Chore/upstream go witness #4

Merged
merged 109 commits into from
Jun 15, 2024
109 commits
7abed11
Initial commit
kriscoleman May 10, 2023
f83ccc4
chore: Configure SAST in `.gitlab-ci.yml`, creating this file if it d…
kriscoleman May 10, 2023
7b10c3e
chore: initial commit of judge monorepo core projects
kriscoleman May 14, 2023
4f8c5a6
chore: Set up our new home for product and development planning (#7)
kriscoleman Jun 5, 2023
c7e38ea
fix(web): friendly errors
kriscoleman Jun 6, 2023
bd86a99
chore: Added issue templates for additional issue types
kriscoleman Jun 6, 2023
1cc422a
chore: Added issue templates for epic and feature
kriscoleman Jun 6, 2023
09edca9
chore: update Judge monorepo with latest judge-api change delta
kriscoleman Jun 6, 2023
a6f45fb
story: As a user I want a simple and intuitive sign-in flow
kriscoleman Jun 7, 2023
c444d6a
docs(web): added todo to move sorting logic that shouldn't be in fron…
kriscoleman Jun 7, 2023
d337140
fix(web): the dashboard attestation results should belong to the repo…
kriscoleman Jun 7, 2023
b7a4cc9
chore(web): remove of .old web ui
kriscoleman Jun 8, 2023
f58afdb
fix(web): tests all pass
kriscoleman Jun 13, 2023
38ca60b
chore: implemented prepush-if-changed so that we can only run tests f…
kriscoleman Jun 8, 2023
4127a04
chore: implemented prepush test githooks for all go subprojects
kriscoleman Jun 8, 2023
a8de2ad
docs: wrote docs for our githooks
kriscoleman Jun 8, 2023
e74a8ed
chore: sorted our root package.json scripts
kriscoleman Jun 8, 2023
f498109
feat: add proxies to production services for netlify deployments (#34)
mikhailswift Jun 8, 2023
d80ecc6
fix: adds missing wildcards to netlify redirects
mikhailswift Jun 8, 2023
56f9302
fix: tell kratos to return us to our current judge web instance
mikhailswift Jun 8, 2023
35993d3
chore: implemented conventional-commits with commitlint
kriscoleman Jun 8, 2023
120aa80
docs: updated githooks documentation for conventional commits
kriscoleman Jun 8, 2023
091622f
chore: implemented git-conventional-commits
kriscoleman Jun 8, 2023
5affbeb
fix: githooks should be frictionless
kriscoleman Jun 13, 2023
5c2f308
chore: updated subtree scripts
kriscoleman Jun 14, 2023
8b48fbe
Squashed 'subtrees/witness/' content from commit cc2478e
kriscoleman Jun 14, 2023
0582367
Merge commit '8b48fbe7d9b2266778a37ccc68929a5266898b38' as 'subtrees/…
kriscoleman Jun 14, 2023
c253411
Squashed 'subtrees/archivista/' content from commit 21ab99d
kriscoleman Jun 14, 2023
abfc7e2
Merge commit 'c253411786d22d45d6ff862aa4de1092028da9f4' as 'subtrees/…
kriscoleman Jun 14, 2023
3fc45ba
Squashed 'subtrees/go-witness/' content from commit 31e6790
kriscoleman Jun 14, 2023
9dc2edd
Merge commit '3fc45badc0336983a1be1ee8777ef7e1963e46a6' as 'subtrees/…
kriscoleman Jun 14, 2023
4e35b9a
chore: move subtrees to subtrees/ subfolder
kriscoleman Jun 14, 2023
9b334c9
chore: upgrade kratos to v13.0 (#55)
dlake89 Jun 15, 2023
9bb7934
fix: tests fail if you run npm build instead of npm start before testing
kriscoleman Jun 15, 2023
4c663a2
chore(web): implement node workflow to github workflows
kriscoleman Jun 20, 2023
a8b870b
feat: implemented metadata webhook in kratos for updating tenant meta…
kriscoleman Jun 23, 2023
183f55a
feat: upgrade kratos ui
dlake89 Jun 28, 2023
6bdf703
Squashed 'subtrees/witness-run-action/' content from commit bdd8272
kriscoleman Jun 29, 2023
19cde03
Merge commit '6bdf703fbd00f11964a3386675f6f3f02597d8fb' as 'subtrees/…
kriscoleman Jun 29, 2023
58eb00b
chore: updated conventional-commit to support subtree type
kriscoleman Jun 22, 2023
068179d
subtree(witness-run-action): onboarded the witness-run-action to the …
kriscoleman Jun 22, 2023
e0de585
chore: updated download-compress-witness.sh to support macos
kriscoleman Jun 27, 2023
344911b
chore: updated how we push subtrees to a smarter approach
kriscoleman Jun 28, 2023
5030338
subtree(witness-run-action): Merge pull request #71 from testifysec/s…
kriscoleman Jul 11, 2023
6e88165
chore(web): update the yo generators to work with monorepo OOTB
kriscoleman Jun 28, 2023
6210845
feat(web): implemented RepoCard
kriscoleman Jun 28, 2023
ab1ff8a
feat(web): implemented CommitLink component
kriscoleman Jun 28, 2023
8ed3f40
story: as a user, anytime I click on a git sha, I want to copy it the…
kriscoleman Jun 28, 2023
7765fae
ops(go): implement go ci workflow to github workflows
kriscoleman Jul 11, 2023
e1cdf01
chore: dogfood the witness-run-action on the monorepo
kriscoleman Jul 11, 2023
7c6c3c7
subtree(witness-run-action): updated docs to help users with generati…
kriscoleman Jul 11, 2023
84f5307
subtree(witness): updated `run` docs to help users with generating at…
kriscoleman Jul 11, 2023
1f0a614
subtree(witness): updated `run` docs to help users with generating at…
kriscoleman Jul 11, 2023
be5048f
ops: renamed web.yaml to node.yml
kriscoleman Jul 12, 2023
fc65b8e
chore(judge-api): use logrus directly
mikhailswift Jul 13, 2023
c40e7a1
chore(archivista): use logrus directly
mikhailswift Jul 13, 2023
c3fcecb
fix(archivista): update archivista's usage of updated go-witness func…
mikhailswift Jul 13, 2023
7fc6068
feat(monorepo): add go workspace file to monorepo
mikhailswift Jul 13, 2023
4faca88
chore(judge-api): rename go module
mikhailswift Jul 13, 2023
a3744a9
fix(monorepo): update witness-run-action version used
mikhailswift Jul 13, 2023
20edd15
chore(deps): bump yaml in /subtrees/witness-run-action
dependabot[bot] Jul 15, 2023
ee045b4
chore(judge-api): support multiple database providers
kriscoleman Jul 19, 2023
11023e2
fix(witness): witness should not error on an empty git repo with no c…
kriscoleman Jul 21, 2023
47bad29
chore: make skaffold config modular
Jul 15, 2023
5e6d721
chore: add skaffold README
Jul 22, 2023
627a7a2
chore(policy): implemented struct representing a decision on a policy
kriscoleman Jul 21, 2023
f178afe
feat(policy): judge-api has a endpoint for submitting witness verify …
kriscoleman Jul 21, 2023
dd5f718
refactor(witness): use generic registry for attestor options
mikhailswift Jul 16, 2023
100b20c
refactor(go-witness): use generic registry for attestor options
mikhailswift Jul 16, 2023
a320cba
feat(go-witness): add signer provider registry
mikhailswift Jul 17, 2023
0ba79b3
refactor: add SetOptions helper to registry, fix return values in som…
mikhailswift Jul 23, 2023
5916dcc
feat(witness): use signer registry to setup signers for CLI flags
mikhailswift Jul 23, 2023
c384030
docs(witness): regenerate docs for new cli flags
mikhailswift Jul 24, 2023
d496425
fix: use go mod download in install scripts for go modules
mikhailswift Jul 24, 2023
13cfb19
feat(go-witness): add time.Duration option for registries
mikhailswift Jul 25, 2023
45ca04d
feat(go-witness): add vault pki signer provider
mikhailswift Jul 25, 2023
aa6ee8a
refactor(witness): create helper function to add options from registries
mikhailswift Jul 24, 2023
c4b55f6
docs(witness): regenerate docs for new cli flags
mikhailswift Jul 25, 2023
fdb3800
fix(witness): re-enable verify tests
mikhailswift Jul 25, 2023
2cb7902
fix: fix remotes:add:all script
mikhailswift Jul 25, 2023
5b44ffe
Squashed 'subtrees/witness/' changes from cc2478e..8a53d68
mikhailswift Jul 25, 2023
4bd19be
feat(policy, witness): added decisionLogUrl argument to verify
kriscoleman Aug 4, 2023
400ea6c
feat(policy, go-witness): implemented decisionLogUrl and also impleme…
kriscoleman Aug 3, 2023
a792042
subtree(go-witness): downstream v0.1.17 cd0c222058a8830a8e190b840e466…
kriscoleman Aug 23, 2023
99d7fdb
subtree(witness): downstream v0.1.14 be20100af602c780deeef50c54f53386…
kriscoleman Aug 23, 2023
277ec7a
Squashed 'subtrees/witness/' changes from 8a53d68..be20100
kriscoleman Aug 23, 2023
79a3d6b
Revert "feat(policy, go-witness): implemented decisionLogUrl and also…
kriscoleman Aug 3, 2023
f5c8bd9
Revert "feat(policy): judge-api has a endpoint for submitting witness…
kriscoleman Oct 17, 2023
d7c7372
Revert "chore(policy): implemented struct representing a decision on …
kriscoleman Jul 21, 2023
908791b
subtree(go-witness): downstream v0.2.0 a0b8cc8
nkane Jan 18, 2024
250f7c5
Squashed 'subtrees/witness/' changes from be20100..06031da
nkane Jan 19, 2024
edec478
subtree(witness): downstream v0.2.0 250f7c5
nkane Jan 19, 2024
777d8bb
Merge branch 'main' into chore/subtree-witness-update
kriscoleman Jan 19, 2024
ceb1961
subtree(go-witness): downstream v[0.3.1] [8fbc70b1d7db128d88f2aba60e1…
kriscoleman Apr 1, 2024
3162777
Squashed 'subtrees/witness/' changes from 06031da4..74f6c3dc
kriscoleman Apr 1, 2024
1547bd9
subtree(witness): downstream v[0.3.1] [74f6c3dcb07ad6b6c2e67eede125bc…
kriscoleman Apr 1, 2024
8917fb5
chore(go-witness): update go-witness to use new store with http clien…
kriscoleman Apr 1, 2024
766aa6d
chore: onboarding aws and localstack
kriscoleman Apr 10, 2024
88d7370
chore(deps): bump the go_modules group across 3 directories with 3 up…
dependabot[bot] Apr 29, 2024
113c869
subtree(go-witness): add git refs to go witness git attestor
nkane May 20, 2024
873147c
chore(deps): bump the go_modules group across 3 directories with 2 up…
dependabot[bot] May 31, 2024
f014fc2
subtree(go-witness): downstream v0.4.0 94c5d38633598ff387fcec2f1456e5…
kriscoleman Jun 4, 2024
d807867
Squashed 'subtrees/witness/' changes from 74f6c3dcb..47b6e1cc1
kriscoleman Jun 4, 2024
2464c2b
subtree(witness): downstream v0.4.0 47b6e1cc1cdb55b2eb4c5610111514a73…
kriscoleman Jun 4, 2024
ee8d2c7
feat: implemented dapr workflow engine and vulnerability scanning in …
kriscoleman Jun 7, 2024
1c5506c
Squashed 'subtrees/witness/' changes from 47b6e1cc..f07725e5
jkjell Jun 14, 2024
32b180e
chore(subtrees): witness downstream v0.5.2 f07725e52356cdfe9bf113b205…
jkjell Jun 14, 2024
38dc13c
chore(subtrees): go-witness downstream v0.5.2 4f3e5c430633b20884b77c4…
jkjell Jun 14, 2024
644571c
feat(go-witness): add vex attestor
kriscoleman Jun 4, 2024
2 changes: 1 addition & 1 deletion archivista/store.go
Expand Up @@ -22,7 +22,7 @@
)

func (c *Client) Store(ctx context.Context, env dsse.Envelope) (string, error) {
resp, err := archivistaapi.Upload(ctx, c.url, env)
resp, err := archivistaapi.Store(ctx, c.url, env)

Check failure on line 25 in archivista/store.go

GitHub Actions / lint

SA1019: archivistaapi.Store is deprecated: Use Upload instead. It will be removed in version >= v0.6.0 (staticcheck)
if err != nil {
return "", err
}
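Review bot: The call in Client.Store now goes to archivistaapi.Store, which the lint annotation on line 25 reports as deprecated (SA1019: "Use Upload instead", with removal announced for version >= v0.6.0). The line it replaces already called archivistaapi.Upload, so this swap moves the client onto the API that is going away and fails the lint job. Keep `resp, err := archivistaapi.Upload(ctx, c.url, env)` unless there is a compatibility reason for Store, and if there is one, state it in a comment next to the call.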
Expand Down
33 changes: 31 additions & 2 deletions attestation/link/link_test.go
Expand Up @@ -129,7 +129,10 @@ func TestAttest(t *testing.T) {

testJson := []byte(testLinkJSON)
if !bytes.Equal(linkJson, testJson) {
t.Errorf("expected \n%s\n, got \n%s\n", testJson, linkJson)
testJson := []byte(testLinkJSONAlternative)
if !bytes.Equal(linkJson, testJson) {
t.Errorf("expected \n%s\n, got \n%s\n", testJson, linkJson)
}
}
}

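Review bot: In TestAttest the inner `testJson := []byte(testLinkJSONAlternative)` shadows the outer testJson, so when both comparisons fail the error prints only the alternative expectation and the primary one never appears in the output. Accepting either of two byte-exact serializations also leaves the attestor's output form unpinned. Prefer unmarshalling both sides and comparing the decoded values, or give the two expectations distinct names and include both in the failure message.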
Expand Down Expand Up @@ -178,6 +181,7 @@ func setupLink(t *testing.T) *Link {

return link
}

func TestRegistration(t *testing.T) {
registrations := attestation.RegistrationEntries()

Expand All @@ -191,7 +195,6 @@ func TestRegistration(t *testing.T) {
if !found {
t.Errorf("expected %s to be registered", Name)
}

}

const testLinkJSON = `{
Expand Down Expand Up @@ -219,3 +222,29 @@ const testLinkJSON = `{
"COLORTERM": "truecolor"
}
}`

const testLinkJSONAlternative = `{
"name": "test",
"command": [
"touch",
"test.txt"
],
"materials": [
{
"name": "test1",
"digest": {
"sha256": "a53d0741798b287c6dd7afa64aee473f305e65d3f49463bb9d7408ec3b12bf5f"
}
},
{
"name": "test2",
"digest": {
"sha256": "a53d0741798b287c6dd7afa64aee473f305e65d3f49463bb9d7408ec3b12bf5f"
}
}
],
"environment": {
"COLORFGBG": "7;0",
"COLORTERM": "truecolor"
}
}`
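Review bot: testLinkJSONAlternative is added with no comment saying how it differs from testLinkJSON or when the attestor produces this form, and both materials (test1 and test2) carry the same sha256 digest, so the fixture cannot tell the two entries apart by content. Add a comment above the constant stating which difference it covers, and consider distinct digests for the two materials so a swapped or duplicated entry fails the comparison.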
5 changes: 5 additions & 0 deletions attestation/product/product.go
Expand Up @@ -241,6 +241,11 @@ func getFileContentType(fileName string) (string, error) {
return bytes.HasPrefix(buf, []byte(`<?xml version="1.0" encoding="UTF-8"?><bom xmlns="http://cyclonedx.org/schema/bom/`))
}, "application/vnd.cyclonedx+xml", ".cdx.xml")

// Add Vex JSON detector
mimetype.Lookup("application/json").Extend(func(buf []byte, limit uint32) bool {
return bytes.HasPrefix(buf, []byte(`{"@context":"https://openvex.dev/ns`))
}, "application/vex+json", ".vex.json")

contentType, err := mimetype.DetectFile(fileName)
if err != nil {
return "", err
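Review bot: The VEX detector added to getFileContentType matches the exact byte prefix `{"@context":"https://openvex.dev/ns`, so it only fires when @context is the first key and there is no whitespace after the opening brace or around the colon. A pretty-printed OpenVEX file, or one starting with a newline, falls through to plain application/json. JSON key order and whitespace are not significant, so decode the top-level object and compare its @context value against the https://openvex.dev/ns prefix, or at least tolerate whitespace, and add a test with an indented document.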
Expand Down
14 changes: 7 additions & 7 deletions attestation/slsa/slsa_test.go
Expand Up @@ -128,7 +128,7 @@ func TestAttest(t *testing.T) {
// Setup OCI
o := attestors.NewTestOCIAttestor()

var tests = []struct {
tests := []struct {
name string
attestors []attestation.Attestor
expectedJson string
Expand All @@ -140,9 +140,9 @@ func TestAttest(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
t.Logf("Running test %s", test.name)
s := New()
slsaAttestor := New()

ctx, err := attestation.NewContext("test", append(test.attestors, s))
ctx, err := attestation.NewContext("test", append(test.attestors, slsaAttestor))
if err != nil {
t.Errorf("error creating attestation context: %s", err)
}
Expand All @@ -154,17 +154,17 @@ func TestAttest(t *testing.T) {

// TODO: We don't have a way to mock out times on attestor runs
// Set attestor times manually to match testProvenanceJSON
s.PbProvenance.RunDetails.Metadata.StartedOn = &timestamppb.Timestamp{
slsaAttestor.PbProvenance.RunDetails.Metadata.StartedOn = &timestamppb.Timestamp{
Seconds: 1711199861,
Nanos: 560152000,
}
s.PbProvenance.RunDetails.Metadata.FinishedOn = &timestamppb.Timestamp{
slsaAttestor.PbProvenance.RunDetails.Metadata.FinishedOn = &timestamppb.Timestamp{
Seconds: 1711199861,
Nanos: 560152000,
}

var prov []byte
if prov, err = json.MarshalIndent(s, "", " "); err != nil {
if prov, err = json.MarshalIndent(slsaAttestor, "", " "); err != nil {
t.Errorf("unexpected error: %s", err)
}

Expand Down Expand Up @@ -221,6 +221,7 @@ func setupProvenance(t *testing.T) *Provenance {

return provenance
}

func TestRegistration(t *testing.T) {
registrations := attestation.RegistrationEntries()

Expand All @@ -234,7 +235,6 @@ func TestRegistration(t *testing.T) {
if !found {
t.Errorf("expected %s to be registered", Name)
}

}

const testGHProvJSON = `{
Expand Down
122 changes: 122 additions & 0 deletions attestation/vex/vex.go
@@ -0,0 +1,122 @@
// Copyright 2024 The Witness Contributors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package vex

import (
"encoding/json"
"fmt"
"io"
"os"

"github.com/in-toto/go-witness/attestation"
"github.com/in-toto/go-witness/cryptoutil"
"github.com/in-toto/go-witness/log"
"github.com/invopop/jsonschema"
vex "github.com/openvex/go-vex/pkg/vex"
)

const (
Name = "vex"
Type = "https://openvex.dev/ns"
RunType = attestation.PostProductRunType
)

// This is a hacky way to create a compile time error in case the attestor
// doesn't implement the expected interfaces.
var (
_ attestation.Attestor = &Attestor{}
)

func init() {
attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
return New()
})
}

type Attestor struct {
VEXDocument vex.VEX `json:"vexDocument"`
ReportFile string `json:"reportFileName,omitempty"`
ReportDigestSet cryptoutil.DigestSet `json:"reportDigestSet,omitempty"`
}

func New() *Attestor {
return &Attestor{}
}

func (a *Attestor) Name() string {
return Name
}

func (a *Attestor) Type() string {
return Type
}

func (a *Attestor) RunType() attestation.RunType {
return RunType
}

func (a *Attestor) Schema() *jsonschema.Schema {
return jsonschema.Reflect(&a)
}

func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
if err := a.getCandidate(ctx); err != nil {
log.Debugf("(attestation/vex) error getting candidate: %w", err)
return err
}

return nil
}

func (a *Attestor) getCandidate(ctx *attestation.AttestationContext) error {
products := ctx.Products()

if len(products) == 0 {
return fmt.Errorf("no products to attest")
}

for path, product := range products {
newDigestSet, err := cryptoutil.CalculateDigestSetFromFile(path, ctx.Hashes())
if newDigestSet == nil || err != nil {
return fmt.Errorf("error calculating digest set from file: %s", path)
}

if !newDigestSet.Equal(product.Digest) {
return fmt.Errorf("integrity error: product digest set does not match candidate digest set")
}

f, err := os.Open(path)
if err != nil {
return fmt.Errorf("error opening file: %s", path)
}

reportBytes, err := io.ReadAll(f)
if err != nil {
return fmt.Errorf("error reading file: %s", path)
}

// Check to see if we can unmarshal into VEX type
if err := json.Unmarshal(reportBytes, &a.VEXDocument); err != nil {
log.Debugf("(attestation/vex) error unmarshaling VEX document: %w", err)
continue
}

a.ReportFile = path
a.ReportDigestSet = product.Digest

return nil
}
return fmt.Errorf("no VEX file found")
}
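Review bot: In getCandidate the only test for "is this a VEX document" is that `json.Unmarshal(reportBytes, &a.VEXDocument)` returns nil, which any JSON object satisfies, so the first product that happens to be JSON is recorded as the VEX report even when it has no OpenVEX @context; and because products is ranged over as a map, which product wins can differ between runs. Check the decoded document's Context against the https://openvex.dev/ns prefix before setting ReportFile, and decode into a local variable so a rejected candidate leaves nothing behind in a.VEXDocument. Smaller points in the same file: the handle from `os.Open(path)` is never closed; the returned errors drop the underlying err; `%w` in the two log.Debugf calls is only defined for fmt.Errorf and should be `%v`; and Schema calls `jsonschema.Reflect(&a)` where a is already *Attestor, which passes a pointer to a pointer.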
98 changes: 98 additions & 0 deletions attestation/vex/vex_test.go
@@ -0,0 +1,98 @@
// Copyright 2024 The Witness Contributors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package vex

import (
"bytes"
"encoding/json"
"testing"
"time"

"github.com/in-toto/go-witness/attestation"
vex "github.com/openvex/go-vex/pkg/vex"
)

// NOTE(nick): examples https://github.com/openvex/vexctl/tree/main/examples/openvex

const vexDocumentExpected = `{
"vexDocument": {
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-0f3be8817faafa24e4bfb3d17eaf619efb1fe54923b9c42c57b156a936b91431",
"author": "John Doe",
"role": "Senior Trusted Vex Issuer",
"timestamp": "1970-01-01T00:00:00Z",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-1234-5678"
},
"products": [
{
"@id": "pkg:apk/wolfi/bash@1.0.0"
}
],
"status": "fixed"
}
]
}
}`

func TestAttest(t *testing.T) {
vexAttestor := New()
vexAttestor.VEXDocument.Context = "https://openvex.dev/ns/v0.2.0"
vexAttestor.VEXDocument.ID = "https://openvex.dev/docs/public/vex-0f3be8817faafa24e4bfb3d17eaf619efb1fe54923b9c42c57b156a936b91431"
vexAttestor.VEXDocument.Author = "John Doe"
vexAttestor.VEXDocument.AuthorRole = "Senior Trusted Vex Issuer"
vexAttestor.VEXDocument.Version = 1
time := time.Date(1970, 1, 1, 0, 0, 0, 0, time.Now().UTC().Location())
vexAttestor.VEXDocument.Timestamp = &time
vexAttestor.VEXDocument.Statements = []vex.Statement{
{
Vulnerability: vex.Vulnerability{
Name: "CVE-1234-5678",
},
Products: []vex.Product{
{
Component: vex.Component{
ID: "pkg:apk/wolfi/bash@1.0.0",
},
},
},
Status: vex.StatusFixed,
},
}

attestorCollection := []attestation.Attestor{vexAttestor}
ctx, err := attestation.NewContext("test", append(attestorCollection, vexAttestor))
if err != nil {
t.Errorf("error creating attestation context: %s", err)
}
err = ctx.RunAttestors()
if err != nil {
t.Errorf("error attesting: %s", err.Error())
}

vexDocJSON, err := json.MarshalIndent(vexAttestor, "", " ")
if err != nil {
t.Errorf("unexpected error: %s", err)
}

expectedJSON := []byte(vexDocumentExpected)

if !bytes.Equal(vexDocJSON, expectedJSON) {
t.Errorf("expected \n%s\n, got \n%s\n", expectedJSON, vexDocJSON)
}
}
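Review bot: TestAttest fills vexAttestor.VEXDocument by hand and then compares the marshalled struct with vexDocumentExpected, so it checks JSON field names but never exercises the path where Attest reads a VEX file from the context's products; no product is created anywhere in the test. Write a VEX file into a temp dir, register it as a product, run a fresh New() attestor, and assert on VEXDocument, ReportFile and ReportDigestSet, plus a negative case with a JSON product that is not VEX. Also: vexAttestor is passed to NewContext twice (it is already in attestorCollection before the append), `time := time.Date(...)` shadows the time package, and `time.Now().UTC().Location()` can be written as `time.UTC`.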
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -87,6 +87,7 @@ require (
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/omnibor/omnibor-go v0.0.0-20230521145532-a77de61a16cd // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/package-url/packageurl-go v0.1.1 // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_golang v1.19.0 // indirect
Expand Down Expand Up @@ -137,6 +138,7 @@ require (
github.com/golang/protobuf v1.5.4 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/openvex/go-vex v0.2.5
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/sergi/go-diff v1.3.1 // indirect
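Review bot: `github.com/openvex/go-vex v0.2.5` is added without an `// indirect` marker in a require block whose visible neighbours are all indirect, while attestation/vex/vex.go imports the package directly. Move it to the block of direct requirements so go.mod keeps direct and indirect dependencies separated and the new direct dependency is easy to spot in review.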
Expand All @@ -161,5 +163,3 @@ require (
replace github.com/sigstore/rekor => github.com/testifysec/rekor v0.4.0-dsse-intermediates-2

replace github.com/gin-gonic/gin v1.5.0 => github.com/gin-gonic/gin v1.7.7

replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
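Review bot: The `replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1` directive is dropped at the end of go.mod with nothing in the visible changes that explains it, and removing a replace changes which image-spec version the build resolves. State in the PR description why the pin is no longer needed, and confirm that the go.sum entries for image-spec match the version now selected.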
4 changes: 4 additions & 0 deletions go.sum
Expand Up @@ -261,8 +261,12 @@ github.com/open-policy-agent/opa v0.64.0 h1:2g0JTt78zxhFaoBmZViY4UXvtOlzBjhhrnyr
github.com/open-policy-agent/opa v0.64.0/go.mod h1:j4VeLorVpKipnkQ2TDjWshEuV3cvP/rHzQhYaraUXZY=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/openvex/go-vex v0.2.5 h1:41utdp2rHgAGCsG+UbjmfMG5CWQxs15nGqir1eRgSrQ=
github.com/openvex/go-vex v0.2.5/go.mod h1:j+oadBxSUELkrKh4NfNb+BPo77U3q7gdKME88IO/0Wo=
github.com/owenrumney/go-sarif v1.1.1 h1:QNObu6YX1igyFKhdzd7vgzmw7XsWN3/6NMGuDzBgXmE=
github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
Expand Down