Bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 #4793
Open
dependabot wants to merge 5 commits into main from dependabot/go_modules/github.com/sigstore/timestamp-authority/v2-2.0.6
+112 −121
Commits (5)
9dc93c3  Bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6  (dependabot[bot])
46395e9  Remove stale GO-2025-4192 govulncheck suppression  (jhrozek)
7a59cfb  Merge conflict resolution: add go.starlark.net dependency from main  (github-actions[bot])
25faa7f  Merge remote-tracking branch 'origin/main' into dependabot/go_modules…  (Copilot)
784c25f  Merge branch 'main' into dependabot/go_modules/github.com/sigstore/ti…  (ChrisJBurns)
🟡 The govulncheck suppression for GO-2025-4192 in .github/workflows/security-scan.yml has a stale justification comment claiming 'Fix requires sigstore-go to upgrade to timestamp-authority/v2 which hasn't been released yet,' but this PR upgrades timestamp-authority/v2 to v2.0.6, making the comment factually incorrect. The suppression entry (and ideally the comment) should be removed or updated to reflect the current state, and govulncheck should be run to verify whether the vulnerability is still triggered post-upgrade.

Extended reasoning

What the bug is: The file .github/workflows/security-scan.yml line 81 contains IGNORED_VULNS="GO-2025-4192 GO-2026-4514 GO-2026-4883 GO-2026-4887", suppressing the govulncheck report for GO-2025-4192 (CVE-2025-66564: excessive memory allocation in sigstore/timestamp-authority). Lines 60-65 of the same file contain a justification comment explaining the suppression: 'Fix requires sigstore-go to upgrade to timestamp-authority/v2 which hasn't been released yet.' This comment is now demonstrably stale.

The specific code path: This PR bumps github.com/sigstore/timestamp-authority/v2 from v2.0.3 to v2.0.6 in go.mod (line 247). The go.mod and go.sum diffs confirm that the old v1 module dependency has been fully removed (e.g., github.com/oklog/ulid v1.3.1 and go.mongodb.org/mongo-driver v1.17.6 are gone, replaced by github.com/oklog/ulid/v2 v2.1.1), and go.sum now only contains github.com/sigstore/timestamp-authority/v2 v2.0.6. The transition to v2 that the suppression comment was waiting for has clearly already happened.

Why existing code doesn't prevent it: The IGNORED_VULNS list in security-scan.yml is a manual allowlist. There is no automated mechanism to detect when a suppression becomes stale; developers must track these manually. Dependabot-generated PRs like this one do not touch the security-scan.yml workflow, so the stale suppression was naturally left behind.

Concrete proof: (1) The suppression comment says 'hasn't been released yet,' but the project was already on timestamp-authority/v2 v2.0.3 before this PR. (2) This PR upgrades it further to v2.0.6. (3) The vulnerability GO-2025-4192 is in timestamp-authority v1 (excessive memory allocation in server-side request parsing). Since the project is now fully on v2, the original rationale is resolved. (4) The 'hasn't been released yet' claim was already inaccurate at commit a388093 when the suppression was added, and is even more clearly wrong after this PR.

Impact: The stale comment ('which hasn't been released yet') actively misleads developers into believing the upstream fix is still pending. Additionally, if GO-2025-4192 is truly fixed by the v2 upgrade, keeping the suppression means govulncheck will not alert if this vulnerability is somehow re-introduced. The practical security risk is mitigated by the fact that ToolHive only uses timestamp-authority as a client (via sigstore-go) and does not expose the vulnerable server endpoints, so the suppression may still be technically valid even if the comment is wrong.

How to fix: Remove GO-2025-4192 from the IGNORED_VULNS list in .github/workflows/security-scan.yml line 81, and delete the associated justification comment at lines 60-65. Run govulncheck locally after the upgrade to confirm whether GO-2025-4192 is still triggered. If it is still flagged (due to a reachable code path), add a fresh, accurate comment explaining the current rationale for the suppression.
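The comment above notes that nothing automatically detects when an entry in IGNORED_VULNS stops being reported by govulncheck. The script below is an added example of such a check, not code from this PR or from the ToolHive project. It assumes govulncheck's text output names each finding as "Vulnerability #N: GO-YYYY-NNNN", that the allowlist is a space-separated IGNORED_VULNS string as quoted in the comment, and it uses a constructed sample report in which GO-0000-0000 is a placeholder advisory ID; the helper names (reported_ids, stale_suppressions, still_needed, unsuppressed_findings) are this example's own.

```shell
#!/bin/sh
# Added example: triage a govulncheck allowlist against a govulncheck report.
# Not code from the PR or the ToolHive project. Assumes govulncheck's text
# output names each finding as "Vulnerability #N: GO-YYYY-NNNN" and that the
# allowlist is a space-separated IGNORED_VULNS string as in the workflow.

# Constructed sample report; GO-0000-0000 is a placeholder ID, not a real advisory.
SAMPLE_REPORT='Vulnerability #1: GO-2026-4514
    (constructed finding, still reported after the upgrade)
  More info: https://pkg.go.dev/vuln/GO-2026-4514
Vulnerability #2: GO-0000-0000
    (constructed placeholder finding that nobody has suppressed)'

# Allowlist to triage: GO-2025-4192 is the entry the review comment calls stale.
IGNORED_VULNS="GO-2025-4192 GO-2026-4514"

# Distinct advisory IDs a report actually flags, one per line, sorted.
reported_ids() {
  printf '%s\n' "$1" | grep -o 'GO-[0-9][0-9][0-9][0-9]-[0-9][0-9]*' | sort -u
}

# Allowlisted IDs that govulncheck no longer reports: candidates for removal
# (or for a refreshed justification if the project wants to keep them).
stale_suppressions() {            # $1 = IGNORED_VULNS, $2 = report text
  for id in $1; do
    reported_ids "$2" | grep -qx "$id" || echo "$id"
  done
  return 0
}

# Allowlisted IDs still reported: the suppression and its comment must stay accurate.
still_needed() {                  # $1 = IGNORED_VULNS, $2 = report text
  for id in $1; do
    reported_ids "$2" | grep -qx "$id" && echo "$id"
  done
  return 0
}

# Reported IDs absent from the allowlist: findings that should fail the scan.
unsuppressed_findings() {         # $1 = IGNORED_VULNS, $2 = report text
  for id in $(reported_ids "$2"); do
    case " $1 " in
      *" $id "*) ;;
      *) echo "$id" ;;
    esac
  done
  return 0
}

echo "stale suppressions:";    stale_suppressions "$IGNORED_VULNS" "$SAMPLE_REPORT"
echo "still needed:";          still_needed "$IGNORED_VULNS" "$SAMPLE_REPORT"
echo "unsuppressed findings:"; unsuppressed_findings "$IGNORED_VULNS" "$SAMPLE_REPORT"
```

In a workflow, the report text would come from the real govulncheck run (for example `govulncheck ./... > report.txt || true`, since govulncheck exits non-zero on findings) and IGNORED_VULNS from the same variable the scan step uses; a non-empty "stale suppressions" list is the signal that an allowlist entry and its justification need another look, while "unsuppressed findings" is what the scan should still fail on.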