From b6c959bfacaf59dc339fffaba3264205f8cf0eb0 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary
Date: Mon, 18 Sep 2023 23:39:48 +0530
Subject: [PATCH] style: improve descriptions in notary verifier (#8444)

Signed-off-by: Vishal Choudhary
---
 pkg/notary/notary.go | 4 ++--
 pkg/notary/repository.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/notary/notary.go b/pkg/notary/notary.go
index 38dff2a667..3bea2c2033 100644
--- a/pkg/notary/notary.go
+++ b/pkg/notary/notary.go
@@ -167,7 +167,7 @@ func (v *notaryVerifier) FetchAttestations(ctx context.Context, opts images.Opti
 return nil, err
 }
 
- // See: https://github.com/kyverno/kyverno/security/advisories/GHSA-9g37-h7p2-2c6r
+ // This check ensures that the manifest does not have an abnormal amount of referrers attached to it to protect against compromised images
 if len(referrersDescs.Manifests) > maxReferrersCount {
 return nil, fmt.Errorf("failed to fetch referrers: to many referrers found, max limit is %d", maxReferrersCount)
 }
@@ -318,7 +318,7 @@ func extractStatement(ctx context.Context, repoRef name.Reference, desc v1.Descr
 }
 predicateDesc := manifest.Layers[0]
 
- // See: https://github.com/kyverno/kyverno/security/advisories/GHSA-wc3x-5rfv-hh5v
+ // This check ensures that the size of a layer isn't abnormally large to avoid malicious payloads
 if predicateDesc.Size > int64(maxPayloadSize) {
 return nil, fmt.Errorf("payload size is too large, max size is %d: %+v", maxPayloadSize, predicateDesc)
 }
diff --git a/pkg/notary/repository.go b/pkg/notary/repository.go
index 7ffebe4571..1aeeb41dcd 100644
--- a/pkg/notary/repository.go
+++ b/pkg/notary/repository.go
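Review bot: The replacement comment on the `+` line drops the GHSA identifier that tied this bound to its advisory, so a reader can no longer find the original report or the reasoning behind the limit; the same loss occurs in the `extractStatement` hunk (GHSA-wc3x-5rfv-hh5v) and in both `repository.go` hunks (GHSA-hjpv-68f4-2262, GHSA-4mp4-46gq-hv3r). Keeping the description and the reference together costs nothing, e.g. `// Bound the number of referrers so a compromised image or registry cannot make the verifier walk an unbounded list (see GHSA-9g37-h7p2-2c6r).` The unchanged error string inside the `if` body also reads `to many referrers` and should be `too many referrers`; the same string appears in `ListSignatures`, and its `failed to fetch referrers` prefix is misleading since the fetch succeeded and it is the limit that was exceeded. `FetchAttestations` begins before this hunk.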
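Review bot: The new comment in `extractStatement` describes the guard as avoiding malicious payloads, but the condition only compares `predicateDesc.Size`, the length declared in the manifest the registry served; unless the read that follows (outside this hunk) is itself limited to `maxPayloadSize`, a response that carries more bytes than the descriptor declares is not caught here. Worth confirming that the blob fetch uses a bounded reader or checks the bytes actually read, and the same question applies to `manifestDesc.Size` in `FetchSignatureBlob` in `repository.go`. The comment could state what this line actually enforces: `// Reject layers whose declared size exceeds maxPayloadSize before fetching them; the fetch itself must still bound what it reads.` `extractStatement` starts before this hunk and continues after it.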
@@ -50,7 +50,7 @@ func (c *repositoryClient) ListSignatures(ctx context.Context, desc ocispec.Desc
 return err
 }
 
- // See: https://github.com/kyverno/kyverno/security/advisories/GHSA-hjpv-68f4-2262
+ // This check ensures that the manifest does not have an abnormal amount of referrers attached to it to protect against compromised images
 if len(referrersDescs.Manifests) > maxReferrersCount {
 return fmt.Errorf("failed to fetch referrers: to many referrers found, max limit is %d", maxReferrersCount)
 }
@@ -86,7 +86,7 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
 }
 manifestDesc := manifest.Layers[0]
 
- // See: https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r
+ // This check ensures that the size of a layer isn't abnormally large to avoid malicious payloads
 if manifestDesc.Size > int64(maxPayloadSize) {
 return nil, ocispec.Descriptor{}, fmt.Errorf("payload size is too large, max size is %d: %+v", maxPayloadSize, manifestDesc)
 }