GO-2023-1901: Pipelines do not validate child UIDs in github.com/tektoncd/pipeline

trustedresources

package

v0.47.5 Latest Latest Go to latest Published: Oct 19, 2023 License: Apache-2.0 Imports: 16 Imported by: 5

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/tektoncd/pipeline

Links

Open Source Insights

Documentation ¶

Overview ¶

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index ¶

Constants
Variables
func VerifyPipeline(ctx context.Context, pipelineObj *v1beta1.Pipeline, k8s kubernetes.Interface, ...) error
func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Interface, ...) error

Constants ¶

View Source

const (
	// SignatureAnnotation is the key of signature in annotation map
	SignatureAnnotation = "tekton.dev/signature"
)

Variables ¶

View Source

var (
	// ErrResourceVerificationFailed is returned when trusted resources fails verification.
	ErrResourceVerificationFailed = errors.New("resource verification failed")
	// ErrNoMatchedPolicies is returned when no policies are matched
	ErrNoMatchedPolicies = errors.New("no policies are matched")
	// ErrRegexMatch is returned when regex match returns error
	ErrRegexMatch = errors.New("regex failed to match")
)

Functions ¶

func VerifyPipeline ¶

func VerifyPipeline(ctx context.Context, pipelineObj *v1beta1.Pipeline, k8s kubernetes.Interface, refSourceURI string, verificationpolicies []*v1alpha1.VerificationPolicy) error

VerifyPipeline verifies the signature and public key against pipeline. Skip the verification when no policies are found and trusted-resources-verification-no-match-policy is set to ignore or warn Return an error when no policies are found and trusted-resources-verification-no-match-policy is set to fail, or the resource fails to pass matched enforce verification policy refSourceURI is from RefSource.URI, which will be used to match policy patterns. k8s is used to fetch secret from cluster

func VerifyTask ¶

func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Interface, refSourceURI string, verificationpolicies []*v1alpha1.VerificationPolicy) error

VerifyTask verifies the signature and public key against task. Skip the verification when no policies are found and trusted-resources-verification-no-match-policy is set to ignore or warn Return an error when no policies are found and trusted-resources-verification-no-match-policy is set to fail, or the resource fails to pass matched enforce verification policy refSourceURI is from RefSource.URI, which will be used to match policy patterns. k8s is used to fetch secret from cluster

Types ¶

This section is empty.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
verifier

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL