From b9e38d53b0a703e1451f481040ad104291b3a3c1 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Fri, 5 Jan 2024 22:28:40 -0600 Subject: [PATCH 01/16] Add FOSSA license scanning Signed-off-by: John Kjell --- .github/workflows/fossa.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/fossa.yml diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml new file mode 100644 index 00000000..cdd0f88b --- /dev/null +++ b/.github/workflows/fossa.yml @@ -0,0 +1,28 @@ +name: "Fossa Scan" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + fossa-scan: + env: + FOSSA_API_KEY: ${{ secrets.fossaApiKey }} + runs-on: ubuntu-latest + steps: + - if: ${{ env.FOSSA_API_KEY != '' }} + name: "Checkout Code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - if: ${{ env.FOSSA_API_KEY != '' }} + name: "Run FOSSA Scan" + uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 + with: + api-key: ${{ env.FOSSA_API_KEY }} From 494d44ab00f76a11bf4d4c4928f63f6a4853e655 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Fri, 5 Jan 2024 22:54:21 -0600 Subject: [PATCH 02/16] Add Security MD files an add FOSSA scan badge Signed-off-by: John Kjell --- .clomonitor.yml | 21 +++++++++++ DEPENDENCY.md | 42 ++++++++++++++++++++++ README.md | 4 +-- SECURITY-INSIGHTS.yml | 81 +++++++++++++++++++++++++++++++++++++++++++ SECURITY.md | 34 ++++++++++++++++++ 5 files changed, 180 insertions(+), 2 deletions(-) create mode 100644 .clomonitor.yml create mode 100644 DEPENDENCY.md create mode 100644 SECURITY-INSIGHTS.yml create mode 100644 SECURITY.md diff --git a/.clomonitor.yml b/.clomonitor.yml new file mode 100644 index 00000000..7b5506cf --- /dev/null +++ b/.clomonitor.yml @@ -0,0 +1,21 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# CLOMonitor metadata file +# This file must be located at the root of the repository + +# Checks exemptions +exemptions: + - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions) + reason: "Project is a CLI tool and is not one of the support types for Artifact Hub" # Justification of this exemption (mandatory, it will be displayed on the UI) diff --git a/DEPENDENCY.md b/DEPENDENCY.md new file mode 100644 index 00000000..99f74a1c --- /dev/null +++ b/DEPENDENCY.md @@ -0,0 +1,42 @@ +# Environment Dependencies Policy + +## Purpose + +This policy describes how Witness maintainers consume third-party packages. + +## Scope + +This policy applies to all Witness maintainers and all third-party packages used in the Witness project. + +## Policy + +Witness maintainers must follow these guidelines when consuming third-party packages: + +- Only use third-party packages that are necessary for the functionality of Witness. +- Use the latest version of all third-party packages whenever possible. +- Avoid using third-party packages that are known to have security vulnerabilities. +- Pin all third-party packages to specific versions in the Witness codebase. +- Use a dependency management tool, such as Go modules, to manage third-party dependencies. + +## Procedure + +When adding a new third-party package to Witness, maintainers must follow these steps: + +1. Evaluate the need for the package. Is it necessary for the functionality of Witness? +2. Research the package. Is it well-maintained? Does it have a good reputation? +3. Choose a version of the package. Use the latest version whenever possible. +4. Pin the package to the specific version in the Witness codebase. +5. Update the Witness documentation to reflect the new dependency. + +## Enforcement + +This policy is enforced by the Witness maintainers. +Maintainers are expected to review each other's code changes to ensure that they comply with this policy. + +## Exceptions + +Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis. + +## Credits + +This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md) diff --git a/README.md b/README.md index e563ce1a..3e331f28 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ -[![OpenSSF --Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness) +[![OpenSSF-Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness) +[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness?ref=badge_shield&issueType=license)

diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml new file mode 100644 index 00000000..5cf89858 --- /dev/null +++ b/SECURITY-INSIGHTS.yml @@ -0,0 +1,81 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +header: + schema-version: 1.0.0 + expiration-date: '2024-08-31T10:10:09.000Z' + last-updated: '2023-01-05' + last-reviewed: '2023-01-05' + commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41 + project-url: https://github.com/in-toto/witness + project-release: 'v0.2.0' + changelog: https://github.com/in-toto/witness/releases/tag/v0.2.0 + license: https://github.com/in-toto/witness/blob/main/LICENSE + +project-lifecycle: + status: active + roadmap: https://github.com/orgs/in-toto/projects/4/views/3 + bug-fixes-only: false + core-maintainers: + - https://github.com/in-toto/witness/MAINTAINERS.md + release-cycle: https://github.com/in-toto/witness/releases + +contribution-policy: + accepts-pull-requests: true + accepts-automated-pull-requests: true + contributing-policy: https://github.com/in-toto/witness/blob/main/CONTRIBUTING.md + code-of-conduct: https://github.com/in-toto/witness/blob/main/CODE_OF_CONDUCT.md + +documentation: + - https://witness.dev + +distribution-points: + - https://github.com/in-toto/witness/releases + +security-testing: +- tool-type: sca + tool-name: Dependabot + tool-version: 2 + tool-url: https://github.com/dependabot + integration: + ad-hoc: false + ci: true + before-release: false + +security-contacts: +- type: email + value: security@testifysec.com + primary: true + +vulnerability-reporting: + accepts-vulnerability-reports: true + email-contact: security@testifysec.com + security-policy: https://github.com/in-toto/witness/SECURITY.md + +dependencies: + third-party-packages: true + dependencies-lists: + - https://github.com/in-toto/witness/go.mod + sbom: + - sbom-file: https://foo.bar/sbom + sbom-format: CycloneDX + sbom-url: https://foo.bar + dependencies-lifecycle: + policy-url: https://github.com/in-toto/witness/SECURITY.md + comment: | + All dependencies are subject to the Witness Security Policy. + env-dependencies-policy: + policy-url: https://github.com/in-toto/witness/DEPENDENCY.md + comment: | + All dependencies are subject to the Witness Dependency Policy. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..1c558ac9 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,34 @@ +# Security Policy + +## Security Bulletins + +See current security bullentins on GitHub: https://github.com/in-toto/witness/security/advisories + +For information regarding the security of this project please join: + +* in-toto-witness on CNCF Slack + +## Reporting a Vulnerability + +Please use the below process to report a vulnerability to the project: + +Web Form: + +1. Please visit https://github.com/in-toto/witness/security/advisories/new + * You will receive a confirmation email upon submission +1. You may be contacted by a maintainer to further discuss the reported item + within 3 days. Please bear with us as we seek to understand the breadth + and scope of the reported problem, recreate it, and confirm if there is an + vulnerability present. + +This project follows a 30 day disclosure timeline. + +## Supported Versions + +Information regarding supported versions of this project can be found on +in the below table: + +| Version | Supported | +| --- | --- | +| Latest | :white_check_mark: | +| <= Latest - 2 | :x: | From 93768db59b9509c42e1406b6b20640afacd51c98 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Fri, 5 Jan 2024 23:11:12 -0600 Subject: [PATCH 03/16] Pin dependencies and restrict permissions Signed-off-by: John Kjell --- .github/workflows/release.yml | 33 ++++++++++++++++++++++++---- .github/workflows/verify-licence.yml | 2 +- .github/workflows/witness.yml | 6 +++++ dev/Dockerfile.go-builder | 2 +- 4 files changed, 37 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 12228a80..30b53374 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,11 +1,30 @@ -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout +# Copyright 2022 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + name: release on: [push, pull_request] + +permissions: + contents: read # This is required for actions/checkout + + jobs: fmt: uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: fmt @@ -15,6 +34,9 @@ jobs: sast: needs: [fmt] uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: sast @@ -24,6 +46,9 @@ jobs: unit-test: needs: [fmt] uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: unit-test @@ -68,7 +93,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Download GoReleaser - run: go install github.com/goreleaser/goreleaser@latest + run: go install github.com/goreleaser/goreleaser@v1.23.0 - name: Run GoReleaser uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml index 415eb405..6fdd09b4 100644 --- a/.github/workflows/verify-licence.yml +++ b/.github/workflows/verify-licence.yml @@ -17,7 +17,7 @@ jobs: with: go-version: '1.18.x' - name: Install addlicense - run: go install github.com/google/addlicense@latest + run: go install github.com/google/addlicense@v1.1.1 - name: Check license headers run: | set -e diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 1b031473..2e353ed2 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -40,9 +40,15 @@ on: required: true type: string +permissions: + contents: read + jobs: witness: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 diff --git a/dev/Dockerfile.go-builder b/dev/Dockerfile.go-builder index 2f98ea11..9bf246c8 100644 --- a/dev/Dockerfile.go-builder +++ b/dev/Dockerfile.go-builder @@ -1,2 +1,2 @@ -FROM golang:1.21.3 +FROM golang:1.21.3@sha256:b113af1e8b06f06a18ad41a6b331646dff587d7a4cf740f4852d16c49ed8ad73 COPY ./bin/witness /usr/bin From 15d9014fae2c143f26ad39cfde3f0b5ee925a481 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Sat, 6 Jan 2024 00:19:03 -0600 Subject: [PATCH 04/16] Add signing to goreleaser and Best Practices badge to readme. Signed-off-by: John Kjell --- .github/workflows/scorecard.yml | 20 ++++++++++- .goreleaser.yaml | 16 +++++++++ README.md | 62 ++++++++++++++++++--------------- 3 files changed, 69 insertions(+), 29 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e83537be..d0311f66 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,3 +1,21 @@ +# Copyright 2024 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + name: Scorecards supply-chain security on: workflow_dispatch: @@ -38,7 +56,7 @@ jobs: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecards on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results for public repositories to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 28d21c17..61e29ec8 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -21,6 +21,14 @@ gomod: proxy: false source: enabled: true +signs: + - cmd: cosign + args: + - "sign-blob" + - "--output-signature=${signature}" + - "${artifact}" + - "--yes" # needed on cosign 2.0.0+ + artifacts: all changelog: use: github groups: @@ -49,3 +57,11 @@ kos: platforms: - linux/amd64 - linux/arm64 + sbom: spdx +docker_signs: + - artifacts: manifests + cmd: cosign + args: + - "sign" + - "${artifact}" + - "--yes" # needed on cosign 2.0.0+ diff --git a/README.md b/README.md index 3e331f28..fe5a9271 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,13 @@ -[![OpenSSF-Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness) -[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness?ref=badge_shield&issueType=license) -


Witness is a pluggable framework for supply chain security

+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8280/badge)](https://www.bestpractices.dev/projects/8280) +[![OpenSSF-Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness) +[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness?ref=badge_shield&issueType=license) + [![asciicast](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D.svg)](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D) # Witness - Secure Your Supply Chain @@ -26,22 +27,24 @@ Witness works by wrapping commands executed in a continuous integration process, ## Witness is a pluggable framework for supply chain security - - It creates an evidence trail of the entire software development life cycle (SDLC) that can be used to evaluate policy compliance and detect any potential tampering or malicious activity. - - It is designed to run in both containerized and non-containerized environments and does not require elevated privileges. - - It supports most major CI and infrastructure providers, making it a versatile and flexible solution for securing software supply chains. - - It uses a secure PKI distribution system and allows for verification of Witness metadata to further enhance security and mitigate against software supply chain attack vectors. +- It creates an evidence trail of the entire software development life cycle (SDLC) that can be used to evaluate policy compliance and detect any potential tampering or malicious activity. +- It is designed to run in both containerized and non-containerized environments and does not require elevated privileges. +- It supports most major CI and infrastructure providers, making it a versatile and flexible solution for securing software supply chains. +- It uses a secure PKI distribution system and allows for verification of Witness metadata to further enhance security and mitigate against software supply chain attack vectors. ## Key Features - - Implementation of the in-toto specification including ITE-5, ITE-6, and ITE-7, and an embedded rego policy engine for build policy enforcement. - - Support for keyless signing with Sigstore and SPIFFE/SPIRE, and uploading attestation evidence to the Archivista server. - - Support for RFC3161 compatible timestamp authorities - - Experimental support for process tracing and process tampering prevention. - - Verifies file integrity between CI steps and across air gap. - - Support for Darwin, Windows, and ARM architectures. - - Can use Archivista as an attestation store. - - Integrations with GitLab, GitHub, AWS, and GCP. + +- Implementation of the in-toto specification including ITE-5, ITE-6, and ITE-7, and an embedded rego policy engine for build policy enforcement. +- Support for keyless signing with Sigstore and SPIFFE/SPIRE, and uploading attestation evidence to the Archivista server. +- Support for RFC3161 compatible timestamp authorities +- Experimental support for process tracing and process tampering prevention. +- Verifies file integrity between CI steps and across air gap. +- Support for Darwin, Windows, and ARM architectures. +- Can use Archivista as an attestation store. +- Integrations with GitLab, GitHub, AWS, and GCP. ## How it works + - Witness wraps commands executed during a continuous integration process to create an evidence trail of the entire software development life cycle (SDLC) - It records secure hashes of materials, artifacts, and events that occur during the CI process - This evidence can be used to evaluate policy compliance, detect tampering or malicious activity, and ensure only authorized users or machines complete a step of the process @@ -54,7 +57,6 @@ Witness works by wrapping commands executed in a continuous integration process, - It supports Darwin, Windows, and ARM architectures and can use [Archivista](https://github.com/testifysec/archivista) as an attestation store - Overall, Witness acts as a comprehensive framework for automated governance, providing a robust solution for securing the software supply chain. - ## Witness Examples - [Verify an Artifact Policy](https://github.com/testifysec/witness-examples/blob/main/keypair/README.md) @@ -117,19 +119,20 @@ Witness works by wrapping commands executed in a continuous integration process, ## Quick Start ### Download the Binary + Download from the releases page or use the install script to download the latest release. [Releases](https://github.com/testifysec/witness/releases) -``` + +```bash bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh) ``` - ### Create a Keypair > Witness supports keyless signing with [SPIRE](https://spiffe.io/)! -``` +```bash openssl genpkey -algorithm ed25519 -outform PEM -out testkey.pem openssl pkey -in testkey.pem -pubout > testpub.pem ``` @@ -141,7 +144,7 @@ openssl pkey -in testkey.pem -pubout > testpub.pem > - `witness help` will show all configuration options > - command-line arguments overrides configuration file values. -``` +```yaml ## .witness.yaml run: @@ -161,7 +164,7 @@ verify: > - Defining step names is important, these will be used in the policy. > - This should happen as a part of a CI step -``` +```bash witness run --step build -o test-att.json -- go build -o=testapp . ``` @@ -170,7 +173,7 @@ witness run --step build -o test-att.json -- go build -o=testapp . > - This data can be stored and retrieved from Archivista > - This is the data that is evaluated against the Rego policy -``` +```bash cat test-att.json | jq -r .payload | base64 -d | jq ``` @@ -184,7 +187,7 @@ Look [here](docs/policy.md) for full documentation on Witness Policies. > - Witness will require all attestations to succeed > - Witness will evaluate the rego policy against the JSON object in the corresponding attestor -``` +```json ## policy.json { @@ -224,7 +227,7 @@ Look [here](docs/policy.md) for full documentation on Witness Policies. ### Replace the variables in the policy -``` +```bash id=`sha256sum testpub.pem | awk '{print $1}'` && sed -i "s/{{PUBLIC_KEY_ID}}/$id/g" policy.json pubb64=`cat testpub.pem | base64 -w 0` && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g" policy.json ``` @@ -233,7 +236,7 @@ pubb64=`cat testpub.pem | base64 -w 0` && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g Keep this key safe, its owner will control the policy gates. -``` +```bash witness sign -f policy.json --signer-file-key-path testkey.pem --outfile policy-signed.json ``` @@ -243,7 +246,7 @@ witness sign -f policy.json --signer-file-key-path testkey.pem --outfile policy- > `witness verify` will return a `non-zero` exit and reason in the case of failure. Success will be silent with a `0` exit status > for policies that require multiple steps, multiple attestations are required. -``` +```bash witness verify -f testapp -a test-att.json -p policy-signed.json -k testpub.pem ``` @@ -253,7 +256,7 @@ witness verify -f testapp -a test-att.json -p policy-signed.json -k testpub.pem Witness attestors are pieces of code that assert facts about a system and store those facts in a versioned schema. Each attestor has a `Name`, `Type`, and `RunType`. The `Type` is a versioned string corresponding to the JSON schema of the attestation. For example, the AWS attestor is defined as follows: -``` +```go Name = "aws" Type = "https://witness.dev/attestations/aws/v0.1" RunType = attestation.PreRunType @@ -286,6 +289,7 @@ Examples of cryptographic validation is found in the [GCP](https://github.com/te ## Attestor Types ### Pre-material Attestors + - [AWS](docs/attestors/aws-iid.md) - Attestor for AWS Instance Metadata - [GCP](docs/attestors/gcp-iit.md) - Attestor for GCP Instance Identity Service - [GitLab](docs/attestors/gitlab.md) - Attestor for GitLab Pipelines @@ -295,12 +299,15 @@ Examples of cryptographic validation is found in the [GCP](https://github.com/te - [JWT](docs/attestors/jwt.md) - Attestor for JWT Tokens ### Material Attestors + - [Material](docs/attestors/material.md) - Records secure hashes of files in current working directory ### Execute Attestors + - [CommandRun](docs/attestors/commandrun.md) - Records traces and metadata about the actual process being run ### Product Attestors + - [Product](docs/attestors/product.md) - Records secure hashes of files produced by commandrun attestor (only detects new files) ### Post-product Attestors @@ -335,7 +342,6 @@ Witness can consume ephemeral keys from a [SPIRE](https://github.com/spiffe/spir During the verification process witness will use a source of trusted time such as a timestamp from a timestamp authority to make a determination on certificate validity. The SPIRE certificate only needs to remain valid long enough for a timestamp to be created. - ## Support [TestifySec](https://testifysec.com) Provides support for witness and other CI security tools. From abce18ba1f0cb094a328facaa2946a3faf620a03 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Sat, 6 Jan 2024 00:44:14 -0600 Subject: [PATCH 05/16] Add cosign install Signed-off-by: John Kjell --- .github/workflows/release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 30b53374..1e09db9a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -92,6 +92,9 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Install Cosign + uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + - name: Download GoReleaser run: go install github.com/goreleaser/goreleaser@v1.23.0 From f2e2a6fbd56b94c2935d8c052ea2309006a4f7b2 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Wed, 10 Jan 2024 12:13:09 -0500 Subject: [PATCH 06/16] Update cloudflare/circl due to dependabot failure (#352) Signed-off-by: John Kjell --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 18f4c63e..ac0cc74f 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/aws/aws-sdk-go v1.44.334 // indirect - github.com/cloudflare/circl v1.3.3 // indirect + github.com/cloudflare/circl v1.3.7 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect diff --git a/go.sum b/go.sum index 4556c69f..ea2d955b 100644 --- a/go.sum +++ b/go.sum @@ -68,8 +68,9 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= +github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= +github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= From d2471e69aae0f591a0a9e67daf3ee6859bcebf5e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 08:37:37 -0600 Subject: [PATCH 07/16] chore: bump actions/cache from 3.3.2 to 3.3.3 (#355) Bumps [actions/cache](https://github.com/actions/cache) from 3.3.2 to 3.3.3. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/704facf57e6136b1bc63b828d79edcd491f0ee84...e12d46a63a90f2fae62d114769bbf2a179198b5c) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1e09db9a..ba7f7497 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -76,7 +76,7 @@ jobs: uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.21.x - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: path: | ~/go/pkg/mod From 70e0b09abb592e0a4a1c9ffbaf87a363e8dfe0e4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 08:42:39 -0600 Subject: [PATCH 08/16] chore: bump actions/upload-artifact from 4.0.0 to 4.1.0 (#356) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/c7d193f32edcb7bfad88892161225aeda64e9392...1eb3cb2b3e0f29609092a73eb033bb759a334595) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- .github/workflows/witness.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index d0311f66..b90b9bd9 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -67,7 +67,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # tag=v4.0.0 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # tag=v4.1.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 2e353ed2..440a7c69 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -80,7 +80,7 @@ jobs: run: ${{ inputs.command }} - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}} - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 with: name: ${{ inputs.artifact-upload-name }} path: ${{ inputs.artifact-upload-path }} From 63cc5d89297fc9e4e26e145ebfd5bd9d072f432c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 08:48:05 -0600 Subject: [PATCH 09/16] chore: bump github/codeql-action from 3.22.12 to 3.23.0 (#357) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.22.12 to 3.23.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/012739e5082ff0c22ca6d6ab32e07c36df03c4a4...e5f05b81d5b6ff8cfa111c80c22c5fd02a384118) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 290a8cb0..6c10102c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -50,7 +50,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -73,6 +73,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b90b9bd9..34618bdc 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -75,6 +75,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # tag=v3.22.12 + uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # tag=v3.23.0 with: sarif_file: results.sarif From 83ca94240ba6a8e6148cffa60ff5e20efd0c3355 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 08:58:38 -0600 Subject: [PATCH 10/16] chore: bump actions/download-artifact from 4.1.0 to 4.1.1 (#358) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110...6b208ae046db98c579e8a3aa621ab581ff575935) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/witness.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 440a7c69..94145228 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -56,7 +56,7 @@ jobs: go-version: 1.21.x - if: ${{ inputs.artifact-download != '' }} - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ inputs.artifact-download }} path: /tmp From 1a9b5a2b6b3191097a92163c5167086a62cb9f83 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Wed, 17 Jan 2024 09:29:07 -0500 Subject: [PATCH 11/16] Initial attempt at PR and Issue templates (#351) * Initial attempt at PR and Issue templates Signed-off-by: John Kjell * Address some review feedback Signed-off-by: John Kjell --------- Signed-off-by: John Kjell Co-authored-by: Tom Meadows --- .github/ISSUE_TEMPLATE/bug-report.md | 26 ++++++++++++++++ .github/ISSUE_TEMPLATE/feature-request.md | 36 +++++++++++++++++++++++ .github/PULL_REQUEST_TEMPLATE.md | 19 ++++++++++++ 3 files changed, 81 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug-report.md create mode 100644 .github/ISSUE_TEMPLATE/feature-request.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md diff --git a/.github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug-report.md new file mode 100644 index 00000000..1efbee32 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug-report.md @@ -0,0 +1,26 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '[Bug]: ' +labels: ['bug', triage'] +assignees: '' +--- + +**What steps did you take and what happened:** + +[A clear and concise description of what the bug is.] + +**What did you expect to happen:** + +[Expected outcome listed here.] + +**Anything else you would like to add:** + +[Miscellaneous information that will assist in solving the issue.] + +**Environment:** + +- Witness version: +- Architecture: +- Attestors used: +- Archivista version: diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md new file mode 100644 index 00000000..a8540f67 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature-request.md @@ -0,0 +1,36 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '[Feat]: ' +labels: ['feature', 'triage'] +assignees: '' + +--- + +**Describe the solution you'd like:** + +[A clear and concise description of what you want to happen.] + +**User value:** + +[Why will this feature be valuable to you? Why will this be valuable to others?] + +**Expected behavior:** + +[What would you like to see happen] + +**Proposed solution:** + +[If you're able, describe possible solution workflow] + +**Anything else you would like to add:** + +[Miscellaneous information that will assist in solving the issue.] + +**Testing changes required:** + +[List possible testing changes required, if none please explain, if unsure assignee will assist] + +**Documentation changes required:** + +[List possible documentation changes required, if none please explain, if unsure assignee will assist] diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 00000000..0d0d900f --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,19 @@ +## What this PR does / why we need it + +Description + +## Which issue(s) this PR fixes (optional) + +(optional, using `fixes #(, fixes #, ...)` format, will close the issue(s) when the PR gets merged)* + +Fixes # + +## Acceptance Criteria Met + +- [ ] Docs changes if needed +- [ ] Testing changes if needed +- [ ] All workflow checks passing (automatically enforced) +- [ ] All review conversations resolved (automatically enforced) +- [ ] [DCO Sign-off](https://github.com/apps/dco) + +**Special notes for your reviewer**: From 06031da4459ee4aea13ee83c59f9dee8171133ff Mon Sep 17 00:00:00 2001 From: Tom Meadows Date: Wed, 17 Jan 2024 17:25:54 +0000 Subject: [PATCH 12/16] Checking attestors for duplicates (#361) * prevents duplicate attestors * adding tests * modified help for attestations flag --------- Signed-off-by: chaosinthecrd --- cmd/run.go | 23 +++++++++++--- cmd/run_test.go | 75 ++++++++++++++++++++++++++++++++++++++++++++ docs/witness_run.md | 3 +- docs/witness_sign.md | 1 + go.mod | 4 +-- go.sum | 8 ++--- options/run.go | 2 +- 7 files changed, 103 insertions(+), 13 deletions(-) diff --git a/cmd/run.go b/cmd/run.go index ad19a30c..2efbf4b1 100644 --- a/cmd/run.go +++ b/cmd/run.go @@ -85,12 +85,26 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers . attestors = append(attestors, commandrun.New(commandrun.WithCommand(args), commandrun.WithTracing(ro.Tracing))) } - addtlAttestors, err := attestation.Attestors(ro.Attestations) - if err != nil { - return fmt.Errorf("failed to create attestors := %w", err) + for _, a := range ro.Attestations { + duplicate := false + for _, att := range attestors { + if a != att.Name() { + } else { + log.Warnf("Attestator %s already declared, skipping", a) + duplicate = true + break + } + } + + if !duplicate { + attestor, err := attestation.GetAttestor(a) + if err != nil { + return fmt.Errorf("failed to create attestor: %w", err) + } + attestors = append(attestors, attestor) + } } - attestors = append(attestors, addtlAttestors...) for _, attestor := range attestors { setters, ok := ro.AttestorOptSetters[attestor.Name()] if !ok { @@ -120,7 +134,6 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers . witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir), attestation.WithHashes(roHashes)), witness.RunWithTimestampers(timestampers...), ) - if err != nil { return err } diff --git a/cmd/run_test.go b/cmd/run_test.go index 03cd2db3..4871c9d2 100644 --- a/cmd/run_test.go +++ b/cmd/run_test.go @@ -20,15 +20,20 @@ import ( "crypto/rand" "crypto/rsa" "encoding/json" + "fmt" "os" "path/filepath" + "strings" "testing" "github.com/in-toto/go-witness/cryptoutil" "github.com/in-toto/go-witness/dsse" + "github.com/in-toto/go-witness/log" "github.com/in-toto/go-witness/signer" "github.com/in-toto/go-witness/signer/file" "github.com/in-toto/witness/options" + "github.com/sirupsen/logrus" + "github.com/sirupsen/logrus/hooks/test" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -171,3 +176,73 @@ func TestRunHashesOptions(t *testing.T) { }) } } + +func TestRunDuplicateAttestors(t *testing.T) { + tests := []struct { + name string + attestors []string + expectWarn int + }{ + { + name: "No duplicate attestors", + attestors: []string{"environment"}, + expectWarn: 0, + }, + { + name: "duplicate attestors", + attestors: []string{"environment", "environment"}, + expectWarn: 1, + }, + { + name: "duplicate attestor due to default", + attestors: []string{"product"}, + expectWarn: 1, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + fmt.Println(tt.name) + testLogger, hook := test.NewNullLogger() + log.SetLogger(testLogger) + + privatekey, err := rsa.GenerateKey(rand.Reader, keybits) + require.NoError(t, err) + signer := cryptoutil.NewRSASigner(privatekey, crypto.SHA256) + + workingDir := t.TempDir() + attestationPath := filepath.Join(workingDir, "outfile.txt") + runOptions := options.RunOptions{ + WorkingDir: workingDir, + Attestations: tt.attestors, + OutFilePath: attestationPath, + StepName: "teststep", + Tracing: false, + } + + args := []string{ + "bash", + "-c", + "echo 'test' > test.txt", + } + + err = runRun(context.Background(), runOptions, args, signer) + if tt.expectWarn > 0 { + c := 0 + for _, entry := range hook.AllEntries() { + fmt.Println(tt.name, "log:", entry.Message) + if entry.Level == logrus.WarnLevel && strings.Contains(entry.Message, "already declared, skipping") { + c++ + } + } + assert.Equal(t, tt.expectWarn, c) + } else { + require.NoError(t, err) + attestationBytes, err := os.ReadFile(attestationPath) + require.NoError(t, err) + env := dsse.Envelope{} + require.NoError(t, json.Unmarshal(attestationBytes, &env)) + } + }) + } +} diff --git a/docs/witness_run.md b/docs/witness_run.md index 6c5851b7..831832d2 100644 --- a/docs/witness_run.md +++ b/docs/witness_run.md @@ -10,7 +10,7 @@ witness run [cmd] [flags] ``` --archivista-server string URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io") - -a, --attestations strings Attestations to record (default [environment,git]) + -a, --attestations strings Attestations to record ('product' and 'material' are always recorded) (default [environment,git]) --attestor-product-exclude-glob string Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation. --attestor-product-include-glob string Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation. (default "*") --enable-archivista Use Archivista to store or retrieve attestations @@ -22,6 +22,7 @@ witness run [cmd] [flags] -k, --signer-file-key-path string Path to the file containing the private key --signer-fulcio-oidc-client-id string OIDC client ID to use for authentication --signer-fulcio-oidc-issuer string OIDC issuer to use for authentication + --signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. --signer-fulcio-token string Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path) --signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token) --signer-fulcio-url string Fulcio address to sign with diff --git a/docs/witness_sign.md b/docs/witness_sign.md index c20b5fd3..d91a689a 100644 --- a/docs/witness_sign.md +++ b/docs/witness_sign.md @@ -22,6 +22,7 @@ witness sign [file] [flags] -k, --signer-file-key-path string Path to the file containing the private key --signer-fulcio-oidc-client-id string OIDC client ID to use for authentication --signer-fulcio-oidc-issuer string OIDC issuer to use for authentication + --signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. --signer-fulcio-token string Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path) --signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token) --signer-fulcio-url string Fulcio address to sign with diff --git a/go.mod b/go.mod index ac0cc74f..8fcdfec6 100644 --- a/go.mod +++ b/go.mod @@ -3,13 +3,13 @@ module github.com/in-toto/witness go 1.19 require ( - github.com/in-toto/go-witness v0.2.0 + github.com/in-toto/go-witness v0.2.1 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 github.com/spf13/viper v1.15.0 github.com/stretchr/testify v1.8.4 - k8s.io/apimachinery v0.26.11 + k8s.io/apimachinery v0.26.12 ) require ( diff --git a/go.sum b/go.sum index ea2d955b..9bfc6685 100644 --- a/go.sum +++ b/go.sum @@ -220,8 +220,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1: github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/in-toto/archivista v0.2.0 h1:FViuHMVVETborvOqlmSYdROY8RmX3CO0V0MOhU/Rl20= github.com/in-toto/archivista v0.2.0/go.mod h1:qt9uN4TkHWUgR5A2wxRqQIBizSl32P2nI2AjESskkr0= -github.com/in-toto/go-witness v0.2.0 h1:lxp3+Kc4Der2C1jV9ZePjSCEHUr2NsB4sImXI5sZHu4= -github.com/in-toto/go-witness v0.2.0/go.mod h1:Jr6ZlYoVfTS3hjUSmJ10J8qiHjpF1cfSE4NLAIJpbLw= +github.com/in-toto/go-witness v0.2.1 h1:eAxMBWUPbz3oPU3lsfEYi/Kdj6weej2umm59bOXPJSU= +github.com/in-toto/go-witness v0.2.1/go.mod h1:xURJVj4QRD3xnzOJps7gT0pMCFPpAHcPqDC3EyuLuUE= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= @@ -749,8 +749,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/apimachinery v0.26.11 h1:w//840HHdwSRKqD15j9YX9HLlU6RPlfrvW0xEhLk2+0= -k8s.io/apimachinery v0.26.11/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y= +k8s.io/apimachinery v0.26.12 h1:y+OgufxqLIZtyXIydRhjLBGzrYLF+qwiDdCFXYOjeN4= +k8s.io/apimachinery v0.26.12/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y= k8s.io/klog/v2 v2.90.0 h1:VkTxIV/FjRXn1fgNNcKGM8cfmL1Z33ZjXRTVxKCoF5M= k8s.io/klog/v2 v2.90.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/utils v0.0.0-20230115233650-391b47cb4029 h1:L8zDtT4jrxj+TaQYD0k8KNlr556WaVQylDXswKmX+dE= diff --git a/options/run.go b/options/run.go index 3cccb3f7..0e7ab343 100644 --- a/options/run.go +++ b/options/run.go @@ -37,7 +37,7 @@ func (ro *RunOptions) AddFlags(cmd *cobra.Command) { ro.SignerOptions.AddFlags(cmd) ro.ArchivistaOptions.AddFlags(cmd) cmd.Flags().StringVarP(&ro.WorkingDir, "workingdir", "d", "", "Directory from which commands will run") - cmd.Flags().StringSliceVarP(&ro.Attestations, "attestations", "a", []string{"environment", "git"}, "Attestations to record") + cmd.Flags().StringSliceVarP(&ro.Attestations, "attestations", "a", []string{"environment", "git"}, "Attestations to record ('product' and 'material' are always recorded)") cmd.Flags().StringSliceVar(&ro.Hashes, "hashes", []string{"sha256"}, "Hashes selected for digest calculation. Defaults to SHA256") cmd.Flags().StringVarP(&ro.OutFilePath, "outfile", "o", "", "File to which to write signed data. Defaults to stdout") cmd.Flags().StringVarP(&ro.StepName, "step", "s", "", "Name of the step being run") From 272e492ba2889b2287c731abb9608df966744824 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 16:39:47 +0000 Subject: [PATCH 13/16] chore: bump actions/cache from 3.3.3 to 4.0.0 (#364) Bumps [actions/cache](https://github.com/actions/cache) from 3.3.3 to 4.0.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/e12d46a63a90f2fae62d114769bbf2a179198b5c...13aacd865c20de90d75de3b17ebe84f7a17d57d2) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ba7f7497..d858616d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -76,7 +76,7 @@ jobs: uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.21.x - - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 + - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: | ~/go/pkg/mod From 55418b54b6cedbb16620fa78d8cbb1f67066c533 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 21:31:55 -0600 Subject: [PATCH 14/16] chore: bump actions/upload-artifact from 4.1.0 to 4.2.0 (#363) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.1.0 to 4.2.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/1eb3cb2b3e0f29609092a73eb033bb759a334595...694cdabd8bdb0f10b2cea11669e1bf5453eed0a6) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tom Meadows --- .github/workflows/scorecard.yml | 2 +- .github/workflows/witness.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 34618bdc..e6b49d61 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -67,7 +67,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # tag=v4.1.0 + uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # tag=v4.2.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 94145228..f3ef8856 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -80,7 +80,7 @@ jobs: run: ${{ inputs.command }} - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}} - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 with: name: ${{ inputs.artifact-upload-name }} path: ${{ inputs.artifact-upload-path }} From 9247c8179cc30fc207d0a43415e1b256e0c2e6fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 21:36:41 -0600 Subject: [PATCH 15/16] chore: bump github/codeql-action from 3.23.0 to 3.23.1 (#365) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.0 to 3.23.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e5f05b81d5b6ff8cfa111c80c22c5fd02a384118...0b21cf2492b6b02c465a3e5d7c473717ad7721ba) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6c10102c..aa398a1a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -50,7 +50,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -73,6 +73,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e6b49d61..b4980fc5 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -75,6 +75,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # tag=v3.23.0 + uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # tag=v3.23.1 with: sarif_file: results.sarif From 2b872a34091302a83d87a12fa5e7be511ae55969 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 21:43:27 -0600 Subject: [PATCH 16/16] chore: bump actions/dependency-review-action from 3.1.5 to 4.0.0 (#366) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.5 to 4.0.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/c74b580d73376b7750d3d2a50bfb8adc2c937507...4901385134134e04cec5fbe5ddfe3b2c5bd5d976) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 130191f0..3fa8b859 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,4 +24,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: 'Dependency Review' - uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5 + uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0