-
Notifications
You must be signed in to change notification settings - Fork 416
Address vulnerabilities in zot #3350
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| package: | ||
| name: zot | ||
| version: 1.4.3 | ||
| epoch: 5 | ||
| version: 1.4.3 # Check if the Go module patching can be removed in the next release. | ||
| epoch: 6 | ||
| description: A production-ready vendor-neutral OCI-native container image registry (purely based on OCI Distribution Specification) | ||
| copyright: | ||
| - license: Apache-2.0 | ||
|
|
@@ -16,17 +16,44 @@ environment: | |
| - busybox | ||
| - go | ||
| - curl | ||
| - patch | ||
|
|
||
| pipeline: | ||
| - uses: git-checkout | ||
| with: | ||
| repository: https://github.com/project-zot/zot | ||
| tag: v${{package.version}} | ||
| destination: zot | ||
| expected-commit: 69f0cf6bb4727884af42f38c92858fdb114104de | ||
|
|
||
| - runs: | | ||
| cd zot | ||
| # Resolve numerous vulnerabilities, and resolve dependency issues caused by these changes. | ||
|
|
||
| go mod edit -replace 'go.opentelemetry.io/otel=go.opentelemetry.io/[email protected]' | ||
| go mod edit -replace 'google.golang.org/grpc=google.golang.org/[email protected]' | ||
|
|
||
| # Remove replace directives that don't appear to be necessary and introduce vulnerabilities. | ||
| sed -i '/github\.com\/opencontainers\/runc v1\.1\.2/d' go.mod | ||
| sed -i '/github\.com\/hashicorp\/go-getter v1\.6\.1/d' go.mod | ||
|
|
||
| go get github.com/docker/[email protected] | ||
| go get github.com/docker/[email protected] | ||
| go get github.com/hashicorp/[email protected] | ||
| go get github.com/opencontainers/[email protected] | ||
| go get github.com/sigstore/[email protected] | ||
| go get golang.org/x/[email protected] | ||
|
|
||
| go mod tidy | ||
|
|
||
| - runs: | | ||
| # Zot hasn't been updated to handle the latest version of the image-spec module. | ||
| # Revert a particular breaking commit in image-spec (63b8bd0) until zot does upgrade. | ||
|
|
||
| moduleDir="$(go env GOPATH)/pkg/mod/github.com/opencontainers/[email protected]" | ||
| chmod -R u+w "$moduleDir" | ||
| patch -p1 -d "$moduleDir" -N < ./revert-removal-of-symbols.patch | ||
| go clean -cache | ||
|
|
||
| - runs: | | ||
| GOARCH=$(go env GOARCH) | ||
|
|
||
| make OS=linux ARCH=${GOARCH} binary | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,270 @@ | ||
| commit cb308cd1d7c438c28746547e0c283f31cb61716a | ||
| Author: Dan Luhring <[email protected]> | ||
| Date: Mon Jul 3 17:52:19 2023 -0400 | ||
|
|
||
| Revert "Remove artifact manifest" | ||
|
|
||
| This reverts commit 63b8bd02f5b5a2ce464a9a8ea6df049c326ce20f. | ||
|
|
||
| diff --git a/Makefile b/Makefile | ||
| index dd2074d..9e529c9 100644 | ||
| --- a/Makefile | ||
| +++ b/Makefile | ||
| @@ -30,6 +30,7 @@ DOC_FILES := \ | ||
| descriptor.md \ | ||
| image-layout.md \ | ||
| manifest.md \ | ||
| + artifact.md \ | ||
| image-index.md \ | ||
| layer.md \ | ||
| config.md \ | ||
| diff --git a/annotations.md b/annotations.md | ||
| index 49f5f82..f3752e5 100644 | ||
| --- a/annotations.md | ||
| +++ b/annotations.md | ||
| @@ -16,8 +16,10 @@ This property contains arbitrary metadata. | ||
|
|
||
| ## Pre-Defined Annotation Keys | ||
|
|
||
| -This specification defines the following annotation keys, intended for but not limited to [image index](image-index.md), image [manifest](manifest.md), and [descriptor](descriptor.md) authors. | ||
| +This specification defines the following annotation keys, intended for but not limited to [image index](image-index.md), image [manifest](manifest.md), [artifact](artifact.md), and [descriptor](descriptor.md) authors. | ||
|
|
||
| +* **org.opencontainers.artifact.created** date and time on which the artifact was built, conforming to [RFC 3339][rfc3339]. | ||
| +* **org.opencontainers.artifact.description**: human readable description for the artifact (string) | ||
| * **org.opencontainers.image.created** date and time on which the image was built, conforming to [RFC 3339][rfc3339]. | ||
| * **org.opencontainers.image.authors** contact details of the people or organization responsible for the image (freeform string) | ||
| * **org.opencontainers.image.url** URL to find more information on the image (string) | ||
| diff --git a/artifact.md b/artifact.md | ||
| new file mode 100644 | ||
| index 0000000..3d2b44c | ||
| --- /dev/null | ||
| +++ b/artifact.md | ||
| @@ -0,0 +1,74 @@ | ||
| +# OCI Artifact Manifest Specification | ||
| + | ||
| +The goal of the Artifact Manifest Specification is to define content addressable artifacts in order to store them along side container images in a registry. | ||
| +Like [OCI Images](manifest.md), OCI Artifacts may be referenced by the hash of their manifest. | ||
| +Unlike OCI Images, OCI Artifacts are not meant to be used by any container runtime. | ||
| + | ||
| +Examples of artifacts that may be stored along with container images are Software Bill of Materials (SBOM), Digital Signatures, Provenance data, Supply Chain Attestations, scan results, and Helm charts. | ||
| + | ||
| +This section defines the `application/vnd.oci.artifact.manifest.v1+json` [media type](media-types.md). | ||
| +For the media type(s) that this is compatible with see the [matrix](media-types.md#compatibility-matrix). | ||
| + | ||
| +# Artifact Manifest | ||
| + | ||
| +## *Artifact Manifest* Property Descriptions | ||
| + | ||
| +- **`mediaType`** *string* | ||
| + | ||
| + This property MUST be used and contain the media type `application/vnd.oci.artifact.manifest.v1+json`. | ||
| + | ||
| +- **`artifactType`** *string* | ||
| + | ||
| + This property SHOULD be used and contain the mediaType of the referenced artifact. | ||
| + If defined, the value MUST comply with [RFC 6838][rfc6838], including the [naming requirements in its section 4.2][rfc6838-s4.2], and MAY be registered with [IANA][iana]. | ||
| + | ||
| +- **`blobs`** *array of objects* | ||
| + | ||
| + This OPTIONAL property is an array of objects and each item in the array MUST be a [descriptor](descriptor.md). | ||
| + Each descriptor represents an artifact of any IANA mediaType. | ||
| + The list MAY be ordered for certain artifact types like scan results. | ||
| + | ||
| +- **`subject`** *[descriptor](descriptor.md)* | ||
| + | ||
| + This OPTIONAL property specifies a [descriptor](descriptor.md) of another manifest. | ||
| + This value, used by the [`referrers` API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers), indicates a relationship to the specified manifest. | ||
| + | ||
| +- **`annotations`** *string-string map* | ||
| + | ||
| + This OPTIONAL property contains additional metadata for the artifact manifest. | ||
| + This OPTIONAL property MUST use the [annotation rules](annotations.md#rules). | ||
| + | ||
| + See [Pre-Defined Annotation Keys](annotations.md#pre-defined-annotation-keys). | ||
| + | ||
| + Annotations MAY be used to filter the response from the [`referrers` API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers). | ||
| + | ||
| +## Examples | ||
| + | ||
| +*Example showing an artifact manifest for an example SBOM referencing an image:* | ||
| + | ||
| +```jsonc,title=Manifest&mediatype=application/vnd.oci.artifact.manifest.v1%2Bjson | ||
| +{ | ||
| + "mediaType": "application/vnd.oci.artifact.manifest.v1+json", | ||
| + "artifactType": "application/vnd.example.sbom.v1", | ||
| + "blobs": [ | ||
| + { | ||
| + "mediaType": "application/gzip", | ||
| + "size": 123, | ||
| + "digest": "sha256:87923725d74f4bfb94c9e86d64170f7521aad8221a5de834851470ca142da630" | ||
| + } | ||
| + ], | ||
| + "subject": { | ||
| + "mediaType": "application/vnd.oci.image.manifest.v1+json", | ||
| + "size": 1234, | ||
| + "digest": "sha256:cc06a2839488b8bd2a2b99dcdc03d5cfd818eed72ad08ef3cc197aac64c0d0a0" | ||
| + }, | ||
| + "annotations": { | ||
| + "org.opencontainers.artifact.created": "2022-01-01T14:42:55Z", | ||
| + "org.example.sbom.format": "json" | ||
| + } | ||
| +} | ||
| +``` | ||
| + | ||
| +[iana]: https://www.iana.org/assignments/media-types/media-types.xhtml | ||
| +[rfc6838]: https://tools.ietf.org/html/rfc6838 | ||
| +[rfc6838-s4.2]: https://tools.ietf.org/html/rfc6838#section-4.2 | ||
| diff --git a/descriptor.md b/descriptor.md | ||
| index f936b91..82d303f 100644 | ||
| --- a/descriptor.md | ||
| +++ b/descriptor.md | ||
| @@ -55,11 +55,14 @@ The following fields contain the primary properties that constitute a Descriptor | ||
| - **`artifactType`** *string* | ||
|
|
||
| This OPTIONAL property contains the type of an artifact when the descriptor points to an artifact. | ||
| + This is the value of `artifactType` when the descriptor references an [artifact manifest](artifact.md). | ||
| This is the value of the config descriptor `mediaType` when the descriptor references an [image manifest](manifest.md). | ||
| If defined, the value MUST comply with [RFC 6838][rfc6838], including the [naming requirements in its section 4.2][rfc6838-s4.2], and MAY be registered with [IANA][iana]. | ||
|
|
||
| Descriptors pointing to [`application/vnd.oci.image.manifest.v1+json`](manifest.md) SHOULD include the extended field `platform`, see [Image Index Property Descriptions](image-index.md#image-index-property-descriptions) for details. | ||
|
|
||
| +Descriptors pointing to [`application/vnd.oci.artifact.manifest.v1+json`](artifact.md) SHOULD include the extended field `artifactType`. | ||
| + | ||
| ### Reserved | ||
|
|
||
| Extended _Descriptor_ field additions proposed in other OCI specifications SHOULD first be considered for addition into this specification. | ||
| @@ -203,7 +206,7 @@ In the following example, the descriptor indicates the type of artifact it is re | ||
|
|
||
| ```json,title=Content%20Descriptor&mediatype=application/vnd.oci.descriptor.v1%2Bjson | ||
| { | ||
| - "mediaType": "application/vnd.oci.image.manifest.v1+json", | ||
| + "mediaType": "application/vnd.oci.artifact.manifest.v1+json", | ||
| "size": 123, | ||
| "digest": "sha256:87923725d74f4bfb94c9e86d64170f7521aad8221a5de834851470ca142da630", | ||
| "artifactType": "application/vnd.example.sbom.v1" | ||
| diff --git a/image-index.md b/image-index.md | ||
| index 5d32c6b..7695bb6 100644 | ||
| --- a/image-index.md | ||
| +++ b/image-index.md | ||
| @@ -35,6 +35,7 @@ For the media type(s) that this document is compatible with, see the [matrix][ma | ||
| Implementations MUST support at least the following media types: | ||
|
|
||
| - [`application/vnd.oci.image.manifest.v1+json`](manifest.md) | ||
| + - [`application/vnd.oci.artifact.manifest.v1+json`](artifact.md) | ||
|
|
||
| Also, implementations SHOULD support the following media types: | ||
|
|
||
| @@ -156,9 +157,14 @@ When the variant of the CPU is not listed in the table, values are implementatio | ||
| } | ||
| }, | ||
| { | ||
| - "mediaType": "application/vnd.oci.image.index.v1+json", | ||
| + "mediaType": "application/vnd.oci.artifact.manifest.v1+json", | ||
| "size": 7682, | ||
| - "digest": "sha256:601570aaff1b68a61eb9c85b8beca1644e698003e0cdb5bce960f193d265a8b7" | ||
| + "digest": "sha256:601570aaff1b68a61eb9c85b8beca1644e698003e0cdb5bce960f193d265a8b7", | ||
| + "artifactType": "application/example", | ||
| + "annotations": { | ||
| + "com.example.artifactKey1": "value1", | ||
| + "com.example.artifactKey2": "value2" | ||
| + } | ||
| } | ||
| ], | ||
| "annotations": { | ||
| diff --git a/img/media-types.dot b/img/media-types.dot | ||
| index 8583d5f..b6b331a 100644 | ||
| --- a/img/media-types.dot | ||
| +++ b/img/media-types.dot | ||
| @@ -4,6 +4,7 @@ digraph G { | ||
| { | ||
| rank=same | ||
| manifest [shape=note, label="Image manifest\napplication/vnd.oci.image.manifest.v1+json"] | ||
| + artifact [shape=note, label="Artifact Manifest\napplication/vnd.oci.artifact.manifest.v1+json"] | ||
| } | ||
| config [shape=note, label="Image config JSON\napplication/vnd.oci.image.config.v1+json"] | ||
| layer [shape=note, label="Layer tar archive\napplication/vnd.oci.image.layer.v1.tar\napplication/vnd.oci.image.layer.v1.tar+gzip\napplication/vnd.oci.image.layer.nondistributable.v1.tar\napplication/vnd.oci.image.layer.nondistributable.v1.tar+gzip"] | ||
| @@ -13,5 +14,9 @@ digraph G { | ||
| imageIndex -> manifest [label="1..*"] | ||
| manifest -> config [label="1..1"] | ||
| manifest -> layer [label="1..*"] | ||
| + artifact -> manifest [label="0..1"] [constraint = false]; | ||
| + artifact -> artifact [label="0..1"]; | ||
| manifest -> manifest [label="0..1"]; | ||
| + artifact -> imageIndex [label="0..1"] | ||
| + artifact -> layer[label="0..*"] | ||
| } | ||
| diff --git a/img/media-types.png b/img/media-types.png | ||
| index 70d2fe6..cfb9f5b 100644 | ||
| Binary files a/img/media-types.png and b/img/media-types.png differ | ||
| diff --git a/spec.md b/spec.md | ||
| index 4a37788..a3e7684 100644 | ||
| --- a/spec.md | ||
| +++ b/spec.md | ||
| @@ -17,6 +17,7 @@ The goal of this specification is to enable the creation of interoperable tools | ||
| - [Image Index](image-index.md) | ||
| - [Filesystem Layers](layer.md) | ||
| - [Image Configuration](config.md) | ||
| +- [Artifact Manifest](artifact.md) | ||
| - [Annotations](annotations.md) | ||
| - [Conversion](conversion.md) | ||
| - [Considerations](considerations.md) | ||
| @@ -53,6 +54,7 @@ The high-level components of the spec include: | ||
|
|
||
| * [Image Manifest](manifest.md) - a document describing the components that make up a container image | ||
| * [Image Index](image-index.md) - an annotated list of manifests | ||
| +* [Artifact Manifest](artifact.md) - a document describing the components that make up an artifact | ||
| * [Image Layout](image-layout.md) - a filesystem layout representing the contents of an image | ||
| * [Filesystem Layer](layer.md) - a changeset that describes a container's filesystem | ||
| * [Image Configuration](config.md) - a document determining layer ordering and configuration of the image suitable for translation into a [runtime bundle][runtime-spec] | ||
| diff --git a/specs-go/v1/artifact.go b/specs-go/v1/artifact.go | ||
| new file mode 100644 | ||
| index 0000000..b755ec2 | ||
| --- /dev/null | ||
| +++ b/specs-go/v1/artifact.go | ||
| @@ -0,0 +1,34 @@ | ||
| +// Copyright 2022 The Linux Foundation | ||
| +// | ||
| +// Licensed under the Apache License, Version 2.0 (the "License"); | ||
| +// you may not use this file except in compliance with the License. | ||
| +// You may obtain a copy of the License at | ||
| +// | ||
| +// http://www.apache.org/licenses/LICENSE-2.0 | ||
| +// | ||
| +// Unless required by applicable law or agreed to in writing, software | ||
| +// distributed under the License is distributed on an "AS IS" BASIS, | ||
| +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| +// See the License for the specific language governing permissions and | ||
| +// limitations under the License. | ||
| + | ||
| +package v1 | ||
| + | ||
| +// Artifact describes an artifact manifest. | ||
| +// This structure provides `application/vnd.oci.artifact.manifest.v1+json` mediatype when marshalled to JSON. | ||
| +type Artifact struct { | ||
| + // MediaType is the media type of the object this schema refers to. | ||
| + MediaType string `json:"mediaType"` | ||
| + | ||
| + // ArtifactType is the IANA media type of the artifact this schema refers to. | ||
| + ArtifactType string `json:"artifactType,omitempty"` | ||
| + | ||
| + // Blobs is a collection of blobs referenced by this manifest. | ||
| + Blobs []Descriptor `json:"blobs,omitempty"` | ||
| + | ||
| + // Subject (reference) is an optional link from the artifact to another manifest forming an association between the artifact and the other manifest. | ||
| + Subject *Descriptor `json:"subject,omitempty"` | ||
| + | ||
| + // Annotations contains arbitrary metadata for the artifact manifest. | ||
| + Annotations map[string]string `json:"annotations,omitempty"` | ||
| +} | ||
| diff --git a/specs-go/v1/mediatype.go b/specs-go/v1/mediatype.go | ||
| index 5dd3125..3126d81 100644 | ||
| --- a/specs-go/v1/mediatype.go | ||
| +++ b/specs-go/v1/mediatype.go | ||
| @@ -72,4 +72,7 @@ const ( | ||
|
|
||
| // MediaTypeScratch specifies the media type for an unused blob containing the value `{}` | ||
| MediaTypeScratch = "application/vnd.oci.scratch.v1+json" | ||
| + | ||
| + // MediaTypeArtifactManifest specifies the media type for a content descriptor. | ||
| + MediaTypeArtifactManifest = "application/vnd.oci.artifact.manifest.v1+json" | ||
| ) |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.