image.
([#&#8203;3526](https://togithub.com/sigstore/cosign/issues/3526))
- fix semgrep issues for dgryski.semgrep-go ruleset
([#&#8203;3541](https://togithub.com/sigstore/cosign/issues/3541))
- Honor creation timestamp for signatures again
([#&#8203;3549](https://togithub.com/sigstore/cosign/issues/3549))

#### Features

- Adds Support for Fulcio Client Credentials Flow, and Argument to Set
Flow Explicitly
([#&#8203;3578](https://togithub.com/sigstore/cosign/issues/3578))

#### Documentation

- add oci bundle spec
([#&#8203;3622](https://togithub.com/sigstore/cosign/issues/3622))
- Correct help text of triangulate cmd
([#&#8203;3551](https://togithub.com/sigstore/cosign/issues/3551))
- Correct help text of verify-attestation policy argument
([#&#8203;3527](https://togithub.com/sigstore/cosign/issues/3527))
- feat: add OVHcloud MPR registry tested with cosign
([#&#8203;3639](https://togithub.com/sigstore/cosign/issues/3639))

#### Testing

- Refactor e2e-tests.yml workflow
([#&#8203;3627](https://togithub.com/sigstore/cosign/issues/3627))
- Clean up and clarify e2e scripts
([#&#8203;3628](https://togithub.com/sigstore/cosign/issues/3628))
- Don't ignore transparency log in tests if possible
([#&#8203;3528](https://togithub.com/sigstore/cosign/issues/3528))
- Make E2E tests hermetic
([#&#8203;3499](https://togithub.com/sigstore/cosign/issues/3499))
- add e2e test for pkcs11 token signing
([#&#8203;3495](https://togithub.com/sigstore/cosign/issues/3495))

###
[`v2.2.3`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v223)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.2...v2.2.3)

#### Bug Fixes

- Fix race condition on verification with multiple signatures attached
to image
([#&#8203;3486](https://togithub.com/sigstore/cosign/issues/3486))
- fix(clean): Fix clean cmd for private registries
([#&#8203;3446](https://togithub.com/sigstore/cosign/issues/3446))
- Fixed BYO PKI verification
([#&#8203;3427](https://togithub.com/sigstore/cosign/issues/3427))

#### Features

- Allow for option in cosign attest and attest-blob to upload
attestation as supported in Rekor
([#&#8203;3466](https://togithub.com/sigstore/cosign/issues/3466))
- Add support for OpenVEX predicate type
([#&#8203;3405](https://togithub.com/sigstore/cosign/issues/3405))

#### Documentation

- Resolves
[#&#8203;3088](https://togithub.com/sigstore/cosign/issues/3088):
`version` sub-command expected behaviour documentation and testing
([#&#8203;3447](https://togithub.com/sigstore/cosign/issues/3447))
- add examples for cosign attach signature cmd
([#&#8203;3468](https://togithub.com/sigstore/cosign/issues/3468))

#### Misc

- Remove CertSubject function
([#&#8203;3467](https://togithub.com/sigstore/cosign/issues/3467))
- Use local rekor and fulcio instances in e2e tests
([#&#8203;3478](https://togithub.com/sigstore/cosign/issues/3478))

#### Contributors

-   aalsabag
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Colleen Murphy
-   Hayden B
-   Mukuls77
-   Omri Bornstein
-   Puerco
-   vivek kumar sahu

###
[`v2.2.2`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v222)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.1...v2.2.2)

v2.2.2 adds a new container with a shell,
`gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing
container `gcr.io/projectsigstore/cosign:vx.y.z` without a shell.

For private deployments, we have also added an alias for
`--insecure-skip-log`, `--private-infrastructure`.

#### Bug Fixes

- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6
([#&#8203;3411](https://togithub.com/sigstore/cosign/issues/3411)) which
fixes a bug with using Azure KMS
- Don't require CT log keys if using a key/sk
([#&#8203;3415](https://togithub.com/sigstore/cosign/issues/3415))
- Fix copy without any flag set
([#&#8203;3409](https://togithub.com/sigstore/cosign/issues/3409))
- Update cosign generate cmd to not include newline
([#&#8203;3393](https://togithub.com/sigstore/cosign/issues/3393))
- Fix idempotency error with signing
([#&#8203;3371](https://togithub.com/sigstore/cosign/issues/3371))

#### Features

- Add `--yes` flag `cosign import-key-pair` to skip the overwrite
confirmation.
([#&#8203;3383](https://togithub.com/sigstore/cosign/issues/3383))
- Use the timeout flag value in verify\* commands.
([#&#8203;3391](https://togithub.com/sigstore/cosign/issues/3391))
- add --private-infrastructure flag
([#&#8203;3369](https://togithub.com/sigstore/cosign/issues/3369))

#### Container Updates

- Bump builder image to use go1.21.4 and add new cosign image tags with
shell ([#&#8203;3373](https://togithub.com/sigstore/cosign/issues/3373))

#### Documentation

- Update SBOM_SPEC.md
([#&#8203;3358](https://togithub.com/sigstore/cosign/issues/3358))

#### Contributors

-   Carlos Tadeu Panato Junior
-   Dylan Richardson
-   Hayden B
-   Lily Sturmann
-   Nikos Fotiou
-   Yonghe Zhao

###
[`v2.2.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v221)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.0...v2.2.1)

**Note: This release comes with a fix for CVE-2023-46737 described in
this [Github Security
Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Please upgrade to this release ASAP**

#### Enhancements

- feat: Support basic auth and bearer auth login to registry
([#&#8203;3310](https://togithub.com/sigstore/cosign/issues/3310))
- add support for ignoring certificates with pkcs11
([#&#8203;3334](https://togithub.com/sigstore/cosign/issues/3334))
- Support ReplaceOp in Signatures
([#&#8203;3315](https://togithub.com/sigstore/cosign/issues/3315))
- feat: added ability to get image digest back via triangulate
([#&#8203;3255](https://togithub.com/sigstore/cosign/issues/3255))
- feat: add `--only` flag in `cosign copy` to copy sign, att & sbom
([#&#8203;3247](https://togithub.com/sigstore/cosign/issues/3247))
- feat: add support attaching a Rekor bundle to a container
([#&#8203;3246](https://togithub.com/sigstore/cosign/issues/3246))
- feat: add support outputting rekor response on signing
([#&#8203;3248](https://togithub.com/sigstore/cosign/issues/3248))
- feat: improve dockerfile verify subcommand
([#&#8203;3264](https://togithub.com/sigstore/cosign/issues/3264))
- Add guard flag for experimental OCI 1.1 verify.
([#&#8203;3272](https://togithub.com/sigstore/cosign/issues/3272))
- Deprecate SBOM attachments
([#&#8203;3256](https://togithub.com/sigstore/cosign/issues/3256))
- feat: dedent line in cosign copy doc
([#&#8203;3244](https://togithub.com/sigstore/cosign/issues/3244))
- feat: add platform flag to cosign copy command
([#&#8203;3234](https://togithub.com/sigstore/cosign/issues/3234))
- Add SLSA 1.0 attestation support to cosign. Closes
[#&#8203;2860](https://togithub.com/sigstore/cosign/issues/2860)
([#&#8203;3219](https://togithub.com/sigstore/cosign/issues/3219))
- attest: pass OCI remote opts to att resolver.
([#&#8203;3225](https://togithub.com/sigstore/cosign/issues/3225))

#### Bug Fixes

-   Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent
([#&#8203;3245](https://togithub.com/sigstore/cosign/issues/3245))
- ci: add a OCI registry test for referrers support
([#&#8203;3253](https://togithub.com/sigstore/cosign/issues/3253))
- Fix ReplaceSignatures
([#&#8203;3292](https://togithub.com/sigstore/cosign/issues/3292))
- Stop using deprecated in_toto.ProvenanceStatement
([#&#8203;3243](https://togithub.com/sigstore/cosign/issues/3243))
- Fixes
[#&#8203;3236](https://togithub.com/sigstore/cosign/issues/3236),
disable SCT checking for a cosign verification when usin…
([#&#8203;3237](https://togithub.com/sigstore/cosign/issues/3237))
- fix: update error in `SignedEntity` to be more descriptive
([#&#8203;3233](https://togithub.com/sigstore/cosign/issues/3233))
- Fail timestamp verification if no root is provided
([#&#8203;3224](https://togithub.com/sigstore/cosign/issues/3224))

#### Documentation

- Add some docs about verifying in an air-gapped environment
([#&#8203;3321](https://togithub.com/sigstore/cosign/issues/3321))
- Update CONTRIBUTING.md
([#&#8203;3268](https://togithub.com/sigstore/cosign/issues/3268))
- docs: improves the Contribution guidelines
([#&#8203;3257](https://togithub.com/sigstore/cosign/issues/3257))
- Remove security policy
([#&#8203;3230](https://togithub.com/sigstore/cosign/issues/3230))

#### Others

- Set go to min 1.21 and update dependencies
([#&#8203;3327](https://togithub.com/sigstore/cosign/issues/3327))
- Update contact for code of conduct
([#&#8203;3266](https://togithub.com/sigstore/cosign/issues/3266))
- Update .ko.yaml
([#&#8203;3240](https://togithub.com/sigstore/cosign/issues/3240))

#### Contributors

-   AdamKorcz
-   Andres Galante
-   Appu
-   Billy Lynch
-   Bob Callaway
-   Caleb Woodbine
-   Carlos Tadeu Panato Junior
-   Dylan Richardson
-   Gareth Healy
-   Hayden B
-   John Kjell
-   Jon Johnson
-   jonvnadelberg
-   Luiz Carvalho
-   Priya Wadhwa
-   Ramkumar Chinchani
-   Tosone
-   Ville Aikas
-   Vishal Choudhary
-   ziel

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [x] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-04-18 12:33:11 -04:00
Ramon Petgrave
8c9ed07f8f feat: fixes #547: add npm sigstore-tuf suport (#731) 
Addresses: https://github.com/slsa-framework/slsa-verifier/issues/547
 - [x] Pending: https://github.com/sigstore/sigstore-go/pull/41
Uses the new
[sigstore-go@0.2.0](https://github.com/sigstore/sigstore-go/releases/tag/v0.2.0)

Currently slsa-verifier has npmjs' attestation key hardcoded. But
sigstore now stores the same key within their own TUF root.

This PR 
- dynamically use the keyid specified in the sigstore bundle, rather
than the hardcoded keyid.
- uses an updated ([pending](
https://github.com/sigstore/sigstore-go/pull/41)) sigstore-go library
that allows us to fetch a signed and verified copy of the same key.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-04-16 17:21:49 +00:00
Mend Renovate
2a07cd6e3a fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 (#752) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools)
| `3.9.0` -> `3.11.0` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-04-03 00:55:07 +00:00
Ramon Petgrave
bcc39bf21a chore(deps): update npm dev (major) (#753) 
Redo of https://github.com/slsa-framework/slsa-verifier/pull/654

- Fix dev-dependencies related to es-lint that the renovate-bot couldn't
auto-fix

- a few commas automatically added by the new linter

- use node20 for tests to avoid caompatibility warnings

```
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@typescript-eslint/parser@7.5.0',
npm WARN EBADENGINE   required: { node: '^18.18.0 || >=20.0.0' },
npm WARN EBADENGINE   current: { node: 'v16.20.2', npm: '8.19.4' }
npm WARN EBADENGINE }
```

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Co-authored-by: Mend Renovate <bot@renovateapp.com>
 2024-04-02 17:44:08 -07:00
Mend Renovate
0547bc3002 fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 (#751) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-plugin-api](https://maven.apache.org/) |
`3.9.5` -> `3.9.6` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-plugin-api/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-plugin-api/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-plugin-api/3.9.5/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-plugin-api/3.9.5/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-04-02 18:46:09 +00:00
Mend Renovate
a8e21d5a83 chore(deps): update github-actions (major) (#719) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
major | `v3.6.0` -> `v4.1.1` |
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | major | `v3.1.5` -> `v4.2.5` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact)
| action | major | `v3.0.2` -> `v4.1.4` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| major | `v3` -> `v4` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| major | `v3.8.2` -> `v4.0.2` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | major | `v3.1.3` -> `v4.3.1` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | major | `v2.24.8` -> `v3.24.9` |
|
[golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action)
| action | major | `v3` -> `v4` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1)

##### What's Changed

- Update CODEOWNERS to Launch team by
[@&#8203;joshmgross](https://togithub.com/joshmgross) in
[https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510)
- Correct link to GitHub Docs by
[@&#8203;peterbe](https://togithub.com/peterbe) in
[https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511)
- Link to release page from what's new section by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1514](https://togithub.com/actions/checkout/pull/1514)

##### New Contributors

- [@&#8203;joshmgross](https://togithub.com/joshmgross) made their first
contribution in
[https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510)
- [@&#8203;peterbe](https://togithub.com/peterbe) made their first
contribution in
[https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511)

**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.0...v4.1.1

###
[`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0)

- [Add support for partial checkout
filters](https://togithub.com/actions/checkout/pull/1396)

###
[`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0)

- [Support fetching without the --progress
option](https://togithub.com/actions/checkout/pull/1067)
-   [Update to node20](https://togithub.com/actions/checkout/pull/1436)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.2.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.5):
4.2.5

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5)

#### What's Changed

- Fixed a bug where some configuration options in external files were
not being properly picked up --
[https://github.com/actions/dependency-review-action/pull/722](https://togithub.com/actions/dependency-review-action/pull/722)
-   Bump eslint from 8.56.0 to 8.57.0

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5

###
[`v4.2.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.4)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4)

#### What's Changed

Fixed a bug in the output of OpenSSF cards for GitHub Actions.

#### New Contributors

- [@&#8203;sporkmonger](https://togithub.com/sporkmonger) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/721](https://togithub.com/actions/dependency-review-action/pull/721)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4

###
[`v4.2.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.3):
4.2.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3)

#### What's Changed

- Set comment as output by [@&#8203;jsoref](https://togithub.com/jsoref)
in
[https://github.com/actions/dependency-review-action/pull/698](https://togithub.com/actions/dependency-review-action/pull/698)
- Add support for calculating OpenSSF Scorecards by
[@&#8203;jhutchings1](https://togithub.com/jhutchings1) in
[https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709)
- Add outputs for the changes data by
[@&#8203;laughedelic](https://togithub.com/laughedelic) in
[https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707)

#### New Contributors

- [@&#8203;jhutchings1](https://togithub.com/jhutchings1) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709)
- [@&#8203;laughedelic](https://togithub.com/laughedelic) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3

###
[`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3):
4.1.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3)

Fixes a bug in 4.1.2 that would introduce comments in every pull
request, regardless of the user's configuration (see
[https://github.com/actions/dependency-review-action/issues/697](https://togithub.com/actions/dependency-review-action/issues/697)).

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3

###
[`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2):
4.1.2

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2)

#### What's Changed

- Expose dependency comment content by
[@&#8203;jsoref](https://togithub.com/jsoref) in
[https://github.com/actions/dependency-review-action/pull/696](https://togithub.com/actions/dependency-review-action/pull/696)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2

###
[`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1):
4.1.1

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1)

#### What's Changed

- Bump `undici` to fix
[GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g)
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
20.11.17 to 20.11.19 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/693](https://togithub.com/actions/dependency-review-action/pull/693)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1

###
[`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0):
4.1.0

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0)

#### What's Changed

- Add `warn-only` by [@&#8203;tgrall](https://togithub.com/tgrall) in
[https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432)

Added a new configuration option (`warn-only`, boolean) that makes the
action always succeed while still displaying found vulnerabilities in
the log.

- Create stale.yaml by
[@&#8203;jonjanego](https://togithub.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671)
- Use manual codeql config by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/678](https://togithub.com/actions/dependency-review-action/pull/678)
- Multiple dependency updates (see the changelog below for more
information)

#### New Contributors

- [@&#8203;jonjanego](https://togithub.com/jonjanego) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671)
- [@&#8203;tgrall](https://togithub.com/tgrall) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4...v4.1.0

###
[`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0)

- Update action to Node 20 by
[@&#8203;takost](https://togithub.com/takost) in
[https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639)
-   Dependabot updates, see the full changelog for more details.

#### New Contributors

- [@&#8203;takost](https://togithub.com/takost) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.4`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.4)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.3...v4.1.4)

##### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact) by
[@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/307](https://togithub.com/actions/download-artifact/pull/307)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.4

###
[`v4.1.3`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.3)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.2...v4.1.3)

##### What's Changed

- Update release-new-action-version.yml by
[@&#8203;konradpabjan](https://togithub.com/konradpabjan) in
[https://github.com/actions/download-artifact/pull/292](https://togithub.com/actions/download-artifact/pull/292)
- Update toolkit dependency with updated unzip logic by
[@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299)
- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact) by
[@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/303](https://togithub.com/actions/download-artifact/pull/303)

##### New Contributors

- [@&#8203;bethanyj28](https://togithub.com/bethanyj28) made their first
contribution in
[https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.3

###
[`v4.1.2`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.2)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.1...v4.1.2)

- Bump
[@&#8203;actions/artifacts](https://togithub.com/actions/artifacts) to
latest version to include [updated GHES host
check](https://togithub.com/actions/toolkit/pull/1648)

###
[`v4.1.1`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.1)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.0...v4.1.1)

- Fix transient request timeouts
[https://github.com/actions/download-artifact/issues/249](https://togithub.com/actions/download-artifact/issues/249)
-   Bump `@actions/artifacts` to latest version

###
[`v4.1.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.0)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.0.0...v4.1.0)

#### What's Changed

- Some cleanup by [@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/247](https://togithub.com/actions/download-artifact/pull/247)
- Fix default for run-id by [@&#8203;stchr](https://togithub.com/stchr)
in
[https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252)
- Support pattern matching to filter artifacts & merge to same directory
by [@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/259](https://togithub.com/actions/download-artifact/pull/259)

#### New Contributors

- [@&#8203;stchr](https://togithub.com/stchr) made their first
contribution in
[https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.0

###
[`v4.0.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.0.0)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v3.0.2...v4.0.0)

#### What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major
changes to the backend architecture of Artifacts. They have numerous
performance and behavioral improvements.

ℹ️ However, this is a major update that includes breaking changes.
Artifacts created with versions v3 and below are not compatible with the
v4 actions. Uploads and downloads *must* use the same major actions
versions. There are also key differences from previous versions that may
require updates to your workflows.

For more information, please see:

1. The
[changelog](https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/)
post.
2. The
[README](https://togithub.com/actions/download-artifact/blob/main/README.md).
3. The [migration
documentation](https://togithub.com/actions/upload-artifact/blob/main/docs/MIGRATION.md).
4. As well as the underlying npm package,
[@&#8203;actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact)
documentation.

#### New Contributors

- [@&#8203;bflad](https://togithub.com/bflad) made their first
contribution in
[https://github.com/actions/download-artifact/pull/194](https://togithub.com/actions/download-artifact/pull/194)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v3...v4.0.0

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v4`](https://togithub.com/actions/setup-node/compare/v3...v4)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v3...v4)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.3.1`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.1)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.0...v4.3.1)

- Bump
[@&#8203;actions/artifacts](https://togithub.com/actions/artifacts) to
latest version to include [updated GHES host
check](https://togithub.com/actions/toolkit/pull/1648)

###
[`v4.3.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.0)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.2.0...v4.3.0)

##### What's Changed

- Reorganize upload code in prep for merge logic & add more tests by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/504](https://togithub.com/actions/upload-artifact/pull/504)
- Add sub-action to merge artifacts by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/505](https://togithub.com/actions/upload-artifact/pull/505)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.3.0

###
[`v4.2.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.2.0)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.1.0...v4.2.0)

##### What's Changed

- Ability to overwrite an Artifact by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/501](https://togithub.com/actions/upload-artifact/pull/501)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.2.0

###
[`v4.1.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.1.0)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.0.0...v4.1.0)

#### What's Changed

- Add migrations docs by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/482](https://togithub.com/actions/upload-artifact/pull/482)
- Update README.md by
[@&#8203;samuelwine](https://togithub.com/samuelwine) in
[https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492)
- Support artifact-url output by
[@&#8203;konradpabjan](https://togithub.com/konradpabjan) in
[https://github.com/actions/upload-artifact/pull/496](https://togithub.com/actions/upload-artifact/pull/496)
- Update readme to reflect new 500 artifact per job limit by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/497](https://togithub.com/actions/upload-artifact/pull/497)

#### New Contributors

- [@&#8203;samuelwine](https://togithub.com/samuelwine) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.1.0

###
[`v4.0.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.0.0)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v3.1.3...v4.0.0)

#### What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major
changes to the backend architecture of Artifacts. They have numerous
performance and behavioral improvements.

For more information, see the
[@&#8203;actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact)
documentation.

#### New Contributors

- [@&#8203;vmjoseph](https://togithub.com/vmjoseph) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/464](https://togithub.com/actions/upload-artifact/pull/464)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v3...v4.0.0

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.24.9`](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9)

###
[`v3.24.8`](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8)

###
[`v3.24.7`](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7)

###
[`v3.24.6`](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6)

###
[`v3.24.5`](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5)

###
[`v3.24.4`](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4)

###
[`v3.24.3`](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3)

###
[`v3.24.2`](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2)

###
[`v3.24.1`](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1)

###
[`v3.24.0`](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0)

###
[`v3.23.2`](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2)

###
[`v3.23.1`](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1)

###
[`v3.23.0`](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0)

###
[`v3.22.12`](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12)

###
[`v3.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.11...v3.22.11)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.9...v3.22.11)

###
[`v2.24.9`](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9)

</details>

<details>
<summary>golangci/golangci-lint-action
(golangci/golangci-lint-action)</summary>

###
[`v4`](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4)

[Compare
Source](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-04-01 15:26:46 +00:00
Mend Renovate
363e8da4fa chore(deps): update gcr.io/distroless/base:nonroot docker digest to 1a8ece8 (#701) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `c623859` -> `1a8ece8` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi42OC4xIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-04-01 08:13:46 -07:00
Ramon Petgrave
095d6f8200 feat: add ramonpetgrave64 as CODEOWNER (#750) 
adding myself as CODEOWNER

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-03-27 09:00:14 -07:00
Ramon Petgrave
fe539a2bde fix: use sigstore/pkg/fulcioroots to lessen deps (#746) 
We've long had the problem that slsa-verifier has too many dependencies.

This PR replaces `"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`
with `"github.com/sigstore/sigstore/pkg/fulcioroots"`,
removing lot's of unneeded transitive dependencies like
`"github.com/aws/aws-sdk-go-v2"` and
`"github.com/Azure/go-autorest/autorest"` from our `go.mod`.

## Investigation

At
[deps.dep](https://deps.dev/go/github.com%2Fslsa-framework%2Fslsa-verifier%2Fv2/v2.4.1/dependencies/graph?filter=aws),
we can see that the indirect dependencies of `aws/aws-sdk-go-v2` come
from `cosign/cosign`.

<img width="1110" alt="image"
src="https://github.com/slsa-framework/slsa-verifier/assets/32398091/3de1adf4-29ac-4bec-a511-0ae191c3141c">

That's a good start, but this gives us only module-wide dependencies,
not package-level dependencies. We can instead use `go mod why <pkg>` to
get the package-level dependency chain.

Now we know that it's our `gha` package that imports a fulcio package,
which imports an aws package.

```
➜  slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/                                  
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
```

Looking at our `gha` package we can see that the required methods from
fulcio are `Get()` and `GetIntermediates()`. Looking at the source
codes, we see that
`"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`'s implementation
of these methods is the same as
`"github.com/sigstore/sigstore/pkg/fulcioroots"`'s implementation. So we
chose the latter's implementation, which happens to require fewer
module-level dependencies.

-
546f1c5b91/cmd/cosign/cli/fulcio/fulcio.go (L16)
-
546f1c5b91/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go (L16)
-
25dd9f3e52/pkg/fulcioroots/fulcioroots.go (L17)

## Testing

- unit tests continue to pass
- manual test to verify a provenance with the steps in our
[readme](https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#npm-packages-built-using-the-slsa3-nodejs-builder)

## Future Work

The sigstore-go library is meant to be a more long-term solution, for
replacing much of the sigstore-related functionality that slsa-verifier
implements directly.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-03-27 14:27:09 +00:00
laurentsimon
b1f986788d chore: Update @actions/github v6 (#749) 
Need to re-compile
https://github.com/slsa-framework/slsa-verifier/pull/720/files

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2024-03-26 22:03:42 +00:00
Mend Renovate
66a9f93df2 fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 (#718) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-core](https://maven.apache.org/) | `3.8.1` ->
`3.9.6` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-core/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-core/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-core/3.8.1/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-core/3.8.1/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2024-03-26 20:42:43 +00:00
Mend Renovate
449e404e2a fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] (#743) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go)
| `v1.32.0` -> `v1.33.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fprotobuf/v1.32.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.32.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)

The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

---

### Release Notes

<details>
<summary>protocolbuffers/protobuf-go
(google.golang.org/protobuf)</summary>

###
[`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2024-03-26 15:33:59 +00:00
laurentsimon
f315652a8c chore: Update doc and digests for v2.5.1 (#748) 
This sets the expected sha256 of the v2.5.1 slsa-verifier released
binary.

How to LGTM this PR (I'll work on a proper doc for this in
https://github.com/slsa-framework/slsa-github-generator/issues/112):

1. Download the binary and provenance from
https://github.com/slsa-framework/slsa-verifier/releases/tag/v0.0.1
2. Clone the slsa-verifier repo, compile and verify the provenance using
the steps described in
https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance
```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ bash verify-release.sh v2.5.1
```

The output hash should be the hash I'm updating to in this PR. If they
match, LGTM. If they don't, someone tampered with the released binary
and don't LGTM

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2024-03-26 08:11:24 -07:00
laurentsimon
eb7007070b feat: Update verifier version in GHA installer (#747) 
This is part of the release tests in
https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#dry-run
to verify that the Action installer works.

A follow up PR will be sent prior to release to update to `v2.5.0`

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
v2.5.1 		2024-03-25 14:54:53 +00:00
Mend Renovate
594b179564 chore(deps): update github-actions (#741) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | patch | `v3.1.0` -> `v3.1.5` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| patch | `v3.8.1` -> `v3.8.2` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | minor | `v2.22.1` -> `v2.24.8` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | patch | `v2.3.0` -> `v2.3.1` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator)
| action | minor | `v1.9.0` -> `v1.10.0` |
|
[slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier)
| action | patch | `v2.4.0` -> `v2.4.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5):
3.1.5

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5)

#### What's Changed

- Smaller `per_page` when requesting diff by
[@&#8203;hmaurer](https://togithub.com/hmaurer) in
[https://github.com/actions/dependency-review-action/pull/649](https://togithub.com/actions/dependency-review-action/pull/649)
-   Update dependencies:
- Bump
[@&#8203;typescript-eslint/parser](https://togithub.com/typescript-eslint/parser)
from 6.10.0 to 6.13.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/630](https://togithub.com/actions/dependency-review-action/pull/630)
- Bump prettier from 3.0.3 to 3.1.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/629](https://togithub.com/actions/dependency-review-action/pull/629)
- Bump [@&#8203;types/jest](https://togithub.com/types/jest) from 29.5.8
to 29.5.11 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/637](https://togithub.com/actions/dependency-review-action/pull/637)
- Bump nodemon from 3.0.1 to 3.0.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/636](https://togithub.com/actions/dependency-review-action/pull/636)
- Replace pip -> pypi in PURL examples by
[@&#8203;febuiles](https://togithub.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/638](https://togithub.com/actions/dependency-review-action/pull/638)
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin)
from 6.12.0 to 6.15.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/644](https://togithub.com/actions/dependency-review-action/pull/644)
- Bump eslint from 8.53.0 to 8.56.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/640](https://togithub.com/actions/dependency-review-action/pull/640)
- Bump
[@&#8203;typescript-eslint/parser](https://togithub.com/typescript-eslint/parser)
from 6.13.1 to 6.16.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/645](https://togithub.com/actions/dependency-review-action/pull/645)
- Bump prettier from 3.1.0 to 3.1.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/646](https://togithub.com/actions/dependency-review-action/pull/646)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5

###
[`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4):
3.1.4

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)

#### What's Changed

- Fixed a
[bug](https://togithub.com/actions/dependency-review-action/issues/618)
with severity filtering when using the `allow_ghsas` option:
[https://github.com/actions/dependency-review-action/pull/623](https://togithub.com/actions/dependency-review-action/pull/623).

-   Updates dependencies:
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
16.18.61 to 16.18.62 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/619](https://togithub.com/actions/dependency-review-action/pull/619)
        action/pull/620
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin)
from 6.11.0 to 6.12.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/625](https://togithub.com/actions/dependency-review-action/pull/625)
- Bump typescript from 5.2.2 to 5.3.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/624](https://togithub.com/actions/dependency-review-action/pull/624)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.4

###
[`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3):
3.1.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3)

#### What's Changed

- Fixes purl "version must be percent-encoded" by
[@&#8203;theztefan](https://togithub.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/617](https://togithub.com/actions/dependency-review-action/pull/617)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.3

###
[`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2):
3.1.2

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2)

#### What's Changed

- Fix a regression for setups using self-hosted runners behind HTTP
proxies:[@&#8203;febuiles](https://togithub.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/611](https://togithub.com/actions/dependency-review-action/pull/611)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.2

###
[`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1):
3.1.1

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1)

#### What's Changed

- Update a bunch of dependencies, including major version upgrades for
`octokit`, `@actions/github` and `typescript`.

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.8.2`](https://togithub.com/actions/setup-node/releases/tag/v3.8.2)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.8.1...v3.8.2)

##### What's Changed

- Update semver by
[@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov) in
[https://github.com/actions/setup-node/pull/861](https://togithub.com/actions/setup-node/pull/861)
- Update temp directory creation by
[@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/859](https://togithub.com/actions/setup-node/pull/859)
- Bump [@&#8203;babel/traverse](https://togithub.com/babel/traverse)
from 7.15.4 to 7.23.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/setup-node/pull/870](https://togithub.com/actions/setup-node/pull/870)
- Add notice about binaries not being updated yet by
[@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/872](https://togithub.com/actions/setup-node/pull/872)
- Update toolkit cache and core by
[@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov) and
[@&#8203;seongwon-privatenote](https://togithub.com/seongwon-privatenote)
in
[https://github.com/actions/setup-node/pull/875](https://togithub.com/actions/setup-node/pull/875)

**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.8.2

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.24.8`](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8)

###
[`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

###
[`v2.24.6`](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6)

###
[`v2.24.5`](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5)

###
[`v2.24.4`](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4)

###
[`v2.24.3`](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3)

###
[`v2.24.2`](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2)

###
[`v2.24.1`](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1)

###
[`v2.24.0`](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0)

###
[`v2.23.2`](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2)

###
[`v2.23.1`](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1)

###
[`v2.23.0`](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0)

###
[`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12)

###
[`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11)

###
[`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10)

###
[`v2.22.9`](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9)

###
[`v2.22.8`](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8)

###
[`v2.22.7`](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7)

###
[`v2.22.6`](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6)

###
[`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5)

###
[`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4)

###
[`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3)

###
[`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>

###
[`v1.10.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100)

[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0)

Release \[v1.10.0] includes bug fixes and new features.

See the [full change
list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0).

##### v1.10.0: TUF fix

- The cosign TUF roots were fixed
([#&#8203;3350](https://togithub.com/slsa-framework/slsa-github-generator/issues/3350)).
More details
[here](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid).

##### v1.10.0: Gradle Builder

- The Gradle Builder was fixed when the project root is the same as the
repository root
([#&#8203;2727](https://togithub.com/slsa-framework/slsa-github-generator/issues/2727))

##### v1.10.0: Go Builder

- The `go-version-file` input was fixed so that it can find the `go.mod`
file

([#&#8203;2661](https://togithub.com/slsa-framework/slsa-github-generator/issues/2661))

##### v1.10.0: Container Generator

- A new `provenance-repository` input was added to allow reading
provenance from
a different container repository than the image itself
([#&#8203;2956](https://togithub.com/slsa-framework/slsa-github-generator/issues/2956))

###
[`v1.9.1`](https://togithub.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1)

[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1)

**This is an un-finalized release.**

See the [CHANGELOG](./CHANGELOG.md) for details.

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.4.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.1)

[Compare
Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1)

#### What's Changed

- Fix a verification issue when verifying npm's publish attestations -
Low severity
https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9.
This part of the code remains *experimental*.

#### New Contributors

- [@&#8203;trishankatdatadog](https://togithub.com/trishankatdatadog)
made their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/702](https://togithub.com/slsa-framework/slsa-verifier/pull/702)

**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2MS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
v2.5.1-rc.0 		2024-03-22 00:59:31 -07:00
laurentsimon
dc7173b856 feat: Regression tests for builder v1.10.0 (#745) 
We need the pre-submit to pass. Merging can happen after the builder
release

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2024-03-21 08:48:59 -07:00
Hayden B
52c099b4d3 feat: Add support for DSSE Rekor type (#742) 
This is in preparation for switching over the Rekor entry type in the
slsa github generator to be the newer DSSE type. This adds support for
searching for both intoto v001 and dsse v001 entries.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
 2024-03-04 07:23:16 -08:00
Mend Renovate
bb41cb6ab2 fix(deps): update go (#498) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[github.com/go-openapi/runtime](https://togithub.com/go-openapi/runtime)
| `v0.26.2` -> `v0.27.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-openapi%2fruntime/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgo-openapi%2fruntime/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgo-openapi%2fruntime/v0.26.2/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-openapi%2fruntime/v0.26.2/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [github.com/go-openapi/swag](https://togithub.com/go-openapi/swag) |
`v0.22.7` -> `v0.22.8` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-openapi%2fswag/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgo-openapi%2fswag/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgo-openapi%2fswag/v0.22.7/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-openapi%2fswag/v0.22.7/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>go-openapi/runtime (github.com/go-openapi/runtime)</summary>

###
[`v0.27.0`](https://togithub.com/go-openapi/runtime/compare/v0.26.2...v0.27.0)

[Compare
Source](https://togithub.com/go-openapi/runtime/compare/v0.26.2...v0.27.0)

</details>

<details>
<summary>go-openapi/swag (github.com/go-openapi/swag)</summary>

###
[`v0.22.8`](https://togithub.com/go-openapi/swag/compare/v0.22.7...v0.22.8)

[Compare
Source](https://togithub.com/go-openapi/swag/compare/v0.22.7...v0.22.8)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xMjUuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-01-24 14:31:57 -08:00
Ramon Petgrave
74119b2a7f fix(deps): update go to 1.21 (#738) 
Fixing the existing PR
https://github.com/slsa-framework/slsa-verifier/pull/498 to also change
the github actions to use the go 1.21 sourced directly from `go.mod`.

-
07e64b653f/.github/workflows/builder_go_slsa3.yml (L56)
-
https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/7559933600/job/20584856777?pr=498


> ...
Error: We were unable to automatically build your code. Please replace
the call to the autobuild action with your custom build steps.
Encountered a fatal error while running
"/opt/hostedtoolcache/CodeQL/2.15.5/x64/codeql/go/tools/autobuild.sh".
Exit code was 1 and error was: 2024/01/17 18:06:58 Autobuilder was built
with go1.21.5, environment has go1.20.12
...

Also fixing some more lint checks about repeated strings

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Co-authored-by: Mend Renovate <bot@renovateapp.com>
 2024-01-24 09:29:20 -08:00
saisatishkarra
9b2467f836 feat: fixes #724: add input for --provenance-repository while image verification (#736) 
@laurentsimon Added a new image verification cmd input
`--provenance-repository`
This replicates the feature of the `COSIGN_REPOSITORY` environment
variable when provenance is stored in a different repository/registry

Order of precedence:
- If input `--provenance-repository` is set, leverages the non-empty
input value
- If the env variable `COSIGN_REPOSITORY` is set, it is NOT consumed

README edit :
https://github.com/slsa-framework/slsa-verifier/pull/736/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R280

---------

Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2024-01-22 18:10:11 +00:00
Ramon Petgrave
ceaebee236 fix: #642: don't use go-cmp for outputting diff (#737) 
Previously we used the go-cmp's Diff for displaying a human-friendly
diff between two structs in an error message.

I had intended to do a json print of the structs and do a line-by-line
diff. There is an internal library for calculating text diff, but I
don't see any external functions that expose it to make it available for
our use: https://pkg.go.dev/golang.org/x/tools/internal/diff

Instead, this we will simply display both structs in their own "actual"
and "expected" sections. The user can use their other tools to find a
human-friendly diff.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-01-17 10:05:28 -08:00
Ian Lewis
b804933f00 chore: Remove ianlewis from CODEOWNERS (#732) 
I'm not really contributing to slsa-verifier anymore.

Signed-off-by: Ian Lewis <ianlewis@google.com>
 2024-01-16 08:32:34 -08:00
saisatishkarra
f09d99f91c feat: Add cosign registry opts for provenance registry (#729) 
triggered on specification of COSIGN_REPOSITORY env

---------

Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2024-01-04 01:39:42 +00:00
laurentsimon
e77e0855b1 chore: Remove asraa from CODEOWNERS (#728) 
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2024-01-03 18:25:45 +00:00
laurentsimon
eecb791ed8 chore: Fix renovate.json (#727) 
Should fix https://github.com/slsa-framework/slsa-verifier/issues/726

Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2024-01-03 10:03:46 -08:00