Infrastructure/zot
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
Code Issues Activity
1232 commits 7 branches 108 tags 208 MiB
Commit graph

251 commits

Author SHA1 Message Date
Ramkumar Chinchani
137e5bd793
chore: fix dependabot alerts (#1581) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-07-05 11:42:24 +03:00
Ramkumar Chinchani
aad6db279b
chore: fix dependabot alerts (#1576) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-07-04 09:19:26 -07:00
Ramkumar Chinchani
d30d7a9330
chore: fix dependabot alerts (#1537) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-06-19 12:34:50 -07:00
Ramkumar Chinchani
7dd17be96d
chore: fix dependabot alerts (#1517) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-06-16 10:28:43 +03:00
peusebiu
03f47f68c0
chore(deps): downgrade golang-lru (#1515) 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2023-06-14 19:45:30 +03:00
Ramkumar Chinchani
d7bddd2a05
chore: fix dependabot alerts (#1508) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-06-12 14:53:03 -07:00
Lisca Ana-Roberta
622dde9193
fix: referrers now appears in swagger generated docs (#1488) 
Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
 2023-06-12 10:32:11 -07:00
Ramkumar Chinchani
4d6ca493f2
chore: fix dependabot alerts (#1501) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-06-09 10:27:42 -07:00
Andrei Aaron
96d00cd0ef
fix(cve): Fix CVE scanning in images containing Jar files (#1475) 2023-06-01 00:37:46 +03:00
Ramkumar Chinchani
40180f878f
chore(go.mod): fix dependabot alerts (#1491) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-05-31 22:16:21 +03:00
Ramkumar Chinchani
e148343540
chore(go.mod): fix dependabot alerts (#1479) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-05-27 01:23:50 +03:00
LaurentiuNiculae
6e6ffe800c
chore(go.mod): upgrade to notation-go v1.0.0-rc.5 and image-spec v1.1.0-rc3 (#1468) 
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
 2023-05-23 15:16:33 +00:00
Ramkumar Chinchani
83ae1aad70
chore(go.mod): fix dependabot alerts (#1466) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-05-23 10:14:43 +03:00
Ramkumar Chinchani
2be5459c8e
chore: fix dependabot alerts (#1458) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-05-17 00:37:34 -07:00
Ramkumar Chinchani
d17fe0044b
chore(go.mod): fix dependabot alerts (#1443) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-05-12 09:45:52 +03:00
Ramkumar Chinchani
9534e0b88b
chore: fix dependabot alerts (#1409) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-05-11 16:39:21 -07:00
LaurentiuNiculae
ea79be64da
refactor(artifact): remove oci artifact support (#1359) 
* refactor(artifact): remove oci artifact support
- add header to referrers call to indicated applied artifact type filters

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

* feat(gc): simplify gc logic to increase coverage

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

---------

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
 2023-05-10 10:15:33 -07:00
Ramkumar Chinchani
42df4c505a
chore: fix dependabot alerts (#1403) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-05-01 12:49:10 -07:00
Ramkumar Chinchani
c3ba122830
chore(go.mod): fix dependabot alerts (#1377) 2023-05-01 08:31:02 +03:00
Andreea Lupu
40bf76add5
chore(go.mod): upgrade trivy and cosign (#1387) 
Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
 2023-04-27 09:35:10 -07:00
Ramkumar Chinchani
e6b81bb354
chore(go.mod): fix dependabot alerts (#1365) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-04-12 14:10:47 +03:00
Ramkumar Chinchani
9f512082ad
chore(go.mod): fix dependabot alerts (#1360) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-04-11 23:21:30 -07:00
Ramkumar Chinchani
8f809bda29
chore(go.mod): fix dependabot alerts (#1351) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-04-10 14:09:54 -07:00
Ramkumar Chinchani
38997be596
chore(go.mod): fix dependabot alerts (#1343) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-04-07 09:35:12 +03:00
Andrei Aaron
06bd8a8252
chore(go.mod): fix dependabot alerts (#1333) 
upgrade to github.com/aws/aws-sdk-go@v1.44.237
upgrade to github.com/aquasecurity/trivy@v0.38.3
upgrade to oras.land/oras-go@v1.2.3
upgrade to github.com/google/go-containerregistry@v0.14.0
upgrade to github.com/moby/buildkit@v0.11.4

Note we can't switch to trivy 0.39.0 as well as some other updates
because they would also require upgrade of cosign to v2 with
breaking api changes

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
 2023-04-06 01:00:12 -07:00
Ramkumar Chinchani
d9173e3ad3
chore(go.mod): fix dependabot alerts (#1330) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-04-05 09:39:15 +03:00
Ramkumar Chinchani
5ad25126b7
chore: fix dependabot alerts (#1320) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-03-29 13:13:16 -07:00
Ramkumar Chinchani
917159143c
chore: fix dependabot alerts (#1312) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-03-27 12:16:29 -07:00
Ramkumar Chinchani
e54c36db12
chore(go.mod): fix dependabot alerts (#1305) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-03-25 22:43:36 +02:00
Ramkumar Chinchani
906f8ce621
chore(deps): fix dependabot alerts (#1291) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-03-22 12:33:21 -07:00
Ramkumar Chinchani
c2bec0d4a8
chore(go.mod): fix dependabot alerts (#1251) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-03-07 09:59:59 +02:00
Andrei Aaron
73b1126bbf
chore(go.mod): fix dependabot alerts (#1247) 
Supersedes:
- https://github.com/project-zot/zot/pull/1132
- https://github.com/project-zot/zot/pull/1243
- https://github.com/project-zot/zot/pull/1244
- https://github.com/project-zot/zot/pull/1245

Also update the AWS SDK libraries used

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
 2023-03-06 11:05:19 -08:00
Andreea Lupu
646250736e
fix(go.mod): replace opencontainers/umoci dependency with project-stacker/umoci (#1240) 
Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
 2023-03-05 21:11:07 -08:00
Ramkumar Chinchani
5a2fb4108d
chore(go.mod): fix dependabot alerts (#1228) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-02-28 17:38:49 +02:00
Ramkumar Chinchani
f6a540747f
chore(go.mod): fix dependabot alerts (#1222) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-02-23 22:32:20 +02:00
Ramkumar Chinchani
4a56e30cd7
chore(go.mod): fix dependabot alerts (#1218) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-02-23 09:09:28 +02:00
Ramkumar Chinchani
be33f7b252
chore(go.mod): fix dependabot alerts (#1210) 
* chore(go.mod): fix dependabot alerts

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* chore(test): update image tags

We have cleaned up older golang images in the project.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci(gqlgen): fix gql schema validation GH workflow after npm upgrade

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-02-17 13:54:49 -08:00
Ramkumar Chinchani
b9a75b2e44
chore(go.mod): fix dependabot alerts (#1194) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-02-13 12:48:05 -08:00
Andreea Lupu
ee95ab0ffc
fix: call notation-go libs instead of using notation binary (#1104) 
fix: add loading notation path

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
Co-authored-by: Roxana Nemulescu <roxana.nemulescu@gmail.com>
 2023-02-13 10:43:52 -08:00
Ramkumar Chinchani
c154ab02f3
chore(deps): fix dependabot alerts (#1179) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-02-07 08:52:17 +02:00
Ramkumar Chinchani
863d057e43
chore(deps): fix dependabot alerts (#1153) 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-02-01 00:21:14 -08:00
Lisca Ana-Roberta
976ccfcf0d
fix: removed references to old dist-spec (#1128) 
Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
 2023-01-31 09:35:33 -08:00
Ramkumar Chinchani
b3ed92ef1a
chore(deps): fix dependabot alerts (#1143) 
https://github.com/project-zot/zot/pull/1119
https://github.com/project-zot/zot/pull/1142

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-01-26 22:39:18 -08:00
Ramkumar Chinchani
0938e4704c
chore(deps): fix dependabot alerts (#1131) 
Also, remove go mod redirects and update linter config.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-01-25 10:58:39 -08:00
Andrei Aaron
fac1d1d05d
chore(trivy): update trivy version and enforce OCI compliant repo names in local image storage (#1068) 
1. chore(trivy): update trivy library version

The trivy team switched github.com/urfave/cli for viper so
there are some other code changes as well.

Since we don't use github.com/urfave/cli directly in our software
we needed to add a tools.go in order for "go mod tidy" to not delete it.
See this pattern explained in:
- https://github.com/99designs/gqlgen#quick-start
- https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module
- https://github.com/go-modules-by-example/index/blob/master/010_tools/README.md#walk-through

The jobs using "go get -u" have been updated to use "go install", since go get
modifies the go.mod by upgrading some of the packages, but downgrading trivy to an older
version with broken dependencies

2. fix(storage) Update local storage to ignore folder names not compliant with dist spec
Also updated trivy to download the DB and cache results under the rootDir/_trivy folder

3. fix(s3): one of the s3 tests was missing the skipIt call
This caused a failure when running locally without s3 being available

4. make sure the offline scanning is enabled, and zot only downloads the trivy DB
on the regular schedule, and doesn't download the DB on every image scan

ci: increase build and test timeout as tests are reaching the limit more often

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
 2023-01-18 08:24:44 -08:00
Ramkumar Chinchani
eebc750367
chore(deps): fix dependabot alerts (#1115) 
https://github.com/project-zot/zot/pull/1112
https://github.com/project-zot/zot/pull/1113
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-01-17 09:48:58 +02:00
Ramkumar Chinchani
6ab27fcdcd
chore(deps): fix dependabot alerts (#1098) 
https://github.com/project-zot/zot/pull/1094
https://github.com/project-zot/zot/pull/1095
https://github.com/project-zot/zot/pull/1096
https://github.com/project-zot/zot/pull/1097

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2023-01-10 16:17:19 -08:00
Ramkumar Chinchani
08a8b3d44c
chore(deps): fix dependabot alerts (#1090) 
https://github.com/project-zot/zot/pull/1087
https://github.com/project-zot/zot/pull/1088
https://github.com/project-zot/zot/pull/1089
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-12-29 10:05:22 +02:00
Ramkumar Chinchani
271ffb53cc
chore(deps): fix dependabot alerts (#1080) 
https://github.com/project-zot/zot/pull/1079
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-12-20 15:29:21 -08:00
Ramkumar Chinchani
1c9db99b0d
chore(deps): fix dependabot alerts (#1077) 
https://github.com/project-zot/zot/pull/1071
https://github.com/project-zot/zot/pull/1075
https://github.com/project-zot/zot/pull/1076


Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-12-20 11:59:04 -08:00
Ramkumar Chinchani
2571e8e5fc
chore(deps): fix dependabot alerts (#1074) 
https://github.com/project-zot/zot/pull/1069
https://github.com/project-zot/zot/pull/1070
https://github.com/project-zot/zot/pull/1071
https://github.com/project-zot/zot/pull/1072
https://github.com/project-zot/zot/pull/1073


Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-12-19 14:59:31 -08:00
Ramkumar Chinchani
2efa80d1ec
chore(deps): fix dependabot alerts (#1060) 
https://github.com/project-zot/zot/pull/1057
https://github.com/project-zot/zot/pull/1058
https://github.com/project-zot/zot/pull/1059
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-12-12 14:09:34 -08:00
Ramkumar Chinchani
d78f1d962f
chore(deps): fix dependabot alerts (#1048) 
https://github.com/project-zot/zot/pull/1043
https://github.com/project-zot/zot/pull/1044
https://github.com/project-zot/zot/pull/1045
https://github.com/project-zot/zot/pull/1046
https://github.com/project-zot/zot/pull/1047

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-12-06 09:09:03 -08:00
Ramkumar Chinchani
ffa223de43
chore(deps): fix dependabot alerts (#1030) 
https://github.com/project-zot/zot/pull/1024
https://github.com/project-zot/zot/pull/1025
https://github.com/project-zot/zot/pull/1026
https://github.com/project-zot/zot/pull/1027
https://github.com/project-zot/zot/pull/1028

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-11-29 16:41:01 +02:00
Catalin-George Hofnar
31b9481713
feat(cache): dynamodb implementation (#953) 
Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com>
 2022-11-22 10:29:57 -08:00
Ramkumar Chinchani
7790b944e3
chore(deps): fix dependabot alerts (#1000) 
https://github.com/project-zot/zot/pull/996
https://github.com/project-zot/zot/pull/997
https://github.com/project-zot/zot/pull/998
https://github.com/project-zot/zot/pull/999

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-11-14 12:29:28 -08:00
Ramkumar Chinchani
94d073ceab
chore(deps): fix dependabot alerts (#977) 
https://github.com/project-zot/zot/pull/973
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-11-08 12:59:18 -08:00
Ramkumar Chinchani
f9b575e1cf
chore(deps): fix dependabot alerts (#965) 
https://github.com/project-zot/zot/pull/959
https://github.com/project-zot/zot/pull/960
https://github.com/project-zot/zot/pull/961
https://github.com/project-zot/zot/pull/962
https://github.com/project-zot/zot/pull/963
https://github.com/project-zot/zot/pull/964

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-11-08 00:39:06 -08:00
Ramkumar Chinchani
c0f93caacb
feat(artifact): add OCI references support (#936) 
Thanks @jdolitsky et al for kicking off these changes at:
https://github.com/oci-playground/zot/commits/main

Thanks @sudo-bmitch for reviewing the patch

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-11-08 00:38:16 -08:00
Ramkumar Chinchani
8b345f0b27
chore(deps): fix dependabot alerts (#945) 
https://github.com/project-zot/zot/pull/939
https://github.com/project-zot/zot/pull/940
https://github.com/project-zot/zot/pull/941
https://github.com/project-zot/zot/pull/942

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-11-01 11:15:26 -07:00
Ramkumar Chinchani
4edecbb429
chore(deps): fix dependabot alerts (#919) 
https://github.com/project-zot/zot/pull/911
https://github.com/project-zot/zot/pull/912
https://github.com/project-zot/zot/pull/913
https://github.com/project-zot/zot/pull/914
https://github.com/project-zot/zot/pull/915
https://github.com/project-zot/zot/pull/916
https://github.com/project-zot/zot/pull/917

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-10-24 15:18:48 -07:00
Ramkumar Chinchani
7d08985f75
chore(deps): fix dependabot alerts (#885) 
https://github.com/project-zot/zot/pull/879
https://github.com/project-zot/zot/pull/880
https://github.com/project-zot/zot/pull/881
https://github.com/project-zot/zot/pull/882

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-10-18 10:06:14 +03:00
Ramkumar Chinchani
5494208556
chore(deps): fix dependabot alerts (#868) 
https://github.com/project-zot/zot/pull/864
https://github.com/project-zot/zot/pull/865
https://github.com/project-zot/zot/pull/866

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-10-10 12:19:05 -07:00
Ramkumar Chinchani
f235f88426
chore(deps): update dependabot dependency update alerts (#845) 
https://github.com/project-zot/zot/pull/819
https://github.com/project-zot/zot/pull/841
https://github.com/project-zot/zot/pull/842
https://github.com/project-zot/zot/pull/843
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-10-03 14:33:52 -07:00
Ramkumar Chinchani
04da7fb1b7
fix dependabot alerts (#809) 
https://github.com/project-zot/zot/pull/805

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-09-22 11:27:55 +03:00
Ramkumar Chinchani
e5decaa47e fix dependabot alerts 
https://github.com/project-zot/zot/pull/800
https://github.com/project-zot/zot/pull/801
https://github.com/project-zot/zot/pull/805

https://github.com/project-zot/zot/security/dependabot/26
https://github.com/project-zot/zot/security/dependabot/30

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-09-21 16:07:04 -07:00
Ramkumar Chinchani
7804ba7ce0
fix dependabot alerts (#795) 
https://github.com/project-zot/zot/pull/778
https://github.com/project-zot/zot/pull/780
https://github.com/project-zot/zot/pull/781
https://github.com/project-zot/zot/pull/782
https://github.com/project-zot/zot/security/dependabot/27
https://github.com/project-zot/zot/security/dependabot/29

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-09-21 10:04:08 +03:00
Ramkumar Chinchani
d68bbf6743 fix security alerts from artifacthub 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-09-08 09:24:33 +03:00
Ramkumar Chinchani
cda1f4989d fix dependabot alerts 
https://github.com/project-zot/zot/pull/755
https://github.com/project-zot/zot/pull/758
https://github.com/project-zot/zot/pull/759
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-08-29 22:28:17 -07:00
Ramkumar Chinchani
2ff8e8b7d2 fix dependabot alerts 
https://github.com/project-zot/zot/pull/737
https://github.com/project-zot/zot/pull/738
https://github.com/project-zot/zot/pull/739
https://github.com/project-zot/zot/pull/740

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-08-23 09:38:30 -07:00
Ramkumar Chinchani
2929a62998 fix dependabot alerts 
https://github.com/project-zot/zot/pull/725
https://github.com/project-zot/zot/pull/726
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-08-15 11:47:27 -07:00
Ramkumar Chinchani
4b8e288cd3 fix dependabot alerts 
https://github.com/project-zot/zot/pull/712
https://github.com/project-zot/zot/pull/714

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-08-13 00:02:36 -07:00
Ramkumar Chinchani
86401de3b0 fix dependabot alerts 
https://github.com/project-zot/zot/pull/706
https://github.com/project-zot/zot/pull/707

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-08-07 18:09:08 +03:00
Ramkumar Chinchani
ae73290929 fix dependabot alerts 
https://github.com/project-zot/zot/pull/689
https://github.com/project-zot/zot/pull/690
https://github.com/project-zot/zot/pull/691

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-08-04 09:36:19 +03:00
Ramkumar Chinchani
49fb609f28 fix dependabot alerts 
https://github.com/project-zot/zot/pull/682

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-07-29 10:42:37 -07:00
Ramkumar Chinchani
3d72dad507 fix dependabot alerts 
https://github.com/project-zot/zot/pull/674
https://github.com/project-zot/zot/pull/676
https://github.com/project-zot/zot/pull/677
https://github.com/project-zot/zot/pull/678

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-07-27 08:48:51 +03:00
Laurentiu Niculae
7e3d063319 freeform querry api 
Signed-off-by: Laurentiu Niculae <themelopeus@gmail.com>
 2022-07-20 10:03:11 -07:00
Ramkumar Chinchani
317064ffc9 fix dependabot alerts 
https://github.com/project-zot/zot/pull/647
https://github.com/project-zot/zot/pull/648
https://github.com/project-zot/zot/pull/649
https://github.com/project-zot/zot/pull/650
https://github.com/project-zot/zot/pull/651
https://github.com/project-zot/zot/pull/652
https://github.com/project-zot/zot/pull/653
https://github.com/project-zot/zot/pull/656

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-07-18 14:59:27 -07:00
Andrei Aaron
43160dcc43 Update to graphql 1.17.13 
We encountered some problems with using the existing folder structure,
but it looks like running the tooling with the latest versions works after
we regenerated the project using 'gql init' and refactoring to separate
the login previously in resolvers.go.

- the autogenerated code is now under the gql_generated folder
- the file resolvers.go now contains only the code which is not
rewritten by the gqlgen framework
- the file schema.resolvers.go is rewritten when gqlgen runs,
and we'll only keep there the actual resolvers matching query names
Changes we observed to schema.resolvers.go when gqlgen runs include
reordering methods, and renaming function parameters to match the
names used in schema.graphql
- we now have a gqlgen.yaml config file which governs the behavior of
gqlgen (can be tweaked to restructure the folder structure of the
generated code in the future)

Looks like the new graphql server has better validation
1 Returns 422 instead of 200 for missing query string - had to update tests
2 Correctly uncovered an error in a test for a bad `%` in query string.

As as result of 2, a `masked` bug was found in the way we check if images are
signed with Notary, the signatures were reasched for with the media type
of the image manifest itself instead of the media type for notation.
Fixed this bug, and improved error messages.
This bug would have also been reproducible with main branch if the bad `%`
in the test would have fixed.

Updated the linter to ignore some issues with the code which is
always rewritten when running:
`go run github.com/99designs/gqlgen@v0.17.13 generate`

Add a workflow to test gqlgen works and has no uncommitted changes

Signed-off-by: Andrei Aaron <andaaron@cisco.com>
 2022-07-18 12:55:40 -07:00
Ramkumar Chinchani
37b3345199 fix dependabot alerts 
https://github.com/project-zot/zot/pull/629
https://github.com/project-zot/zot/pull/631
https://github.com/project-zot/zot/pull/632

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-07-15 14:22:39 -07:00
Ramkumar Chinchani
4ae1a908a0 fix dependabot alerts CVE-2022-33082/GHSA-2m4x-4q9j-w97g 
https://github.com/project-zot/zot/security/dependabot/24

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-07-07 23:58:51 -07:00
Alex Stan
66484c8ca9 changed go version to 1.18 
Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
 2022-06-09 04:38:06 -07:00
Ramkumar Chinchani
0edee009c0 fix CVE-2022-28946/GHSA-x7f3-62pm-9p38 
https://github.com/project-zot/zot/security/dependabot/17
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-06-06 11:43:36 -07:00
Ramkumar Chinchani
d07de27402 fix CVE-2022-26945/GHSA-x24g-9w7v-vprh 
https://github.com/project-zot/zot/security/dependabot/22

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-06-06 11:43:36 -07:00
laurentiuNiculae
c9b32c73ae added more types of severity 
Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
 2022-06-03 09:44:54 -07:00
Ramkumar Chinchani
dbe23e58f9 fix CVE-2022-28948/GHSA-hp87-p4gw-j4gq 
https://github.com/project-zot/zot/security/dependabot/18

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-25 15:13:45 -07:00
Ramkumar Chinchani
6b841809e3 fix CVE-2022-29173/GHSA-66x3-6cw3-v5gj 
https://github.com/project-zot/zot/security/dependabot/16

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-25 11:34:24 -07:00
Petu Eusebiu
da4acaf178 sync: preserve upstream digests after syncing images 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2022-05-25 10:19:36 -07:00
Ramkumar Chinchani
a5e091e3d2 fix CVE-2022-29162/GHSA-f3fp-gc8g-vw66 
https://github.com/project-zot/zot/security/dependabot/15

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-24 12:53:48 -07:00
Shivam Mishra
36c9631000 ext: use distribution spec route prefix for extension api 
Following the spec defined here https://github.com/opencontainers/distribution-spec/tree/main/extensions

Signed-off-by: Shivam Mishra <shimish2@cisco.com>
 2022-05-22 16:35:16 -07:00
Ramkumar Chinchani
c1bf4456d0 update cosign deps 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-22 09:15:01 -07:00
Ramkumar Chinchani
6d593b468f dependabot alert: fix CVE-2022-29810 
https://github.com/project-zot/zot/security/dependabot/14

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-05-03 14:36:41 -07:00
Ramkumar Chinchani
d19a4bf2a1 build(deps): bump github.com/swaggo/http-swagger from 1.2.5 to 1.2.6 
Fixes https://github.com/project-zot/zot/security/dependabot/12

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-04-26 09:31:11 -07:00
Petu Eusebiu
4e20ab8a5d go.mod: update dependencies 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2022-04-15 10:31:37 -07:00
Petu Eusebiu
f53dc9eb8d sync: Add a new flag to enforce syncing only signed images, closes #455 
sync: When checking if a image is already synced also check for changes in upstream signatures.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2022-03-24 10:50:01 -07:00
Ramkumar Chinchani
251857fb6e move module deps under project-zot repo 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-21 11:03:19 -07:00
Ramkumar Chinchani
10f0e6c307 fix dependabot alert 
https://github.com/project-zot/zot/security/dependabot/10

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-15 16:55:32 -07:00
laurentiuNiculae
63d94d4ac5 Update dist-spec version automatically 
Warning if config has wrong dist-spec version

Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
 2022-03-14 10:24:03 -07:00
Ramkumar Chinchani
95e4b2054b upgrade module deps 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-04 13:10:58 -08:00
Ramkumar Chinchani
3b9699c536 go.mod: cleanup deps so 'go mod tidy' works 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-04 13:10:58 -08:00
Ramkumar Chinchani
cf70a8d71e CVE-2022-23648: update dependencies in go.mod 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-03 09:55:48 -08:00
Ramkumar Chinchani
bf21435d42 remove linger go.sum entries to fix dependabot alert 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-02 13:28:37 -08:00
Ramkumar Chinchani
8db3e1b192 CVE-2022-23649: fix dependabot alert 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-02 12:01:14 -08:00
Ramkumar Chinchani
3ada6af0de tls: set min version to 1.2 and restrict cipher suites 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-03-02 10:03:50 -08:00
Petu Eusebiu
45968e0bb7 sync: fix inconsistent test, used inject error fw for hard to reach test cases 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2022-03-01 09:56:27 -08:00
Ramkumar Chinchani
bb53552048 bump github.com/docker/distribution from 2.7.1+incompatible to 2.8.0+incompatible 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-02-11 19:19:16 -08:00
Ramkumar Chinchani
c0c6b255e1 dependabot-alert: update 'github.com/open-policy-agent/opa' 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-02-11 19:19:16 -08:00
Ramkumar Chinchani
f66d496257 dependabot-alert: update 'github.com/open-policy-agent/opa' 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-02-11 15:49:54 -08:00
Ramkumar Chinchani
1e5ea7e09c controller: support rate-limiting incoming requests 
helps constraining resource usage and against flood attacks.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-01-24 12:48:13 -08:00
Ramkumar Chinchani
f251e7af10 update go.mod 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-01-24 09:15:46 -08:00
Ramkumar Chinchani
9e98b03f55 go.mod: fix GHSA-mvff-h3cj-wj9c 
update containerd version

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2022-01-07 00:07:10 -08:00
Ramkumar Chinchani
cac7fe4854 storage: use sha256-simd from minio 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-12-28 22:25:11 -08:00
Ramkumar Chinchani
f011192615 fix Dependabot alert about GHSA-v95c-p5hm-xq8f 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-12-08 09:02:48 -08:00
Ramkumar Chinchani
e42e42a2cc artifacts: initial support for artifacts/notaryv2 spec 
https://github.com/oras-project/artifacts-spec
https://github.com/notaryproject/notaryproject

Fixes issue #264

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-12-01 18:55:39 -08:00
Petu Eusebiu
fff6107310 Sync prefix can be an exact match or a glob pattern, closes #297 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2021-11-29 13:10:13 -08:00
Ramkumar Chinchani
a176bf7e83 go.mod: fix another dependabot alert 
GHSA-77vh-xpmg-72qh

pull in upstream github.com/opencontainers/image-spec where this is
fixed.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-11-18 14:32:20 -08:00
Ramkumar Chinchani
528e239e78 go.mod: tidy go.mod 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-11-18 13:16:47 -08:00
Ramkumar Chinchani
bdfbebeb5a dependabot: fix dependabot alerts 
Fix GHSA-77vh-xpmg-72qh
Fix GHSA-5j5w-g665-5m35

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-11-18 11:56:50 -08:00
Ramkumar Chinchani
bb537265cc go.mod: upgrade module deps 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-11-17 14:49:22 -08:00
Petu Eusebiu
9c568c0ee2 storage: add s3 backend support (without GC and dedupe) 
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2021-11-15 08:09:00 -08:00
Petu Eusebiu
19003e8a71 Added new extension "sync" 
Periodically poll registries and pull images according to sync's config
Added sync on demand, syncing when clients asks for an image which
zot doesn't have.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
 2021-10-21 10:32:46 -07:00
Shivam Mishra
d930adbd49 search: update trivy 
trivy updated to v0.20.0
trivy-db updated to bec0c6a
fanal updated to f7efd1b
 2021-10-13 16:37:31 -07:00
Ramkumar Chinchani
d69ee3f562 go.mod: update go.mod to fix dependabot alert 
https://github.com/advisories/GHSA-c2h3-6mxw-7mvq

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-10-04 14:03:37 -07:00
Shivam Mishra
63fef3e48c search: added graphql api to return repository list with latest tag 2021-09-27 14:36:20 -07:00
Ramkumar Chinchani
0b302d9614 go.mod: update deps to address dependabot alerts 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-09-23 13:59:26 -07:00
Ramkumar Chinchani
6f0a73b2a6 go.mod: update umoci dep 
There is a performance regression in umoci [1] which is fixed in [2].

References:
[1] https://github.com/opencontainers/umoci/issues/373
[2] https://github.com/opencontainers/umoci/pull/375

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
 2021-09-23 10:07:33 -07:00
Petu Eusebiu
609d85d875 Add identity-based access control, closes #51 
Add a cli subcommand to verify config files validity
 2021-08-30 13:56:27 -07:00
Ramkumar Chinchani
26926ad4c2 go.mod: update modules 2021-08-25 11:51:23 -07:00
Shivam Mishra
53b5fa6493 dedupe: stat blob path before creating link 2021-08-09 09:40:35 -07:00
Petu Eusebiu
1c1e7358f7 Migrate builds from travis to github actions 2021-06-29 13:58:39 -07:00
Shivam Mishra
28974e81dc config: support multiple storage locations 
added support to point multiple storage locations in zot by running multiple instance of zot in background.

see examples/config-multiple.json for more info about config.

Closes #181
 2021-05-21 10:18:28 -07:00
Shivam Mishra
2cf2c16137 Added graphql api feature for image vulnerability scanning 2020-08-18 22:44:34 -07:00
Shivam Mishra
e537f27f00 Added search extension and integrated trivy to support image vulnerability scanning 2020-08-18 21:03:48 -07:00
Ramkumar Chinchani
324a517ea3 gc: add a policy to skip garbage collecting new blobs 
We perform inline garbage collection of orphan blobs. However, the
dist-spec poses a problem because blobs begin their life as orphan blobs
and then a manifest is add which refers to these blobs.

We use umoci's GC() to perform garbage collection and policy support
has been added recently which can control whether a blob can be skipped
for GC.

In this patch, we use a time-based policy to skip blobs.
 2020-07-06 15:52:35 -07:00
Tanmay Naik
ad684ac44b cli: add config and images command 
Extends the existing zot CLI to add commands for listing all images and
their details on a zot server.
Listing all images introduces the need for configurations.

Each configuration has a name and URL at the least. Check 'zot config
-h' for more details.

The user can specify the URL of zot server explicitly while running the
command or configure a URL and pass it directly.

Adding a configuration:
zot config add aci-zot <zot-url>

Run 'zot config --help' for more.

Listing all images:
zot images --url <zot-url>

Pass a config instead of the url:
zot images <config-name>

Filter the list of images by image name:
zot images <config-name> --name <image-name>

Run 'zot images --help' for all details

- Stores configurations in '$HOME/.zot' file

Add CLI README
 2020-07-02 14:30:35 -04:00
Shivam Mishra
85d3e1db4b Changed umoci import path 2020-06-25 17:04:32 -07:00
Ramkumar Chinchani
25f5a45296 dedupe: use hard links to dedupe blobs 
As the number of repos and layers increases, the greater the probability
that layers are duplicated. We dedupe using hard links when content is
the same. This is intended to be purely a storage layer optimization.
Access control when available is orthogonal this optimization.

Add a durable cache to help speed up layer lookups.

Update README.

Add more unit tests.
 2020-04-03 09:29:12 -07:00
Ramkumar Chinchani
fe471a3c35 gc: fix test cases since umoci GC is more strict 
umoci GC enforces a valid index.json and current tests were a little
lax.
 2020-03-20 10:58:21 -07:00
Tycho Andersen
95d4a7ce04 zot: run GC after manifest removal 
Clients today expect the repo to clean up if there are unused blobs, not to
manually delete things they think are unused. Let's do that, and use
umoci's code to do it since it's tested and works.

v2: also run GC on update as well as delete

v3: fix up error return paths needing two args

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
 2020-03-20 10:58:21 -07:00
Peter Engelbert
b636ce2da1 Fix auth scope on endpoints without repo name 
Resolves #71

Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
 2020-01-31 18:04:38 -06:00
Peter Engelbert
268b4088fd Add support for bearer/token auth 
New options added to configuration file to reference a public key used
to validate authorization tokens signed by an auth server with
corresponding private key.

Resolves #24

Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
 2020-01-27 12:42:23 -06:00
Ramkumar Chinchani
5f71b764fc go.mod: update json-iterator 
older versions of json-iterator appear to have an issue with maps.

We are most certainly hitting this panic with maps.
https://github.com/anuvu/zot/blob/master/pkg/api/routes.go#L898

On the json-iterator/go side,
   json-iterator/go@acfec88
   json-iterator/go#388
 2020-01-07 14:04:01 -08:00
Josh Dolitsky
271b916a26 feat(compliance): Add JSON output option 
This adds a new --json flag to the compliance subcommand, which
will output the compliance test results as minified JSON to stdout.

Also a few other small additions:
- Exit 1 if compliance tests fail
- Use random port for test server using freeport library (added)

Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
 2019-12-13 14:57:51 -06:00
Ramkumar Chinchani
7779188a9c ldap: pull in external library code so go modules are in control 
1) github.com/jtblin/go-ldap-client is an abandoned project and not keeping
up with go modules, so pull that code in (single file, BSD license)

2) minor refactor ldap as a result of 1)

3) update go.mod
 2019-12-11 14:17:06 -08:00
Ramkumar Chinchani
9ae9e40b67 log: improve logging 
- add a panic recovery handler
        - add logs on unexpected error paths
        - use logger's panic method
 2019-11-26 14:18:20 -08:00
Tycho Andersen
5df6b36a78 update deps 
I just did a fresh 'make' of zot, and it generated these changes to go.mod
and go.sum; let's include them.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
 2019-10-15 15:38:40 -06:00
Ramkumar Chinchani
6295e0c91e auth: add LDAP support 
fixes #23
 2019-09-20 11:54:49 -07:00
Ramkumar Chinchani
322190de1e coverage: add unit test cases 2019-09-18 13:29:16 -07:00
Ramkumar Chinchani
10199457b4 auth: allow for world-readable deployment mode 2019-08-28 15:39:49 -07:00
Ramkumar Chinchani
066bf1b9eb router: move to gorilla/mux to support multiple name path components 2019-07-10 18:22:20 -07:00