
Commit d8a6af3

leodidoona-agent
andcommitted
Add slsa-verifier dependency for cache verification
- Add github.com/slsa-framework/slsa-verifier/v2 v2.6.0 - Enables SLSA Level 3 verification for cached artifacts - Direct Go API integration without external processes Co-authored-by: Ona <[email protected]>
1 parent bfe3f21 commit d8a6af3


2 files changed

+486
-84
lines changed


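--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
 github.com/google/go-containerregistry v0.20.4-0.20250225234217-098045d5e61f
 github.com/google/uuid v1.6.0
 github.com/gookit/color v1.5.4
-github.com/imdario/mergo v0.3.13
+github.com/imdario/mergo v0.3.16
 github.com/in-toto/in-toto-golang v0.9.0
 github.com/karrick/godirwalk v1.17.0
 github.com/minio/highwayhash v1.0.2
@@ -28,17 +28,18 @@ require (
 github.com/segmentio/analytics-go/v3 v3.3.0
 github.com/segmentio/textio v1.2.0
 github.com/sirupsen/logrus v1.9.3
+github.com/slsa-framework/slsa-verifier/v2 v2.6.0
 github.com/spf13/cobra v1.9.1
 github.com/stretchr/testify v1.10.0
-golang.org/x/mod v0.24.0
-golang.org/x/sync v0.12.0
+golang.org/x/mod v0.25.0
+golang.org/x/sync v0.15.0
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da
 gopkg.in/yaml.v3 v3.0.1
 sigs.k8s.io/bom v0.6.0
 )
 
 require (
-cel.dev/expr v0.16.1 // indirect
+cel.dev/expr v0.16.2 // indirect
 cloud.google.com/go v0.116.0 // indirect
 cloud.google.com/go/auth v0.13.0 // indirect
 cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
@@ -57,7 +58,7 @@ require (
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect
 github.com/Masterminds/goutils v1.1.1 // indirect
 github.com/Masterminds/semver v1.5.0 // indirect
-github.com/Masterminds/semver/v3 v3.3.0 // indirect
+github.com/Masterminds/semver/v3 v3.3.1 // indirect
 github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
 github.com/Microsoft/hcsshim v0.11.7 // indirect
@@ -79,7 +80,8 @@ require (
 github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 github.com/aquasecurity/go-pep440-version v0.0.1 // indirect
 github.com/aquasecurity/go-version v0.0.1 // indirect
-github.com/aws/aws-sdk-go v1.44.288 // indirect
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+github.com/aws/aws-sdk-go v1.51.6 // indirect
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.8 // indirect
 github.com/aws/aws-sdk-go-v2/credentials v1.17.59 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28 // indirect
@@ -98,6 +100,7 @@ require (
 github.com/becheran/wildmatch-go v1.0.0 // indirect
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 github.com/bitnami/go-version v0.0.0-20250131085805-b1f57a8634ef // indirect
+github.com/blang/semver v3.5.1+incompatible // indirect
 github.com/bmatcuk/doublestar/v2 v2.0.4 // indirect
 github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
@@ -122,15 +125,19 @@ require (
 github.com/containerd/ttrpc v1.2.7 // indirect
 github.com/containerd/typeurl/v2 v2.1.1 // indirect
 github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
 github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da // indirect
+github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 github.com/distribution/reference v0.6.0 // indirect
 github.com/dlclark/regexp2 v1.11.4 // indirect
 github.com/docker/cli v28.0.1+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
 github.com/docker/docker v28.0.1+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.8.2 // indirect
+github.com/docker/go v1.5.1-1 // indirect
 github.com/docker/go-connections v0.5.0 // indirect
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 github.com/docker/go-units v0.5.0 // indirect
@@ -148,48 +155,68 @@ require (
 github.com/github/go-spdx/v2 v2.3.2 // indirect
 github.com/glebarez/go-sqlite v1.22.0 // indirect
 github.com/glebarez/sqlite v1.11.0 // indirect
+github.com/go-chi/chi v4.1.2+incompatible // indirect
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 github.com/go-git/go-billy/v5 v5.6.2 // indirect
 github.com/go-git/go-git/v5 v5.14.0 // indirect
+github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 github.com/go-logr/logr v1.4.2 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
+github.com/go-openapi/analysis v0.23.0 // indirect
+github.com/go-openapi/errors v0.22.0 // indirect
+github.com/go-openapi/jsonpointer v0.21.0 // indirect
+github.com/go-openapi/jsonreference v0.21.0 // indirect
+github.com/go-openapi/loads v0.22.0 // indirect
+github.com/go-openapi/runtime v0.28.0 // indirect
+github.com/go-openapi/spec v0.21.0 // indirect
+github.com/go-openapi/strfmt v0.23.0 // indirect
+github.com/go-openapi/swag v0.23.0 // indirect
+github.com/go-openapi/validate v0.24.0 // indirect
 github.com/go-restruct/restruct v1.2.0-alpha // indirect
 github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
 github.com/godbus/dbus/v5 v5.1.0 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/golang/snappy v0.0.4 // indirect
+github.com/google/certificate-transparency-go v1.1.8 // indirect
 github.com/google/licensecheck v0.3.1 // indirect
 github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd // indirect
 github.com/google/s2a-go v0.1.8 // indirect
+github.com/google/trillian v1.6.0 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/go-getter v1.7.8 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
+github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 github.com/hashicorp/go-safetemp v1.0.0 // indirect
 github.com/hashicorp/go-version v1.7.0 // indirect
-github.com/hashicorp/hcl v1.0.0 // indirect
+github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 github.com/hashicorp/hcl/v2 v2.23.0 // indirect
 github.com/huandu/xstrings v1.5.0 // indirect
 github.com/iancoleman/strcase v0.3.0 // indirect
+github.com/in-toto/attestation v1.1.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 github.com/jinzhu/copier v0.4.0 // indirect
 github.com/jinzhu/inflection v1.0.0 // indirect
 github.com/jinzhu/now v1.1.5 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
+github.com/josharian/intern v1.0.0 // indirect
 github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953 // indirect
 github.com/kevinburke/ssh_config v1.2.0 // indirect
 github.com/klauspost/compress v1.18.0 // indirect
 github.com/klauspost/pgzip v1.2.6 // indirect
 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f // indirect
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d // indirect
 github.com/knqyf263/go-rpmdb v0.1.1 // indirect
+github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 github.com/magiconair/properties v1.8.9 // indirect
+github.com/mailru/easyjson v0.7.7 // indirect
 github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08 // indirect
 github.com/mattn/go-colorable v0.1.13 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
@@ -198,7 +225,7 @@ require (
 github.com/mitchellh/copystructure v1.2.0 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/mitchellh/go-testing-interface v1.14.1 // indirect
-github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 // indirect
+github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
@@ -211,11 +238,14 @@ require (
 github.com/moby/sys/userns v0.1.0 // indirect
 github.com/muesli/termenv v0.16.0 // indirect
 github.com/ncruces/go-strftime v0.1.9 // indirect
+github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 github.com/nwaples/rardecode v1.1.3 // indirect
+github.com/oklog/ulid v1.3.1 // indirect
 github.com/olekukonko/tablewriter v0.0.5 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.1 // indirect
 github.com/opencontainers/selinux v1.11.0 // indirect
+github.com/opentracing/opentracing-go v1.2.0 // indirect
 github.com/openvex/go-vex v0.2.5 // indirect
 github.com/owenrumney/go-sarif v1.1.2-0.20231003122901-1000f5e05554 // indirect
 github.com/package-url/packageurl-go v0.1.2 // indirect
@@ -237,15 +267,24 @@ require (
 github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
 github.com/sassoftware/go-rpmutils v0.4.0 // indirect
+github.com/sassoftware/relic v7.2.1+incompatible // indirect
 github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
 github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 // indirect
-github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
+github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 github.com/segmentio/backo-go v1.0.0 // indirect
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 github.com/shibumi/go-pathspec v1.3.0 // indirect
 github.com/shopspring/decimal v1.4.0 // indirect
+github.com/sigstore/cosign/v2 v2.2.4 // indirect
+github.com/sigstore/fulcio v1.4.5 // indirect
+github.com/sigstore/protobuf-specs v0.3.0 // indirect
+github.com/sigstore/rekor v1.3.6 // indirect
+github.com/sigstore/sigstore v1.8.11 // indirect
+github.com/sigstore/sigstore-go v0.2.0 // indirect
+github.com/sigstore/timestamp-authority v1.2.2 // indirect
 github.com/skeema/knownhosts v1.3.1 // indirect
+github.com/slsa-framework/slsa-github-generator v1.9.0 // indirect
 github.com/sourcegraph/conc v0.3.0 // indirect
 github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb // indirect
 github.com/spdx/tools-golang v0.5.5 // indirect
@@ -256,7 +295,12 @@ require (
 github.com/subosito/gotenv v1.6.0 // indirect
 github.com/sylabs/sif/v2 v2.20.2 // indirect
 github.com/sylabs/squashfs v1.0.5 // indirect
+github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 github.com/therootcompany/xz v1.0.1 // indirect
+github.com/theupdateframework/go-tuf v0.7.0 // indirect
+github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 // indirect
+github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+github.com/transparency-dev/merkle v0.0.2 // indirect
 github.com/ulikunitz/xz v0.5.12 // indirect
 github.com/vbatts/go-mtree v0.5.4 // indirect
 github.com/vbatts/tar-split v0.11.6 // indirect
@@ -267,39 +311,42 @@ require (
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 github.com/zclconf/go-cty v1.14.0 // indirect
+go.mongodb.org/mongo-driver v1.14.0 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-go.opentelemetry.io/contrib/detectors/gcp v1.29.0 // indirect
+go.opentelemetry.io/contrib/detectors/gcp v1.31.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
 go.opentelemetry.io/otel v1.33.0 // indirect
 go.opentelemetry.io/otel/metric v1.33.0 // indirect
 go.opentelemetry.io/otel/sdk v1.33.0 // indirect
-go.opentelemetry.io/otel/sdk/metric v1.29.0 // indirect
+go.opentelemetry.io/otel/sdk/metric v1.31.0 // indirect
 go.opentelemetry.io/otel/trace v1.33.0 // indirect
-go.uber.org/atomic v1.9.0 // indirect
-go.uber.org/multierr v1.9.0 // indirect
-golang.org/x/crypto v0.36.0 // indirect
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-golang.org/x/net v0.37.0 // indirect
+go.uber.org/multierr v1.11.0 // indirect
+go.uber.org/zap v1.27.0 // indirect
+golang.org/x/crypto v0.39.0 // indirect
+golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476 // indirect
+golang.org/x/net v0.41.0 // indirect
 golang.org/x/oauth2 v0.25.0 // indirect
-golang.org/x/sys v0.31.0 // indirect
-golang.org/x/term v0.30.0 // indirect
-golang.org/x/text v0.23.0 // indirect
+golang.org/x/sys v0.33.0 // indirect
+golang.org/x/term v0.32.0 // indirect
+golang.org/x/text v0.26.0 // indirect
 golang.org/x/time v0.11.0 // indirect
-golang.org/x/tools v0.31.0 // indirect
+golang.org/x/tools v0.34.0 // indirect
 google.golang.org/api v0.215.0 // indirect
 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 // indirect
-google.golang.org/grpc v1.67.3 // indirect
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250102185135-69823020774d // indirect
+google.golang.org/grpc v1.69.4 // indirect
 google.golang.org/protobuf v1.36.3 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gorm.io/gorm v1.25.12 // indirect
+k8s.io/klog/v2 v2.120.1 // indirect
 modernc.org/libc v1.61.13 // indirect
 modernc.org/mathutil v1.7.1 // indirect
 modernc.org/memory v1.8.2 // indirect
 modernc.org/sqlite v1.36.1 // indirect
-sigs.k8s.io/release-utils v0.7.7 // indirect
+sigs.k8s.io/release-utils v0.9.0 // indirect
+sigs.k8s.io/yaml v1.4.0 // indirect
 )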
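Review bot: The new direct requirement `github.com/slsa-framework/slsa-verifier/v2 v2.6.0` brings more than forty new indirect modules into the build, and those on the signature and provenance path are pinned at whatever minimum version selection chose, for example `github.com/go-jose/go-jose/v4 v4.0.2`, `github.com/sigstore/cosign/v2 v2.2.4` and `github.com/sigstore/rekor v1.3.6`, which appear to be behind those modules' current releases. Because these modules decide whether a cached artifact is trusted, run `govulncheck ./...` against the resulting module graph and raise any flagged module explicitly with `go get <module>@<fixed-version>` before merging. The same section also moves unrelated indirect dependencies (`github.com/aws/aws-sdk-go` from v1.44.288 to v1.51.6, `github.com/hashicorp/hcl` to `v1.0.1-vault-5`, `google.golang.org/grpc` to v1.69.4), which the commit message does not mention and which should be listed there so a later regression is not attributed to the verifier alone. The code that calls the verifier is not visible on this page, so whether verification fails closed on a missing or invalid attestation cannot be judged from this change.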
