Bump github.com/sigstore/cosign from 1.10.0 to 1.10.1
Bumps github.com/sigstore/cosign from 1.10.0 to 1.10.1.
Release notes
Sourced from github.com/sigstore/cosign's releases.
v1.10.1
This release fixes a security issue: cosign verify-attestation --type can report a false positive if any attestation exists. See https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296
What's Changed
- Bump github.com/google/go-containerregistry from 0.10.0 to 0.11.0 by @dependabot in sigstore/cosign#2088
- Remove knative/pkg deps by @imjasonh in sigstore/cosign#2092
- add flag to allow skipping upload to transparency log by @k4leung4 in sigstore/cosign#2089
- Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 by @dependabot in sigstore/cosign#2100
- Improve error message when no sigs/atts are found for an image by @imjasonh in sigstore/cosign#2101
- Change Result in Vulnerability Attestation to interface{} by @knqyf263 in sigstore/cosign#2096
- Fix field names in the vulnerability attestation by @otms61 in sigstore/cosign#2099
- Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 by @dependabot in sigstore/cosign#2103
- remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in sigstore/cosign#2105
- Bump imjasonh/setup-ko from 0.4 to 0.5 by @dependabot in sigstore/cosign#2107
- Bump google.golang.org/api from 0.88.0 to 0.89.0 by @dependabot in sigstore/cosign#2106
- ✨ Enable Scorecard badge by @azeemshaikh38 in sigstore/cosign#2109
- Resolves #522 set Created date to time of execution by @Lerentis in sigstore/cosign#2108
- Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in sigstore/cosign#2110
- Introduce a custom error type to classify errors. by @mattmoor in sigstore/cosign#2114
- Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in sigstore/cosign#2112
- Bump google.golang.org/api from 0.89.0 to 0.90.0 by @dependabot in sigstore/cosign#2111
- feat: attach: attestation: allow passing multiple payloads by @Dentrax in sigstore/cosign#2085
- Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 by @dependabot in sigstore/cosign#2115
- Bump mikefarah/yq from 4.26.1 to 4.27.2 by @dependabot in sigstore/cosign#2116
- update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in sigstore/cosign#2119
- Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 by @dependabot in sigstore/cosign#2120
- chore: fix documentation and warning on using untrusted rekor key by @asraa in sigstore/cosign#2124
- Bump google.golang.org/api from 0.90.0 to 0.91.0 by @dependabot in sigstore/cosign#2125
- Correct the type used for attest by @mattmoor in sigstore/cosign#2128
New Contributors
- @otms61 made their first contribution in sigstore/cosign#2099
- @azeemshaikh38 made their first contribution in sigstore/cosign#2109
- @Lerentis made their first contribution in sigstore/cosign#2108
Full Changelog: https://github.com/sigstore/cosign/compare/v1.10.0...v1.10.1
Thanks to all contributors!
Changelog
Sourced from github.com/sigstore/cosign's changelog.
v1.10.1
Note: This release comes with a fix for CVE-2022-35929 described in this Github Security Advisory. Please upgrade to this release ASAP
Enhancements
- update cross-builder to go1.18.5 and cosign image to 1.10.0 (#2119)
- feat: attach: attestation: allow passing multiple payloads (#2085)
- Resolves #522 set Created date to time of execution (#2108)
- Fix field names in the vulnerability attestation (#2099)
- Change Result in Vulnerability Attestation to interface{} (#2096)
- Improve error message when no sigs/atts are found for an image (#2101)
- add flag to allow skipping upload to transparency log (#2089)
Documentation
- chore: fix documentation and warning on using untrusted rekor key (#2124)
- Enable Scorecard badge (#2109)
Bug Fixes
- Merge pull request from GHSA-vjxv-45g9-9296
- Correct the type used for attest (#2128)
Others
- Bump mikefarah/yq from 4.26.1 to 4.27.2 (#2116)
- Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (#2115)
- Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 (#2120)
- Bump google.golang.org/api from 0.90.0 to 0.91.0 (#2125)
- Bump google.golang.org/api from 0.89.0 to 0.90.0 (#2111)
- Bump github/codeql-action from 2.1.16 to 2.1.17 (#2112)
- Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2110)
- Bump google.golang.org/api from 0.88.0 to 0.89.0 (#2106)
- Bump imjasonh/setup-ko from 0.4 to 0.5 (#2107)
- Introduce a custom error type to classify errors. (#2114)
- Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 (#2103)
- remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint (#2105)
- Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2100)
- Remove knative/pkg deps (#2092)
Contributors
- Azeem Shaikh
- Carlos Tadeu Panato Junior
- Furkan Türkal
- Jason Hall
- Kenny Leung
- Matt Moore
- Teppei Fukuda
- Tobias Trabelsi
- asraa
- saso
Commits
- a39ce91 Correct the type used for attest (#2128)
- c5fda01 Merge pull request from GHSA-vjxv-45g9-9296
- 641f02b Bump google.golang.org/api from 0.90.0 to 0.91.0 (#2125)
- 0f017f8 chore: fix documentation and warning on using untrusted rekor key (#2124)
- 5aa17b9 Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 (#2120)
- 998323f update cross-builder to go1.18.5 and cosign image to 1.10.0 (#2119)
- d58d23a Bump mikefarah/yq from 4.26.1 to 4.27.2 (#2116)
- ecd794b Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (#2115)
- 938ad43 feat: attach: attestation: allow passing multiple payloads (#2085)
- 7b1c0c0 Bump google.golang.org/api from 0.89.0 to 0.90.0 (#2111)
- Additional commits viewable in compare view
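The advisory fixed in this release (GHSA-vjxv-45g9-9296 / CVE-2022-35929) concerns cosign verify-attestation --type treating an image as verified as soon as any attestation exists, regardless of its type. The Go below is an added illustration, not cosign's own code: it contrasts that failure mode with a check that filters in-toto statements by predicateType and fails closed; the Statement type, the constructed sample attestation and the vuln/SPDX predicate URIs are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is a minimal in-toto Statement (illustration, not cosign's types).
type Statement struct {
	PredicateType string `json:"predicateType"`
}

// sampleAttestations is constructed input: an image carrying only an
// SPDX SBOM attestation and no vulnerability-scan attestation.
var sampleAttestations = []string{
	`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","predicate":{}}`,
}

// flawedHasAttestation mirrors the failure mode the advisory describes:
// any attached attestation counts as success, whatever type was asked for.
func flawedHasAttestation(raw []string, wantType string) bool {
	return len(raw) > 0
}

// checkedAttestations keeps only statements whose predicateType equals
// the requested type and fails closed when none match or one is malformed.
func checkedAttestations(raw []string, wantType string) ([]Statement, error) {
	var matched []Statement
	for _, r := range raw {
		var st Statement
		if err := json.Unmarshal([]byte(r), &st); err != nil {
			return nil, fmt.Errorf("malformed attestation: %w", err)
		}
		if st.PredicateType == wantType {
			matched = append(matched, st)
		}
	}
	if len(matched) == 0 {
		return nil, errors.New("no attestation with predicateType " + wantType)
	}
	return matched, nil
}

func main() {
	const wantVuln = "https://cosign.sigstore.dev/attestation/vuln/v1" // assumed vuln predicate URI
	fmt.Println("flawed check passes:", flawedHasAttestation(sampleAttestations, wantVuln))
	_, err := checkedAttestations(sampleAttestations, wantVuln)
	fmt.Println("type-checked result:", err)
}
```

With the sample input the flawed check reports success for a vulnerability-scan type that was never attested, while the type-checked variant returns an error; only a request for the SPDX type succeeds.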
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)