Documentation ¶
Index ¶
- func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, ...) (map[string][]PolicySignature, error)
- type AuthorityMatch
- type PolicyResult
- type PolicySignature
- type Validator
- func (v *Validator) ResolveCronJob(ctx context.Context, c *duckv1.CronJob)
- func (v *Validator) ResolvePod(ctx context.Context, p *duckv1.Pod)
- func (v *Validator) ResolvePodSpecable(ctx context.Context, wp *duckv1.WithPod)
- func (v *Validator) ValidateCronJob(ctx context.Context, c *duckv1.CronJob) *apis.FieldError
- func (v *Validator) ValidatePod(ctx context.Context, p *duckv1.Pod) *apis.FieldError
- func (v *Validator) ValidatePodSpecable(ctx context.Context, wp *duckv1.WithPod) *apis.FieldError
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ValidatePolicyAttestationsForAuthority ¶ added in v1.8.0
func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, remoteOpts ...ociremote.Option) (map[string][]PolicySignature, error)
ValidatePolicyAttestationsForAuthority takes the Authority and tries to verify attestations against it.
Types ¶
type AuthorityMatch ¶ added in v1.8.0
type AuthorityMatch struct {
	// All of the matching signatures for this authority
	// Wonder if for consistency this should also have the matching
	// attestations name, aka, make this into a map.
	Signatures []PolicySignature `json:"signatures"`
	// Mapping from attestation name to all of verified attestations
	Attestations map[string][]PolicySignature `json:"attestations"`
}
AuthorityMatch holds either Signatures (when the Authority specifies no Attestations) or Attestations (when the Authority does specify them); the two are not populated together.
type PolicyResult ¶ added in v1.8.0
type PolicyResult struct {
	// AuthorityMatches will have an entry for each successful Authority check
	// on it. Key in the map is the Authority.Name
	AuthorityMatches map[string]AuthorityMatch `json:"authorityMatches"`
}
PolicyResult is the result of a successful ValidatePolicy call. It is meant to be consumed by a higher-level policy engine that reasons about already-validated results. The first-level pass verifies signatures and attestations and makes the outcome available to a policy that gates whether a ClusterImagePolicy passes. Examples of such gates: a 'vulnerability' attestation must exist and must have been attested by a particular identity (subject/issuer) or a particular key; or N of M authorities must be satisfied. The low-level details of the signatures and attestations are not exposed here, because they have already been validated according to the Authority configuration and, optionally, by the Attestations, which can carry a policy applied to the attestation contents themselves (for example, the vulnerability scan must report no High-severity findings).
func ValidatePolicy ¶ added in v1.7.0
func ValidatePolicy(ctx context.Context, ref name.Reference, cip webhookcip.ClusterImagePolicy, remoteOpts ...ociremote.Option) (*PolicyResult, []error)
ValidatePolicy goes through all the Authorities for a given image/policy and succeeds if at least one Authority validated the signatures, or the attestations where attestations are specified. It returns a PolicyResult, or the errors encountered if none of the Authorities passed.
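The two-level design described above (first-level verification produces a PolicyResult; a second-level policy gates on it) is easiest to see with a concrete gate. The following is an added example, not code from this package: it mirrors the PolicySignature, AuthorityMatch and PolicyResult types locally (same field names and json tags as documented, so it runs offline without importing the module) and implements a hypothetical GateRule that requires a named attestation to have been verified by at least N authorities whose certificate identity carries a given issuer (and optionally subject). The JSON input is constructed for the example, and GateRule, Gate and ParseResult are not part of the package.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Local mirrors of the documented result types (assumption: the struct layout
// shown on this page), so the example compiles without the module.
type PolicySignature struct {
	Subject string `json:"subject"`
	Issuer  string `json:"issuer"`
}

type AuthorityMatch struct {
	Signatures   []PolicySignature            `json:"signatures"`
	Attestations map[string][]PolicySignature `json:"attestations"`
}

type PolicyResult struct {
	AuthorityMatches map[string]AuthorityMatch `json:"authorityMatches"`
}

// GateRule is a hypothetical second-level policy, not part of the package:
// RequiredAttestation must have been verified by at least MinAuthorities
// authorities, each with a certificate from AllowedIssuer (and, if set, AllowedSubject).
type GateRule struct {
	RequiredAttestation string
	AllowedIssuer       string
	AllowedSubject      string // empty means any subject issued by AllowedIssuer
	MinAuthorities      int    // the N in N-of-M
}

// ParseResult decodes a serialized PolicyResult; the json tags on the types
// make this the natural hand-off to a separate policy engine.
func ParseResult(data []byte) (*PolicyResult, error) {
	var pr PolicyResult
	if err := json.Unmarshal(data, &pr); err != nil {
		return nil, err
	}
	return &pr, nil
}

// Gate applies rule to an already-verified result and returns the sorted names
// of the authorities that satisfied it. It never re-verifies anything: every
// entry in AuthorityMatches has already passed its Authority's checks.
func Gate(pr *PolicyResult, rule GateRule) ([]string, error) {
	if pr == nil {
		return nil, errors.New("nil PolicyResult")
	}
	if rule.MinAuthorities < 1 {
		return nil, errors.New("MinAuthorities must be at least 1")
	}
	passing := []string{}
	for name, am := range pr.AuthorityMatches {
		// A signature-only match (Attestations empty) can never satisfy an
		// attestation rule, however it was signed; a nil map just yields no entries.
		for _, s := range am.Attestations[rule.RequiredAttestation] {
			if s.Issuer != rule.AllowedIssuer {
				continue
			}
			if rule.AllowedSubject != "" && s.Subject != rule.AllowedSubject {
				continue
			}
			passing = append(passing, name)
			break
		}
	}
	sort.Strings(passing)
	if len(passing) < rule.MinAuthorities {
		return passing, fmt.Errorf("attestation %q: %d of %d required authorities verified it with issuer %q",
			rule.RequiredAttestation, len(passing), rule.MinAuthorities, rule.AllowedIssuer)
	}
	return passing, nil
}

// SampleResult is constructed input, not real verifier output: three authorities
// passed first-level verification, but only "ci-keyless" verified a "vulnerability"
// attestation whose certificate came from the GitHub Actions OIDC issuer.
const SampleResult = `{
  "authorityMatches": {
    "ci-keyless": {"signatures": null, "attestations": {"vulnerability": [
      {"subject": "https://github.com/example/app/.github/workflows/scan.yaml@refs/heads/main",
       "issuer": "https://token.actions.githubusercontent.com"}]}},
    "dev-keyless": {"signatures": null, "attestations": {"vulnerability": [
      {"subject": "dev@example.com", "issuer": "https://accounts.google.com"}]}},
    "release-signature": {"signatures": [
      {"subject": "release@example.com", "issuer": "https://accounts.google.com"}], "attestations": null}
  }
}`

func main() {
	pr, err := ParseResult([]byte(SampleResult))
	if err != nil {
		panic(err)
	}
	rule := GateRule{RequiredAttestation: "vulnerability",
		AllowedIssuer: "https://token.actions.githubusercontent.com", MinAuthorities: 1}
	names, err := Gate(pr, rule)
	fmt.Println(names, err) // [ci-keyless] <nil>
}
```

Raising MinAuthorities to 2 makes the same input fail, because "dev-keyless" verified the attestation under a different issuer and "release-signature" only carries a signature. Which authority names appear as keys, and which identities they map to, is entirely decided by the ClusterImagePolicy's Authority configuration; the gate only reasons over that already-verified shape.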
type PolicySignature ¶ added in v1.8.0
type PolicySignature struct {
	// Subject that was found to match on the Cert.
	Subject string `json:"subject"`
	// Issuer that was found to match on the Cert.
	Issuer string `json:"issuer"`
}
PolicySignature contains a normalized result of a validated signature, where signature could be a signature on the Image (.sig) or on an Attestation (.att).
func ValidatePolicySignaturesForAuthority ¶ added in v1.8.0
func ValidatePolicySignaturesForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, remoteOpts ...ociremote.Option) ([]PolicySignature, error)
ValidatePolicySignaturesForAuthority takes the Authority and tries to verify a signature against it.
type Validator ¶
type Validator struct {
// contains filtered or unexported fields
}
func (*Validator) ResolveCronJob ¶ added in v1.3.0
ResolveCronJob implements duckv1.CronJobValidator
func (*Validator) ResolvePod ¶ added in v1.3.0
ResolvePod implements duckv1.PodValidator
func (*Validator) ResolvePodSpecable ¶ added in v1.3.0
ResolvePodSpecable implements duckv1.PodSpecValidator
func (*Validator) ValidateCronJob ¶ added in v1.3.0
ValidateCronJob implements duckv1.CronJobValidator
func (*Validator) ValidatePod ¶
ValidatePod implements duckv1.PodValidator
func (*Validator) ValidatePodSpecable ¶
ValidatePodSpecable implements duckv1.PodSpecValidator