chore(deps): Migrate to github.com/go-jose/go-jose/v3

Stop using archived gopkg.in/square/go-jose.v2 pkg Switch to github.com/go-jose/go-jose/v3 instead Fixes CVE-2024-28180 (cherry picked from commit c19b6e6) Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
tektoncd · Apr 8, 2024 · 0ca072b · 0ca072b
1 parent b29a5b9
commit 0ca072b
Show file tree

Hide file tree

Showing 31 changed files with 421 additions and 964 deletions.
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/tektoncd/pipeline
 
-go 1.19
+go 1.21
 
 require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
@@ -27,7 +27,6 @@ require (
 	golang.org/x/exp v0.0.0-20230307190834-24139beb5833
 	golang.org/x/oauth2 v0.9.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0
-	gopkg.in/square/go-jose.v2 v2.6.0
 	k8s.io/api v0.27.1
 	k8s.io/apimachinery v0.27.1
 	k8s.io/client-go v0.27.1
@@ -50,6 +49,7 @@ require github.com/benbjohnson/clock v1.1.0 // indirect
 
 require (
 	code.gitea.io/sdk/gitea v0.15.1
+	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/goccy/kpoward v0.1.0
 	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20230625233257-b8504803389b
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.1
@@ -93,7 +93,6 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
 	github.com/fatih/color v1.13.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230516205744-dbecb1de8cfa // indirect
@@ -126,6 +125,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.16.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 )
 
 require (

diff --git a/go.sum b/go.sum
diff --git a/pkg/spire/test/ca.go b/pkg/spire/test/ca.go
@@ -29,6 +29,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/cryptosigner"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/go-spiffe/v2/bundle/jwtbundle"
 	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
 	"github.com/spiffe/go-spiffe/v2/bundle/x509bundle"
@@ -37,9 +40,6 @@ import (
 	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
 	"github.com/stretchr/testify/require"
 	"github.com/tektoncd/pipeline/pkg/spire/test/x509util"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/cryptosigner"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var (

diff --git a/vendor/github.com/go-jose/go-jose/v3/BUG-BOUNTY.md b/vendor/github.com/go-jose/go-jose/v3/BUG-BOUNTY.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/README.md b/vendor/github.com/go-jose/go-jose/v3/README.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/SECURITY.md b/vendor/github.com/go-jose/go-jose/v3/SECURITY.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/asymmetric.go b/vendor/github.com/go-jose/go-jose/v3/asymmetric.go