Headline
CVE-2022-35930: Merge pull request from GHSA-739f-hw6h-7wq8 · sigstore/policy-controller@e852af3
PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (–type defaults to “custom”). An example image that can be used to test this is ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.
@@ -1511,21 +1511,20 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw== passKeyless := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) { // This is from 2022/07/29 // ghcr.io/distroless/static@sha256:a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8 payload := []byte(`{"critical":{"identity":{"docker-reference":"ghcr.io/distroless/static"},"image":{"docker-manifest-digest":"sha256:a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8"},"type":"cosign container image signature"},"optional":{"run_attempt":"1","run_id":"2757953139","sha":"7e7572e578de7c51a2f1a1791f025cf315503aa2"}}`) b64sig := “MEUCIAmudMKGDWEpufGGqrMgeei7KVdpZwhc6clqMaMaw6lyAiEA3JnLUqV3wtKDERcVy8OjMGopJY7IZ8lfks5zEAjlnW0=” set, err := base64.StdEncoding.DecodeString(“MEUCIAOMBR9Gh7laJtdvU9+JqK/AiTps8/tzviDzkvfMQqn4AiEAs553xG1bvlIu3aGERoPRf+oR3MfZTIM9M4nQrGeW8D4=”) payload := []byte(`{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJjb3NpZ24uc2lnc3RvcmUuZGV2L2F0dGVzdGF0aW9uL3Z1bG4vdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZ2hjci5pby9kaXN0cm9sZXNzL3N0YXRpYyIsImRpZ2VzdCI6eyJzaGEyNTYiOiJhMWU4MmY2YTVmNmRmYzczNTE2NWQzNDQyZTdjYzVhNjE1ZjcyYWJhYzNkYjE5NDUyNDgxZjVmM2M5MGZiZmE4In19XSwicHJlZGljYXRlIjp7Imludm9jYXRpb24iOnsicGFyYW1ldGVycyI6bnVsbCwidXJpIjoiaHR0cHM6Ly9naXRodWIuY29tL2Rpc3Ryb2xlc3Mvc3RhdGljL2FjdGlvbnMvcnVucy8yNzU3OTUzMTM5IiwiZXZlbnRfaWQiOiIyNzU3OTUzMTM5IiwiYnVpbGRlci5pZCI6IkNyZWF0ZSBSZWxlYXNlIn0sInNjYW5uZXIiOnsidXJpIjoiaHR0cHM6Ly9naXRodWIuY29tL2FxdWFzZWN1cml0eS90cml2eSIsInZlcnNpb24iOiIwLjI5LjIiLCJkYiI6eyJ1cmkiOiIiLCJ2ZXJzaW9uIjoiIn0sInJlc3VsdCI6eyIkc2NoZW1hIjoiaHR0cHM6Ly9qc29uLnNjaGVtYXN0b3JlLm9yZy9zYXJpZi0yLjEuMC1ydG0uNS5qc29uIiwicnVucyI6W3siY29sdW1uS2luZCI6InV0ZjE2Q29kZVVuaXRzIiwib3JpZ2luYWxVcmlCYXNlSWRzIjp7IlJPT1RQQVRIIjp7InVyaSI6ImZpbGU6Ly8vIn19LCJyZXN1bHRzIjpbXSwidG9vbCI6eyJkcml2ZXIiOnsiZnVsbE5hbWUiOiJUcml2eSBWdWxuZXJhYmlsaXR5IFNjYW5uZXIiLCJpbmZvcm1hdGlvblVyaSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hcXVhc2VjdXJpdHkvdHJpdnkiLCJuYW1lIjoiVHJpdnkiLCJydWxlcyI6W10sInZlcnNpb24iOiIwLjI5LjIifX19XSwidmVyc2lvbiI6IjIuMS4wIn19LCJtZXRhZGF0YSI6eyJzY2FuU3RhcnRlZE9uIjoiMjAyMi0wNy0yOVQwMjoyODo0MloiLCJzY2FuRmluaXNoZWRPbiI6IjIwMjItMDctMjlUMDI6Mjg6NDhaIn19fQ==","signatures":[{"keyid":"","sig":"MEYCIQDeQXMMojIpNvxEDLDXUC5aAwCbPPr/0uckP8TCcdTLjgIhAJG6M00kY40bz/C90W0FeUc2YcWY+txD4BPXhzd8E+tP"}]}`) set, err := base64.StdEncoding.DecodeString(“MEQCIDBYWwwDW+nH+1vFoTOqHS4jAtVm4Yezq2nAy7vjcV8zAiBkznmgMrz9em4NuB/hl5X/umubhLgwoXgUAY2NJJwu5A==”) if err != nil { return nil, false, err } sig, err := static.NewSignature(payload, b64sig, static.WithCertChain( []byte("-----BEGIN CERTIFICATE-----\nMIIDnDCCAyKgAwIBAgIUfMlmBH82a8tub3Mzzv8DBUEjLHwwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjIwNzI5MDIyNzEzWhcNMjIwNzI5MDIzNzEzWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEPL3MZbQBWha+4lgvmbZ4JA7BgxcAOcWTq+Ns\nGgKVhhodbDucZp5JLVRn+QWrEG+Ppd4JzLoAZth2a0BhNlkGC6OCAkEwggI9MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU3yHz\nvrj7CsZsIsI87Ps9XUXd7+0wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wYQYDVR0RAQH/BFcwVYZTaHR0cHM6Ly9naXRodWIuY29tL2Rpc3Ryb2xlc3Mv\nc3RhdGljLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueWFtbEByZWZzL2hlYWRz\nL21haW4wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1\nYnVzZXJjb250ZW50LmNvbTAWBgorBgEEAYO/MAECBAhzY2hlZHVsZTA2BgorBgEE\nAYO/MAEDBCg3ZTc1NzJlNTc4ZGU3YzUxYTJmMWExNzkxZjAyNWNmMzE1NTAzYWEy\nMBwGCisGAQQBg78wAQQEDkNyZWF0ZSBSZWxlYXNlMB8GCisGAQQBg78wAQUEEWRp\nc3Ryb2xlc3Mvc3RhdGljMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjCB\niQYKKwYBBAHWeQIEAgR7BHkAdwB1AAhgkvAoUv9oRdHRayeEnEVnGKwWPcM40m3m\nvCIGNm9yAAABgkfHgcEAAAQDAEYwRAIgZteRlFRR3aLNH6RlF3iknW4BfQXwsIWP\nRnkEOzOlN4MCIBQShlTxp2JJ677LTbFBU30zHLOZfQCa/qj5kpiFDPn6MAoGCCqG\nSM49BAMDA2gAMGUCMQDG7KFCngua3Nn5C20np9DiSnw74v7/xjbhFBoWQj1m0pio\nbSbh3ihNMR5neANay6ECMFwFsGFHCeLlL9kmf5ONk2EAZWQuwdJONPvXlbC/28KE\na7sPOJxVkCUQMdvqf1KBTw==\n-----END CERTIFICATE-----\n"), sig, err := static.NewSignature(payload, “", static.WithCertChain( []byte("-----BEGIN CERTIFICATE-----\nMIIDnDCCAyOgAwIBAgIUVGZ4TQgYi4VCLLFghYMU/taKrD8wCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjIwNzI5MDIyODQ4WhcNMjIwNzI5MDIzODQ4WjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEhiVvK5Tqk1+HnXSstf/8byA1RDpZu+Jvn9X6\nZoaCL/IjSJ7fBakvKAQ0BlzFg/JEtDreg/TFNiX2wnlMBlMV16OCAkIwggI+MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUiMn3\nza+9v+99n385GpkXzZxZiBIwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wYQYDVR0RAQH/BFcwVYZTaHR0cHM6Ly9naXRodWIuY29tL2Rpc3Ryb2xlc3Mv\nc3RhdGljLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueWFtbEByZWZzL2hlYWRz\nL21haW4wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1\nYnVzZXJjb250ZW50LmNvbTAWBgorBgEEAYO/MAECBAhzY2hlZHVsZTA2BgorBgEE\nAYO/MAEDBCg3ZTc1NzJlNTc4ZGU3YzUxYTJmMWExNzkxZjAyNWNmMzE1NTAzYWEy\nMBwGCisGAQQBg78wAQQEDkNyZWF0ZSBSZWxlYXNlMB8GCisGAQQBg78wAQUEEWRp\nc3Ryb2xlc3Mvc3RhdGljMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjCB\nigYKKwYBBAHWeQIEAgR8BHoAeAB2AAhgkvAoUv9oRdHRayeEnEVnGKwWPcM40m3m\nvCIGNm9yAAABgkfI9c8AAAQDAEcwRQIgPm4AoftGQF2abbFxMLvtzTjXy+sxwxTp\nCh5ZsoesBDMCIQCNlwmLpuu1KiqjY74l5527AffSd4kOapDMfpHAlMrpCTAKBggq\nhkjOPQQDAwNnADBkAjAe7jfVc1OJNhbaZF8BJRJ9nQOAcY6kwFYMav1XfQsJPE0x\naYpNg/oXVA5UrFcSBLkCMFa4124w3qUzrXSTGq99nlALKQ8HFR8ri17wM5/ZiWxi\nrtABq5eub32TXpAnfqGSmw==\n-----END CERTIFICATE-----\n”), []byte("-----BEGIN CERTIFICATE-----\nMIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C\nAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7\n7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS\n0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB\nBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp\nKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI\nzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR\nnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP\nmygUY7Ii2zbdCdliiow=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\n-----END CERTIFICATE-----"), ), static.WithBundle(&bundle.RekorBundle{ SignedEntryTimestamp: set, Payload: bundle.RekorPayload{ Body: "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJjYzYxZDc4MzdmYWYzYmMyYjMxMThkNTUxZmY5NTJjYzU5NzljNzM3OTkwNGE4NDEwMzAxMDg3OGVlMmZjMDUwIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJQW11ZE1LR0RXRXB1ZkdHcXJNZ2VlaTdLVmRwWndoYzZjbHFNYU1hdzZseUFpRUEzSm5MVXFWM3d0S0RFUmNWeThPak1Hb3BKWTdJWjhsZmtzNXpFQWpsblcwPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUnVSRU5EUVhsTFowRjNTVUpCWjBsVlprMXNiVUpJT0RKaE9IUjFZak5OZW5wMk9FUkNWVVZxVEVoM2QwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcEpkMDU2U1RWTlJFbDVUbnBGZWxkb1kwNU5ha2wzVG5wSk5VMUVTWHBPZWtWNlYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZRVEROTldtSlJRbGRvWVNzMGJHZDJiV0phTkVwQk4wSm5lR05CVDJOWFZIRXJUbk1LUjJkTFZtaG9iMlJpUkhWalduQTFTa3hXVW00clVWZHlSVWNyVUhCa05FcDZURzlCV25Sb01tRXdRbWhPYkd0SFF6WlBRMEZyUlhkblowazVUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlV6ZVVoNkNuWnlhamREYzFwelNYTkpPRGRRY3psWVZWaGtOeXN3ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFsUldVUldVakJTUVZGSUwwSkdZM2RXV1ZwVVlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKU2NHTXpVbmxpTW5oc1l6Tk5kZ3BqTTFKb1pFZHNha3g1Tlc1aFdGSnZaRmRKZG1ReU9YbGhNbHB6WWpOa2Vrd3pTbXhpUjFab1l6SlZkV1ZYUm5SaVJVSjVXbGRhZWt3eWFHeFpWMUo2Q2t3eU1XaGhWelIzVDFGWlMwdDNXVUpDUVVkRWRucEJRa0ZSVVhKaFNGSXdZMGhOTmt4NU9UQmlNblJzWW1rMWFGa3pVbkJpTWpWNlRHMWtjR1JIYURFS1dXNVdlbHBZU21waU1qVXdXbGMxTUV4dFRuWmlWRUZYUW1kdmNrSm5SVVZCV1U4dlRVRkZRMEpCYUhwWk1taHNXa2hXYzFwVVFUSkNaMjl5UW1kRlJRcEJXVTh2VFVGRlJFSkRaek5hVkdNeFRucEtiRTVVWXpSYVIxVXpXWHBWZUZsVVNtMU5WMFY0VG5wcmVGcHFRWGxPVjA1dFRYcEZNVTVVUVhwWlYwVjVDazFDZDBkRGFYTkhRVkZSUW1jM09IZEJVVkZGUkd0T2VWcFhSakJhVTBKVFdsZDRiRmxZVG14TlFqaEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVVlhVbkFLWXpOU2VXSXllR3hqTTAxMll6TlNhR1JIYkdwTlFqQkhRMmx6UjBGUlVVSm5OemgzUVZGWlJVUXpTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbXBEUWdwcFVWbExTM2RaUWtKQlNGZGxVVWxGUVdkU04wSklhMEZrZDBJeFFVRm9aMnQyUVc5VmRqbHZVbVJJVW1GNVpVVnVSVlp1UjB0M1YxQmpUVFF3YlROdENuWkRTVWRPYlRsNVFVRkJRbWRyWmtoblkwVkJRVUZSUkVGRldYZFNRVWxuV25SbFVteEdVbEl6WVV4T1NEWlNiRVl6YVd0dVZ6UkNabEZZZDNOSlYxQUtVbTVyUlU5NlQyeE9ORTFEU1VKUlUyaHNWSGh3TWtwS05qYzNURlJpUmtKVk16QjZTRXhQV21aUlEyRXZjV28xYTNCcFJrUlFialpOUVc5SFEwTnhSd3BUVFRRNVFrRk5SRUV5WjBGTlIxVkRUVkZFUnpkTFJrTnVaM1ZoTTA1dU5VTXlNRzV3T1VScFUyNTNOelIyTnk5NGFtSm9Sa0p2VjFGcU1XMHdjR2x2Q21KVFltZ3phV2hPVFZJMWJtVkJUbUY1TmtWRFRVWjNSbk5IUmtoRFpVeHNURGxyYldZMVQwNXJNa1ZCV2xkUmRYZGtTazlPVUhaWWJHSkRMekk0UzBVS1lUZHpVRTlLZUZaclExVlJUV1IyY1dZeFMwSlVkejA5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=", IntegratedTime: 1659061655, LogIndex: 3059462, Body: "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIyYjY1Y2JmMGU3OTAxYmEzMWQ1NWIxMmQzMTliY2EzOTQyMGFmNDM4OGQzZTU3MTRkMTZmMjAxOWQ3NGUzYWI3In0sInBheWxvYWRIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiYzFiNWYwZjRiOGVjZDU1ZWRhMjUwY2Q4NDk2NGQwYzFmYjVkN2E4YTM0OGY0YjdmZmI3ZGFhMmUwNmM0ODM3MyJ9fSwicHVibGljS2V5IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUnVSRU5EUVhsUFowRjNTVUpCWjBsVlZrZGFORlJSWjFscE5GWkRURXhHWjJoWlRWVXZkR0ZMY2tRNGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcEpkMDU2U1RWTlJFbDVUMFJSTkZkb1kwNU5ha2wzVG5wSk5VMUVTWHBQUkZFMFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZvYVZaMlN6VlVjV3N4SzBodVdGTnpkR1l2T0dKNVFURlNSSEJhZFN0S2RtNDVXRFlLV205aFEwd3ZTV3BUU2pkbVFtRnJka3RCVVRCQ2JIcEdaeTlLUlhSRWNtVm5MMVJHVG1sWU1uZHViRTFDYkUxV01UWlBRMEZyU1hkblowa3JUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZwVFc0ekNucGhLemwyS3prNWJqTTROVWR3YTFoNlduaGFhVUpKZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFsUldVUldVakJTUVZGSUwwSkdZM2RXV1ZwVVlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKU2NHTXpVbmxpTW5oc1l6Tk5kZ3BqTTFKb1pFZHNha3g1Tlc1aFdGSnZaRmRKZG1ReU9YbGhNbHB6WWpOa2Vrd3pTbXhpUjFab1l6SlZkV1ZYUm5SaVJVSjVXbGRhZWt3eWFHeFpWMUo2Q2t3eU1XaGhWelIzVDFGWlMwdDNXVUpDUVVkRWRucEJRa0ZSVVhKaFNGSXdZMGhOTmt4NU9UQmlNblJzWW1rMWFGa3pVbkJpTWpWNlRHMWtjR1JIYURFS1dXNVdlbHBZU21waU1qVXdXbGMxTUV4dFRuWmlWRUZYUW1kdmNrSm5SVVZCV1U4dlRVRkZRMEpCYUhwWk1taHNXa2hXYzFwVVFUSkNaMjl5UW1kRlJRcEJXVTh2VFVGRlJFSkRaek5hVkdNeFRucEtiRTVVWXpSYVIxVXpXWHBWZUZsVVNtMU5WMFY0VG5wcmVGcHFRWGxPVjA1dFRYcEZNVTVVUVhwWlYwVjVDazFDZDBkRGFYTkhRVkZSUW1jM09IZEJVVkZGUkd0T2VWcFhSakJhVTBKVFdsZDRiRmxZVG14TlFqaEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVVlhVbkFLWXpOU2VXSXllR3hqTTAxMll6TlNhR1JIYkdwTlFqQkhRMmx6UjBGUlVVSm5OemgzUVZGWlJVUXpTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbXBEUWdwcFoxbExTM2RaUWtKQlNGZGxVVWxGUVdkU09FSkliMEZsUVVJeVFVRm9aMnQyUVc5VmRqbHZVbVJJVW1GNVpVVnVSVlp1UjB0M1YxQmpUVFF3YlROdENuWkRTVWRPYlRsNVFVRkJRbWRyWmtrNVl6aEJRVUZSUkVGRlkzZFNVVWxuVUcwMFFXOW1kRWRSUmpKaFltSkdlRTFNZG5SNlZHcFllU3R6ZUhkNFZIQUtRMmcxV25OdlpYTkNSRTFEU1ZGRFRteDNiVXh3ZFhVeFMybHhhbGszTkd3MU5USTNRV1ptVTJRMGEwOWhjRVJOWm5CSVFXeE5jbkJEVkVGTFFtZG5jUXBvYTJwUFVGRlJSRUYzVG01QlJFSnJRV3BCWlRkcVpsWmpNVTlLVG1oaVlWcEdPRUpLVWtvNWJsRlBRV05aTm10M1JsbE5ZWFl4V0daUmMwcFFSVEI0Q21GWmNFNW5MMjlZVmtFMVZYSkdZMU5DVEd0RFRVWmhOREV5TkhjemNWVjZjbGhUVkVkeE9UbHViRUZNUzFFNFNFWlNPSEpwTVRkM1RUVXZXbWxYZUdrS2NuUkJRbkUxWlhWaU16SlVXSEJCYm1aeFIxTnRkejA5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19", IntegratedTime: 1659061729, LogIndex: 3059470, LogID: "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d", }, })) @@ -1675,7 +1674,7 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw== }, Attestations: []webhookcip.AttestationPolicy{{ Name: "test-att", PredicateType: "custom", PredicateType: "vuln", }}, }, },
Related news
PolicyController will report a false positive, resulting in an admission when it should not be admitted when: * There is at least one attestation with a valid signature * There are NO attestations of the type being verified (--type defaults to "custom") Users should upgrade to cosign version 0.2.1 or greater for a patch. There are no known workarounds at this time.