Open mcramer-billgo opened 3 weeks ago
PR to address is here: https://github.com/sirupsen/logrus/pull/1435

Running into CI runner issues where the installed version of Go is pinned to 1.13 in the Windows runner, causing AppVeyor to fail the build.
- gopkg.in/yaml.v3 v3.0.0 (fixed in v3.0.1): via github.com/stretchr/testify/assert and github.com/stretchr/testify/require, ONLY in its test suite
- github.com/stretchr/testify/assert uses gopkg.in/yaml.v3 only for YAMLEq and YAMLEqf, which the logrus test suite doesn't use
- github.com/stretchr/testify now has a build tag that allows one to stop linking with gopkg.in/yaml.v3. See stretchr/testify#1579 (not yet available in a published release, but the build tag can be enabled here right now for a future upgrade).

So this is not at all "2 High severity vulnerabilities". This issue can be closed as irrelevant.

Disclaimer: I'm one of the Testify co-maintainers.
To resolve the following High Sev vulnerabilities, update go.mod to use github.com/stretchr/testify v1.9.0 instead of github.com/stretchr/testify v1.7.0.

Snyk test output before:

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: github.com/stretchr/testify/require@1.7.0
  From: github.com/stretchr/testify/require@1.7.0 > github.com/stretchr/testify/assert@1.7.0 > gopkg.in/yaml.v3@#9f266ea9e77c
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: github.com/stretchr/testify/require@1.7.0
  From: github.com/stretchr/testify/require@1.7.0 > github.com/stretchr/testify/assert@1.7.0 > gopkg.in/yaml.v3@#9f266ea9e77c
  Fixed in: 3.0.1

Snyk test output after:

✔ Tested 6 dependencies for known issues, no vulnerable paths found.
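The "From:" chain in the scanner output above is derived from the module requirement graph. As an added example (not code from the logrus or testify projects, and not Snyk's implementation), the Go program below rebuilds such a chain from `go mod graph` style output and checks the reached version against the fixed version. The module `github.com/example/app`, every version in `SampleGraph`, and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SampleGraph is a constructed, abbreviated imitation of `go mod graph` output
// for a hypothetical module github.com/example/app. It is not real logrus output.
const SampleGraph = `github.com/example/app github.com/sirupsen/logrus@v1.9.3
github.com/example/app github.com/stretchr/testify@v1.7.0
github.com/sirupsen/logrus@v1.9.3 github.com/stretchr/testify@v1.7.0
github.com/sirupsen/logrus@v1.9.3 golang.org/x/sys@v0.0.0-20220715151400-c0bba94af5f8
github.com/stretchr/testify@v1.7.0 github.com/davecgh/go-spew@v1.1.0
github.com/stretchr/testify@v1.7.0 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/testify@v1.7.0 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c
`

// ParseModGraph turns "parent child" lines into an adjacency list, keeping edge order.
func ParseModGraph(text string) map[string][]string {
	graph := make(map[string][]string)
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// SplitModule separates "path@version" into module path and version.
// The root module carries no version suffix.
func SplitModule(node string) (path, version string) {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// FindPath runs a breadth-first search from root and returns the shortest
// requirement chain ending at any version of target, or nil if unreachable.
func FindPath(graph map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		node := queue[0]
		queue = queue[1:]
		if p, _ := SplitModule(node); p == target {
			var path []string
			for n := node; n != ""; n = parent[n] { // walk back to the root
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range graph[node] {
			if _, seen := parent[next]; !seen {
				parent[next] = node
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// CompareVersion orders two versions of the form vX.Y.Z with an optional
// "-prerelease" suffix. A pseudo-version such as v3.0.0-2020...-9f266ea9e77c
// sorts below the release v3.0.0 it precedes, so "Fixed in: 3.0.0" applies to it.
func CompareVersion(a, b string) int {
	base := func(v string) ([3]int, string) {
		v = strings.TrimPrefix(v, "v")
		rest := ""
		if i := strings.Index(v, "-"); i >= 0 {
			v, rest = v[:i], v[i+1:]
		}
		var nums [3]int
		for i, part := range strings.SplitN(v, ".", 3) {
			nums[i], _ = strconv.Atoi(part)
		}
		return nums, rest
	}
	na, pa := base(a)
	nb, pb := base(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			if na[i] < nb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1 // a release is newer than any pre-release of it
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// Assess reports whether target is in the requirement graph at all and, if so,
// whether the version reached is below the fixed version.
func Assess(graph map[string][]string, root, target, fixed string) (reachable, belowFix bool) {
	path := FindPath(graph, root, target)
	if path == nil {
		return false, false
	}
	_, v := SplitModule(path[len(path)-1])
	return true, CompareVersion(v, fixed) < 0
}

func main() {
	graph := ParseModGraph(SampleGraph)
	path := FindPath(graph, "github.com/example/app", "gopkg.in/yaml.v3")
	fmt.Println("From:", strings.Join(path, " > "))
	_, below := Assess(graph, "github.com/example/app", "gopkg.in/yaml.v3", "v3.0.1")
	fmt.Println("below fixed version v3.0.1:", below)
}
```

A chain like this proves only that the module is in the build list; it says nothing about whether the vulnerable functions are compiled in or called, which is the co-maintainer's point about YAMLEq. `go mod why -m gopkg.in/yaml.v3` shows which package actually imports the module, and `govulncheck` goes further by checking whether the affected symbols are reachable from your code.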