{"package":"github.com/sigstore/cosign","ecosystem":"go","latest_version":"v1.13.6","description":"Code signing and transparency for containers and binaries","license":"Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://pkg.go.dev/github.com/sigstore/cosign","repository":"https://github.com/sigstore/cosign","downloads_weekly":5837,"health":{"score":42,"risk":"high","breakdown":{"maintenance":0,"popularity":6,"security":19,"maturity":12,"community":5},"deprecated":false,"max_score":100},"vulnerabilities":{"count":10,"critical":0,"high":0,"medium":3,"low":7,"details":[{"vuln_id":"BIT-cosign-2024-29902","severity":"medium","summary":"Cosign malicious attachments can cause system-wide denial of service","affected_versions":"<=2.2.3|<2.2.4","fixed_version":"2.2.4","source":"osv","published_at":"2024-04-11T17:05:01Z"},{"vuln_id":"BIT-cosign-2024-29903","severity":"medium","summary":"Cosign malicious artifacts can cause machine-wide DoS","affected_versions":"<=2.2.3|<2.2.4","fixed_version":"2.2.4","source":"osv","published_at":"2024-04-11T17:15:46Z"},{"vuln_id":"BIT-cosign-2023-46737","severity":"low","summary":"Cosign vulnerable to possible endless data attack from attacker-controlled registry","affected_versions":"<1.13.2|<2.2.1","fixed_version":"2.2.1","source":"osv","published_at":"2023-11-08T15:02:51Z"},{"vuln_id":"BIT-cosign-2026-39395","severity":"medium","summary":"Cosign's verify-blob-attestation reports false positive when payload parsing fails","affected_versions":">=3.0.0,<3.0.6|<2.6.3","fixed_version":"2.6.3","source":"osv","published_at":"2026-04-08T00:15:44Z"},{"vuln_id":"BIT-cosign-2026-24122","severity":"low","summary":"Cosign considered signatures valid with expired intermediate certificates when transparency log verification is 
skipped","affected_versions":"<3.0.5","fixed_version":"3.0.5","source":"osv","published_at":"2026-02-19T22:09:12Z"},{"vuln_id":"BIT-cosign-2023-46737","severity":"unknown","summary":"Denial of service attack from remote registry in github.com/sigstore/cosign","affected_versions":"<2.2.1","fixed_version":"2.2.1","source":"osv","published_at":"2023-11-09T18:40:33Z"},{"vuln_id":"BIT-cosign-2024-29902","severity":"unknown","summary":"Cosign malicious attachments can cause system-wide denial of service in github.com/sigstore/cosign","affected_versions":"<2.2.4","fixed_version":"2.2.4","source":"osv","published_at":"2024-06-05T15:10:52Z"},{"vuln_id":"BIT-cosign-2024-29903","severity":"unknown","summary":"Cosign malicious artifacts can cause machine-wide DoS in github.com/sigstore/cosign","affected_versions":"<2.2.4","fixed_version":"2.2.4","source":"osv","published_at":"2024-06-05T15:10:52Z"},{"vuln_id":"BIT-cosign-2026-22703","severity":"unknown","summary":"Cosign verification accepts any valid Rekor entry under certain conditions in github.com/sigstore/cosign","affected_versions":"<2.6.2|<3.0.4","fixed_version":"3.0.4","source":"osv","published_at":"2026-01-13T16:42:40Z"},{"vuln_id":"BIT-cosign-2026-24122","severity":"unknown","summary":"Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped in 
github.com/sigstore/cosign","affected_versions":"<3.0.5","fixed_version":"3.0.5","source":"osv","published_at":"2026-02-23T18:23:15Z"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"v1.13.6","total_count":39,"recent":["v1.4.1","v1.10.0-rc.1","v1.10.0","v0.4.0","v1.11.0","v1.5.2","v1.2.1","v0.3.1","v0.1.0","v1.4.0","v1.2.0","v1.13.2","v1.10.1","v1.13.4","v1.13.0","v1.0.1","v1.1.0","v1.11.1","v0.2.0","v1.13.5"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":248,"first_published":null,"last_published":"2024-03-21T22:30:20Z","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"safe_to_use","issues":[],"use_version":"v1.13.6","version_hint":"Update to >= 3.0.5 to fix known vulnerabilities","summary":"github.com/sigstore/cosign@v1.13.6 is rated safe to use (health: 42/100); caveat: health.risk is high and v1.13.6 falls inside the affected_versions ranges of several entries in vulnerabilities.details (e.g. <2.2.4, <3.0.5), so check the fixed_version values and version_hint before relying on this rating"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":null,"last_release_days_ago":768,"avg_days_between_releases":null,"release_velocity":"stale"}}