Improper blob verification in github.com/sigstore/cosign
{
"url": "https://pkg.go.dev/vuln/GO-2022-0998",
"review_status": "REVIEWED"
}{
"imports": [
{
"path": "github.com/sigstore/cosign/cmd/cosign/cli/verify",
"symbols": [
"VerifyAttestationCommand.Exec",
"VerifyBlobCmd",
"VerifyCommand.Exec",
"signatures",
"verifyRekorBundle",
"verifyRekorEntry",
"verifySigByUUID"
]
},
{
"path": "github.com/sigstore/cosign/pkg/cosign",
"symbols": [
"TLogUpload",
"TLogUploadInTotoAttestation",
"VerifyBundle",
"VerifyImageAttestations",
"VerifyImageSignature",
"VerifyImageSignatures",
"VerifyLocalImageAttestations",
"VerifyLocalImageSignatures",
"VerifySET",
"VerifyTLogEntry"
]
}
]
}