Affected by GO-2024-2582 and 4 other vulnerabilities

GO-2024-2582: Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder

GO-2024-2864: Denial of service of Minder Server with attacker-controlled REST endpoint in github.com/stacklok/minder

GO-2024-2871: Stacklok Minder vulnerable to denial of service from maliciously crafted templates in github.com/stacklok/minder

GO-2024-2885: Denial of service of Minder Server from maliciously crafted GitHub attestations in github.com/stacklok/minder

GO-2024-2934: Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder

verifier

package

v0.0.28 Latest Latest Go to latest Published: Feb 2, 2024 License: Apache-2.0 Imports: 10 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/stacklok/minder

Links

Open Source Insights

Documentation ¶

Overview ¶

Package verifier provides a client for verifying various types of artifacts against various provenance mechanisms

Index ¶

Constants
func GetSignatureTag(tags []string) string
type ArtifactRegistry
type ArtifactType
type ArtifactVerifier
type Result
- func (r *Result) SignatureInfoProto() *pb.SignatureVerification
- func (r *Result) WorkflowInfoProto() *pb.GithubWorkflow
type Type
type Verifier
- func NewVerifier(verifier Type, verifierURL string, containerAuth ...container.AuthMethod) (*Verifier, error)
- func (v *Verifier) ClearCache()
- func (v *Verifier) Verify(ctx context.Context, artifactType ArtifactType, registry ArtifactRegistry, ...) (*Result, error)

Constants ¶

View Source

const (
	// ArtifactSignatureSuffix is the suffix for the signature tag
	ArtifactSignatureSuffix = ".sig"
	// LocalCacheDir is the local cache directory for the verifier
	LocalCacheDir = "/tmp/minder-cache"
)

Variables ¶

This section is empty.

Functions ¶

func GetSignatureTag ¶

func GetSignatureTag(tags []string) string

GetSignatureTag returns the signature tag for a given image, if exists, otherwise empty string

Types ¶

type ArtifactRegistry ¶

type ArtifactRegistry string

ArtifactRegistry supported artifact registries

const (
	// ArtifactRegistryGHCR is the GitHub Container Registry
	ArtifactRegistryGHCR ArtifactRegistry = "ghcr.io"
)

type ArtifactType ¶

type ArtifactType string

ArtifactType represents the type of artifact, i.e., container, npm, etc.

const (
	// ArtifactTypeContainer is a container artifact
	ArtifactTypeContainer ArtifactType = "container"
)

type ArtifactVerifier ¶

type ArtifactVerifier interface {
	VerifyContainer(ctx context.Context,
		registry, owner, artifact, version string) (
		sigInfo json.RawMessage, workflowInfo json.RawMessage, err error)
}

ArtifactVerifier is the interface for artifact verifiers

type Result ¶

type Result struct {
	SignatureInfo json.RawMessage
	WorkflowInfo  json.RawMessage
	URI           string
}

Result is the result of the verification

func (*Result) SignatureInfoProto ¶

func (r *Result) SignatureInfoProto() *pb.SignatureVerification

SignatureInfoProto returns the signature info as a SignatureVerification protobuf

func (*Result) WorkflowInfoProto ¶

func (r *Result) WorkflowInfoProto() *pb.GithubWorkflow

WorkflowInfoProto returns the workflow info as a GithubWorkflow protobuf

type Type ¶

type Type string

Type represents the type of verifier, i.e., sigstore, slsa, etc.

const (
	// VerifierSigstore is the sigstore verifier
	VerifierSigstore Type = "sigstore"
)

type Verifier ¶

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier is the object that verifies artifacts

func NewVerifier ¶

func NewVerifier(verifier Type, verifierURL string, containerAuth ...container.AuthMethod) (*Verifier, error)

NewVerifier creates a new Verifier object

func (*Verifier) ClearCache ¶

func (v *Verifier) ClearCache()

ClearCache cleans up the verifier cache directory and all its contents This is temporary until sigstore-go supports in-memory verification

func (*Verifier) Verify ¶

func (v *Verifier) Verify(ctx context.Context, artifactType ArtifactType, registry ArtifactRegistry,
	owner, artifact, version string) (*Result, error)

Verify verifies an artifact

Source Files ¶

View all Source files

verifier.go

Directories ¶

Path	Synopsis
sigstore Package sigstore provides a client for verifying artifacts using sigstore	Package sigstore provides a client for verifying artifacts using sigstore
container Package container provides the tools to verify a container artifact using sigstore	Package container provides the tools to verify a container artifact using sigstore

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL