chore(deps): update module github.com/in-toto/in-toto-golang to v0.11.0 [security]

[sevojulj]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/in-toto/in-toto-golang	v0.10.0 → v0.11.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

in-toto-golang and in-toto-python have inconsistent negation behavior

GHSA-pmwq-pjrm-6p5r

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negations in character classes to indicate what should not be matched, but they used different operators to indicate the negation. in-toto-python uses ! while in-toto-golang used ^. A layout authored with the expectations of one implementation can therefore exhibit different behavior in the other implementation.

This impacts users in a specific set of circumstances where two different implementations are used to verify the same layout + attestation bundle at different stages of the same pipeline. As a rule of thumb, we advise using a single implementation across all aspects of a pipeline, from layout creation to pipeline execution and verification to prevent this class of bugs.

Patches

Has the problem been patched? What versions should users upgrade to?

in-toto-golang has been updated to use ! instead of ^ to indicate negation. See https://github.com/in-toto/in-toto-golang/pull/462. This is part of v0.11.0.

Severity

• CVSS Score: 4.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-pmwq-pjrm-6p5r
• https://github.com/in-toto/in-toto-golang/pull/462
• https://github.com/in-toto/in-toto-golang/commit/36d782ffb2ca3adbffcdce1fd971c23319dd4469
• https://github.com/in-toto/in-toto-golang

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

in-toto/in-toto-golang (github.com/in-toto/in-toto-golang)

v0.11.0

Compare Source

What's Changed

• chore(deps): bump the all group with 2 updates by @​dependabot[bot] in #​453
• chore(deps): bump the all group across 1 directory with 2 updates by @​dependabot[bot] in #​452
• chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 by @​dependabot[bot] in #​457
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @​dependabot[bot] in #​459
• match: Replace ^ with ! for negation in character classes by @​adityasaky in #​462

Full Changelog: in-toto/in-toto-golang@v0.10.0...v0.11.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[sevojulj]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
github.com/docker/cli	v29.4.0+incompatible -> v29.4.0+incompatible
gopkg.in/yaml.v3	v3.0.1 -> v3.0.1

[sevojulj]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.