6 matches found
sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest
Summary Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardles...
EUVD-2025-4090
Malicious code in bioql PyPI...
CVE-2025-25204
gh is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool gh attestation verify causes it to return a zero exit status when no attestations are present. This behavior is incorrect:...
GHSA-FGW4-V983-MGP8 `gh attestation verify` returns incorrect exit code during verification if no attestations are present
Summary A bug in GitHub's Artifact Attestation CLI tool, gh attestation verify, may return an incorrect zero exit status when no matching attestations are found for the specified --predicate-type or the default https://slsa.dev/provenance/v1 if not specified. This issue only arises if an artifact...
`gh attestation verify` returns incorrect exit code during verification if no attestations are present
Summary A bug in GitHub's Artifact Attestation CLI tool, gh attestation verify, may return an incorrect zero exit status when no matching attestations are found for the specified --predicate-type or the default https://slsa.dev/provenance/v1 if not specified. This issue only arises if an artifact...
CVE-2025-25204
gh is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool gh attestation verify causes it to return a zero exit status when no attestations are present. This behavior is incorrect:...