commit 7c4e824b1d586f46afb1d0245e463a6988b4fc975f643f0b5daa113ed1a68c56
Author: Adrian Schröter
Date: Thu Nov 28 17:50:27 2024 +0100
Sync from SUSE:SLFO:Main vexctl revision 8be39ec989898fffab89bc635f5b67d0
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/_service b/_service
new file mode 100644
index 0000000..5719603
--- /dev/null
+++ b/_service
@@ -0,0 +1,19 @@
+
+
+ https://github.com/openvex/vexctl.git
+ git
+ .git
+ v0.3.0
+ @PARENT_TAG@
+ enable
+ v(.*)
+
+
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..6832cba
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/openvex/vexctl.git
+ c613023a69ce990a54c25c2f5e69d5d78285927f
\ No newline at end of file
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..de5bfad
--- /dev/null
+++ b/vendor.tar.gz
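Review bot: The checkout is pinned by the tag `v0.3.0` (the XML tags were stripped in this rendering, so parameter names are inferred from the values; this appears to be obs_scm's `revision`), while the commit actually fetched, `c613023a69ce990a54c25c2f5e69d5d78285927f`, is recorded only in `_servicedata`. A tag can be moved upstream, so a later service re-run would silently follow it and build different sources under the same version string. Pinning the commit instead, `<param name="revision">c613023a69ce990a54c25c2f5e69d5d78285927f</param>`, with `versionformat` left at `@PARENT_TAG@`, fixes the content while keeping the version derived from the tag.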
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93cdc277d86de552eee35f70b45c9a8abe145bc95c6511d3604c623c06030954
+size 11870657
diff --git a/vexctl-0.3.0.tar.gz b/vexctl-0.3.0.tar.gz
new file mode 100644
index 0000000..30233fc
--- /dev/null
+++ b/vexctl-0.3.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9c382bb4a0955391fd9a5824afd9dba60994046d9af892129ebbab32c43404cc
+size 226241
diff --git a/vexctl.changes b/vexctl.changes
new file mode 100644
index 0000000..ff21a07
--- /dev/null
+++ b/vexctl.changes
@@ -0,0 +1,280 @@
+-------------------------------------------------------------------
+Tue Sep 10 01:45:26 UTC 2024 - Jeff Kowalczyk
+
+- Update to version 0.3.0:
+ * Bump github.com/sigstore/sigstore from 1.8.8 to 1.8.9 in the all group
+ * Bump actions/upload-artifact from 4.3.6 to 4.4.0 in the all group
+ * Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 in the all group
+ * Bump github.com/sigstore/cosign/v2 from 2.3.0 to 2.4.0
+ * Bump the all group with 2 updates
+ * Bump actions/upload-artifact from 4.3.5 to 4.3.6 in the all group
+ * Bump actions/upload-artifact from 4.3.4 to 4.3.5 in the all group
+ * test: add a leading slash to repository_url
+ * Update pkg/ctl/implementation.go
+ * Fix OCI repository URL resolution
+ * Bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 in the all group
+ * Bump github.com/docker/docker in the go_modules group
+ * Bump sigs.k8s.io/release-utils from 0.8.3 to 0.8.4 in the all group
+ * Bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.3.0
+ * Bump softprops/action-gh-release from 2.0.7 to 2.0.8 in the all group
+ * update go.mod to 1.22.5
+ * update golanci-lint
+ * Bump github.com/google/go-containerregistry in the all group
+ * Bump softprops/action-gh-release from 2.0.6 to 2.0.7 in the all group
+ * Bump github.com/sigstore/sigstore from 1.8.6 to 1.8.7 in the all group
+ * Improve the generated template README
+ * Add support to vulnerability aliases
+ * Fix Copyright in Boilerplates
+ * Bump actions/setup-go from 5.0.1 to 5.0.2 in the all group
+ * Bump google.golang.org/grpc in the go_modules group
+ * Bump github.com/google/go-containerregistry from 0.19.2 to 0.20.0
+ * Bump sigs.k8s.io/release-utils from 0.8.2 to 0.8.3 in the all group
+ * Prevent from specifying subcomponents when multiple products are defined
+ * fix(create): support multiple --product flags
+ * Bump go to 1.22.4
+ * Bump github.com/sigstore/sigstore in the all group across 1 directory
+ * Bump actions/upload-artifact from 4.3.3 to 4.3.4 in the all group
+ * Bump github.com/hashicorp/go-retryablehttp in the go_modules group
+ * Bump softprops/action-gh-release from 2.0.5 to 2.0.6 in the all group
+ * Bump ko-build/setup-ko from 0.6 to 0.7 in the all group
+ * Bump the all group with 2 updates
+ * Bump actions/checkout from 4.1.6 to 4.1.7 in the all group
+ * Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0
+ * update installation methods with homebrew
+ * Bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 in the all group
+ * Bump github.com/package-url/packageurl-go in the all group
+ * Bump actions/checkout from 4.1.5 to 4.1.6 in the all group
+ * Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 in the all group
+ * Bump golangci/golangci-lint-action from 6.0.0 to 6.0.1 in the all group
+ * Bump sigs.k8s.io/release-utils from 0.8.1 to 0.8.2 in the all group
+ * Bump golangci/golangci-lint-action from 5.3.0 to 6.0.0
+ * Bump softprops/action-gh-release from 2.0.4 to 2.0.5 in the all group
+ * Bump the all group with 2 updates
+ * Bump actions/setup-go from 5.0.0 to 5.0.1 in the all group
+ * Bump kubernetes-sigs/release-actions in the all group
+ * Bump golangci/golangci-lint-action from 5.0.0 to 5.1.0 in the all group
+ * Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0
+ * Bump actions/checkout from 4.1.3 to 4.1.4 in the all group
+ * Bump actions/upload-artifact from 4.3.2 to 4.3.3 in the all group
+ * Bump actions/checkout from 4.1.2 to 4.1.3 in the all group
+ * Bump golang.org/x/net from 0.22.0 to 0.23.0 in the go_modules group
+ * Bump actions/upload-artifact from 4.3.1 to 4.3.2 in the all group
+ * Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 in the all group
+ * Bump github.com/sigstore/cosign/v2 from 2.2.3 to 2.2.4
+ * Bump sigs.k8s.io/release-utils from 0.8.0 to 0.8.1 in the all group
+ * Add support for Golang GO-* vulnerability identifier
+ * Bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.0
+ * Bump the all group with 1 update
+ * run attest in prs to test the entire release flow
+ * Bump the all group with 1 update
+ * Bump the all group with 1 update
+ * fix lints
+ * group dependabot updates
+ * upgrade to go1.22
+ * Bump google.golang.org/protobuf from 1.32.0 to 1.33.0
+ * Bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3
+ * Bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3
+ * Bump github.com/docker/docker
+ * Bump kubernetes-sigs/release-actions from 0.1.3 to 0.1.4
+ * Bump github.com/google/go-containerregistry from 0.19.0 to 0.19.1
+ * Update release.yaml
+ * Bump softprops/action-gh-release from 2.0.3 to 2.0.4
+ * Bump actions/checkout from 4.1.1 to 4.1.2
+ * Bump softprops/action-gh-release from 1 to 2
+ * Bump github.com/stretchr/testify from 1.8.4 to 1.9.0
+ * Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0
+ * Bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2
+ * Bump github.com/sigstore/rekor from 1.3.4 to 1.3.5
+ * Bump github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3
+ * Bump sigstore/cosign-installer from 3.3.0 to 3.4.0
+ * Bump github.com/google/go-containerregistry from 0.18.0 to 0.19.0
+ * Bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1
+ * Bump github.com/google/go-containerregistry from 0.17.0 to 0.18.0
+ * Bump kubernetes-sigs/release-actions from 0.1.2 to 0.1.3
+ * Bump github.com/sigstore/sigstore from 1.7.6 to 1.8.0
+ * Fix linter errors
+
+-------------------------------------------------------------------
+Fri Dec 15 11:21:35 UTC 2023 - Jeff Kowalczyk
+
+- Update to version 0.2.6:
+ * Add generate test fixtures
+ * Add generate subcommand
+ * Add generate --init test
+ * Add generate --init flag
+ * Only read openvex files as templates
+ * vexctl generate
+ * Add Generate method
+ * Add ReadTemplateData() function
+ * Bump sigstore/cosign-installer from 3.2.0 to 3.3.0
+ * Bump actions/setup-go from 4.1.0 to 5.0.0
+ * go mod tidy
+ * Attach: Add OCI annotations for keyless verification
+ * Sign: Upload to tlog and capture sig data
+ * Bump github.com/sigstore/cosign/v2 from 2.2.1 to 2.2.2
+ * Update examples to v0.2.0
+ * add: Split out of cmd validation logic
+ * addOptions validation test
+ * vexctl add: Fix bug when writing docs in-place
+ * Bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6
+ * Move release actions to kubernetes-sigs
+ * Bump github.com/google/go-containerregistry from 0.16.1 to 0.17.0
+ * add boilerplate headers
+ * add snapshot job
+ * cleanup
+ * add sboms and revamp the provanance with k8s-release actions tools
+ * bump golangci-lint to v1.55.x
+
+-------------------------------------------------------------------
+Wed Nov 15 01:17:40 UTC 2023 - Jeff Kowalczyk
+
+- Update to version 0.2.5:
+ * Bump sigs.k8s.io/release-utils from 0.7.6 to 0.7.7
+ * Bump github.com/sigstore/cosign/v2 from 2.2.0 to 2.2.1
+ * Bump sigstore/cosign-installer from 3.1.2 to 3.2.0
+ * Bump github.com/spf13/cobra from 1.7.0 to 1.8.0
+ * Bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6
+ * Bump github.com/sigstore/sigstore from 1.7.4 to 1.7.5
+ * update version comments
+ * Bump actions/checkout from 4.1.0 to 4.1.1
+ * Bump github.com/sigstore/sigstore from 1.7.3 to 1.7.4
+ * Attest: Add refs flag, improve help and command
+ * Split intoto subj normlzatn into image and other
+ * Reuse hashes from existing VEX products
+ * Reuse purl hashes in product
+ * Bump sigs.k8s.io/release-utils from 0.7.4 to 0.7.5
+ * Update README examples to v0.2.0
+ * Bump github.com/package-url/packageurl-go from 0.1.1 to 0.1.2
+ * Bump actions/checkout from 4.0.0 to 4.1.0
+ * Factor out document write logic
+ * Add add subcommand
+ * Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0
+ * fix lints
+ * upgrade to go1.21
+ * Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0
+ * Add options validation tests
+ * Make out file option reusable
+ * Create vex statements from st options
+ * Refactor commands and options
+ * Bump actions/checkout from 3.6.0 to 4.0.0
+ * Bump sigstore/cosign-installer from 3.1.1 to 3.1.2
+ * Bump github.com/sigstore/sigstore from 1.7.2 to 1.7.3
+ * Bump github.com/sigstore/cosign/v2 from 2.1.1 to 2.2.0
+ * Update show to list
+ * show subcommand creation for review
+ * go.mod: Pull go-vex@v0.2.5
+ * Revamp tests for v0.2.2 add more fixtures
+ * Update vexctl implementation to v0.2.0
+ * Update vexctl create to v0.2.0
+ * Rename test fixtures to versioned filenames
+ * Drop depguard from golangci lint
+ * Bump actions/checkout from 3.5.3 to 3.6.0
+ * Bump slsa-framework/slsa-github-generator from 1.8.0 to 1.9.0
+ * Update SARIF filtering examples
+ * Update verify.yaml
+ * Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0
+ * Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0
+ * Bump github.com/sigstore/sigstore from 1.7.1 to 1.7.2
+ * Bump actions/setup-go from 4.0.1 to 4.1.0
+ * Bump slsa-framework/slsa-github-generator from 1.7.0 to 1.8.0
+ * Bump github.com/google/go-containerregistry from 0.15.2 to 0.16.1
+
+-------------------------------------------------------------------
+Fri Jul 21 18:35:07 UTC 2023 - Jeff Kowalczyk
+
+- Update to version 0.2.3:
+ * Rename artifacts to vexctl
+ * refactor release job
+ * fix deprecated flag
+ * Add ko installer to release workflow
+ * Add missing ldflags script
+ * go.mod: Pull go-vex v0.2.1
+ * Drop deprecated vex.StatementFromID
+ * Bump github.com/secure-systems-lab/go-securesystemslib
+ * Fix --subcomponents flag
+ * Add support for PRISMA- identifiers
+ * Bump github.com/sigstore/cosign/v2 from 2.1.0 to 2.1.1
+ * Bump sigstore/cosign-installer from 3.1.0 to 3.1.1
+ * Bump sigstore/cosign-installer from 3.0.5 to 3.1.0
+ * Bump github.com/sigstore/cosign/v2
+ * Bump github.com/sigstore/sigstore from 1.7.0 to 1.7.1
+ * Pull go-vex @ HEAD
+ * Use vex.Open instead of vex.Load to support multi format vex
+ * Add initial CSAF example files
+ * Add OpenVEX examples
+ * vexctl create: add --impaact-statement
+ * filter: Drop debug messages, improve output
+ * Add RUSTSEC, GHSA, RHSA to known identifiers
+ * Bump github.com/package-url/packageurl-go from 0.1.0 to 0.1.1
+ * Bump github.com/sigstore/sigstore from 1.6.5 to 1.7.0
+ * Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0
+ * Bump golangci/golangci-lint-action from 3.5.0 to 3.6.0
+ * Bump actions/checkout from 3.5.2 to 3.5.3
+ * Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0
+ * Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3
+ * Bump golangci/golangci-lint-action from 3.4.0 to 3.5.0
+ * Bump github.com/sigstore/sigstore from 1.6.4 to 1.6.5
+ * Bump github.com/stretchr/testify from 1.8.3 to 1.8.4
+ * Bump github.com/stretchr/testify from 1.8.2 to 1.8.3
+ * Bump sigstore/cosign-installer from 3.0.4 to 3.0.5
+ * Bump github.com/google/go-containerregistry from 0.15.1 to 0.15.2
+ * Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2
+ * Bump sigstore/cosign-installer from 3.0.3 to 3.0.4
+ * Bump sigs.k8s.io/release-utils from 0.7.3 to 0.7.4
+ * Bump actions/setup-go from 4.0.0 to 4.0.1
+ * fix lints
+ * bump to go 1.20 and update some dependencies
+ * Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0
+ * Bump github.com/sigstore/sigstore from 1.6.3 to 1.6.4
+ * Bump github.com/in-toto/in-toto-golang from 0.8.0 to 0.9.0
+ * Bump github.com/sigstore/cosign/v2 from 2.0.1 to 2.0.2
+ * Bump github.com/in-toto/in-toto-golang from 0.7.1 to 0.8.0
+ * Bump github.com/sigstore/sigstore from 1.6.2 to 1.6.3
+ * Bump sigstore/cosign-installer from 3.0.2 to 3.0.3
+ * Bump actions/checkout from 3.5.1 to 3.5.2
+ * Bump actions/checkout from 3.5.0 to 3.5.1
+ * Bump github.com/sigstore/sigstore from 1.6.1 to 1.6.2
+ * Bump sigstore/cosign-installer from 3.0.1 to 3.0.2
+ * Bump github.com/sigstore/cosign/v2
+ * Bump github.com/sigstore/sigstore from 1.6.0 to 1.6.1
+ * Bump github.com/in-toto/in-toto-golang from 0.7.0 to 0.7.1
+ * Bump github.com/spf13/cobra from 1.6.1 to 1.7.0
+ * Bump actions/checkout from 3.4.0 to 3.5.0
+ * Bump actions/setup-go from 3.5.0 to 4.0.0
+ * Bump github.com/google/go-containerregistry
+ * Bump actions/checkout from 3.3.0 to 3.4.0
+ * set cosign yes env var
+ * Bump sigstore/cosign-installer from 2.8.1 to 3.0.1
+ * update dependencies and cosign to v2
+ * Bump github.com/stretchr/testify from 1.8.1 to 1.8.2
+ * Bump slsa-framework/slsa-github-generator from 1.4.0 to 1.5.0
+ * Bump github.com/sigstore/sigstore from 1.5.1 to 1.5.2
+ * Bump github.com/in-toto/in-toto-golang
+ * Bump github.com/openvex/go-vex
+ * Fix broken parameters
+ * Fix examples based on actual command output
+ * Update maintainers to match community
+ * Add boilerplate to newfile
+ * Add unit test to references verifier
+ * Ensure attested refs are in doc
+ * --attach implies --sign
+ * Update attest subcm help
+ * Drop attestation targets from CLI
+ * Add test for ListDocumentProducts
+ * Rework attestation code
+ * go mod: pull purl module
+ * Add images test document
+ * Add test for NormalizeImageRefs
+ * Bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0
+ * Fix exmple and testdata
+ * Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0
+ * Bump golangci/golangci-lint-action from 3.3.1 to 3.4.0
+ * fix: missing metadata on document merge
+ * small fixes
+ * add provenance and refactor release job
+ * build vexctl image using ko
+ * Add initial MAINTAINERS.md
+ * update license headers
+ * More improvements to README
+ * Update README
+ * Bump github.com/sigstore/sigstore from 1.5.0 to 1.5.1
diff --git a/vexctl.spec b/vexctl.spec
new file mode 100644
index 0000000..e12538b
--- /dev/null
+++ b/vexctl.spec
@@ -0,0 +1,62 @@
+#
+# spec file for package vexctl
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: vexctl
+Version: 0.3.0
+Release: 0
+Summary: CLI tool to create, transform and attest VEX metadata
+License: Apache-2.0
+Group: Productivity/Security
+URL: https://github.com/openvex/vexctl
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+BuildRequires: golang(API) >= 1.23
+
+%description
+vexctl is a CLI tool to create, apply, and attest VEX (Vulnerability
+Exploitability eXchange) data. Its purpose is to help with the creation and
+management of VEX documents that allow "turning off" security scanner alerts of
+vulnerabilities known not to affect a product.
+
+VEX can be thought of as a "negative security advisory". Using VEX, software
+authors can communicate to their users that an otherwise vulnerable component
+has no security implications for their product.
+
+%prep
+%autosetup -a 1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+go build
+
+%check
+# execute the binary as a basic check
+./%{name} --help
+
+%install
+# Install the binary.
+install -D -m 0755 %{name} "%{buildroot}/%{_bindir}/%{name}"
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/%{name}
+
+%changelog
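Review bot: `%check` only runs `./%{name} --help`, so none of the unit tests shipped in the tarball are exercised even though the vendor tree unpacked by `%autosetup -a 1` lets them run offline against the same sources as the build; `go test ./...` would be the natural check, with any test that needs network access excluded via `-skip` rather than dropping the step entirely. `%build` also sets no `-trimpath`, so build-root paths end up in the binary and the result is not reproducible across build hosts; moving the unconditional part above the arch guard, `export GOFLAGS="-trimpath"` followed by the existing `%ifnarch ppc64` block appending `-buildmode=pie`, keeps both. The changelog's "Add missing ldflags script" entry suggests upstream injects version metadata at link time, so a bare `go build` likely leaves the tool's version reporting empty; worth confirming and, if so, passing the corresponding `-ldflags` with `%{version}`.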