chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#224)

dependabot[bot] · afsmeira · web-flow · commit 4bd5c84507a3 · 2026-01-23T13:53:45.000Z
* chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.4.3 to 1.5.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](sigstore/rekor@v1.4.3...v1.5.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-version: 1.5.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * test: Add new expected vulnerabilities to test results --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: André Meira <andre.meira@codacy.com>
diff --git a/docs/multiple-tests/all-patterns/results.xml b/docs/multiple-tests/all-patterns/results.xml
@@ -24,7 +24,7 @@
         <error
             source="vulnerability_medium"
             line="1"
-            message="Insecure dependency maven/org.apache.logging.log4j/log4j-core@2.17.0 (CVE-2025-68161: Apache Log4j: Apache Log4j Core: Missing TLS hostname verification in Socket appender) (update to 2.25.3)"
+            message="Insecure dependency maven/org.apache.logging.log4j/log4j-core@2.17.0 (CVE-2025-68161: Apache Log4j: Apache Log4j Core: Information disclosure via missing TLS hostname verification) (update to 2.25.3)"
             severity="warning"
         />
         <error
diff --git a/docs/multiple-tests/pattern-vulnerability-medium/results.xml b/docs/multiple-tests/pattern-vulnerability-medium/results.xml
@@ -194,7 +194,7 @@
         <error
             source="vulnerability_medium"
             line="1"
-            message="Insecure dependency maven/org.apache.logging.log4j/log4j-core@2.17.0 (CVE-2025-68161: Apache Log4j: Apache Log4j Core: Missing TLS hostname verification in Socket appender) (update to 2.25.3)"
+            message="Insecure dependency maven/org.apache.logging.log4j/log4j-core@2.17.0 (CVE-2025-68161: Apache Log4j: Apache Log4j Core: Information disclosure via missing TLS hostname verification) (update to 2.25.3)"
             severity="warning"
         />
         <error
@@ -215,7 +215,7 @@
         <error
             source="vulnerability_medium"
             line="14"
-            message="Insecure dependency maven/org.apache.logging.log4j/log4j-core@2.17.0 (CVE-2025-68161: Apache Log4j: Apache Log4j Core: Missing TLS hostname verification in Socket appender) (update to 2.25.3)"
+            message="Insecure dependency maven/org.apache.logging.log4j/log4j-core@2.17.0 (CVE-2025-68161: Apache Log4j: Apache Log4j Core: Information disclosure via missing TLS hostname verification) (update to 2.25.3)"
             severity="warning"
         />
     </file>
diff --git a/go.mod b/go.mod
@@ -20,11 +20,11 @@ require (
 	al.essio.dev/pkg/shellescape v1.6.0 // indirect
 	cel.dev/expr v0.24.0 // indirect
 	cloud.google.com/go v0.121.6 // indirect
-	cloud.google.com/go/auth v0.17.0 // indirect
+	cloud.google.com/go/auth v0.18.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.3 // indirect
-	cloud.google.com/go/monitoring v1.24.2 // indirect
+	cloud.google.com/go/monitoring v1.24.3 // indirect
 	cloud.google.com/go/storage v1.57.1 // indirect
 	cyphar.com/go-pathrs v0.2.1 // indirect
 	dario.cat/mergo v1.0.2 // indirect
@@ -146,7 +146,7 @@ require (
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-chi/chi/v5 v5.2.3 // indirect
+	github.com/go-chi/chi/v5 v5.2.4 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
@@ -157,12 +157,12 @@ require (
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.24.1 // indirect
-	github.com/go-openapi/errors v0.22.4 // indirect
-	github.com/go-openapi/jsonpointer v0.22.1 // indirect
-	github.com/go-openapi/jsonreference v0.21.3 // indirect
+	github.com/go-openapi/errors v0.22.6 // indirect
+	github.com/go-openapi/jsonpointer v0.22.4 // indirect
+	github.com/go-openapi/jsonreference v0.21.4 // indirect
 	github.com/go-openapi/loads v0.23.2 // indirect
 	github.com/go-openapi/runtime v0.29.2 // indirect
-	github.com/go-openapi/spec v0.22.1 // indirect
+	github.com/go-openapi/spec v0.22.3 // indirect
 	github.com/go-openapi/strfmt v0.25.0 // indirect
 	github.com/go-openapi/swag v0.25.4 // indirect
 	github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
@@ -195,8 +195,8 @@ require (
 	github.com/google/licenseclassifier/v2 v2.0.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
-	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.9 // indirect
+	github.com/googleapis/gax-go/v2 v2.16.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
@@ -316,7 +316,7 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sigstore/cosign/v2 v2.6.2 // indirect
 	github.com/sigstore/protobuf-specs v0.5.0 // indirect
-	github.com/sigstore/rekor v1.4.3 // indirect
+	github.com/sigstore/rekor v1.5.0 // indirect
 	github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect
 	github.com/sigstore/sigstore v1.10.3 // indirect
 	github.com/sigstore/sigstore-go v1.1.4 // indirect
@@ -381,19 +381,19 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/crypto v0.46.0 // indirect
 	golang.org/x/net v0.48.0 // indirect
-	golang.org/x/oauth2 v0.33.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/term v0.38.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.40.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
-	google.golang.org/api v0.257.0 // indirect
-	google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 // indirect
-	google.golang.org/grpc v1.77.0 // indirect
+	google.golang.org/api v0.260.0 // indirect
+	google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
+	google.golang.org/grpc v1.78.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
diff --git a/go.sum b/go.sum

-Original file line number
+Diff line change
         <error
             source="vulnerability_medium"
             line="1"
 -            message="Insecure dependency maven/org.apache.logging.log4j/[email protected] (CVE-2025-68161: Apache Log4j: Apache Log4j Core: Missing TLS hostname verification in Socket appender) (update to 2.25.3)"
 +            message="Insecure dependency maven/org.apache.logging.log4j/[email protected] (CVE-2025-68161: Apache Log4j: Apache Log4j Core: Information disclosure via missing TLS hostname verification) (update to 2.25.3)"
             severity="warning"
         />
         <error