-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/vulndb: potential Go vuln in github.com/sigstore/policy-controller: CVE-2022-35930 #759
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
Vuln in importable package which is only used by the parent tool. |
neild
added
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
and removed
NotGoVuln
labels
Aug 10, 2022
Change https://go.dev/cl/592770 mentions this issue: |
Change https://go.dev/cl/607223 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2022-0642.yaml - data/reports/GO-2022-0644.yaml - data/reports/GO-2022-0645.yaml - data/reports/GO-2022-0647.yaml - data/reports/GO-2022-0649.yaml - data/reports/GO-2022-0700.yaml - data/reports/GO-2022-0703.yaml - data/reports/GO-2022-0704.yaml - data/reports/GO-2022-0705.yaml - data/reports/GO-2022-0707.yaml - data/reports/GO-2022-0708.yaml - data/reports/GO-2022-0709.yaml - data/reports/GO-2022-0732.yaml - data/reports/GO-2022-0749.yaml - data/reports/GO-2022-0751.yaml - data/reports/GO-2022-0752.yaml - data/reports/GO-2022-0759.yaml - data/reports/GO-2022-0760.yaml - data/reports/GO-2022-0769.yaml - data/reports/GO-2022-0770.yaml Updates #642 Updates #644 Updates #645 Updates #647 Updates #649 Updates #700 Updates #703 Updates #704 Updates #705 Updates #707 Updates #708 Updates #709 Updates #732 Updates #749 Updates #751 Updates #752 Updates #759 Updates #760 Updates #769 Updates #770 Change-Id: I3dabcc907fd498009a9bd4cf865198037615717e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607223 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
CVE-2022-35930 references github.com/sigstore/policy-controller, which may be a Go module.
Description:
PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is
ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2
. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.Links:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: