Skip to content

Commit

Permalink
fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [sec…
Browse files Browse the repository at this point in the history 
…urity] (#723)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign)
| `v2.2.0` -> `v2.2.4` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2023-46737](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9)

### Summary
Cosign is susceptible to a denial of service by an attacker controlled
registry. An attacker who controls a remote registry can return a high
number of attestations and/or signatures to Cosign and cause Cosign to
enter a long loop resulting in an endless data attack. The root cause is
that Cosign loops through all attestations fetched from the remote
registry in `pkg/cosign.FetchAttestations`.

The attacker needs to compromise the registry or make a request to a
registry they control. When doing so, the attacker must return a high
number of attestations in the response to Cosign. The result will be
that the attacker can cause Cosign to go into a long or infinite loop
that will prevent other users from verifying their data. In Kyvernos
case, an attacker whose privileges are limited to making requests to the
cluster can make a request with an image reference to their own
registry, trigger the infinite loop and deny other users from completing
their admission requests. Alternatively, the attacker can obtain control
of the registry used by an organization and return a high number of
attestations instead the expected number of attestations.

The vulnerable loop in Cosign starts on line 154 below:

https://github.com/sigstore/cosign/blob/004443228442850fb28f248fd59765afad99b6df/pkg/cosign/fetch.go#L135-L196

The `l` slice is controllable by an attacker who controls the remote
registry.

Many cloud-native projects consider the remote registry to be untrusted,
including Crossplane, Notary and Kyverno. We consider the same to be the
case for Cosign, since users are not in control of whether the registry
returns the expected data.

TUF's security model labels this type of vulnerability an ["Endless data
attack"](https://theupdateframework.io/security/), but an attacker could
use this as a type of rollback attack, in case the user attempts to
deploy a patched version of a vulnerable image; The attacker could
prevent this upgrade by causing Cosign to get stuck in an infinite loop
and never complete.

### Mitigation
The issue can be mitigated rather simply by setting a limit to the limit
of attestations that Cosign will loop through. The limit does not need
to be high to be within the vast majority of use cases and still prevent
the endless data attack.

####
[CVE-2024-29902](https://togithub.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc)

### Summary
A remote image with a malicious attachment can cause denial of service
of the host machine running Cosign. This can impact other services on
the machine that rely on having memory available such as a Redis
database which can result in data loss. It can also impact the
availability of other services on the machine that will not be available
for the duration of the machine denial.

### Details
The root cause of this issue is that Cosign reads the attachment from a
remote image entirely into memory without checking the size of the
attachment first. As such, a large attachment can make Cosign read a
large attachment into memory; If the attachments size is larger than the
machine has memory available, the machine will be denied of service. The
Go runtime will make a `SIGKILL` after a few seconds of system-wide
denial.

The root cause is that Cosign reads the contents of the attachments
entirely into memory on line 238 below:


https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239

...and prior to that, neither Cosign nor go-containerregistry checks the
size of the attachment and enforces a max cap. In the case of a remote
layer of `f *attached`, go-containerregistry will invoke this API:


https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40
```golang
func (rl *remoteLayer) Compressed() (io.ReadCloser, error) {
	// We don't want to log binary layers -- this can break terminals.
	ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs")
	return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)
}
```

Notice that the second argument to `rl.fetcher.fetchBlob` is
`verify.SizeUnknown` which results in not using the `io.LimitReader` in
`verify.ReadCloser`:

https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/internal/verify/verify.go#L82-L100
```golang
func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
	w, err := v1.Hasher(h.Algorithm)
	if err != nil {
		return nil, err
	}
	r2 := io.TeeReader(r, w) // pass all writes to the hasher.
	if size != SizeUnknown {
		r2 = io.LimitReader(r2, size) // if we know the size, limit to that size.
	}
	return &and.ReadCloser{
		Reader: &verifyReader{
			inner:    r2,
			hasher:   w,
			expected: h,
			wantSize: size,
		},
		CloseFunc: r.Close,
	}, nil
}
```

### Impact
This issue can allow a supply-chain escalation from a compromised
registry to the Cosign user: If an attacher has compromised a registry
or the account of an image vendor, they can include a malicious
attachment and hurt the image consumer.

### Remediation
Update to the latest version of Cosign, which limits the number of
attachments. An environment variable can override this value.

####
[CVE-2024-29903](https://togithub.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv)

Maliciously-crafted software artifacts can cause denial of service of
the machine running Cosign, thereby impacting all services on the
machine. The root cause is that Cosign creates slices based on the
number of signatures, manifests or attestations in untrusted artifacts.
As such, the untrusted artifact can control the amount of memory that
Cosign allocates.

As an example, these lines demonstrate the problem:


https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70

This `Get()` method gets the manifest of the image, allocates a slice
equal to the length of the layers in the manifest, loops through the
layers and adds a new signature to the slice.

The exact issue is Cosign allocates excessive memory on the lines that
creates a slice of the same length as the manifests.

## Remediation

Update to the latest version of Cosign, where the number of
attestations, signatures and manifests has been limited to a reasonable
value.

## Cosign PoC

In the case of this API (also referenced above):


https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70

… The first line can contain a length that is safe for the system and
will not throw a runtime panic or be blocked by other safety mechanisms.
For the sake of argument, let’s say that the length of `m, err :=
s.Manifest()` is the max allowed (by the machine without throwing OOM
panics) manifests minus 1. When Cosign then allocates a new slice on
this line: `signatures := make([]oci.Signature, 0, len(m.Layers))`,
Cosign will allocate more memory than is available and the machine will
be denied of service, causing Cosign and all other services on the
machine to be unavailable.

To illustrate the issue here, we run a modified version of
`TestSignedImageIndex()` in `pkg/oci/remote`:


https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/oci/remote/index_test.go#L31-L57

Here, `wantLayers` is the number of manifests from these lines:


https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L60

To test this, we want to make `wantLayers` high enough to not cause a
memory on its own but still trigger the machine-wide OOM when a slice
gets create with the same length. On my local machine, it would take
hours to create a slice of layers that fulfils that criteria, so instead
I modify the Cosign production code to reflect a long list of manifests:

```golang
// Get implements oci.Signatures
func (s *sigs) Get() ([]oci.Signature, error) {
        m, err := s.Manifest()
        if err != nil {
                return nil, err
        }
        // Here we imitate a long list of manifests
        ms := make([]byte, 2600000000) // imitate a long list of manifests
        signatures := make([]oci.Signature, 0, len(ms))
        panic("Done")
        //signatures := make([]oci.Signature, 0, len(m.Layers))
        for _, desc := range m.Layers {
```

With this modified code, if we can cause an OOM without triggering the
`panic("Done")`, we have succeeded.

---

### Release Notes

<details>
<summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary>

###
[`v2.2.4`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v224)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.3...v2.2.4)

#### Bug Fixes

- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv
([#&#8203;3661](https://togithub.com/sigstore/cosign/issues/3661))
- ErrNoSignaturesFound should be used when there is no signature
attached to an image.
([#&#8203;3526](https://togithub.com/sigstore/cosign/issues/3526))
- fix semgrep issues for dgryski.semgrep-go ruleset
([#&#8203;3541](https://togithub.com/sigstore/cosign/issues/3541))
- Honor creation timestamp for signatures again
([#&#8203;3549](https://togithub.com/sigstore/cosign/issues/3549))

#### Features

- Adds Support for Fulcio Client Credentials Flow, and Argument to Set
Flow Explicitly
([#&#8203;3578](https://togithub.com/sigstore/cosign/issues/3578))

#### Documentation

- add oci bundle spec
([#&#8203;3622](https://togithub.com/sigstore/cosign/issues/3622))
- Correct help text of triangulate cmd
([#&#8203;3551](https://togithub.com/sigstore/cosign/issues/3551))
- Correct help text of verify-attestation policy argument
([#&#8203;3527](https://togithub.com/sigstore/cosign/issues/3527))
- feat: add OVHcloud MPR registry tested with cosign
([#&#8203;3639](https://togithub.com/sigstore/cosign/issues/3639))

#### Testing

- Refactor e2e-tests.yml workflow
([#&#8203;3627](https://togithub.com/sigstore/cosign/issues/3627))
- Clean up and clarify e2e scripts
([#&#8203;3628](https://togithub.com/sigstore/cosign/issues/3628))
- Don't ignore transparency log in tests if possible
([#&#8203;3528](https://togithub.com/sigstore/cosign/issues/3528))
- Make E2E tests hermetic
([#&#8203;3499](https://togithub.com/sigstore/cosign/issues/3499))
- add e2e test for pkcs11 token signing
([#&#8203;3495](https://togithub.com/sigstore/cosign/issues/3495))

###
[`v2.2.3`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v223)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.2...v2.2.3)

#### Bug Fixes

- Fix race condition on verification with multiple signatures attached
to image
([#&#8203;3486](https://togithub.com/sigstore/cosign/issues/3486))
- fix(clean): Fix clean cmd for private registries
([#&#8203;3446](https://togithub.com/sigstore/cosign/issues/3446))
- Fixed BYO PKI verification
([#&#8203;3427](https://togithub.com/sigstore/cosign/issues/3427))

#### Features

- Allow for option in cosign attest and attest-blob to upload
attestation as supported in Rekor
([#&#8203;3466](https://togithub.com/sigstore/cosign/issues/3466))
- Add support for OpenVEX predicate type
([#&#8203;3405](https://togithub.com/sigstore/cosign/issues/3405))

#### Documentation

- Resolves
[#&#8203;3088](https://togithub.com/sigstore/cosign/issues/3088):
`version` sub-command expected behaviour documentation and testing
([#&#8203;3447](https://togithub.com/sigstore/cosign/issues/3447))
- add examples for cosign attach signature cmd
([#&#8203;3468](https://togithub.com/sigstore/cosign/issues/3468))

#### Misc

- Remove CertSubject function
([#&#8203;3467](https://togithub.com/sigstore/cosign/issues/3467))
- Use local rekor and fulcio instances in e2e tests
([#&#8203;3478](https://togithub.com/sigstore/cosign/issues/3478))

#### Contributors

-   aalsabag
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Colleen Murphy
-   Hayden B
-   Mukuls77
-   Omri Bornstein
-   Puerco
-   vivek kumar sahu

###
[`v2.2.2`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v222)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.1...v2.2.2)

v2.2.2 adds a new container with a shell,
`gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing
container `gcr.io/projectsigstore/cosign:vx.y.z` without a shell.

For private deployments, we have also added an alias for
`--insecure-skip-log`, `--private-infrastructure`.

#### Bug Fixes

- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6
([#&#8203;3411](https://togithub.com/sigstore/cosign/issues/3411)) which
fixes a bug with using Azure KMS
- Don't require CT log keys if using a key/sk
([#&#8203;3415](https://togithub.com/sigstore/cosign/issues/3415))
- Fix copy without any flag set
([#&#8203;3409](https://togithub.com/sigstore/cosign/issues/3409))
- Update cosign generate cmd to not include newline
([#&#8203;3393](https://togithub.com/sigstore/cosign/issues/3393))
- Fix idempotency error with signing
([#&#8203;3371](https://togithub.com/sigstore/cosign/issues/3371))

#### Features

- Add `--yes` flag `cosign import-key-pair` to skip the overwrite
confirmation.
([#&#8203;3383](https://togithub.com/sigstore/cosign/issues/3383))
- Use the timeout flag value in verify\* commands.
([#&#8203;3391](https://togithub.com/sigstore/cosign/issues/3391))
- add --private-infrastructure flag
([#&#8203;3369](https://togithub.com/sigstore/cosign/issues/3369))

#### Container Updates

- Bump builder image to use go1.21.4 and add new cosign image tags with
shell ([#&#8203;3373](https://togithub.com/sigstore/cosign/issues/3373))

#### Documentation

- Update SBOM_SPEC.md
([#&#8203;3358](https://togithub.com/sigstore/cosign/issues/3358))

#### Contributors

-   Carlos Tadeu Panato Junior
-   Dylan Richardson
-   Hayden B
-   Lily Sturmann
-   Nikos Fotiou
-   Yonghe Zhao

###
[`v2.2.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v221)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.0...v2.2.1)

**Note: This release comes with a fix for CVE-2023-46737 described in
this [Github Security
Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Please upgrade to this release ASAP**

#### Enhancements

- feat: Support basic auth and bearer auth login to registry
([#&#8203;3310](https://togithub.com/sigstore/cosign/issues/3310))
- add support for ignoring certificates with pkcs11
([#&#8203;3334](https://togithub.com/sigstore/cosign/issues/3334))
- Support ReplaceOp in Signatures
([#&#8203;3315](https://togithub.com/sigstore/cosign/issues/3315))
- feat: added ability to get image digest back via triangulate
([#&#8203;3255](https://togithub.com/sigstore/cosign/issues/3255))
- feat: add `--only` flag in `cosign copy` to copy sign, att & sbom
([#&#8203;3247](https://togithub.com/sigstore/cosign/issues/3247))
- feat: add support attaching a Rekor bundle to a container
([#&#8203;3246](https://togithub.com/sigstore/cosign/issues/3246))
- feat: add support outputting rekor response on signing
([#&#8203;3248](https://togithub.com/sigstore/cosign/issues/3248))
- feat: improve dockerfile verify subcommand
([#&#8203;3264](https://togithub.com/sigstore/cosign/issues/3264))
- Add guard flag for experimental OCI 1.1 verify.
([#&#8203;3272](https://togithub.com/sigstore/cosign/issues/3272))
- Deprecate SBOM attachments
([#&#8203;3256](https://togithub.com/sigstore/cosign/issues/3256))
- feat: dedent line in cosign copy doc
([#&#8203;3244](https://togithub.com/sigstore/cosign/issues/3244))
- feat: add platform flag to cosign copy command
([#&#8203;3234](https://togithub.com/sigstore/cosign/issues/3234))
- Add SLSA 1.0 attestation support to cosign. Closes
[#&#8203;2860](https://togithub.com/sigstore/cosign/issues/2860)
([#&#8203;3219](https://togithub.com/sigstore/cosign/issues/3219))
- attest: pass OCI remote opts to att resolver.
([#&#8203;3225](https://togithub.com/sigstore/cosign/issues/3225))

#### Bug Fixes

-   Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent
([#&#8203;3245](https://togithub.com/sigstore/cosign/issues/3245))
- ci: add a OCI registry test for referrers support
([#&#8203;3253](https://togithub.com/sigstore/cosign/issues/3253))
- Fix ReplaceSignatures
([#&#8203;3292](https://togithub.com/sigstore/cosign/issues/3292))
- Stop using deprecated in_toto.ProvenanceStatement
([#&#8203;3243](https://togithub.com/sigstore/cosign/issues/3243))
- Fixes
[#&#8203;3236](https://togithub.com/sigstore/cosign/issues/3236),
disable SCT checking for a cosign verification when usin…
([#&#8203;3237](https://togithub.com/sigstore/cosign/issues/3237))
- fix: update error in `SignedEntity` to be more descriptive
([#&#8203;3233](https://togithub.com/sigstore/cosign/issues/3233))
- Fail timestamp verification if no root is provided
([#&#8203;3224](https://togithub.com/sigstore/cosign/issues/3224))

#### Documentation

- Add some docs about verifying in an air-gapped environment
([#&#8203;3321](https://togithub.com/sigstore/cosign/issues/3321))
- Update CONTRIBUTING.md
([#&#8203;3268](https://togithub.com/sigstore/cosign/issues/3268))
- docs: improves the Contribution guidelines
([#&#8203;3257](https://togithub.com/sigstore/cosign/issues/3257))
- Remove security policy
([#&#8203;3230](https://togithub.com/sigstore/cosign/issues/3230))

#### Others

- Set go to min 1.21 and update dependencies
([#&#8203;3327](https://togithub.com/sigstore/cosign/issues/3327))
- Update contact for code of conduct
([#&#8203;3266](https://togithub.com/sigstore/cosign/issues/3266))
- Update .ko.yaml
([#&#8203;3240](https://togithub.com/sigstore/cosign/issues/3240))

#### Contributors

-   AdamKorcz
-   Andres Galante
-   Appu
-   Billy Lynch
-   Bob Callaway
-   Caleb Woodbine
-   Carlos Tadeu Panato Junior
-   Dylan Richardson
-   Gareth Healy
-   Hayden B
-   John Kjell
-   Jon Johnson
-   jonvnadelberg
-   Luiz Carvalho
-   Priya Wadhwa
-   Ramkumar Chinchani
-   Tosone
-   Ville Aikas
-   Vishal Choudhary
-   ziel

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [x] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Mend Renovate <[email protected]>
  • Loading branch information
@renovate-bot
renovate-bot authored Apr 18, 2024
1 parent 8c9ed07 commit 79d225b
Show file tree
Hide file tree
Showing 2 changed files with 410 additions and 271 deletions.
96 changes: 48 additions & 48 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,91 +6,92 @@ toolchain go1.21.6

require (
github.com/docker/go v1.5.1-1
github.com/go-openapi/runtime v0.27.1
github.com/go-openapi/runtime v0.28.0
github.com/google/go-cmp v0.6.0
github.com/google/trillian v1.6.0 // indirect
github.com/in-toto/in-toto-golang v0.9.0
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/rekor v1.3.5
github.com/sigstore/sigstore v1.8.1
github.com/sigstore/rekor v1.3.6
github.com/sigstore/sigstore v1.8.3
)

require (
github.com/google/go-containerregistry v0.18.0
github.com/google/go-containerregistry v0.19.1
github.com/gorilla/mux v1.8.1
github.com/sigstore/cosign/v2 v2.2.0
github.com/sigstore/cosign/v2 v2.2.4
github.com/sigstore/sigstore-go v0.2.0
github.com/slsa-framework/slsa-github-generator v1.9.0
github.com/spf13/cobra v1.8.0
golang.org/x/mod v0.15.0
golang.org/x/mod v0.16.0
sigs.k8s.io/release-utils v0.7.7
)

require (
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
github.com/go-openapi/strfmt v0.22.0 // indirect
github.com/go-openapi/swag v0.22.9 // indirect
github.com/google/uuid v1.5.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/sagikazarmark/locafero v0.4.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/sigstore/timestamp-authority v1.2.1 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
go.opentelemetry.io/otel/metric v1.22.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240122161410-6c6643bf1457 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
go.opentelemetry.io/otel/metric v1.24.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
)

require (
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
github.com/docker/cli v24.0.0+incompatible // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
github.com/docker/cli v24.0.7+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v24.0.7+incompatible // indirect
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/docker/docker v24.0.9+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.0 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.22.0 // indirect
github.com/go-openapi/errors v0.21.0 // indirect
github.com/go-openapi/jsonpointer v0.20.2 // indirect
github.com/go-openapi/jsonreference v0.20.4 // indirect
github.com/go-openapi/loads v0.21.5 // indirect
github.com/go-openapi/spec v0.20.14 // indirect
github.com/go-openapi/validate v0.22.6 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/go-openapi/analysis v0.23.0 // indirect
github.com/go-openapi/errors v0.22.0 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/loads v0.22.0 // indirect
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/certificate-transparency-go v1.1.7 // indirect
github.com/google/certificate-transparency-go v1.1.8 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/klauspost/compress v1.17.0 // indirect
github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
github.com/klauspost/compress v1.17.4 // indirect
github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.1.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/fulcio v1.4.3
github.com/sigstore/protobuf-specs v0.2.1
github.com/sigstore/fulcio v1.4.5
github.com/sigstore/protobuf-specs v0.3.0
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/spf13/cast v1.6.0 // indirect
Expand All @@ -100,24 +101,23 @@ require (
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/vbatts/tar-split v0.11.3 // indirect
go.mongodb.org/mongo-driver v1.13.1 // indirect
go.opentelemetry.io/otel v1.22.0 // indirect
go.opentelemetry.io/otel/trace v1.22.0 // indirect
github.com/vbatts/tar-split v0.11.5 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opentelemetry.io/otel v1.24.0 // indirect
go.opentelemetry.io/otel/trace v1.24.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/crypto v0.19.0 // indirect
golang.org/x/exp v0.0.0-20231006140011-7918f672742d
golang.org/x/net v0.20.0 // indirect
golang.org/x/sync v0.6.0 // indirect
golang.org/x/sys v0.17.0 // indirect
golang.org/x/term v0.17.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.22.0 // indirect
golang.org/x/exp v0.0.0-20231108232855-2478ac86f678
golang.org/x/net v0.22.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/sys v0.19.0 // indirect
golang.org/x/term v0.19.0 // indirect
golang.org/x/text v0.14.0 // indirect
google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac // indirect
google.golang.org/grpc v1.61.0 // indirect
google.golang.org/grpc v1.62.1 // indirect
google.golang.org/protobuf v1.33.0
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.120.0 // indirect
k8s.io/klog/v2 v2.120.1 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)
Loading

0 comments on commit 79d225b

Please sign in to comment.