
Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. #847

Merged
merged 2 commits into from
May 31, 2022

Conversation

dhaus67

@dhaus67 dhaus67 commented May 31, 2022

Summary

go-tuf has a vulnerability assigned: GHSA-66x3-6cw3-v5gj.

This has already been fixed within cosign as well as sigstore/sigstore.

Updated the go-tuf version as well as the sigstore version to point to the latest version that does not contain the vulnerable go-tuf one.

dhaus67 added 2 commits May 31, 2022 09:19
Signed-off-by: Daniel Haus <dhaus@redhat.com>
Signed-off-by: Daniel Haus <dhaus@redhat.com>
@dhaus67
Author

dhaus67 commented May 31, 2022

I've fixed the build issue, as the latest commit of sigstore/sigstore seems to introduce a breaking dependency.

@codecov-commenter

Codecov Report

Merging #847 (43bdce3) into main (cc33a43) will increase coverage by 0.09%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #847      +/-   ##
==========================================
+ Coverage   46.32%   46.42%   +0.09%     
==========================================
  Files          60       60              
  Lines        5116     5116              
==========================================
+ Hits         2370     2375       +5     
+ Misses       2471     2467       -4     
+ Partials      275      274       -1     
Impacted Files Coverage Δ
pkg/types/rekord/v0.0.1/entry.go 48.18% <0.00%> (+0.66%) ⬆️
pkg/types/alpine/v0.0.1/entry.go 55.78% <0.00%> (+1.23%) ⬆️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data


@bobcallaway bobcallaway left a comment

lgtm

@dlorenc dlorenc merged commit 0c1de2a into sigstore:main May 31, 2022
@github-actions github-actions bot added this to the v1.0.0 milestone May 31, 2022