chore(go.mod): upgrade trivy and cosign (#1387)

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2026-06-16 04:17:55 +08:00 · 2023-04-27 19:35:10 +03:00
parent 07bfc8ab95
commit 40bf76add5
15 changed files with 393 additions and 901 deletions
@@ -31,11 +31,11 @@ import (
 	godigest "github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1"
-	"github.com/sigstore/cosign/cmd/cosign/cli/generate"
-	"github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/cmd/cosign/cli/verify"
-	"github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
+	"github.com/sigstore/cosign/v2/pkg/oci/remote"
 	. "github.com/smartystreets/goconvey/convey"
 	"github.com/stretchr/testify/assert"
 	"go.etcd.io/bbolt"
@@ -3970,20 +3970,24 @@ func TestImageSignatures(t *testing.T) {

 			// generate a keypair
 			os.Setenv("COSIGN_PASSWORD", "")
-			err = generate.GenerateKeyPairCmd(context.TODO(), "", nil)
+			err = generate.GenerateKeyPairCmd(context.TODO(), "", "cosign", nil)
 			So(err, ShouldBeNil)

+			annotations := []string{"tag=1.0"}
+
 			// sign the image
 			err = sign.SignCmd(&options.RootOptions{Verbose: true, Timeout: 1 * time.Minute},
 				options.KeyOpts{KeyRef: path.Join(tdir, "cosign.key"), PassFunc: generate.GetPass},
-				options.RegistryOptions{AllowInsecure: true},
-				map[string]interface{}{"tag": "1.0"},
-				[]string{fmt.Sprintf("localhost:%s/%s@%s", port, repoName, digest.String())},
-				"", "", true, "", "", "", false, false, "", true)
+				options.SignOptions{
+					Registry:          options.RegistryOptions{AllowInsecure: true},
+					AnnotationOptions: options.AnnotationOptions{Annotations: annotations},
+					Upload:            true,
+				},
+				[]string{fmt.Sprintf("localhost:%s/%s@%s", port, repoName, digest.String())})
 			So(err, ShouldBeNil)

 			// verify the image
-			aopts := &options.AnnotationOptions{Annotations: []string{"tag=1.0"}}
+			aopts := &options.AnnotationOptions{Annotations: annotations}
 			amap, err := aopts.AnnotationsMap()
 			So(err, ShouldBeNil)
 			vrfy := verify.VerifyCommand{
@@ -3991,6 +3995,7 @@ func TestImageSignatures(t *testing.T) {
 				CheckClaims:     true,
 				KeyRef:          path.Join(tdir, "cosign.pub"),
 				Annotations:     amap,
+				IgnoreTlog:      true,
 			}
 			err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", port, repoName, "1.0")})
 			So(err, ShouldBeNil)
@@ -4004,6 +4009,7 @@ func TestImageSignatures(t *testing.T) {
 				CheckClaims:     true,
 				KeyRef:          path.Join(tdir, "cosign.pub"),
 				Annotations:     amap,
+				IgnoreTlog:      true,
 			}
 			err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", port, repoName, "1.0")})
 			So(err, ShouldNotBeNil)
@@ -4017,6 +4023,7 @@ func TestImageSignatures(t *testing.T) {
 				RegistryOptions: options.RegistryOptions{AllowInsecure: true},
 				KeyRef:          path.Join(tdir, "cosign.key"),
 				Annotations:     amap,
+				IgnoreTlog:      true,
 			}
 			err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", port, repoName, "1.0")})
 			So(err, ShouldNotBeNil)
@@ -4028,7 +4035,7 @@ func TestImageSignatures(t *testing.T) {
 			So(err, ShouldBeNil)

 			os.Setenv("COSIGN_PASSWORD", "")
-			err = generate.GenerateKeyPairCmd(context.TODO(), "", nil)
+			err = generate.GenerateKeyPairCmd(context.TODO(), "", "cosign", nil)
 			So(err, ShouldBeNil)

 			// verify the image with incorrect key
@@ -4040,6 +4047,7 @@ func TestImageSignatures(t *testing.T) {
 				RegistryOptions: options.RegistryOptions{AllowInsecure: true},
 				KeyRef:          path.Join(tdir, "cosign.pub"),
 				Annotations:     amap,
+				IgnoreTlog:      true,
 			}
 			err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", port, repoName, "1.0")})
 			So(err, ShouldNotBeNil)
@@ -6244,18 +6252,22 @@ func TestGCSignaturesAndUntaggedManifests(t *testing.T) {

 			// generate a keypair
 			os.Setenv("COSIGN_PASSWORD", "")
-			err = generate.GenerateKeyPairCmd(context.TODO(), "", nil)
+			err = generate.GenerateKeyPairCmd(context.TODO(), "", "cosign", nil)
 			So(err, ShouldBeNil)

 			image := fmt.Sprintf("localhost:%s/%s@%s", port, repoName, digest.String())

+			annotations := []string{fmt.Sprintf("tag=%s", tag)}
+
 			// sign the image
 			err = sign.SignCmd(&options.RootOptions{Verbose: true, Timeout: 1 * time.Minute},
 				options.KeyOpts{KeyRef: path.Join(tdir, "cosign.key"), PassFunc: generate.GetPass},
-				options.RegistryOptions{AllowInsecure: true},
-				map[string]interface{}{"tag": tag},
-				[]string{image},
-				"", "", true, "", "", "", false, false, "", true)
+				options.SignOptions{
+					Registry:          options.RegistryOptions{AllowInsecure: true},
+					AnnotationOptions: options.AnnotationOptions{Annotations: annotations},
+					Upload:            true,
+				},
+				[]string{image})

 			So(err, ShouldBeNil)

@@ -19,7 +19,7 @@ import (

 	notreg "github.com/notaryproject/notation-go/registry"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/pkg/oci/remote"

 	zotErrors "zotregistry.io/zot/errors"
 	"zotregistry.io/zot/pkg/common"
@@ -19,9 +19,9 @@ import (

 	godigest "github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/sigstore/cosign/cmd/cosign/cli/generate"
-	"github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
 	. "github.com/smartystreets/goconvey/convey"
 	"github.com/spf13/cobra"
 	"gopkg.in/resty.v1"
@@ -300,7 +300,7 @@ func TestSignature(t *testing.T) {
 		// generate a keypair
 		if _, err := os.Stat(path.Join(currentDir, "cosign.key")); err != nil {
 			os.Setenv("COSIGN_PASSWORD", "")
-			err = generate.GenerateKeyPairCmd(context.TODO(), "", nil)
+			err = generate.GenerateKeyPairCmd(context.TODO(), "", "cosign", nil)
 			So(err, ShouldBeNil)
 		}

@@ -310,10 +310,12 @@ func TestSignature(t *testing.T) {
 		// sign the image
 		err = sign.SignCmd(&options.RootOptions{Verbose: true, Timeout: 1 * time.Minute},
 			options.KeyOpts{KeyRef: path.Join(currentDir, "cosign.key"), PassFunc: generate.GetPass},
-			options.RegistryOptions{AllowInsecure: true},
-			map[string]interface{}{"tag": "test:1.0"},
-			[]string{fmt.Sprintf("localhost:%s/%s@%s", port, "repo7", digest.String())},
-			"", "", true, "", "", "", false, false, "", true)
+			options.SignOptions{
+				Registry:          options.RegistryOptions{AllowInsecure: true},
+				AnnotationOptions: options.AnnotationOptions{Annotations: []string{"tag=test:1.0"}},
+				Upload:            true,
+			},
+			[]string{fmt.Sprintf("localhost:%s/%s@%s", port, "repo7", digest.String())})
 		So(err, ShouldBeNil)

 		t.Logf("%s", ctlr.Config.Storage.RootDirectory)
@@ -10,6 +10,7 @@ import (
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/commands/artifact"
 	"github.com/aquasecurity/trivy/pkg/commands/operation"
+	fanalTypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	"github.com/aquasecurity/trivy/pkg/types"
 	regTypes "github.com/google/go-containerregistry/pkg/v1/types"
@@ -368,7 +369,10 @@ func (scanner Scanner) UpdateDB() error {
 func (scanner Scanner) updateDB(dbDir string) error {
 	scanner.log.Debug().Msgf("Download Trivy DB to destination dir: %s", dbDir)

-	err := operation.DownloadDB("dev", dbDir, scanner.dbRepository, false, false, false)
+	ctx := context.Background()
+
+	err := operation.DownloadDB(ctx, "dev", dbDir, scanner.dbRepository, false, false,
+		fanalTypes.RemoteOptions{Insecure: false})
 	if err != nil {
 		scanner.log.Error().Err(err).Msgf("Error downloading Trivy DB to destination dir: %s", dbDir)

@@ -14,7 +14,7 @@ import (
 	godigest "github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	oras "github.com/oras-project/artifacts-spec/specs-go/v1"
-	"github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/pkg/oci/remote"

 	zerr "zotregistry.io/zot/errors"
 	"zotregistry.io/zot/pkg/api/constants"
@@ -24,11 +24,11 @@ import (
 	godigest "github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1"
-	"github.com/sigstore/cosign/cmd/cosign/cli/generate"
-	"github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/cmd/cosign/cli/verify"
-	"github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
+	"github.com/sigstore/cosign/v2/pkg/oci/remote"
 	. "github.com/smartystreets/goconvey/convey"
 	"gopkg.in/resty.v1"

@@ -3222,6 +3222,7 @@ func TestSignatures(t *testing.T) {
 			CheckClaims:     true,
 			KeyRef:          path.Join(tdir, "cosign.pub"),
 			Annotations:     amap,
+			IgnoreTlog:      true,
 		}

 		err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", destPort, repoName, "1.0")})
@@ -4097,6 +4098,7 @@ func TestSignaturesOnDemand(t *testing.T) {
 			CheckClaims:     true,
 			KeyRef:          path.Join(tdir, "cosign.pub"),
 			Annotations:     amap,
+			IgnoreTlog:      true,
 		}
 		err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", destPort, repoName, "1.0")})
 		So(err, ShouldBeNil)
@@ -4355,6 +4357,7 @@ func TestOnlySignaturesOnDemand(t *testing.T) {
 			CheckClaims:     true,
 			KeyRef:          path.Join(tdir, "cosign.pub"),
 			Annotations:     amap,
+			IgnoreTlog:      true,
 		}

 		err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", destPort, repoName, "1.0")})
@@ -4374,6 +4377,7 @@ func TestOnlySignaturesOnDemand(t *testing.T) {
 			CheckClaims:     true,
 			KeyRef:          path.Join(tdir, "cosign.pub"),
 			Annotations:     amap,
+			IgnoreTlog:      true,
 		}

 		err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", destPort, repoName, "1.0")})
@@ -4721,6 +4725,7 @@ func TestSyncSignaturesDiff(t *testing.T) {
 			CheckClaims:     true,
 			KeyRef:          path.Join(tdir, "cosign.pub"),
 			Annotations:     amap,
+			IgnoreTlog:      true,
 		}
 		err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", destPort, repoName, "1.0")})
 		So(err, ShouldBeNil)
@@ -4747,6 +4752,7 @@ func TestSyncSignaturesDiff(t *testing.T) {
 			CheckClaims:     true,
 			KeyRef:          path.Join(tdir, "cosign.pub"),
 			Annotations:     amap,
+			IgnoreTlog:      true,
 		}
 		err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", destPort, repoName, "1.0")})
 		So(err, ShouldBeNil)
@@ -5564,7 +5570,7 @@ func generateKeyPairs(tdir string) {
 	os.Setenv("COSIGN_PASSWORD", "")

 	if _, err := os.Stat(path.Join(tdir, "cosign.key")); err != nil {
-		err := generate.GenerateKeyPairCmd(context.TODO(), "", nil)
+		err := generate.GenerateKeyPairCmd(context.TODO(), "", "cosign", nil)
 		if err != nil {
 			panic(err)
 		}
@@ -5582,20 +5588,24 @@ func generateKeyPairs(tdir string) {
 }

 func signImage(tdir, port, repoName string, digest godigest.Digest) {
+	annotations := []string{"tag=1.0"}
+
 	// push signatures to upstream server so that we can sync them later
 	// sign the image
 	err := sign.SignCmd(&options.RootOptions{Verbose: true, Timeout: 1 * time.Minute},
 		options.KeyOpts{KeyRef: path.Join(tdir, "cosign.key"), PassFunc: generate.GetPass},
-		options.RegistryOptions{AllowInsecure: true},
-		map[string]interface{}{"tag": "1.0"},
-		[]string{fmt.Sprintf("localhost:%s/%s@%s", port, repoName, digest.String())},
-		"", "", true, "", "", "", false, false, "", true)
+		options.SignOptions{
+			Registry:          options.RegistryOptions{AllowInsecure: true},
+			AnnotationOptions: options.AnnotationOptions{Annotations: annotations},
+			Upload:            true,
+		},
+		[]string{fmt.Sprintf("localhost:%s/%s@%s", port, repoName, digest.String())})
 	if err != nil {
 		panic(err)
 	}

 	// verify the image
-	a := &options.AnnotationOptions{Annotations: []string{"tag=1.0"}}
+	a := &options.AnnotationOptions{Annotations: annotations}

 	amap, err := a.AnnotationsMap()
 	if err != nil {
@@ -5607,6 +5617,7 @@ func signImage(tdir, port, repoName string, digest godigest.Digest) {
 		CheckClaims:     true,
 		KeyRef:          path.Join(tdir, "cosign.pub"),
 		Annotations:     amap,
+		IgnoreTlog:      true,
 	}

 	err = vrfy.Exec(context.TODO(), []string{fmt.Sprintf("localhost:%s/%s:%s", port, repoName, "1.0")})
@@ -24,7 +24,7 @@ import (
 	godigest "github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1"
-	"github.com/sigstore/cosign/pkg/oci/static"
+	"github.com/sigstore/cosign/v2/pkg/oci/static"

 	zerr "zotregistry.io/zot/errors"
 	"zotregistry.io/zot/pkg/common"
@@ -13,7 +13,7 @@ import (
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	oras "github.com/oras-project/artifacts-spec/specs-go/v1"
 	"github.com/rs/zerolog"
-	"github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/pkg/oci/remote"

 	zerr "zotregistry.io/zot/errors"
 	"zotregistry.io/zot/pkg/scheduler"
@@ -26,7 +26,7 @@ import (
 	"github.com/opencontainers/umoci/oci/casext"
 	oras "github.com/oras-project/artifacts-spec/specs-go/v1"
 	"github.com/rs/zerolog"
-	"github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/pkg/oci/remote"

 	zerr "zotregistry.io/zot/errors"
 	"zotregistry.io/zot/pkg/common"
@@ -37,9 +37,9 @@ import (
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/umoci"
 	"github.com/phayes/freeport"
-	"github.com/sigstore/cosign/cmd/cosign/cli/generate"
-	"github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
 	"gopkg.in/resty.v1"
 	"oras.land/oras-go/v2/registry"
 	"oras.land/oras-go/v2/registry/remote"
@@ -1651,7 +1651,7 @@ func SignImageUsingCosign(repoTag, port string) error {
 	// generate a keypair
 	os.Setenv("COSIGN_PASSWORD", "")

-	err = generate.GenerateKeyPairCmd(context.TODO(), "", nil)
+	err = generate.GenerateKeyPairCmd(context.TODO(), "", "cosign", nil)
 	if err != nil {
 		return err
 	}
@@ -1663,10 +1663,12 @@ func SignImageUsingCosign(repoTag, port string) error {
 	// sign the image
 	return sign.SignCmd(&options.RootOptions{Verbose: true, Timeout: timeoutPeriod * time.Minute},
 		options.KeyOpts{KeyRef: path.Join(tdir, "cosign.key"), PassFunc: generate.GetPass},
-		options.RegistryOptions{AllowInsecure: true},
-		map[string]interface{}{"tag": "1.0"},
-		[]string{imageURL},
-		"", "", true, "", "", "", false, false, "", true)
+		options.SignOptions{
+			Registry:          options.RegistryOptions{AllowInsecure: true},
+			AnnotationOptions: options.AnnotationOptions{Annotations: []string{"tag=1.0"}},
+			Upload:            true,
+		},
+		[]string{imageURL})
 }

 func SignImageUsingNotary(repoTag, port string) error {