diff --git a/contrib/tkn-image/Dockerfile b/contrib/tkn-image/Dockerfile
index c00aa0c696..b2c299b6e5 100644
--- a/contrib/tkn-image/Dockerfile
+++ b/contrib/tkn-image/Dockerfile
@@ -1,4 +1,4 @@
-ARG GOLANG_VERSION=1.26.2
+ARG GOLANG_VERSION=1.26.3
 ARG DEBIAN_VERSION=10
 
 FROM golang:${GOLANG_VERSION} as builder
diff --git a/go.mod b/go.mod
index ffc57d8ca5..63830f31bd 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/tektoncd/cli
 
-go 1.26.2
+go 1.26.3
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7
@@ -219,7 +219,7 @@ require (
 	github.com/in-toto/archivista v0.10.0 // indirect
 	github.com/in-toto/attestation v1.1.2 // indirect
 	github.com/in-toto/go-witness v0.9.1 // indirect
-	github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09 // indirect
+	github.com/in-toto/in-toto-golang v0.11.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
 	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
diff --git a/go.sum b/go.sum
index aeb7030ba4..9fafc42639 100644
--- a/go.sum
+++ b/go.sum
@@ -846,8 +846,8 @@ github.com/in-toto/attestation v1.1.2 h1:MBFn6lsMq6dptQZJBhalXTcWMb/aJy3V+GX3VYj
 github.com/in-toto/attestation v1.1.2/go.mod h1:gYFddHMZj3DiQ0b62ltNi1Vj5rC879bTmBbrv9CRHpM=
 github.com/in-toto/go-witness v0.9.1 h1:tT14ysHhnTcMLjLsp9k6GNGyKxfmr0WmTrJKREnhVGE=
 github.com/in-toto/go-witness v0.9.1/go.mod h1:9baHJG15esrfao4R3J42mWhQf3yMeKUeioCdQM+i9ek=
-github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09 h1:cwCITdi9pF50CF8uh40qDbkJ/VrEVzx5AoaHP7OPdEo=
-github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09/go.mod h1:yGCBn2JKF1m26FX8GmkcLSOFVjB6khWRxFsHwWIg7hw=
+github.com/in-toto/in-toto-golang v0.11.0 h1:nfidMYBFx+E0lnmX5KUnN2Pdm8zdNKal1ayjJuzzRoA=
+github.com/in-toto/in-toto-golang v0.11.0/go.mod h1:u3PjTnwFKjp5a1YCcw8SJg0G+tMeKfVoWsWeFMDCMtw=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
diff --git a/tools/go.mod b/tools/go.mod
index 4044741e26..0dbb7d1435 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -1,6 +1,6 @@
 module github.com/tektoncd/cli/tools
 
-go 1.26.0
+go 1.26.3
 
 require github.com/golangci/golangci-lint v1.64.8
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/attestations.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/attestations.go
index b9ec4b0d60..b03871cbf4 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/attestations.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/attestations.go
@@ -69,7 +69,7 @@ of the predicate. This struct represents a generic statement.
 // https://github.com/in-toto/attestation/tree/main/go/v1.
 type Statement struct {
 	StatementHeader
-	// Predicate contains type speficic metadata.
+	// Predicate contains type specific metadata.
 	Predicate interface{} `json:"predicate"`
 }
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/keylib.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/keylib.go
index bc3069a645..a3994c8472 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/keylib.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/keylib.go
@@ -405,7 +405,11 @@ func (k *Key) loadKey(keyObj interface{}, pemData *pem.Block, scheme string, key
 		}
 	case ed25519.PrivateKey:
 		pubKeyBytes := key.Public()
-		if err := k.setKeyComponents(pubKeyBytes.(ed25519.PublicKey), key, ed25519KeyType, scheme, keyIDHashAlgorithms); err != nil {
+		publicKey, ok := pubKeyBytes.(ed25519.PublicKey)
+		if !ok {
+			return fmt.Errorf("pubKeyBytes must be ed25519.PublicKey")
+		}
+		if err := k.setKeyComponents(publicKey, key, ed25519KeyType, scheme, keyIDHashAlgorithms); err != nil {
 			return err
 		}
 	case *ecdsa.PrivateKey:
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
index 52373aa75f..a581d00f71 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
@@ -22,8 +22,12 @@ var errBadPattern = errors.New("syntax error in pattern")
 //	term:
 //		'*'         matches any sequence of non-/ characters
 //		'?'         matches any single non-/ character
-//		'[' [ '^' ] { character-range } ']'
+//		'[' [ '!' ] { character-range } ']'
 //		            character class (must be non-empty)
+//
+// NOTE: Only '!' is supported for character class negation, not '^'. This is to
+// ensure compatibility with in-toto-python.
+//
 //		c           matches character c (c != '*', '?', '\\', '[')
 //		'\\' c      matches character c
 //
@@ -141,7 +145,7 @@ func matchChunk(chunk, s string) (rest string, ok bool, err error) {
 	chunk = chunk[1:]
 	// possibly negated
 	negated := false
-	if len(chunk) > 0 && chunk[0] == '^' {
+	if len(chunk) > 0 && chunk[0] == '!' {
 		negated = true
 		chunk = chunk[1:]
 	}
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/model.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/model.go
index 15226ca608..4081535656 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/model.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/model.go
@@ -355,8 +355,14 @@ func validateArtifacts(artifacts map[string]HashObj) error {
 	for artifactName, artifact := range artifacts {
 		artifactValue := reflect.ValueOf(artifact).MapRange()
 		for artifactValue.Next() {
-			value := artifactValue.Value().Interface().(string)
-			hashType := artifactValue.Key().Interface().(string)
+			value, ok := artifactValue.Value().Interface().(string)
+			if !ok {
+				return fmt.Errorf("value is not string")
+			}
+			hashType, ok := artifactValue.Key().Interface().(string)
+			if !ok {
+				return fmt.Errorf("hash type is not string")
+			}
 			if err := validateHexString(value); err != nil {
 				return fmt.Errorf("in artifact '%s', %s hash value: %s",
 					artifactName, hashType, err.Error())
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/runlib.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/runlib.go
index cbc1b513fd..4cc0321667 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/runlib.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/runlib.go
@@ -423,9 +423,9 @@ func InTotoRecordStart(name string, materialPaths []string, key Key, hashAlgorit
 }
 
 /*
-InTotoRecordStop ends the creation of a metatadata link file created by
+InTotoRecordStop ends the creation of a metadata link file created by
 InTotoRecordStart. InTotoRecordStop takes in a signed unfinished link metablock
-created by InTotoRecordStart and records the hashes of any products creted by
+created by InTotoRecordStart and records the hashes of any products created by
 commands run between InTotoRecordStart and InTotoRecordStop. The resultant
 finished link metablock is then signed by the provided key and returned.
 */
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common/common.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common/common.go
index a45a454634..ab6763e855 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common/common.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common/common.go
@@ -4,7 +4,7 @@ package common
 // algorithm name to lowercase hex-encoded value.
 type DigestSet map[string]string
 
-// ProvenanceBuilder idenfifies the entity that executed the build steps.
+// ProvenanceBuilder identifies the entity that executed the build steps.
 type ProvenanceBuilder struct {
 	ID string `json:"id"`
 }
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1/provenance.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1/provenance.go
index 5978e9229d..4470723b8d 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1/provenance.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1/provenance.go
@@ -40,8 +40,8 @@ type ProvenanceMetadata struct {
 	Reproducible bool `json:"reproducible"`
 }
 
-// ProvenanceComplete indicates wheter the claims in build/recipe are complete.
-// For in depth information refer to the specifictaion:
+// ProvenanceComplete indicates whether the claims in build/recipe are complete.
+// For in depth information refer to the specification:
 // https://github.com/in-toto/attestation/blob/v0.1.0/spec/predicates/provenance.md
 type ProvenanceComplete struct {
 	Arguments bool `json:"arguments"`
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2/provenance.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2/provenance.go
index 40416e29a8..3efbb51e81 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2/provenance.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2/provenance.go
@@ -127,8 +127,8 @@ type ProvenanceMetadata struct {
 	Reproducible bool `json:"reproducible"`
 }
 
-// ProvenanceComplete indicates wheter the claims in build/recipe are complete.
-// For in depth information refer to the specifictaion:
+// ProvenanceComplete indicates whether the claims in build/recipe are complete.
+// For in depth information refer to the specification:
 // https://github.com/in-toto/attestation/blob/v0.1.0/spec/predicates/provenance.md
 type ProvenanceComplete struct {
 	// Parameters if true, means the builder claims that [ProvenanceInvocation.Parameters] is
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1/provenance.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1/provenance.go
index 1e99880277..5a26445c5c 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1/provenance.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1/provenance.go
@@ -48,7 +48,7 @@ type ProvenanceBuildDefinition struct {
 
 	// The parameters that are under external control, such as those set by a
 	// user or tenant of the build system. They MUST be complete at SLSA Build
-	// L3, meaning that that there is no additional mechanism for an external
+	// L3, meaning that there is no additional mechanism for an external
 	// party to influence the build. (At lower SLSA Build levels, the
 	// completeness MAY be best effort.)
@@ -173,7 +173,7 @@ type BuildMetadata struct {
 	// finding associated logs or other ad-hoc analysis. The exact meaning and
 	// format is defined by builder.id; by default it is treated as opaque and
 	// case-sensitive. The value SHOULD be globally unique.
-	InvocationID string `json:"invocationID,omitempty"`
+	InvocationID string `json:"invocationId,omitempty"`
 
 	// The timestamp of when the build started.
 	StartedOn *time.Time `json:"startedOn,omitempty"`
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/verifylib.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/verifylib.go
index 471df50e76..de9dfa7e64 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/verifylib.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/verifylib.go
@@ -59,7 +59,11 @@ func RunInspections(layout Layout, runDir string, lineNormalization bool, useDSS
 			return nil, err
 		}
 
-		retVal := linkEnv.GetPayload().(Link).ByProducts["return-value"]
+		link, ok := linkEnv.GetPayload().(Link)
+		if !ok {
+			return nil, fmt.Errorf("invalid metadata")
+		}
+		retVal := link.ByProducts["return-value"]
 		if retVal != float64(0) {
 			return nil, fmt.Errorf("inspection command '%s' of inspection '%s'"+
 				" returned a non-zero value: %d", inspection.Run, inspection.Name,
@@ -91,13 +95,19 @@ func verifyMatchRule(ruleData map[string]string,
 		return consumed
 	}
 
+	dstLink, ok := dstLinkEnv.GetPayload().(Link)
+	if !ok {
+		fmt.Printf("invalid metadata")
+		return consumed
+	}
+
 	// Get artifacts from destination link metadata
 	var dstArtifacts map[string]HashObj
 	switch ruleData["dstType"] {
 	case "materials":
-		dstArtifacts = dstLinkEnv.GetPayload().(Link).Materials
+		dstArtifacts = dstLink.Materials
 	case "products":
-		dstArtifacts = dstLinkEnv.GetPayload().(Link).Products
+		dstArtifacts = dstLink.Products
 	}
 
 	// cleanup paths in pattern and artifact maps
@@ -216,8 +226,12 @@ func VerifyArtifacts(items []interface{},
 
 	// Create shortcuts to materials and products (including hashes) reported
 	// by the item's link, required to verify "match" rules
-	materials := srcLinkEnv.GetPayload().(Link).Materials
-	products := srcLinkEnv.GetPayload().(Link).Products
+	link, ok := srcLinkEnv.GetPayload().(Link)
+	if !ok {
+		return fmt.Errorf("invalid metadata")
+	}
+	materials := link.Materials
+	products := link.Products
 
 	// All other rules only require the material or product paths (without
 	// hashes). We extract them from the corresponding maps and store them as
@@ -269,17 +283,24 @@ func VerifyArtifacts(items []interface{},
 		// TODO: Add logging library (see in-toto/in-toto-golang#4)
 		// fmt.Printf("%s...\n", verificationData["srcType"])
 
-		rules := verificationData["rules"].([][]string)
-		artifacts := verificationData["artifacts"].(map[string]HashObj)
-
+		rules, ok := verificationData["rules"].([][]string)
+		if !ok {
+			return fmt.Errorf(`rules must be of type [][]string`)
+		}
+		artifacts, ok := verificationData["artifacts"].(map[string]HashObj)
+		if !ok {
+			return fmt.Errorf(`artifacts must be of type map[string]HashObj`)
+		}
 		// Use artifacts (without hashes) as base queue. Each rule only operates
 		// on artifacts in that queue. If a rule consumes an artifact (i.e. can
 		// be applied successfully), the artifact is removed from the queue. By
 		// applying a DISALLOW rule eventually, verification may return an error,
 		// if the rule matches any artifacts in the queue that should have been
 		// consumed earlier.
-		queue := verificationData["artifactPaths"].(Set)
-
+		queue, ok := verificationData["artifactPaths"].(Set)
+		if !ok {
+			return fmt.Errorf(`queue must be of type Set`)
+		}
 		// TODO: Add logging library (see in-toto/in-toto-golang#4)
 		// fmt.Printf("Initial state\nMaterials: %s\nProducts: %s\nQueue: %s\n\n",
 		// materialPaths.Slice(), productPaths.Slice(), queue.Slice())
@@ -398,10 +419,16 @@ func ReduceStepsMetadata(layout Layout,
 	// threshold requires, but not all of them are equal? Right now we would
 	// also error.
 	for keyID, linkEnv := range linksPerStep {
-		if !reflect.DeepEqual(linkEnv.GetPayload().(Link).Materials,
-			referenceLinkEnv.GetPayload().(Link).Materials) ||
-			!reflect.DeepEqual(linkEnv.GetPayload().(Link).Products,
-			referenceLinkEnv.GetPayload().(Link).Products) {
+		link, ok := linkEnv.GetPayload().(Link)
+		if !ok {
+			return nil, fmt.Errorf("invalid metadata")
+		}
+		refLink, ok := referenceLinkEnv.GetPayload().(Link)
+		if !ok {
+			return nil, fmt.Errorf("invalid metadata")
+		}
+		if !reflect.DeepEqual(link.Materials, refLink.Materials) ||
+			!reflect.DeepEqual(link.Products, refLink.Products) {
 			return nil, fmt.Errorf("link '%s' and '%s' have different"+
 				" artifacts", fmt.Sprintf(LinkNameFormat, step.Name, referenceKeyID),
@@ -432,8 +459,13 @@ func VerifyStepCommandAlignment(layout Layout,
 	}
 
 	for signerKeyID, linkEnv := range linksPerStep {
+		link, ok := linkEnv.GetPayload().(Link)
+		if !ok {
+			fmt.Printf("invalid metadata")
+			return
+		}
 		expectedCommandS := strings.Join(step.ExpectedCommand, " ")
-		executedCommandS := strings.Join(linkEnv.GetPayload().(Link).Command, " ")
+		executedCommandS := strings.Join(link.Command, " ")
 		if expectedCommandS != executedCommandS {
 			linkName := fmt.Sprintf(LinkNameFormat, step.Name, signerKeyID)
@@ -708,16 +740,24 @@ func GetSummaryLink(layout Layout, stepsMetadataReduced map[string]Metadata,
 		firstStepLink := stepsMetadataReduced[layout.Steps[0].Name]
 		lastStepLink := stepsMetadataReduced[layout.Steps[len(layout.Steps)-1].Name]
 
-		summaryLink.Materials = firstStepLink.GetPayload().(Link).Materials
+		firstStepPayloadLink, ok := firstStepLink.GetPayload().(Link)
+		if !ok {
+			return nil, fmt.Errorf("invalid metadata")
+		}
+		summaryLink.Materials = firstStepPayloadLink.Materials
 		summaryLink.Name = stepName
-		summaryLink.Type = firstStepLink.GetPayload().(Link).Type
+		summaryLink.Type = firstStepPayloadLink.Type
 
-		summaryLink.Products = lastStepLink.GetPayload().(Link).Products
-		summaryLink.ByProducts = lastStepLink.GetPayload().(Link).ByProducts
+		lastStepPayloadLink, ok := lastStepLink.GetPayload().(Link)
+		if !ok {
+			return nil, fmt.Errorf("invalid metadata")
+		}
+		summaryLink.Products = lastStepPayloadLink.Products
+		summaryLink.ByProducts = lastStepPayloadLink.ByProducts
 		// Using the last command of the sublayout as the command
 		// of the summary link can be misleading. Is it necessary to
 		// include all the commands executed as part of sublayout?
-		summaryLink.Command = lastStepLink.GetPayload().(Link).Command
+		summaryLink.Command = lastStepPayloadLink.Command
 	}
 
 	if useDSSE {
@@ -845,7 +885,7 @@ the in-toto specification. It requires the metadata of the root layout, a map
 that contains public keys to verify the root layout signatures, a path to a
 directory from where it can load link metadata files, which are treated as
 signed evidence for the steps defined in the layout, a step name, and a
-paramater dictionary used for parameter substitution. The step name only
+parameter dictionary used for parameter substitution. The step name only
 matters for sublayouts, where it's important to associate the summary of that
 step with a unique name. The verification routine is as follows:
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b394dbc362..9a396fe36f 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1026,8 +1026,8 @@ github.com/in-toto/go-witness/cryptoutil
 github.com/in-toto/go-witness/dsse
 github.com/in-toto/go-witness/log
 github.com/in-toto/go-witness/timestamp
-# github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09
-## explicit; go 1.20
+# github.com/in-toto/in-toto-golang v0.11.0
+## explicit; go 1.24.0
 github.com/in-toto/in-toto-golang/in_toto
 github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common
 github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1