github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-16 04:17:55 +08:00
Code Issues Packages Projects Releases Wiki Activity
503 Commits 38 Branches 132 Tags
87fc941b3c1baed7d3135e065a32c1dabd4db080
Commit Graph

76 Commits

Author SHA1 Message Date
Ramkumar Chinchani 3d72dad507 fix dependabot alerts 
https://github.com/project-zot/zot/pull/674
https://github.com/project-zot/zot/pull/676
https://github.com/project-zot/zot/pull/677
https://github.com/project-zot/zot/pull/678

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-07-27 08:48:51 +03:00
Laurentiu Niculae 7e3d063319 freeform querry api 
Signed-off-by: Laurentiu Niculae <themelopeus@gmail.com>
 2022-07-20 10:03:11 -07:00
Ramkumar Chinchani 317064ffc9 fix dependabot alerts 
https://github.com/project-zot/zot/pull/647
https://github.com/project-zot/zot/pull/648
https://github.com/project-zot/zot/pull/649
https://github.com/project-zot/zot/pull/650
https://github.com/project-zot/zot/pull/651
https://github.com/project-zot/zot/pull/652
https://github.com/project-zot/zot/pull/653
https://github.com/project-zot/zot/pull/656

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-07-18 14:59:27 -07:00
Andrei Aaron 43160dcc43 Update to graphql 1.17.13 
We encountered some problems with using the existing folder structure,
but it looks like running the tooling with the latest versions works after
we regenerated the project using 'gql init' and refactoring to separate
the login previously in resolvers.go.

- the autogenerated code is now under the gql_generated folder
- the file resolvers.go now contains only the code which is not
rewritten by the gqlgen framework
- the file schema.resolvers.go is rewritten when gqlgen runs,
and we'll only keep there the actual resolvers matching query names
Changes we observed to schema.resolvers.go when gqlgen runs include
reordering methods, and renaming function parameters to match the
names used in schema.graphql
- we now have a gqlgen.yaml config file which governs the behavior of
gqlgen (can be tweaked to restructure the folder structure of the
generated code in the future)

Looks like the new graphql server has better validation
1 Returns 422 instead of 200 for missing query string - had to update tests
2 Correctly uncovered an error in a test for a bad `%` in query string.

As as result of 2, a `masked` bug was found in the way we check if images are
signed with Notary, the signatures were reasched for with the media type
of the image manifest itself instead of the media type for notation.
Fixed this bug, and improved error messages.
This bug would have also been reproducible with main branch if the bad `%`
in the test would have fixed.

Updated the linter to ignore some issues with the code which is
always rewritten when running:
`go run github.com/99designs/gqlgen@v0.17.13 generate`

Add a workflow to test gqlgen works and has no uncommitted changes

Signed-off-by: Andrei Aaron <andaaron@cisco.com>
 2022-07-18 12:55:40 -07:00
Ramkumar Chinchani 37b3345199 fix dependabot alerts 
https://github.com/project-zot/zot/pull/629
https://github.com/project-zot/zot/pull/631
https://github.com/project-zot/zot/pull/632

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-07-15 14:22:39 -07:00
Ramkumar Chinchani 4ae1a908a0 fix dependabot alerts CVE-2022-33082/GHSA-2m4x-4q9j-w97g 
https://github.com/project-zot/zot/security/dependabot/24

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-07-07 23:58:51 -07:00
Alex Stan 66484c8ca9 changed go version to 1.18 
Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
 2022-06-09 04:38:06 -07:00
Ramkumar Chinchani 0edee009c0 fix CVE-2022-28946/GHSA-x7f3-62pm-9p38 
https://github.com/project-zot/zot/security/dependabot/17
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-06-06 11:43:36 -07:00
Ramkumar Chinchani d07de27402 fix CVE-2022-26945/GHSA-x24g-9w7v-vprh 
https://github.com/project-zot/zot/security/dependabot/22

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-06-06 11:43:36 -07:00
laurentiuNiculae c9b32c73ae added more types of severity 
Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
 2022-06-03 09:44:54 -07:00
Ramkumar Chinchani dbe23e58f9 fix CVE-2022-28948/GHSA-hp87-p4gw-j4gq 
https://github.com/project-zot/zot/security/dependabot/18

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-25 15:13:45 -07:00
Ramkumar Chinchani 6b841809e3 fix CVE-2022-29173/GHSA-66x3-6cw3-v5gj 
https://github.com/project-zot/zot/security/dependabot/16

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-25 11:34:24 -07:00
Petu Eusebiu da4acaf178 sync: preserve upstream digests after syncing images 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2022-05-25 10:19:36 -07:00
Ramkumar Chinchani a5e091e3d2 fix CVE-2022-29162/GHSA-f3fp-gc8g-vw66 
https://github.com/project-zot/zot/security/dependabot/15

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-24 12:53:48 -07:00
Shivam Mishra 36c9631000 ext: use distribution spec route prefix for extension api 
Following the spec defined here https://github.com/opencontainers/distribution-spec/tree/main/extensions

Signed-off-by: Shivam Mishra <shimish2@cisco.com>
 2022-05-22 16:35:16 -07:00
Ramkumar Chinchani c1bf4456d0 update cosign deps 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-22 09:15:01 -07:00
Ramkumar Chinchani 6d593b468f dependabot alert: fix CVE-2022-29810 
https://github.com/project-zot/zot/security/dependabot/14

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-03 14:36:41 -07:00
Ramkumar Chinchani d19a4bf2a1 build(deps): bump github.com/swaggo/http-swagger from 1.2.5 to 1.2.6 
Fixes https://github.com/project-zot/zot/security/dependabot/12

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-04-26 09:31:11 -07:00
Petu Eusebiu 4e20ab8a5d go.mod: update dependencies 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2022-04-15 10:31:37 -07:00
Petu Eusebiu f53dc9eb8d sync: Add a new flag to enforce syncing only signed images, closes #455 
sync: When checking if a image is already synced also check for changes in upstream signatures.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2022-03-24 10:50:01 -07:00
Ramkumar Chinchani 251857fb6e move module deps under project-zot repo 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-21 11:03:19 -07:00
Ramkumar Chinchani 10f0e6c307 fix dependabot alert 
https://github.com/project-zot/zot/security/dependabot/10

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-15 16:55:32 -07:00
laurentiuNiculae 63d94d4ac5 Update dist-spec version automatically 
Warning if config has wrong dist-spec version

Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
 2022-03-14 10:24:03 -07:00
Ramkumar Chinchani 95e4b2054b upgrade module deps 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-04 13:10:58 -08:00
Ramkumar Chinchani 3b9699c536 go.mod: cleanup deps so 'go mod tidy' works 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-04 13:10:58 -08:00
Ramkumar Chinchani cf70a8d71e CVE-2022-23648: update dependencies in go.mod 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-03 09:55:48 -08:00
Ramkumar Chinchani bf21435d42 remove linger go.sum entries to fix dependabot alert 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-02 13:28:37 -08:00
Ramkumar Chinchani 8db3e1b192 CVE-2022-23649: fix dependabot alert 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-02 12:01:14 -08:00
Ramkumar Chinchani 3ada6af0de tls: set min version to 1.2 and restrict cipher suites 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-02 10:03:50 -08:00
Petu Eusebiu 45968e0bb7 sync: fix inconsistent test, used inject error fw for hard to reach test cases 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2022-03-01 09:56:27 -08:00
Ramkumar Chinchani bb53552048 bump github.com/docker/distribution from 2.7.1+incompatible to 2.8.0+incompatible 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-02-11 19:19:16 -08:00
Ramkumar Chinchani c0c6b255e1 dependabot-alert: update 'github.com/open-policy-agent/opa' 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-02-11 19:19:16 -08:00
Ramkumar Chinchani f66d496257 dependabot-alert: update 'github.com/open-policy-agent/opa' 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-02-11 15:49:54 -08:00
Ramkumar Chinchani 1e5ea7e09c controller: support rate-limiting incoming requests 
helps constraining resource usage and against flood attacks.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-01-24 12:48:13 -08:00
Ramkumar Chinchani f251e7af10 update go.mod 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-01-24 09:15:46 -08:00
Ramkumar Chinchani 9e98b03f55 go.mod: fix GHSA-mvff-h3cj-wj9c 
update containerd version

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-01-07 00:07:10 -08:00
Ramkumar Chinchani cac7fe4854 storage: use sha256-simd from minio 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-12-28 22:25:11 -08:00
Ramkumar Chinchani f011192615 fix Dependabot alert about GHSA-v95c-p5hm-xq8f 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-12-08 09:02:48 -08:00
Ramkumar Chinchani e42e42a2cc artifacts: initial support for artifacts/notaryv2 spec 
https://github.com/oras-project/artifacts-spec
https://github.com/notaryproject/notaryproject

Fixes issue #264

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-12-01 18:55:39 -08:00
Petu Eusebiu fff6107310 Sync prefix can be an exact match or a glob pattern, closes #297 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2021-11-29 13:10:13 -08:00
Ramkumar Chinchani a176bf7e83 go.mod: fix another dependabot alert 
GHSA-77vh-xpmg-72qh

pull in upstream github.com/opencontainers/image-spec where this is
fixed.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-11-18 14:32:20 -08:00
Ramkumar Chinchani 528e239e78 go.mod: tidy go.mod 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-11-18 13:16:47 -08:00
Ramkumar Chinchani bdfbebeb5a dependabot: fix dependabot alerts 
Fix GHSA-77vh-xpmg-72qh
Fix GHSA-5j5w-g665-5m35

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-11-18 11:56:50 -08:00
Ramkumar Chinchani bb537265cc go.mod: upgrade module deps 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-11-17 14:49:22 -08:00
Petu Eusebiu 9c568c0ee2 storage: add s3 backend support (without GC and dedupe) 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2021-11-15 08:09:00 -08:00
Petu Eusebiu 19003e8a71 Added new extension "sync" 
Periodically poll registries and pull images according to sync's config
Added sync on demand, syncing when clients asks for an image which
zot doesn't have.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2021-10-21 10:32:46 -07:00
Shivam Mishra d930adbd49 search: update trivy 
trivy updated to v0.20.0
trivy-db updated to bec0c6a
fanal updated to f7efd1b
 2021-10-13 16:37:31 -07:00
Ramkumar Chinchani d69ee3f562 go.mod: update go.mod to fix dependabot alert 
https://github.com/advisories/GHSA-c2h3-6mxw-7mvq

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-10-04 14:03:37 -07:00
Shivam Mishra 63fef3e48c search: added graphql api to return repository list with latest tag 2021-09-27 14:36:20 -07:00
Ramkumar Chinchani 0b302d9614 go.mod: update deps to address dependabot alerts 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-09-23 13:59:26 -07:00