Update module github.com/in-toto/in-toto-golang to v0.11.0 [SECURITY] (release-v0.6)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/in-toto/in-toto-golang	v0.9.0 → v0.11.0

---

in-toto-golang and in-toto-python have inconsistent negation behavior

GHSA-pmwq-pjrm-6p5r

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negations in character classes to indicate what should not be matched, but they used different operators to indicate the negation. in-toto-python uses ! while in-toto-golang used ^. A layout authored with the expectations of one implementation can therefore exhibit different behavior in the other implementation.

This impacts users in a specific set of circumstances where two different implementations are used to verify the same layout + attestation bundle at different stages of the same pipeline. As a rule of thumb, we advise using a single implementation across all aspects of a pipeline, from layout creation to pipeline execution and verification to prevent this class of bugs.

Patches

Has the problem been patched? What versions should users upgrade to?

in-toto-golang has been updated to use ! instead of ^ to indicate negation. See https://github.com/in-toto/in-toto-golang/pull/462. This is part of v0.11.0.

Severity

• CVSS Score: 4.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-pmwq-pjrm-6p5r
• https://github.com/in-toto/in-toto-golang/pull/462
• https://github.com/in-toto/in-toto-golang/commit/36d782ffb2ca3adbffcdce1fd971c23319dd4469
• https://github.com/advisories/GHSA-pmwq-pjrm-6p5r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

in-toto/in-toto-golang (github.com/in-toto/in-toto-golang)

v0.11.0

Compare Source

What's Changed

• chore(deps): bump the all group with 2 updates by @​dependabot[bot] in #​453
• chore(deps): bump the all group across 1 directory with 2 updates by @​dependabot[bot] in #​452
• chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 by @​dependabot[bot] in #​457
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @​dependabot[bot] in #​459
• match: Replace ^ with ! for negation in character classes by @​adityasaky in #​462

Full Changelog: in-toto/in-toto-golang@v0.10.0...v0.11.0

v0.10.0

Compare Source

What's Changed

• chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 by @​dependabot[bot] in #​232
• Update maintainers and governance by @​adityasaky in #​233
• chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 by @​dependabot[bot] in #​234
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.3 to 2.1.5 by @​dependabot[bot] in #​235
• chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 by @​dependabot[bot] in #​236
• Fix expired signature in test by @​adityasaky in #​241
• chore(deps): bump golang.org/x/sys from 0.8.0 to 0.9.0 by @​dependabot[bot] in #​240
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.5 to 2.1.6 by @​dependabot[bot] in #​239
• chore(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 by @​dependabot[bot] in #​242
• chore(deps): bump google.golang.org/grpc from 1.56.0 to 1.56.1 by @​dependabot[bot] in #​243
• Update GitHub Actions workflows by @​adityasaky in #​246
• chore(deps): bump golang.org/x/sys from 0.9.0 to 0.10.0 by @​dependabot[bot] in #​245
• remove linters that are no longer supported and add to make file by @​pxp928 in #​249
• Add match products feature by @​adityasaky in #​237
• Remove unfinished link on record stop by @​PradyumnaKrishna in #​248
• chore(deps): bump google.golang.org/grpc from 1.56.1 to 1.56.2 by @​dependabot[bot] in #​250
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.6.0 to 0.7.0 by @​dependabot[bot] in #​251
• chore(deps): bump google.golang.org/grpc from 1.56.2 to 1.57.0 by @​dependabot[bot] in #​255
• Add tests for coverage in envelope.go by @​adityasaky in #​256
• chore(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0 by @​dependabot[bot] in #​257
• chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 by @​dependabot[bot] in #​258
• chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @​dependabot[bot] in #​259
• Fixes filepath pattern matching in windows by @​PradyumnaKrishna in #​254
• chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @​dependabot[bot] in #​261
• chore(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @​dependabot[bot] in #​262
• chore(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0 by @​dependabot[bot] in #​263
• chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.58.0 by @​dependabot[bot] in #​264
• chore(deps): bump google.golang.org/grpc from 1.58.0 to 1.58.1 by @​dependabot[bot] in #​266
• Deprecate Provenance v1 struct in favor of /attestation protobufs by @​marcelamelara in #​267
• chore(deps): bump google.golang.org/grpc from 1.58.1 to 1.58.2 by @​dependabot[bot] in #​269
• chore(deps): bump actions/checkout from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​270
• Drop use of any for hash objects by @​adityasaky in #​238
• chore(deps): bump golang.org/x/sys from 0.12.0 to 0.13.0 by @​dependabot[bot] in #​271
• chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @​dependabot[bot] in #​273
• chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 by @​dependabot[bot] in #​272
• chore(deps): bump golang.org/x/net from 0.12.0 to 0.17.0 by @​dependabot[bot] in #​274
• chore(deps): bump google.golang.org/grpc from 1.58.3 to 1.59.0 by @​dependabot[bot] in #​275
• chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 by @​dependabot[bot] in #​276
• Trigger workflow on pushes only to master branch by @​adityasaky in #​280
• chore(deps): bump golang.org/x/sys from 0.13.0 to 0.14.0 by @​dependabot[bot] in #​278
• chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 by @​dependabot[bot] in #​277
• add openssf scorecard by @​viveksahu26 in #​281
• chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @​dependabot[bot] in #​282
• Fix coveralls, use action by @​adityasaky in #​285
• Secure System Lab Sign/Verify by @​Forrin in #​279
• chore(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0 by @​dependabot[bot] in #​287
• chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 by @​dependabot[bot] in #​289
• chore(deps): bump google.golang.org/grpc from 1.59.0 to 1.60.0 by @​dependabot[bot] in #​290
• chore(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @​dependabot[bot] in #​291
• chore(deps): bump google.golang.org/grpc from 1.60.0 to 1.60.1 by @​dependabot[bot] in #​292
• chore(deps): bump github.com/in-toto/attestation from 0.1.1-0.20230828220013-11b7a1a4ca51 to 1.0.1 by @​dependabot[bot] in #​294
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 by @​dependabot[bot] in #​293
• chore(deps): bump golang.org/x/sys from 0.15.0 to 0.16.0 by @​dependabot[bot] in #​295
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 by @​dependabot[bot] in #​296
• chore(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @​dependabot[bot] in #​298
• chore(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0 by @​dependabot[bot] in #​299
• chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 3.7.1 by @​dependabot[bot] in #​300
• chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.61.1 by @​dependabot[bot] in #​301
• chore(deps): bump google.golang.org/grpc from 1.61.1 to 1.62.0 by @​dependabot[bot] in #​302
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @​dependabot[bot] in #​303
• chore(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0 by @​dependabot[bot] in #​304
• chore(deps): bump google.golang.org/grpc from 1.62.0 to 1.62.1 by @​dependabot[bot] in #​305
• chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @​dependabot[bot] in #​306
• chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @​dependabot[bot] in #​307
• chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @​dependabot[bot] in #​308
• chore(deps): bump google.golang.org/grpc from 1.62.1 to 1.63.0 by @​dependabot[bot] in #​310
• chore(deps): bump golang.org/x/sys from 0.18.0 to 0.19.0 by @​dependabot[bot] in #​311
• chore(deps): bump google.golang.org/grpc from 1.63.0 to 1.63.2 by @​dependabot[bot] in #​312
• chore(deps): bump github.com/in-toto/attestation from 1.0.1 to 1.0.2 by @​dependabot[bot] in #​313
• Bump Go versions by @​adityasaky in #​314
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 by @​dependabot[bot] in #​309
• chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 by @​dependabot[bot] in #​317
• chore(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 by @​dependabot[bot] in #​318
• chore(deps): bump golangci/golangci-lint-action from 5.0.0 to 5.1.0 by @​dependabot[bot] in #​319
• chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 by @​dependabot[bot] in #​320
• chore(deps): bump golang.org/x/sys from 0.19.0 to 0.20.0 by @​dependabot[bot] in #​321
• chore(deps): bump golangci/golangci-lint-action from 5.1.0 to 5.3.0 by @​dependabot[bot] in #​322
• chore(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.0 by @​dependabot[bot] in #​324
• chore(deps): bump actions/checkout from 4.1.4 to 4.1.5 by @​dependabot[bot] in #​323
• chore(deps): bump golangci/golangci-lint-action from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​325
• Fix serialization of SLSA BuildMetadata.InvocationID by @​msuozzo in #​328
• chore(deps): bump actions/checkout from 4.1.5 to 4.1.6 by @​dependabot[bot] in #​330
• Added necessary checks for type assertion by @​Yaxhveer in #​327
• chore(deps): bump coverallsapp/github-action from 2.2.3 to 2.3.0 by @​dependabot[bot] in #​326
• chore(deps): bump google.golang.org/grpc from 1.63.2 to 1.64.0 by @​dependabot[bot] in #​329
• chore(deps): bump github.com/in-toto/attestation from 1.0.2 to 1.1.0 by @​dependabot[bot] in #​331
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @​dependabot[bot] in #​337
• chore(deps): bump golang.org/x/sys from 0.20.0 to 0.21.0 by @​dependabot[bot] in #​335
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.2.0 to 2.3.0 by @​dependabot[bot] in #​338
• chore(deps): bump actions/setup-go from 5.0.1 to 5.0.2 by @​dependabot[bot] in #​341
• chore(deps): bump golang.org/x/sys from 0.21.0 to 0.22.0 by @​dependabot[bot] in #​340
• chore(deps): bump actions/checkout from 4.1.6 to 4.1.7 by @​dependabot[bot] in #​336
• chore(deps): bump golang.org/x/sys from 0.22.0 to 0.24.0 by @​dependabot[bot] in #​344
• chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.65.0 by @​dependabot[bot] in #​339
• chore(deps): bump golang.org/x/sys from 0.24.0 to 0.25.0 by @​dependabot[bot] in #​346
• chore(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 by @​dependabot[bot] in #​342
• chore(deps): bump google.golang.org/grpc from 1.65.0 to 1.66.0 by @​dependabot[bot] in #​345
• chore(deps): bump google.golang.org/grpc from 1.66.0 to 1.66.1 by @​dependabot[bot] in #​348
• chore(deps): bump google.golang.org/grpc from 1.66.1 to 1.66.2 by @​dependabot[bot] in #​349
• chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot[bot] in #​351
• chore(deps): bump google.golang.org/grpc from 1.66.2 to 1.67.1 by @​dependabot[bot] in #​352
• chore(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @​dependabot[bot] in #​353
• chore(deps): bump coverallsapp/github-action from 2.3.0 to 2.3.1 by @​dependabot[bot] in #​357
• chore(deps): bump coverallsapp/github-action from 2.3.1 to 2.3.2 by @​dependabot[bot] in #​358
• chore(deps): bump coverallsapp/github-action from 2.3.2 to 2.3.3 by @​dependabot[bot] in #​359
• chore(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by @​dependabot[bot] in #​360
• chore(deps): bump actions/checkout from 4.2.0 to 4.2.2 by @​dependabot[bot] in #​361
• chore(deps): bump coverallsapp/github-action from 2.3.3 to 2.3.4 by @​dependabot[bot] in #​362
• chore(deps): bump golang.org/x/sys from 0.25.0 to 0.27.0 by @​dependabot[bot] in #​364
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.3.0 to 2.4.0 by @​dependabot[bot] in #​354
• Bump versions by @​adityasaky in #​365
• chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot[bot] in #​366
• chore(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0 by @​dependabot[bot] in #​367
• chore(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 by @​dependabot[bot] in #​368
• chore(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @​dependabot[bot] in #​370
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @​dependabot[bot] in #​372
• chore(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0 by @​dependabot[bot] in #​371
• chore(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2 by @​dependabot[bot] in #​373
• chore(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0 by @​dependabot[bot] in #​374
• chore(deps): bump google.golang.org/grpc from 1.69.2 to 1.69.4 by @​dependabot[bot] in #​375
• chore(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 by @​dependabot[bot] in #​376
• chore(deps): bump golang.org/x/net from 0.31.0 to 0.33.0 by @​dependabot[bot] in #​377
• chore(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @​dependabot[bot] in #​378
• chore(deps): bump github.com/in-toto/attestation from 1.1.0 to 1.1.1 by @​dependabot[bot] in #​380
• chore(deps): bump coverallsapp/github-action from 2.3.4 to 2.3.6 by @​dependabot[bot] in #​381
• chore(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 by @​dependabot[bot] in #​379
• chore(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​384
• chore(deps): bump golang.org/x/sys from 0.29.0 to 0.30.0 by @​dependabot[bot] in #​383
• chore(deps): bump golangci/golangci-lint-action from 6.3.0 to 6.3.2 by @​dependabot[bot] in #​386
• chore(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.4.1 by @​dependabot[bot] in #​388
• chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @​dependabot[bot] in #​390
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 by @​dependabot[bot] in #​391
• chore(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 by @​dependabot[bot] in #​392
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.4.0 to 2.5.0 by @​dependabot[bot] in #​382
• chore(deps): bump golangci/golangci-lint-action from 6.4.1 to 6.5.0 by @​dependabot[bot] in #​389
• chore(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0 by @​dependabot[bot] in #​393
• chore(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot[bot] in #​396
• chore(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by @​dependabot[bot] in #​399
• chore: fix some comments by @​dockercui in #​397
• Fix typos by @​co63oc in #​410
• chore(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot[bot] in #​411
• Bump dependencies by @​adityasaky in #​409
• chore(deps): bump google.golang.org/grpc from 1.71.0 to 1.72.1 by @​dependabot[bot] in #​412
• chore(deps): bump golangci/golangci-lint-action from 6.5.1 to 8.0.0 by @​dependabot[bot] in #​407
• chore(deps): bump google.golang.org/grpc from 1.72.1 to 1.72.2 by @​dependabot[bot] in #​413
• chore(deps): bump google.golang.org/grpc from 1.72.2 to 1.73.0 by @​dependabot[bot] in #​414
• chore(deps): bump github.com/in-toto/attestation from 1.1.1 to 1.1.2 by @​dependabot[bot] in #​415
• chore(deps): bump golang.org/x/sys from 0.33.0 to 0.34.0 by @​dependabot[bot] in #​416
• chore(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.2 by @​dependabot[bot] in #​418
• chore(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @​dependabot[bot] in #​440
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.0 to 0.9.1 by @​dependabot[bot] in #​419
• chore(deps): bump golang.org/x/sys from 0.34.0 to 0.39.0 by @​dependabot[bot] in #​445
• chore(deps): bump google.golang.org/grpc from 1.74.2 to 1.78.0 by @​dependabot[bot] in #​446
• Modernize CI and automation by @​adityasaky in #​447
• chore(deps): bump the all group with 3 updates by @​dependabot[bot] in #​449
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.1 to 0.10.0 by @​dependabot[bot] in #​448
• chore(deps): bump golang.org/x/sys from 0.39.0 to 0.40.0 in the all group by @​dependabot[bot] in #​450

New Contributors

• @​PradyumnaKrishna made their first contribution in #​248
• @​marcelamelara made their first contribution in #​267
• @​viveksahu26 made their first contribution in #​281
• @​Forrin made their first contribution in #​279
• @​msuozzo made their first contribution in #​328
• @​Yaxhveer made their first contribution in #​327
• @​dockercui made their first contribution in #​397
• @​co63oc made their first contribution in #​410

Full Changelog: in-toto/in-toto-golang@v0.9.0...v0.10.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
github.com/secure-systems-lab/go-securesystemslib	v0.9.0 -> v0.10.0
github.com/spf13/cobra	v1.9.1 -> v1.10.2
github.com/spf13/pflag	v1.0.6 -> v1.0.10
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20251222181119-0a764e51fe1b
google.golang.org/protobuf	v1.36.10 -> v1.36.11

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
generative	70.92% <ø> (ø)
integration	70.92% <ø> (ø)
unit	70.92% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v0.11.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.