build(deps): bump github.com/sigstore/rekor from 1.1.2-0.20230508234306-ad288b385a44 to 1.2.0

[dependabot]

Bumps github.com/sigstore/rekor from 1.1.2-0.20230508234306-ad288b385a44 to 1.2.0.

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.2.0

Functional Enhancements

• add client method to generate TLE struct (#1498)
• add dsse type (#1487)
• support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
• Add concurrency to backfill-redis (#1504)
• omit informational message if machine-parseable output has been requested (#1486)
• Publish stable checkpoint periodically to Redis (#1461)
• Add intoto v0.0.2 to backfill script (#1500)
• add new method to test insertability of proposed entries into log (#1410)

Quality Enhancements

• use t.Skip() in fuzzers (#1506)
• improve fuzzing coverage (#1499)
• Remove watcher script (#1484)

Bug Fixes

• Merge pull request from GHSA-frqx-jfcm-6jjr
• Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
• fix lint errors, bump linter up to 1.52 (#1485)
• Remove dependencies from pkg/util (#1469)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Ceridwen Coghlan
• Cody Soyland
• Hayden B
• Miloslav Trmač

v1.1.1

Functional Enhancements

• Refactor Trillian client with exported methods (#1454)
• Switch to official redis-go client (#1459)
• Remove replace in go.mod (#1444)
• Add Rekor OID info. (#1390)

Quality Enhancements

• remove legacy encrypted cosign key (#1446)
• swap cjson dependency (#1441)
• Update release readme (#1456)

Bug Fixes

• Merge pull request from GHSA-2h5h-59f5-c5x9

Contributors

• Billy Lynch
• Bob Callaway

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[openshift-ci]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign zhangguanzhang for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cevich]

@dependabot rebase

[cevich]

In case anybody else wonders WTF no renovate PR on this: I verified vulnerability alerts are being seen by renovate in the logs:

{
  "alerts": {
    "go/github.com/sigstore/rekor": {
      "< 1.2.0": "1.2.0"
    }
  }
}

And it "knows" that an update is needed:

{
  "alertPackageRules": [
    {
      "matchDatasources": [
        "go"
      ],
      "matchPackageNames": [
        "github.com/sigstore/rekor"
      ],
      "matchCurrentVersion": "= 1.1.2-0.20230508234306-ad288b385a44",
      "matchFiles": [
        "go.mod"
      ],
      "allowedVersions": "1.2.0",
      "prBodyNotes": [
        "### GitHub Vulnerability Alerts",
        "#### [CVE-2023-33199](https://github.com/sigstore/rekor/security/advisories/GHSA-frqx-jfcm-6jjr)\n\n### Impact\nA malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal.\n\n### Patches\nThis is fixed in v1.2.0 of Rekor.\n\n### Workarounds\nNo\n\n### References\nDiscovered by OSS-Fuzz"
      ],
      "isVulnerabilityAlert": true,
      "force": {
        "groupName": null,
        "schedule": [],
        "dependencyDashboardApproval": false,
        "minimumReleaseAge": null,
        "rangeStrategy": "update-lockfile",
        "commitMessageSuffix": "[SECURITY]",
        "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
        "prCreation": "immediate",
        "labels": [
          "dependencies",
          "security"
        ]
      }
    }
  ]
}

However, the logs then show that renovate is completely disabled for this dependency:

          {
            "currentDigest": "ad288b385a44",
            "currentValue": "v1.1.2-0.20230508234306-ad288b385a44",
            "datasource": "go",
            "depName": "github.com/sigstore/rekor",
            "depType": "indirect",
            "digestOneAndOnly": true,
            "enabled": false,
            "managerData": {
              "lineNumber": 153,
              "multiLine": true
            },
            "packageName": "github.com/sigstore/rekor",
            "skipReason": "disabled",
            "updates": []
          },

Poking around trying to figure out why it's disabled, I noticed "depType": "indirect", which got a hit in the docs for the gomod manager: "Indirect updates are disabled by default." That lead down a rabbit-hole landing in an open RFE for this (where we apparently hit it for Skopeo as well): renovatebot/renovate#12999

[cevich]

Opened containers/automation#143

[cevich]

I'm not sure w/n to believe this:

***************************************************************************
* bin/podman grew by 2507632 bytes; max allowed is 51200.
*
* Please investigate, and fix if possible.
*
* A repo admin can override by setting the bloat_approved label
***************************************************************************

[cevich]

/hold

[mtrmac]

I'm not sure w/n to believe this:

***************************************************************************
* bin/podman grew by 2507632 bytes; max allowed is 51200.

Sadly, yes. It’s an ongoing struggle, and one we are likely to keep losing.

For now, I’d recommend manually updating to ≥ v1.2.2-0.20230529154427-55a5a338d149 ; that should get us ~to the current Podman size; and getting all the way to main as of today might even shrink Podman a tiny bit.

A bit longer-term, per the conversation in sigstore/rekor#1511 , we might need to completely replace that dependency (containers/image#1845 ).

And even longer-term, some protobuf dependencies might be imposed on us for compatibility with Cosign, making some parts of that size increase hard to avoid.

[cevich]

Thanks for the details and additional context.

[mtrmac]

For the record, I can’t find any code path that could trigger the vulnerable code. It’s included but dead.

[cevich]

Closing in favor of #18833

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.