Cosign 1.*.* branch

[GarrykZ]

IDs

CVE-2022-36056, CVE-2022-35929, CVE-2022-23649

Description

These CVEs is valid for cosign version 1, but also appearing if using cosign v2.
I'm using cosign 2.2.4 in alpine 3.18, installed by apk-file from vendor.
There is some proofs:

~ $ apk list |grep installed
alpine-baselayout-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-baselayout-data-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.14.4-r0 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.36.1-r7 x86_64 {busybox} (GPL-2.0-only) [installed]
busybox-binsh-1.36.1-r7 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-bundle-20240226-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
cosign-2.2.4 x86_64 {cosign} (Apache License 2.0) [installed]

~ $ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.2.4
GitCommit:     fb651b4ddd8176bd81756fca2d988dd8611f514d
GitTreeState:  clean
BuildDate:     2024-04-10T21:57:27Z
GoVersion:     go1.21.8
Compiler:      gc
Platform:      linux/amd64

Reproduction Steps

1. Install cosign 2.2.4 from apk-file for alpine x86-64
2. Checks version by commands: "cosign version" & "apk list"
3. Sadly saw these CVEs in trivy for harbor.

Target

Container Image

Scanner

Vulnerability

Target OS

Alpine 3.18.7 x86-64

Debug Output

Can't do it with trivy-server

Version

v0.49.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct