From c9693346d54b0862f734c12e67df38ef5287a73d Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Thu, 17 Aug 2023 07:53:17 -0700 Subject: [PATCH] Update golangci-lint and Markdown linter (#4440) Also fix new Markdown linter errors Signed-off-by: Ryan Turner Co-authored-by: Marcos Yacob --- CONTRIBUTING.md | 2 +- Makefile | 4 +-- README.md | 2 +- SECURITY.md | 2 +- doc/plugin_agent_workloadattestor_k8s.md | 10 +++--- support/oidc-discovery-provider/README.md | 42 +++++++++++------------ 6 files changed, 31 insertions(+), 31 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index dfdee4be60..ba1ff91280 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -244,4 +244,4 @@ $ ln -s .githooks/pre-commit .git/hooks/pre-commit ## Reporting security vulnerabilities -If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. +If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at . We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. diff --git a/Makefile b/Makefile index 262253cbac..46a074c06f 100644 --- a/Makefile +++ b/Makefile @@ -138,12 +138,12 @@ endif go_path := PATH="$(go_bin_dir):$(PATH)" -golangci_lint_version = v1.53.3 +golangci_lint_version = v1.54.1 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version) golangci_lint_bin = $(golangci_lint_dir)/golangci-lint golangci_lint_cache = $(golangci_lint_dir)/cache -markdown_lint_version = v0.33.0 +markdown_lint_version = v0.35.0 markdown_lint_image = ghcr.io/igorshubovych/markdownlint-cli:$(markdown_lint_version) protoc_version = 3.20.1 diff --git a/README.md b/README.md index 9ed39a2731..c7022cb79b 100644 --- a/README.md +++ b/README.md 
@@ -68,6 +68,6 @@ A third party security firm ([Cure53](https://cure53.de/)) completed a security ### Reporting Security Vulnerabilities -If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. +If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at . We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. diff --git a/SECURITY.md b/SECURITY.md index 77fd1c8b05..cf6de358de 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,4 +6,4 @@ The project supports security releases for the current minor release series and ## Reporting a Vulnerability -If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. +If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at . We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index eb6f27a5ce..b0421d5a82 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -118,11 +118,11 @@ Sigstore enabled selectors (available when configured to use sigstore) | Selector | Value | |----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| k8s:${containerID}:image-signature-content | A containerID is an unique alphanumeric number for each container. The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=") | -| k8s:${containerID}:image-signature-subject | OIDC principal that signed it​ (eg. "k8s:000000:image-signature-subject:spirex@example.com") | -| k8s:${containerID}:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. "k8s:000000:image-signature-logid:samplelogID") | -| k8s:${containerID}:image-signature-integrated-time | The time (in Unix timestamp format) when the image signature was integrated into the signature transparency log​ (eg. "k8s:000000:image-signature-integrated-time:12345") | -| k8s:sigstore-validation | The confirmation if the signature is valid, has value of "passed" (eg. "k8s:sigstore-validation:passed") | +| k8s:${containerID}:image-signature-content | A containerID is an unique alphanumeric number for each container. The value of the signature itself in a hash (eg. `k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=`) | +| k8s:${containerID}:image-signature-subject | OIDC principal that signed it​ (eg. `k8s:000000:image-signature-subject:spirex@example.com`) | +| k8s:${containerID}:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. 
`k8s:000000:image-signature-logid:samplelogID`) | +| k8s:${containerID}:image-signature-integrated-time | The time (in Unix timestamp format) when the image signature was integrated into the signature transparency log​ (eg. `k8s:000000:image-signature-integrated-time:12345`) | +| k8s:sigstore-validation | The confirmation if the signature is valid, has value of "passed" (eg. `k8s:sigstore-validation:passed`) | > **Note** `container-image` will ONLY match against the specific container in the pod that is contacting SPIRE on behalf of > the pod, whereas `pod-image` and `pod-init-image` will match against ANY container or init container in the Pod, > respectively. diff --git a/support/oidc-discovery-provider/README.md b/support/oidc-discovery-provider/README.md index 55a4dce47d..f89ec8a3bf 100644 --- a/support/oidc-discovery-provider/README.md +++ b/support/oidc-discovery-provider/README.md 
@@ -31,27 +31,27 @@ The provider has the following command line flags: The configuration file is **required** by the provider. It contains [HCL](https://github.com/hashicorp/hcl) encoded configurables. -| Key | Type | Required? | Description | Default | -|-------------------------|---------|----------------|------------------------------------------------------------------------|----------| -| `acme` | section | required[1] | Provides the ACME configuration. | | -| `serving_cert_file` | section | required[1][4] | Provides the serving certificate configuration. | | -| `allow_insecure_scheme` | string | optional[3] | Serves OIDC configuration response with HTTP url. | `false` | -| `domains` | strings | required | One or more domains the provider is being served from. | | -| `experimental` | section | optional | The experimental options that are subject to change or removal. | | -| `insecure_addr` | string | optional[3] | Exposes the service on http. | | -| `set_key_use` | bool | optional | If true, the `use` parameter on JWKs will be set to `sig`. | `false` | -| `listen_socket_path` | string | required[1][3] | Path on disk to listen with a Unix Domain Socket. Unix platforms only. | | -| `log_format` | string | optional | Format of the logs (either `"TEXT"` or `"JSON"`) | `""` | -| `log_level` | string | required | Log level (one of `"error"`,`"warn"`,`"info"`,`"debug"`) | `"info"` | -| `log_path` | string | optional | Path on disk to write the log. | | -| `log_requests` | bool | optional | If true, all HTTP requests are logged at the debug level | `false` | -| `server_api` | section | required[2] | Provides SPIRE Server API details. | | -| `workload_api` | section | required[2] | Provides Workload API details. | | -| `health_checks` | section | optional | Enable and configure health check endpoints | | - -| experimental | Type | Required? 
| Description | Default | -|--------------------------|--------|----------------|------------------------------------------------------|---------| -| `listen_named_pipe_name` | string | required[1][3] | Pipe name to listen with a named pipe. Windows only. | | +| Key | Type | Required? | Description | Default | +|-------------------------|---------|--------------------|------------------------------------------------------------------------|----------| +| `acme` | section | required[1] | Provides the ACME configuration. | | +| `serving_cert_file` | section | required\[1\]\[4\] | Provides the serving certificate configuration. | | +| `allow_insecure_scheme` | string | optional\[3\] | Serves OIDC configuration response with HTTP url. | `false` | +| `domains` | strings | required | One or more domains the provider is being served from. | | +| `experimental` | section | optional | The experimental options that are subject to change or removal. | | +| `insecure_addr` | string | optional\[3\] | Exposes the service on http. | | +| `set_key_use` | bool | optional | If true, the `use` parameter on JWKs will be set to `sig`. | `false` | +| `listen_socket_path` | string | required\[1\]\[3\] | Path on disk to listen with a Unix Domain Socket. Unix platforms only. | | +| `log_format` | string | optional | Format of the logs (either `"TEXT"` or `"JSON"`) | `""` | +| `log_level` | string | required | Log level (one of `"error"`,`"warn"`,`"info"`,`"debug"`) | `"info"` | +| `log_path` | string | optional | Path on disk to write the log. | | +| `log_requests` | bool | optional | If true, all HTTP requests are logged at the debug level | `false` | +| `server_api` | section | required\[2\] | Provides SPIRE Server API details. | | +| `workload_api` | section | required\[2\] | Provides Workload API details. | | +| `health_checks` | section | optional | Enable and configure health check endpoints | | + +| experimental | Type | Required? 
| Description | Default | +|--------------------------|--------|--------------------|------------------------------------------------------|---------| +| `listen_named_pipe_name` | string | required\[1\]\[3\] | Pipe name to listen with a named pipe. Windows only. | |
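
Review bot: the added line in the CONTRIBUTING.md hunk, and the identical added lines in the README.md and SECURITY.md hunks, reads "please let us know at . We'll send a confirmation email", so as shown here the reporting address that the removed line carried (security@spiffe.io) is no longer present after "at". If the change wraps the address to satisfy a bare-URL lint rule, check the rendered Markdown of all three files to confirm the address still displays, since it is the only vulnerability-reporting contact these sections give.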
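
Review bot: in the Makefile hunk, markdown_lint_image is still resolved by tag (ghcr.io/igorshubovych/markdownlint-cli:$(markdown_lint_version)), so the bump to v0.35.0 trusts whatever the registry serves for that tag at build time. Consider pinning the image by digest alongside the version so that a linter update is an explicit, reviewable change. It would also help to say in the commit message which newly enforced rules prompted the documentation edits, since the message only says "fix new Markdown linter errors".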
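
Review bot: in the doc/plugin_agent_workloadattestor_k8s.md hunk, only the example values were moved into code spans; the Selector column entries such as k8s:${containerID}:image-signature-content are still plain text, and the rewritten rows keep "an unique" and "eg.". Since every row of the table is being rewritten anyway, put the selector names in backticks as well and fix the wording ("a unique", "e.g.") in the same pass. The first row's description ("The value of the signature itself in a hash") is also hard to parse and would benefit from a rewording while the line is open.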
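
Review bot: in the support/oidc-discovery-provider/README.md hunk, the added `acme` row still has required[1] unescaped, while every other footnote marker in the table was changed to the escaped form (for example required\[1\]\[4\] on `serving_cert_file`). Escape it the same way so the table is consistent and the linter does not flag it later. Separately, `allow_insecure_scheme` is listed with Type string and Default `false`; if the option is a boolean, correct the Type cell while the row is being rewritten.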