From 9a2cff01b02520d1bbf2089216529e1628b26d39 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 20 Nov 2023 16:39:27 +0000
Subject: [PATCH 01/39] chore: bump github.com/stretchr/testify from 1.8.2 to 1.8.4

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.4.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.4)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 8 ++------
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index 321b5fa8..161c3262 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/open-policy-agent/opa v0.49.1
 github.com/owenrumney/go-sarif v1.1.1
 github.com/spiffe/go-spiffe/v2 v2.1.6
- github.com/stretchr/testify v1.8.2
+ github.com/stretchr/testify v1.8.4
 github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76
 go.step.sm/crypto v0.25.2
 golang.org/x/sys v0.13.0
diff --git a/go.sum b/go.sum
index 83db0dcd..620aa8e4 100644
--- a/go.sum
+++ b/go.sum
@@ -188,17 +188,13 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spiffe/go-spiffe/v2 v2.1.6 h1:4SdizuQieFyL9eNU+SPiCArH4kynzaKOOj0VvM8R7Xo=
 github.com/spiffe/go-spiffe/v2 v2.1.6/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
 github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
 github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76 h1:GAUgHyg4ss2DDTIYG9RuVxap2smkAGtzpXcOvNxlLic=

From 5f74d751a871d090c0941976dfc503c92634a556 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 20 Nov 2023 16:48:50 +0000
Subject: [PATCH 02/39] chore: bump k8s.io/apimachinery from 0.26.10 to 0.26.11

Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.26.10 to 0.26.11.
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.26.10...v0.26.11)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 161c3262..8c909e8c 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 golang.org/x/sys v0.13.0
 google.golang.org/grpc v1.56.3
 gopkg.in/square/go-jose.v2 v2.6.0
- k8s.io/apimachinery v0.26.10
+ k8s.io/apimachinery v0.26.11
 )

 require (
@@ -92,7 +92,7 @@ require (
 golang.org/x/term v0.13.0 // indirect
 golang.org/x/text v0.13.0 // indirect
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
- google.golang.org/protobuf v1.30.0 // indirect
+ google.golang.org/protobuf v1.31.0 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index 620aa8e4..6eb449f5 100644
--- a/go.sum
+++ b/go.sum
@@ -331,8 +331,8 @@ google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpX
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alexcesaro/statsd.v2 v2.0.0 h1:FXkZSCZIH17vLCO5sO2UucTHsH9pc+17F6pl3JVCwMc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -356,8 +356,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/apimachinery v0.26.10 h1:aE+J2KIbjctFqPp3Y0q4Wh2PD+l1p2g3Zp4UYjSvtGU=
-k8s.io/apimachinery v0.26.10/go.mod h1:iT1ZP4JBP34wwM+ZQ8ByPEQ81u043iqAcsJYftX9amM=
+k8s.io/apimachinery v0.26.11 h1:w//840HHdwSRKqD15j9YX9HLlU6RPlfrvW0xEhLk2+0=
+k8s.io/apimachinery v0.26.11/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y=
 k8s.io/klog/v2 v2.90.0 h1:VkTxIV/FjRXn1fgNNcKGM8cfmL1Z33ZjXRTVxKCoF5M=
 k8s.io/klog/v2 v2.90.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/utils v0.0.0-20230115233650-391b47cb4029 h1:L8zDtT4jrxj+TaQYD0k8KNlr556WaVQylDXswKmX+dE=

From 86c89679c49618840b1fb224bb4bdd231d5220f0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 20 Nov 2023 16:56:54 +0000
Subject: [PATCH 03/39] chore: bump github.com/mattn/go-isatty from 0.0.17 to 0.0.20

Bumps [github.com/mattn/go-isatty](https://github.com/mattn/go-isatty) from 0.0.17 to 0.0.20.
- [Commits](https://github.com/mattn/go-isatty/compare/v0.0.17...v0.0.20)

---
updated-dependencies:
- dependency-name: github.com/mattn/go-isatty
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 8c909e8c..d6334ada 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/digitorus/timestamp v0.0.0-20230220124323-d542479a2425
 github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d
 github.com/go-git/go-git/v5 v5.5.2
- github.com/mattn/go-isatty v0.0.17
+ github.com/mattn/go-isatty v0.0.20
 github.com/open-policy-agent/opa v0.49.1
 github.com/owenrumney/go-sarif v1.1.1
 github.com/spiffe/go-spiffe/v2 v2.1.6
diff --git a/go.sum b/go.sum
index 6eb449f5..d85bcf3e 100644
--- a/go.sum
+++ b/go.sum
@@ -136,8 +136,8 @@ github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf h1:ndns1qx/5dL
 github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf/go.mod h1:aGkAgvWY/IUcVFfuly53REpfv5edu25oij+qHRFaraA=
 github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -285,11 +285,11 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

From 3e8628339da6a093505d3e8ec60971b1eaf8547c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 20 Nov 2023 17:04:39 +0000
Subject: [PATCH 04/39] chore: bump github.com/open-policy-agent/opa from 0.49.1 to 0.49.2

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.49.1 to 0.49.2.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.49.1...v0.49.2)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index d6334ada..cbf48743 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d
 github.com/go-git/go-git/v5 v5.5.2
 github.com/mattn/go-isatty v0.0.20
- github.com/open-policy-agent/opa v0.49.1
+ github.com/open-policy-agent/opa v0.49.2
 github.com/owenrumney/go-sarif v1.1.1
 github.com/spiffe/go-spiffe/v2 v2.1.6
 github.com/stretchr/testify v1.8.4
diff --git a/go.sum b/go.sum
index d85bcf3e..f38cfc2a 100644
--- a/go.sum
+++ b/go.sum
@@ -146,8 +146,8 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/open-policy-agent/opa v0.49.1 h1:hXnKOmzVk8TyCTHEoHTZvYjAqwOBS9n+3mf4zmdDtP0=
-github.com/open-policy-agent/opa v0.49.1/go.mod h1:Wvc+vpbXuYxhKk0uvhTxmDmZ3rjSXtqYJBtGAPNoJ6E=
+github.com/open-policy-agent/opa v0.49.2 h1:n8ntRq/yDWy+cmYaqSLrHXmrT3tX8WlK28vjFQdC6W8=
+github.com/open-policy-agent/opa v0.49.2/go.mod h1:7L3lN5qe8xboRmEHxC5lGjo5KsRMdK+CCLiFoOCP7rU=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/owenrumney/go-sarif v1.1.1 h1:QNObu6YX1igyFKhdzd7vgzmw7XsWN3/6NMGuDzBgXmE=

From 2bdd1c6b0412bd48f4ae14c6e897206aec372985 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 Nov 2023 22:19:43 +0000
Subject: [PATCH 05/39] chore: bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1

Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v3.0.0...v3.0.1)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
dependency-type: indirect
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index cbf48743..6d6c876c 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
 github.com/cloudflare/circl v1.3.3 // indirect
 github.com/coreos/go-oidc/v3 v3.5.0 // indirect
 github.com/dustin/go-humanize v1.0.1 // indirect
- github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+ github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 github.com/go-logr/logr v1.2.3 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/google/flatbuffers v2.0.8+incompatible // indirect
diff --git a/go.sum b/go.sum
index f38cfc2a..dea9197c 100644
--- a/go.sum
+++ b/go.sum
@@ -70,8 +70,9 @@ github.com/go-git/go-git-fixtures/v4 v4.3.1 h1:y5z6dd3qi8Hl+stezc8p3JxDkoTRqMAlK
 github.com/go-git/go-git-fixtures/v4 v4.3.1/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
 github.com/go-git/go-git/v5 v5.5.2 h1:v8lgZa5k9ylUw+OR/roJHTxR4QItsNFI5nKtAXFuynw=
 github.com/go-git/go-git/v5 v5.5.2/go.mod h1:BE5hUJ5yaV2YMxhmaP4l6RBQ08kMxKSPD4BlxtH7OjI=
-github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
+github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
 github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=

From 7ec4004d63166656252caa58520ee54bbeaae3c8 Mon Sep 17 00:00:00 2001
From: Benji Visser
Date: Sun, 3 Dec 2023 10:36:27 -0800
Subject: [PATCH 06/39] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a1c9c198..8c2afc51 100644
--- a/README.md
+++ b/README.md
@@ -196,7 +196,7 @@ The attestation types are used when we evaluate policy against these attestation
 Attestations are only as secure as the data that feeds them. Where possible cryptographic material should be validated, evidence of validation should be included in the attestation for out-of-band validation.
-Examples of cryptographic validation is found in the [GCP](https://github.com/testifysec/witness/tree/main/pkg/attestation/gcp-iit), [AWS](https://github.com/testifysec/witness/blob/main/pkg/attestation/aws-iid/aws-iid.go), and [GitLab](https://github.com/testifysec/witness/tree/main/pkg/attestation/gitlab) attestors.
+Examples of cryptographic validation is found in the [GCP](https://github.com/in-toto/go-witness/blob/main/attestation/gcp-iit/gcp-iit.go), [AWS](https://github.com/in-toto/go-witness/blob/main/attestation/aws-iid/aws-iid.go), and [GitLab](https://github.com/in-toto/go-witness/blob/main/attestation/gitlab/gitlab.go) attestors.
 ## Attestor Life Cycle

From 1d30fe243a863d8dae0799c1553b4fc51f8ffa76 Mon Sep 17 00:00:00 2001
From: Tom Meadows
Date: Mon, 4 Dec 2023 21:30:48 +0000
Subject: [PATCH 07/39] Refactoring error messages to use %w formatting directive and fix logging issue (#85)

* refactored to handle error wrapping inside the log package

Signed-off-by: chaosinthecrd

* using %w directive wherever possible

Signed-off-by: chaosinthecrd

---------
Signed-off-by: chaosinthecrd
---
 attestation/aws-iid/aws-iid.go | 26 ++++++++++++-------------
 attestation/commandrun/tracing_linux.go | 4 ++--
 attestation/context.go | 2 +-
 attestation/factory.go | 2 +-
 attestation/gcp-iit/gcp-iit.go | 15 +++++++-------
 attestation/github/github.go | 4 ++--
 attestation/gitlab/gitlab.go | 6 +++---
 attestation/maven/maven.go | 4 ++--
 attestation/oci/oci.go | 10 +++++-----
 attestation/sarif/sarif.go | 4 ++--
 log/log.go | 22 ++++++++++++++++++---
 policy/policy.go | 2 +-
 signer/file/file.go | 10 +++++-----
 source/verified.go | 2 +-
 verify.go | 2 +-
 15 files changed, 66 insertions(+), 49 deletions(-)

diff --git a/attestation/aws-iid/aws-iid.go b/attestation/aws-iid/aws-iid.go
index fd9ad36b..874fbd6d 100644
--- a/attestation/aws-iid/aws-iid.go
+++ b/attestation/aws-iid/aws-iid.go
@@ -134,12 +134,12 @@ func (a *Attestor) getIID() error {
 svc := ec2metadata.New(&a.session, a.conf)
 iid, err := svc.GetDynamicData(docPath)
 if err != nil {
- return fmt.Errorf("failed to get instance identity document: %v", err)
+ return fmt.Errorf("failed to get instance identity document: %w", err)
 }

 sig, err := svc.GetDynamicData(sigPath)
 if err != nil {
- return fmt.Errorf("failed to get signature: %v", err)
+ return fmt.Errorf("failed to get signature: %w", err)
 }

 a.RawIID = iid
@@ -147,7 +147,7 @@ func (a *Attestor) getIID() error {
 err = json.Unmarshal([]byte(a.RawIID), &a.EC2InstanceIdentityDocument)
 if err != nil {
- return fmt.Errorf("failed to unmarshal iid: %v", err)
+ return fmt.Errorf("failed to unmarshal iid: %w", err)
 }

 return nil
@@ -161,17 +161,17 @@ func (a *Attestor) Verify() error {
 docHash := sha256.Sum256([]byte(a.RawIID))
 sigBytes, err := base64.StdEncoding.DecodeString(a.RawSig)
 if err != nil {
- return fmt.Errorf("failed to decode signature: %v", err)
+ return fmt.Errorf("failed to decode signature: %w", err)
 }

 pubKey, err := getAWSCAPublicKey()
 if err != nil {
- return fmt.Errorf("failed to get AWS public key: %v", err)
+ return fmt.Errorf("failed to get AWS public key: %w", err)
 }

 pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
 if err != nil {
- return fmt.Errorf("failed to marshal public key: %v", err)
+ return fmt.Errorf("failed to marshal public key: %w", err)
 }

 pem := pem.EncodeToMemory(&pem.Block{
@@ -182,12 +182,12 @@ func (a *Attestor) Verify() error {
 a.PublicKey = string(pem)

 if err != nil {
- return fmt.Errorf("failed to encode public key: %v", err)
+ return fmt.Errorf("failed to encode public key: %w", err)
 }

 err = rsa.VerifyPKCS1v15(pubKey, crypto.SHA256, docHash[:], sigBytes)
 if err != nil {
- log.Debugf("(attestation/aws-iid) failed to verify signature: %v", err)
+ log.Debugf("(attestation/aws-iid) failed to verify signature: %w", err)
 return nil
 }
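Review bot: The `failed to encode public key` branch in the `@@ -182` hunk is unreachable: the `err` it tests is the value already checked after `x509.MarshalPKIXPublicKey` (nothing visible reassigns it), and `pem.EncodeToMemory` signals failure by returning nil rather than an error, so the `%w` rewrite on that line wraps an error that can never be non-nil. Test the result instead, `if pem == nil { return fmt.Errorf("failed to encode public key") }`; note that `pem := pem.EncodeToMemory(...)` also shadows the `pem` package for the rest of Verify, which is worth renaming to `pemBytes`. Separately, a failed `rsa.VerifyPKCS1v15` is only recorded at debug level and the function still returns nil, so an identity document whose signature does not verify is handled the same way as one that does; if Verify is meant to gate the attestation it should return the error, and if a failed check is intentionally non-fatal the log level should at least be Warn so the outcome is visible. Verify's body begins before the first hunk and the closing lines are outside the second.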
@@ -200,25 +200,25 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.EC2InstanceIdentityDocument.InstanceID), hashes); err == nil {
 subjects[fmt.Sprintf("instanceid:%s", a.EC2InstanceIdentityDocument.InstanceID)] = ds
 } else {
- log.Debugf("(attestation/aws) failed to record aws instanceid subject: %v", err)
+ log.Debugf("(attestation/aws) failed to record aws instanceid subject: %w", err)
 }

 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.EC2InstanceIdentityDocument.AccountID), hashes); err == nil {
 subjects[fmt.Sprintf("accountid:%s", a.EC2InstanceIdentityDocument.AccountID)] = ds
 } else {
- log.Debugf("(attestation/aws) failed to record aws accountid subject: %v", err)
+ log.Debugf("(attestation/aws) failed to record aws accountid subject: %w", err)
 }

 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.EC2InstanceIdentityDocument.ImageID), hashes); err == nil {
 subjects[fmt.Sprintf("imageid:%s", a.EC2InstanceIdentityDocument.ImageID)] = ds
 } else {
- log.Debugf("(attestation/aws) failed to record aws imageid subject: %v", err)
+ log.Debugf("(attestation/aws) failed to record aws imageid subject: %w", err)
 }

 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.EC2InstanceIdentityDocument.PrivateIP), hashes); err == nil {
 subjects[fmt.Sprintf("privateip:%s", a.EC2InstanceIdentityDocument.PrivateIP)] = ds
 } else {
- log.Debugf("(attestation/aws) failed to record aws privateip subject: %v", err)
+ log.Debugf("(attestation/aws) failed to record aws privateip subject: %w", err)
 }

 return subjects
@@ -232,7 +232,7 @@ func getAWSCAPublicKey() (*rsa.PublicKey, error) {
 cert, err := x509.ParseCertificate(block.Bytes)
 if err != nil {
- return nil, fmt.Errorf("failed to parse certificate: %v", err)
+ return nil, fmt.Errorf("failed to parse certificate: %w", err)
 }

 return cert.PublicKey.(*rsa.PublicKey), nil
diff --git a/attestation/commandrun/tracing_linux.go b/attestation/commandrun/tracing_linux.go
index c9e63dc2..e9cce1bd 100644
--- a/attestation/commandrun/tracing_linux.go
+++ b/attestation/commandrun/tracing_linux.go
@@ -112,12 +112,12 @@ func (p *ptraceContext) runTrace() error {
 if status.Stopped() && isPtraceTrap {
 injectedSig = 0
 if err := p.nextSyscall(pid); err != nil {
- log.Debugf("(tracing) got error while processing syscall: %v", err)
+ log.Debugf("(tracing) got error while processing syscall: %w", err)
 }
 }

 if err := unix.PtraceSyscall(pid, injectedSig); err != nil {
- log.Debugf("(tracing) got error from ptrace syscall: %v", err)
+ log.Debugf("(tracing) got error from ptrace syscall: %w", err)
 }
 }
 }
diff --git a/attestation/context.go b/attestation/context.go
index 80bab148..d0e1a455 100644
--- a/attestation/context.go
+++ b/attestation/context.go
@@ -185,7 +185,7 @@ func (ctx *AttestationContext) runAttestor(attestor Attestor) error {
 log.Infof("Starting %v attestor...", attestor.Name())
 startTime := time.Now()
 if err := attestor.Attest(ctx); err != nil {
- log.Errorf("Error running %v attestor: %v", attestor.Name(), err)
+ log.Errorf("Error running %v attestor: %w", attestor.Name(), err)
 ctx.completedAttestors = append(ctx.completedAttestors, CompletedAttestor{
 Attestor: attestor,
 StartTime: startTime,
diff --git a/attestation/factory.go b/attestation/factory.go
index cfcf2cc6..ef50a60c 100644
--- a/attestation/factory.go
+++ b/attestation/factory.go
@@ -35,7 +35,7 @@ type Attestor interface {
 }

 // Subjecter allows attestors to expose bits of information that will be added to
-// the in-toto statement as subjects. External services such as Rekor and Archivist
+// the in-toto statement as subjects. External services such as Rekor and Archivista
 // use in-toto subjects as indexes back to attestations.
 type Subjecter interface {
 Subjects() map[string]cryptoutil.DigestSet
diff --git a/attestation/gcp-iit/gcp-iit.go b/attestation/gcp-iit/gcp-iit.go
index d970acc8..c2cdfdbd 100644
--- a/attestation/gcp-iit/gcp-iit.go
+++ b/attestation/gcp-iit/gcp-iit.go
@@ -102,6 +102,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 tokenURL := identityTokenURL(defaultIdentityTokenHost, defaultServiceAccount)
 identityToken, err := getMetadata(tokenURL)
 if err != nil {
+ // status.Errorf does not support %w directive
 return status.Errorf(codes.Internal, "unable to retrieve valid identity token: %v", err)
 }

@@ -150,7 +151,7 @@ func (a *Attestor) getInstanceData() {
 for k, v := range endpoints {
 data, err := getMetadata(v)
 if err != nil {
- log.Warnf("failed to retrieve gcp metadata from %v: %v", v, err)
+ log.Warnf("failed to retrieve gcp metadata from %v: %w", v, err)
 continue
 }
 metadata[k] = string(data)
@@ -165,7 +166,7 @@ func (a *Attestor) getInstanceData() {
 projID, projNum, err := parseJWTProjectInfo(a.JWT)
 if err != nil {
- log.Warnf("unable to parse gcp project info from JWT: %v\n", err)
+ log.Warnf("unable to parse gcp project info from JWT: %w\n", err)
 }

 a.ProjectID = projID
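Review bot: The format string in the `@@ -165` hunk keeps a trailing `\n` after `%w`; because this commit routes `log.Warnf` through `fmt.Errorf`, that newline now becomes part of the error value handed to the logger instead of merely terminating a printed line, so drop it: `log.Warnf("unable to parse gcp project info from JWT: %w", err)`. The same hunk continues past `a.ProjectID = projID` outside the view, and getInstanceData's body begins before the `@@ -150` hunk. In the `@@ -102` hunk the `// status.Errorf does not support %w directive` comment is accurate and is a useful marker for anyone later sweeping `%v` to `%w`.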
@@ -179,31 +180,31 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.InstanceID), hashes); err == nil {
 subjects[fmt.Sprintf("instanceid:%v", a.InstanceID)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp instanceid subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp instanceid subject: %w", err)
 }

 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.InstanceHostname), hashes); err == nil {
 subjects[fmt.Sprintf("instancename:%v", a.InstanceHostname)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp instancename subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp instancename subject: %w", err)
 }

 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ProjectID), hashes); err == nil {
 subjects[fmt.Sprintf("projectid:%v", a.ProjectID)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp projectid subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp projectid subject: %w", err)
 }

 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ProjectNumber), hashes); err == nil {
 subjects[fmt.Sprintf("projectnumber:%v", a.ProjectNumber)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp projectnumber subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp projectnumber subject: %w", err)
 }

 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ClusterUID), hashes); err == nil {
 subjects[fmt.Sprintf("clusteruid:%v", a.ClusterUID)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp clusteruid subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp clusteruid subject: %w", err)
 }

 return subjects
diff --git a/attestation/github/github.go b/attestation/github/github.go
index ef394210..cece9c0c 100644
--- a/attestation/github/github.go
+++ b/attestation/github/github.go
@@ -140,13 +140,13 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if pipelineSubj, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.PipelineUrl), hashes); err == nil {
 subjects[fmt.Sprintf("pipelineurl:%v", a.PipelineUrl)] = pipelineSubj
 } else {
- log.Debugf("(attestation/github) failed to record github pipelineurl subject: %v", err)
+ log.Debugf("(attestation/github) failed to record github pipelineurl subject: %w", err)
 }

 if projectSubj, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ProjectUrl), hashes); err == nil {
 subjects[fmt.Sprintf("projecturl:%v", a.ProjectUrl)] = projectSubj
 } else {
- log.Debugf("(attestation/github) failed to record github projecturl subject: %v", err)
+ log.Debugf("(attestation/github) failed to record github projecturl subject: %w", err)
 }

 return subjects
diff --git a/attestation/gitlab/gitlab.go b/attestation/gitlab/gitlab.go
index ba0b9517..5d6c1a80 100644
--- a/attestation/gitlab/gitlab.go
+++ b/attestation/gitlab/gitlab.go
@@ -122,19 +122,19 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.PipelineUrl), hashes); err == nil {
 subjects[fmt.Sprintf("pipelineurl:%v", a.PipelineUrl)] = ds
 } else {
- log.Debugf("(attestation/gitlab) failed to record gitlab pipelineurl subject: %v", err)
+ log.Debugf("(attestation/gitlab) failed to record gitlab pipelineurl subject: %w", err)
 }

 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.JobUrl), hashes); err == nil {
 subjects[fmt.Sprintf("joburl:%v", a.JobUrl)] = ds
 } else {
- log.Debugf("(attestation/gitlab) failed to record gitlab joburl subject: %v", err)
+ log.Debugf("(attestation/gitlab) failed to record gitlab joburl subject: %w", err)
 }

 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ProjectUrl), hashes); err == nil {
 subjects[fmt.Sprintf("projecturl:%v", a.ProjectUrl)] = ds
 } else {
- log.Debugf("(attestation/gitlab) failed to record gitlab projecturl subject: %v", err)
+ log.Debugf("(attestation/gitlab) failed to record gitlab projecturl subject: %w", err)
 }

 return subjects
diff --git a/attestation/maven/maven.go b/attestation/maven/maven.go
index 801852a8..985b4ab1 100644
--- a/attestation/maven/maven.go
+++ b/attestation/maven/maven.go
@@ -121,14 +121,14 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(projectSubject), hashes); err == nil {
 subjects[projectSubject] = ds
 } else {
- log.Debugf("(attestation/maven) failed to record %v subject: %v", projectSubject, err)
+ log.Debugf("(attestation/maven) failed to record %v subject: %w", projectSubject, err)
 }

 for _, dep := range a.Dependencies {
 depSubject := fmt.Sprintf("dependency:%v/%v@%v", dep.GroupId, dep.ArtifactId, dep.Version)
 depDigest, err := cryptoutil.CalculateDigestSetFromBytes([]byte(depSubject), hashes)
 if err != nil {
- log.Debugf("(attestation/maven) failed to record %v subject: %v", depSubject, err)
+ log.Debugf("(attestation/maven) failed to record %v subject: %w", depSubject, err)
 }

 subjects[depSubject] = depDigest
diff --git a/attestation/oci/oci.go b/attestation/oci/oci.go
index de8f3386..f16569af 100644
--- a/attestation/oci/oci.go
+++ b/attestation/oci/oci.go
@@ -99,7 +99,7 @@ func (m *Manifest) getImageID(ctx *attestation.AttestationContext, tarFilePath s
 imageID, err := cryptoutil.CalculateDigestSetFromBytes(b, ctx.Hashes())
 if err != nil {
- log.Debugf("(attestation/oci) error calculating image id: %v", err)
+ log.Debugf("(attestation/oci) error calculating image id: %w", err)
 return nil, err
 }
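Review bot: In the maven.go `@@ -121` hunk the dependency loop logs the digest failure but does not skip the entry, so `subjects[depSubject] = depDigest` still runs and records whatever zero value `CalculateDigestSetFromBytes` returned for that dependency; the project-subject branch directly above avoids this with its if/else, and the oci.go `@@ -241` hunk in this same commit uses `continue` in the equivalent loop. Add `continue` after the `log.Debugf` call so a subject is only emitted when its digest was computed. Subjects' body begins before this hunk.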
@@ -127,18 +127,18 @@ func (a *Attestor) RunType() attestation.RunType {

 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 if err := a.getCandidate(ctx); err != nil {
- log.Debugf("(attestation/oci) error getting candidate: %v", err)
+ log.Debugf("(attestation/oci) error getting candidate: %w", err)
 return err
 }

 if err := a.parseMaifest(ctx); err != nil {
- log.Debugf("(attestation/oci) error parsing manifest: %v", err)
+ log.Debugf("(attestation/oci) error parsing manifest: %w", err)
 return err
 }

 imageID, err := a.Manifest[0].getImageID(ctx, a.tarFilePath)
 if err != nil {
- log.Debugf("(attestation/oci) error getting image id: %v", err)
+ log.Debugf("(attestation/oci) error getting image id: %w", err)
 return err
 }

@@ -241,7 +241,7 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 for _, tag := range a.ImageTags {
 hash, err := cryptoutil.CalculateDigestSetFromBytes([]byte(tag), hashes)
 if err != nil {
- log.Debugf("(attestation/oci) error calculating image tag: %v", err)
+ log.Debugf("(attestation/oci) error calculating image tag: %w", err)
 continue
 }
 subj[fmt.Sprintf("imagetag:%s", tag)] = hash
diff --git a/attestation/sarif/sarif.go b/attestation/sarif/sarif.go
index c5e09972..8c21d8ca 100644
--- a/attestation/sarif/sarif.go
+++ b/attestation/sarif/sarif.go
@@ -71,7 +71,7 @@ func (a *Attestor) RunType() attestation.RunType {

 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 if err := a.getCandidate(ctx); err != nil {
- log.Debugf("(attestation/sarif) error getting candidate: %v", err)
+ log.Debugf("(attestation/sarif) error getting candidate: %w", err)
 return err
 }
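Review bot: `a.Manifest[0].getImageID(...)` in the oci.go `@@ -127` hunk indexes the manifest slice without a length check, so unless `parseMaifest` is guaranteed to fail on an empty manifest list (its body is not in this diff) an image whose manifest decodes to zero entries panics here rather than returning an error; a guard such as `if len(a.Manifest) == 0 { return fmt.Errorf("no manifest entries found in image") }` before the call keeps the failure reportable. As a point of style, each branch in this Attest both logs the error at debug level and returns it, and the caller in attestation/context.go (this commit's `@@ -185` hunk) logs it again, so one failure is reported twice; returning a wrapped error and leaving the logging to the caller would be simpler. Attest's closing lines are outside the hunk.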
@@ -113,7 +113,7 @@ func (a *Attestor) getCandidate(ctx *attestation.AttestationContext) error {
 //check to see if we can unmarshal into sarif type
 if err := json.Unmarshal(reportBytes, &a.Report); err != nil {
- log.Debugf("(attestation/sarif) error unmarshaling report: %v", err)
+ log.Debugf("(attestation/sarif) error unmarshaling report: %w", err)
 continue
 }
diff --git a/log/log.go b/log/log.go
index 3949f272..14d54256 100644
--- a/log/log.go
+++ b/log/log.go
@@ -14,6 +14,10 @@
 package log
+import (
+ "fmt"
+)
+
 var log Logger = SilentLogger{}
 // Logger is used by witness library code to print out relevant information at runtime.
@@ -40,7 +44,8 @@ func GetLogger() Logger {
 }
 func Errorf(format string, args ...interface{}) {
- log.Errorf(format, args...)
+ err := fmt.Errorf(format, args...)
+ log.Error(err)
 }
 func Error(args ...interface{}) {
@@ -48,7 +53,13 @@ func Error(args ...interface{}) {
 }
 func Warnf(format string, args ...interface{}) {
- log.Warnf(format, args...)
+ // We want to wrap the error if there is one.
+ for _, a := range args {
+ if _, ok := a.(error); ok {
+ err := fmt.Errorf(format, args...)
+ log.Warn(err)
+ }
+ }
 }
 func Warn(args ...interface{}) {
@@ -56,7 +67,12 @@ func Warn(args ...interface{}) {
 }
 func Debugf(format string, args ...interface{}) {
- log.Debugf(format, args...)
+ for _, a := range args {
+ if _, ok := a.(error); ok {
+ err := fmt.Errorf(format, args...)
+ log.Debug(err)
+ }
+ }
 }
 func Debug(args ...interface{}) {
diff --git a/policy/policy.go b/policy/policy.go
index c4f57deb..b6456b1f 100644
--- a/policy/policy.go
+++ b/policy/policy.go
@@ -238,7 +238,7 @@ func (step Step) checkFunctionaries(verifiedStatements []source.VerifiedCollecti
 for _, verifier := range verifiedStatement.Verifiers {
 verifierID, err := verifier.KeyID()
 if err != nil {
- log.Debugf("(policy) skipping verifier: could not get key id: %v", err)
+ log.Debugf("(policy) skipping verifier: could not get key id: %w", err)
 continue
 }
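Review bot: The new `Warnf` body (and `Debugf` in the next hunk, same shape) silently drops every message whose arguments contain no `error` value: the old `log.Warnf(format, args...)` path is removed and the loop only logs when a type assertion succeeds, so a call such as `log.Warnf("using %s", name)` now produces no output at all, which is a loss of operator-visible signal for a library that reports attestation and verification problems this way. Conversely a call with two error arguments is logged twice, once per match. The loop should stop after the first error and otherwise fall back to the formatted call; `Errorf` in the preceding hunk is unaffected because it always wraps. Proposed rewrite of `Warnf` below, with `Debugf` mirrored using `log.Debug` / `log.Debugf`.
```go
func Warnf(format string, args ...interface{}) {
	// Wrap through fmt.Errorf only when an error argument is present so a %w
	// verb resolves; otherwise keep the formatted path so messages without an
	// error are still emitted, and each call logs exactly once.
	for _, a := range args {
		if _, ok := a.(error); ok {
			log.Warn(fmt.Errorf(format, args...))
			return
		}
	}
	log.Warnf(format, args...)
}
// … Debugf: identical shape with log.Debug / log.Debugf …
```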
diff --git a/signer/file/file.go b/signer/file/file.go
index a52247f8..95256daa 100644
--- a/signer/file/file.go
+++ b/signer/file/file.go
@@ -110,20 +110,20 @@ func New(opts ...Option) FileSignerProvider {
 func (fsp FileSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer, error) {
 keyFile, err := os.Open(fsp.KeyPath)
 if err != nil {
- return nil, fmt.Errorf("failed to open key file: %v", err)
+ return nil, fmt.Errorf("failed to open key file: %w", err)
 }
 defer keyFile.Close()
 key, err := cryptoutil.TryParseKeyFromReader(keyFile)
 if err != nil {
- return nil, fmt.Errorf("failed to load key: %v", err)
+ return nil, fmt.Errorf("failed to load key: %w", err)
 }
 signerOpts := []cryptoutil.SignerOption{}
 if fsp.CertPath != "" {
 leaf, err := loadCert(fsp.CertPath)
 if err != nil {
- return nil, fmt.Errorf("failed to load certificate: %v", err)
+ return nil, fmt.Errorf("failed to load certificate: %w", err)
 }
 signerOpts = append(signerOpts, cryptoutil.SignWithCertificate(leaf))
@@ -134,7 +134,7 @@ func (fsp FileSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer, er
 for _, path := range fsp.IntermediatePaths {
 cert, err := loadCert(path)
 if err != nil {
- return nil, fmt.Errorf("failed to load intermediate: %v", err)
+ return nil, fmt.Errorf("failed to load intermediate: %w", err)
 }
 intermediates = append(intermediates, cert)
@@ -149,7 +149,7 @@ func (fsp FileSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer, er
 func loadCert(path string) (*x509.Certificate, error) {
 certFile, err := os.Open(path)
 if err != nil {
- return nil, fmt.Errorf("failed to load certificate: %v", err)
+ return nil, fmt.Errorf("failed to load certificate: %w", err)
 }
 defer certFile.Close()
diff --git a/source/verified.go b/source/verified.go
index 7b9c92bb..0bbc0058 100644
--- a/source/verified.go
+++ b/source/verified.go
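Review bot: With `%w` now chaining the errors, the wrap text in `loadCert` duplicates the caller's: `Signer` wraps with `failed to load certificate: %w` and `loadCert` wraps the `os.Open` failure with the identical `failed to load certificate: %w`, so the final message reads "failed to load certificate: failed to load certificate: open …". Have the inner layer say what it was doing instead, e.g. `return nil, fmt.Errorf("opening certificate %q: %w", path, err)`, which also lets a reader tell an open failure from a parse failure. Both `Signer` and `loadCert` continue past their hunks.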
@@ -50,7 +50,7 @@ func (s *VerifiedSource) Search(ctx context.Context, collectionName string, subj
 for _, toVerify := range unverified {
 envelopeVerifiers, err := toVerify.Envelope.Verify(s.verifyOpts...)
 if err != nil {
- log.Debugf("(verified source) skipping envelope: couldn't verify enveloper's signature with the policy's verifiers: %+v", err)
+ log.Debugf("(verified source) skipping envelope: couldn't verify enveloper's signature with the policy's verifiers: %w", err)
 continue
 }
diff --git a/verify.go b/verify.go
index daa91902..857aa09b 100644
--- a/verify.go
+++ b/verify.go
@@ -32,7 +32,7 @@ func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelo
 decoder := json.NewDecoder(r)
 envelope := dsse.Envelope{}
 if err := decoder.Decode(&envelope); err != nil {
- return envelope, fmt.Errorf("failed to parse dsse envelope: %v", err)
+ return envelope, fmt.Errorf("failed to parse dsse envelope: %w", err)
 }
 _, err := envelope.Verify(dsse.VerifyWithVerifiers(verifiers...))
From eac781cfac9a85a444f8fe48bb4c88f50d74c82c Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 4 Dec 2023 21:37:10 -0800
Subject: [PATCH 08/39] [StepSecurity] Apply security best practices (#86)
Signed-off-by: StepSecurity Bot
---
 .github/workflows/codeql.yml | 78 +++++++++++++++++++++++++
 .github/workflows/dependency-review.yml | 27 +++++++++
 .github/workflows/golangci-lint.yml | 11 +++-
 .github/workflows/scorecards.yml | 76 ++++++++++++++++++++++++
 .github/workflows/verify-licence.yml | 12 +++-
 .github/workflows/witness.yml | 13 +++-
 .pre-commit-config.yaml | 14 +++++
 7 files changed, 222 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/scorecards.yml
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..fe259ee4
--- /dev/null
+++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,78 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["go"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..fd27e55b --- /dev/null +++ b/.github/workflows/dependency-review.yml 
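Review bot: `egress-policy: audit` on the Harden Runner step only records the runner's outbound connections; it does not stop a tampered or exfiltrating dependency while the CodeQL autobuild runs, so the step currently adds visibility but no enforcement. Once a few runs have established the endpoints this job needs, switch to `egress-policy: block` with an `allowed-endpoints:` list so that an unexpected destination fails the job. The same audit-only step is added to the dependency-review, golangci-lint, scorecards, verify-licence and witness workflows in this commit, so the change applies to each of them.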
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index e07b99c9..a591c5c0 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -29,12 +29,17 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v4 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version-file: "go.mod" - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: version: latest args: --timeout=3m diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 00000000..dd7ff683 --- /dev/null +++ b/.github/workflows/scorecards.yml 
@@ -0,0 +1,76 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["main"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + with: + sarif_file: results.sarif diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml index 1741fa2f..721039b6 100644 --- a/.github/workflows/verify-licence.yml +++ b/.github/workflows/verify-licence.yml @@ -18,13 +18,21 @@ on: push: branches: ['main', 'release-*'] pull_request: +permissions: + contents: read + jobs: license-check: name: license boilerplate check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v4 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: '1.17.x' - name: Install addlicense diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 3a21372e..600e7d3e 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml 
@@ -44,13 +44,18 @@ jobs: witness: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v4 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.21.x - if: ${{ inputs.artifact-download != '' }} - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ inputs.artifact-download }} path: /tmp @@ -74,7 +79,7 @@ jobs: run: ${{ inputs.command }} - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}} - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: ${{ inputs.artifact-upload-name }} path: ${{ inputs.artifact-upload-path }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..919f2c44 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,14 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace From 3328596969465b3cc732083a907b606a822fbb30 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Tue, 5 Dec 2023 08:14:50 -0600 Subject: [PATCH 09/39] Fix pre-commit violations (#87) Signed-off-by: John Kjell --- .github/workflows/witness.yml | 4 ++-- CODE_OF_CONDUCT.md | 1 - MAINTAINERS.md | 2 +- README.md | 2 +- attestation/aws-iid/aws-iid_test.go | 2 +- attestation/commandrun/tracing_linux_test.go | 2 +- hack/boilerplate.go.txt | 2 +- 7 files changed, 7 insertions(+), 8 deletions(-) 
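Review bot: The new `.pre-commit-config.yaml` pins `golangci-lint` to `rev: v1.52.2`, while the golangci-lint workflow in this same commit runs `golangci-lint-action` with `version: latest`, so the local hook and CI can disagree on which linters and rules apply and a commit that passes one may fail the other. Pin both to the same release, e.g. `version: v1.52.2` in the workflow's `with:` block, and bump them together. The `gitleaks` hook is also pinned by tag only; a commit SHA would match how the workflow actions in this commit are pinned.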
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 600e7d3e..7d426e4e 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -15,7 +15,7 @@ on: workflow_call: inputs: - pull_request: + pull_request: required: true type: boolean artifact-download: @@ -39,7 +39,7 @@ on: attestations: required: true type: string - + jobs: witness: runs-on: ubuntu-latest diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index b65ee56d..571772ec 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -131,4 +131,3 @@ For answers to common questions about this code of conduct, see the FAQ at [Mozilla CoC]: https://github.com/mozilla/diversity [FAQ]: https://www.contributor-covenant.org/faq [translations]: https://www.contributor-covenant.org/translations - diff --git a/MAINTAINERS.md b/MAINTAINERS.md index 7c46c8b9..32441f9a 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md @@ -5,4 +5,4 @@ | Cole Kennedy (TestifySec) | [@colek42](https://github.com/colek42) | | John Kjell (TestifySec) | [@jkjell](https://github.com/jkjell) | | Mikhail Swift (TestifySec) | [@mikhailswift](https://github.com/mikhailswift) | -| Aditya Sirish (NYU) | [@adityasaky](https://github.com/adityasaky) | \ No newline at end of file +| Aditya Sirish (NYU) | [@adityasaky](https://github.com/adityasaky) | diff --git a/README.md b/README.md index 8c2afc51..5c28f7d2 100644 --- a/README.md +++ b/README.md @@ -287,7 +287,7 @@ During the verification process witness will use the [Rekor](https://github.com/ - Vault Key Provider - Cloud KMS Support - Kubernetes Admission Controller -- SIEM Collection Agent +- SIEM Collection Agent - Cosign Signature Validation - Notary v2 Signature Validation - [Zarf](https://github.com/defenseunicorns/zarf) Integration diff --git a/attestation/aws-iid/aws-iid_test.go b/attestation/aws-iid/aws-iid_test.go index 870a9b17..13cb45f3 100644 --- a/attestation/aws-iid/aws-iid_test.go +++ b/attestation/aws-iid/aws-iid_test.go 
@@ -31,7 +31,7 @@ import ( const iid = `{ "devpayProductCodes" : null, - "marketplaceProductCodes" : [ "1abc2defghijklm3nopqrs4tu" ], + "marketplaceProductCodes" : [ "1abc2defghijklm3nopqrs4tu" ], "availabilityZone" : "us-west-2b", "privateIp" : "10.158.112.84", "version" : "2017-09-30", diff --git a/attestation/commandrun/tracing_linux_test.go b/attestation/commandrun/tracing_linux_test.go index 188d21b6..5a5f2676 100644 --- a/attestation/commandrun/tracing_linux_test.go +++ b/attestation/commandrun/tracing_linux_test.go @@ -31,7 +31,7 @@ TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 64 -Groups: +Groups: NStgid: 214 NSpid: 214 NSpgid: 0 diff --git a/hack/boilerplate.go.txt b/hack/boilerplate.go.txt index 65b86227..6975adbe 100644 --- a/hack/boilerplate.go.txt +++ b/hack/boilerplate.go.txt @@ -12,4 +12,4 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -*/ \ No newline at end of file +*/ From bec608e169965f8e295e4dd30fbb670c325d1e4c Mon Sep 17 00:00:00 2001 From: John Kjell Date: Thu, 7 Dec 2023 11:36:56 -0600 Subject: [PATCH 10/39] Changes to improve CLOMonitor Score (#88) * Changes to improve CLOMonitor Score --------- Signed-off-by: John Kjell --- .clomonitor.yml | 21 ++++++++++++++ .github/dependabot.yml | 14 +++++++++ .github/workflows/codeql.yml | 14 +++++++++ .github/workflows/dependency-review.yml | 14 +++++++++ .github/workflows/fossa.yml | 38 +++++++++++++++++++++++++ .github/workflows/scorecards.yml | 14 +++++++++ .pre-commit-config.yaml | 14 +++++++++ CONTRIBUTORS.md => CONTRIBUTING.md | 0 README.md | 3 ++ SECURITY-INSIGHTS.yml | 24 ++++++++++++++++ 10 files changed, 156 insertions(+) create mode 100644 .clomonitor.yml create mode 100644 .github/workflows/fossa.yml rename CONTRIBUTORS.md => CONTRIBUTING.md (100%) create mode 100644 SECURITY-INSIGHTS.yml 
diff --git a/.clomonitor.yml b/.clomonitor.yml new file mode 100644 index 00000000..8a14c3b1 --- /dev/null +++ b/.clomonitor.yml @@ -0,0 +1,21 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# CLOMonitor metadata file +# This file must be located at the root of the repository + +# Checks exemptions +exemptions: + - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions) + reason: "Project is a library and does not create an artifact" # Justification of this exemption (mandatory, it will be displayed on the UI) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8d2b1f50..ccd96740 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + version: 2 updates: 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fe259ee4..20484106 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # For most projects, this workflow file will not need changing; you simply need # to commit it to your repository. # diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index fd27e55b..57d25081 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # Dependency Review Action # # This Action will scan dependency manifest files that change as part of a Pull Request, diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml new file mode 100644 index 00000000..aa365a8e --- /dev/null 
+++ b/.github/workflows/fossa.yml @@ -0,0 +1,38 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: "Fossa Scan" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + fossa-scan: + runs-on: ubuntu-latest + steps: + - name: "Checkout Code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: "Run FOSSA Scan" + uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 + with: + api-key: ${{ secrets.fossaApiKey }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index dd7ff683..bdcf613e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 919f2c44..221048da 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.16.3 diff --git a/CONTRIBUTORS.md b/CONTRIBUTING.md similarity index 100% rename from CONTRIBUTORS.md rename to CONTRIBUTING.md diff --git a/README.md b/README.md index 5c28f7d2..53428b47 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,6 @@ +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8164/badge)](https://www.bestpractices.dev/projects/8164) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/in-toto/go-witness/badge)](https://securityscorecards.dev/viewer/?uri=github.com/in-toto/go-witness) +[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fgo-witness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fgo-witness?ref=badge_shield&issueType=license) [![asciicast](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D.svg)](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D) diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml new file mode 100644 index 00000000..cf55b9bd --- /dev/null +++ b/SECURITY-INSIGHTS.yml @@ -0,0 +1,24 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +header: + schema-version: 1.0.0 + expiration-date: '2024-08-31T10:10:09.000Z' + last-updated: '2023-12-06' + last-reviewed: '2023-12-06' + commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41 + project-url: https://github.com/in-toto/go-witness + project-release: 'v0.17.0' + changelog: https://github.com/in-toto/go-witness/releases/tag/v0.17.0 + license: https://github.com/in-toto/go-witness/blob/main/LICENSE From a10252c1f29846e701b4da4c7e95cf861f8c9b04 Mon Sep 17 00:00:00 2001 
From: John Kjell Date: Thu, 7 Dec 2023 18:13:28 -0600 Subject: [PATCH 11/39] Don't run FOSSA Scan on PR from fork (#95) Signed-off-by: John Kjell --- .github/workflows/fossa.yml | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index aa365a8e..13ac3e02 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -1,17 +1,3 @@ -# Copyright 2023 The Witness Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - name: "Fossa Scan" on: @@ -28,11 +14,15 @@ permissions: jobs: fossa-scan: + env: + FOSSA_API_KEY: ${{ secrets.fossaApiKey }} runs-on: ubuntu-latest steps: - - name: "Checkout Code" + - if: ${{ env.FOSSA_API_KEY }} != "" + name: "Checkout Code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: "Run FOSSA Scan" + - if: ${{ env.FOSSA_API_KEY }} != "" + name: "Run FOSSA Scan" uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 with: - api-key: ${{ secrets.fossaApiKey }} + api-key: ${{ env.FOSSA_API_KEY }} From 19d2725b460f639090070ed2ca19cc4e94b1b16e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Dec 2023 18:36:15 -0600 Subject: [PATCH 12/39] chore: bump ossf/scorecard-action from 2.0.6 to 2.3.1 (#89) * chore: bump ossf/scorecard-action from 2.0.6 to 2.3.1 Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.0.6 to 2.3.1. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/99c53751e09b9529366343771cc321ec74e9bd3d...0864cf19026789058feabb7e87baa5f140aac736) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update fossa.yml Signed-off-by: John Kjell --------- Signed-off-by: dependabot[bot] Signed-off-by: John Kjell Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: John Kjell --- .github/workflows/fossa.yml | 4 ++-- .github/workflows/scorecards.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 13ac3e02..88cc7ad5 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -18,10 +18,10 @@ jobs: FOSSA_API_KEY: ${{ secrets.fossaApiKey }} runs-on: ubuntu-latest steps: - - if: ${{ env.FOSSA_API_KEY }} != "" + - if: ${{ env.FOSSA_API_KEY != '' }} name: "Checkout Code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - if: ${{ env.FOSSA_API_KEY }} != "" + - if: ${{ env.FOSSA_API_KEY != '' }} name: "Run FOSSA Scan" uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 with: diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index bdcf613e..fcfe16c8 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -55,7 +55,7 @@ jobs:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
 with:
 results_file: results.sarif
 results_format: sarif
From 9243257f5bf08e443778f854d0edaf686be9a552 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 Dec 2023 19:53:00 -0600
Subject: [PATCH 13/39] chore: bump actions/setup-go from 4.1.0 to 5.0.0 (#93)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/93397bea11091df50f3d7e59dc26a7711a8bcfbe...0c52d547c9bc32b1aa3301fd7a9cb496313a4491)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/golangci-lint.yml | 2 +-
 .github/workflows/verify-licence.yml | 2 +-
 .github/workflows/witness.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index a591c5c0..0b6a231c 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -35,7 +35,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: "go.mod"
 - name: golangci-lint
diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml
index 721039b6..593a8d18 100644
--- a/.github/workflows/verify-licence.yml
+++ b/.github/workflows/verify-licence.yml
@@ -32,7 +32,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version: '1.17.x'
 - name: Install addlicense
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
index 7d426e4e..dd93c079 100644
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@@ -50,7 +50,7 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version: 1.21.x
From 765aa2b7becc74531eb3571cf0c6c700fe4e0313 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 Dec 2023 19:57:15 -0600
Subject: [PATCH 14/39] chore: bump actions/checkout from 3.6.0 to 4.1.1 (#92)
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3.6.0...b4ffde65f46336ab88eb53be808477a3936bae11)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/dependency-review.yml | 2 +-
 .github/workflows/scorecards.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 20484106..5d744825 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -60,7 +60,7 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 57d25081..4a02615a 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -36,6 +36,6 @@ jobs:
 egress-policy: audit
 - name: 'Checkout Repository'
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: 'Dependency Review'
 uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index fcfe16c8..025bcb8b 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -50,7 +50,7 @@ jobs:
 egress-policy: audit
 - name: "Checkout code"
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 persist-credentials: false
From 1ec7071327633228a8586ccfaf7e6b85329fd0e3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 Dec 2023 20:00:56 -0600
Subject: [PATCH 15/39] chore: bump actions/dependency-review-action from 2.5.1 to 3.1.4 (#91)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.1.4.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/0efb1d1d84fc9633afcdaad14c485cbbc90ef46c...01bc87099ba56df1e897b6874784491ea6309bc4)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 4a02615a..40f28f19 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -38,4 +38,4 @@ jobs:
 - name: 'Checkout Repository'
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: 'Dependency Review'
- uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
+ uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4
From b11e25f68bd259e99e7298d540d4f5988a162114 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 Dec 2023 20:04:28 -0600
Subject: [PATCH 16/39] chore: bump github/codeql-action from 2.22.8 to 2.22.9 (#90)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.8 to 2.22.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/407ffafae6a767df3e0230c3df91b6443ae8df75...c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/scorecards.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5d744825..1193c97f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -64,7 +64,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+ uses: github/codeql-action/init@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -74,7 +74,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+ uses: github/codeql-action/autobuild@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -87,6 +87,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+ uses: github/codeql-action/analyze@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 025bcb8b..0c6e645b 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -85,6 +85,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+ uses: github/codeql-action/upload-sarif@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9
 with:
 sarif_file: results.sarif
From 70efbcfe1ae4a9eec460d158ad34cc65450e49ac Mon Sep 17 00:00:00 2001
From: Tom Meadows
Date: Mon, 11 Dec 2023 17:54:32 +0000
Subject: [PATCH 17/39] Improving `--signer-fulcio-token` flag to accept both path and raw token string (#82)
* modified `--signer-fulcio-token` flag to accept either a path to a token or a raw token string
* modified `--signer-fulcio-token` flag to accept either a path to a token or a raw token string
Signed-off-by: chaosinthecrd
* adding an unhappy path to the tests
Signed-off-by: chaosinthecrd
* updated function and description
* updated function and description
Signed-off-by: chaosinthecrd
* removing ineffectual assignment in test
Signed-off-by: chaosinthecrd
* updated to add token path flag and remove idToken function magic
Signed-off-by: chaosinthecrd
* removing ineffectual assignments
Signed-off-by: chaosinthecrd
* removing whitespace
Signed-off-by: chaosinthecrd
* fixing small issue and adding test to makefile to speed things up
Signed-off-by: chaosinthecrd
---------
Signed-off-by: chaosinthecrd
---
 Makefile | 6 ++++++
 hack/test.token | 1 +
 signer/fulcio/fulcio.go | 39 +++++++++++++++++++++++++++++++-----
 signer/fulcio/fulcio_test.go | 21 +++++++++++++++++++
 4 files changed, 62 insertions(+), 5 deletions(-)
 create mode 100644 hack/test.token
diff --git a/Makefile b/Makefile
index f717d8a7..2738f0f0 100644
--- a/Makefile
+++ b/Makefile
@@ -18,3 +18,9 @@ controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessar
 $(CONTROLLER_GEN): $(LOCALBIN)
 test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
 GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
+
+test: ## Run the go unit tests
+ go test -v -coverprofile=profile.cov -covermode=atomic ./...
+
+help: ## Display this help screen
+ @grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/hack/test.token b/hack/test.token
new file mode 100644
index 00000000..fbcb3807
--- /dev/null
+++ b/hack/test.token
@@ -0,0 +1 @@
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb29iYXIiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsIkVtYWlsIjoidGVzdEBpbi10b3RvLmlvIn0.IswtNc6aJL3zAf-lSGvuz7Okf2tBr-I3ulJ_SRUMt0k
diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go
index 8983f8c0..449e7553 100644
--- a/signer/fulcio/fulcio.go
+++ b/signer/fulcio/fulcio.go
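Review bot: `test` and `help` are recipe-only targets but neither is declared `.PHONY`, so a file named `test` or `help` at the repository root would make `make test` report the target as up to date without running anything; add `.PHONY: test help` above them. Patch 19/39 later in this series adds `.PHONY: test` but still leaves `help` out.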
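Review bot: A bare compact JWT committed as `hack/test.token` will be flagged by secret scanners (gitleaks rules, GitHub push protection) and by anyone skimming the tree, and nothing in the series records that it is a synthetic fixture rather than a credential. Its header and payload decode to the jwt.io sample shape (`{"alg":"HS256","typ":"JWT"}`, subject `foobar`, `iat` 1516239022, an `Email` claim of `test@in-toto.io`), so it carries no real trust, but that is only visible after decoding. Either document it in the test that reads it, or have the test write the `token` value it already holds to a temp file (see the fulcio_test.go hunk below) and drop the committed fixture altogether.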
@@ -93,7 +93,7 @@ func init() {
 ),
 registry.StringConfigOption(
 "token",
- "Raw token to use for authentication",
+ "Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path)",
 "",
 func(sp signer.SignerProvider, token string) (signer.SignerProvider, error) {
 fsp, ok := sp.(FulcioSignerProvider)
@@ -105,6 +105,20 @@ func init() {
 return fsp, nil
 },
 ),
+ registry.StringConfigOption(
+ "token-path",
+ "Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token)",
+ "",
+ func(sp signer.SignerProvider, tokenPath string) (signer.SignerProvider, error) {
+ fsp, ok := sp.(FulcioSignerProvider)
+ if !ok {
+ return sp, fmt.Errorf("provided signer provider is not a fulcio signer provider")
+ }
+
+ WithTokenPath(tokenPath)(&fsp)
+ return fsp, nil
+ },
+ ),
 )
 }
@@ -113,6 +127,7 @@ type FulcioSignerProvider struct {
 OidcIssuer string
 OidcClientID string
 Token string
+ TokenPath string
 }
 type Option func(*FulcioSignerProvider)
@@ -141,6 +156,12 @@ func WithToken(tokenOption string) Option {
 }
 }
+func WithTokenPath(tokenPathOption string) Option {
+ return func(fsp *FulcioSignerProvider) {
+ fsp.TokenPath = tokenPathOption
+ }
+}
+
 func New(opts ...Option) FulcioSignerProvider {
 fsp := FulcioSignerProvider{}
 for _, opt := range opts {
@@ -194,7 +215,7 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 var raw string
 switch {
- case fsp.Token == "" && os.Getenv("GITHUB_ACTIONS") == "true":
+ case fsp.Token == "" && fsp.TokenPath == "" && os.Getenv("GITHUB_ACTIONS") == "true":
 tokenURL := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL")
 if tokenURL == "" {
 return nil, errors.New("ACTIONS_ID_TOKEN_REQUEST_URL is not set")
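Review bot: The two help strings refer to the options as `--fulcio-token` and `--fulcio-token-path`, while the commit subject calls the flag `--signer-fulcio-token` and the error string in the `Signer` hunk below says `--fulcio-raw-token`; the registry keys here are only `"token"` and `"token-path"`, so at least two of these spellings cannot be what the user types. Pick the name the registry actually renders (the prefix is not visible from here) and use it in both descriptions and the error. The new callback is otherwise a copy of the `token` one above it; a small helper that performs the `FulcioSignerProvider` type assertion once would keep the `fmt.Errorf("provided signer provider is not a fulcio signer provider")` text in a single place as more options are added.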
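Review bot: `WithTokenPath` is exported but carries no doc comment, and the behaviour it enables — the file is read in `Signer` and combining it with `WithToken` is rejected there — is not discoverable from this hunk; `// WithTokenPath sets the path of a file whose contents are used as the raw fulcio identity token; it is mutually exclusive with WithToken.` would say that at the point of use. `WithToken`, whose body starts above the hunk, appears to be undocumented as well.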
@@ -209,10 +230,18 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 if err != nil {
 return nil, err
 }
-
- case fsp.Token != "":
+ // we want to fail if both flags used (they're mutually exclusive)
+ case fsp.TokenPath != "" && fsp.Token != "":
+ return nil, errors.New("only one of --fulcio-token-path or --fulcio-raw-token can be used")
+ case fsp.Token != "" && fsp.TokenPath == "":
 raw = fsp.Token
+ case fsp.TokenPath != "" && fsp.Token == "":
+ f, err := os.ReadFile(fsp.TokenPath)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read fulcio token from filepath %s: %w", fsp.TokenPath, err)
+ }
+ raw = string(f)
 case fsp.Token == "" && isatty.IsTerminal(os.Stdin.Fd()):
 tok, err := oauthflow.OIDConnect(fsp.OidcIssuer, fsp.OidcClientID, "", "", oauthflow.DefaultIDTokenGetter)
 if err != nil {
@@ -281,7 +310,7 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 func getCert(ctx context.Context, key *rsa.PrivateKey, fc fulciopb.CAClient, token string) (*fulciopb.SigningCertificate, error) {
 t, err := jwt.ParseSigned(token)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("Failed to parse jwt token for fulcio: %w", err)
 }
 var claims struct {
diff --git a/signer/fulcio/fulcio_test.go b/signer/fulcio/fulcio_test.go
index 1a062821..8f5a3dae 100644
--- a/signer/fulcio/fulcio_test.go
+++ b/signer/fulcio/fulcio_test.go
@@ -24,6 +24,7 @@ import (
 "fmt"
 "log"
 "net"
+ "os"
 "strings"
 "testing"
 "time"
@@ -33,6 +34,7 @@ import (
 fulciopb "github.com/sigstore/fulcio/pkg/generated/protobuf"
 "github.com/stretchr/testify/require"
 "go.step.sm/crypto/jose"
+ "path/filepath"
 "google.golang.org/grpc"
 "gopkg.in/square/go-jose.v2/jwt"
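Review bot: `raw = string(f)` keeps whatever trailing newline the editor left in the token file, and that same string is what gets presented to Fulcio as the identity token; `jwt.ParseSigned` may tolerate surrounding whitespace, but the request path is separate, so trim at the read site: `raw = strings.TrimSpace(string(f))` (add `strings` to the import block if it is not already there — the imports are outside this hunk). The mutual-exclusion error names `--fulcio-raw-token`, which matches neither the registered option `"token"` nor the `--fulcio-token` spelling in the help text, and the test in fulcio_test.go asserts on this exact string, so both should be corrected together. The comment above the case reads better as `// both flags set: they are mutually exclusive, so fail rather than pick one`. `Signer` continues on both sides of the hunk.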
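Review bot: The new error string starts with a capital letter, `Failed to parse jwt token for fulcio`, which breaks the Go convention for wrapped errors (they are concatenated into a longer message) and is inconsistent with the lowercase `failed to read fulcio token` used in the hunk above; `fmt.Errorf("parsing fulcio jwt token: %w", err)` reads correctly when chained. `getCert` continues below the hunk.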
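Review bot: `"path/filepath"` is inserted into the third-party import group between `go.step.sm/crypto/jose` and `google.golang.org/grpc`; `goimports` would place it in the standard-library group alongside the `"os"` that the previous hunk adds correctly. A `gofmt`/`goimports` pass before merging would fix this.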
@@ -198,6 +200,25 @@ func TestSigner(t *testing.T) {
 _, err = provider.Signer(ctx)
 //this should be a tranport err since we cant actually test on 443 which is the default
 require.ErrorContains(t, err, "lookup test")
+
+ // Test signer with token read from file
+ // NOTE: this function could be refactored to accept a fileSystem or io.Reader so reading the file can be mocked,
+ // but unsure if this is the way we want to go for now
+ wd, err := os.Getwd()
+ if err != nil {
+ t.Fatalf("failed to get working directory: %v", err)
+ }
+ rootDir := filepath.Dir(filepath.Dir(wd))
+ tp := filepath.Join(rootDir, "hack", "test.token")
+
+ provider = New(WithFulcioURL(fmt.Sprintf("http://%v:%v", hostname, port)), WithTokenPath(tp))
+ _, err = provider.Signer(ctx)
+ require.NoError(t, err)
+
+ // Test signer with both token read from file and raw token
+ provider = New(WithFulcioURL(fmt.Sprintf("http://%v:%v", hostname, port)), WithTokenPath(tp), WithToken(token))
+ _, err = provider.Signer(ctx)
+ require.ErrorContains(t, err, "only one of --fulcio-token-path or --fulcio-raw-token can be used")
 }
 func generateCertChain(t *testing.T) []string {
From 737eed88d5d9c67a6a695ffadea23dd9de189fa7 Mon Sep 17 00:00:00 2001
From: Tom Meadows
Date: Mon, 11 Dec 2023 18:17:53 +0000
Subject: [PATCH 18/39] Updating README (#97)
* Updating README with more relevant information for the `go-witness` library.
---------
Signed-off-by: Tom Meadows
---
 README.md | 326 +++++-------------------------------------------------
 1 file changed, 28 insertions(+), 298 deletions(-)
diff --git a/README.md b/README.md
index 53428b47..9579bb17 100644
--- a/README.md
+++ b/README.md
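Review bot: The fixture path is derived as `filepath.Dir(filepath.Dir(wd))`, which assumes `go test` runs with the package directory as its working directory and that the package sits exactly two levels below the repository root; moving the package or invoking the test from elsewhere turns this into a file-not-found failure unrelated to the code under test. The test already holds a `token` string (it is passed to `WithToken(token)` a few lines later), so — assuming that is the value the earlier raw-token case succeeds with — write it to a temp file instead: `tp := filepath.Join(t.TempDir(), "test.token")` followed by `require.NoError(t, os.WriteFile(tp, []byte(token), 0o600))`, which removes the dependency on `hack/test.token` and on the repo layout, and lets the `// NOTE:` comment about an `io.Reader` refactor go. The context comment above the hunk also misspells "transport" as "tranport". `TestSigner` begins above the hunk.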
@@ -1,302 +1,32 @@ +# go-witness +A client library for [Witness](https://github.com/in-toto/witness), written in Go. + +[![Go Reference](https://pkg.go.dev/badge/github.com/in-toto/go-witness.svg)](https://pkg.go.dev/github.com/in-toto/go-witness) +[![Go Report Card](https://goreportcard.com/badge/github.com/in-toto/go-witness)](https://goreportcard.com/report/github.com/in-toto/go-witness) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8164/badge)](https://www.bestpractices.dev/projects/8164) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/in-toto/go-witness/badge)](https://securityscorecards.dev/viewer/?uri=github.com/in-toto/go-witness) [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fgo-witness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fgo-witness?ref=badge_shield&issueType=license) -[![asciicast](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D.svg)](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D) - -## Witness is a pluggable framework for supply chain security - -Witness prevents tampering of build materials and verifies the integrity of the build process from source to target. It works by wrapping commands executed in a continuous integration process. Its attestation system is pluggable and offers support out of the box for most major CI and infrastructure providers. Verification of Witness metadata and a secure PKI distribution system will mitigate against many software supply chain attack vectors and can be used as a framework for automated governance. 
- -Witness is an implementation of the in-toto spec including [ITE-5](https://github.com/in-toto/ITE/tree/master/ITE/5), [ITE-6](https://github.com/in-toto/ITE/tree/master/ITE/6), [ITE-7](https://github.com/in-toto/ITE/tree/master/ITE/7) with an [embedded rego policy engine](https://www.openpolicyagent.org/docs/latest/integration/#integrating-with-the-go-api). - -- Does **NOT** require elevated privileges. -- Can run in a containerized or non-containerized environment -- Records secure hashes of materials, artifacts, and events occurring during the CI process -- Integrations with cloud identity services -- Keyless signing with [SPIFFE/SPIRE](https://spiffe.io/) -- Support for uploading attestation evidence to rekor server (sigstore) -- Build policy enforcement with Open Policy Agent. -- Alpha support for tracing and process tampering prevention -- Verifies file integrity between CI steps, and across air gap. -- Experimental Windows and ARM Support - -## Usage - -- [Run](docs/witness_run.md) - Runs the provided command and records attestations about the execution. -- [Sign](docs/witness_sign.md) - Signs the provided file with the provided key. -- [Verify](docs/witness_verify.md) - Verifies a witness policy. 
- -## TOC - -- [Witness Attestors](#witness-attestors) - - [What is a witness attestor?](#what-is-a-witness-attestor) - - [Attestor Security Model](#attestor-security-model) - - [Attestor Life Cycle](#attestor-life-cycle) - - [Attestation Lifecycle](#attestation-lifecycle) - - [Attestor Types](#attestor-types) - - [Pre Run Attestors](#pre-run-attestors) - - [Internal Attestors](#internal-attestors) - - [Post Run Attestors](#post-run-attestors) - - [AttestationCollection](#attestationcollection) - - [Attestor Subjects](#attestor-subjects) - - [Witness Policy](#witness-policy) - - [What is a witness policy?](#what-is-a-witness-policy) - - [Witness Verification](#witness-verification) - - [Verification Lifecycle](#verification-lifecycle) - - [Using SPIRE for Keyless Signing](#using-spire-for-keyless-signing) - - [Witness Examples](#witness-examples) - - [Media](#media) - - [Roadmap](#roadmap) - - [Support](#support) - -## Getting Started - -### Download the Binary -[Releases](https://github.com/testifysec/witness/releases) -``` -curl -LO https://github.com/testifysec/witness/releases/download/${VERSION}/witness_${VERSION}_${ARCH}.tar.gz -tar -xzf witness_${VERSION}_${ARCH}.tar.gz -``` - -### Create a Keypair - -> Witness supports keyless signing with [SPIRE](https://spiffe.io/)! - -``` -openssl genpkey -algorithm ed25519 -outform PEM -out testkey.pem -openssl pkey -in testkey.pem -pubout > testpub.pem -``` - -### Create a Witness configuration - -> - This file generally resides in your source code repository along with the public keys generated above. -> - `.witness yaml` is the default location for the configuration file -> - `witness help` will show all configuration options -> - command-line arguments overrides configuration file values. 
- -``` -## .witness.yaml - -run: - key: testkey.pem - trace: false -verify: - attestations: - - "test-att.json" - policy: policy-signed.json - publickey: testpub.pem -``` - -### Record attestations for a build step - -> - The `-a {attestor}` flag allows you to define which attestors run -> - ex. `-a maven -a was -a gitlab` would be used for a maven build running on a GitLab runner on GCP. -> - Defining step names is important, these will be used in the policy. -> - This should happen as a part of a CI step - -``` -witness run --step build -o test-att.json -- go build -o=testapp . -``` - -### View the attestation data in the signed DSSE Envelope - -> - This data can be stored and retrieved from rekor! -> - This is the data that is evaluated against the Rego policy - -``` -cat test-att.json | jq -r .payload | base64 -d | jq -``` - -### Create a Policy File - -Look [here](docs/policy.md) for full documentation on Witness Policies. - -> - Make sure to replace the keys in this file with the ones from the step above (sed command below). -> - Rego policies should be base64 encoded -> - Steps are bound to keys. Policy can be written to check the certificate data. For example, we can require a step is signed by a key with a specific `CN` attribute. 
-> - Witness will require all attestations to succeed -> - Witness will evaluate the rego policy against the JSON object in the corresponding attestor - -``` -## policy.json - -{ - "expires": "2023-12-17T23:57:40-05:00", - "steps": { - "build": { - "name": "build", - "attestations": [ - { - "type": "https://witness.dev/attestations/material/v0.1", - "regopolicies": [] - }, - { - "type": "https://witness.dev/attestations/command-run/v0.1", - "regopolicies": [] - }, - { - "type": "https://witness.dev/attestations/product/v0.1", - "regopolicies": [] - } - ], - "functionaries": [ - { - "publickeyid": "{{PUBLIC_KEY_ID}}" - } - ] - } - }, - "publickeys": { - "{{PUBLIC_KEY_ID}}": { - "keyid": "{{PUBLIC_KEY_ID}}", - "key": "{{B64_PUBLIC_KEY}}" - } - } -} -``` - -### Replace the variables in the policy - -``` -id=`sha256sum testpub.pem | awk '{print $1}'` && sed -i "s/{{PUBLIC_KEY_ID}}/$id/g" policy.json -pubb64=`cat testpub.pem | base64 -w 0` && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g" policy.json -``` - -### Sign The Policy File - -Keep this key safe, its owner will control the policy gates. - -``` -witness sign -f policy.json --key testkey.pem --outfile policy-signed.json -``` - -### Verify the Binary Meets Policy Requirements - -> This process works across air-gap as long as you have the signed policy file, correct binary, and public key or certificate authority corresponding to the private key that signed the policy. -> `witness verify` will return a `non-zero` exit and reason in the case of failure. Success will be silent with a `0` exit status -> for policies that require multiple steps, multiple attestations are required. - -``` -witness verify -f testapp -a test-att.json -p policy-signed.json -k testpub.pem -``` - -# Witness Attestors - -## What is a witness attestor? - -Witness attestors are pieces of code that assert facts about a system and store those facts in a versioned schema. Each attestor has a `Name`, `Type`, and `RunType`. 
The `Type` is a versioned string corresponding to the JSON schema of the attestation. For example, the AWS attestor is defined as follows: - -``` - Name = "aws" - Type = "https://witness.dev/attestations/aws/v0.1" - RunType = attestation.PreRunType -``` - -The attestation types are used when we evaluate policy against these attestations. - -## Attestor Security Model - -Attestations are only as secure as the data that feeds them. Where possible cryptographic material should be validated, evidence of validation should be included in the attestation for out-of-band validation. - -Examples of cryptographic validation is found in the [GCP](https://github.com/in-toto/go-witness/blob/main/attestation/gcp-iit/gcp-iit.go), [AWS](https://github.com/in-toto/go-witness/blob/main/attestation/aws-iid/aws-iid.go), and [GitLab](https://github.com/in-toto/go-witness/blob/main/attestation/gitlab/gitlab.go) attestors. - -## Attestor Life Cycle - -- **Pre-material:** Pre-material attestors run before any other attestors. These attestors generally collect information about the environment. - -- **Material:** Material attestors run after any prematerial attestors and prior to any execute attestors. Generally these collect information about state that may change after any execute attestors, such as file hashes. - -- **Execute:**: Execute attestors run after any material attestors and generally record information about some command or process that is to be executed. - -- **Product:** Product attestors run after any execute attestors and generally record information about what changed during the execute lifecycle step, such as changed or created files. - -- **Post-product:** Post-product attestors run after product attestors and generally record some additional information about specific products, such as OCI image information from a saved image tarball. 
- -### Attestation Lifecycle - -![](docs/assets/attestation.png) - -## Attestor Types - -### Pre-material Attestors -- [AWS](docs/attestors/aws-iid.md) - Attestor for AWS Instance Metadata -- [GCP](docs/attestors/gcp-iit.md) - Attestor for GCP Instance Identity Service -- [GitLab](docs/attestors/gitlab.md) - Attestor for GitLab Pipelines -- [Git](docs/attestors/git.md) - Attestor for Git Repository -- [Maven](docs/attestors/maven.md) Attestor for Maven Projects -- [Environment](docs/attestors/environment.md) - Attestor for environment variables (**_be careful with this - there is no way to mask values yet_**) -- [JWT](docs/attestors/jwt.md) - Attestor for JWT Tokens - -### Material Attestors -- [Material](docs/attestors/material.md) - Records secure hashes of files in current working directory - -### Execute Attestors -- [CommandRun](docs/attestors/commandrun.md) - Records traces and metadata about the actual process being run - -### Product Attestors -- [Product](docs/attestors/product.md) - Records secure hashes of files produced by commandrun attestor (only detects new files) - -### Post-product Attestors - -- [OCI](docs/attestors/oci.md) - Attestor for tar'd OCI images - -### AttestationCollection - -An `attestationCollection` is a collection of attestations that are cryptographically bound together. Because the attestations are bound together, we can trust that they all happened as part of the same attesation life cycle. Witness policy defines which attestations are required. - -### Attestor Subjects - -Attestors define subjects that act as lookup indexes. The attestationCollection can be looked up by any of the subjects defined by the attestors. - -## Witness Policy - -### What is a witness policy? - -A witness policy is a signed document that encodes the requirements for an artifact to be validated. A witness policy includes public keys for trusted functionaries, which attestations must be found, and rego policy to evaluate against the attestation meta-data. 
- -I witness policy allowers administrators trace the compliance status of an artifact at any point during it's lifecycle. - -## Witness Verification - -### Verification Lifecycle - -![](docs/assets/verification.png) - -## Using [SPIRE](https://github.com/spiffe/spire) for Keyless Signing - -Witness can consume ephemeral keys from a [SPIRE](https://github.com/spiffe/spire) node agent. Configure witness with the flag `--spiffe-socket` to enable keyless signing. - -During the verification process witness will use the [Rekor](https://github.com/sigstore/rekor) integrated time to make a determination on certificate validity. The SPIRE certificate only needs to remain valid long enough for the attestation to be integrated into the Rekor log. - -## Witness Examples - -- [Using Witness To Prevent SolarWinds Type Attacks](examples/solarwinds/README.md) -- [Using Witness To Find Artifacts With Hidden Vulnerable Log4j Dependencies](examples/log4shell/README.md) - -## Media - -- [Blog - What is a supply chain attestation, and why do I need it?](https://www.testifysec.com/blog/what-is-a-supply-chain-attestation/) -- [Talk - Securing the Software Supply Chain with the in-toto & SPIRE projects](https://www.youtube.com/watch?v=4lFbdkB62QI) -- [Talk - Securing the Software Supply Chain with SBOM and Attestation](https://www.youtube.com/watch?v=wX6aTZfpJv0) - -## Roadmap - -- Attestors for all major platforms -- CaC Card Attestor -- GovCloud Attestor -- OIDC Attestor -- FIDO Attestor -- Vault Key Provider -- Cloud KMS Support -- Kubernetes Admission Controller -- SIEM Collection Agent -- Cosign Signature Validation -- Notary v2 Signature Validation -- [Zarf](https://github.com/defenseunicorns/zarf) Integration -- IronBank Attestor - -## Support - -[TestifySec](https://testifysec.com) Provides support for witness and other CI security tools. 
-[Contact Us](mailto:info@testifysec.com)
+## Status
+This library is currently pre-1.0 and therefore the API may be subject to breaking changes.
+
+## Features
+- Creation and signing of in-toto attestations
+- Verification of in-toto attestations and associated signatures with:
+ - Witness policy engine
+ - [OPA Rego policy language](https://www.openpolicyagent.org/docs/latest/policy-language/)
+- A growing list of attestor types defined under a common interface
+- A selection of attestation sources to search for attestation collections
+
+## Documentation
+For more detail regarding the library itself, we recommend viewing [pkg.go.dev](https://pkg.go.dev/github.com/testifysec/go-witness). For
+the documentation of the witness project, please view [the main witness repository](https://github.com/in-toto/witness/tree/main/docs).
+
+## Requirements
+In order to effectively contribute to this library, you will need:
+- A Unix-compatible Operating System
+- GNU Make
+- Go 1.19
+
+## Running Tests
+This repository uses Go tests for testing. You can run these tests by executing `make test`.
From c555ac6525c89037f200f8296e7308dce07d14cd Mon Sep 17 00:00:00 2001
From: Tom Meadows
Date: Mon, 11 Dec 2023 18:24:58 +0000
Subject: [PATCH 19/39] Adding go test command to Makefile (#96)
added go test to makefile
Signed-off-by: John Kjell
Co-authored-by: John Kjell
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index 2738f0f0..bc9258ae 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,7 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
 GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
+.PHONY: test
 test: ## Run the go unit tests
 go test -v -coverprofile=profile.cov -covermode=atomic ./...
From 5b5647c42b3c10dd56c1b9ee4970567531597186 Mon Sep 17 00:00:00 2001
From: Tom Meadows Date: Thu, 14 Dec 2023 17:56:34 +0000 Subject: [PATCH 20/39] WIP: Migrating Go module to in-toto (#101) * Change module name and imports * Change archivista API usage to in-toto/archivista/pkg/api Signed-off-by: John Kjell --------- Signed-off-by: chaosinthecrd
Signed-off-by: John Kjell Co-authored-by: John Kjell --- README.md | 2 +- archivista/download.go | 4 +-- archivista/searchgitoids.go | 2 +- archivista/store.go | 4 +-- attestation/aws-iid/aws-iid.go | 10 +++---- attestation/aws-iid/aws-iid_test.go | 4 +-- attestation/collection.go | 2 +- attestation/commandrun/commandrun.go | 6 ++-- attestation/commandrun/tracing_linux.go | 8 ++--- attestation/commandrun/tracing_unsupported.go | 2 +- attestation/context.go | 4 +-- attestation/environment/environment.go | 2 +- attestation/environment/environment_test.go | 2 +- attestation/factory.go | 4 +-- attestation/file/file.go | 4 +-- attestation/file/file_test.go | 2 +- attestation/gcp-iit/gcp-iit.go | 8 ++--- attestation/git/git.go | 4 +-- attestation/git/git_test.go | 2 +- attestation/github/github.go | 8 ++--- attestation/gitlab/gitlab.go | 8 ++--- attestation/jwt/jwt.go | 2 +- attestation/material/material.go | 6 ++-- attestation/maven/maven.go | 6 ++-- attestation/maven/maven_test.go | 2 +- attestation/oci/oci.go | 6 ++-- attestation/oci/oci_test.go | 4 +-- attestation/product/product.go | 8 ++--- attestation/product/product_test.go | 4 +-- attestation/sarif/sarif.go | 6 ++-- dsse/dsse_test.go | 2 +- dsse/sign.go | 2 +- dsse/verify.go | 2 +- go.mod | 12 ++++---- go.sum | 22 +++++++------- imports.go | 30 +++++++++---------- intoto/statement.go | 9 ++++-- policy/constraints.go | 2 +- policy/constraints_test.go | 2 +- policy/errors.go | 2 +- policy/policy.go | 8 ++--- policy/policy_test.go | 10 +++---- policy/rego.go | 2 +- policy/rego_test.go | 2 +- policy/step.go | 4 +-- run.go | 12 ++++---- sign.go | 2 +- signer/file/file.go | 6 ++-- signer/fulcio/fulcio.go | 8 ++--- signer/registry.go | 8 ++--- signer/spiffe/spiffe.go | 6 ++-- signer/vault/signerprovider.go | 6 ++-- signer/vault/signerprovider_test.go | 2 +- source/archivista.go | 2 +- source/memory.go | 2 +- source/source.go | 6 ++-- source/verified.go | 6 ++-- timestamp/tsp.go | 2 +- timestamp/tsp_test.go | 2 +- 
verify.go | 10 +++---- 60 files changed, 165 insertions(+), 162 deletions(-) diff --git a/README.md b/README.md index 9579bb17..2741e8d7 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ This library is currently pre-1.0 and therefore the API may be subject to breaki - A selection of attestation sources to search for attestation collections ## Documentation -For more detail regarding the library itself, we recommend viewing [pkg.go.dev](https://pkg.go.dev/github.com/testifysec/go-witness). For +For more detail regarding the library itself, we recommend viewing [pkg.go.dev](https://pkg.go.dev/github.com/in-toto/go-witness). For the documentation of the witness project, please view [the main witness repository](https://github.com/in-toto/witness/tree/main/docs). ## Requirements diff --git a/archivista/download.go b/archivista/download.go index 5550d45a..cb6127b8 100644 --- a/archivista/download.go +++ b/archivista/download.go @@ -17,8 +17,8 @@ package archivista import ( "context" - archivistaapi "github.com/testifysec/archivista-api" - "github.com/testifysec/go-witness/dsse" + archivistaapi "github.com/in-toto/archivista/pkg/api" + "github.com/in-toto/go-witness/dsse" ) func (c *Client) Download(ctx context.Context, gitoid string) (dsse.Envelope, error) { diff --git a/archivista/searchgitoids.go b/archivista/searchgitoids.go index 851840dc..f52d5257 100644 --- a/archivista/searchgitoids.go +++ b/archivista/searchgitoids.go @@ -17,7 +17,7 @@ package archivista import ( "context" - archivistaapi "github.com/testifysec/archivista-api" + archivistaapi "github.com/in-toto/archivista/pkg/api" ) type searchGitoidResponse struct { diff --git a/archivista/store.go b/archivista/store.go index 0b6f682a..ccba927a 100644 --- a/archivista/store.go +++ b/archivista/store.go 
@@ -17,8 +17,8 @@ package archivista import ( "context" - archivistaapi "github.com/testifysec/archivista-api" - "github.com/testifysec/go-witness/dsse" + archivistaapi "github.com/in-toto/archivista/pkg/api" + "github.com/in-toto/go-witness/dsse" ) func (c *Client) Store(ctx context.Context, env dsse.Envelope) (string, error) { diff --git a/attestation/aws-iid/aws-iid.go b/attestation/aws-iid/aws-iid.go index 874fbd6d..a9bd0a6f 100644 --- a/attestation/aws-iid/aws-iid.go +++ b/attestation/aws-iid/aws-iid.go @@ -27,9 +27,9 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/ec2metadata" "github.com/aws/aws-sdk-go/aws/session" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" ) const ( @@ -42,8 +42,8 @@ const ( const ( docPath = "instance-identity/document" sigPath = "instance-identity/signature" - //https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html - //The following AWS public certificate is for all AWS Regions, except Hong Kong, Bahrain, China, and GovCloud. + // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html + // The following AWS public certificate is for all AWS Regions, except Hong Kong, Bahrain, China, and GovCloud. awsCACertPEM = `-----BEGIN CERTIFICATE----- MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw diff --git a/attestation/aws-iid/aws-iid_test.go b/attestation/aws-iid/aws-iid_test.go index 13cb45f3..bcda075b 100644 --- a/attestation/aws-iid/aws-iid_test.go +++ b/attestation/aws-iid/aws-iid_test.go 
@@ -24,9 +24,9 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/session" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/cryptoutil" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/cryptoutil" ) const iid = `{ diff --git a/attestation/collection.go b/attestation/collection.go index 2697a81e..9add8895 100644 --- a/attestation/collection.go +++ b/attestation/collection.go @@ -19,7 +19,7 @@ import ( "fmt" "time" - "github.com/testifysec/go-witness/cryptoutil" + "github.com/in-toto/go-witness/cryptoutil" ) const CollectionType = "https://witness.testifysec.com/attestation-collection/v0.1" diff --git a/attestation/commandrun/commandrun.go b/attestation/commandrun/commandrun.go index ff6675c6..5379700e 100644 --- a/attestation/commandrun/commandrun.go +++ b/attestation/commandrun/commandrun.go @@ -20,9 +20,9 @@ import ( "os" "os/exec" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/attestation/environment" - "github.com/testifysec/go-witness/cryptoutil" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/attestation/environment" + "github.com/in-toto/go-witness/cryptoutil" ) const ( diff --git a/attestation/commandrun/tracing_linux.go b/attestation/commandrun/tracing_linux.go index e9cce1bd..53d20d3d 100644 --- a/attestation/commandrun/tracing_linux.go +++ b/attestation/commandrun/tracing_linux.go @@ -26,10 +26,10 @@ import ( "strconv" "strings" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/attestation/environment" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/attestation/environment" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" "golang.org/x/sys/unix" ) 
diff --git a/attestation/commandrun/tracing_unsupported.go b/attestation/commandrun/tracing_unsupported.go index 23023c72..55353dc1 100644 --- a/attestation/commandrun/tracing_unsupported.go +++ b/attestation/commandrun/tracing_unsupported.go @@ -20,7 +20,7 @@ import ( "errors" "os/exec" - "github.com/testifysec/go-witness/attestation" + "github.com/in-toto/go-witness/attestation" ) func enableTracing(c *exec.Cmd) { diff --git a/attestation/context.go b/attestation/context.go index d0e1a455..748829c5 100644 --- a/attestation/context.go +++ b/attestation/context.go @@ -21,8 +21,8 @@ import ( "os" "time" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" ) type RunType string diff --git a/attestation/environment/environment.go b/attestation/environment/environment.go index e27d056b..bb3e3d96 100644 --- a/attestation/environment/environment.go +++ b/attestation/environment/environment.go @@ -20,7 +20,7 @@ import ( "runtime" "strings" - "github.com/testifysec/go-witness/attestation" + "github.com/in-toto/go-witness/attestation" ) const ( diff --git a/attestation/environment/environment_test.go b/attestation/environment/environment_test.go index 7a86ef58..b958cd32 100644 --- a/attestation/environment/environment_test.go +++ b/attestation/environment/environment_test.go @@ -18,8 +18,8 @@ import ( "os" "testing" + "github.com/in-toto/go-witness/attestation" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/attestation" ) func TestEnvironment(t *testing.T) { diff --git a/attestation/factory.go b/attestation/factory.go index ef50a60c..abc0bb4d 100644 --- a/attestation/factory.go +++ b/attestation/factory.go 
@@ -17,8 +17,8 @@ package attestation import ( "fmt" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/registry" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/registry" ) var ( diff --git a/attestation/file/file.go b/attestation/file/file.go index 4b648c7f..40752b28 100644 --- a/attestation/file/file.go +++ b/attestation/file/file.go @@ -21,8 +21,8 @@ import ( "path/filepath" "github.com/edwarnicke/gitoid" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" ) // recordArtifacts will walk basePath and record the digests of each file with each of the functions in hashes. diff --git a/attestation/file/file_test.go b/attestation/file/file_test.go index a4269bf1..9f4dc0da 100644 --- a/attestation/file/file_test.go +++ b/attestation/file/file_test.go @@ -20,8 +20,8 @@ import ( "path/filepath" "testing" + "github.com/in-toto/go-witness/cryptoutil" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/cryptoutil" ) func TestBrokenSymlink(t *testing.T) { diff --git a/attestation/gcp-iit/gcp-iit.go b/attestation/gcp-iit/gcp-iit.go index c2cdfdbd..84ea433d 100644 --- a/attestation/gcp-iit/gcp-iit.go +++ b/attestation/gcp-iit/gcp-iit.go @@ -22,10 +22,10 @@ import ( "net/url" "strings" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/attestation/jwt" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/attestation/jwt" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) diff --git a/attestation/git/git.go b/attestation/git/git.go index 2978b4d7..1a92634e 100644 --- a/attestation/git/git.go +++ b/attestation/git/git.go 
@@ -23,8 +23,8 @@ import ( "github.com/go-git/go-git/v5" "github.com/go-git/go-git/v5/plumbing" "github.com/go-git/go-git/v5/plumbing/object" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/cryptoutil" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/cryptoutil" ) const ( diff --git a/attestation/git/git_test.go b/attestation/git/git_test.go index c4d93dc4..30c06944 100644 --- a/attestation/git/git_test.go +++ b/attestation/git/git_test.go @@ -26,8 +26,8 @@ import ( "github.com/go-git/go-git/v5" "github.com/go-git/go-git/v5/plumbing" "github.com/go-git/go-git/v5/plumbing/object" + "github.com/in-toto/go-witness/attestation" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/attestation" ) func TestNew(t *testing.T) { diff --git a/attestation/github/github.go b/attestation/github/github.go index cece9c0c..c768e3b7 100644 --- a/attestation/github/github.go +++ b/attestation/github/github.go @@ -26,10 +26,10 @@ import ( "strings" "github.com/davecgh/go-spew/spew" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/attestation/jwt" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/attestation/jwt" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" ) const ( diff --git a/attestation/gitlab/gitlab.go b/attestation/gitlab/gitlab.go index 5d6c1a80..b9663b0a 100644 --- a/attestation/gitlab/gitlab.go +++ b/attestation/gitlab/gitlab.go 
@@ -20,10 +20,10 @@ import ( "os" "strings" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/attestation/jwt" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/attestation/jwt" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" ) const ( diff --git a/attestation/jwt/jwt.go b/attestation/jwt/jwt.go index 56952543..1eb2ca12 100644 --- a/attestation/jwt/jwt.go +++ b/attestation/jwt/jwt.go @@ -19,7 +19,7 @@ import ( "fmt" "net/http" - "github.com/testifysec/go-witness/attestation" + "github.com/in-toto/go-witness/attestation" "gopkg.in/square/go-jose.v2" "gopkg.in/square/go-jose.v2/jwt" ) diff --git a/attestation/material/material.go b/attestation/material/material.go index 84394d33..458515a1 100644 --- a/attestation/material/material.go +++ b/attestation/material/material.go @@ -17,9 +17,9 @@ package material import ( "encoding/json" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/attestation/file" - "github.com/testifysec/go-witness/cryptoutil" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/attestation/file" + "github.com/in-toto/go-witness/cryptoutil" ) const ( diff --git a/attestation/maven/maven.go b/attestation/maven/maven.go index 985b4ab1..9e50034d 100644 --- a/attestation/maven/maven.go +++ b/attestation/maven/maven.go @@ -21,9 +21,9 @@ import ( "io" "os" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" ) const ( diff --git a/attestation/maven/maven_test.go b/attestation/maven/maven_test.go index ab1df6b9..9934433e 100644 --- a/attestation/maven/maven_test.go +++ b/attestation/maven/maven_test.go 
@@ -19,9 +19,9 @@ import ( "path/filepath" "testing" + "github.com/in-toto/go-witness/attestation" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/attestation" ) func writeTempPomXml(t *testing.T) (string, error) { diff --git a/attestation/oci/oci.go b/attestation/oci/oci.go index f16569af..0f6dcb93 100644 --- a/attestation/oci/oci.go +++ b/attestation/oci/oci.go @@ -26,9 +26,9 @@ import ( "os" "strings" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" ) const ( diff --git a/attestation/oci/oci_test.go b/attestation/oci/oci_test.go index 4b75a125..faca7495 100644 --- a/attestation/oci/oci_test.go +++ b/attestation/oci/oci_test.go @@ -20,9 +20,9 @@ import ( "os" "testing" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/cryptoutil" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/cryptoutil" ) type testProducter struct { diff --git a/attestation/product/product.go b/attestation/product/product.go index 3ef24571..1754d841 100644 --- a/attestation/product/product.go +++ b/attestation/product/product.go @@ -24,10 +24,10 @@ import ( "path/filepath" "github.com/gobwas/glob" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/attestation/file" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/registry" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/attestation/file" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/registry" ) const ( diff --git a/attestation/product/product_test.go b/attestation/product/product_test.go index 76502b74..21aead8a 100644 
--- a/attestation/product/product_test.go +++ b/attestation/product/product_test.go @@ -23,10 +23,10 @@ import ( "strings" "testing" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/cryptoutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/cryptoutil" ) func TestFromDigestMap(t *testing.T) { diff --git a/attestation/sarif/sarif.go b/attestation/sarif/sarif.go index 8c21d8ca..1dac7d87 100644 --- a/attestation/sarif/sarif.go +++ b/attestation/sarif/sarif.go @@ -21,10 +21,10 @@ import ( "os" "strings" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" "github.com/owenrumney/go-sarif/sarif" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" ) const ( diff --git a/dsse/dsse_test.go b/dsse/dsse_test.go index 1df34b3f..7a63e251 100644 --- a/dsse/dsse_test.go +++ b/dsse/dsse_test.go @@ -28,9 +28,9 @@ import ( "testing" "time" + "github.com/in-toto/go-witness/cryptoutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/cryptoutil" ) func createRsaKey() (*rsa.PrivateKey, *rsa.PublicKey, error) { diff --git a/dsse/sign.go b/dsse/sign.go index 570934a3..25b958ec 100644 --- a/dsse/sign.go +++ b/dsse/sign.go @@ -21,7 +21,7 @@ import ( "fmt" "io" - "github.com/testifysec/go-witness/cryptoutil" + "github.com/in-toto/go-witness/cryptoutil" ) type Timestamper interface { diff --git a/dsse/verify.go b/dsse/verify.go index f1a90393..b74c24ed 100644 --- a/dsse/verify.go +++ b/dsse/verify.go @@ -21,7 +21,7 @@ import ( "io" "time" - "github.com/testifysec/go-witness/cryptoutil" + "github.com/in-toto/go-witness/cryptoutil" ) type TimestampVerifier interface { diff --git a/go.mod b/go.mod index 6d6c876c..f112ab8d 100644 
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-module github.com/testifysec/go-witness
+module github.com/in-toto/go-witness
 go 1.19
@@ -8,12 +8,12 @@ require (
 github.com/digitorus/timestamp v0.0.0-20230220124323-d542479a2425
 github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d
 github.com/go-git/go-git/v5 v5.5.2
+ github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe
 github.com/mattn/go-isatty v0.0.20
 github.com/open-policy-agent/opa v0.49.2
 github.com/owenrumney/go-sarif v1.1.1
 github.com/spiffe/go-spiffe/v2 v2.1.6
 github.com/stretchr/testify v1.8.4
- github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76
 go.step.sm/crypto v0.25.2
 golang.org/x/sys v0.13.0
 google.golang.org/grpc v1.56.3
@@ -28,7 +28,7 @@ require (
 github.com/coreos/go-oidc/v3 v3.5.0 // indirect
 github.com/dustin/go-humanize v1.0.1 // indirect
 github.com/go-jose/go-jose/v3 v3.0.1 // indirect
- github.com/go-logr/logr v1.2.3 // indirect
+ github.com/go-logr/logr v1.2.4 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/google/flatbuffers v2.0.8+incompatible // indirect
 github.com/google/go-containerregistry v0.13.0 // indirect
@@ -50,9 +50,9 @@ require (
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 github.com/zclconf/go-cty v1.12.1 // indirect
- golang.org/x/mod v0.8.0 // indirect
+ golang.org/x/mod v0.10.0 // indirect
 golang.org/x/oauth2 v0.7.0 // indirect
- golang.org/x/tools v0.6.0 // indirect
+ golang.org/x/tools v0.9.3 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 k8s.io/klog/v2 v2.90.0 // indirect
@@ -103,3 +103,5 @@ replace github.com/sigstore/rekor => github.com/testifysec/rekor v0.4.0-dsse-int
 replace github.com/gin-gonic/gin v1.5.0 => github.com/gin-gonic/gin v1.7.7
 replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
+
+replace github.com/in-toto/archivista v0.1.3-0.20231213123840-c6750e051f5c => github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe
diff --git a/go.sum b/go.sum
index dea9197c..72feb1d1 100644
--- a/go.sum
+++ b/go.sum
@@ -74,8 +74,8 @@ github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxF
 github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
 github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
-github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-rod/rod v0.112.6 h1:zMirUmhsBeshMWyf285BD0UGtGq54HfThLDGSjcP3lU=
 github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
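Review bot: The new `replace github.com/in-toto/archivista v0.1.3-0.20231213123840-c6750e051f5c => github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe` at the end of go.mod is only honored when go-witness is built as the main module; any module that imports this library ignores replace directives, so whatever older requirement it redirects will be resolved by plain MVS there. Since the require block in the earlier go.mod hunk already pins the e28a4170a9fe pseudo-version, MVS selects that version regardless, which suggests the replace is either redundant or is masking a transitive requirement on c6750e051f5c that should be bumped directly. If it has to stay, a comment on the line naming the module that pulls in the older pseudo-version (`// pinned because <dep> requires the 2023-12-13 pseudo-version; drop once it is updated`) would tell a later maintainer when it can be removed. The same consumer-side caveat applies to the pre-existing testifysec/rekor replace shown as this hunk's context.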
@@ -110,6 +110,8 @@ github.com/honeycombio/beeline-go v1.10.0 h1:cUDe555oqvw8oD76BQJ8alk7FP0JZ/M/zXp github.com/honeycombio/libhoney-go v1.16.0 h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvznI6M3KdHc= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= +github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe h1:SNafk19rV7gMlu3YyFuVkj/9vsXnMp6yrFMXDguT3fE= +github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe/go.mod h1:AJU7zhcITsaufiqYMFPLZM66/vwmHVQtZeC2/JFxw7w= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= @@ -179,7 +181,7 @@ github.com/sigstore/fulcio v1.1.0/go.mod h1:zv1ZQTXZbUwQdRwajlQksc34pRas+2aZYpIZ github.com/sigstore/sigstore v1.5.2 h1:rvZSPJDH2ysoc8kjW9v4nv1UX3XwSA8y4x6Dk7hA0D4= github.com/sigstore/sigstore v1.5.2/go.mod h1:wxhp9KoaOpeb1VLKILruD283KJqPSqX+3TuBByVDZ6E= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/skeema/knownhosts v1.1.0 h1:Wvr9V0MxhjRbl3f9nMnKnFfiWTJmtECJ9Njkea3ysW0= github.com/skeema/knownhosts v1.1.0/go.mod h1:sKFq3RD6/TKZkSWn8boUbDC7Qkgcv+8XXijpFO6roag= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= 
@@ -198,16 +200,14 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= -github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76 h1:GAUgHyg4ss2DDTIYG9RuVxap2smkAGtzpXcOvNxlLic= -github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76/go.mod h1:6OYeTa1OOoVuqo9i8t6GAHtwg0CgofZVfwgVt7DgrwI= github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 h1:1i/Afw3rmaR1gF3sfVkG2X6ldkikQwA9zY380LrR5YI= github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4/go.mod h1:vAqWV3zEs89byeFsAYoh/Q14vJTgJkHwnnRCWBBBINY= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU= -github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY= github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= +github.com/vmihailenco/tagparser v0.1.2 h1:gnjoVuB/kljJ5wICEEOpx98oXMWPLj22G67Vbd1qPqc= github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g= github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= 
@@ -245,8 +245,8 @@ golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -270,7 +270,7 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -316,8 +316,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= -golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= +golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/imports.go b/imports.go index 1fa4afee..3736edf3 100644 --- a/imports.go +++ b/imports.go 
@@ -17,21 +17,21 @@ package witness
 // all of the following imports are here so that each of the package's init functions run appropriately
 import (
 // attestors
- _ "github.com/testifysec/go-witness/attestation/aws-iid"
- _ "github.com/testifysec/go-witness/attestation/commandrun"
- _ "github.com/testifysec/go-witness/attestation/environment"
- _ "github.com/testifysec/go-witness/attestation/gcp-iit"
- _ "github.com/testifysec/go-witness/attestation/git"
- _ "github.com/testifysec/go-witness/attestation/github"
- _ "github.com/testifysec/go-witness/attestation/gitlab"
- _ "github.com/testifysec/go-witness/attestation/jwt"
- _ "github.com/testifysec/go-witness/attestation/maven"
- _ "github.com/testifysec/go-witness/attestation/oci"
- _ "github.com/testifysec/go-witness/attestation/sarif"
+ _ "github.com/in-toto/go-witness/attestation/aws-iid"
+ _ "github.com/in-toto/go-witness/attestation/commandrun"
+ _ "github.com/in-toto/go-witness/attestation/environment"
+ _ "github.com/in-toto/go-witness/attestation/gcp-iit"
+ _ "github.com/in-toto/go-witness/attestation/git"
+ _ "github.com/in-toto/go-witness/attestation/github"
+ _ "github.com/in-toto/go-witness/attestation/gitlab"
+ _ "github.com/in-toto/go-witness/attestation/jwt"
+ _ "github.com/in-toto/go-witness/attestation/maven"
+ _ "github.com/in-toto/go-witness/attestation/oci"
+ _ "github.com/in-toto/go-witness/attestation/sarif"
 // signer providers
- _ "github.com/testifysec/go-witness/signer/file"
- _ "github.com/testifysec/go-witness/signer/fulcio"
- _ "github.com/testifysec/go-witness/signer/spiffe"
- _ "github.com/testifysec/go-witness/signer/vault"
+ _ "github.com/in-toto/go-witness/signer/file"
+ _ "github.com/in-toto/go-witness/signer/fulcio"
+ _ "github.com/in-toto/go-witness/signer/spiffe"
+ _ "github.com/in-toto/go-witness/signer/vault"
 )
diff --git a/intoto/statement.go b/intoto/statement.go
index ee84ff63..6574276e 100644
--- a/intoto/statement.go
+++ b/intoto/statement.go
@@ -16,11 +16,14 @@ package intoto
 import (
 "encoding/json"
- "github.com/testifysec/go-witness/cryptoutil"
+
+ "github.com/in-toto/go-witness/cryptoutil"
 )
-const StatementType = "https://in-toto.io/Statement/v0.1"
-const PayloadType = "application/vnd.in-toto+json"
+const (
+ StatementType = "https://in-toto.io/Statement/v0.1"
+ PayloadType = "application/vnd.in-toto+json"
+)
 type Subject struct {
 Name string `json:"name"`
diff --git a/policy/constraints.go b/policy/constraints.go
index d1a5ebf0..b9f92627 100644
--- a/policy/constraints.go
+++ b/policy/constraints.go
@@ -18,7 +18,7 @@ import (
 "fmt"
 "net/url"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 const (
diff --git a/policy/constraints_test.go b/policy/constraints_test.go
index 3afd5cba..83afab6a 100644
--- a/policy/constraints_test.go
+++ b/policy/constraints_test.go
@@ -28,9 +28,9 @@ import (
 "testing"
 "time"
+ "github.com/in-toto/go-witness/cryptoutil"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/cryptoutil"
 )
 type checkConstraintAttributeCase struct {
diff --git a/policy/errors.go b/policy/errors.go
index 5b4dc8ad..88f1800b 100644
--- a/policy/errors.go
+++ b/policy/errors.go
@@ -19,7 +19,7 @@ import (
 "strings"
 "time"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 type ErrNoAttestations string
diff --git a/policy/policy.go b/policy/policy.go
index b6456b1f..3eddcd94 100644
--- a/policy/policy.go
+++ b/policy/policy.go
@@ -20,10 +20,10 @@ import ( "crypto/x509" "time" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" - "github.com/testifysec/go-witness/source" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" + "github.com/in-toto/go-witness/source" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) diff --git a/policy/policy_test.go b/policy/policy_test.go index 6e767a20..6b5af3ac 100644 --- a/policy/policy_test.go +++ b/policy/policy_test.go @@ -25,13 +25,13 @@ import ( "testing" "time" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/attestation/commandrun" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/intoto" + "github.com/in-toto/go-witness/source" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/attestation/commandrun" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/intoto" - "github.com/testifysec/go-witness/source" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) diff --git a/policy/rego.go b/policy/rego.go index 6a436399..51e71e81 100644 --- a/policy/rego.go +++ b/policy/rego.go @@ -20,9 +20,9 @@ import ( "encoding/json" "fmt" + "github.com/in-toto/go-witness/attestation" "github.com/open-policy-agent/opa/ast" "github.com/open-policy-agent/opa/rego" - "github.com/testifysec/go-witness/attestation" ) func EvaluateRegoPolicy(attestor attestation.Attestor, policies []RegoPolicy) error { diff --git a/policy/rego_test.go b/policy/rego_test.go index 3ae3d373..ab767e9e 100644 --- a/policy/rego_test.go +++ b/policy/rego_test.go 
@@ -17,9 +17,9 @@ package policy import ( "testing" + "github.com/in-toto/go-witness/attestation/git" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/attestation/git" ) func TestRegoPolicy(t *testing.T) { diff --git a/policy/step.go b/policy/step.go index 15a54001..b1b63ef0 100644 --- a/policy/step.go +++ b/policy/step.go @@ -18,8 +18,8 @@ import ( "fmt" "strings" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/source" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/source" ) // +kubebuilder:object:generate=true diff --git a/run.go b/run.go index d9c489b3..b6ccd2ca 100644 --- a/run.go +++ b/run.go @@ -19,12 +19,12 @@ import ( "encoding/json" "fmt" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/attestation/environment" - "github.com/testifysec/go-witness/attestation/git" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/dsse" - "github.com/testifysec/go-witness/intoto" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/attestation/environment" + "github.com/in-toto/go-witness/attestation/git" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/dsse" + "github.com/in-toto/go-witness/intoto" ) type runOptions struct { diff --git a/sign.go b/sign.go index 8f10a028..c2d0a58e 100644 --- a/sign.go +++ b/sign.go @@ -18,7 +18,7 @@ import ( "encoding/json" "io" - "github.com/testifysec/go-witness/dsse" + "github.com/in-toto/go-witness/dsse" ) func Sign(r io.Reader, dataType string, w io.Writer, opts ...dsse.SignOption) error { diff --git a/signer/file/file.go b/signer/file/file.go index 95256daa..f76d8116 100644 --- a/signer/file/file.go +++ b/signer/file/file.go 
@@ -20,9 +20,9 @@ import ( "fmt" "os" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/registry" - "github.com/testifysec/go-witness/signer" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/registry" + "github.com/in-toto/go-witness/signer" ) func init() { diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go index 449e7553..ff628ecc 100644 --- a/signer/fulcio/fulcio.go +++ b/signer/fulcio/fulcio.go @@ -31,16 +31,16 @@ import ( "strings" "time" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/log" + "github.com/in-toto/go-witness/registry" + "github.com/in-toto/go-witness/signer" "github.com/mattn/go-isatty" fulciopb "github.com/sigstore/fulcio/pkg/generated/protobuf" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/oauthflow" "github.com/sigstore/sigstore/pkg/signature" sigo "github.com/sigstore/sigstore/pkg/signature/options" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/log" - "github.com/testifysec/go-witness/registry" - "github.com/testifysec/go-witness/signer" "google.golang.org/grpc" "google.golang.org/grpc/credentials" "google.golang.org/grpc/credentials/insecure" diff --git a/signer/registry.go b/signer/registry.go index a445df31..3c828fde 100644 --- a/signer/registry.go +++ b/signer/registry.go @@ -17,13 +17,11 @@ package signer import ( "context" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/registry" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/registry" ) -var ( - signerRegistry = registry.New[SignerProvider]() -) +var signerRegistry = registry.New[SignerProvider]() type SignerProvider interface { Signer(context.Context) (cryptoutil.Signer, error) diff --git a/signer/spiffe/spiffe.go b/signer/spiffe/spiffe.go index ee76fe6e..34d708e6 100644 --- a/signer/spiffe/spiffe.go +++ b/signer/spiffe/spiffe.go 
@@ -18,10 +18,10 @@ import ( "context" "fmt" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/registry" + "github.com/in-toto/go-witness/signer" "github.com/spiffe/go-spiffe/v2/workloadapi" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/registry" - "github.com/testifysec/go-witness/signer" ) func init() { diff --git a/signer/vault/signerprovider.go b/signer/vault/signerprovider.go index 27ec65c6..c6a19da3 100644 --- a/signer/vault/signerprovider.go +++ b/signer/vault/signerprovider.go @@ -21,9 +21,9 @@ import ( "strings" "time" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/registry" - "github.com/testifysec/go-witness/signer" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/registry" + "github.com/in-toto/go-witness/signer" ) const ( diff --git a/signer/vault/signerprovider_test.go b/signer/vault/signerprovider_test.go index c5a2f007..39c44e74 100644 --- a/signer/vault/signerprovider_test.go +++ b/signer/vault/signerprovider_test.go @@ -25,9 +25,9 @@ import ( "testing" "time" + "github.com/in-toto/go-witness/cryptoutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/cryptoutil" ) func createRsaKey() (*rsa.PrivateKey, *rsa.PublicKey, error) { diff --git a/source/archivista.go b/source/archivista.go index 66c4ec32..2f74f722 100644 --- a/source/archivista.go +++ b/source/archivista.go @@ -17,7 +17,7 @@ package source import ( "context" - "github.com/testifysec/go-witness/archivista" + "github.com/in-toto/go-witness/archivista" ) type ArchivistaSource struct { diff --git a/source/memory.go b/source/memory.go index df6e5609..8f7450e7 100644 --- a/source/memory.go +++ b/source/memory.go @@ -21,7 +21,7 @@ import ( "io" "os" - "github.com/testifysec/go-witness/dsse" + "github.com/in-toto/go-witness/dsse" ) type ErrDuplicateReference string 
diff --git a/source/source.go b/source/source.go index 7ebd5e41..1aad2bbd 100644 --- a/source/source.go +++ b/source/source.go @@ -18,9 +18,9 @@ import ( "context" "encoding/json" - "github.com/testifysec/go-witness/attestation" - "github.com/testifysec/go-witness/dsse" - "github.com/testifysec/go-witness/intoto" + "github.com/in-toto/go-witness/attestation" + "github.com/in-toto/go-witness/dsse" + "github.com/in-toto/go-witness/intoto" ) type CollectionEnvelope struct { diff --git a/source/verified.go b/source/verified.go index 0bbc0058..46fc561e 100644 --- a/source/verified.go +++ b/source/verified.go @@ -17,9 +17,9 @@ package source import ( "context" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/dsse" - "github.com/testifysec/go-witness/log" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/dsse" + "github.com/in-toto/go-witness/log" ) type VerifiedCollection struct { diff --git a/timestamp/tsp.go b/timestamp/tsp.go index 8e6d1303..e8a1e596 100644 --- a/timestamp/tsp.go +++ b/timestamp/tsp.go @@ -26,7 +26,7 @@ import ( "github.com/digitorus/pkcs7" "github.com/digitorus/timestamp" - "github.com/testifysec/go-witness/cryptoutil" + "github.com/in-toto/go-witness/cryptoutil" ) type TSPTimestamper struct { diff --git a/timestamp/tsp_test.go b/timestamp/tsp_test.go index f9e61757..60698931 100644 --- a/timestamp/tsp_test.go +++ b/timestamp/tsp_test.go @@ -20,9 +20,9 @@ import ( "crypto/x509" "testing" + "github.com/in-toto/go-witness/cryptoutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/testifysec/go-witness/cryptoutil" ) const ( diff --git a/verify.go b/verify.go index 857aa09b..bb20df6b 100644 --- a/verify.go +++ b/verify.go 
@@ -21,11 +21,11 @@ import ( "fmt" "io" - "github.com/testifysec/go-witness/cryptoutil" - "github.com/testifysec/go-witness/dsse" - "github.com/testifysec/go-witness/policy" - "github.com/testifysec/go-witness/source" - "github.com/testifysec/go-witness/timestamp" + "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/dsse" + "github.com/in-toto/go-witness/policy" + "github.com/in-toto/go-witness/source" + "github.com/in-toto/go-witness/timestamp" ) func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelope, error) { From 00081b097acd91a58ad1dd1b15244cfcd89a701a Mon Sep 17 00:00:00 2001 From: Tom Meadows Date: Fri, 15 Dec 2023 15:33:49 +0000 Subject: [PATCH 21/39] Fixing bug introduced in logs - warning and debug logs not printing (#103) warning logs and debug logs werent printing after error check - fixing it Signed-off-by: chaosinthecrd --- log/log.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/log/log.go b/log/log.go index 14d54256..31396dc1 100644 --- a/log/log.go +++ b/log/log.go @@ -58,8 +58,11 @@ func Warnf(format string, args ...interface{}) { if _, ok := a.(error); ok { err := fmt.Errorf(format, args...) log.Warn(err) + return } } + + log.Warnf(format, args...) } func Warn(args ...interface{}) { @@ -71,8 +74,11 @@ func Debugf(format string, args ...interface{}) { if _, ok := a.(error); ok { err := fmt.Errorf(format, args...) log.Debug(err) + return } } + + log.Debugf(format, args...) } func Debug(args ...interface{}) { From 6094e21e6832587e76cdd287906cd6458c8b2017 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Fri, 15 Dec 2023 09:46:29 -0600 Subject: [PATCH 22/39] Point to v0.2.0 of archivista (#105) Signed-off-by: John Kjell --- go.mod | 4 +--- go.sum | 6 +++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index f112ab8d..69858fc7 100644 --- a/go.mod +++ b/go.mod 
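Review bot: Nothing in the Warnf hunk says why a call is routed through `fmt.Errorf(format, args...)` and `log.Warn(err)` only when one of the arguments is an error, while every other call now falls through to the added `log.Warnf(format, args...)`; presumably the detour keeps a `%w` verb in format usable, since `fmt.Errorf` honours it and Sprintf-style formatting prints `%!w(...)`, but that intent is not written down and the two branches otherwise produce the same text. A comment above the type check would settle it, e.g. `// Route through fmt.Errorf when an argument is an error so a %w verb in format is honoured; the plain formatter would print %!w.` The Debugf hunk on the same line has the identical shape, and since Warnf and Debugf now differ only in which logger method they call, a small shared helper taking the two log funcs would remove the duplication. In both hunks the enclosing loop over args and the function signature start outside the hunk.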
@@ -8,7 +8,7 @@ require ( github.com/digitorus/timestamp v0.0.0-20230220124323-d542479a2425 github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d github.com/go-git/go-git/v5 v5.5.2 - github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe + github.com/in-toto/archivista v0.2.0 github.com/mattn/go-isatty v0.0.20 github.com/open-policy-agent/opa v0.49.2 github.com/owenrumney/go-sarif v1.1.1 @@ -103,5 +103,3 @@ replace github.com/sigstore/rekor => github.com/testifysec/rekor v0.4.0-dsse-int replace github.com/gin-gonic/gin v1.5.0 => github.com/gin-gonic/gin v1.7.7 replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 - -replace github.com/in-toto/archivista v0.1.3-0.20231213123840-c6750e051f5c => github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe diff --git a/go.sum b/go.sum index 72feb1d1..fc5d8e93 100644 --- a/go.sum +++ b/go.sum 
@@ -110,8 +110,8 @@ github.com/honeycombio/beeline-go v1.10.0 h1:cUDe555oqvw8oD76BQJ8alk7FP0JZ/M/zXp
 github.com/honeycombio/libhoney-go v1.16.0 h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvznI6M3KdHc=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
 github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
-github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe h1:SNafk19rV7gMlu3YyFuVkj/9vsXnMp6yrFMXDguT3fE=
-github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe/go.mod h1:AJU7zhcITsaufiqYMFPLZM66/vwmHVQtZeC2/JFxw7w=
+github.com/in-toto/archivista v0.2.0 h1:FViuHMVVETborvOqlmSYdROY8RmX3CO0V0MOhU/Rl20=
+github.com/in-toto/archivista v0.2.0/go.mod h1:qt9uN4TkHWUgR5A2wxRqQIBizSl32P2nI2AjESskkr0=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
@@ -206,8 +206,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
+github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
-github.com/vmihailenco/tagparser v0.1.2 h1:gnjoVuB/kljJ5wICEEOpx98oXMWPLj22G67Vbd1qPqc=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
From cfee7c97c584fcc8f6b472f64534e6c0fd71a2a1 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Sun, 17 Dec 2023 16:17:31 -0600
Subject: [PATCH 23/39] Create SECURITY.md (#107) Add an initial SECURITY.md file.
Signed-off-by: John Kjell
---
 SECURITY.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..2d5ae3cb
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,34 @@
+# Security Policy
+
+## Security Bulletins
+
+See current security bullentins on GitHub: https://github.com/in-toto/go-witness/security/advisories
+
+For information regarding the security of this project please join:
+
+* in-toto-witness on CNCF Slack
+
+## Reporting a Vulnerability
+
+Please use the below process to report a vulnerability to the project:
+
+Web Form:
+
+1. Please visit https://github.com/in-toto/go-witness/security/advisories/new
+ * You will receive a confirmation email upon submission
+1. You may be contacted by a maintainer to further discuss the reported item
+ within 3 days. Please bear with us as we seek to understand the breadth
+ and scope of the reported problem, recreate it, and confirm if there is an
+ vulnerability present.
+
+This project follows a 30 day disclosure timeline.
+
+## Supported Versions
+
+Information regarding supported versions of this project can be found on
+in the below table:
+
+| Version | Supported |
+| --- | --- |
+| Latest | :white_check_mark: |
+| <= Latest - 2 | :x: |
From 9465ff46b8582e4baa1fea96cd1f17ae390512a9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Dec 2023 22:05:59 -0600
Subject: [PATCH 24/39] chore: bump github/codeql-action from 2.22.9 to 3.22.11 (#110) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.9 to 3.22.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2...b374143c1149a9115d881581d29b8390bbcbb59c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1193c97f..57714fde 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -64,7 +64,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 + uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -74,7 +74,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 + uses: github/codeql-action/autobuild@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -87,6 +87,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 + uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 0c6e645b..915c5f19 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -85,6 +85,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 + uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 with: sarif_file: results.sarif From 84bdf2a49b9dd0e4bf9e046b0af7573548a4f3f3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 22:10:15 -0600 Subject: [PATCH 25/39] chore: bump actions/download-artifact from 3.0.2 to 4.0.0 (#112) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.2 to 4.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/9bc31d5ccc31df68ecc42ccf4149144866c47d8a...7a1cd3216ca9260cd8022db641d960b1db4d1be4) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: John Kjell --- .github/workflows/witness.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index dd93c079..90b21c41 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -55,7 +55,7 @@ jobs: go-version: 1.21.x - if: ${{ inputs.artifact-download != '' }} - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@7a1cd3216ca9260cd8022db641d960b1db4d1be4 # v4.0.0 with: name: ${{ inputs.artifact-download }} path: /tmp From 603cfa95b709f91630aff13685bbf5b9917bcbaf Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 22:15:00 -0600 Subject: [PATCH 26/39] chore: bump actions/upload-artifact from 3.1.3 to 4.0.0 (#111) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.3 to 4.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/a8a3f3ad30e3422c9c7b888a15615d19a852ae32...c7d193f32edcb7bfad88892161225aeda64e9392) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- .github/workflows/witness.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 915c5f19..9a4561fa 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -77,7 +77,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 90b21c41..a1c8ccab 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml 
@@ -79,7 +79,7 @@ jobs: run: ${{ inputs.command }} - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ inputs.artifact-upload-name }} path: ${{ inputs.artifact-upload-path }} From c28d93f009396f6ebcbb8b36222e69a5e7860d82 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 22:21:05 -0600 Subject: [PATCH 27/39] chore: bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#115) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0. - [Commits](https://github.com/golang/crypto/compare/v0.14.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 69858fc7..e9a2ab20 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/spiffe/go-spiffe/v2 v2.1.6 github.com/stretchr/testify v1.8.4 go.step.sm/crypto v0.25.2 - golang.org/x/sys v0.13.0 + golang.org/x/sys v0.15.0 google.golang.org/grpc v1.56.3 gopkg.in/square/go-jose.v2 v2.6.0 k8s.io/apimachinery v0.26.11 
@@ -87,10 +87,10 @@ require (
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/yashtewari/glob-intersection v0.1.0 // indirect
 github.com/zeebo/errs v1.3.0 // indirect
- golang.org/x/crypto v0.14.0 // indirect
+ golang.org/x/crypto v0.17.0 // indirect
 golang.org/x/net v0.17.0 // indirect
- golang.org/x/term v0.13.0 // indirect
- golang.org/x/text v0.13.0 // indirect
+ golang.org/x/term v0.15.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 google.golang.org/protobuf v1.31.0 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/go.sum b/go.sum
index fc5d8e93..0f0dfae6 100644
--- a/go.sum
+++ b/go.sum
@@ -240,8 +240,8 @@ golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -291,16 +291,16 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -309,8 +309,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
From a39d484e0b8c420fa21f9403349a29764456dc2c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 29 Dec 2023 13:04:01 +0100
Subject: [PATCH 28/39] chore: bump github.com/go-git/go-git/v5 from 5.5.2 to 5.11.0 (#119) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.5.2 to 5.11.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.5.2...v5.11.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production ...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 27 +++++++-------
 go.sum | 109 +++++++++++++++++++++++----------------------------
 2 files changed, 57 insertions(+), 79 deletions(-)
diff --git a/go.mod b/go.mod
index e9a2ab20..91769e4a 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/digitorus/pkcs7 v0.0.0-20230220124406-51331ccfc40f
 github.com/digitorus/timestamp v0.0.0-20230220124323-d542479a2425
 github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d
- github.com/go-git/go-git/v5 v5.5.2
+ github.com/go-git/go-git/v5 v5.11.0
 github.com/in-toto/archivista v0.2.0
 github.com/mattn/go-isatty v0.0.20
 github.com/open-policy-agent/opa v0.49.2
@@ -22,37 +22,38 @@ require ( ) require ( + dario.cat/mergo v1.0.0 // indirect filippo.io/edwards25519 v1.0.0 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/cloudflare/circl v1.3.3 // indirect github.com/coreos/go-oidc/v3 v3.5.0 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/go-jose/go-jose/v3 v3.0.1 // indirect github.com/go-logr/logr v1.2.4 // indirect github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/flatbuffers v2.0.8+incompatible // indirect github.com/google/go-containerregistry v0.13.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/kr/pretty v0.3.0 // indirect github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/pjbgf/sha1cd v0.2.3 // indirect + github.com/pjbgf/sha1cd v0.3.0 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/rogpeppe/go-internal v1.8.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect - github.com/skeema/knownhosts v1.1.0 // indirect + github.com/skeema/knownhosts v1.2.1 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/zclconf/go-cty v1.12.1 // indirect - golang.org/x/mod v0.10.0 // indirect + golang.org/x/mod v0.12.0 // indirect golang.org/x/oauth2 v0.7.0 // indirect - golang.org/x/tools v0.9.3 // indirect + golang.org/x/tools v0.13.0 // 
indirect google.golang.org/appengine v1.6.7 // indirect gopkg.in/inf.v0 v0.9.1 // indirect k8s.io/klog/v2 v2.90.0 // indirect @@ -62,18 +63,16 @@ require ( ) require ( - github.com/Microsoft/go-winio v0.6.0 // indirect + github.com/Microsoft/go-winio v0.6.1 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect - github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect - github.com/acomagu/bufpipe v1.0.3 // indirect + github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect github.com/aws/aws-sdk-go v1.44.334 github.com/emirpasic/gods v1.18.1 // indirect github.com/ghodss/yaml v1.0.0 // indirect - github.com/go-git/gcfg v1.5.0 // indirect - github.com/go-git/go-billy/v5 v5.4.1 // indirect + github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect + github.com/go-git/go-billy/v5 v5.5.0 // indirect github.com/gobwas/glob v0.2.3 github.com/golang/protobuf v1.5.3 // indirect - github.com/imdario/mergo v0.3.13 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/kevinburke/ssh_config v1.2.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect @@ -88,7 +87,7 @@ require ( github.com/yashtewari/glob-intersection v0.1.0 // indirect github.com/zeebo/errs v1.3.0 // indirect golang.org/x/crypto v0.17.0 // indirect - golang.org/x/net v0.17.0 // indirect + golang.org/x/net v0.19.0 // indirect golang.org/x/term v0.15.0 // indirect golang.org/x/text v0.14.0 // indirect google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect diff --git a/go.sum b/go.sum index 0f0dfae6..e59efb8e 100644 --- a/go.sum +++ b/go.sum 
@@ -1,38 +1,35 @@ cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek= filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= -github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= -github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= -github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4/go.mod h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8= -github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA= -github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g= -github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk= -github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4= +github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg= +github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod 
h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= -github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= -github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/aws/aws-sdk-go v1.44.334 h1:h2bdbGb//fez6Sv6PaYv868s9liDeoYM6hYsAqTB4MU= github.com/aws/aws-sdk-go v1.44.334/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= -github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I= github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= github.com/coreos/go-oidc/v3 v3.5.0 h1:VxKtbccHZxs8juq7RdJntSqtXFtde9YpNpGn0yqgEHw= github.com/coreos/go-oidc/v3 v3.5.0/go.mod h1:ecXRtV4romGPeO6ieExAsUK9cb/3fp9hXNz1tlv8PIM= 
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -49,6 +46,7 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d h1:4l+Uq5zFWSagXgGFaKRRVWJrnlzeathyagWgYUltCgY= github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d/go.mod h1:WxWwA3EYuCQjlR5EBUX3uaTS8bh9BOa7BcqVREHQ0uQ= +github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw= 
@@ -59,17 +57,13 @@ github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= -github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4= -github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4= -github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E= -github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= -github.com/go-git/go-billy/v5 v5.4.0/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= -github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4= -github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= -github.com/go-git/go-git-fixtures/v4 v4.3.1 h1:y5z6dd3qi8Hl+stezc8p3JxDkoTRqMAlKnXHuzrfjTQ= -github.com/go-git/go-git-fixtures/v4 v4.3.1/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo= -github.com/go-git/go-git/v5 v5.5.2 h1:v8lgZa5k9ylUw+OR/roJHTxR4QItsNFI5nKtAXFuynw= -github.com/go-git/go-git/v5 v5.5.2/go.mod h1:BE5hUJ5yaV2YMxhmaP4l6RBQ08kMxKSPD4BlxtH7OjI= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= +github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU= +github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= +github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4= +github.com/go-git/go-git/v5 v5.11.0/go.mod 
h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY= github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= @@ -84,6 +78,7 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= @@ -97,8 +92,7 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-containerregistry v0.13.0 h1:y1C7Z3e149OJbOPDBxLYR8ITPz8dTKqQwjErKVHJC8k= github.com/google/go-containerregistry v0.13.0/go.mod h1:J9FQ+eSS4a1aC2GNZxvNpbWhgp0487v+cgiilB4FqDo= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -108,13 +102,10 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 h1:1JYBfzqrWPcCclBwxFCPAou9n+q github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0/go.mod h1:YDZoGHuwE+ov0c8smSH49WLF3F2LaWnYYuDVd+EWrc0= github.com/honeycombio/beeline-go v1.10.0 h1:cUDe555oqvw8oD76BQJ8alk7FP0JZ/M/zXpNvOEDLDc= github.com/honeycombio/libhoney-go v1.16.0 h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvznI6M3KdHc= -github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= -github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= github.com/in-toto/archivista v0.2.0 h1:FViuHMVVETborvOqlmSYdROY8RmX3CO0V0MOhU/Rl20= github.com/in-toto/archivista v0.2.0/go.mod h1:qt9uN4TkHWUgR5A2wxRqQIBizSl32P2nI2AjESskkr0= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= -github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= 
@@ -128,17 +119,12 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= -github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= -github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf h1:ndns1qx/5dL43g16EQkPV/i8+b3l5bYQwLeoSBe7tS8= github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf/go.mod h1:aGkAgvWY/IUcVFfuly53REpfv5edu25oij+qHRFaraA= -github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A= -github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= 
@@ -148,16 +134,15 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= github.com/open-policy-agent/opa v0.49.2 h1:n8ntRq/yDWy+cmYaqSLrHXmrT3tX8WlK28vjFQdC6W8= github.com/open-policy-agent/opa v0.49.2/go.mod h1:7L3lN5qe8xboRmEHxC5lGjo5KsRMdK+CCLiFoOCP7rU= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/owenrumney/go-sarif v1.1.1 h1:QNObu6YX1igyFKhdzd7vgzmw7XsWN3/6NMGuDzBgXmE= github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U= -github.com/pjbgf/sha1cd v0.2.3 h1:uKQP/7QOzNtKYH7UTohZLcjF5/55EnTw0jO/Ru4jZwI= -github.com/pjbgf/sha1cd v0.2.3/go.mod h1:HOK9QrgzdHpbc2Kzip0Q1yi3M2MFGPADtR6HjG65m5M= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= +github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 
@@ -168,12 +153,9 @@ github.com/prometheus/common v0.39.0 h1:oOyhkDq05hPZKItWVBkJ6g6AtGxi+fy7F4JvUV8u github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= -github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= -github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/sigstore/fulcio v1.1.0 h1:mzzJ05Ccu8Y2inyioklNvc8MpzlGHxu8YqNeTm0dHfU= 
@@ -182,8 +164,8 @@ github.com/sigstore/sigstore v1.5.2 h1:rvZSPJDH2ysoc8kjW9v4nv1UX3XwSA8y4x6Dk7hA0 github.com/sigstore/sigstore v1.5.2/go.mod h1:wxhp9KoaOpeb1VLKILruD283KJqPSqX+3TuBByVDZ6E= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/skeema/knownhosts v1.1.0 h1:Wvr9V0MxhjRbl3f9nMnKnFfiWTJmtECJ9Njkea3ysW0= -github.com/skeema/knownhosts v1.1.0/go.mod h1:sKFq3RD6/TKZkSWn8boUbDC7Qkgcv+8XXijpFO6roag= +github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ= +github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY= 
@@ -236,17 +218,17 @@ golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= -golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net 
v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -256,13 +238,14 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g= golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= 
@@ -270,35 +253,33 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys 
v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -309,6 +290,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -316,8 +299,9 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= -golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -338,10 +322,7 @@ gopkg.in/alexcesaro/statsd.v2 v2.0.0 h1:FXkZSCZIH17vLCO5sO2UucTHsH9pc+17F6pl3JVC gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= 
@@ -349,12 +330,10 @@ gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= k8s.io/apimachinery v0.26.11 h1:w//840HHdwSRKqD15j9YX9HLlU6RPlfrvW0xEhLk2+0= From c5246d46d202e0e381f2bb6dbdab0cb9c4594e14 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 14:47:23 -0600 Subject: [PATCH 29/39] chore: bump github/codeql-action from 3.22.11 to 3.22.12 (#118) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.22.11 to 3.22.12. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b374143c1149a9115d881581d29b8390bbcbb59c...012739e5082ff0c22ca6d6ab32e07c36df03c4a4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 57714fde..899cc198 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -64,7 +64,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
+ uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -74,7 +74,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
+ uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -87,6 +87,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
+ uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 9a4561fa..6c3dda81 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml 
@@ -85,6 +85,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 + uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: sarif_file: results.sarif From 6ab0399170a22b226eeb7642a52448cf3a623242 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 14:53:07 -0600 Subject: [PATCH 30/39] chore: bump actions/download-artifact from 4.0.0 to 4.1.0 (#117) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/7a1cd3216ca9260cd8022db641d960b1db4d1be4...f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/witness.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index a1c8ccab..0cdcf9f5 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -55,7 +55,7 @@ jobs: go-version: 1.21.x - if: ${{ inputs.artifact-download != '' }} - uses: actions/download-artifact@7a1cd3216ca9260cd8022db641d960b1db4d1be4 # v4.0.0 + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 with: name: ${{ inputs.artifact-download }} path: /tmp From 30884423c97151d74d4bcbf305b3f41c5ace3d37 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 14:56:44 -0600 Subject: [PATCH 31/39] chore: bump k8s.io/apimachinery from 0.26.11 to 0.26.12 (#116) Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.26.11 to 0.26.12. - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.26.11...v0.26.12) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 91769e4a..afee1830 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( golang.org/x/sys v0.15.0 google.golang.org/grpc v1.56.3 gopkg.in/square/go-jose.v2 v2.6.0 - k8s.io/apimachinery v0.26.11 + k8s.io/apimachinery v0.26.12 ) require ( diff --git a/go.sum b/go.sum index e59efb8e..dd3809c3 100644 --- a/go.sum +++ b/go.sum 
@@ -336,8 +336,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/apimachinery v0.26.11 h1:w//840HHdwSRKqD15j9YX9HLlU6RPlfrvW0xEhLk2+0= -k8s.io/apimachinery v0.26.11/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y= +k8s.io/apimachinery v0.26.12 h1:y+OgufxqLIZtyXIydRhjLBGzrYLF+qwiDdCFXYOjeN4= +k8s.io/apimachinery v0.26.12/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y= k8s.io/klog/v2 v2.90.0 h1:VkTxIV/FjRXn1fgNNcKGM8cfmL1Z33ZjXRTVxKCoF5M= k8s.io/klog/v2 v2.90.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/utils v0.0.0-20230115233650-391b47cb4029 h1:L8zDtT4jrxj+TaQYD0k8KNlr556WaVQylDXswKmX+dE= From 9875fcc6e4dc0e34d0ed308a126ba954d04196e7 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Tue, 2 Jan 2024 15:03:24 -0600 Subject: [PATCH 32/39] Update SECURITY-INSIGHTS.yml with additional information (#108) * Update SECURITY-INSIGHTS.yml with additional information Signed-off-by: John Kjell * Address Scorecard feedback and add dependency policy. Signed-off-by: John Kjell --------- Signed-off-by: John Kjell --- .github/workflows/release.yml | 16 +++++-- .github/workflows/verify-licence.yml | 4 +- .github/workflows/witness.yml | 6 +++ DEPENDENCY.md | 42 ++++++++++++++++++ SECURITY-INSIGHTS.yml | 65 ++++++++++++++++++++++++++-- 5 files changed, 124 insertions(+), 9 deletions(-) create mode 100644 DEPENDENCY.md diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2861efc3..2785e946 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -12,14 +12,18 @@ # See the License for the specific language governing permissions and # limitations under the License. -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout name: release on: [push, pull_request] + +permissions: + contents: read + jobs: fmt: uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: fmt @@ -29,6 +33,9 @@ jobs: sast: needs: [fmt] uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: sast @@ -38,6 +45,9 @@ jobs: unit-test: needs: [fmt] uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: unit-test diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml index 593a8d18..8528886d 100644 --- a/.github/workflows/verify-licence.yml +++ b/.github/workflows/verify-licence.yml @@ -34,9 +34,9 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: '1.17.x' + go-version: '1.21.x' - name: Install addlicense - run: go install github.com/google/addlicense@latest + run: go install github.com/google/addlicense@v1.1.1 - name: Check license headers run: | set -e diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 0cdcf9f5..e02a3049 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml 
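Review bot: The new workflow-level `permissions:` block in this hunk loses the explanation the removed block carried for `contents: read` (`# This is required for actions/checkout`), while the job-level blocks keep a comment only on `id-token: write`. Because the purpose of the change is to make the default token read-only and re-grant `id-token: write` only where witness.yml needs it, a short comment on the top-level block would keep that intent reviewable, e.g. `permissions: # read-only default; jobs calling witness.yml request id-token: write below`. The same job-level block is repeated for `fmt`, `sast` and `unit-test` in this and the two following hunks, so the comment belongs at the top-level block rather than on each copy.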
@@ -40,9 +40,15 @@ on: required: true type: string +permissions: + contents: read + jobs: witness: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 diff --git a/DEPENDENCY.md b/DEPENDENCY.md new file mode 100644 index 00000000..99f74a1c --- /dev/null +++ b/DEPENDENCY.md 
@@ -0,0 +1,42 @@ +# Environment Dependencies Policy + +## Purpose + +This policy describes how Witness maintainers consume third-party packages. + +## Scope + +This policy applies to all Witness maintainers and all third-party packages used in the Witness project. + +## Policy + +Witness maintainers must follow these guidelines when consuming third-party packages: + +- Only use third-party packages that are necessary for the functionality of Witness. +- Use the latest version of all third-party packages whenever possible. +- Avoid using third-party packages that are known to have security vulnerabilities. +- Pin all third-party packages to specific versions in the Witness codebase. +- Use a dependency management tool, such as Go modules, to manage third-party dependencies. + +## Procedure + +When adding a new third-party package to Witness, maintainers must follow these steps: + +1. Evaluate the need for the package. Is it necessary for the functionality of Witness? +2. Research the package. Is it well-maintained? Does it have a good reputation? +3. Choose a version of the package. Use the latest version whenever possible. +4. Pin the package to the specific version in the Witness codebase. +5. Update the Witness documentation to reflect the new dependency. + +## Enforcement + +This policy is enforced by the Witness maintainers. +Maintainers are expected to review each other's code changes to ensure that they comply with this policy. + +## Exceptions + +Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis. + +## Credits + +This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md) diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml index cf55b9bd..c52c5f1b 100644 --- a/SECURITY-INSIGHTS.yml +++ b/SECURITY-INSIGHTS.yml 
@@ -15,10 +15,67 @@ header: schema-version: 1.0.0 expiration-date: '2024-08-31T10:10:09.000Z' - last-updated: '2023-12-06' - last-reviewed: '2023-12-06' + last-updated: '2023-12-20' + last-reviewed: '2023-12-20' commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41 project-url: https://github.com/in-toto/go-witness - project-release: 'v0.17.0' - changelog: https://github.com/in-toto/go-witness/releases/tag/v0.17.0 + project-release: 'v0.2.0' + changelog: https://github.com/in-toto/go-witness/releases/tag/v0.2.0 license: https://github.com/in-toto/go-witness/blob/main/LICENSE + +project-lifecycle: + status: active + roadmap: https://github.com/orgs/in-toto/projects/4/views/3 + bug-fixes-only: false + core-maintainers: + - https://github.com/in-toto/go-witness/MAINTAINERS.md + release-cycle: https://github.com/in-toto/go-witness/releases + +contribution-policy: + accepts-pull-requests: true + accepts-automated-pull-requests: true + contributing-policy: https://github.com/in-toto/go-witness/blob/main/CONTRIBUTING.md + code-of-conduct: https://github.com/in-toto/go-witness/blob/main/CODE_OF_CONDUCT.md + +documentation: + - https://witness.dev + +distribution-points: + - https://github.com/in-toto/go-witness/releases + +security-testing: +- tool-type: sca + tool-name: Dependabot + tool-version: 2 + tool-url: https://github.com/dependabot + integration: + ad-hoc: false + ci: true + before-release: false + +security-contacts: +- type: email + value: security@testifysec.com + primary: true + +vulnerability-reporting: + accepts-vulnerability-reports: true + email-contact: security@testifysec.com + security-policy: https://github.com/in-toto/go-witness/SECURITY.md + +dependencies: + third-party-packages: true + dependencies-lists: + - https://github.com/in-toto/go-witness/go.mod + sbom: + - sbom-file: https://foo.bar/sbom + sbom-format: CycloneDX + sbom-url: https://foo.bar + dependencies-lifecycle: + policy-url: https://github.com/in-toto/go-witness/SECURITY.md + comment: | 
+ All dependencies are subject to the Witness Security Policy. + env-dependencies-policy: + policy-url: https://github.com/in-toto/go-witness/DEPENDENCY.md + comment: | + All dependencies are subject to the Witness Dependency Policy. From 90c26c321d3997755752a3ea0db59d9c4f73d155 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 12:56:01 -0500 Subject: [PATCH 33/39] chore: bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (#121) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.3 to 1.3.7. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.3.3...v1.3.7) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index afee1830..d8e42716 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( dario.cat/mergo v1.0.0 // indirect filippo.io/edwards25519 v1.0.0 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect - github.com/cloudflare/circl v1.3.3 // indirect + github.com/cloudflare/circl v1.3.7 // indirect github.com/coreos/go-oidc/v3 v3.5.0 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/dustin/go-humanize v1.0.1 // indirect diff --git a/go.sum b/go.sum index dd3809c3..fdcfeed1 100644 --- a/go.sum +++ b/go.sum 
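Review bot: The `sbom` entry added near the end of this hunk points at placeholder URLs (`sbom-file: https://foo.bar/sbom`, `sbom-url: https://foo.bar`); a published security-insights file is consumed by tooling that will treat these as the real SBOM location, so either the actual location should go in or the `sbom` key should be left out until one exists. Two of the new links also omit the `blob/main/` path segment that the other links in this file use (`core-maintainers` → `MAINTAINERS.md`, and both `security-policy` and the first `policy-url` → `SECURITY.md`), which may not resolve as written. The header moves `last-updated`/`last-reviewed` to 2023-12-20 but leaves `commit-hash` at cd0c222058a8830a8e190b840e466098b25a3c41, and `project-release` goes from v0.17.0 to v0.2.0; these may be intentional, but they are worth confirming since the header fields are meant to describe the same snapshot.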
@@ -24,8 +24,9 @@ github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7N github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= +github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= +github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/coreos/go-oidc/v3 v3.5.0 h1:VxKtbccHZxs8juq7RdJntSqtXFtde9YpNpGn0yqgEHw= github.com/coreos/go-oidc/v3 v3.5.0/go.mod h1:ecXRtV4romGPeO6ieExAsUK9cb/3fp9hXNz1tlv8PIM= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= From 43548222eba752d59cc6c51c8c54ebafdb79a1d9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 12:59:42 -0500 Subject: [PATCH 34/39] chore: bump actions/dependency-review-action from 3.1.4 to 3.1.5 (#123) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.4 to 3.1.5. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/01bc87099ba56df1e897b6874784491ea6309bc4...c74b580d73376b7750d3d2a50bfb8adc2c937507) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 40f28f19..5b0608ae 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -38,4 +38,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: 'Dependency Review' - uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4 + uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5 From 0aaf29b4d0dbd0ce2728d9538a133222a1d17573 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 21:05:31 -0500 Subject: [PATCH 35/39] chore: bump github/codeql-action from 3.22.12 to 3.23.0 (#122) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.22.12 to 3.23.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/012739e5082ff0c22ca6d6ab32e07c36df03c4a4...e5f05b81d5b6ff8cfa111c80c22c5fd02a384118) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: John Kjell --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 899cc198..98bbd925 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -64,7 +64,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -74,7 +74,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -87,6 +87,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 6c3dda81..8a135b6b 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -85,6 +85,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: sarif_file: results.sarif From a54b4c03268ecb65a289a913e589a360931a5c83 Mon Sep 17 00:00:00 2001 
From: pkwiatkowski1 <126618572+pkwiatkowski1@users.noreply.github.com> Date: Fri, 12 Jan 2024 13:13:35 -0500 Subject: [PATCH 36/39] fix: added oidc redirect url option for fulcio (#76) * fix: added oidc redirect url option for fulcio Signed-off-by: Patrick Kwiatkowski * Update fulcio.go --------- Signed-off-by: Patrick Kwiatkowski Signed-off-by: Tom Meadows Co-authored-by: Tom Meadows --- signer/fulcio/fulcio.go | 34 ++++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go index ff628ecc..fc4c55d8 100644 --- a/signer/fulcio/fulcio.go +++ b/signer/fulcio/fulcio.go @@ -105,6 +105,20 @@ func init() { return fsp, nil }, ), + registry.StringConfigOption( + "oidc-redirect-url", + "OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.", + "", + func(sp signer.SignerProvider, oidcRedirectUrl string) (signer.SignerProvider, error) { + fsp, ok := sp.(FulcioSignerProvider) + if !ok { + return sp, fmt.Errorf("provided signer provider is not a fulcio signer provider") + } + + WithOidcRedirectUrl(oidcRedirectUrl)(&fsp) + return fsp, nil + }, + ), registry.StringConfigOption( "token-path", "Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token)", @@ -123,11 +137,12 @@ func init() { } type FulcioSignerProvider struct { - FulcioURL string - OidcIssuer string - OidcClientID string - Token string - TokenPath string + FulcioURL string + OidcIssuer string + OidcClientID string + Token string + TokenPath string + OidcRedirectUrl string } type Option func(*FulcioSignerProvider) 
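Review bot: The help text for the new `oidc-redirect-url` option states a default of `http://localhost:0/auth/callback`, but the option's default value is `""`, which is stored as-is and handed to `oauthflow.OIDConnect`; whether an empty string becomes that loopback listener is decided inside the oauthflow package, not in this file, so the text is only accurate if that library behaviour holds — worth confirming, and phrasing it as `Defaults to the oauthflow loopback listener (http://localhost:0/auth/callback) when empty.` The value is also accepted without any parsing, even though the interactive flow uses it as the callback address; checking in this setter that a non-empty value parses as an absolute URL (`url.Parse` plus a scheme/host check) would turn a mistyped flag into a clear error rather than a failure deep in the OIDC flow (note `net/url` may need importing — the import block is outside the hunk). Naming: the struct hunk that follows adds `OidcRedirectUrl` beside `FulcioURL` and `OidcClientID`; Go initialism style and this struct's own `FulcioURL` argue for `OidcRedirectURL`, which would also apply to `WithOidcRedirectUrl` and the `oidcRedirectUrl` locals in both hunks. The enclosing `init` function starts and ends outside the hunk.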
@@ -156,6 +171,13 @@ func WithToken(tokenOption string) Option { } } + +func WithOidcRedirectUrl(oidcRedirectUrl string) Option { + return func(fsp *FulcioSignerProvider) { + fsp.OidcRedirectUrl = oidcRedirectUrl + } +} + func WithTokenPath(tokenPathOption string) Option { return func(fsp *FulcioSignerProvider) { fsp.TokenPath = tokenPathOption @@ -243,7 +265,7 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer, raw = string(f) case fsp.Token == "" && isatty.IsTerminal(os.Stdin.Fd()): - tok, err := oauthflow.OIDConnect(fsp.OidcIssuer, fsp.OidcClientID, "", "", oauthflow.DefaultIDTokenGetter) + tok, err := oauthflow.OIDConnect(fsp.OidcIssuer, fsp.OidcClientID, "", fsp.OidcRedirectUrl, oauthflow.DefaultIDTokenGetter) if err != nil { return nil, err } From 8937af70507e6741521aa54845a3526eca2261ba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 08:39:32 -0600 Subject: [PATCH 37/39] chore: bump actions/upload-artifact from 4.0.0 to 4.1.0 (#126) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/c7d193f32edcb7bfad88892161225aeda64e9392...1eb3cb2b3e0f29609092a73eb033bb759a334595) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- .github/workflows/witness.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 8a135b6b..aa38c90b 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
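Review bot: `WithOidcRedirectUrl` is exported but carries no doc comment; `// WithOidcRedirectUrl sets the redirect URL used by the interactive OIDC login; an empty value leaves the oauthflow default in place.` would document the contract callers need. The hunk also adds a `+` blank line directly after an existing blank context line, leaving two consecutive blank lines before the function, which gofmt collapses — the file should be gofmt-clean before merging. The function body itself is fine.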
@@ -77,7 +77,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index e02a3049..f2029c25 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -85,7 +85,7 @@ jobs: run: ${{ inputs.command }} - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}} - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 with: name: ${{ inputs.artifact-upload-name }} path: ${{ inputs.artifact-upload-path }} From 404b65482adde0bdff021c20b6c49eab543d9e56 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 08:43:04 -0600 Subject: [PATCH 38/39] chore: bump actions/download-artifact from 4.1.0 to 4.1.1 (#127) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110...6b208ae046db98c579e8a3aa621ab581ff575935) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/witness.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index f2029c25..1b2dc2c1 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -61,7 +61,7 @@ jobs: go-version: 1.21.x - if: ${{ inputs.artifact-download != '' }} - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ inputs.artifact-download }} path: /tmp From 61576e0f41c659c5dc0e322f8481f5976139b02f Mon Sep 17 00:00:00 2001 From: Tom Meadows Date: Tue, 16 Jan 2024 17:40:51 +0000 Subject: [PATCH 39/39] Adding function to add a single attestor (#128) * adding function for adding a single attestor Signed-off-by: chaosinthecrd * changing to GetXXX and creating separate attestor error Signed-off-by: chaosinthecrd --------- Signed-off-by: chaosinthecrd --- attestation/factory.go | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/attestation/factory.go b/attestation/factory.go index abc0bb4d..a78bfabb 100644 --- a/attestation/factory.go +++ b/attestation/factory.go @@ -70,6 +70,12 @@ func (e ErrAttestationNotFound) Error() string { return fmt.Sprintf("attestation not found: %v", string(e)) } +type ErrAttestorNotFound string + +func (e ErrAttestorNotFound) Error() string { + return fmt.Sprintf("attestor not found: %v", string(e)) +} + func RegisterAttestation(name, predicateType string, run RunType, factoryFunc registry.FactoryFunc[Attestor], opts ...registry.Configurer) { registrationEntry := attestorRegistry.Register(name, factoryFunc, opts...) attestationsByType[predicateType] = registrationEntry 
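Review bot: `ErrAttestorNotFound` is a new exported error type with no doc comment, and since it sits directly under `ErrAttestationNotFound` with a near-identical message, the comment should say what distinguishes them, e.g. `// ErrAttestorNotFound is returned when no attestor is registered under the given name or predicate type.` Introducing it is not purely additive: the next hunk makes `GetAttestors` return `ErrAttestorNotFound` where it previously returned `ErrAttestationNotFound`, so any caller matching the old type with `errors.As` will stop matching — that behaviour change deserves a mention in the commit message, or the old type could be kept for that path. Style: `fmt.Sprintf("attestor not found: %v", string(e))` formats a string with `%v`; `%q` would make an empty or whitespace-only name visible in the error. The `RegisterAttestation` function that follows starts inside the hunk and ends outside it.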
@@ -86,14 +92,32 @@ func FactoryByName(name string) (registry.FactoryFunc[Attestor], bool) {
 return registrationEntry.Factory, ok
 }
+func GetAttestor(nameOrType string) (Attestor, error) {
+ attestors, err := GetAttestors([]string{nameOrType})
+ if err != nil {
+ return nil, err
+ }
+
+ if len(attestors) == 0 {
+ return nil, ErrAttestorNotFound(nameOrType)
+ }
+
+ return attestors[0], nil
+}
+
+// Deprecated: use AddAttestors instead
 func Attestors(nameOrTypes []string) ([]Attestor, error) {
+ return GetAttestors(nameOrTypes)
+}
+
+func GetAttestors(nameOrTypes []string) ([]Attestor, error) {
 attestors := make([]Attestor, 0)
 for _, nameOrType := range nameOrTypes {
 factory, ok := FactoryByName(nameOrType)
 if !ok {
 factory, ok = FactoryByType(nameOrType)
 if !ok {
- return nil, ErrAttestationNotFound(nameOrType)
+ return nil, ErrAttestorNotFound(nameOrType)
 }
 }