Open mcramer-billgo opened 3 weeks ago
mcramer-billgo
commented
3 weeks ago PR to address is here: https://github.com/sirupsen/logrus/pull/1435
Running into CI runner issues where the installed version of GO is pinned to 1.13 in the windows runner causing AppVeyor to fail the build.
dolmen
commented
1 week ago gopkg.in/yaml.v3 v3.0.0 (fixed in v3.0.1)github.com/stretchr/testify/assert and github.com/stretchr/testify/require ONLY in its testsuitegithub.com/stretchr/testify/assert uses gopkg.in/yaml.v3 only for YAMLEq and YAMLEqf which the logrus testsuite doesn't usegithub.com/stretchr/testify now has a build tag that allows to stop linking with gopkg.in/yaml.v3 See stretchr/testify#1579 (not yet available in a published release, but the build tag can be enabled here right now for a future upgrade).So this is not at all "2 High severity vulnerabilities".
This issue can be closed as irrelevant.
Disclaimer: I'm one Testify co-maintainer.
To resolve the following High Sev vulnerabilities, update go.mod to use
github.com/stretchr/testify v1.9.0instead ofgithub.com/stretchr/testify v1.7.0Snyk test output before:
✗ High severity vulnerability found in gopkg.in/yaml.v3 Description: Denial of Service (DoS) Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557 Introduced through: github.com/stretchr/testify/require@1.7.0 From: github.com/stretchr/testify/require@1.7.0 > github.com/stretchr/testify/assert@1.7.0 > gopkg.in/yaml.v3@#9f266ea9e77c Fixed in: 3.0.0
✗ High severity vulnerability found in gopkg.in/yaml.v3 Description: NULL Pointer Dereference Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714 Introduced through: github.com/stretchr/testify/require@1.7.0 From: github.com/stretchr/testify/require@1.7.0 > github.com/stretchr/testify/assert@1.7.0 > gopkg.in/yaml.v3@#9f266ea9e77c Fixed in: 3.0.1
Snyk test output after: ✔ Tested 6 dependencies for known issues, no vulnerable paths found.