GHSA-pmwq-pjrm-6p5r: in-toto-golang and in-toto-python have inconsistent negation behavior
What kind of vulnerability is it? Who is impacted?
in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate which artifacts a rule applies to. Both support negated character classes (a class that matches any single character not listed in it), but they use different operators to express the negation: in-toto-python uses "!" (as in [!abc]) while in-toto-golang uses "^" (as in [^abc]). Since a character that is not the negation operator is simply another member of the class, [!abc] under in-toto-golang and [^abc] under in-toto-python each match only the literal characters "!" or "^" and a, b, c, rather than excluding a, b, c. A layout authored with the expectations of one implementation can therefore match a different set of artifacts, and so pass or fail different rules, when verified by the other implementation.
This impacts users in a specific set of circumstances where two different implementations are used to verify the same layout + attestation bundle at different stages of the same pipeline. As a rule of thumb, we advise using a single implementation across all aspects of a pipeline, from layout creation to pipeline execution and verification to prevent this class of bugs.
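The following is an added example, not code from in-toto-golang or in-toto-python. It shows the divergence concretely by evaluating the same two patterns with Python's fnmatch module (the "!" dialect described above, which is what in-toto-python's matching is built on) and then walks a constructed in-toto layout to flag every artifact rule whose pattern contains a negated character class of either dialect, which is the check you would run before handing a layout to a pipeline that might verify it with more than one implementation. The layout JSON, the step names, and the function names are all my own for this example; the only dialect assumption is that "[!...]" is the Python form and "[^...]" is the Go form, as the advisory states.

```python
"""Lint in-toto artifact rules for character-class negations whose meaning
depends on which in-toto implementation evaluates the layout (added example,
not in-toto project code)."""
import fnmatch
import json
import re

# A character class that opens with the negation operator of either dialect:
# "!" (Python fnmatch) or "^" (Go filepath.Match style). The trailing "]" is
# required so a stray "[" in a path does not trigger a finding.
_NEGATED_CLASS = re.compile(r"\[[!^][^\]]*\]")

# Artifact rule keywords whose second element is a glob pattern.
_RULE_TYPES = {"MATCH", "CREATE", "DELETE", "MODIFY", "ALLOW", "DISALLOW", "REQUIRE"}


def python_matches(pattern: str, path: str) -> bool:
    """Evaluate a pattern with fnmatch semantics: "[!...]" negates, while
    "[^...]" is an ordinary class that contains "^" as a literal member.
    fnmatchcase is used so the result does not depend on the host OS."""
    return fnmatch.fnmatchcase(path, pattern)


def negation_dialect(pattern: str):
    """Return "python", "go" or None depending on which negation operator a
    pattern uses; a pattern that uses both is reported as "mixed"."""
    dialects = set()
    for m in _NEGATED_CLASS.finditer(pattern):
        dialects.add("python" if m.group(0)[1] == "!" else "go")
    if not dialects:
        return None
    return "mixed" if len(dialects) == 2 else dialects.pop()


def find_dialect_dependent_rules(layout: dict):
    """Walk every step's expected_materials/expected_products and return
    (step, field, pattern, dialect) for each rule whose pattern contains a
    negated character class, i.e. a rule whose meaning changes between
    in-toto-python and in-toto-golang."""
    findings = []
    for step in layout.get("steps", []):
        for field in ("expected_materials", "expected_products"):
            for rule in step.get(field, []):
                if len(rule) < 2 or str(rule[0]).upper() not in _RULE_TYPES:
                    continue
                pattern = rule[1]
                dialect = negation_dialect(pattern)
                if dialect:
                    findings.append((step["name"], field, pattern, dialect))
    return findings


# Constructed sample layout (not a real project layout). The "build" step was
# written against the Python dialect and the "package" step against the Go
# dialect; both authors meant "any tarball whose name does not start with t".
SAMPLE_LAYOUT = json.loads("""
{
  "_type": "layout",
  "steps": [
    {
      "name": "build",
      "expected_materials": [["MATCH", "src/*", "WITH", "PRODUCTS", "FROM", "checkout"],
                             ["DISALLOW", "*"]],
      "expected_products": [["CREATE", "dist/[!t]*.tar.gz"], ["DISALLOW", "*"]]
    },
    {
      "name": "package",
      "expected_materials": [["MATCH", "dist/[^t]*.tar.gz", "WITH", "PRODUCTS", "FROM", "build"],
                             ["DISALLOW", "*"]],
      "expected_products": [["ALLOW", "*.deb"], ["DISALLOW", "*"]]
    }
  ]
}
""")


def demo():
    # Same intent, two dialects: under fnmatch the "^" form stops excluding
    # "t" and instead accepts only names starting with "^" or "t".
    for pattern in ("dist/[!t]*.tar.gz", "dist/[^t]*.tar.gz"):
        for path in ("dist/app.tar.gz", "dist/tests.tar.gz", "dist/^.tar.gz"):
            print(f"{pattern:20} {path:20} python={python_matches(pattern, path)}")
    for finding in find_dialect_dependent_rules(SAMPLE_LAYOUT):
        print("dialect-dependent rule:", finding)


if __name__ == "__main__":
    demo()
```

Running the block shows that "dist/[!t]*.tar.gz" accepts dist/app.tar.gz and rejects dist/tests.tar.gz under fnmatch, while "dist/[^t]*.tar.gz" does the opposite, and the lint reports both the "build" and "package" rules. A finding of "go" in a layout that in-toto-python will verify, or "python" in one that in-toto-golang will verify, is exactly the situation the advisory warns about; rewriting the pattern without a negated class, or pinning one implementation for the whole pipeline, removes the ambiguity.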