awslabs / goformation

GoFormation is a Go library for working with CloudFormation templates.
Apache License 2.0
841 stars 197 forks

Vulnerability CVE-2022-3064 #534

Closed hiltol closed 1 year ago

hiltol commented 1 year ago

Hi, our scans detected https://github.com/advisories/GHSA-6q6q-88xp-6f2r in the github.com/sanathkr/go-yaml module which hasn't been updated in 5 years. The suggested fix is to upgrade to go-yaml > 2.2.4.

rubenfonseca commented 1 year ago

Thank you for your message. As far as I understand, we're not using go-yaml <= 2.2.4. Please feel free to re-open if you disagree.

balazs-marjan commented 1 year ago

Hi, @rubenfonseca

So this dependency of yours, github.com/sanathkr/go-yaml, is actually an old fork of the go-yaml library, right? Some scanning tools, like https://www.mend.io/'s solution, can detect forks like this.

The concern is obvious, any vulnerability found in the original library since the time of the fork remains unaddressed.
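The fork problem described in the comment above is easy to miss with tooling that keys advisories on the module path: a fork such as github.com/sanathkr/go-yaml never matches an advisory written against gopkg.in/yaml.v2, so the vulnerable version check silently passes. As an added example, not code from the goformation project or from anyone in this thread, the following Go program scans a constructed go.mod excerpt and raises two kinds of findings: a known upstream module below the fixed version named in the report (the ">2.2.4" from the issue is treated as "at least v2.2.4", an assumption), and a module whose name matches a known upstream but whose path does not, which is the fork heuristic. The upstream table, the heuristic, the sample go.mod and its placeholder version strings are all assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one entry from a go.mod "require" directive.
type Requirement struct {
	Path    string
	Version string
}

// Finding is one requirement a path-keyed scanner would otherwise miss or flag.
type Finding struct {
	Module  string
	Version string
	Reason  string
}

// upstream lists the module paths an advisory is written against plus the
// last path elements forks tend to keep. Assumption for this example: the
// go-yaml fix referenced in the issue is treated as present from v2.2.4 on.
type upstream struct {
	names     []string
	canonical []string
	fixedIn   string
}

var knownUpstreams = []upstream{
	{names: []string{"go-yaml", "yaml"},
		canonical: []string{"gopkg.in/yaml.v2", "github.com/go-yaml/yaml"},
		fixedIn:   "v2.2.4"},
}

// sampleGoMod is a constructed go.mod excerpt; the version strings are placeholders.
const sampleGoMod = `module github.com/example/app

go 1.19

require (
	github.com/sanathkr/go-yaml v0.0.0-20170101000000-000000000000 // fork, no upstream path
	github.com/stretchr/testify v1.8.0
	gopkg.in/yaml.v2 v2.2.2
)
`

// parseRequires handles both single-line and block "require" directives.
func parseRequires(goMod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				reqs = append(reqs, Requirement{f[0], f[1]})
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				reqs = append(reqs, Requirement{f[1], f[2]})
			}
		}
	}
	return reqs
}

// isMajorSuffix reports whether s looks like a Go major-version suffix ("v2").
func isMajorSuffix(s string) bool {
	if len(s) < 2 || s[0] != 'v' {
		return false
	}
	_, err := strconv.Atoi(s[1:])
	return err == nil
}

// baseName returns the repository-style name of a module path with any
// "/vN" or ".vN" major-version suffix removed (gopkg.in/yaml.v2 -> "yaml").
func baseName(modPath string) string {
	parts := strings.Split(modPath, "/")
	last := parts[len(parts)-1]
	if isMajorSuffix(last) && len(parts) > 1 {
		last = parts[len(parts)-2]
	}
	if i := strings.LastIndex(last, ".v"); i > 0 && isMajorSuffix(last[i+1:]) {
		last = last[:i]
	}
	return last
}

// numericParts extracts MAJOR.MINOR.PATCH, ignoring pre-release or pseudo-version suffixes.
func numericParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s)
		out[i] = n
	}
	return out
}

// versionLess reports whether semantic version a is older than b.
func versionLess(a, b string) bool {
	pa, pb := numericParts(a), numericParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// checkRequirements flags canonical modules below the fixed version and
// suspected forks, which carry no version information a database could match.
func checkRequirements(reqs []Requirement) []Finding {
	var findings []Finding
	for _, r := range reqs {
		name := baseName(r.Path)
		for _, u := range knownUpstreams {
			if !contains(u.names, name) {
				continue
			}
			if contains(u.canonical, r.Path) {
				if versionLess(r.Version, u.fixedIn) {
					findings = append(findings, Finding{r.Path, r.Version, "below fixed version " + u.fixedIn})
				}
				continue
			}
			findings = append(findings, Finding{r.Path, r.Version,
				"suspected fork of " + u.canonical[0] + "; fixes from " + u.fixedIn + " may be missing, audit manually"})
		}
	}
	return findings
}

func main() {
	for _, f := range checkRequirements(parseRequires(sampleGoMod)) {
		fmt.Printf("%s %s: %s\n", f.Module, f.Version, f.Reason)
	}
}
```

The name-based heuristic is deliberately loose (any module ending in "yaml" would match), so its output is a review queue, not a verdict; the point it makes is that a fork's pseudo-version carries no information a version-range advisory can be matched against, which is why an upstream fix can sit unapplied for years without any scanner complaining.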

hiltol commented 1 year ago

Hi @rubenfonseca thanks for the follow-up. This mod https://github.com/awslabs/goformation/blob/master/go.mod#L6 is a fork of go-yaml which contains the vulnerability. I don't seem to have permissions to re-open the issue. Could you re-open?

hiltol commented 1 year ago

Thank you!