
build(deps): bump github.com/zmap/zlint/v3 from 3.5.0 to 3.6.4 in /tools/mod #18790


@dependabot dependabot bot commented on behalf of github Oct 28, 2024

Bumps github.com/zmap/zlint/v3 from 3.5.0 to 3.6.4.

Release notes

Sourced from github.com/zmap/zlint/v3's releases.

v3.6.4

ZLint v3.6.4

The ZMap team is happy to share ZLint v3.6.4.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_crl_distrib_points_not_http The scheme of each CRL Distribution Point MUST be 'http'
  • e_cs_crl_distribution_points This extension MUST be present. It MUST NOT be marked critical. It MUST contain the HTTP URL of the CA's CRL service
  • e_cs_eku_required If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present. anyExtendedKeyUsage and id-kp-serverAuth MUST NOT be present
  • e_cs_key_usage_required This extension MUST be present and MUST be marked critical. The bit position for digitalSignature MUST be set. The bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.
  • e_cs_rsa_key_size e_cs_rsa_key_size

Bug Fixes

  • Corrected the semantics of e_ev_orgid_inconsistent_subj_and_ext to address Mozilla #1897538 (https://bugzilla.mozilla.org/show_bug.cgi?id=1897538)
  • Corrected e_sub_cert_aia_does_not_contain_ocsp_url to have an ineffective date.
  • Corrected an issue in the CLI parser wherein filtering on RFC8813 would result in an error.
  • Corrected an issue in the CLI parser wherein filtering rules would not be applied when running lints against a CRL.

Changelog

  • ddaf5ccd564ba8e5f1115f2885ac9cc9d6451248 util: gtld_map autopull updates for 2024-09-28T16:21:05 UTC (#882)
  • 77a646819101c358541ee3dbdc072169fd18ff1b fix: Fix PSD2 based cabfOrganizationIdentifier check (#880)
  • 372cdc66ed0f303a0799715f30692e1c95f378a8 RFC8813 is not referrable from the CLI as a valid lint source (#879)
  • caa62acd5a7d57f67ef2c5b760f0a54880648d43 Add lint to check that all CRL Distribution Points only contain "http" URLs (per CABF BRs 7.1.2.11.2) (#867)
  • 8eb670f6ab021ea56d1f3daefa160b2b18cb0d8d Fix old lint checking that an OCSP URL is present in TLS Server certificates: add ineffective date (#871)
  • 2e67fb9993c52daf50ca7f12aaf1ddba877d71e9 Update main.go to have CRL linting lint on provided registry (#874)
  • f83e4e2d27c56082d4ecdb4679d8b58ae6996c18 README: Add pkimetal to users list (#873)
  • 33ee62a138fc62f3c2102cfc575c4738b0c1030a Add Code Signing lints for EKU, Key Usage, RSA Key Size and CRLDistributionPoints (#865)

Full Changelog: zmap/zlint@v3.6.3...v3.6.4

v3.6.4-rc1

ZLint v3.6.4-rc1

The ZMap team is happy to share ZLint v3.6.4-rc1.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_crl_distrib_points_not_http The scheme of each CRL Distribution Point MUST be 'http'
  • e_cs_crl_distribution_points This extension MUST be present. It MUST NOT be marked critical. It MUST contain the HTTP URL of the CA's CRL service
  • e_cs_eku_required If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present. anyExtendedKeyUsage and id-kp-serverAuth MUST NOT be present
  • e_cs_key_usage_required This extension MUST be present and MUST be marked critical. The bit position for digitalSignature MUST be set. The bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.
  • e_cs_rsa_key_size e_cs_rsa_key_size

Bug Fixes

  • Corrected the semantics of e_ev_orgid_inconsistent_subj_and_ext to address Mozilla #1897538 (https://bugzilla.mozilla.org/show_bug.cgi?id=1897538)
  • Corrected e_sub_cert_aia_does_not_contain_ocsp_url to have an ineffective date.
  • Corrected an issue in the CLI parser wherein filtering on RFC8813 would result in an error.

... (truncated)

Commits
  • ddaf5cc util: gtld_map autopull updates for 2024-09-28T16:21:05 UTC (#882)
  • 77a6468 fix: Fix PSD2 based cabfOrganizationIdentifier check (#880)
  • 372cdc6 RFC8813 is not referrable from the CLI as a valid lint source (#879)
  • caa62ac Add lint to check that all CRL Distribution Points only contain "http" URLs (...
  • 8eb670f Fix old lint checking that an OCSP URL is present in TLS Server certificates:...
  • 2e67fb9 Update main.go to have CRL linting lint on provided registry (#874)
  • f83e4e2 README: Add pkimetal to users list (#873)
  • 33ee62a Add Code Signing lints for EKU, Key Usage, RSA Key Size and CRLDistributionPo...
  • 13c40b2 Fix goreleaser to use the --clean flag rather than --rm-dist (#868)
  • 015d220 Add lint to check for a valid business category in EV certificates (#830)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/zmap/zlint/v3](https://github.com/zmap/zlint) from 3.5.0 to 3.6.4.
- [Release notes](https://github.com/zmap/zlint/releases)
- [Commits](zmap/zlint@v3.5.0...v3.6.4)

---
updated-dependencies:
- dependency-name: github.com/zmap/zlint/v3
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
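The Code Signing and CRL Distribution Point requirements quoted in the release notes above (e_crl_distrib_points_not_http, e_cs_crl_distribution_points, e_cs_eku_required, e_cs_key_usage_required, e_cs_rsa_key_size) can be checked with nothing but the Go standard library. The block below is an added example, not ZLint's own code: it builds two constructed, self-signed certificate profiles, one compliant and one that breaks the scheme, EKU and key-usage rules, and reports which of the listed requirements each violates. The `CompliantProfile`/`NonCompliantProfile` names, the `crl.example.test` URLs and the 3072-bit RSA threshold are assumptions (the notes name e_cs_rsa_key_size but give no value).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Findings maps a lint name (as in the release notes above) to why it fired; empty means all checks passed.
type Findings map[string]string

// Scenario is a constructed certificate profile holding just the fields the new lints inspect.
type Scenario struct {
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
	CRLDPs      []string
}

// Constructed sample profiles, not real certificates: the first meets the listed requirements,
// the second breaks the CRL scheme, EKU and key-usage rules at once.
var (
	CompliantProfile = Scenario{x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, []string{"http://crl.example.test/cs.crl"}}
	NonCompliantProfile = Scenario{x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // keyCertSign forbidden
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageServerAuth}, // serverAuth forbidden
		[]string{"https://crl.example.test/cs.crl"}} // https, not http
)

// MinRSABits is an assumed threshold: the notes name e_cs_rsa_key_size but state no value.
const MinRSABits = 3072

// LintCodeSigning applies the checks the five new lints describe to a parsed certificate.
func LintCodeSigning(cert *x509.Certificate) Findings {
	f := Findings{}
	// Index raw extensions by dotted OID so criticality can be checked (2.5.29.15 keyUsage, 2.5.29.31 cRLDistributionPoints).
	ext := map[string]pkix.Extension{}
	for _, e := range cert.Extensions {
		ext[e.Id.String()] = e
	}
	eku := map[x509.ExtKeyUsage]bool{}
	for _, e := range cert.ExtKeyUsage {
		eku[e] = true
	}
	isHTTP := func(raw string) bool { u, err := url.Parse(raw); return err == nil && u.Scheme == "http" }
	anyHTTP := false
	for _, dp := range cert.CRLDistributionPoints {
		if isHTTP(dp) { anyHTTP = true; continue }
		f["e_crl_distrib_points_not_http"] = fmt.Sprintf("CRL DP %q does not use the http scheme", dp)
	}
	switch crlDP, ok := ext["2.5.29.31"]; {
	case !ok: f["e_cs_crl_distribution_points"] = "extension absent"
	case crlDP.Critical: f["e_cs_crl_distribution_points"] = "extension marked critical"
	case !anyHTTP: f["e_cs_crl_distribution_points"] = "no HTTP URL for the CA's CRL service"
	}
	switch {
	case !eku[x509.ExtKeyUsageCodeSigning]: f["e_cs_eku_required"] = "id-kp-codeSigning absent"
	case eku[x509.ExtKeyUsageAny] || eku[x509.ExtKeyUsageServerAuth]: f["e_cs_eku_required"] = "anyExtendedKeyUsage or id-kp-serverAuth present"
	}
	switch ku, ok := ext["2.5.29.15"]; {
	case !ok: f["e_cs_key_usage_required"] = "extension absent"
	case !ku.Critical: f["e_cs_key_usage_required"] = "extension not marked critical"
	case cert.KeyUsage&x509.KeyUsageDigitalSignature == 0: f["e_cs_key_usage_required"] = "digitalSignature not set"
	case cert.KeyUsage&(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) != 0: f["e_cs_key_usage_required"] = "keyCertSign or cRLSign set"
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < MinRSABits {
		f["e_cs_rsa_key_size"] = fmt.Sprintf("RSA modulus is %d bits, below %d", pub.N.BitLen(), MinRSABits)
	}
	return f
}

// LintScenario self-signs a throwaway P-256 certificate from a profile and lints it.
func LintScenario(s Scenario) (Findings, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test cert"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: s.KeyUsage, ExtKeyUsage: s.ExtKeyUsage, CRLDistributionPoints: s.CRLDPs}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return LintCodeSigning(cert), nil
}

func main() {
	for _, s := range []Scenario{CompliantProfile, NonCompliantProfile} {
		fmt.Println(LintScenario(s)) // prints the findings map and any error
	}
}
```

The criticality checks read the raw `cert.Extensions` rather than the parsed fields, because Go's parsed `KeyUsage` and `CRLDistributionPoints` fields drop the critical flag; the `x509.CreateCertificate` defaults (key usage critical, CRL DP non-critical) are what the quoted lints expect, so the compliant profile passes as is.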
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Oct 28, 2024
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign jmhbnz for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@codecov-commenter

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.74%. Comparing base (7cded36) to head (070c075).

Current head 070c075 differs from pull request most recent head b3996b8

Please upload reports for the commit b3996b8 to get more accurate results.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

see 18 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #18790      +/-   ##
==========================================
+ Coverage   68.70%   68.74%   +0.04%     
==========================================
  Files         420      420              
  Lines       35512    35512              
==========================================
+ Hits        24399    24414      +15     
+ Misses       9677     9667      -10     
+ Partials     1436     1431       -5     

Continue to review full report in Codecov by Sentry.

Powered by Codecov. Last update 7cded36...b3996b8. Read the comment docs.

@henrybear327

Fully indirect

github.com/zmap/zlint/v3 version in all go mod files
./tools/mod/go.mod:	github.com/zmap/zlint/v3 v3.5.0 // indirect


dependabot bot commented on behalf of github Oct 31, 2024

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/go_modules/tools/mod/github.com/zmap/zlint/v3-3.6.4 branch October 31, 2024 14:41