Update module github.com/in-toto/in-toto-golang to v0.11.0 [SECURITY] (release-v0.7)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/in-toto/in-toto-golang	v0.10.0 → v0.11.0

---

in-toto-golang and in-toto-python have inconsistent negation behavior

GHSA-pmwq-pjrm-6p5r

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negations in character classes to indicate what should not be matched, but they used different operators to indicate the negation. in-toto-python uses ! while in-toto-golang used ^. A layout authored with the expectations of one implementation can therefore exhibit different behavior in the other implementation.

This impacts users in a specific set of circumstances where two different implementations are used to verify the same layout + attestation bundle at different stages of the same pipeline. As a rule of thumb, we advise using a single implementation across all aspects of a pipeline, from layout creation to pipeline execution and verification to prevent this class of bugs.

Patches

Has the problem been patched? What versions should users upgrade to?

in-toto-golang has been updated to use ! instead of ^ to indicate negation. See https://github.com/in-toto/in-toto-golang/pull/462. This is part of v0.11.0.

Severity

• CVSS Score: 4.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-pmwq-pjrm-6p5r
• https://github.com/in-toto/in-toto-golang/pull/462
• https://github.com/in-toto/in-toto-golang/commit/36d782ffb2ca3adbffcdce1fd971c23319dd4469
• https://github.com/advisories/GHSA-pmwq-pjrm-6p5r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

in-toto/in-toto-golang (github.com/in-toto/in-toto-golang)

v0.11.0

Compare Source

What's Changed

• chore(deps): bump the all group with 2 updates by @​dependabot[bot] in #​453
• chore(deps): bump the all group across 1 directory with 2 updates by @​dependabot[bot] in #​452
• chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 by @​dependabot[bot] in #​457
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @​dependabot[bot] in #​459
• match: Replace ^ with ! for negation in character classes by @​adityasaky in #​462

Full Changelog: in-toto/in-toto-golang@v0.10.0...v0.11.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
generative	69.55% <ø> (ø)
integration	69.55% <ø> (ø)
unit	69.55% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.