
Bump github.com/sigstore/cosign from 1.10.0 to 1.10.1

Open dependabot[bot] opened this issue 1 year ago • 0 comments

Bumps github.com/sigstore/cosign from 1.10.0 to 1.10.1.

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.10.1

This release fixes a security issue

cosign verify-attestation --type can report a false positive if any attestation exists https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296

Full Changelog: https://github.com/sigstore/cosign/compare/v1.10.0...v1.10.1

Thanks to all contributors!

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v1.10.1

Note: This release comes with a fix for CVE-2022-35929 described in this GitHub Security Advisory. Please upgrade to this release ASAP

Enhancements

  • update cross-builder to go1.18.5 and cosign image to 1.10.0 (#2119)
  • feat: attach: attestation: allow passing multiple payloads (#2085)
  • Resolves #522 set Created date to time of execution (#2108)
  • Fix field names in the vulnerability attestation (#2099)
  • Change Result in Vulnerability Attestation to interface{} (#2096)
  • Improve error message when no sigs/atts are found for an image (#2101)
  • add flag to allow skipping upload to transparency log (#2089)

Documentation

  • chore: fix documentation and warning on using untrusted rekor key (#2124)
  • Enable Scorecard badge (#2109)

Bug Fixes

  • Merge pull request from GHSA-vjxv-45g9-9296
  • Correct the type used for attest (#2128)

Others

  • Bump mikefarah/yq from 4.26.1 to 4.27.2 (#2116)
  • Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (#2115)
  • Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 (#2120)
  • Bump google.golang.org/api from 0.90.0 to 0.91.0 (#2125)
  • Bump google.golang.org/api from 0.89.0 to 0.90.0 (#2111)
  • Bump github/codeql-action from 2.1.16 to 2.1.17 (#2112)
  • Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2110)
  • Bump google.golang.org/api from 0.88.0 to 0.89.0 (#2106)
  • Bump imjasonh/setup-ko from 0.4 to 0.5 (#2107)
  • Introduce a custom error type to classify errors. (#2114)
  • Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 (#2103)
  • remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint (#2105)
  • Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2100)
  • Remove knative/pkg deps (#2092)

Contributors

  • Azeem Shaikh
  • Carlos Tadeu Panato Junior
  • Furkan Türkal
  • Jason Hall
  • Kenny Leung
  • Matt Moore
  • Teppei Fukuda
  • Tobias Trabelsi
  • asraa
  • saso

Commits
  • a39ce91 Correct the type used for attest (#2128)
  • c5fda01 Merge pull request from GHSA-vjxv-45g9-9296
  • 641f02b Bump google.golang.org/api from 0.90.0 to 0.91.0 (#2125)
  • 0f017f8 chore: fix documentation and warning on using untrusted rekor key (#2124)
  • 5aa17b9 Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 (#2120)
  • 998323f update cross-builder to go1.18.5 and cosign image to 1.10.0 (#2119)
  • d58d23a Bump mikefarah/yq from 4.26.1 to 4.27.2 (#2116)
  • ecd794b Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (#2115)
  • 938ad43 feat: attach: attestation: allow passing multiple payloads (#2085)
  • 7b1c0c0 Bump google.golang.org/api from 0.89.0 to 0.90.0 (#2111)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] · Aug 10 '22 04:08
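The advisory this bump addresses (GHSA-vjxv-45g9-9296 / CVE-2022-35929) is about `cosign verify-attestation --type` succeeding when some attestation exists even though none is of the requested type. The Go program below is an added illustration of that bug class and is not cosign's code: it models a single-signature DSSE envelope carrying an in-toto statement, checks the ed25519 signature over the DSSE pre-authentication encoding, and contrasts a lenient verifier (success decided on "any valid attestation", type filter applied afterwards) with a hardened one (an attestation of the requested type is part of the success condition). The key, envelopes and statements are constructed test data; the predicate type URIs are assumptions about what cosign 1.x maps `--type slsaprovenance` and `--type vuln` to, so check them against your version.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// DSSE/in-toto constants; the predicate URIs are assumed to be what cosign 1.x maps --type slsaprovenance and --type vuln to.
const (
	inTotoPayloadType = "application/vnd.in-toto+json"
	statementType     = "https://in-toto.io/Statement/v0.1"
	SLSAProvenanceV02 = "https://slsa.dev/provenance/v0.2"
	CosignVulnV1      = "https://cosign.sigstore.dev/attestation/vuln/v1"
)

// Envelope is a minimal single-signature DSSE envelope.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64(JSON in-toto Statement)
	Sig         string `json:"sig"`     // base64(ed25519 signature over pae(PayloadType, payload))
}

// Statement keeps only the in-toto fields this example inspects.
type Statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
}

// pae is the DSSE v1 pre-authentication encoding that the signature actually covers.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign wraps a statement of the given predicate type in a signed envelope (constructed test data).
func Sign(priv ed25519.PrivateKey, predicateType string) (Envelope, error) {
	body, err := json.Marshal(Statement{Type: statementType, PredicateType: predicateType})
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(inTotoPayloadType, body))
	return Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(body), Sig: base64.StdEncoding.EncodeToString(sig)}, nil
}

// verifyEnvelope checks the DSSE signature first, then decodes the statement it protects.
func verifyEnvelope(pub ed25519.PublicKey, env Envelope) (Statement, error) {
	body, err1 := base64.StdEncoding.DecodeString(env.Payload)
	sig, err2 := base64.StdEncoding.DecodeString(env.Sig)
	if err1 != nil || err2 != nil {
		return Statement{}, fmt.Errorf("dsse: malformed base64 in envelope")
	}
	if !ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
		return Statement{}, fmt.Errorf("dsse: signature does not verify")
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return Statement{}, err
	}
	return st, nil
}

// verifiedStatements keeps every statement whose signature checks out and drops the rest.
func verifiedStatements(pub ed25519.PublicKey, envs []Envelope) []Statement {
	var out []Statement
	for _, env := range envs {
		if st, err := verifyEnvelope(pub, env); err == nil {
			out = append(out, st)
		}
	}
	return out
}

func filterByType(sts []Statement, want string) []Statement {
	var out []Statement
	for _, st := range sts {
		if st.PredicateType == want {
			out = append(out, st)
		}
	}
	return out
}

// VerifyByTypeLenient reproduces the failure mode: success means "any valid attestation exists"; the type only trims the output.
func VerifyByTypeLenient(pub ed25519.PublicKey, envs []Envelope, want string) ([]Statement, error) {
	verified := verifiedStatements(pub, envs)
	if len(verified) == 0 {
		return nil, fmt.Errorf("no valid attestations found")
	}
	return filterByType(verified, want), nil // BUG: nil error even when nothing matched want
}

// VerifyByType is the hardened form: an attestation of the requested type is part of the success condition.
func VerifyByType(pub ed25519.PublicKey, envs []Envelope, want string) ([]Statement, error) {
	matched := filterByType(verifiedStatements(pub, envs), want)
	if len(matched) == 0 {
		return nil, fmt.Errorf("no valid attestations of type %s found", want)
	}
	return matched, nil
}
```

The operational equivalent after merging this bump is to run `cosign verify-attestation --type <type>` against an image that carries only an attestation of a different type and confirm the command fails; with 1.10.0 that is the false positive the advisory describes.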