
Commit f9daefc

authored
Merge pull request #1701 from st3penta/EC-1655
Discover SBOMs attached to images via OCI referrers and tags
2 parents 6f91359 + e9feaa0 commit f9daefc


11 files changed

+629
-3411
lines changed


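--- a/acceptance/go.mod
+++ b/acceptance/go.mod
@@ -5,24 +5,23 @@ go 1.25.3
 toolchain go1.25.7
 
 require (
-github.com/conforma/cli v0.8.108
+github.com/conforma/cli v0.9.2
 github.com/cucumber/godog v0.15.1
 )
 
 require (
 cel.dev/expr v0.25.1 // indirect
 cloud.google.com/go v0.121.6 // indirect
-cloud.google.com/go/auth v0.17.0 // indirect
+cloud.google.com/go/auth v0.18.0 // indirect
 cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 cloud.google.com/go/compute/metadata v0.9.0 // indirect
 cloud.google.com/go/iam v1.5.3 // indirect
-cloud.google.com/go/monitoring v1.24.2 // indirect
+cloud.google.com/go/monitoring v1.24.3 // indirect
 cloud.google.com/go/storage v1.57.1 // indirect
 contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect
 contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
 cuelang.org/go v0.15.3 // indirect
 dario.cat/mergo v1.0.2 // indirect
-filippo.io/edwards25519 v1.1.0 // indirect
 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.15.0 // indirect
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
@@ -63,7 +62,6 @@ require (
 github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-github.com/aws/aws-sdk-go v1.55.8 // indirect
 github.com/aws/aws-sdk-go-v2 v1.41.0 // indirect
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect
 github.com/aws/aws-sdk-go-v2/config v1.32.5 // indirect
@@ -92,14 +90,16 @@ require (
 github.com/blang/semver v3.5.1+incompatible // indirect
 github.com/blendle/zapdriver v1.3.1 // indirect
 github.com/bufbuild/protocompile v0.14.1 // indirect
-github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 // indirect
 github.com/bytecodealliance/wasmtime-go/v39 v39.0.1 // indirect
 github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/chainguard-dev/git-urls v1.0.2 // indirect
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
 github.com/clbanning/mxj/v2 v2.7.0 // indirect
+github.com/clipperhouse/displaywidth v0.6.0 // indirect
+github.com/clipperhouse/stringish v0.1.1 // indirect
+github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 github.com/cloudflare/circl v1.6.1 // indirect
 github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f // indirect
 github.com/cockroachdb/apd/v3 v3.2.1 // indirect
@@ -124,15 +124,14 @@ require (
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 github.com/dimchansky/utfbom v1.1.1 // indirect
-github.com/docker/cli v29.0.3+incompatible // indirect
+github.com/docker/cli v29.2.0+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.9.4 // indirect
 github.com/docker/go-units v0.5.0 // indirect
 github.com/dustin/go-humanize v1.0.1 // indirect
 github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 github.com/emicklei/proto v1.14.2 // indirect
 github.com/emirpasic/gods v1.18.1 // indirect
-github.com/enterprise-contract/enterprise-contract-controller/api v0.1.112 // indirect
 github.com/envoyproxy/go-control-plane/envoy v1.35.0 // indirect
 github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 github.com/evanphx/json-patch/v5 v5.9.0 // indirect
@@ -141,25 +140,23 @@ require (
 github.com/fsnotify/fsnotify v1.9.0 // indirect
 github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 github.com/go-akka/configuration v0.0.0-20200606091224-a002c0330665 // indirect
-github.com/go-chi/chi v4.1.2+incompatible // indirect
-github.com/go-chi/chi/v5 v5.2.3 // indirect
+github.com/go-chi/chi/v5 v5.2.4 // indirect
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 github.com/go-git/go-billy/v5 v5.6.2 // indirect
 github.com/go-git/go-git/v5 v5.16.5 // indirect
 github.com/go-ini/ini v1.67.0 // indirect
-github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 github.com/go-kit/log v0.2.1 // indirect
 github.com/go-logfmt/logfmt v0.6.0 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-openapi/analysis v0.24.1 // indirect
-github.com/go-openapi/errors v0.22.5 // indirect
+github.com/go-openapi/errors v0.22.6 // indirect
 github.com/go-openapi/jsonpointer v0.22.4 // indirect
 github.com/go-openapi/jsonreference v0.21.4 // indirect
 github.com/go-openapi/loads v0.23.2 // indirect
 github.com/go-openapi/runtime v0.29.2 // indirect
-github.com/go-openapi/spec v0.22.2 // indirect
+github.com/go-openapi/spec v0.22.3 // indirect
 github.com/go-openapi/strfmt v0.25.0 // indirect
 github.com/go-openapi/swag v0.25.4 // indirect
 github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
@@ -189,16 +186,14 @@ require (
 github.com/google/gnostic-models v0.7.0 // indirect
 github.com/google/go-cmp v0.7.0 // indirect
 github.com/google/go-containerregistry v0.20.7 // indirect
-github.com/google/go-github/v55 v55.0.0 // indirect
 github.com/google/go-github/v73 v73.0.0 // indirect
 github.com/google/go-jsonnet v0.21.0 // indirect
 github.com/google/go-querystring v1.2.0 // indirect
-github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/s2a-go v0.1.9 // indirect
 github.com/google/safearchive v0.0.0-20241025131057-f7ce9d7b6f9c // indirect
 github.com/google/uuid v1.6.0 // indirect
-github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
-github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+github.com/googleapis/enterprise-certificate-proxy v0.3.9 // indirect
+github.com/googleapis/gax-go/v2 v2.16.0 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b // indirect
 github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.65 // indirect
@@ -209,7 +204,6 @@ require (
 github.com/hashicorp/go-memdb v1.3.4 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
 github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
-github.com/hashicorp/go-safetemp v1.0.0 // indirect
 github.com/hashicorp/go-version v1.7.0 // indirect
 github.com/hashicorp/golang-lru v1.0.2 // indirect
 github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
@@ -223,8 +217,6 @@ require (
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
-github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
-github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/jstemmer/go-junit-report v1.0.0 // indirect
 github.com/jstemmer/go-junit-report/v2 v2.1.0 // indirect
@@ -242,15 +234,12 @@ require (
 github.com/letsencrypt/boulder v0.20251110.0 // indirect
 github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
 github.com/magiconair/properties v1.8.10 // indirect
-github.com/mailru/easyjson v0.9.0 // indirect
 github.com/mattn/go-colorable v0.1.14 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
-github.com/mattn/go-runewidth v0.0.16 // indirect
+github.com/mattn/go-runewidth v0.0.19 // indirect
 github.com/miekg/pkcs11 v1.1.1 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
-github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
 github.com/moby/buildkit v0.26.3 // indirect
 github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/moby/locker v1.0.1 // indirect
@@ -262,14 +251,14 @@ require (
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
 github.com/olekukonko/errors v1.1.0 // indirect
-github.com/olekukonko/ll v0.0.9 // indirect
-github.com/olekukonko/tablewriter v1.1.0 // indirect
+github.com/olekukonko/ll v0.1.3 // indirect
+github.com/olekukonko/tablewriter v1.1.2 // indirect
 github.com/open-policy-agent/conftest v0.66.0 // indirect
 github.com/open-policy-agent/opa v1.12.1 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.1 // indirect
-github.com/opentracing/opentracing-go v1.2.0 // indirect
 github.com/owenrumney/go-sarif/v2 v2.3.3 // indirect
 github.com/package-url/packageurl-go v0.1.3 // indirect
 github.com/pelletier/go-toml/v2 v2.2.4 // indirect
@@ -287,29 +276,24 @@ require (
 github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 // indirect
 github.com/qri-io/jsonpointer v0.1.1 // indirect
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
-github.com/rivo/uniseg v0.4.7 // indirect
 github.com/sagikazarmark/locafero v0.11.0 // indirect
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 github.com/sassoftware/relic v7.2.1+incompatible // indirect
 github.com/secure-systems-lab/go-securesystemslib v0.10.0 // indirect
 github.com/segmentio/asm v1.2.1 // indirect
-github.com/segmentio/ksuid v1.0.4 // indirect
 github.com/sergi/go-diff v1.4.0 // indirect
 github.com/shibumi/go-pathspec v1.3.0 // indirect
 github.com/shteou/go-ignore v0.3.1 // indirect
-github.com/sigstore/cosign/v2 v2.4.1 // indirect
 github.com/sigstore/cosign/v3 v3.0.4 // indirect
 github.com/sigstore/fulcio v1.8.4 // indirect
 github.com/sigstore/protobuf-specs v0.5.0 // indirect
-github.com/sigstore/rekor v1.4.3 // indirect
+github.com/sigstore/rekor v1.5.0 // indirect
 github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect
 github.com/sigstore/sigstore v1.10.4 // indirect
 github.com/sigstore/sigstore-go v1.1.4 // indirect
-github.com/sigstore/timestamp-authority v1.2.9 // indirect
 github.com/sigstore/timestamp-authority/v2 v2.0.4 // indirect
-github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+github.com/sirupsen/logrus v1.9.4 // indirect
 github.com/skeema/knownhosts v1.3.1 // indirect
-github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 github.com/spdx/tools-golang v0.5.5 // indirect
 github.com/spf13/afero v1.15.0 // indirect
@@ -340,13 +324,11 @@ require (
 github.com/vbatts/tar-split v0.12.2 // indirect
 github.com/vektah/gqlparser/v2 v2.5.31 // indirect
 github.com/x448/float16 v0.8.4 // indirect
-github.com/xanzy/go-gitlab v0.109.0 // indirect
 github.com/xanzy/ssh-agent v0.3.3 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
 github.com/zclconf/go-cty v1.16.2 // indirect
-github.com/zeebo/errs v1.4.0 // indirect
 gitlab.com/gitlab-org/api/client-go v1.11.0 // indirect
 go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
 go.etcd.io/etcd/client/v3 v3.6.5 // indirect
@@ -365,7 +347,6 @@ require (
 go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect
 go.opentelemetry.io/otel/trace v1.39.0 // indirect
 go.opentelemetry.io/proto/otlp v1.7.1 // indirect
-go.step.sm/crypto v0.75.0 // indirect
 go.uber.org/automaxprocs v1.6.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.1 // indirect
@@ -383,15 +364,15 @@ require (
 golang.org/x/time v0.14.0 // indirect
 golang.org/x/tools v0.40.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-google.golang.org/api v0.258.0 // indirect
-google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect
+google.golang.org/api v0.260.0 // indirect
+google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
 google.golang.org/grpc v1.78.0 // indirect
 google.golang.org/protobuf v1.36.11 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
-gopkg.in/ini.v1 v1.67.0 // indirect
+gopkg.in/ini.v1 v1.67.1 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -408,8 +389,7 @@ require (
 sigs.k8s.io/controller-runtime v0.19.0 // indirect
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 sigs.k8s.io/randfill v1.0.0 // indirect
-sigs.k8s.io/release-utils v0.12.2 // indirect
-sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+sigs.k8s.io/release-utils v0.12.3 // indirect
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 sigs.k8s.io/yaml v1.6.0 // indirect
 )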
