Update go-tuf to v0.5.0

This was triggered by the security advisory [GHSA-3633-5h82-39pq](GHSA-3633-5h82-39pq). Fleet's use of go-tuf is not vulnerable to this issue due to not using key thresholds greater than 1. There were some API changes that necessitate changing the initialization code for the TUF client. See theupdateframework/go-tuf#379 for further discussion.
fleetdm · Oct 6, 2022 · aecad1e · aecad1e
1 parent 92d6161
commit aecad1e
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 52 deletions.
diff --git a/ee/fleetctl/updates.go b/ee/fleetctl/updates.go
@@ -159,7 +159,7 @@ func updatesInitFunc(c *cli.Context) error {
 func updatesRootsCommand() *cli.Command {
 	return &cli.Command{
 		Name:   "roots",
-		Usage:  "Get root keys metadata",
+		Usage:  "Get root metadata",
 		Flags:  updatesFlags(),
 		Action: updatesRootsFunc,
 	}
@@ -171,15 +171,17 @@ func updatesRootsFunc(c *cli.Context) error {
 		return err
 	}
 
-	keys, err := repo.RootKeys()
+	meta, err := repo.GetMeta()
 	if err != nil {
-		return fmt.Errorf("get root metadata: %w", err)
+		return fmt.Errorf("get repo metadata: %w", err)
 	}
-
-	if err := json.NewEncoder(os.Stdout).Encode(keys); err != nil {
-		return fmt.Errorf("encode root metadata: %w", err)
+	rootMeta := meta["root.json"]
+	if rootMeta == nil {
+		return fmt.Errorf("missing root metadata")
 	}
 
+	fmt.Println(string(rootMeta))
+
 	return nil
 }
 

diff --git a/go.mod b/go.mod
@@ -81,7 +81,7 @@ require (
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.8.0
-	github.com/theupdateframework/go-tuf v0.3.0
+	github.com/theupdateframework/go-tuf v0.5.0
 	github.com/throttled/throttled/v2 v2.8.0
 	github.com/tj/assert v0.0.3
 	github.com/ulikunitz/xz v0.5.10
@@ -94,9 +94,9 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0
 	go.opentelemetry.io/otel/sdk v1.10.0
-	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
+	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8
+	golang.org/x/sys v0.0.0-20220908164124-27713097b956
 	google.golang.org/grpc v1.49.0
 	gopkg.in/guregu/null.v3 v3.4.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
@@ -256,7 +256,7 @@ require (
 	github.com/rogpeppe/go-internal v1.8.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/santhosh-tekuri/jsonschema v1.2.4 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.3.1 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/slack-go/slack v0.9.4 // indirect
@@ -291,7 +291,7 @@ require (
 	gocloud.dev v0.24.0 // indirect
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/mod v0.5.1 // indirect
-	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
+	golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect