mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-05 07:26:55 +00:00
fix: critical docker vulnerability in release 1.11 (#10762)
* fix: critical docker vulnerability in release 1.11 Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update scaffolding version Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: notary tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
parent
0a51e10130
commit
4816b7cad8
5 changed files with 10 additions and 15 deletions
12
.github/workflows/conformance.yaml
vendored
|
@ -513,10 +513,6 @@ jobs:
|
||||||
- standard
|
- standard
|
||||||
- custom-sigstore
|
- custom-sigstore
|
||||||
k8s-version:
|
k8s-version:
|
||||||
- name: v1.25
|
|
||||||
version: v1.25.x
|
|
||||||
- name: v1.26
|
|
||||||
version: v1.26.x
|
|
||||||
- name: v1.27
|
- name: v1.27
|
||||||
version: v1.27.x
|
version: v1.27.x
|
||||||
- name: v1.28
|
- name: v1.28
|
||||||
|
@ -534,11 +530,11 @@ jobs:
|
||||||
with:
|
with:
|
||||||
build-cache-key: run-conformance
|
build-cache-key: run-conformance
|
||||||
- name: Create kind cluster and setup Sigstore Scaffolding
|
- name: Create kind cluster and setup Sigstore Scaffolding
|
||||||
uses: sigstore/scaffolding/actions/setup@d120ad89e1f5c9d4a0bbd92959c6874be2a2131d
|
uses: sigstore/scaffolding/actions/setup@634364a897dff805b1a26ab18abaefe379616785
|
||||||
with:
|
with:
|
||||||
version: 'v0.6.8'
|
version: main
|
||||||
k8s-version: ${{ matrix.k8s-version.version }}
|
k8s-version: ${{ matrix.k8s-version.version }}
|
||||||
knative-version: '1.10.0'
|
knative-version: "1.10.0"
|
||||||
- name: Create TUF values config map
|
- name: Create TUF values config map
|
||||||
run: |
|
run: |
|
||||||
kubectl create namespace kyverno
|
kubectl create namespace kyverno
|
||||||
|
@ -740,4 +736,4 @@ jobs:
|
||||||
- check-tests
|
- check-tests
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- run: echo "Required jobs success!"
|
- run: echo "Required jobs success!"
|
||||||
|
|
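Review bot: `version: main` on the "Create kind cluster and setup Sigstore Scaffolding" step is a moving reference: the action itself is pinned to a commit SHA, but the scaffolding it installs into the kind cluster is presumably resolved from that branch at run time, so conformance runs are no longer reproducible and the CI supply-chain surface grows. If a released scaffolding version works with the new action SHA, pin it, e.g. `version: 'vX.Y.Z'  # placeholder: release matching the pinned action commit`; if `main` is genuinely required, add a comment on that line saying why. The first hunk also drops v1.25 and v1.26 from the `k8s-version` matrix with no explanation; a one-line comment such as `# v1.25/v1.26 dropped: not supported by the updated scaffolding setup` (if that is the reason) would record it for the next maintainer.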
2
go.mod
|
@ -187,7 +187,7 @@ require (
|
||||||
github.com/djherbis/times v1.5.0 // indirect
|
github.com/djherbis/times v1.5.0 // indirect
|
||||||
github.com/docker/cli v24.0.7+incompatible // indirect
|
github.com/docker/cli v24.0.7+incompatible // indirect
|
||||||
github.com/docker/distribution v2.8.3+incompatible // indirect
|
github.com/docker/distribution v2.8.3+incompatible // indirect
|
||||||
github.com/docker/docker v24.0.7+incompatible // indirect
|
github.com/docker/docker v26.1.4+incompatible // indirect
|
||||||
github.com/docker/docker-credential-helpers v0.8.1 // indirect
|
github.com/docker/docker-credential-helpers v0.8.1 // indirect
|
||||||
github.com/dustin/go-humanize v1.0.1 // indirect
|
github.com/dustin/go-humanize v1.0.1 // indirect
|
||||||
github.com/ebitengine/purego v0.6.0-alpha // indirect
|
github.com/ebitengine/purego v0.6.0-alpha // indirect
|
||||||
|
|
4
go.sum
|
@ -436,8 +436,8 @@ github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1x
|
||||||
github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
|
github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
|
||||||
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
|
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
|
||||||
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
|
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
|
||||||
github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
|
github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
|
||||||
github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
||||||
github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
|
github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
|
||||||
github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
|
github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
|
||||||
github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
|
github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
|
||||||
|
|
|
@ -35,7 +35,7 @@ uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestExtractStatements(t *testing.T) {
|
func TestExtractStatements(t *testing.T) {
|
||||||
imageRef := "jimnotarytest.azurecr.io/jim/net-monitor:v1"
|
imageRef := "ghcr.io/kyverno/test-verify-image:signed"
|
||||||
ref, err := name.ParseReference(imageRef)
|
ref, err := name.ParseReference(imageRef)
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
repoDesc, err := remote.Head(ref)
|
repoDesc, err := remote.Head(ref)
|
||||||
|
|
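Review bot: `imageRef` in TestExtractStatements now names the mutable tag `ghcr.io/kyverno/test-verify-image:signed` and resolves it over the network with `remote.Head(ref)`, so a re-push of that tag silently changes which artifact the signature test exercises. The package-level `imageRef` in the next test file section has the same issue, and TestResolve there hard-codes the digest the tag is expected to resolve to. Referencing the image by digest keeps the two in step, e.g. `imageRef := "ghcr.io/kyverno/test-verify-image@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"`, assuming that value is the manifest digest of `:signed` as the TestResolve assertion suggests. The body of TestExtractStatements continues outside the hunk.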
|
@ -12,7 +12,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
imageRef = "jimnotarytest.azurecr.io/jim/net-monitor:v1"
|
imageRef = "ghcr.io/kyverno/test-verify-image:signed"
|
||||||
ctx = context.Background()
|
ctx = context.Background()
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@ func TestResolve(t *testing.T) {
|
||||||
|
|
||||||
desc, err := repositoryClient.Resolve(ctx, repoDesc.Digest.String())
|
desc, err := repositoryClient.Resolve(ctx, repoDesc.Digest.String())
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
assert.Equal(t, desc.Digest.String(), "sha256:ba7000206594c2d72c3ab550453004c0dc50961157e5ebd2fb8ea1890099d02d")
|
assert.Equal(t, desc.Digest.String(), "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105")
|
||||||
assert.Equal(t, desc.MediaType, "application/vnd.docker.distribution.manifest.v2+json")
|
assert.Equal(t, desc.MediaType, "application/vnd.docker.distribution.manifest.v2+json")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -78,7 +78,6 @@ func TestFetchSignatureBlob(t *testing.T) {
|
||||||
_, desc, err := repositoryClient.FetchSignatureBlob(ctx, v1ToOciSpecDescriptor(d))
|
_, desc, err := repositoryClient.FetchSignatureBlob(ctx, v1ToOciSpecDescriptor(d))
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
assert.Equal(t, desc.MediaType, "application/jose+json")
|
assert.Equal(t, desc.MediaType, "application/jose+json")
|
||||||
assert.Equal(t, desc.Digest.String(), "sha256:746134b09f89451497668c598857d87ca660bb3d0b888832235c460d8d2697f3")
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
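Review bot: TestFetchSignatureBlob no longer checks which signature blob was fetched: the `desc.Digest.String()` assertion is gone rather than updated for the new image, leaving only the `application/jose+json` media-type check. Any JOSE blob returned for the descriptor would now pass, which weakens the test for a signature-verification path. If the signature attached to `ghcr.io/kyverno/test-verify-image:signed` is stable, restore the check with its digest, `assert.Equal(t, desc.Digest.String(), "sha256:<signature-blob-digest>")` (placeholder; take the value from the registry); if it is expected to vary, a comment above the media-type assertion saying so would explain the gap. The function starts outside the hunk.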