From bb168a7a3c999077c616be8686520a55839b3274 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 9 May 2026 01:06:09 +0000
Subject: [PATCH] Bump github.com/in-toto/in-toto-golang

Bumps [github.com/in-toto/in-toto-golang](https://github.com/in-toto/in-toto-golang) from 0.9.1-0.20240317085821-8e2966059a09 to 0.11.0.
- [Release notes](https://github.com/in-toto/in-toto-golang/releases)
- [Changelog](https://github.com/in-toto/in-toto-golang/blob/master/CHANGELOG.md)
- [Commits](https://github.com/in-toto/in-toto-golang/commits/v0.11.0)

---
updated-dependencies:
- dependency-name: github.com/in-toto/in-toto-golang
 dependency-version: 0.11.0
 dependency-type: indirect
...

Signed-off-by: dependabot[bot]
---
 go.mod | 4 +-
 go.sum | 4 +-
 .../in-toto-golang/in_toto/attestations.go | 2 +-
 .../in-toto/in-toto-golang/in_toto/keylib.go | 6 +-
 .../in-toto/in-toto-golang/in_toto/match.go | 8 +-
 .../in-toto/in-toto-golang/in_toto/model.go | 10 ++-
 .../in-toto/in-toto-golang/in_toto/runlib.go | 4 +-
 .../in_toto/slsa_provenance/common/common.go | 2 +-
 .../slsa_provenance/v0.1/provenance.go | 4 +-
 .../slsa_provenance/v0.2/provenance.go | 4 +-
 .../in_toto/slsa_provenance/v1/provenance.go | 4 +-
 .../in-toto-golang/in_toto/verifylib.go | 82 ++++++++++++++-----
 vendor/modules.txt | 6 +-
 13 files changed, 97 insertions(+), 43 deletions(-)

diff --git a/go.mod b/go.mod
index 602b16fc4..4adf12a99 100644
--- a/go.mod
+++ b/go.mod
@@ -152,7 +152,7 @@ require (
 github.com/gdamore/tcell/v2 v2.9.0 // indirect
 github.com/go-chi/chi/v5 v5.2.4 // indirect
 github.com/go-errors/errors v1.4.2 // indirect
- github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+ github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-openapi/analysis v0.24.1 // indirect
@@ -224,7 +224,7 @@ require (
 github.com/in-toto/archivista v0.10.0 // indirect
 github.com/in-toto/attestation v1.1.2 // indirect
 github.com/in-toto/go-witness v0.9.1 // indirect
- github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09 // indirect
+ github.com/in-toto/in-toto-golang v0.11.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jcmturner/aescts/v2 v2.0.0 // indirect
 github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
diff --git a/go.sum b/go.sum
index 351ee8bf8..8df7d4781 100644
--- a/go.sum
+++ b/go.sum
@@ -662,8 +662,8 @@ github.com/in-toto/attestation v1.1.2 h1:MBFn6lsMq6dptQZJBhalXTcWMb/aJy3V+GX3VYj
 github.com/in-toto/attestation v1.1.2/go.mod h1:gYFddHMZj3DiQ0b62ltNi1Vj5rC879bTmBbrv9CRHpM=
 github.com/in-toto/go-witness v0.9.1 h1:tT14ysHhnTcMLjLsp9k6GNGyKxfmr0WmTrJKREnhVGE=
 github.com/in-toto/go-witness v0.9.1/go.mod h1:9baHJG15esrfao4R3J42mWhQf3yMeKUeioCdQM+i9ek=
-github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09 h1:cwCITdi9pF50CF8uh40qDbkJ/VrEVzx5AoaHP7OPdEo=
-github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09/go.mod h1:yGCBn2JKF1m26FX8GmkcLSOFVjB6khWRxFsHwWIg7hw=
+github.com/in-toto/in-toto-golang v0.11.0 h1:nfidMYBFx+E0lnmX5KUnN2Pdm8zdNKal1ayjJuzzRoA=
+github.com/in-toto/in-toto-golang v0.11.0/go.mod h1:u3PjTnwFKjp5a1YCcw8SJg0G+tMeKfVoWsWeFMDCMtw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/attestations.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/attestations.go
index b9ec4b0d6..b03871cbf 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/attestations.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/attestations.go
@@ -69,7 +69,7 @@ of the predicate. This struct represents a generic statement.
 // https://github.com/in-toto/attestation/tree/main/go/v1.
 type Statement struct {
 StatementHeader
- // Predicate contains type speficic metadata.
+ // Predicate contains type specific metadata.
 Predicate interface{} `json:"predicate"`
 }
 
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/keylib.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/keylib.go
index bc3069a64..a3994c847 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/keylib.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/keylib.go
@@ -405,7 +405,11 @@ func (k *Key) loadKey(keyObj interface{}, pemData *pem.Block, scheme string, key
 }
 case ed25519.PrivateKey:
 pubKeyBytes := key.Public()
- if err := k.setKeyComponents(pubKeyBytes.(ed25519.PublicKey), key, ed25519KeyType, scheme, keyIDHashAlgorithms); err != nil {
+ publicKey, ok := pubKeyBytes.(ed25519.PublicKey)
+ if !ok {
+ return fmt.Errorf("pubKeyBytes must be ed25519.PublicKey")
+ }
+ if err := k.setKeyComponents(publicKey, key, ed25519KeyType, scheme, keyIDHashAlgorithms); err != nil {
 return err
 }
 case *ecdsa.PrivateKey:
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
index 52373aa75..a581d00f7 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
@@ -22,8 +22,12 @@ var errBadPattern = errors.New("syntax error in pattern")
 // term:
 // '*' matches any sequence of non-/ characters
 // '?' matches any single non-/ character
-// '[' [ '^' ] { character-range } ']'
+// '[' [ '!' ] { character-range } ']'
 // character class (must be non-empty)
+//
+// NOTE: Only '!' is supported for character class negation, not '^'. This is to
+// ensure compatibility with in-toto-python.
+//
 // c matches character c (c != '*', '?', '\\', '[')
 // '\\' c matches character c
 //
@@ -141,7 +145,7 @@ func matchChunk(chunk, s string) (rest string, ok bool, err error) {
 chunk = chunk[1:]
 // possibly negated
 negated := false
- if len(chunk) > 0 && chunk[0] == '^' {
+ if len(chunk) > 0 && chunk[0] == '!' {
 negated = true
 chunk = chunk[1:]
 }
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/model.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/model.go
index 15226ca60..408153565 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/model.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/model.go
@@ -355,8 +355,14 @@ func validateArtifacts(artifacts map[string]HashObj) error {
 for artifactName, artifact := range artifacts {
 artifactValue := reflect.ValueOf(artifact).MapRange()
 for artifactValue.Next() {
- value := artifactValue.Value().Interface().(string)
- hashType := artifactValue.Key().Interface().(string)
+ value, ok := artifactValue.Value().Interface().(string)
+ if !ok {
+ return fmt.Errorf("value is not string")
+ }
+ hashType, ok := artifactValue.Key().Interface().(string)
+ if !ok {
+ return fmt.Errorf("hash type is not string")
+ }
 if err := validateHexString(value); err != nil {
 return fmt.Errorf("in artifact '%s', %s hash value: %s",
 artifactName, hashType, err.Error())
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/runlib.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/runlib.go
index cbc1b513f..4cc032166 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/runlib.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/runlib.go
@@ -423,9 +423,9 @@ func InTotoRecordStart(name string, materialPaths []string, key Key, hashAlgorit
 }
 
 /*
-InTotoRecordStop ends the creation of a metatadata link file created by
+InTotoRecordStop ends the creation of a metadata link file created by
 InTotoRecordStart. InTotoRecordStop takes in a signed unfinished link metablock
-created by InTotoRecordStart and records the hashes of any products creted by
+created by InTotoRecordStart and records the hashes of any products created by
 commands run between InTotoRecordStart and InTotoRecordStop. The resultant
 finished link metablock is then signed by the provided key and returned.
 */
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common/common.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common/common.go
index a45a45463..ab6763e85 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common/common.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common/common.go
@@ -4,7 +4,7 @@ package common
 // algorithm name to lowercase hex-encoded value.
 type DigestSet map[string]string
 
-// ProvenanceBuilder idenfifies the entity that executed the build steps.
+// ProvenanceBuilder identifies the entity that executed the build steps.
 type ProvenanceBuilder struct {
 ID string `json:"id"`
 }
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1/provenance.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1/provenance.go
index 5978e9229..4470723b8 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1/provenance.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1/provenance.go
@@ -40,8 +40,8 @@ type ProvenanceMetadata struct {
 Reproducible bool `json:"reproducible"`
 }
 
-// ProvenanceComplete indicates wheter the claims in build/recipe are complete.
-// For in depth information refer to the specifictaion:
+// ProvenanceComplete indicates whether the claims in build/recipe are complete.
+// For in depth information refer to the specification:
 // https://github.com/in-toto/attestation/blob/v0.1.0/spec/predicates/provenance.md
 type ProvenanceComplete struct {
 Arguments bool `json:"arguments"`
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2/provenance.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2/provenance.go
index 40416e29a..3efbb51e8 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2/provenance.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2/provenance.go
@@ -127,8 +127,8 @@ type ProvenanceMetadata struct {
 Reproducible bool `json:"reproducible"`
 }
 
-// ProvenanceComplete indicates wheter the claims in build/recipe are complete.
-// For in depth information refer to the specifictaion:
+// ProvenanceComplete indicates whether the claims in build/recipe are complete.
+// For in depth information refer to the specification:
 // https://github.com/in-toto/attestation/blob/v0.1.0/spec/predicates/provenance.md
 type ProvenanceComplete struct {
 // Parameters if true, means the builder claims that [ProvenanceInvocation.Parameters] is
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1/provenance.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1/provenance.go
index 1e9988027..5a26445c5 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1/provenance.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1/provenance.go
@@ -48,7 +48,7 @@ type ProvenanceBuildDefinition struct {
 
 // The parameters that are under external control, such as those set by a
 // user or tenant of the build system. They MUST be complete at SLSA Build
- // L3, meaning that that there is no additional mechanism for an external
+ // L3, meaning that there is no additional mechanism for an external
 // party to influence the build. (At lower SLSA Build levels, the
 // completeness MAY be best effort.)
 
@@ -173,7 +173,7 @@ type BuildMetadata struct {
 // finding associated logs or other ad-hoc analysis. The exact meaning and
 // format is defined by builder.id; by default it is treated as opaque and
 // case-sensitive. The value SHOULD be globally unique.
- InvocationID string `json:"invocationID,omitempty"`
+ InvocationID string `json:"invocationId,omitempty"`
 
 // The timestamp of when the build started.
 StartedOn *time.Time `json:"startedOn,omitempty"`
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/verifylib.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/verifylib.go
index 471df50e7..de9dfa7e6 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/verifylib.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/verifylib.go
@@ -59,7 +59,11 @@ func RunInspections(layout Layout, runDir string, lineNormalization bool, useDSS
 return nil, err
 }
 
- retVal := linkEnv.GetPayload().(Link).ByProducts["return-value"]
+ link, ok := linkEnv.GetPayload().(Link)
+ if !ok {
+ return nil, fmt.Errorf("invalid metadata")
+ }
+ retVal := link.ByProducts["return-value"]
 if retVal != float64(0) {
 return nil, fmt.Errorf("inspection command '%s' of inspection '%s'"+
 " returned a non-zero value: %d", inspection.Run, inspection.Name,
@@ -91,13 +95,19 @@ func verifyMatchRule(ruleData map[string]string,
 return consumed
 }
 
+ dstLink, ok := dstLinkEnv.GetPayload().(Link)
+ if !ok {
+ fmt.Printf("invalid metadata")
+ return consumed
+ }
+
 // Get artifacts from destination link metadata
 var dstArtifacts map[string]HashObj
 switch ruleData["dstType"] {
 case "materials":
- dstArtifacts = dstLinkEnv.GetPayload().(Link).Materials
+ dstArtifacts = dstLink.Materials
 case "products":
- dstArtifacts = dstLinkEnv.GetPayload().(Link).Products
+ dstArtifacts = dstLink.Products
 }
 
 // cleanup paths in pattern and artifact maps
@@ -216,8 +226,12 @@ func VerifyArtifacts(items []interface{},
 
 // Create shortcuts to materials and products (including hashes) reported
 // by the item's link, required to verify "match" rules
- materials := srcLinkEnv.GetPayload().(Link).Materials
- products := srcLinkEnv.GetPayload().(Link).Products
+ link, ok := srcLinkEnv.GetPayload().(Link)
+ if !ok {
+ return fmt.Errorf("invalid metadata")
+ }
+ materials := link.Materials
+ products := link.Products
 
 // All other rules only require the material or product paths (without
 // hashes). We extract them from the corresponding maps and store them as
@@ -269,17 +283,24 @@ func VerifyArtifacts(items []interface{},
 // TODO: Add logging library (see in-toto/in-toto-golang#4)
 // fmt.Printf("%s...\n", verificationData["srcType"])
 
- rules := verificationData["rules"].([][]string)
- artifacts := verificationData["artifacts"].(map[string]HashObj)
-
+ rules, ok := verificationData["rules"].([][]string)
+ if !ok {
+ return fmt.Errorf(`rules must be of type [][]string`)
+ }
+ artifacts, ok := verificationData["artifacts"].(map[string]HashObj)
+ if !ok {
+ return fmt.Errorf(`artifacts must be of type map[string]HashObj`)
+ }
 // Use artifacts (without hashes) as base queue. Each rule only operates
 // on artifacts in that queue. If a rule consumes an artifact (i.e. can
 // be applied successfully), the artifact is removed from the queue. By
 // applying a DISALLOW rule eventually, verification may return an error,
 // if the rule matches any artifacts in the queue that should have been
 // consumed earlier.
- queue := verificationData["artifactPaths"].(Set)
-
+ queue, ok := verificationData["artifactPaths"].(Set)
+ if !ok {
+ return fmt.Errorf(`queue must be of type Set`)
+ }
 // TODO: Add logging library (see in-toto/in-toto-golang#4)
 // fmt.Printf("Initial state\nMaterials: %s\nProducts: %s\nQueue: %s\n\n",
 // materialPaths.Slice(), productPaths.Slice(), queue.Slice())
@@ -398,10 +419,16 @@ func ReduceStepsMetadata(layout Layout,
 // threshold requires, but not all of them are equal? Right now we would
 // also error.
 for keyID, linkEnv := range linksPerStep {
- if !reflect.DeepEqual(linkEnv.GetPayload().(Link).Materials,
- referenceLinkEnv.GetPayload().(Link).Materials) ||
- !reflect.DeepEqual(linkEnv.GetPayload().(Link).Products,
- referenceLinkEnv.GetPayload().(Link).Products) {
+ link, ok := linkEnv.GetPayload().(Link)
+ if !ok {
+ return nil, fmt.Errorf("invalid metadata")
+ }
+ refLink, ok := referenceLinkEnv.GetPayload().(Link)
+ if !ok {
+ return nil, fmt.Errorf("invalid metadata")
+ }
+ if !reflect.DeepEqual(link.Materials, refLink.Materials) ||
+ !reflect.DeepEqual(link.Products, refLink.Products) {
 return nil, fmt.Errorf("link '%s' and '%s' have different"+
 " artifacts",
 fmt.Sprintf(LinkNameFormat, step.Name, referenceKeyID),
@@ -432,8 +459,13 @@ func VerifyStepCommandAlignment(layout Layout,
 }
 
 for signerKeyID, linkEnv := range linksPerStep {
+ link, ok := linkEnv.GetPayload().(Link)
+ if !ok {
+ fmt.Printf("invalid metadata")
+ return
+ }
 expectedCommandS := strings.Join(step.ExpectedCommand, " ")
- executedCommandS := strings.Join(linkEnv.GetPayload().(Link).Command, " ")
+ executedCommandS := strings.Join(link.Command, " ")
 if expectedCommandS != executedCommandS {
 linkName := fmt.Sprintf(LinkNameFormat, step.Name, signerKeyID)
@@ -708,16 +740,24 @@ func GetSummaryLink(layout Layout, stepsMetadataReduced map[string]Metadata,
 firstStepLink := stepsMetadataReduced[layout.Steps[0].Name]
 lastStepLink := stepsMetadataReduced[layout.Steps[len(layout.Steps)-1].Name]
 
- summaryLink.Materials = firstStepLink.GetPayload().(Link).Materials
+ firstStepPayloadLink, ok := firstStepLink.GetPayload().(Link)
+ if !ok {
+ return nil, fmt.Errorf("invalid metadata")
+ }
+ summaryLink.Materials = firstStepPayloadLink.Materials
 summaryLink.Name = stepName
- summaryLink.Type = firstStepLink.GetPayload().(Link).Type
+ summaryLink.Type = firstStepPayloadLink.Type
 
- summaryLink.Products = lastStepLink.GetPayload().(Link).Products
- summaryLink.ByProducts = lastStepLink.GetPayload().(Link).ByProducts
+ lastStepPayloadLink, ok := lastStepLink.GetPayload().(Link)
+ if !ok {
+ return nil, fmt.Errorf("invalid metadata")
+ }
+ summaryLink.Products = lastStepPayloadLink.Products
+ summaryLink.ByProducts = lastStepPayloadLink.ByProducts
 // Using the last command of the sublayout as the command
 // of the summary link can be misleading. Is it necessary to
 // include all the commands executed as part of sublayout?
- summaryLink.Command = lastStepLink.GetPayload().(Link).Command
+ summaryLink.Command = lastStepPayloadLink.Command
 }
 
 if useDSSE {
@@ -845,7 +885,7 @@ the in-toto specification.
 It requires the metadata of the root layout, a map that contains public keys to verify the root layout signatures, a path to a directory from where it can load link metadata files, which are treated as signed evidence for the steps defined in the layout, a step name, and a
-paramater dictionary used for parameter substitution. The step name only
+parameter dictionary used for parameter substitution. The step name only
 matters for sublayouts, where it's important to associate the summary of that step with a unique name. The verification routine is as follows:
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 19119b5ce..09db1085c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -695,7 +695,7 @@ github.com/go-chi/chi/v5/middleware
 # github.com/go-errors/errors v1.4.2
 ## explicit; go 1.14
 github.com/go-errors/errors
-# github.com/go-jose/go-jose/v4 v4.1.3 => github.com/go-jose/go-jose/v4 v4.0.5
+# github.com/go-jose/go-jose/v4 v4.1.4 => github.com/go-jose/go-jose/v4 v4.0.5
 ## explicit; go 1.21
 github.com/go-jose/go-jose/v4
 github.com/go-jose/go-jose/v4/cipher
@@ -1059,8 +1059,8 @@ github.com/in-toto/go-witness/cryptoutil
 github.com/in-toto/go-witness/dsse
 github.com/in-toto/go-witness/log
 github.com/in-toto/go-witness/timestamp
-# github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09
-## explicit; go 1.20
+# github.com/in-toto/in-toto-golang v0.11.0
+## explicit; go 1.24.0
 github.com/in-toto/in-toto-golang/in_toto
 github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common
 github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1