slsa-verifier

mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-17 05:56:37 +00:00

Author	SHA1	Message	Date
Ramon Petgrave	9704c97a22	parse dsse envelope Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-06-17 16:07:41 +00:00
Ramon Petgrave	a3a573a800	cleanup Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-06-17 16:06:50 +00:00
Ramon Petgrave	b90ede0bde	rename to TrustedProducerID, allow muyltiple --subject-digest flags Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-06-14 18:15:25 +00:00
Ramon Petgrave	a25abe2323	testdata, sample invocation in README.md Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-06-13 22:28:58 +00:00
Ramon Petgrave	b5eb1473b8	skeletion verify-vsa command Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-06-13 22:28:08 +00:00
Ramon Petgrave	7980fdebf6	Changed success message to a more general "PASSED: SLSA verification passed" Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-06-13 22:22:56 +00:00
Ramon Petgrave	18c5f13b3e	fix: signoff commit (#767 ) Followup to https://github.com/slsa-framework/slsa-verifier/pull/760 Fix the .github/workflows/update-actions-dist-post-commit.yml workflow to also signoff commit # Testing - [x] Invoked this PR's branch copy of the workflow against #717, and it did signoff the commit. - `9670f76ab8` Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-05-22 16:45:20 +00:00
Ramon Petgrave	b55bf59ce4	fix: use pr_number as env variable (#771 ) changing the update-dist workflow to use the `pr_number` input as an env variable to avoid [script injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks). Our workflows are only invokable by our trusted maintainers so we should be okay. This is just an extra hardening measure. Open issue https://github.com/actions/runner/issues/1070#issuecomment-2113287699 ## Testing I confirmed the issue by invoking the workflow with `650 && echo SCRIPT INJECTION`, and it did also do the extra `echo` command. - https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36 after invoking the workflow again with this PR's version, the problem is mitigated. - https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8 - https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7 Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-05-22 12:20:16 -04:00
Ian Lewis	87b5bae6d4	chore: Update Renovate config (#769 ) # Summary Updates renovate config to use the [`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices) preset rather than the `config:base` preset since `config:base` seems to be deprecated. Also updates the `schedule` config to use the [`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly) preset. Also adds a pre-submit to run the [`renovate-config-validator`](https://docs.renovatebot.com/config-validation/) to ensure that renovate config is valid. This pre-submit will need to be made required in the repository branch protection rule for `main` in the repository settings after this PR is merged. --------- Signed-off-by: Ian Lewis <ianmlewis@gmail.com> Signed-off-by: Ian Lewis <ianlewis@google.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-05-16 07:13:09 +09:00
Ian Lewis	138a2348fc	chore: fix pr-title-checker (#770 ) Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version comment. Signed-off-by: Ian Lewis <ianlewis@google.com>	2024-05-15 12:10:15 -04:00
Mend Renovate	e7a8f74b9c	fix(deps): update dependency @actions/core to v1.10.1 (#717 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [@actions/core](https://togithub.com/actions/toolkit/tree/main/packages/core) ([source](https://togithub.com/actions/toolkit/tree/HEAD/packages/core)) \| [`1.10.0` -> `1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1) \| [![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/toolkit (@actions/core)</summary> ### [`v1.10.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101) - Fix error message reference in oidc utils [#1511](https://togithub.com/actions/toolkit/pull/1511) </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> --------- Signed-off-by: Mend Renovate <bot@renovateapp.com> Signed-off-by: github-actions <github-actions@github.com> Co-authored-by: github-actions <github-actions@github.com>	2024-05-07 14:09:48 -04:00
Ramon Petgrave	23160d82c0	feat: workflow to update actions dist (#760 ) Add a new Post-Commit workflow, to make these renovate-bot updates a bit easier. Previously, we had to clone the PR locally, run `make package`, and then push to the PR. Now we would just need to use the github UI to invoke this new workflow against the PR number. We could also copy this over to the slsa-github-generator repo. > A workflow to run against renovate-bot's PRs, > such as `make package` after it updates the package.json and package-lock.json files. > The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact. > Then a higher-privilege Job applies the diff and pushes the changes to the PR. > It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes! ## Testing. Tested in my own private fork, where when applicable, it pushed a commit of changes to `dist/` folders - https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483 - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits - https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353 - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-05-06 17:56:35 -04:00
Mend Renovate	9c4e2196d8	chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 (#763 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| gcr.io/distroless/base \| final \| digest \| `1a8ece8` -> `53745e9` \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-05-06 16:01:16 +00:00
Mend Renovate	f787eeebf7	chore(deps): update golang:1.21 docker digest to d83472f (#764 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| golang \| stage \| digest \| `81811f8` -> `d83472f` \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2024-05-06 11:48:47 -04:00
Ramon Petgrave	637b07fdab	chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata (#758 ) https://github.com/slsa-framework/slsa-github-generator/issues/3576 Next step in https://github.com/slsa-framework/slsa-github-generator/blob/main/RELEASE.md#update-verifier Creating new test data for slsa-github-generator@v2.0.0 # Instructions: ## diff to download-artifacts.sh ``` diff --git a/download-artifacts.sh b/download-artifacts.sh old mode 100644 new mode 100755 index e5e218e8..49257ea6 --- a/download-artifacts.sh +++ b/download-artifacts.sh @@ -88,6 +88,10 @@ unzip_files() { rm -rf "${tmp_dir}" ;; + ./.zip) + unzip -o "${zip_path}" -d "${output_path}" + ;; + ) echo "unexpected file path: ${zip_path}" exit 1 @@ -167,7 +171,7 @@ rename_java_files "test-java-project-" "maven" rename_java_files "workflow_dispatch-" "gradle" # Files downloaded. Now copy them -repo_path="../.." +repo_path="/path/to/slsa-verifier" # Go builder files. copy_files "gha_go-binary-linux-amd64-" "${repo_path}/cli/slsa-verifier/testdata/gha_go/${version}" ``` ## download the artifacts ``` ../slsa-verifier/download-artifacts.sh 8791212155 v2.0.0 ../slsa-verifier/download-artifacts.sh 8791219359 v2.0.0 ../slsa-verifier/download-artifacts.sh 8791219514 v2.0.0 ../slsa-verifier/download-artifacts.sh 8791219607 v2.0.0 ``` ## docker github auth ``` gh auth login --scopes=read:packages echo `gh auth token` \| docker login ghcr.io -u ramonpetgrave64 --password-stdin cosign save \ --dir ./cli/slsa-verifier/testdata/gha_generic_container/v2.0.0/container_workflow_dispatch \ ghcr.io/slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3@sha256:55aee984fd6b1d0e0a19a55265d10d40063a2212bdbabd75b202b1728236548d ``` --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-04-23 12:26:13 -04:00
Mend Renovate	ee32cbff7e	chore(deps): update golang:1.21 docker digest to 81811f8 (#693 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| golang \| stage \| digest \| `ec457a2` -> `81811f8` \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuMzAxLjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-04-18 16:46:15 +00:00
Mend Renovate	79d225bb44	fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] (#723 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign) \| `v2.2.0` -> `v2.2.4` \| [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2023-46737](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9) ### Summary Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in an endless data attack. The root cause is that Cosign loops through all attestations fetched from the remote registry in `pkg/cosign.FetchAttestations`. The attacker needs to compromise the registry or make a request to a registry they control. When doing so, the attacker must return a high number of attestations in the response to Cosign. The result will be that the attacker can cause Cosign to go into a long or infinite loop that will prevent other users from verifying their data. In Kyvernos case, an attacker whose privileges are limited to making requests to the cluster can make a request with an image reference to their own registry, trigger the infinite loop and deny other users from completing their admission requests. Alternatively, the attacker can obtain control of the registry used by an organization and return a high number of attestations instead the expected number of attestations. The vulnerable loop in Cosign starts on line 154 below: `0044432284/pkg/cosign/fetch.go (L135-L196)` The `l` slice is controllable by an attacker who controls the remote registry. Many cloud-native projects consider the remote registry to be untrusted, including Crossplane, Notary and Kyverno. We consider the same to be the case for Cosign, since users are not in control of whether the registry returns the expected data. TUF's security model labels this type of vulnerability an ["Endless data attack"](https://theupdateframework.io/security/), but an attacker could use this as a type of rollback attack, in case the user attempts to deploy a patched version of a vulnerable image; The attacker could prevent this upgrade by causing Cosign to get stuck in an infinite loop and never complete. ### Mitigation The issue can be mitigated rather simply by setting a limit to the limit of attestations that Cosign will loop through. The limit does not need to be high to be within the vast majority of use cases and still prevent the endless data attack. #### [CVE-2024-29902](https://togithub.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc) ### Summary A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial. ### Details The root cause of this issue is that Cosign reads the attachment from a remote image entirely into memory without checking the size of the attachment first. As such, a large attachment can make Cosign read a large attachment into memory; If the attachments size is larger than the machine has memory available, the machine will be denied of service. The Go runtime will make a `SIGKILL` after a few seconds of system-wide denial. The root cause is that Cosign reads the contents of the attachments entirely into memory on line 238 below: `9bc3ee309b/pkg/oci/remote/remote.go (L228-L239)` ...and prior to that, neither Cosign nor go-containerregistry checks the size of the attachment and enforces a max cap. In the case of a remote layer of `f attached`, go-containerregistry will invoke this API: `a0658aa1d0/pkg/v1/remote/layer.go (L36-L40)` ```golang func (rl remoteLayer) Compressed() (io.ReadCloser, error) { // We don't want to log binary layers -- this can break terminals. ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs") return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest) } ``` Notice that the second argument to `rl.fetcher.fetchBlob` is `verify.SizeUnknown` which results in not using the `io.LimitReader` in `verify.ReadCloser`: `a0658aa1d0/internal/verify/verify.go (L82-L100)` ```golang func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) { w, err := v1.Hasher(h.Algorithm) if err != nil { return nil, err } r2 := io.TeeReader(r, w) // pass all writes to the hasher. if size != SizeUnknown { r2 = io.LimitReader(r2, size) // if we know the size, limit to that size. } return &and.ReadCloser{ Reader: &verifyReader{ inner: r2, hasher: w, expected: h, wantSize: size, }, CloseFunc: r.Close, }, nil } ``` ### Impact This issue can allow a supply-chain escalation from a compromised registry to the Cosign user: If an attacher has compromised a registry or the account of an image vendor, they can include a malicious attachment and hurt the image consumer. ### Remediation Update to the latest version of Cosign, which limits the number of attachments. An environment variable can override this value. #### [CVE-2024-29903](https://togithub.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv) Maliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates. As an example, these lines demonstrate the problem: `286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)` This `Get()` method gets the manifest of the image, allocates a slice equal to the length of the layers in the manifest, loops through the layers and adds a new signature to the slice. The exact issue is Cosign allocates excessive memory on the lines that creates a slice of the same length as the manifests. ## Remediation Update to the latest version of Cosign, where the number of attestations, signatures and manifests has been limited to a reasonable value. ## Cosign PoC In the case of this API (also referenced above): `286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)` … The first line can contain a length that is safe for the system and will not throw a runtime panic or be blocked by other safety mechanisms. For the sake of argument, let’s say that the length of `m, err := s.Manifest()` is the max allowed (by the machine without throwing OOM panics) manifests minus 1. When Cosign then allocates a new slice on this line: `signatures := make([]oci.Signature, 0, len(m.Layers))`, Cosign will allocate more memory than is available and the machine will be denied of service, causing Cosign and all other services on the machine to be unavailable. To illustrate the issue here, we run a modified version of `TestSignedImageIndex()` in `pkg/oci/remote`: `14795db164/pkg/oci/remote/index_test.go (L31-L57)` Here, `wantLayers` is the number of manifests from these lines: `286a98a4a9/pkg/oci/remote/signatures.go (L56-L60)` To test this, we want to make `wantLayers` high enough to not cause a memory on its own but still trigger the machine-wide OOM when a slice gets create with the same length. On my local machine, it would take hours to create a slice of layers that fulfils that criteria, so instead I modify the Cosign production code to reflect a long list of manifests: ```golang // Get implements oci.Signatures func (s sigs) Get() ([]oci.Signature, error) { m, err := s.Manifest() if err != nil { return nil, err } // Here we imitate a long list of manifests ms := make([]byte, 2600000000) // imitate a long list of manifests signatures := make([]oci.Signature, 0, len(ms)) panic("Done") //signatures := make([]oci.Signature, 0, len(m.Layers)) for _, desc := range m.Layers { ``` With this modified code, if we can cause an OOM without triggering the `panic("Done")`, we have succeeded. --- ### Release Notes <details> <summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary> ### [`v2.2.4`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v224) [Compare Source](https://togithub.com/sigstore/cosign/compare/v2.2.3...v2.2.4) #### Bug Fixes - Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv ([#3661](https://togithub.com/sigstore/cosign/issues/3661)) - ErrNoSignaturesFound should be used when there is no signature attached to an image. ([#3526](https://togithub.com/sigstore/cosign/issues/3526)) - fix semgrep issues for dgryski.semgrep-go ruleset ([#3541](https://togithub.com/sigstore/cosign/issues/3541)) - Honor creation timestamp for signatures again ([#3549](https://togithub.com/sigstore/cosign/issues/3549)) #### Features - Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly ([#3578](https://togithub.com/sigstore/cosign/issues/3578)) #### Documentation - add oci bundle spec ([#3622](https://togithub.com/sigstore/cosign/issues/3622)) - Correct help text of triangulate cmd ([#3551](https://togithub.com/sigstore/cosign/issues/3551)) - Correct help text of verify-attestation policy argument ([#3527](https://togithub.com/sigstore/cosign/issues/3527)) - feat: add OVHcloud MPR registry tested with cosign ([#3639](https://togithub.com/sigstore/cosign/issues/3639)) #### Testing - Refactor e2e-tests.yml workflow ([#3627](https://togithub.com/sigstore/cosign/issues/3627)) - Clean up and clarify e2e scripts ([#3628](https://togithub.com/sigstore/cosign/issues/3628)) - Don't ignore transparency log in tests if possible ([#3528](https://togithub.com/sigstore/cosign/issues/3528)) - Make E2E tests hermetic ([#3499](https://togithub.com/sigstore/cosign/issues/3499)) - add e2e test for pkcs11 token signing ([#3495](https://togithub.com/sigstore/cosign/issues/3495)) ### [`v2.2.3`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v223) [Compare Source](https://togithub.com/sigstore/cosign/compare/v2.2.2...v2.2.3) #### Bug Fixes - Fix race condition on verification with multiple signatures attached to image ([#3486](https://togithub.com/sigstore/cosign/issues/3486)) - fix(clean): Fix clean cmd for private registries ([#3446](https://togithub.com/sigstore/cosign/issues/3446)) - Fixed BYO PKI verification ([#3427](https://togithub.com/sigstore/cosign/issues/3427)) #### Features - Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor ([#3466](https://togithub.com/sigstore/cosign/issues/3466)) - Add support for OpenVEX predicate type ([#3405](https://togithub.com/sigstore/cosign/issues/3405)) #### Documentation - Resolves [#3088](https://togithub.com/sigstore/cosign/issues/3088): `version` sub-command expected behaviour documentation and testing ([#3447](https://togithub.com/sigstore/cosign/issues/3447)) - add examples for cosign attach signature cmd ([#3468](https://togithub.com/sigstore/cosign/issues/3468)) #### Misc - Remove CertSubject function ([#3467](https://togithub.com/sigstore/cosign/issues/3467)) - Use local rekor and fulcio instances in e2e tests ([#3478](https://togithub.com/sigstore/cosign/issues/3478)) #### Contributors - aalsabag - Bob Callaway - Carlos Tadeu Panato Junior - Colleen Murphy - Hayden B - Mukuls77 - Omri Bornstein - Puerco - vivek kumar sahu ### [`v2.2.2`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v222) [Compare Source](https://togithub.com/sigstore/cosign/compare/v2.2.1...v2.2.2) v2.2.2 adds a new container with a shell, `gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing container `gcr.io/projectsigstore/cosign:vx.y.z` without a shell. For private deployments, we have also added an alias for `--insecure-skip-log`, `--private-infrastructure`. #### Bug Fixes - chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 ([#3411](https://togithub.com/sigstore/cosign/issues/3411)) which fixes a bug with using Azure KMS - Don't require CT log keys if using a key/sk ([#3415](https://togithub.com/sigstore/cosign/issues/3415)) - Fix copy without any flag set ([#3409](https://togithub.com/sigstore/cosign/issues/3409)) - Update cosign generate cmd to not include newline ([#3393](https://togithub.com/sigstore/cosign/issues/3393)) - Fix idempotency error with signing ([#3371](https://togithub.com/sigstore/cosign/issues/3371)) #### Features - Add `--yes` flag `cosign import-key-pair` to skip the overwrite confirmation. ([#3383](https://togithub.com/sigstore/cosign/issues/3383)) - Use the timeout flag value in verify\ commands. ([#3391](https://togithub.com/sigstore/cosign/issues/3391)) - add --private-infrastructure flag ([#3369](https://togithub.com/sigstore/cosign/issues/3369)) #### Container Updates - Bump builder image to use go1.21.4 and add new cosign image tags with shell ([#3373](https://togithub.com/sigstore/cosign/issues/3373)) #### Documentation - Update SBOM_SPEC.md ([#3358](https://togithub.com/sigstore/cosign/issues/3358)) #### Contributors - Carlos Tadeu Panato Junior - Dylan Richardson - Hayden B - Lily Sturmann - Nikos Fotiou - Yonghe Zhao ### [`v2.2.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v221) [Compare Source](https://togithub.com/sigstore/cosign/compare/v2.2.0...v2.2.1) Note: This release comes with a fix for CVE-2023-46737 described in this [Github Security Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9). Please upgrade to this release ASAP #### Enhancements - feat: Support basic auth and bearer auth login to registry ([#3310](https://togithub.com/sigstore/cosign/issues/3310)) - add support for ignoring certificates with pkcs11 ([#3334](https://togithub.com/sigstore/cosign/issues/3334)) - Support ReplaceOp in Signatures ([#3315](https://togithub.com/sigstore/cosign/issues/3315)) - feat: added ability to get image digest back via triangulate ([#3255](https://togithub.com/sigstore/cosign/issues/3255)) - feat: add `--only` flag in `cosign copy` to copy sign, att & sbom ([#3247](https://togithub.com/sigstore/cosign/issues/3247)) - feat: add support attaching a Rekor bundle to a container ([#3246](https://togithub.com/sigstore/cosign/issues/3246)) - feat: add support outputting rekor response on signing ([#3248](https://togithub.com/sigstore/cosign/issues/3248)) - feat: improve dockerfile verify subcommand ([#3264](https://togithub.com/sigstore/cosign/issues/3264)) - Add guard flag for experimental OCI 1.1 verify. ([#3272](https://togithub.com/sigstore/cosign/issues/3272)) - Deprecate SBOM attachments ([#3256](https://togithub.com/sigstore/cosign/issues/3256)) - feat: dedent line in cosign copy doc ([#3244](https://togithub.com/sigstore/cosign/issues/3244)) - feat: add platform flag to cosign copy command ([#3234](https://togithub.com/sigstore/cosign/issues/3234)) - Add SLSA 1.0 attestation support to cosign. Closes [#2860](https://togithub.com/sigstore/cosign/issues/2860) ([#3219](https://togithub.com/sigstore/cosign/issues/3219)) - attest: pass OCI remote opts to att resolver. ([#3225](https://togithub.com/sigstore/cosign/issues/3225)) #### Bug Fixes - Merge pull request from GHSA-vfp6-jrw2-99g9 - fix: allow cosign download sbom when image is absent ([#3245](https://togithub.com/sigstore/cosign/issues/3245)) - ci: add a OCI registry test for referrers support ([#3253](https://togithub.com/sigstore/cosign/issues/3253)) - Fix ReplaceSignatures ([#3292](https://togithub.com/sigstore/cosign/issues/3292)) - Stop using deprecated in_toto.ProvenanceStatement ([#3243](https://togithub.com/sigstore/cosign/issues/3243)) - Fixes [#3236](https://togithub.com/sigstore/cosign/issues/3236), disable SCT checking for a cosign verification when usin… ([#3237](https://togithub.com/sigstore/cosign/issues/3237)) - fix: update error in `SignedEntity` to be more descriptive ([#3233](https://togithub.com/sigstore/cosign/issues/3233)) - Fail timestamp verification if no root is provided ([#3224](https://togithub.com/sigstore/cosign/issues/3224)) #### Documentation - Add some docs about verifying in an air-gapped environment ([#3321](https://togithub.com/sigstore/cosign/issues/3321)) - Update CONTRIBUTING.md ([#3268](https://togithub.com/sigstore/cosign/issues/3268)) - docs: improves the Contribution guidelines ([#3257](https://togithub.com/sigstore/cosign/issues/3257)) - Remove security policy ([#3230](https://togithub.com/sigstore/cosign/issues/3230)) #### Others - Set go to min 1.21 and update dependencies ([#3327](https://togithub.com/sigstore/cosign/issues/3327)) - Update contact for code of conduct ([#3266](https://togithub.com/sigstore/cosign/issues/3266)) - Update .ko.yaml ([#3240](https://togithub.com/sigstore/cosign/issues/3240)) #### Contributors - AdamKorcz - Andres Galante - Appu - Billy Lynch - Bob Callaway - Caleb Woodbine - Carlos Tadeu Panato Junior - Dylan Richardson - Gareth Healy - Hayden B - John Kjell - Jon Johnson - jonvnadelberg - Luiz Carvalho - Priya Wadhwa - Ramkumar Chinchani - Tosone - Ville Aikas - Vishal Choudhary - ziel </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [x] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2024-04-18 12:33:11 -04:00
Ramon Petgrave	8c9ed07f8f	feat: fixes #547 : add npm sigstore-tuf suport (#731 ) Addresses: https://github.com/slsa-framework/slsa-verifier/issues/547 - [x] Pending: https://github.com/sigstore/sigstore-go/pull/41 Uses the new [sigstore-go@0.2.0](https://github.com/sigstore/sigstore-go/releases/tag/v0.2.0) Currently slsa-verifier has npmjs' attestation key hardcoded. But sigstore now stores the same key within their own TUF root. This PR - dynamically use the keyid specified in the sigstore bundle, rather than the hardcoded keyid. - uses an updated ([pending]( https://github.com/sigstore/sigstore-go/pull/41)) sigstore-go library that allows us to fetch a signed and verified copy of the same key. --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-04-16 17:21:49 +00:00
Mend Renovate	2a07cd6e3a	fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 (#752 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools) \| `3.9.0` -> `3.11.0` \| [![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-04-03 00:55:07 +00:00
Ramon Petgrave	bcc39bf21a	chore(deps): update npm dev (major) (#753 ) Redo of https://github.com/slsa-framework/slsa-verifier/pull/654 - Fix dev-dependencies related to es-lint that the renovate-bot couldn't auto-fix - a few commas automatically added by the new linter - use node20 for tests to avoid caompatibility warnings ``` npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: '@typescript-eslint/parser@7.5.0', npm WARN EBADENGINE required: { node: '^18.18.0 \|\| >=20.0.0' }, npm WARN EBADENGINE current: { node: 'v16.20.2', npm: '8.19.4' } npm WARN EBADENGINE } ``` --------- Signed-off-by: Mend Renovate <bot@renovateapp.com> Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Co-authored-by: Mend Renovate <bot@renovateapp.com>	2024-04-02 17:44:08 -07:00
Mend Renovate	0547bc3002	fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 (#751 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [org.apache.maven:maven-plugin-api](https://maven.apache.org/) \| `3.9.5` -> `3.9.6` \| [![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-plugin-api/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-plugin-api/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-plugin-api/3.9.5/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-plugin-api/3.9.5/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2024-04-02 18:46:09 +00:00
Mend Renovate	a8e21d5a83	chore(deps): update github-actions (major) (#719 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/checkout](https://togithub.com/actions/checkout) \| action \| major \| `v3.6.0` -> `v4.1.1` \| \| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) \| action \| major \| `v3.1.5` -> `v4.2.5` \| \| [actions/download-artifact](https://togithub.com/actions/download-artifact) \| action \| major \| `v3.0.2` -> `v4.1.4` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| major \| `v3` -> `v4` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| major \| `v3.8.2` -> `v4.0.2` \| \| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) \| action \| major \| `v3.1.3` -> `v4.3.1` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| major \| `v2.24.8` -> `v3.24.9` \| \| [golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action) \| action \| major \| `v3` -> `v4` \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1) ##### What's Changed - Update CODEOWNERS to Launch team by [@joshmgross](https://togithub.com/joshmgross) in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - Correct link to GitHub Docs by [@peterbe](https://togithub.com/peterbe) in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) - Link to release page from what's new section by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1514](https://togithub.com/actions/checkout/pull/1514) ##### New Contributors - [@joshmgross](https://togithub.com/joshmgross) made their first contribution in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - [@peterbe](https://togithub.com/peterbe) made their first contribution in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) Full Changelog: https://github.com/actions/checkout/compare/v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://togithub.com/actions/checkout/pull/1396) ### [`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400) [Compare Source](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0) - [Support fetching without the --progress option](https://togithub.com/actions/checkout/pull/1067) - [Update to node20](https://togithub.com/actions/checkout/pull/1436) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.2.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.5): 4.2.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5) #### What's Changed - Fixed a bug where some configuration options in external files were not being properly picked up -- [https://github.com/actions/dependency-review-action/pull/722](https://togithub.com/actions/dependency-review-action/pull/722) - Bump eslint from 8.56.0 to 8.57.0 Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5 ### [`v4.2.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.4) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4) #### What's Changed Fixed a bug in the output of OpenSSF cards for GitHub Actions. #### New Contributors - [@sporkmonger](https://togithub.com/sporkmonger) made their first contribution in [https://github.com/actions/dependency-review-action/pull/721](https://togithub.com/actions/dependency-review-action/pull/721) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4 ### [`v4.2.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.3): 4.2.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3) #### What's Changed - Set comment as output by [@jsoref](https://togithub.com/jsoref) in [https://github.com/actions/dependency-review-action/pull/698](https://togithub.com/actions/dependency-review-action/pull/698) - Add support for calculating OpenSSF Scorecards by [@jhutchings1](https://togithub.com/jhutchings1) in [https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709) - Add outputs for the changes data by [@laughedelic](https://togithub.com/laughedelic) in [https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707) #### New Contributors - [@jhutchings1](https://togithub.com/jhutchings1) made their first contribution in [https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709) - [@laughedelic](https://togithub.com/laughedelic) made their first contribution in [https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3 ### [`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3): 4.1.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3) Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see [https://github.com/actions/dependency-review-action/issues/697](https://togithub.com/actions/dependency-review-action/issues/697)). Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2): 4.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2) #### What's Changed - Expose dependency comment content by [@jsoref](https://togithub.com/jsoref) in [https://github.com/actions/dependency-review-action/pull/696](https://togithub.com/actions/dependency-review-action/pull/696) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2 ### [`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1): 4.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1) #### What's Changed - Bump `undici` to fix [GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g) - Bump [@types/node](https://togithub.com/types/node) from 20.11.17 to 20.11.19 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/693](https://togithub.com/actions/dependency-review-action/pull/693) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0): 4.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0) #### What's Changed - Add `warn-only` by [@tgrall](https://togithub.com/tgrall) in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) Added a new configuration option (`warn-only`, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log. - Create stale.yaml by [@jonjanego](https://togithub.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - Use manual codeql config by [@juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/678](https://togithub.com/actions/dependency-review-action/pull/678) - Multiple dependency updates (see the changelog below for more information) #### New Contributors - [@jonjanego](https://togithub.com/jonjanego) made their first contribution in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - [@tgrall](https://togithub.com/tgrall) made their first contribution in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0) - Update action to Node 20 by [@takost](https://togithub.com/takost) in [https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639) - Dependabot updates, see the full changelog for more details. #### New Contributors - [@takost](https://togithub.com/takost) made their first contribution in [https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0 </details> <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.4`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.4) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.3...v4.1.4) ##### What's Changed - Update [@actions/artifact](https://togithub.com/actions/artifact) by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/307](https://togithub.com/actions/download-artifact/pull/307) Full Changelog: https://github.com/actions/download-artifact/compare/v4...v4.1.4 ### [`v4.1.3`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.3) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.2...v4.1.3) ##### What's Changed - Update release-new-action-version.yml by [@konradpabjan](https://togithub.com/konradpabjan) in [https://github.com/actions/download-artifact/pull/292](https://togithub.com/actions/download-artifact/pull/292) - Update toolkit dependency with updated unzip logic by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299) - Update [@actions/artifact](https://togithub.com/actions/artifact) by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/303](https://togithub.com/actions/download-artifact/pull/303) ##### New Contributors - [@bethanyj28](https://togithub.com/bethanyj28) made their first contribution in [https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299) Full Changelog: https://github.com/actions/download-artifact/compare/v4...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.2) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.1...v4.1.2) - Bump [@actions/artifacts](https://togithub.com/actions/artifacts) to latest version to include [updated GHES host check](https://togithub.com/actions/toolkit/pull/1648) ### [`v4.1.1`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.0...v4.1.1) - Fix transient request timeouts [https://github.com/actions/download-artifact/issues/249](https://togithub.com/actions/download-artifact/issues/249) - Bump `@actions/artifacts` to latest version ### [`v4.1.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.0.0...v4.1.0) #### What's Changed - Some cleanup by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/download-artifact/pull/247](https://togithub.com/actions/download-artifact/pull/247) - Fix default for run-id by [@stchr](https://togithub.com/stchr) in [https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252) - Support pattern matching to filter artifacts & merge to same directory by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/download-artifact/pull/259](https://togithub.com/actions/download-artifact/pull/259) #### New Contributors - [@stchr](https://togithub.com/stchr) made their first contribution in [https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252) Full Changelog: https://github.com/actions/download-artifact/compare/v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/download-artifact/compare/v3.0.2...v4.0.0) #### What's Changed The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements. ℹ️ However, this is a major update that includes breaking changes. Artifacts created with versions v3 and below are not compatible with the v4 actions. Uploads and downloads must use the same major actions versions. There are also key differences from previous versions that may require updates to your workflows. For more information, please see: 1. The [changelog](https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/) post. 2. The [README](https://togithub.com/actions/download-artifact/blob/main/README.md). 3. The [migration documentation](https://togithub.com/actions/upload-artifact/blob/main/docs/MIGRATION.md). 4. As well as the underlying npm package, [@actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact) documentation. #### New Contributors - [@bflad](https://togithub.com/bflad) made their first contribution in [https://github.com/actions/download-artifact/pull/194](https://togithub.com/actions/download-artifact/pull/194) Full Changelog: https://github.com/actions/download-artifact/compare/v3...v4.0.0 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v4`](https://togithub.com/actions/setup-node/compare/v3...v4) [Compare Source](https://togithub.com/actions/setup-node/compare/v3...v4) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.3.1`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.1) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.0...v4.3.1) - Bump [@actions/artifacts](https://togithub.com/actions/artifacts) to latest version to include [updated GHES host check](https://togithub.com/actions/toolkit/pull/1648) ### [`v4.3.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.2.0...v4.3.0) ##### What's Changed - Reorganize upload code in prep for merge logic & add more tests by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/504](https://togithub.com/actions/upload-artifact/pull/504) - Add sub-action to merge artifacts by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/505](https://togithub.com/actions/upload-artifact/pull/505) Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.3.0 ### [`v4.2.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.2.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.1.0...v4.2.0) ##### What's Changed - Ability to overwrite an Artifact by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/501](https://togithub.com/actions/upload-artifact/pull/501) Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.2.0 ### [`v4.1.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.0.0...v4.1.0) #### What's Changed - Add migrations docs by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/482](https://togithub.com/actions/upload-artifact/pull/482) - Update README.md by [@samuelwine](https://togithub.com/samuelwine) in [https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492) - Support artifact-url output by [@konradpabjan](https://togithub.com/konradpabjan) in [https://github.com/actions/upload-artifact/pull/496](https://togithub.com/actions/upload-artifact/pull/496) - Update readme to reflect new 500 artifact per job limit by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/497](https://togithub.com/actions/upload-artifact/pull/497) #### New Contributors - [@samuelwine](https://togithub.com/samuelwine) made their first contribution in [https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492) Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.3...v4.0.0) #### What's Changed The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements. For more information, see the [@actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact) documentation. #### New Contributors - [@vmjoseph](https://togithub.com/vmjoseph) made their first contribution in [https://github.com/actions/upload-artifact/pull/464](https://togithub.com/actions/upload-artifact/pull/464) Full Changelog: https://github.com/actions/upload-artifact/compare/v3...v4.0.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.24.9`](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9) ### [`v3.24.8`](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8) ### [`v3.24.7`](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7) ### [`v3.24.6`](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6) ### [`v3.24.5`](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5) ### [`v3.24.4`](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4) ### [`v3.24.3`](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3) ### [`v3.24.2`](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2) ### [`v3.24.1`](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1) ### [`v3.24.0`](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0) ### [`v3.23.2`](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2) ### [`v3.23.1`](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1) ### [`v3.23.0`](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0) ### [`v3.22.12`](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12) ### [`v3.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.11...v3.22.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.9...v3.22.11) ### [`v2.24.9`](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9) </details> <details> <summary>golangci/golangci-lint-action (golangci/golangci-lint-action)</summary> ### [`v4`](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4) [Compare Source](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4) </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2024-04-01 15:26:46 +00:00
Mend Renovate	363e8da4fa	chore(deps): update gcr.io/distroless/base:nonroot docker digest to 1a8ece8 (#701 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| gcr.io/distroless/base \| final \| digest \| `c623859` -> `1a8ece8` \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi42OC4xIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2024-04-01 08:13:46 -07:00
Ramon Petgrave	095d6f8200	feat: add ramonpetgrave64 as CODEOWNER (#750 ) adding myself as CODEOWNER Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-03-27 09:00:14 -07:00
Ramon Petgrave	fe539a2bde	fix: use sigstore/pkg/fulcioroots to lessen deps (#746 ) We've long had the problem that slsa-verifier has too many dependencies. This PR replaces `"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"` with `"github.com/sigstore/sigstore/pkg/fulcioroots"`, removing lot's of unneeded transitive dependencies like `"github.com/aws/aws-sdk-go-v2"` and `"github.com/Azure/go-autorest/autorest"` from our `go.mod`. ## Investigation At [deps.dep](https://deps.dev/go/github.com%2Fslsa-framework%2Fslsa-verifier%2Fv2/v2.4.1/dependencies/graph?filter=aws), we can see that the indirect dependencies of `aws/aws-sdk-go-v2` come from `cosign/cosign`. <img width="1110" alt="image" src="https://github.com/slsa-framework/slsa-verifier/assets/32398091/3de1adf4-29ac-4bec-a511-0ae191c3141c"> That's a good start, but this gives us only module-wide dependencies, not package-level dependencies. We can instead use `go mod why <pkg>` to get the package-level dependency chain. Now we know that it's our `gha` package that imports a fulcio package, which imports an aws package. ``` ➜ slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/ # github.com/aws/aws-sdk-go-v2 github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio github.com/sigstore/cosign/v2/cmd/cosign/cli/options github.com/awslabs/amazon-ecr-credential-helper/ecr-login github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api github.com/aws/aws-sdk-go-v2/config github.com/aws/aws-sdk-go-v2/internal/ini github.com/aws/aws-sdk-go-v2 ``` Looking at our `gha` package we can see that the required methods from fulcio are `Get()` and `GetIntermediates()`. Looking at the source codes, we see that `"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`'s implementation of these methods is the same as `"github.com/sigstore/sigstore/pkg/fulcioroots"`'s implementation. So we chose the latter's implementation, which happens to require fewer module-level dependencies. - `546f1c5b91/cmd/cosign/cli/fulcio/fulcio.go (L16)` - `546f1c5b91/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go (L16)` - `25dd9f3e52/pkg/fulcioroots/fulcioroots.go (L17)` ## Testing - unit tests continue to pass - manual test to verify a provenance with the steps in our [readme](https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#npm-packages-built-using-the-slsa3-nodejs-builder) ## Future Work The sigstore-go library is meant to be a more long-term solution, for replacing much of the sigstore-related functionality that slsa-verifier implements directly. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-03-27 14:27:09 +00:00
laurentsimon	b1f986788d	chore: Update @actions/github v6 (#749 ) Need to re-compile https://github.com/slsa-framework/slsa-verifier/pull/720/files Signed-off-by: laurentsimon <laurentsimon@google.com>	2024-03-26 22:03:42 +00:00
Mend Renovate	66a9f93df2	fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 (#718 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [org.apache.maven:maven-core](https://maven.apache.org/) \| `3.8.1` -> `3.9.6` \| [![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-core/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-core/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-core/3.8.1/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-core/3.8.1/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2024-03-26 20:42:43 +00:00
Mend Renovate	449e404e2a	fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] (#743 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) \| `v1.32.0` -> `v1.33.0` \| [![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fprotobuf/v1.32.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.32.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. --- ### Release Notes <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2024-03-26 15:33:59 +00:00
laurentsimon	f315652a8c	chore: Update doc and digests for v2.5.1 (#748 ) This sets the expected sha256 of the v2.5.1 slsa-verifier released binary. How to LGTM this PR (I'll work on a proper doc for this in https://github.com/slsa-framework/slsa-github-generator/issues/112): 1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v0.0.1 2. Clone the slsa-verifier repo, compile and verify the provenance using the steps described in https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance ``` $ git clone git@github.com:slsa-framework/slsa-verifier.git $ cd slsa-verifier $ bash verify-release.sh v2.5.1 ``` The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2024-03-26 08:11:24 -07:00
laurentsimon	eb7007070b	feat: Update verifier version in GHA installer (#747 ) This is part of the release tests in https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#dry-run to verify that the Action installer works. A follow up PR will be sent prior to release to update to `v2.5.0` --------- Signed-off-by: laurentsimon <laurentsimon@google.com> v2.5.1	2024-03-25 14:54:53 +00:00
Mend Renovate	594b179564	chore(deps): update github-actions (#741 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) \| action \| patch \| `v3.1.0` -> `v3.1.5` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| patch \| `v3.8.1` -> `v3.8.2` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v2.22.1` -> `v2.24.8` \| \| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) \| action \| patch \| `v2.3.0` -> `v2.3.1` \| \| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) \| action \| minor \| `v1.9.0` -> `v1.10.0` \| \| [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) \| action \| patch \| `v2.4.0` -> `v2.4.1` \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5): 3.1.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5) #### What's Changed - Smaller `per_page` when requesting diff by [@hmaurer](https://togithub.com/hmaurer) in [https://github.com/actions/dependency-review-action/pull/649](https://togithub.com/actions/dependency-review-action/pull/649) - Update dependencies: - Bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.10.0 to 6.13.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/630](https://togithub.com/actions/dependency-review-action/pull/630) - Bump prettier from 3.0.3 to 3.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/629](https://togithub.com/actions/dependency-review-action/pull/629) - Bump [@types/jest](https://togithub.com/types/jest) from 29.5.8 to 29.5.11 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/637](https://togithub.com/actions/dependency-review-action/pull/637) - Bump nodemon from 3.0.1 to 3.0.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/636](https://togithub.com/actions/dependency-review-action/pull/636) - Replace pip -> pypi in PURL examples by [@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/638](https://togithub.com/actions/dependency-review-action/pull/638) - Bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.12.0 to 6.15.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/644](https://togithub.com/actions/dependency-review-action/pull/644) - Bump eslint from 8.53.0 to 8.56.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/640](https://togithub.com/actions/dependency-review-action/pull/640) - Bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.13.1 to 6.16.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/645](https://togithub.com/actions/dependency-review-action/pull/645) - Bump prettier from 3.1.0 to 3.1.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/646](https://togithub.com/actions/dependency-review-action/pull/646) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5 ### [`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4): 3.1.4 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4) #### What's Changed - Fixed a [bug](https://togithub.com/actions/dependency-review-action/issues/618) with severity filtering when using the `allow_ghsas` option: [https://github.com/actions/dependency-review-action/pull/623](https://togithub.com/actions/dependency-review-action/pull/623). - Updates dependencies: - Bump [@types/node](https://togithub.com/types/node) from 16.18.61 to 16.18.62 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/619](https://togithub.com/actions/dependency-review-action/pull/619) action/pull/620 - Bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.11.0 to 6.12.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/625](https://togithub.com/actions/dependency-review-action/pull/625) - Bump typescript from 5.2.2 to 5.3.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/624](https://togithub.com/actions/dependency-review-action/pull/624) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.1.4 ### [`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3): 3.1.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3) #### What's Changed - Fixes purl "version must be percent-encoded" by [@theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/617](https://togithub.com/actions/dependency-review-action/pull/617) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.1.3 ### [`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2): 3.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2) #### What's Changed - Fix a regression for setups using self-hosted runners behind HTTP proxies:[@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/611](https://togithub.com/actions/dependency-review-action/pull/611) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.1.2 ### [`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1): 3.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1) #### What's Changed - Update a bunch of dependencies, including major version upgrades for `octokit`, `@actions/github` and `typescript`. Full Changelog: https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.2`](https://togithub.com/actions/setup-node/releases/tag/v3.8.2) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.1...v3.8.2) ##### What's Changed - Update semver by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/861](https://togithub.com/actions/setup-node/pull/861) - Update temp directory creation by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-node/pull/859](https://togithub.com/actions/setup-node/pull/859) - Bump [@babel/traverse](https://togithub.com/babel/traverse) from 7.15.4 to 7.23.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/870](https://togithub.com/actions/setup-node/pull/870) - Add notice about binaries not being updated yet by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-node/pull/872](https://togithub.com/actions/setup-node/pull/872) - Update toolkit cache and core by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) and [@seongwon-privatenote](https://togithub.com/seongwon-privatenote) in [https://github.com/actions/setup-node/pull/875](https://togithub.com/actions/setup-node/pull/875) Full Changelog: https://github.com/actions/setup-node/compare/v3...v3.8.2 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.24.8`](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8) ### [`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) ### [`v2.24.6`](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6) ### [`v2.24.5`](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5) ### [`v2.24.4`](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4) ### [`v2.24.3`](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3) ### [`v2.24.2`](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2) ### [`v2.24.1`](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1) ### [`v2.24.0`](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0) ### [`v2.23.2`](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2) ### [`v2.23.1`](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1) ### [`v2.23.0`](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) ### [`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) ### [`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) ### [`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) ### [`v2.22.9`](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) ### [`v2.22.8`](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) ### [`v2.22.7`](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) ### [`v2.22.6`](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) ### [`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) ### [`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) ### [`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282) - Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the [v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1) release notes Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1 </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.10.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0) Release \[v1.10.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0). ##### v1.10.0: TUF fix - The cosign TUF roots were fixed ([#3350](https://togithub.com/slsa-framework/slsa-github-generator/issues/3350)). More details [here](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid). ##### v1.10.0: Gradle Builder - The Gradle Builder was fixed when the project root is the same as the repository root ([#2727](https://togithub.com/slsa-framework/slsa-github-generator/issues/2727)) ##### v1.10.0: Go Builder - The `go-version-file` input was fixed so that it can find the `go.mod` file ([#2661](https://togithub.com/slsa-framework/slsa-github-generator/issues/2661)) ##### v1.10.0: Container Generator - A new `provenance-repository` input was added to allow reading provenance from a different container repository than the image itself ([#2956](https://togithub.com/slsa-framework/slsa-github-generator/issues/2956)) ### [`v1.9.1`](https://togithub.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1) This is an un-finalized release. See the [CHANGELOG](./CHANGELOG.md) for details. </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.4.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.1) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1) #### What's Changed - Fix a verification issue when verifying npm's publish attestations - Low severity https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9. This part of the code remains experimental. #### New Contributors - [@trishankatdatadog](https://togithub.com/trishankatdatadog) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/702](https://togithub.com/slsa-framework/slsa-verifier/pull/702) Full Changelog: https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1 </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2MS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com> v2.5.1-rc.0	2024-03-22 00:59:31 -07:00
laurentsimon	dc7173b856	feat: Regression tests for builder v1.10.0 (#745 ) We need the pre-submit to pass. Merging can happen after the builder release --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2024-03-21 08:48:59 -07:00
Hayden B	52c099b4d3	feat: Add support for DSSE Rekor type (#742 ) This is in preparation for switching over the Rekor entry type in the slsa github generator to be the newer DSSE type. This adds support for searching for both intoto v001 and dsse v001 entries. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>	2024-03-04 07:23:16 -08:00
Mend Renovate	bb41cb6ab2	fix(deps): update go (#498 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [github.com/go-openapi/runtime](https://togithub.com/go-openapi/runtime) \| `v0.26.2` -> `v0.27.0` \| [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-openapi%2fruntime/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgo-openapi%2fruntime/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgo-openapi%2fruntime/v0.26.2/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-openapi%2fruntime/v0.26.2/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| \| [github.com/go-openapi/swag](https://togithub.com/go-openapi/swag) \| `v0.22.7` -> `v0.22.8` \| [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-openapi%2fswag/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgo-openapi%2fswag/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgo-openapi%2fswag/v0.22.7/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-openapi%2fswag/v0.22.7/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>go-openapi/runtime (github.com/go-openapi/runtime)</summary> ### [`v0.27.0`](https://togithub.com/go-openapi/runtime/compare/v0.26.2...v0.27.0) [Compare Source](https://togithub.com/go-openapi/runtime/compare/v0.26.2...v0.27.0) </details> <details> <summary>go-openapi/swag (github.com/go-openapi/swag)</summary> ### [`v0.22.8`](https://togithub.com/go-openapi/swag/compare/v0.22.7...v0.22.8) [Compare Source](https://togithub.com/go-openapi/swag/compare/v0.22.7...v0.22.8) </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xMjUuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2024-01-24 14:31:57 -08:00
Ramon Petgrave	74119b2a7f	fix(deps): update go to 1.21 (#738 ) Fixing the existing PR https://github.com/slsa-framework/slsa-verifier/pull/498 to also change the github actions to use the go 1.21 sourced directly from `go.mod`. - `07e64b653f/.github/workflows/builder_go_slsa3.yml (L56)` - https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file - https://github.com/slsa-framework/slsa-verifier/actions/runs/7559933600/job/20584856777?pr=498 > ... Error: We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. Encountered a fatal error while running "/opt/hostedtoolcache/CodeQL/2.15.5/x64/codeql/go/tools/autobuild.sh". Exit code was 1 and error was: 2024/01/17 18:06:58 Autobuilder was built with go1.21.5, environment has go1.20.12 ... Also fixing some more lint checks about repeated strings --------- Signed-off-by: Mend Renovate <bot@renovateapp.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Co-authored-by: Mend Renovate <bot@renovateapp.com>	2024-01-24 09:29:20 -08:00
saisatishkarra	9b2467f836	feat: fixes #724 : add input for --provenance-repository while image verification (#736 ) @laurentsimon Added a new image verification cmd input `--provenance-repository` This replicates the feature of the `COSIGN_REPOSITORY` environment variable when provenance is stored in a different repository/registry Order of precedence: - If input `--provenance-repository` is set, leverages the non-empty input value - If the env variable `COSIGN_REPOSITORY` is set, it is NOT consumed README edit : https://github.com/slsa-framework/slsa-verifier/pull/736/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R280 --------- Signed-off-by: saisatishkarra <saisatish.karra@konghq.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2024-01-22 18:10:11 +00:00
Ramon Petgrave	ceaebee236	fix: #642 : don't use go-cmp for outputting diff (#737 ) Previously we used the go-cmp's Diff for displaying a human-friendly diff between two structs in an error message. I had intended to do a json print of the structs and do a line-by-line diff. There is an internal library for calculating text diff, but I don't see any external functions that expose it to make it available for our use: https://pkg.go.dev/golang.org/x/tools/internal/diff Instead, this we will simply display both structs in their own "actual" and "expected" sections. The user can use their other tools to find a human-friendly diff. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-01-17 10:05:28 -08:00
Ian Lewis	b804933f00	chore: Remove ianlewis from CODEOWNERS (#732 ) I'm not really contributing to slsa-verifier anymore. Signed-off-by: Ian Lewis <ianlewis@google.com>	2024-01-16 08:32:34 -08:00
saisatishkarra	f09d99f91c	feat: Add cosign registry opts for provenance registry (#729 ) triggered on specification of COSIGN_REPOSITORY env --------- Signed-off-by: saisatishkarra <saisatish.karra@konghq.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2024-01-04 01:39:42 +00:00
laurentsimon	e77e0855b1	chore: Remove asraa from CODEOWNERS (#728 ) Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2024-01-03 18:25:45 +00:00
laurentsimon	eecb791ed8	chore: Fix renovate.json (#727 ) Should fix https://github.com/slsa-framework/slsa-verifier/issues/726 Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2024-01-03 10:03:46 -08:00
Ian Lewis	fcc8bf32f5	ci: Make renovate schedule monthly (#725 ) Makes renovate create PRs for dependency updates monthly rather than weekly. https://docs.renovatebot.com/presets-schedule/#schedulemonthly Also sets vulnerability PRs to be scheduled daily. https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-12-05 15:55:59 -08:00
Mend Renovate	b72da83344	chore(deps): update github-actions (#695 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/checkout](https://togithub.com/actions/checkout) \| action \| minor \| `v3.5.3` -> `v3.6.0` \| \| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) \| action \| minor \| `v3.0.7` -> `v3.1.0` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| patch \| `v3.8.0` -> `v3.8.1` \| \| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) \| action \| patch \| `v3.1.2` -> `v3.1.3` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v2.21.4` -> `v2.22.1` \| \| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) \| action \| minor \| `v2.2.0` -> `v2.3.0` \| \| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) \| action \| minor \| `v1.8.0` -> `v1.9.0` \| \| [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) \| action \| minor \| `v2.3.0` -> `v2.4.0` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0) #### What's New Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`. #### What's Changed - Fix(docs): Correct action input name by [@oerd](https://togithub.com/oerd) in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) #### New Contributors - [@oerd](https://togithub.com/oerd) made their first contribution in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.1.0 ### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8) #### What's Changed Added `on-failure` option to `comment-summary-in-pr` setting by [@sgmurphy](https://togithub.com/sgmurphy) in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`. #### New Contributors - [@sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.0.8 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831). It is filtered and checked in the toolkit/cache library. Full Changelog: https://github.com/actions/setup-node/compare/v3...v3.8.1 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@ljmf00](https://togithub.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313) - Bump [@actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436) Full Changelog: https://github.com/actions/upload-artifact/compare/v3...v3.1.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0 </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0) Release \[v1.9.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0). ##### v1.9.0: BYOB framework (beta) - New: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders. ##### v1.9.0: Maven builder (beta) - New: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central. ##### v1.9.0: Gradle builder (beta) - New: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central. ##### v1.9.0: JReleaser builder - New: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java). </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0) #### Summary Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0 #### What's Changed - chore: Update SHA256SUM.md for v2.3.0 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/592](https://togithub.com/slsa-framework/slsa-verifier/pull/592) - docs: Make npm package version and name non-optional by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/591](https://togithub.com/slsa-framework/slsa-verifier/pull/591) - docs: npm provenance verification from GitHub runner by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/595](https://togithub.com/slsa-framework/slsa-verifier/pull/595) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v18.16.9 by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/596](https://togithub.com/slsa-framework/slsa-verifier/pull/596) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/597](https://togithub.com/slsa-framework/slsa-verifier/pull/597) - chore(deps): update dependency jasmine to v5 by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/598](https://togithub.com/slsa-framework/slsa-verifier/pull/598) - feat: BYOB verification support by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/604](https://togithub.com/slsa-framework/slsa-verifier/pull/604) - feat: Support for v1.0 verification in BYOB by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/609](https://togithub.com/slsa-framework/slsa-verifier/pull/609) - feat: Use env variable to retrieve trigger workflow by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/615](https://togithub.com/slsa-framework/slsa-verifier/pull/615) - test: Add test data for v1.6.0 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/612](https://togithub.com/slsa-framework/slsa-verifier/pull/612) - fix: Verify the TRW tag is a semver tag by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/619](https://togithub.com/slsa-framework/slsa-verifier/pull/619) - chore: Don't be verbose with tests locally by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/620](https://togithub.com/slsa-framework/slsa-verifier/pull/620) - fix: use ExternalParameters\["source"] for the Source URI for SLSA v1.0 provenance by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/621](https://togithub.com/slsa-framework/slsa-verifier/pull/621) - test: re-generate container-based tests by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/627](https://togithub.com/slsa-framework/slsa-verifier/pull/627) - fix: revert to using resolvedDepdendencies for source verification by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/629](https://togithub.com/slsa-framework/slsa-verifier/pull/629) - refactor: Provenance tests by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/628](https://togithub.com/slsa-framework/slsa-verifier/pull/628) - fix(deps): update module github.com/sigstore/rekor to v1.2.0 \[security] by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/622](https://togithub.com/slsa-framework/slsa-verifier/pull/622) - fix: only allow hashes of 256 bits or more by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/633](https://togithub.com/slsa-framework/slsa-verifier/pull/633) - fix: builder ID verification for testing by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/635](https://togithub.com/slsa-framework/slsa-verifier/pull/635) - feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/634](https://togithub.com/slsa-framework/slsa-verifier/pull/634) - chore: update toc in README.md by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/636](https://togithub.com/slsa-framework/slsa-verifier/pull/636) - fix: allow workflow_dispatch to trigger release.yml by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/637](https://togithub.com/slsa-framework/slsa-verifier/pull/637) - test: add tests for v1.7.0 builders by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/638](https://togithub.com/slsa-framework/slsa-verifier/pull/638) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/607](https://togithub.com/slsa-framework/slsa-verifier/pull/607) - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859) by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/567](https://togithub.com/slsa-framework/slsa-verifier/pull/567) - fix(deps): update github.com/sigstore/protobuf-specs digest to [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406) by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/606](https://togithub.com/slsa-framework/slsa-verifier/pull/606) - chore(deps): update npm dev by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/608](https://togithub.com/slsa-framework/slsa-verifier/pull/608) - chore(deps): update golang:1.19 docker digest to [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84) by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/583](https://togithub.com/slsa-framework/slsa-verifier/pull/583) - feat: Verify provenance by build type by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/632](https://togithub.com/slsa-framework/slsa-verifier/pull/632) - refactor: Use Go 1.20 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/643](https://togithub.com/slsa-framework/slsa-verifier/pull/643) - test: Add more ProvenanceFromEnvelope tests by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/640](https://togithub.com/slsa-framework/slsa-verifier/pull/640) - fix: pre-submit: e2e-cli.sh artifact download by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/646](https://togithub.com/slsa-framework/slsa-verifier/pull/646) - refactor: Add more git utils by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/645](https://togithub.com/slsa-framework/slsa-verifier/pull/645) - refactor: Use full builder id by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/648](https://togithub.com/slsa-framework/slsa-verifier/pull/648) - feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/644](https://togithub.com/slsa-framework/slsa-verifier/pull/644) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/651](https://togithub.com/slsa-framework/slsa-verifier/pull/651) - feat: move maven-plugin from slsa-github-generator by [@AdamKorcz](https://togithub.com/AdamKorcz) in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - docs: Fix maven-plugin README by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/671](https://togithub.com/slsa-framework/slsa-verifier/pull/671) - feat: Verification for when sha1 is specified in BYOB TRW by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/641](https://togithub.com/slsa-framework/slsa-verifier/pull/641) - docs: Add example for maven verification plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/676](https://togithub.com/slsa-framework/slsa-verifier/pull/676) - chore: Add Kris to codeowners by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/678](https://togithub.com/slsa-framework/slsa-verifier/pull/678) - feat: Print byob builder by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/677](https://togithub.com/slsa-framework/slsa-verifier/pull/677) - test: Add test data for v1.8.0 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/681](https://togithub.com/slsa-framework/slsa-verifier/pull/681) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/666](https://togithub.com/slsa-framework/slsa-verifier/pull/666) - feat: Non-compulsory BuilderID for BYOB Builders by [@enteraga6](https://togithub.com/enteraga6) in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) - chore(deps): update golang docker tag to v1.21 by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/687](https://togithub.com/slsa-framework/slsa-verifier/pull/687) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/686](https://togithub.com/slsa-framework/slsa-verifier/pull/686) - feat: GCB refactor for v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/682](https://togithub.com/slsa-framework/slsa-verifier/pull/682) - feat: Allow byob builders ref at main for e2e tests by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/689](https://togithub.com/slsa-framework/slsa-verifier/pull/689) - feat: Update doc and code for Maven plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/680](https://togithub.com/slsa-framework/slsa-verifier/pull/680) - feat: gcb v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/691](https://togithub.com/slsa-framework/slsa-verifier/pull/691) - feat: v1.9.0 regression tests by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/696](https://togithub.com/slsa-framework/slsa-verifier/pull/696) - fix: release failure by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/697](https://togithub.com/slsa-framework/slsa-verifier/pull/697) #### New Contributors - [@AdamKorcz](https://togithub.com/AdamKorcz) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - [@enteraga6](https://togithub.com/enteraga6) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) Full Changelog: https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0 </details> --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2023-12-01 22:18:37 +00:00
laurentsimon	e986dfc0ff	feat: Digest for new release (#722 ) #label:release v2.4.1 How to LGTM this PR: Ensure you have installed the GitHub client from https://cli.github.com. If it is not installed in your `PATH`, set `export GH=/path/to/your/gh` Set your `export GH_TOKEN=...` Use [verify-release.sh](./verify-release.sh) script in this repository: ``` bash verify-release v2.4.1 ``` Once it completes, you will see the last line `Verifying artifact /tmp/tmp.SomeRanDOm/` and do: ```bash sha256sum /tmp/tmp.SomeRanDOm/* \| grep -v intoto ``` This will print out the hashes. Compare them to the changes in this PR --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-11-07 17:23:25 -08:00
laurentsimon	7e1e47d7d7	docs: update release doc and rm binary (#716 ) Signed-off-by: laurentsimon <laurentsimon@google.com> v2.4.1-rc.1 v2.4.1	2023-10-16 13:44:13 -07:00
Mend Renovate	a7d5c7b0f1	fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.5 (#669 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [org.apache.maven:maven-plugin-api](https://maven.apache.org/) \| `3.6.3` -> `3.9.5` \| [![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-plugin-api/3.9.5?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-plugin-api/3.9.5?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-plugin-api/3.6.3/3.9.5?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-plugin-api/3.6.3/3.9.5?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4xMS4wIiwidXBkYXRlZEluVmVyIjoiMzcuMC4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> v2.4.1-rc.0	2023-10-10 02:06:04 +00:00
Mend Renovate	088a626879	fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.9.0 (#667 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools) \| `3.6.0` -> `3.9.0` \| [![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.6.0/3.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.6.0/3.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4xMS4wIiwidXBkYXRlZEluVmVyIjoiMzYuMTEuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2023-10-10 01:00:37 +00:00
laurentsimon	2184d9d604	chore: bump versions (#715 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-10-10 00:27:33 +00:00
laurentsimon	3b171c4140	feat: Address unresolved comments from #705 (#708 ) closes https://github.com/slsa-framework/slsa-verifier/issues/707 Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-10-09 23:17:48 +00:00
dependabot[bot]	8602109f3f	chore(deps): bump org.apache.maven:maven-core from 3.2.5 to 3.8.1 in /experimental/maven-plugin (#713 ) Bumps [org.apache.maven:maven-core](https://github.com/apache/maven) from 3.2.5 to 3.8.1. <details> <summary>Commits</summary> <ul> <li><a href="`05c21c65bd`"><code>05c21c6</code></a> [maven-release-plugin] prepare release maven-3.8.1</li> <li><a href="`d295dc362f`"><code>d295dc3</code></a> [MNG-7128] keep blocked attribute from mirrors in artifact repositories</li> <li><a href="`a46906806a`"><code>a469068</code></a> next version in branch 3.8.x is 3.8.1-SNAPSHOT</li> <li><a href="`dad8a3e1c5`"><code>dad8a3e</code></a> [maven-release-plugin] prepare for next development iteration</li> <li><a href="`6aa1f4acf5`"><code>6aa1f4a</code></a> [maven-release-plugin] prepare release maven-3.8.0</li> <li><a href="`907d53ad32`"><code>907d53a</code></a> [MNG-7118] block HTTP repositories by default</li> <li><a href="`899465aeec`"><code>899465a</code></a> [MNG-7117] add support for blocked mirror</li> <li><a href="`fa79cb22e4`"><code>fa79cb2</code></a> [MNG-7116] add support for mirrorOf external:http:*</li> <li><a href="`e5f6634e17`"><code>e5f6634</code></a> use Maven Resolver 1.6.2</li> <li><a href="`09f77da9b0`"><code>09f77da</code></a> [MNG-7119] Upgrade Maven Wagon to 3.4.3</li> <li>Additional commits viewable in <a href="https://github.com/apache/maven/compare/maven-3.2.5...maven-3.8.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.maven:maven-core&package-manager=maven&previous-version=3.2.5&new-version=3.8.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-10-09 23:04:57 +00:00

1 2 3 4 5 ...

428 Commits