fix(deps): update module github.com/in-toto/in-toto-golang to v0.11.0 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/in-toto/in-toto-golang	v0.9.0 → v0.11.0

---

in-toto-golang and in-toto-python have inconsistent negation behavior

GHSA-pmwq-pjrm-6p5r

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negations in character classes to indicate what should not be matched, but they used different operators to indicate the negation. in-toto-python uses ! while in-toto-golang used ^. A layout authored with the expectations of one implementation can therefore exhibit different behavior in the other implementation.

This impacts users in a specific set of circumstances where two different implementations are used to verify the same layout + attestation bundle at different stages of the same pipeline. As a rule of thumb, we advise using a single implementation across all aspects of a pipeline, from layout creation to pipeline execution and verification to prevent this class of bugs.

Patches

Has the problem been patched? What versions should users upgrade to?

in-toto-golang has been updated to use ! instead of ^ to indicate negation. See https://github.com/in-toto/in-toto-golang/pull/462. This is part of v0.11.0.

Severity

• CVSS Score: 4.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-pmwq-pjrm-6p5r
• https://github.com/in-toto/in-toto-golang/pull/462
• https://github.com/in-toto/in-toto-golang/commit/36d782ffb2ca3adbffcdce1fd971c23319dd4469
• https://github.com/advisories/GHSA-pmwq-pjrm-6p5r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

in-toto/in-toto-golang (github.com/in-toto/in-toto-golang)

v0.11.0

Compare Source

What's Changed

• chore(deps): bump the all group with 2 updates by @​dependabot[bot] in #​453
• chore(deps): bump the all group across 1 directory with 2 updates by @​dependabot[bot] in #​452
• chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 by @​dependabot[bot] in #​457
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @​dependabot[bot] in #​459
• match: Replace ^ with ! for negation in character classes by @​adityasaky in #​462

Full Changelog: in-toto/in-toto-golang@v0.10.0...v0.11.0

v0.10.0

Compare Source

What's Changed

• chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 by @​dependabot[bot] in #​232
• Update maintainers and governance by @​adityasaky in #​233
• chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 by @​dependabot[bot] in #​234
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.3 to 2.1.5 by @​dependabot[bot] in #​235
• chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 by @​dependabot[bot] in #​236
• Fix expired signature in test by @​adityasaky in #​241
• chore(deps): bump golang.org/x/sys from 0.8.0 to 0.9.0 by @​dependabot[bot] in #​240
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.5 to 2.1.6 by @​dependabot[bot] in #​239
• chore(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 by @​dependabot[bot] in #​242
• chore(deps): bump google.golang.org/grpc from 1.56.0 to 1.56.1 by @​dependabot[bot] in #​243
• Update GitHub Actions workflows by @​adityasaky in #​246
• chore(deps): bump golang.org/x/sys from 0.9.0 to 0.10.0 by @​dependabot[bot] in #​245
• remove linters that are no longer supported and add to make file by @​pxp928 in #​249
• Add match products feature by @​adityasaky in #​237
• Remove unfinished link on record stop by @​PradyumnaKrishna in #​248
• chore(deps): bump google.golang.org/grpc from 1.56.1 to 1.56.2 by @​dependabot[bot] in #​250
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.6.0 to 0.7.0 by @​dependabot[bot] in #​251
• chore(deps): bump google.golang.org/grpc from 1.56.2 to 1.57.0 by @​dependabot[bot] in #​255
• Add tests for coverage in envelope.go by @​adityasaky in #​256
• chore(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0 by @​dependabot[bot] in #​257
• chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 by @​dependabot[bot] in #​258
• chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @​dependabot[bot] in #​259
• Fixes filepath pattern matching in windows by @​PradyumnaKrishna in #​254
• chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @​dependabot[bot] in #​261
• chore(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @​dependabot[bot] in #​262
• chore(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0 by @​dependabot[bot] in #​263
• chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.58.0 by @​dependabot[bot] in #​264
• chore(deps): bump google.golang.org/grpc from 1.58.0 to 1.58.1 by @​dependabot[bot] in #​266
• Deprecate Provenance v1 struct in favor of /attestation protobufs by @​marcelamelara in #​267
• chore(deps): bump google.golang.org/grpc from 1.58.1 to 1.58.2 by @​dependabot[bot] in #​269
• chore(deps): bump actions/checkout from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​270
• Drop use of any for hash objects by @​adityasaky in #​238
• chore(deps): bump golang.org/x/sys from 0.12.0 to 0.13.0 by @​dependabot[bot] in #​271
• chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @​dependabot[bot] in #​273
• chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 by @​dependabot[bot] in #​272
• chore(deps): bump golang.org/x/net from 0.12.0 to 0.17.0 by @​dependabot[bot] in #​274
• chore(deps): bump google.golang.org/grpc from 1.58.3 to 1.59.0 by @​dependabot[bot] in #​275
• chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 by @​dependabot[bot] in #​276
• Trigger workflow on pushes only to master branch by @​adityasaky in #​280
• chore(deps): bump golang.org/x/sys from 0.13.0 to 0.14.0 by @​dependabot[bot] in #​278
• chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 by @​dependabot[bot] in #​277
• add openssf scorecard by @​viveksahu26 in #​281
• chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @​dependabot[bot] in #​282
• Fix coveralls, use action by @​adityasaky in #​285
• Secure System Lab Sign/Verify by @​Forrin in #​279
• chore(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0 by @​dependabot[bot] in #​287
• chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 by @​dependabot[bot] in #​289
• chore(deps): bump google.golang.org/grpc from 1.59.0 to 1.60.0 by @​dependabot[bot] in #​290
• chore(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @​dependabot[bot] in #​291
• chore(deps): bump google.golang.org/grpc from 1.60.0 to 1.60.1 by @​dependabot[bot] in #​292
• chore(deps): bump github.com/in-toto/attestation from 0.1.1-0.20230828220013-11b7a1a4ca51 to 1.0.1 by @​dependabot[bot] in #​294
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 by @​dependabot[bot] in #​293
• chore(deps): bump golang.org/x/sys from 0.15.0 to 0.16.0 by @​dependabot[bot] in #​295
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 by @​dependabot[bot] in #​296
• chore(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @​dependabot[bot] in #​298
• chore(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0 by @​dependabot[bot] in #​299
• chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 3.7.1 by @​dependabot[bot] in #​300
• chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.61.1 by @​dependabot[bot] in #​301
• chore(deps): bump google.golang.org/grpc from 1.61.1 to 1.62.0 by @​dependabot[bot] in #​302
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @​dependabot[bot] in #​303
• chore(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0 by @​dependabot[bot] in #​304
• chore(deps): bump google.golang.org/grpc from 1.62.0 to 1.62.1 by @​dependabot[bot] in #​305
• chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @​dependabot[bot] in #​306
• chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @​dependabot[bot] in #​307
• chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @​dependabot[bot] in #​308
• chore(deps): bump google.golang.org/grpc from 1.62.1 to 1.63.0 by @​dependabot[bot] in #​310
• chore(deps): bump golang.org/x/sys from 0.18.0 to 0.19.0 by @​dependabot[bot] in #​311
• chore(deps): bump google.golang.org/grpc from 1.63.0 to 1.63.2 by @​dependabot[bot] in #​312
• chore(deps): bump github.com/in-toto/attestation from 1.0.1 to 1.0.2 by @​dependabot[bot] in #​313
• Bump Go versions by @​adityasaky in #​314
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 by @​dependabot[bot] in #​309
• chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 by @​dependabot[bot] in #​317
• chore(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 by @​dependabot[bot] in #​318
• chore(deps): bump golangci/golangci-lint-action from 5.0.0 to 5.1.0 by @​dependabot[bot] in #​319
• chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 by @​dependabot[bot] in #​320
• chore(deps): bump golang.org/x/sys from 0.19.0 to 0.20.0 by @​dependabot[bot] in #​321
• chore(deps): bump golangci/golangci-lint-action from 5.1.0 to 5.3.0 by @​dependabot[bot] in #​322
• chore(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.0 by @​dependabot[bot] in #​324
• chore(deps): bump actions/checkout from 4.1.4 to 4.1.5 by @​dependabot[bot] in #​323
• chore(deps): bump golangci/golangci-lint-action from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​325
• Fix serialization of SLSA BuildMetadata.InvocationID by @​msuozzo in #​328
• chore(deps): bump actions/checkout from 4.1.5 to 4.1.6 by @​dependabot[bot] in #​330
• Added necessary checks for type assertion by @​Yaxhveer in #​327
• chore(deps): bump coverallsapp/github-action from 2.2.3 to 2.3.0 by @​dependabot[bot] in #​326
• chore(deps): bump google.golang.org/grpc from 1.63.2 to 1.64.0 by @​dependabot[bot] in #​329
• chore(deps): bump github.com/in-toto/attestation from 1.0.2 to 1.1.0 by @​dependabot[bot] in #​331
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @​dependabot[bot] in #​337
• chore(deps): bump golang.org/x/sys from 0.20.0 to 0.21.0 by @​dependabot[bot] in #​335
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.2.0 to 2.3.0 by @​dependabot[bot] in #​338
• chore(deps): bump actions/setup-go from 5.0.1 to 5.0.2 by @​dependabot[bot] in #​341
• chore(deps): bump golang.org/x/sys from 0.21.0 to 0.22.0 by @​dependabot[bot] in #​340
• chore(deps): bump actions/checkout from 4.1.6 to 4.1.7 by @​dependabot[bot] in #​336
• chore(deps): bump golang.org/x/sys from 0.22.0 to 0.24.0 by @​dependabot[bot] in #​344
• chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.65.0 by @​dependabot[bot] in #​339
• chore(deps): bump golang.org/x/sys from 0.24.0 to 0.25.0 by @​dependabot[bot] in #​346
• chore(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 by @​dependabot[bot] in #​342
• chore(deps): bump google.golang.org/grpc from 1.65.0 to 1.66.0 by @​dependabot[bot] in #​345
• chore(deps): bump google.golang.org/grpc from 1.66.0 to 1.66.1 by @​dependabot[bot] in #​348
• chore(deps): bump google.golang.org/grpc from 1.66.1 to 1.66.2 by @​dependabot[bot] in #​349
• chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot[bot] in #​351
• chore(deps): bump google.golang.org/grpc from 1.66.2 to 1.67.1 by @​dependabot[bot] in #​352
• chore(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @​dependabot[bot] in #​353
• chore(deps): bump coverallsapp/github-action from 2.3.0 to 2.3.1 by @​dependabot[bot] in #​357
• chore(deps): bump coverallsapp/github-action from 2.3.1 to 2.3.2 by @​dependabot[bot] in #​358
• chore(deps): bump coverallsapp/github-action from 2.3.2 to 2.3.3 by @​dependabot[bot] in #​359
• chore(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by @​dependabot[bot] in #​360
• chore(deps): bump actions/checkout from 4.2.0 to 4.2.2 by @​dependabot[bot] in #​361
• chore(deps): bump coverallsapp/github-action from 2.3.3 to 2.3.4 by @​dependabot[bot] in #​362
• chore(deps): bump golang.org/x/sys from 0.25.0 to 0.27.0 by @​dependabot[bot] in #​364
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.3.0 to 2.4.0 by @​dependabot[bot] in #​354
• Bump versions by @​adityasaky in #​365
• chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot[bot] in #​366
• chore(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0 by @​dependabot[bot] in #​367
• chore(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 by @​dependabot[bot] in #​368
• chore(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @​dependabot[bot] in #​370
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @​dependabot[bot] in #​372
• chore(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0 by @​dependabot[bot] in #​371
• chore(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2 by @​dependabot[bot] in #​373
• chore(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0 by @​dependabot[bot] in #​374
• chore(deps): bump google.golang.org/grpc from 1.69.2 to 1.69.4 by @​dependabot[bot] in #​375
• chore(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 by @​dependabot[bot] in #​376
• chore(deps): bump golang.org/x/net from 0.31.0 to 0.33.0 by @​dependabot[bot] in #​377
• chore(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @​dependabot[bot] in #​378
• chore(deps): bump github.com/in-toto/attestation from 1.1.0 to 1.1.1 by @​dependabot[bot] in #​380
• chore(deps): bump coverallsapp/github-action from 2.3.4 to 2.3.6 by @​dependabot[bot] in #​381
• chore(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 by @​dependabot[bot] in #​379
• chore(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​384
• chore(deps): bump golang.org/x/sys from 0.29.0 to 0.30.0 by @​dependabot[bot] in #​383
• chore(deps): bump golangci/golangci-lint-action from 6.3.0 to 6.3.2 by @​dependabot[bot] in #​386
• chore(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.4.1 by @​dependabot[bot] in #​388
• chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @​dependabot[bot] in #​390
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 by @​dependabot[bot] in #​391
• chore(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 by @​dependabot[bot] in #​392
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.4.0 to 2.5.0 by @​dependabot[bot] in #​382
• chore(deps): bump golangci/golangci-lint-action from 6.4.1 to 6.5.0 by @​dependabot[bot] in #​389
• chore(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0 by @​dependabot[bot] in #​393
• chore(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot[bot] in #​396
• chore(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by @​dependabot[bot] in #​399
• chore: fix some comments by @​dockercui in #​397
• Fix typos by @​co63oc in #​410
• chore(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot[bot] in #​411
• Bump dependencies by @​adityasaky in #​409
• chore(deps): bump google.golang.org/grpc from 1.71.0 to 1.72.1 by @​dependabot[bot] in #​412
• chore(deps): bump golangci/golangci-lint-action from 6.5.1 to 8.0.0 by @​dependabot[bot] in #​407
• chore(deps): bump google.golang.org/grpc from 1.72.1 to 1.72.2 by @​dependabot[bot] in #​413
• chore(deps): bump google.golang.org/grpc from 1.72.2 to 1.73.0 by @​dependabot[bot] in #​414
• chore(deps): bump github.com/in-toto/attestation from 1.1.1 to 1.1.2 by @​dependabot[bot] in #​415
• chore(deps): bump golang.org/x/sys from 0.33.0 to 0.34.0 by @​dependabot[bot] in #​416
• chore(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.2 by @​dependabot[bot] in #​418
• chore(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @​dependabot[bot] in #​440
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.0 to 0.9.1 by @​dependabot[bot] in #​419
• chore(deps): bump golang.org/x/sys from 0.34.0 to 0.39.0 by @​dependabot[bot] in #​445
• chore(deps): bump google.golang.org/grpc from 1.74.2 to 1.78.0 by @​dependabot[bot] in #​446
• Modernize CI and automation by @​adityasaky in #​447
• chore(deps): bump the all group with 3 updates by @​dependabot[bot] in #​449
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.1 to 0.10.0 by @​dependabot[bot] in #​448
• chore(deps): bump golang.org/x/sys from 0.39.0 to 0.40.0 in the all group by @​dependabot[bot] in #​450

New Contributors

• @​PradyumnaKrishna made their first contribution in #​248
• @​marcelamelara made their first contribution in #​267
• @​viveksahu26 made their first contribution in #​281
• @​Forrin made their first contribution in #​279
• @​msuozzo made their first contribution in #​328
• @​Yaxhveer made their first contribution in #​327
• @​dockercui made their first contribution in #​397
• @​co63oc made their first contribution in #​410

Full Changelog: in-toto/in-toto-golang@v0.9.0...v0.10.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 4am"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 22 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.23.2 -> 1.24.0
github.com/google/go-cmp	v0.6.0 -> v0.7.0
github.com/secure-systems-lab/go-securesystemslib	v0.9.0 -> v0.10.0
github.com/in-toto/attestation	v1.1.0 -> v1.1.2
github.com/spf13/cobra	v1.8.1 -> v1.10.2
golang.org/x/mod	v0.25.0 -> v0.30.0
github.com/go-jose/go-jose/v4	v4.0.5 -> v4.1.4
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/otel/metric	v1.33.0 -> v1.39.0
google.golang.org/genproto/googleapis/api	v0.0.0-20241209162323-e6fa225c2576 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250102185135-69823020774d -> v0.0.0-20251222181119-0a764e51fe1b
github.com/go-logr/logr	v1.4.2 -> v1.4.3
github.com/spf13/pflag	v1.0.5 -> v1.0.10
go.opentelemetry.io/otel	v1.33.0 -> v1.39.0
go.opentelemetry.io/otel/trace	v1.33.0 -> v1.39.0
golang.org/x/crypto	v0.36.0 -> v0.46.0
golang.org/x/net	v0.38.0 -> v0.48.0
golang.org/x/sync	v0.15.0 -> v0.19.0
golang.org/x/sys	v0.31.0 -> v0.41.0
golang.org/x/term	v0.30.0 -> v0.38.0
golang.org/x/text	v0.23.0 -> v0.32.0
google.golang.org/grpc	v1.69.4 -> v1.79.3
google.golang.org/protobuf	v1.36.3 -> v1.36.11