PT-2022-23036 · Unknown · Policycontroller

Mattmoor · Published 2022-08-04 · Updated 2024-08-21 · CVE-2022-35930

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PolicyController versions prior to 0.2.1
Description: The issue arises when an image carries at least one attestation with a valid signature but no attestation of the predicate type being verified (--type defaults to "custom"). The check treats the validly signed attestation of the wrong type as satisfying the policy, producing a false positive: the image is admitted when it should have been rejected. An example image for testing this condition is ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2.
Recommendations: Upgrade to version 0.2.1 or greater. There are no workarounds for users unable to upgrade.
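The logic flaw described above, reduced to a self-contained model. This is an added example, not policy-controller's own code: the Attestation type, admitVulnerable, admitFixed and the sample attestations are all constructed here to illustrate the difference between "some attestation has a valid signature" and "a validly signed attestation of the requested type exists".

```go
package main

import "fmt"

// Attestation is a constructed stand-in for a signed attestation attached to
// an image: its predicate type and whether its signature verified.
type Attestation struct {
	PredicateType string
	SignatureOK   bool
}

// defaultType mirrors the --type default named in the advisory.
const defaultType = "custom"

// admitVulnerable reproduces the flawed decision: any validly signed
// attestation admits the image, and the requested type is never compared.
func admitVulnerable(atts []Attestation, wantType string) bool {
	for _, a := range atts {
		if a.SignatureOK {
			return true
		}
	}
	return false
}

// admitFixed admits only when a validly signed attestation of the requested
// predicate type is present; a valid signature on another type is not enough.
func admitFixed(atts []Attestation, wantType string) (bool, error) {
	if wantType == "" {
		wantType = defaultType
	}
	sawValidSignature := false
	for _, a := range atts {
		if !a.SignatureOK {
			continue // unsigned or badly signed attestations never count
		}
		sawValidSignature = true
		if a.PredicateType == wantType {
			return true, nil
		}
	}
	if sawValidSignature {
		// This is exactly the false-positive case: valid signatures exist,
		// but none of them cover the type being verified.
		return false, fmt.Errorf("no validly signed attestation of type %q", wantType)
	}
	return false, fmt.Errorf("no validly signed attestations found")
}

// sampleAttestations is constructed input: one validly signed provenance
// attestation and nothing of type "custom".
func sampleAttestations() []Attestation {
	return []Attestation{
		{PredicateType: "https://slsa.dev/provenance/v0.2", SignatureOK: true},
		{PredicateType: "custom", SignatureOK: false},
	}
}

func main() {
	atts := sampleAttestations()
	fmt.Println("vulnerable check admits:", admitVulnerable(atts, ""))
	ok, err := admitFixed(atts, "")
	fmt.Println("fixed check admits:", ok, "error:", err)
}
```

Running it shows the vulnerable check admitting the image while the fixed check rejects it with an error naming the missing type, which is the behaviour a correct verifier must have regardless of how many other attestations are signed.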

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2022-35930
GHSA-739F-HW6H-7WQ8
GO-2022-0759

Affected Products

Policycontroller