Skip to content

Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6)#4801

Merged
Hayden-IO merged 3 commits into
mainfrom
vulnfix
Apr 6, 2026
Merged

Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6)#4801
Hayden-IO merged 3 commits into
mainfrom
vulnfix

Conversation

@Hayden-IO

@Hayden-IO Hayden-IO commented Apr 6, 2026

Copy link
Copy Markdown
Contributor

AttestationToPayloadJSON parses the attestation and checks that the predicate type matches the expected type provided by the user. Previously, when this function was called for old-format bundles and detached signatures, any error returned was silently ignored, so malformed attestations would be accepted and cosign would report a successful verification. For new-format bundles, this check was never performed at all, so the attestaion would be accepted even if it did not match the type given by the user. This change ensures that errors are handled correctly and that the check is performed for both paths.

Summary

Release Note

Documentation

@cmurphy
Merge commit from fork
f822812 
AttestationToPayloadJSON parses the attestation and checks that the
predicate type matches the expected type provided by the user.
Previously, when this function was called for old-format bundles and
detached signatures, any error returned was silently ignored, so
malformed attestations would be accepted and cosign would report a
successful verification. For new-format bundles, this check was never
performed at all, so the attestaion would be accepted even if it did not
match the type given by the user. This change ensures that errors are
handled correctly and that the check is performed for both paths.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
@Hayden-IO Hayden-IO requested a review from a team as a code owner April 6, 2026 20:16
@Hayden-IO Hayden-IO requested a review from cmurphy April 6, 2026 20:16
@Hayden-IO
Remove unparam linting for test func
500a116 
Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
cmurphy
cmurphy previously approved these changes Apr 6, 2026
View reviewed changes
@cmurphy
Fix e2e tests for new DSSE predicate check
714c6a0 
cosign now enforces using the --type field to specify the predicate for
verification with the new bundle format. The CLI uses "custom" by
default, so it will always be set. In the e2e tests, it wasn't being set
and the tests were using a made-up predicate name, so we add that
parameter to make the tests conform.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
@Hayden-IO Hayden-IO requested a review from cmurphy April 6, 2026 21:29
@Hayden-IO Hayden-IO merged commit f1ad3ee into main Apr 6, 2026
29 checks passed
@Hayden-IO Hayden-IO deleted the vulnfix branch April 6, 2026 21:40
@crazy-max crazy-max mentioned this pull request Apr 7, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cmurphy cmurphy cmurphy approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Hayden-IO @cmurphy