Bump github.com/sigstore/cosign/v2 from 2.2.3 to 2.2.4 (#142)
Bumps
[github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from
2.2.3 to 2.2.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sigstore/cosign/releases">github.com/sigstore/cosign/v2's
releases</a>.</em></p>
<blockquote>
<h1>v2.2.4</h1>
<h2>Bug Fixes</h2>
<ul>
<li>Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (<a
href="https://redirect.github.com/sigstore/cosign/issues/3661">#3661</a>)</li>
<li>ErrNoSignaturesFound should be used when there is no signature
attached to an image. (<a
href="https://redirect.github.com/sigstore/cosign/issues/3526">#3526</a>)</li>
<li>fix semgrep issues for dgryski.semgrep-go ruleset (<a
href="https://redirect.github.com/sigstore/cosign/issues/3541">#3541</a>)</li>
<li>Honor creation timestamp for signatures again (<a
href="https://redirect.github.com/sigstore/cosign/issues/3549">#3549</a>)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Adds Support for Fulcio Client Credentials Flow, and Argument to Set
Flow Explicitly (<a
href="https://redirect.github.com/sigstore/cosign/issues/3578">#3578</a>)</li>
</ul>
<h2>Documentation</h2>
<ul>
<li>add oci bundle spec (<a
href="https://redirect.github.com/sigstore/cosign/issues/3622">#3622</a>)</li>
<li>Correct help text of triangulate cmd (<a
href="https://redirect.github.com/sigstore/cosign/issues/3551">#3551</a>)</li>
<li>Correct help text of verify-attestation policy argument (<a
href="https://redirect.github.com/sigstore/cosign/issues/3527">#3527</a>)</li>
<li>feat: add OVHcloud MPR registry tested with cosign (<a
href="https://redirect.github.com/sigstore/cosign/issues/3639">#3639</a>)</li>
</ul>
<h2>Testing</h2>
<ul>
<li>Refactor e2e-tests.yml workflow (<a
href="https://redirect.github.com/sigstore/cosign/issues/3627">#3627</a>)</li>
<li>Clean up and clarify e2e scripts (<a
href="https://redirect.github.com/sigstore/cosign/issues/3628">#3628</a>)</li>
<li>Don't ignore transparency log in tests if possible (<a
href="https://redirect.github.com/sigstore/cosign/issues/3528">#3528</a>)</li>
<li>Make E2E tests hermetic (<a
href="https://redirect.github.com/sigstore/cosign/issues/3499">#3499</a>)</li>
<li>add e2e test for pkcs11 token signing (<a
href="https://redirect.github.com/sigstore/cosign/issues/3495">#3495</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/sigstore/cosign/compare/v2.2.3...v2.2.4">https://github.com/sigstore/cosign/compare/v2.2.3...v2.2.4</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sigstore/cosign/blob/main/CHANGELOG.md">github.com/sigstore/cosign/v2's
changelog</a>.</em></p>
<blockquote>
<h1>v2.2.4</h1>
<h2>Bug Fixes</h2>
<ul>
<li>Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (<a
href="https://redirect.github.com/sigstore/cosign/issues/3661">#3661</a>)</li>
<li>ErrNoSignaturesFound should be used when there is no signature
attached to an image. (<a
href="https://redirect.github.com/sigstore/cosign/issues/3526">#3526</a>)</li>
<li>fix semgrep issues for dgryski.semgrep-go ruleset (<a
href="https://redirect.github.com/sigstore/cosign/issues/3541">#3541</a>)</li>
<li>Honor creation timestamp for signatures again (<a
href="https://redirect.github.com/sigstore/cosign/issues/3549">#3549</a>)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Adds Support for Fulcio Client Credentials Flow, and Argument to Set
Flow Explicitly (<a
href="https://redirect.github.com/sigstore/cosign/issues/3578">#3578</a>)</li>
</ul>
<h2>Documentation</h2>
<ul>
<li>add oci bundle spec (<a
href="https://redirect.github.com/sigstore/cosign/issues/3622">#3622</a>)</li>
<li>Correct help text of triangulate cmd (<a
href="https://redirect.github.com/sigstore/cosign/issues/3551">#3551</a>)</li>
<li>Correct help text of verify-attestation policy argument (<a
href="https://redirect.github.com/sigstore/cosign/issues/3527">#3527</a>)</li>
<li>feat: add OVHcloud MPR registry tested with cosign (<a
href="https://redirect.github.com/sigstore/cosign/issues/3639">#3639</a>)</li>
</ul>
<h2>Testing</h2>
<ul>
<li>Refactor e2e-tests.yml workflow (<a
href="https://redirect.github.com/sigstore/cosign/issues/3627">#3627</a>)</li>
<li>Clean up and clarify e2e scripts (<a
href="https://redirect.github.com/sigstore/cosign/issues/3628">#3628</a>)</li>
<li>Don't ignore transparency log in tests if possible (<a
href="https://redirect.github.com/sigstore/cosign/issues/3528">#3528</a>)</li>
<li>Make E2E tests hermetic (<a
href="https://redirect.github.com/sigstore/cosign/issues/3499">#3499</a>)</li>
<li>add e2e test for pkcs11 token signing (<a
href="https://redirect.github.com/sigstore/cosign/issues/3495">#3495</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sigstore/cosign/commit/fb651b4ddd8176bd81756fca2d988dd8611f514d"><code>fb651b4</code></a>
Add v2.2.4 changelog (<a
href="https://redirect.github.com/sigstore/cosign/issues/3662">#3662</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e"><code>629f5f8</code></a>
Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (<a
href="https://redirect.github.com/sigstore/cosign/issues/3661">#3661</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/302aee6c1648e5a85f77f785ca351f62d573a5e7"><code>302aee6</code></a>
Refactor e2e-tests.yml workflow (<a
href="https://redirect.github.com/sigstore/cosign/issues/3627">#3627</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/d0b98612d66b20b0f694f710ede442a1dadf3968"><code>d0b9861</code></a>
chore(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3649">#3649</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/c95439b6b80a62375a4e7b422d5e63be86dbc737"><code>c95439b</code></a>
chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3653">#3653</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/430c985b7411e9e70aa2b7a5fd4ba1762df9738c"><code>430c985</code></a>
chore(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3655">#3655</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/48858a2e5b4eb164a2741426cdb4c1ab64bd05f9"><code>48858a2</code></a>
chore(deps): bump github.com/xanzy/go-gitlab from 0.101.0 to 0.102.0 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3652">#3652</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/eba7c59b6e482f7fbf402546b285479f96cb3561"><code>eba7c59</code></a>
chore(deps): bump golang.org/x/term from 0.18.0 to 0.19.0 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3651">#3651</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/2d13b6510c4394dea4307b71b3bca9818cf01b55"><code>2d13b65</code></a>
chore(deps): bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3650">#3650</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/d56c9e821cbc0dc58657c4ea464b306dc82ba038"><code>d56c9e8</code></a>
chore(deps): bump the gomod group with 3 updates (<a
href="https://redirect.github.com/sigstore/cosign/issues/3648">#3648</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sigstore/cosign/compare/v2.2.3...v2.2.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/sigstore/cosign/v2&package-manager=go_modules&previous-version=2.2.3&new-version=2.2.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot[bot] authored Apr 11, 2024
1 parent 44764fd commit 289f369
Showing 2 changed files with 56 additions and 42 deletions.
24 changes: 12 additions & 12 deletions go.mod
Expand Up @@ -22,7 +22,7 @@ require (
github.com/hashicorp/terraform-plugin-log v0.9.0
github.com/hashicorp/terraform-plugin-testing v1.7.0
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/cosign/v2 v2.2.3
github.com/sigstore/cosign/v2 v2.2.4
github.com/sigstore/fulcio v1.4.5
github.com/sigstore/policy-controller v0.8.5-0.20240311173756-4c6cc845da85
github.com/sigstore/rekor v1.3.6
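Review bot: The subject line presents the github.com/sigstore/cosign/v2 change from v2.2.3 to v2.2.4 as a routine bump, but the release notes quoted in the message list fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv in that release. Suggest naming both advisories in the subject or in a trailer so the commit is easy to find when deciding what to backport. The sigstore/fulcio, sigstore/policy-controller and sigstore/rekor pins next to it stay where they were, so a full build and test run against v2.2.4 is the check that they still work together.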
Expand All @@ -39,7 +39,7 @@ require (
cloud.google.com/go/kms v1.15.8 // indirect
contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect
contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
cuelang.org/go v0.7.0 // indirect
cuelang.org/go v0.8.1 // indirect
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 // indirect
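Review bot: cuelang.org/go moves from v0.7.0 to v0.8.1 here, a minor-version step on a v0 module that the commit message does not mention. Because the line is marked indirect, confirm which requirement pulls it in with `go mod why -m cuelang.org/go`, and run any tests that evaluate CUE policies before merging.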
Expand Down Expand Up @@ -120,6 +120,7 @@ require (
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v25.0.5+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/evanphx/json-patch/v5 v5.7.0 // indirect
github.com/fatih/color v1.16.0 // indirect
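Review bot: github.com/dustin/go-humanize v1.0.1 was not in the require block before, so this commit widens the dependency graph rather than only moving versions. Record in the PR which upgraded module introduces it (`go mod why -m github.com/dustin/go-humanize`) so the new transitive dependency is a reviewed decision and not a side effect of the bump.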
Expand Down Expand Up @@ -212,14 +213,13 @@ require (
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/oklog/run v1.1.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/open-policy-agent/opa v0.61.0 // indirect
github.com/open-policy-agent/opa v0.63.0 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.1.0 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
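Review bot: github.com/open-policy-agent/opa goes from v0.61.0 to v0.63.0, skipping a minor release on a v0 module, and nothing in the commit message covers it. Run the tests that exercise Rego policy evaluation against this version before merging. The other two changes in this hunk, dropping github.com/mpvl/unique and moving github.com/opencontainers/image-spec from v1.1.0-rc5 to v1.1.0, read as tidy-ups, but a `go mod tidy` that produces no further diff is the way to confirm the removal is complete.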
Expand All @@ -244,7 +244,7 @@ require (
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3 // indirect
github.com/sigstore/timestamp-authority v1.2.1 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
Expand All @@ -264,7 +264,7 @@ require (
github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
github.com/xanzy/go-gitlab v0.96.0 // indirect
github.com/xanzy/go-gitlab v0.102.0 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/yashtewari/glob-intersection v0.2.0 // indirect
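Review bot: github.com/xanzy/go-gitlab jumps from v0.96.0 to v0.102.0, while the upstream commit list in the message only describes 0.101.0 to 0.102.0, so this module absorbs several intermediate v0 releases in one step. If nothing in this repository imports it directly, a line saying so in the PR is enough; otherwise run the tests for that code path.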
Expand All @@ -283,16 +283,16 @@ require (
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.21.0 // indirect
golang.org/x/crypto v0.22.0 // indirect
golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
golang.org/x/mod v0.16.0 // indirect
golang.org/x/net v0.22.0 // indirect
golang.org/x/sync v0.6.0 // indirect
golang.org/x/sys v0.18.0 // indirect
golang.org/x/term v0.18.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/sys v0.19.0 // indirect
golang.org/x/term v0.19.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.16.1 // indirect
golang.org/x/tools v0.19.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/api v0.172.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
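Review bot: Five golang.org/x lines move together in this hunk (crypto, sync, sys, term, tools), and the page reports 2 changed files with only go.mod rendered, so the second file cannot be reviewed from here. Before merging, check out the commit and run `go mod verify` and `go mod tidy`, and confirm that tidy leaves no diff. golang.org/x/tools going from v0.16.1 to v0.19.0 while golang.org/x/mod stays at v0.16.0 is the line to look at first, since the upstream commit list in the message does not mention it.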