Skip to content

Update module github.com/in-toto/in-toto-golang to v0.11.0 [SECURITY] (main)#3292

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-go-github.com-in-toto-in-toto-golang-vulnerability
Open

Update module github.com/in-toto/in-toto-golang to v0.11.0 [SECURITY] (main)#3292
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-go-github.com-in-toto-in-toto-golang-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 11, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/in-toto/in-toto-golang v0.10.0v0.11.0 age adoption passing confidence

in-toto-golang and in-toto-python have inconsistent negation behavior

GHSA-pmwq-pjrm-6p5r

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negations in character classes to indicate what should not be matched, but they used different operators to indicate the negation. in-toto-python uses ! while in-toto-golang used ^. A layout authored with the expectations of one implementation can therefore exhibit different behavior in the other implementation.

This impacts users in a specific set of circumstances where two different implementations are used to verify the same layout + attestation bundle at different stages of the same pipeline. As a rule of thumb, we advise using a single implementation across all aspects of a pipeline, from layout creation to pipeline execution and verification to prevent this class of bugs.

Patches

Has the problem been patched? What versions should users upgrade to?

in-toto-golang has been updated to use ! instead of ^ to indicate negation. See https://github.com/in-toto/in-toto-golang/pull/462. This is part of v0.11.0.

Severity

  • CVSS Score: 4.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

in-toto/in-toto-golang (github.com/in-toto/in-toto-golang)

v0.11.0

Compare Source

What's Changed

Full Changelog: in-toto/in-toto-golang@v0.10.0...v0.11.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov

codecov Bot commented May 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 53.45% <ø> (+<0.01%) ⬆️
generative 16.79% <ø> (ø)
integration 27.66% <ø> (ø)
unit 69.13% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate renovate Bot force-pushed the renovate/main-go-github.com-in-toto-in-toto-golang-vulnerability branch from 87277ad to 9259afc Compare May 18, 2026 10:40
@renovate renovate Bot force-pushed the renovate/main-go-github.com-in-toto-in-toto-golang-vulnerability branch 2 times, most recently from ab36fb9 to 302a9ba Compare May 28, 2026 17:45
@renovate renovate Bot force-pushed the renovate/main-go-github.com-in-toto-in-toto-golang-vulnerability branch from 302a9ba to 28f250b Compare June 26, 2026 20:27
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:30 PM UTC · Completed 8:37 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

Review

Findings

Medium

  • [Incomplete dependency update] tools/go.mod:334 — The tools/go.mod still pins github.com/in-toto/in-toto-golang at v0.10.0 (indirect dependency). This PR updates the library to v0.11.0 in go.mod and acceptance/go.mod to address GHSA-pmwq-pjrm-6p5r, but misses the tools/go.mod module. While it is an indirect dependency in a tooling-only module, leaving the vulnerable version in place partially undermines the security intent of this PR and creates an inconsistency across modules.
    Remediation: Run go get github.com/in-toto/in-toto-golang@v0.11.0 in the tools/ directory and update tools/go.sum accordingly.

Labels: PR is a security-motivated dependency update for Go modules

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code main renovate requires-manual-review Review requires human judgment size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants