vexctl> git describe
v0.4.1-96-g558125d
vexctl> govulncheck .
=== Symbol Results ===
Vulnerability #1: GO-2026-4559
Sending certain HTTP/2 frames can cause a server to panic in
golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2026-4559
Module: golang.org/x/net
Found in: golang.org/x/net@v0.50.0
Fixed in: golang.org/x/net@v0.51.0
(...)
Vulnerability #2: GO-2026-4529
Cosign considered signatures valid with expired intermediate certificates
when transparency log verification is skipped in github.com/sigstore/cosign
More info: https://pkg.go.dev/vuln/GO-2026-4529
Module: github.com/sigstore/cosign/v2
Found in: github.com/sigstore/cosign/v2@v2.6.2
Fixed in: N/A
Example traces found:
#1: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls all.init
#2: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which calls attestation.init
#3: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls auth.init
#4: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls blob.LoadFileOrURL
#5: internal/cmd/main.go:68:27: cmd.Execute calls cobra.Command.Execute, which eventually calls blob.UnrecognizedSchemeError.Error
#6: pkg/ctl/implementation.go:27:2: ctl.init calls cosign.init, which calls blob.init
#7: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which eventually calls buildkite.init
#8: pkg/ctl/implementation.go:256:25: ctl.attachAttestation calls bundle.EntryToBundle
#9: pkg/ctl/implementation.go:28:2: ctl.init calls bundle.init
#10: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls client.init
#11: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls cosign.FetchAttestations
#12: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference
#13: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls cosign.GeneratePrivateKey
#14: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls cosign.LoadPrivateKey
#15: pkg/attestation/attestation.go:191:45: attestation.appendSignatureDataToTLog calls cosign.TLogUploadDSSEEnvelope
#16: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls cosign.TrustedCert
#17: internal/cmd/main.go:68:27: cmd.Execute calls cobra.Command.Execute, which eventually calls cosign.VerificationFailure.Error
#18: internal/cmd/main.go:68:27: cmd.Execute calls cobra.Command.Execute, which eventually calls cosign.VerificationFailure.Unwrap
#19: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which calls cosign.init
#20: pkg/ctl/implementation.go:27:2: ctl.init calls cosign.init
#21: pkg/ctl/implementation.go:27:2: ctl.init calls cosign.init, which calls ctutil.init
#22: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls empty.Signatures
#23: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls empty.emptyImage.Get
#24: pkg/ctl/implementation.go:29:2: ctl.init calls mutate.init, which calls empty.init
#25: pkg/ctl/implementation.go:312:39: ctl.defaultVexCtlImplementation.ReadImageAttestations calls options.RegistryOptions.ClientOpts, which eventually calls env.Getenv
#26: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls env.LookupEnv
#27: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls env.Variable.String
#28: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which calls env.init
#29: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which eventually calls envvar.init
#30: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which eventually calls filesystem.init
#31: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls fulcio.init
#32: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls fulcio.init
#33: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which eventually calls fulcioroots.init
#34: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls fulcioverifier.init
#35: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls git.GetProvider
#36: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls git.init
#37: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls github.Gh.GetSecret
#38: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls github.New
#39: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls github.init
#40: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which eventually calls github.init
#41: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls gitlab.Gl.GetSecret
#42: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls gitlab.New
#43: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls gitlab.init
#44: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which eventually calls google.init
#45: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls key.init
#46: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls kubernetes.GetKeyPairSecret
#47: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls kubernetes.init
#48: pkg/ctl/implementation.go:27:2: ctl.init calls cosign.init, which calls layout.init
#49: pkg/ctl/implementation.go:275:48: ctl.attachAttestation calls mutate.AttachAttestationToEntity
#50: pkg/ctl/implementation.go:29:2: ctl.init calls mutate.init
#51: pkg/ctl/implementation.go:281:39: ctl.attachAttestation calls remote.WriteAttestations, which calls mutate.signedImage.Attestations
#52: pkg/ctl/implementation.go:281:39: ctl.attachAttestation calls remote.WriteAttestations, which calls mutate.signedImageIndex.Attestations
#53: pkg/ctl/implementation.go:281:39: ctl.attachAttestation calls remote.WriteAttestations, which calls mutate.signedUnknown.Attestations
#54: pkg/ctl/implementation.go:281:39: ctl.attachAttestation calls remote.WriteAttestations, which calls mutate.signedUnknown.Digest
#55: pkg/ctl/implementation.go:281:39: ctl.attachAttestation calls remote.WriteAttestations, which eventually calls now.Now
#56: pkg/ctl/implementation.go:29:2: ctl.init calls mutate.init, which calls now.init
#57: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls oci.DockerMediaTypes
#58: internal/cmd/main.go:68:27: cmd.Execute calls cobra.Command.Execute, which eventually calls oci.MaxLayersExceeded.Error
#59: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls oci.NewMaxLayersExceeded
#60: pkg/ctl/implementation.go:27:2: ctl.init calls cosign.init, which calls oci.init
#61: pkg/ctl/implementation.go:312:39: ctl.defaultVexCtlImplementation.ReadImageAttestations calls options.RegistryOptions.ClientOpts
#62: pkg/attestation/attestation.go:184:36: attestation.appendSignatureDataToTLog calls rekor.NewClient, which calls options.UserAgent
#63: pkg/ctl/implementation.go:26:2: ctl.init calls options.init
#64: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls payload.init
#65: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls pivkey.GetKeyWithSlot
#66: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls pivkey.Key.Certificate
#67: pkg/attestation/attestation.go:149:2: attestation.signAttestation calls sign.SignerVerifier.Close, which calls pivkey.Key.Close
#68: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls pivkey.Key.SignerVerifier
#69: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls pivkey.init
#70: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls pkcs11key.GetKeyWithURIConfig
#71: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls pkcs11key.Key.Certificate
#72: pkg/attestation/attestation.go:149:2: attestation.signAttestation calls sign.SignerVerifier.Close, which calls pkcs11key.Key.Close
#73: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls pkcs11key.Key.SignerVerifier
#74: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls pkcs11key.NewPkcs11UriConfig
#75: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls pkcs11key.Pkcs11UriConfig.Parse
#76: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls pkcs11key.init
#77: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls privacy.init
#78: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which eventually calls providers.Register
#79: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which eventually calls providers.init
#80: pkg/attestation/attestation.go:184:36: attestation.appendSignatureDataToTLog calls rekor.NewClient
#81: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls rekor.init
#82: pkg/attestation/attestation.go:21:2: attestation.init calls rekor.init
#83: internal/cmd/main.go:68:27: cmd.Execute calls cobra.Command.Execute, which eventually calls remote.EntityNotFoundError.Error
#84: pkg/ctl/implementation.go:312:39: ctl.defaultVexCtlImplementation.ReadImageAttestations calls options.RegistryOptions.ClientOpts, which calls remote.GetEnvTargetRepository
#85: pkg/ctl/implementation.go:241:40: ctl.attachAttestation calls remote.ResolveDigest
#86: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which calls remote.SignedEntity
#87: pkg/ctl/implementation.go:312:39: ctl.defaultVexCtlImplementation.ReadImageAttestations calls options.RegistryOptions.ClientOpts, which calls remote.WithPrefix
#88: pkg/ctl/implementation.go:312:39: ctl.defaultVexCtlImplementation.ReadImageAttestations calls options.RegistryOptions.ClientOpts, which calls remote.WithRemoteOptions
#89: pkg/ctl/implementation.go:312:39: ctl.defaultVexCtlImplementation.ReadImageAttestations calls options.RegistryOptions.ClientOpts, which calls remote.WithTargetRepository
#90: pkg/ctl/implementation.go:281:39: ctl.attachAttestation calls remote.WriteAttestations
#91: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls remote.image.Attestations
#92: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls remote.index.Attestations
#93: pkg/ctl/implementation.go:27:2: ctl.init calls cosign.init, which calls remote.init
#94: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which calls remote.init
#95: pkg/ctl/implementation.go:30:2: ctl.init calls remote.init
#96: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls remote.sigs.ConfigLayer
#97: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls remote.sigs.Get
#98: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts
#99: pkg/attestation/attestation.go:149:2: attestation.signAttestation calls sign.SignerVerifier.Close
#100: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init
#101: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls signature.New
#102: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls signature.SignerVerifierFromKeyRef
#103: pkg/ctl/implementation.go:30:2: ctl.init calls remote.init, which calls signature.init
#104: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which calls signature.init
#105: pkg/ctl/implementation.go:281:39: ctl.attachAttestation calls remote.WriteAttestations, which eventually calls signature.sigLayer.Annotations
#106: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls signature.sigLayer.Payload
#107: pkg/ctl/implementation.go:29:2: ctl.init calls mutate.init, which calls signed.init
#108: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls size.CheckSize
#109: internal/cmd/main.go:68:27: cmd.Execute calls cobra.Command.Execute, which eventually calls size.MaxLayerSizeExceeded.Error
#110: pkg/ctl/implementation.go:30:2: ctl.init calls remote.init, which calls size.init
#111: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which eventually calls spiffe.init
#112: pkg/ctl/implementation.go:265:35: ctl.attachAttestation calls static.NewAttestation
#113: pkg/ctl/implementation.go:261:44: ctl.attachAttestation calls static.WithAnnotations
#114: pkg/ctl/implementation.go:255:40: ctl.attachAttestation calls static.WithBundle
#115: pkg/ctl/implementation.go:251:42: ctl.attachAttestation calls static.WithCertChain
#116: pkg/ctl/implementation.go:248:51: ctl.attachAttestation calls static.WithLayerMediaType
#117: pkg/ctl/implementation.go:31:2: ctl.init calls static.init
#118: pkg/ctl/implementation.go:281:39: ctl.attachAttestation calls remote.WriteAttestations, which eventually calls static.staticLayer.Annotations
#119: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls static.staticLayer.Compressed
#120: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls static.staticLayer.DiffID
#121: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls static.staticLayer.Digest
#122: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls static.staticLayer.MediaType
#123: pkg/ctl/implementation.go:316:55: ctl.defaultVexCtlImplementation.ReadImageAttestations calls cosign.FetchAttestationsForReference, which eventually calls static.staticLayer.Payload
#124: pkg/ctl/implementation.go:26:2: ctl.init calls options.init, which eventually calls static.staticLayer.Size
#125: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls tsa.init
#126: pkg/ctl/implementation.go:32:2: ctl.init calls types.init
#127: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which calls ui.Infof
#128: pkg/attestation/attestation.go:145:38: attestation.signAttestation calls sign.SignerFromKeyOpts, which eventually calls ui.Warnf
#129: pkg/ctl/implementation.go:27:2: ctl.init calls cosign.init, which calls ui.init
#130: pkg/attestation/attestation.go:22:2: attestation.init calls sign.init, which calls walk.init
Your code is affected by 2 vulnerabilities from 2 modules.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
vexctl (as of 558125d) dependency github.com/sigstore/cosign/v2 has vulnerability GO-2026-4529, which is fixed only in v3, i.e. v3.0.5.