sirupsen / logrus

Structured, pluggable logging for Go.
MIT License
24.79k stars 2.27k forks

Update stretchr/testify to 1.9.0 to resolve 2 High sev Vulnerabilities found in go yaml lib from current version #1434

Closed mcramer-billgo closed 3 months ago

mcramer-billgo commented 5 months ago

To resolve the following High Sev vulnerabilities, update go.mod to use github.com/stretchr/testify v1.9.0 instead of github.com/stretchr/testify v1.7.0

Snyk test output before:

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: github.com/stretchr/testify/require@1.7.0
  From: github.com/stretchr/testify/require@1.7.0 > github.com/stretchr/testify/assert@1.7.0 > gopkg.in/yaml.v3@#9f266ea9e77c
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: github.com/stretchr/testify/require@1.7.0
  From: github.com/stretchr/testify/require@1.7.0 > github.com/stretchr/testify/assert@1.7.0 > gopkg.in/yaml.v3@#9f266ea9e77c
  Fixed in: 3.0.1

Snyk test output after:

✔ Tested 6 dependencies for known issues, no vulnerable paths found.
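The Snyk report above is derived from the dependency chain through which logrus pulls in gopkg.in/yaml.v3 and a comparison of the resolved version against the advisory's "Fixed in" version. The program below reproduces that reasoning over `go mod graph` output. It is an added example, not code from logrus, testify or Snyk: the two graphs are constructed, minimal edge lists (assumed, not captured from a real `go mod graph` run), `FindPath` is a breadth-first search from the main module, and `VersionLess` implements the part of Go's module version ordering needed here (numeric fields, then a pre-release such as the pseudo-version v3.0.0-20200313102051-9f266ea9e77c sorting before its base release). Note that `go mod graph` is module-level, so it shows `testify > yaml.v3` where Snyk shows the package chain `require > assert > yaml.v3`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed `go mod graph` output (assumed, not captured from a real run):
// one "from to" edge per line, nodes in module@version form, main module bare.
const graphBefore = `github.com/sirupsen/logrus github.com/stretchr/testify@v1.7.0
github.com/stretchr/testify@v1.7.0 github.com/davecgh/go-spew@v1.1.0
github.com/stretchr/testify@v1.7.0 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c`

// The same constructed tree after the go.mod bump to testify v1.9.0.
const graphAfter = `github.com/sirupsen/logrus github.com/stretchr/testify@v1.9.0
github.com/stretchr/testify@v1.9.0 github.com/davecgh/go-spew@v1.1.1
github.com/stretchr/testify@v1.9.0 gopkg.in/yaml.v3@v3.0.1`

// Graph maps each `go mod graph` node to the nodes it requires.
type Graph map[string][]string

// ParseGraph reads "from to" lines into a Graph, skipping blank lines.
func ParseGraph(out string) Graph {
	g := Graph{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// splitNode separates "path@version" into module path and version.
func splitNode(node string) (string, string) {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// FindPath breadth-first searches from root for the shortest chain reaching any version of module; nil if absent.
func FindPath(g Graph, root, module string) []string {
	parent := map[string]string{root: ""}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if p, _ := splitNode(cur); p == module {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g[cur] {
			if _, seen := parent[next]; !seen {
				parent[next], queue = cur, append(queue, next)
			}
		}
	}
	return nil
}

// VersionLess reports whether a sorts before b as Go modules order versions:
// numeric fields first, then a pre-release (including a pseudo-version) before its release.
func VersionLess(a, b string) bool {
	parse := func(v string) (nums [3]int, pre string) {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexByte(v, '-'); i >= 0 {
			v, pre = v[:i], v[i+1:]
		}
		for i, part := range strings.SplitN(v, ".", 3) {
			nums[i], _ = strconv.Atoi(part)
		}
		return nums, pre
	}
	an, ap := parse(a)
	bn, bp := parse(b)
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	if (ap == "") != (bp == "") {
		return ap != ""
	}
	return ap < bp
}

// VulnerablePath returns the chain through which root requires module and whether its version is older than fixedIn.
func VulnerablePath(g Graph, root, module, fixedIn string) ([]string, bool) {
	path := FindPath(g, root, module)
	if path == nil {
		return nil, false
	}
	_, got := splitNode(path[len(path)-1])
	return path, VersionLess(got, fixedIn)
}

func main() {
	for _, c := range []struct{ label, graph string }{{"before", graphBefore}, {"after", graphAfter}} {
		// v3.0.1 is the "Fixed in" version Snyk listed for SNYK-GOLANG-GOPKGINYAMLV3-2952714.
		path, vuln := VulnerablePath(ParseGraph(c.graph), "github.com/sirupsen/logrus", "gopkg.in/yaml.v3", "v3.0.1")
		fmt.Printf("%s: %s\n  older than v3.0.1: %v\n", c.label, strings.Join(path, " > "), vuln)
	}
}
```

Against a real module, replace the constants with the output of `go mod graph`. A hit here only says the module is required at a version below the fix; it says nothing about whether the vulnerable code is compiled into or reachable from a binary, which is the question `govulncheck` answers and the distinction behind the maintainer's reply below.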

mcramer-billgo commented 5 months ago

PR to address is here: https://github.com/sirupsen/logrus/pull/1435

Running into CI runner issues where the installed version of Go is pinned to 1.13 in the Windows runner, causing AppVeyor to fail the build.

dolmen commented 5 months ago

So this is not at all "2 High severity vulnerabilities".

This issue can be closed as irrelevant.

Disclaimer: I'm a Testify co-maintainer.

github-actions[bot] commented 4 months ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 3 months ago

This issue was closed because it has been inactive for 14 days since being marked as stale.