From bfb73c60f4ed85a6c0e8c16af2626789b72aba0b Mon Sep 17 00:00:00 2001
From: Debasish Biswas
Date: Tue, 16 Dec 2025 00:34:49 +0530
Subject: [PATCH] Pending upstream fix: for GHSA-4qg8-fj49-pxjh and GHSA-f83f-xpx7-ffpw

GHSA-f83f-xpx7-ffpw:
note: |
  The dependency github.com/sigstore/timestamp-authority cannot be updated from v1.2.9 to v2.0.3 because it is an indirect dependency pulled in by github.com/sigstore/cosign/v2, and the current cosign v2.x releases (up to v2.6.1) all depend on timestamp-authority v1.x; upgrading to cosign v3 to potentially get timestamp-authority v2 is not feasible as it introduces breaking API changes (e.g., sign.SignerFromKeyOpts is undefined), which would require significant refactoring of attestation.go and other signing-related code in vexctl.

GHSA-4qg8-fj49-pxjh:
note: |
  The dependency github.com/sigstore/fulcio cannot be updated to v1.8.3 because the API has changed and cryptoutils.ValidatePubKey is now undefined; resolving this requires upgrading to cosign v3, which is not feasible as it introduces breaking API changes (e.g., sign.SignerFromKeyOpts is undefined) that would require significant refactoring of attestation.go and other signing-related code in vexctl.

Signed-off-by: Debasish Biswas
---
 vexctl.advisories.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/vexctl.advisories.yaml b/vexctl.advisories.yaml
index ee674b1b0a..4ee175a6e5 100644
--- a/vexctl.advisories.yaml
+++ b/vexctl.advisories.yaml
@@ -106,6 +106,14 @@ advisories: componentType: go-module componentLocation: /usr/bin/vexctl scanner: grype + - timestamp: 2025-12-15T19:03:47Z + type: pending-upstream-fix + data: + note: | + The dependency github.com/sigstore/timestamp-authority cannot be updated from v1.2.9 to v2.0.3 because it is an indirect dependency + pulled in by github.com/sigstore/cosign/v2, and the current cosign v2.x releases (up to v2.6.1) all depend on timestamp-authority v1.x; + upgrading to cosign v3 to potentially get timestamp-authority v2 is not feasible as it introduces breaking API changes + (e.g., sign.SignerFromKeyOpts is undefined), which would require significant refactoring of attestation.go and other signing-related code in vexctl. - id: CGA-3m6p-7w62-crcj aliases: @@ -820,6 +828,14 @@ advisories: componentType: go-module componentLocation: /usr/bin/vexctl scanner: grype + - timestamp: 2025-12-15T19:03:47Z + type: pending-upstream-fix + data: + note: | + The dependency github.com/sigstore/fulcio cannot be updated to v1.8.3 because the API has changed and + cryptoutils.ValidatePubKey is now undefined; resolving this requires upgrading to cosign v3, which is + not feasible as it introduces breaking API changes(e.g., sign.SignerFromKeyOpts is undefined) that + would require significant refactoring of attestation.go and other signing-related code in vexctl. - id: CGA-qqh5-q6xp-3654 aliases:
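Review bot: the pending-upstream-fix event added in the first hunk (the timestamp-authority note placed just above `- id: CGA-3m6p-7w62-crcj`) explains why the dependency bump is blocked but does not say whether vexctl actually reaches the affected timestamp-authority code, and it hedges on the resolution path with "upgrading to cosign v3 to potentially get timestamp-authority v2". Please confirm and state plainly whether cosign v3 does pull in timestamp-authority v2, and add a link to the upstream cosign issue or PR that tracks it, so whoever re-triages this advisory can check progress without redoing the dependency analysis; if vexctl never exercises the vulnerable code path, a false-positive-determination event would describe the situation more accurately than pending-upstream-fix.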
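Review bot: the second hunk's note (the fulcio / cryptoutils.ValidatePubKey event above `- id: CGA-qqh5-q6xp-3654`) says the symbol "is now undefined" but not where it is referenced, and that is the fact that decides the remediation cost: if the call sits in vexctl's own attestation.go it can be replaced locally without a cosign v3 migration, and only if it is reached through cosign's API does the v3 upgrade become the real blocker, so please state which case applies. Also add the missing space in "breaking API changes(e.g., sign.SignerFromKeyOpts is undefined)" on the note's fourth line so it matches the wording of the first hunk.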