search

openzipkin / zipkin-go

Zipkin distributed tracing library for go.
Apache License 2.0
612 stars 114 forks source link

Vulnerable Dependency - gopkg.in/yaml.v2 #211

Closed 42shadow42 closed 1 year ago

42shadow42 commented 2 years ago

Our scanning tools have picked up a vulnerability in the zipkin dependency version we are using 0.4.0. In order to resolve this vulnerability we need to eliminate the following dependencies from the zipkin dependency tree.

gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

https://www.mend.io/vulnerability-database/CVE-2022-28948

basvanbeek commented 1 year ago

fixed in release 0.4.2