Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion acceptance/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ require (
github.com/yudai/gojsondiff v1.0.0
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/sync v0.21.0
gopkg.in/go-jose/go-jose.v2 v2.6.3
gopkg.in/go-jose/go-jose.v4 v4.1.4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[critical] api-contract

The PR replaces gopkg.in/go-jose/go-jose.v2 with v4 in acceptance/go.mod, but acceptance/image/image.go (line 60) still imports gopkg.in/go-jose/go-jose.v2/json. In Go, v2 and v4 are distinct module paths. The acceptance module will not compile.

Suggested fix: Update the import in acceptance/image/image.go to the v4 equivalent (github.com/go-jose/go-jose/v4), or keep v2 alongside v4.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] incomplete-security-fix

The go-jose upgrade from v2 to v4 addresses GHSA-78h2-9frx-2jm8 and GHSA-c6gw-w398-hv78, but acceptance/image/image.go still imports v2. Security fixes in v4 will not apply to code importing the v2 module path.

Suggested fix: Update the import in acceptance/image/image.go to the v4 module path, adapt to API changes, and run go mod tidy to remove v2 from the dependency graph.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] incomplete-major-version-bump

go-jose v2→v4: The PR replaces gopkg.in/go-jose/go-jose.v2 with .v4 but acceptance/image/image.go:60 still imports gopkg.in/go-jose/go-jose.v2/json. The old v2 is removed as a direct dependency — if not available transitively, the build will fail. go-jose v4 also removed the json sub-package entirely.

Suggested fix: Update acceptance/image/image.go to use 'encoding/json' instead of 'gopkg.in/go-jose/go-jose.v2/json', then remove v2 from the dependency tree.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] known-vulnerable-dependency

go-jose v2 has known CVEs (CVE-2023-50658, CVE-2024-28180) but remains in the compiled binary because the source code still imports it. The go.mod change does not remediate these vulnerabilities — the vulnerable module stays in the dependency graph.

Suggested fix: Migrate source code away from go-jose v2 imports to actually remove the vulnerable dependency from the module graph.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] correctness

go-jose v2→v4 in acceptance module: the require directive replaces gopkg.in/go-jose/go-jose.v2 with .v4, but acceptance/image/image.go still imports gopkg.in/go-jose/go-jose.v2/json. Unlike the root module changes, the old v2 is not preserved as a fallback dependency. The acceptance/go.sum is also not updated with v4 checksums. This may cause build failures.

Suggested fix: Update the import in acceptance/image/image.go from gopkg.in/go-jose/go-jose.v2/json to the v4 equivalent, update acceptance/go.sum with v4 checksums, verify API compatibility, and run go mod tidy in the acceptance module.

k8s.io/api v0.36.0
k8s.io/apimachinery v0.36.0
k8s.io/client-go v0.36.0
Expand Down
6 changes: 4 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ go 1.26.3
require (
cuelang.org/go v0.16.0
github.com/CycloneDX/cyclonedx-go v0.10.0
github.com/MakeNowJust/heredoc v1.0.0
github.com/MakeNowJust/heredoc/v2 v2.0.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] logic-error

github.com/MakeNowJust/heredoc/v2 v2.0.1 is added as a direct dependency but no source file imports the v2 path. All 19 files import v1. The v2 dependency is unused.

Suggested fix: Either update all 19 source files to import heredoc/v2 or remove the v2 entry from go.mod.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] correctness

heredoc v1→v2 major version bump: go.mod adds heredoc/v2 as a direct dependency but all 19 source files still import the v1 path (github.com/MakeNowJust/heredoc). The v2 module is completely unused and would be removed by go mod tidy. Import paths in all consuming .go files must be updated to github.com/MakeNowJust/heredoc/v2.

Suggested fix: Update all 19 import statements from github.com/MakeNowJust/heredoc to github.com/MakeNowJust/heredoc/v2, verify the v2 whitespace handling change is acceptable, remove the v1 require entry, and run go mod tidy.

github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a
github.com/conforma/crds/api v0.1.7
github.com/conforma/go-gather v1.2.0
Expand All @@ -29,7 +29,7 @@ require (
github.com/open-policy-agent/opa v1.15.2
github.com/package-url/packageurl-go v0.1.3
github.com/qri-io/jsonpointer v0.1.1
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] logic-error

github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 is added as a direct dependency but no source file imports v6. All 3 files import v5. The v6 dependency is unused.

Suggested fix: Either update the 3 source files to import jsonschema/v6 and adapt to the new API, or remove the v6 entry from go.mod.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] correctness

jsonschema v5→v6 major version bump: go.mod adds jsonschema/v6 as a direct dependency but all 3 source files (pkg/schema/schema.go, internal/policy/policy.go, internal/evaluation_target/application_snapshot_image/application_snapshot_image.go) still import jsonschema/v5. The v6 module is unused. Additionally, jsonschema v6 has breaking API changes to NewCompiler(), CompileString(), AddResource(), and ValidationError that must be addressed during migration.

Suggested fix: Update import paths from jsonschema/v5 to jsonschema/v6, follow the v5→v6 migration guide at santhosh-tekuri/jsonschema#172, update API call sites, remove the v5 require entry, and run go mod tidy.

github.com/secure-systems-lab/go-securesystemslib v0.11.0
github.com/sigstore/cosign/v3 v3.0.4
github.com/sigstore/rekor v1.5.3
Expand Down Expand Up @@ -63,9 +63,11 @@ require (
replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.21.8-0.20260626175242-ae5f0ae7a0b0

require (
github.com/MakeNowJust/heredoc v1.0.0
github.com/go-openapi/runtime v0.32.4
github.com/google/uuid v1.6.0
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
golang.org/x/text v0.38.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.36.0
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,7 @@ github.com/KeisukeYamashita/go-vcl v0.4.0 h1:dFxZq2yVeaCWBJAT7Oh9Z+Pp8y32i7b11QH
github.com/KeisukeYamashita/go-vcl v0.4.0/go.mod h1:af2qGlXbsHDQN5abN7hyGNKtGhcFSaDdbLl4sfud+AU=
github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
github.com/MakeNowJust/heredoc/v2 v2.0.1/go.mod h1:6/2Abh5s+hc3g9nbWLe9ObDIOhaRrqsyY9MWy+4JdRM=
github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a h1:U//wWgvWVegUHd9m3aL6K+W9WUrXdaM/aVNxHuOmRw4=
github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a/go.mod h1:mUDfRDWWpXdfuyUtpCgApCxsgqKppYtPi35Q222DRB8=
github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
Expand Down Expand Up @@ -1026,6 +1027,7 @@ github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDc
github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A=
github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk=
github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4=
Expand Down
Loading