Commit graph

36 commits

Author SHA1 Message Date
Bracken Dawson
27a96320b9
Changes for OCI 1.1RC3
Artifact Manifest was deleted ¯\_(ツ)_/¯, Image manifest keeps the
subject field, gains an artifactType field, and the rules for what the
artifactType actually is change.

Keeping a lot of the framework that came of the Artifact Manifest
because I think it lead to some worthwhile abstractions.

Signed-off-by: Bracken Dawson <abdawson@gmail.com>
2023-05-23 11:53:25 +01:00
Bracken Dawson
30015b3c6d
Parsing and storing of OCI Artifact Manifests
Does not yet make referrers link from the subject to the referrer

Signed-off-by: Bracken Dawson <abdawson@gmail.com>
2023-05-23 11:49:16 +01:00
AdamKorcz
e2a43ec8d3
Fuzzing: Move over two fuzzers from cncf-fuzzing
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-02 23:03:57 +02:00
Kirat Singh
ba4a6bbe02 Update Azure SDK and support additional authentication schemes
Microsoft has updated the golang Azure SDK significantly.  Update the
azure storage driver to use the new SDK.  Add support for client
secret and MSI authentication schemes in addition to shared key
authentication.

Implement rootDirectory support for the azure storage driver to mirror
the S3 driver.

Signed-off-by: Kirat Singh <kirat.singh@beacon.io>

Co-authored-by: Cory Snider <corhere@gmail.com>
2023-04-25 17:23:20 +00:00
dependabot[bot]
9594fbcfeb
build(deps): bump golang.org/x/net from 0.4.0 to 0.7.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.4.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-17 22:42:11 +00:00
Sebastiaan van Stijn
345be95498
vendor: golang.org/x/net v0.4.0
golang.org/x/net contains a fix for CVE-2022-41717, which was addressed
in stdlib in go1.19.4 and go1.18.9;

> net/http: limit canonical header cache by bytes, not entries
>
> An attacker can cause excessive memory growth in a Go server accepting
> HTTP/2 requests.
>
> HTTP/2 server connections contain a cache of HTTP header keys sent by
> the client. While the total number of entries in this cache is capped,
> an attacker sending very large keys can cause the server to allocate
> approximately 64 MiB per open connection.
>
> This issue is also fixed in golang.org/x/net/http2 v0.4.0,
> for users manually configuring HTTP/2.

full diff: https://github.com/golang/net/compare/v0.2.0...v0.4.0

other dependency updates (due to (circular) dependencies):

- golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/3c1f35247d10...v0.3.0
- golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.3.7...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-08 10:39:04 +01:00
Sebastiaan van Stijn
b1285c33a8
go.mod: github.com/spf13/cobra v1.6.1
We were using v1.0.0 of Cobra as newer versions added spf13/viper as dependency,
which came with many indirect dependencies. Cobra v1.6.0 and up no longer depend
on viper, so we can now safely upgrade to the latest version.

full diff: https://github.com/spf13/cobra/compare/v1.0.0...v1.6.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-02 19:48:45 +01:00
Milos Gajdos
c47a966fde
Merge pull request #3727 from thaJeztah/bump_x_net
vendor: golang.org/x/net v0.0.0-20220906165146-f3363e06e74c
2022-10-21 10:26:57 +01:00
Aaron Lehmann
e36cb0a5d8 registry/storage/cache/memory: Use LRU cache to bound cache size
Instead of letting the cache grow without bound, use a LRU to impose a
size limit.

The limit is configurable through a new `blobdescriptorsize` config key.

Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
2022-09-07 07:20:06 -07:00
Sebastiaan van Stijn
f9dee9dc90
vendor: golang.org/x/net v0.0.0-20220906165146-f3363e06e74c
Update to the latest version that contains a fix for CVE-2022-27664;
f3363e06e7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 23:09:44 +02:00
Sebastiaan van Stijn
ec47096efc
vendor: github.com/prometheus/client_golang v1.12.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-05 18:43:00 +02:00
Trevor Wood
decc64eb5c
go.mod: github.com/aws/aws-sdk-go v1.43.16
Signed-off-by: Trevor Wood <Trevor.G.Wood@gmail.com>
2022-03-10 20:27:01 -05:00
Sebastiaan van Stijn
4f1c1e4268
go.mod: github.com/Azure/go-autorest/autorest v0.11.24
Update the indirect dependency to remove the transitional github.com/form3tech-oss/jwt-go
dependency from the dependency graph.

Updates:

- github.com/Azure/go-autorest/autorest v0.11.24: https://github.com/Azure/go-autorest/compare/autorest/v0.11.20...autorest/v0.11.24
- github.com/Azure/go-autorest/autorest/adal v0.9.18: https://github.com/Azure/go-autorest/compare/autorest/adal/v0.9.15...autorest/adal/v0.9.18
- github.com/golang-jwt/jwt v4.2.0: https://github.com/golang-jwt/jwt/compare/v4.0.0...v4.2.0
- golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3: 32db794688...e495a2d5b3

Before this:

    go mod graph | grep 'jwt'
    github.com/Azure/go-autorest/autorest/adal@v0.9.15 github.com/golang-jwt/jwt/v4@v4.0.0
    github.com/Azure/go-autorest/autorest/adal@v0.9.13 github.com/form3tech-oss/jwt-go@v3.2.2+incompatible

After this:

    go mod graph | grep 'jwt'
    github.com/Azure/go-autorest/autorest@v0.11.24 github.com/golang-jwt/jwt/v4@v4.2.0
    github.com/Azure/go-autorest/autorest/adal@v0.9.18 github.com/golang-jwt/jwt/v4@v4.0.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-28 18:02:58 +01:00
Sebastiaan van Stijn
79ead619be
go.mod: spf13/cobra v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-26 16:59:40 +01:00
Adam Kaplan
81a2d171ee Update aws-sdk to 1.42.27
Upgrade the aws golang SDK to 1.42.27 to add the new options for
configuring S3 dualstack endpoints.

Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
2022-01-04 17:19:05 -05:00
Sebastiaan van Stijn
6fbba6a99b
go.mod: github.com/opencontainers/image-spec v1.0.2
- Bring mediaType out of reserved status
- specs-go: adding mediaType to the index and manifest structures

full diff: https://github.com/opencontainers/image-spec/compare/v1.0.1...v1.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-17 22:25:16 +01:00
Wang Yan
3f4c558dac bump up golang v1.17
Signed-off-by: Wang Yan <wangyan@vmware.com>
2021-10-27 15:51:30 +08:00
David Justice
3e68d47da6
chore: update azure go-autorest dependencies
Signed-off-by: David Justice <david@devigned.com>
2021-08-25 13:43:18 -04:00
Sebastiaan van Stijn
226ad1e639
go.mod: update logrus to v1.8.1
Newer versions contain fixes for recent Go versions, and this removes
the dependency on github.com/konsorten/go-windows-terminal-sequences

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-22 14:36:56 +02:00
Sebastiaan van Stijn
06c8d441f8
go.mod: gopkg.in/yaml.v2 v2.4.0
This updates the package to a version to include the security fixes in v2.2.3.

Version 2.3.0 was known introduce a breaking change for some users, so using
the latest (v2.4.0)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-22 14:31:11 +02:00
olegburov
907e7be545 Bump Logstash hook for logrus to v1.0.0.
Signed-off-by: olegburov <oleg.burov@outlook.com>
2021-02-11 21:51:13 -08:00
olegburov
03aaf6ab51
Bump Gorilla Handlers to v1.5.1.
Signed-off-by: olegburov <oleg.burov@outlook.com>
2020-11-06 10:22:21 -08:00
Arko Dasgupta
f4506b517a
Merge pull request #3237 from olegburov/bump-gorilla-mux
Upgrade Gorilla Mux to `1.8.0`.
2020-11-05 13:23:17 -08:00
olegburov
264e26fd8c Bump Redigo to v1.8.2.
Signed-off-by: olegburov <oleg.burov@outlook.com>
2020-08-31 18:07:54 -07:00
olegburov
545596ae2c Bump Gorilla Mux to v1.8.0.
Signed-off-by: olegburov <oleg.burov@outlook.com>
2020-08-31 08:54:44 -07:00
Manish Tomar
5dc1f65acc
Merge pull request #3224 from AndreasHassing/fix/bad-pointer-windows-EnableVirtualTerminalProcessing
Update logrus to v1.6.0, fixes #3223
2020-08-24 15:04:52 -07:00
Sebastiaan van Stijn
8a8d91529d
vendor: opencontainers/go-digest v1.0.0
full diff: https://github.com/opencontainers/go-digest/compare/v1.0.0-rc1...v1.0.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-24 18:46:53 +02:00
Andreas Hassing
9466dd4e5a Update logrus to v1.6.0
Fixes #3223 by bumping logrus to v1.6.0, which in turn bumps
github.com/konsorten/go-windows-terminal-sequences to v1.0.3
wherein the fix to bad pointer is found.

Signed-off-by: Andreas Hassing <andreas@famhassing.dk>
2020-08-24 13:14:04 +02:00
Manish Tomar
0316f34bf2
Merge pull request #3118 from lawliet89/bump-aws-sdk
Bump AWS SDK to v1.34.9
2020-08-21 15:57:08 -07:00
Yong Wen Chua
e1464fd317
Bump AWS SDK
Fixes https://github.com/docker/distribution/issues/3097

Signed-off-by: Yong Wen Chua <lawliet89@users.noreply.github.com>
2020-08-21 17:35:24 +08:00
wang yan
bf56f348be Update oci library
1, update go-digest to v1.0.0-rc1
2, update image-spec to v1.0.1

Signed-off-by: wang yan <wangyan@vmware.com>
2020-03-10 23:19:29 +08:00
Elliot Pahl
800cb95821
Use go-events package
TBD: Queue not converted yet

Signed-off-by: Elliot Pahl <elliot.pahl@gmail.com>
2020-03-04 12:49:32 -08:00
Sebastiaan van Stijn
98dcc5195e
vendor: update docker/go-metrics v0.0.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-02 20:14:15 +01:00
Sebastiaan van Stijn
7e290869e7
vendor: update golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d (CVE-2020-7919)
Includes 69ecbb4d6d
(forward-port of 8b5121be2f),
which fixes CVE-2020-7919:

- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
  On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
  functions of golang.org/x/crypto/cryptobyte can lead to a panic.
  The malformed certificate can be delivered via a crypto/tls connection to a
  client, or to a server that accepts client certificates. net/http clients can
  be made to crash by an HTTPS server, while net/http servers that accept client
  certificates will recover the panic and are unaffected.
  Thanks to Project Wycheproof for providing the test cases that led to the
  discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-21 23:45:56 +01:00
Tariq Ibrahim
afe29bb697
update the golang compiler version and the versions of several dependencies
Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com>
2019-06-19 22:43:52 -07:00
Tariq Ibrahim
5223c27422
migrate to go modules from vndr
Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com>
2019-06-19 12:24:07 -07:00