feat(sbom): scan sbom attestation in the rekor record #2699

Merged
merged 50 commits into from Sep 15, 2022

50 commits
fdf46bc
feat(sbom): scan sbom attestation in the rekor record
otms61 Aug 14, 2022
afc6575
image command can scan an SBOM attestation in rekor
otms61 Aug 14, 2022
1e24dcf
rename option name
otms61 Aug 14, 2022
68f807d
refactor: rename field name
otms61 Aug 14, 2022
c29b54d
fix: import order
otms61 Aug 17, 2022
feac772
Merge branch 'main' into scan_rekor_attest
otms61 Aug 17, 2022
1d8fd38
chore: update go.mod
otms61 Aug 17, 2022
ba90261
refactor rekor client
otms61 Aug 17, 2022
28d11ce
refactor: refactor inspect sbom
otms61 Aug 17, 2022
71af599
enable parsing decoded in-toto statements
otms61 Aug 26, 2022
f165cef
test: add a test for rekor client
otms61 Aug 26, 2022
e941e7b
refactor: rename rekor client function name
otms61 Aug 26, 2022
705ffec
refactor: refactor rekor client
otms61 Aug 27, 2022
8d661e4
refactor: refactor Inspect
otms61 Aug 27, 2022
840f670
refactor: refactor rekor client
otms61 Aug 27, 2022
3e645d9
Merge branch 'main' into scan_rekor_attest
otms61 Aug 27, 2022
17ba208
fix: fix lint error
otms61 Aug 27, 2022
7e93c55
refactor: refactor rekor client
otms61 Aug 28, 2022
29c414c
refactor: rename entry ID variables
otms61 Aug 28, 2022
0f50432
chore: update go.mod
otms61 Aug 28, 2022
3b9d4ee
fix: fix entry ID in a test
otms61 Aug 28, 2022
a36b5a5
test: add a test case for decoded sbom attestation
otms61 Aug 28, 2022
73f0338
refactor: refactor rekor client
otms61 Aug 28, 2022
c0ebfce
feat: change sbom option from sbom-attestation to sbom-from
otms61 Sep 5, 2022
ddc33ee
feat: add rekor-url option
otms61 Sep 7, 2022
79341dc
fix: rekor URL option
otms61 Sep 12, 2022
1a4b091
overwrite the name of SBOM artifact inspection results
otms61 Sep 12, 2022
5ca3edf
refactor: use httptest instead of client mock
otms61 Sep 14, 2022
3039fb9
Merge branch 'main' into scan_rekor_attest
otms61 Sep 15, 2022
628e728
revert attestation decode
otms61 Sep 15, 2022
5ba33cf
refactor
otms61 Sep 15, 2022
813759c
refactor: add a new file
knqyf263 Sep 15, 2022
78c3ab5
refactor: embed Rekor client
knqyf263 Sep 15, 2022
b19fdf0
feat: handle expected errors
knqyf263 Sep 15, 2022
64c300b
Merge branch 'main' into scan_rekor_attest
knqyf263 Sep 15, 2022
c168b80
refactor: parse in_toto statement on the fly
knqyf263 Sep 15, 2022
1257c7b
refactor: simplify error handling
knqyf263 Sep 15, 2022
fc58768
chore: add a comment
knqyf263 Sep 15, 2022
810fd44
refactor: remove unnecessary splitting
knqyf263 Sep 15, 2022
c579331
refactor: remove the default Rekor URL
knqyf263 Sep 15, 2022
d648b8e
refactor: comply with conventions
knqyf263 Sep 15, 2022
f5299d1
refactor: validate sbom sources
knqyf263 Sep 15, 2022
228ffcb
Merge branch 'main' into scan_rekor_attest
knqyf263 Sep 15, 2022
0df6174
refactor: some tweaks
knqyf263 Sep 15, 2022
50296ed
test: add sad paths
knqyf263 Sep 15, 2022
d97c670
test: add Rekor tests
knqyf263 Sep 15, 2022
b7e5e45
test: remove an unneeded case
knqyf263 Sep 15, 2022
63a282d
fix: revert attestation decoding
knqyf263 Sep 15, 2022
c9c84b9
fix: slice the default value
knqyf263 Sep 15, 2022
ca36f16
fix: import grouping
knqyf263 Sep 15, 2022
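The commits above add an SBOM source that reads an in-toto attestation out of a Rekor entry and scans it instead of the image filesystem. As an added illustration, not Trivy's code and not part of this PR, the Go program below shows the parsing half of that flow: it takes the attestation bytes returned for a Rekor entry, accepts either a bare in-toto Statement or a DSSE envelope wrapping one (the "decoded attestation" case the commit history goes back and forth on), refuses the attestation unless one of its subjects carries the digest of the image being scanned, and hands back the predicate only when its predicateType is CycloneDX or SPDX. The image name, digest, SBOM content and DSSE signature value are constructed sample data; DSSE signature verification and the Rekor inclusion proof are assumed to have been checked before these functions are called and are not shown.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	inTotoStatementType = "https://in-toto.io/Statement/v0.1"
	inTotoPayloadType   = "application/vnd.in-toto+json"
	predicateCycloneDX  = "https://cyclonedx.org/bom"
	predicateSPDX       = "https://spdx.dev/Document"
)

// ErrNotSBOM: the attestation is well-formed in-toto but its predicate is not an SBOM.
var ErrNotSBOM = errors.New("attestation predicate is not an SBOM")

// Statement is the subset of an in-toto Statement (v0.1) needed to locate an SBOM.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Subject names an artifact and its digests, e.g. {"sha256": "<image manifest digest>"}.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// dsseEnvelope is the DSSE wrapper cosign writes around a Statement. Signatures are
// deliberately not verified here; that must happen before this code is trusted.
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
}

// decodeBase64 accepts standard or URL alphabets, padded or not, since DSSE producers differ.
func decodeBase64(s string) ([]byte, error) {
	for _, enc := range []*base64.Encoding{base64.StdEncoding, base64.RawStdEncoding, base64.URLEncoding, base64.RawURLEncoding} {
		if b, err := enc.DecodeString(s); err == nil {
			return b, nil
		}
	}
	return nil, errors.New("payload is not valid base64")
}

// ParseAttestation returns the in-toto Statement from attestation bytes, unwrapping a DSSE
// envelope first if that is what was handed over (a bare Statement has no payloadType).
func ParseAttestation(data []byte) (*Statement, error) {
	var env dsseEnvelope
	if err := json.Unmarshal(data, &env); err == nil && env.PayloadType == inTotoPayloadType {
		decoded, derr := decodeBase64(env.Payload)
		if derr != nil {
			return nil, fmt.Errorf("dsse payload: %w", derr)
		}
		data = decoded
	}
	var st Statement
	if err := json.Unmarshal(data, &st); err != nil {
		return nil, fmt.Errorf("in-toto statement: %w", err)
	}
	if st.Type != inTotoStatementType {
		return nil, fmt.Errorf("unexpected statement _type %q", st.Type)
	}
	return &st, nil
}

// SBOMFromAttestation returns the SBOM format and predicate for an attestation whose subject
// list contains wantSHA256. An attestation for a different image, or a non-SBOM predicate
// (e.g. SLSA provenance) on the same image, is rejected rather than scanned.
func SBOMFromAttestation(data []byte, wantSHA256 string) (string, []byte, error) {
	st, err := ParseAttestation(data)
	if err != nil {
		return "", nil, err
	}
	matched := false
	for _, s := range st.Subject {
		if s.Digest["sha256"] == wantSHA256 {
			matched = true
			break
		}
	}
	if !matched {
		return "", nil, fmt.Errorf("no subject with sha256 %s", wantSHA256)
	}
	switch st.PredicateType {
	case predicateCycloneDX:
		return "cyclonedx", st.Predicate, nil
	case predicateSPDX:
		return "spdx", st.Predicate, nil
	}
	return "", nil, fmt.Errorf("%w: %s", ErrNotSBOM, st.PredicateType)
}

// Constructed sample digest (not a real image).
const sampleDigest = "8f1e0c3a5d7b9e2f4a6c8d0b1e3f5a7c9d1b3e5f7a9c1d3e5f7b9d1f3a5c7e9b"

// SampleStatement builds a bare CycloneDX SBOM Statement for the sample digest (constructed data).
func SampleStatement() []byte {
	st := map[string]interface{}{
		"_type":         inTotoStatementType,
		"predicateType": predicateCycloneDX,
		"subject":       []Subject{{Name: "registry.example/app", Digest: map[string]string{"sha256": sampleDigest}}},
		"predicate": map[string]interface{}{
			"bomFormat":   "CycloneDX",
			"specVersion": "1.4",
			"components":  []map[string]string{{"type": "library", "name": "zlib", "version": "1.2.12"}},
		},
	}
	b, _ := json.Marshal(st)
	return b
}

// SampleEnvelope wraps SampleStatement in a DSSE envelope; the signature is a placeholder.
func SampleEnvelope() []byte {
	env := map[string]interface{}{
		"payloadType": inTotoPayloadType,
		"payload":     base64.StdEncoding.EncodeToString(SampleStatement()),
		"signatures":  []map[string]string{{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}},
	}
	b, _ := json.Marshal(env)
	return b
}

func main() {
	for _, in := range [][]byte{SampleEnvelope(), SampleStatement()} {
		format, sbom, err := SBOMFromAttestation(in, sampleDigest)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s SBOM, %d bytes of predicate\n", format, len(sbom))
	}
}
```

The subject-digest check is the part most worth keeping when wiring this into a scanner: a Rekor search by image digest can return attestations for other artifacts or other predicate types, and scanning the wrong SBOM silently produces a clean-looking result.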
71 changes: 41 additions & 30 deletions go.mod
Expand Up @@ -28,10 +28,12 @@ require (
github.com/docker/go-connections v0.4.0
github.com/fatih/color v1.13.0
github.com/go-enry/go-license-detector/v4 v4.3.0
github.com/go-openapi/runtime v0.24.1
github.com/go-openapi/strfmt v0.21.3
github.com/go-redis/redis/v8 v8.11.5
github.com/golang-jwt/jwt v3.2.2+incompatible
github.com/golang/protobuf v1.5.2
github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
github.com/google/go-containerregistry v0.11.0
github.com/google/licenseclassifier/v2 v2.0.0-pre6
github.com/google/uuid v1.3.0
github.com/google/wire v0.5.0
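Review bot: github.com/go-openapi/runtime v0.24.1 and github.com/go-openapi/strfmt v0.21.3 are added to the direct require block (no // indirect), so the new Rekor client code must import both packages itself; if it only imports the rekor module's client packages, `go mod tidy` will move these two to the indirect block and the diff should be regenerated so the file stays tidy. The go-containerregistry change from the v0.7.1-0.20211214010025-a65b7844a475 pseudo-version to the tagged v0.11.0 is a welcome cleanup but unrelated to Rekor; mention it in the PR description so the bump is not lost in a feature commit.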
Expand All @@ -52,6 +54,7 @@ require (
github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
github.com/samber/lo v1.27.1
github.com/secure-systems-lab/go-securesystemslib v0.4.0
github.com/sigstore/rekor v0.12.0
github.com/sosedoff/gitkit v0.3.0
github.com/spf13/cobra v1.5.0
github.com/spf13/pflag v1.0.5
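Review bot: github.com/sigstore/rekor v0.12.0 is the whole Rekor module, server included, not a client-only package, so it brings a large transitive tree with it. Pinning to a tagged release rather than a pseudo-version is the right call; please confirm that the accompanying go.sum carries checksums for it and its new transitives, and state in the PR description why this version was chosen so later bumps have a baseline.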
Expand All @@ -62,8 +65,8 @@ require (
github.com/twitchtv/twirp v8.1.2+incompatible
github.com/xlab/treeprint v1.1.0
go.etcd.io/bbolt v1.3.6
go.uber.org/zap v1.22.0
golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
go.uber.org/zap v1.23.0
golang.org/x/exp v0.0.0-20220823124025-807a23277127
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f
google.golang.org/protobuf v1.28.1
gopkg.in/yaml.v3 v3.0.1
Expand Down Expand Up @@ -121,18 +124,28 @@ require (
github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.3 // indirect
github.com/aws/smithy-go v1.13.2 // indirect
github.com/emicklei/go-restful/v3 v3.8.0 // indirect
github.com/go-openapi/analysis v0.21.4 // indirect
github.com/go-openapi/errors v0.20.3 // indirect
github.com/go-openapi/loads v0.21.2 // indirect
github.com/go-openapi/spec v0.20.7 // indirect
github.com/go-openapi/validate v0.22.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
github.com/googleapis/go-type-adapters v1.0.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.0.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
go.mongodb.org/mongo-driver v1.10.0 // indirect
gonum.org/v1/gonum v0.7.0 // indirect
)

require (
cloud.google.com/go v0.100.2 // indirect
cloud.google.com/go/compute v1.6.1 // indirect
cloud.google.com/go v0.103.0 // indirect
cloud.google.com/go/compute v1.7.0 // indirect
cloud.google.com/go/iam v0.3.0 // indirect
cloud.google.com/go/storage v1.14.0 // indirect
cloud.google.com/go/storage v1.23.0 // indirect
github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
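Review bot: most of the new indirect requirements here (go-openapi/analysis, errors, loads, spec, validate, oklog/ulid, opentracing-go, go.mongodb.org/mongo-driver) come from go-openapi/strfmt and the rekor module's generated OpenAPI client rather than from anything Trivy calls; mongo-driver in particular is a heavy dependency pulled in for a bson ObjectId type in strfmt. Running `go mod why -m go.mongodb.org/mongo-driver` on the branch and noting the answer in the PR would make the added weight a deliberate decision. The cloud.google.com/go, compute and storage bumps in the same hunk are version drift from `go mod tidy`, not part of the feature, and are fine to keep.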
Expand All @@ -154,8 +167,6 @@ require (
github.com/Microsoft/hcsshim v0.9.3 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/VividCortex/ewma v1.1.1 // indirect
github.com/acomagu/bufpipe v1.0.3 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
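Review bot: removing github.com/PuerkitoBio/purell and github.com/PuerkitoBio/urlesc is consistent with the go-openapi/jsonreference bump to v0.20.0 further down in this file, which stopped depending on them; nothing to change, just confirm go.sum was tidied in the same commit so the stale checksum lines go away too.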
Expand All @@ -165,7 +176,7 @@ require (
github.com/apparentlymart/go-cidr v1.1.0 // indirect
github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
github.com/aquasecurity/defsec v0.74.2
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
github.com/aws/aws-sdk-go v1.44.92
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
Expand All @@ -177,7 +188,7 @@ require (
github.com/containerd/cgroups v1.0.4 // indirect
github.com/containerd/continuity v0.3.0 // indirect
github.com/containerd/fifo v1.0.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.11.4 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3 // indirect
github.com/containerd/typeurl v1.0.2 // indirect
github.com/cyphar/filepath-securejoin v0.2.3 // indirect
Expand Down Expand Up @@ -205,8 +216,8 @@ require (
github.com/go-gorp/gorp/v3 v3.0.2 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.5 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-yaml v1.8.2 // indirect
github.com/gofrs/uuid v4.0.0+incompatible // indirect
Expand Down Expand Up @@ -243,7 +254,7 @@ require (
github.com/json-iterator/go v1.1.12 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
github.com/klauspost/compress v1.15.6 // indirect
github.com/klauspost/compress v1.15.8 // indirect
github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21
github.com/knqyf263/nested v0.0.1
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
Expand Down Expand Up @@ -274,7 +285,7 @@ require (
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb // indirect
github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe // indirect
github.com/morikuni/aec v1.0.0 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/olekukonko/tablewriter v0.0.5 // indirect
Expand All @@ -288,10 +299,10 @@ require (
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.12.2 // indirect
github.com/prometheus/client_golang v1.13.0 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
Expand All @@ -308,7 +319,7 @@ require (
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/stretchr/objx v0.4.0 // indirect
github.com/subosito/gotenv v1.4.0 // indirect
github.com/ulikunitz/xz v0.5.8 // indirect
github.com/ulikunitz/xz v0.5.10 // indirect
github.com/vbatts/tar-split v0.11.2 // indirect
github.com/vektah/gqlparser/v2 v2.4.6 // indirect
github.com/xanzy/ssh-agent v0.3.0 // indirect
Expand All @@ -321,26 +332,26 @@ require (
github.com/zclconf/go-cty-yaml v1.0.2 // indirect
go.opencensus.io v0.23.0 // indirect
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
go.uber.org/atomic v1.7.0 // indirect
go.uber.org/multierr v1.7.0 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
golang.org/x/text v0.3.7
golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
golang.org/x/tools v0.1.10 // indirect
google.golang.org/api v0.81.0 // indirect
golang.org/x/tools v0.1.12 // indirect
google.golang.org/api v0.92.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
google.golang.org/grpc v1.48.0 // indirect
google.golang.org/genproto v0.0.0-20220720214146-176da50484ac // indirect
google.golang.org/grpc v1.49.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.66.4 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/neurosnap/sentences.v1 v1.0.6 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
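Review bot: golang.org/x/mod stays pinned to the pre-release pseudo-version v0.6.0-dev.0.20220419223038-86c51ed26bb4 while x/net, x/oauth2, x/sys, x/sync and x/tools all move to late-July 2022 snapshots in lock-step; that is what `go mod tidy` produces after importing rekor, but a `go build ./...` plus `go mod verify` run on this branch in CI would confirm the tree resolves without replace directives. The grpc v1.49.0, google.golang.org/api v0.92.0, genproto and gopkg.in/ini.v1 bumps are transitive drift unrelated to the feature; keep them, but list them in the PR description so the dependency change is reviewable on its own.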