stretchr / objx

Go package for dealing with maps, slices, JSON and other data.
MIT License

Fix CVE-2022-28948 - Remove `gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c` #146

Closed vmatyus closed 4 months ago

vmatyus commented 4 months ago

GitHub Advisor reported a vulnerable package: gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c. Here is the CVE report.

One of my applications uses the testify package as a dependency; in the current setup my application is vulnerable, which is why I am asking you to correct this vulnerability.

I checked the dependency usage in the following way:

go mod graph | grep "gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c"
github.com/stretchr/testify@v1.7.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c

go mod graph | grep "github.com/stretchr/testify@v1.7.1"                 
github.com/stretchr/objx@v0.4.0 github.com/stretchr/testify@v1.7.1

go mod graph | grep "github.com/stretchr/objx@v0.4.0"   
github.com/stretchr/testify@v1.8.0 github.com/stretchr/objx@v0.4.0

go mod graph | grep "github.com/stretchr/testify@v1.8.0"
github.com/stretchr/objx@v0.5.0 github.com/stretchr/testify@v1.8.0

go mod graph | grep "github.com/stretchr/objx@v0.5.0"   
github.com/stretchr/testify@v1.8.4 github.com/stretchr/objx@v0.5.0

go mod graph | grep "github.com/stretchr/testify@v1.8.4"
github.ibm.com/cloudant/rc-sync github.com/stretchr/testify@v1.8.4
github.com/stretchr/testify@v1.8.4 github.com/davecgh/go-spew@v1.1.1
github.com/stretchr/testify@v1.8.4 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/testify@v1.8.4 github.com/stretchr/objx@v0.5.0
github.com/stretchr/testify@v1.8.4 gopkg.in/yaml.v3@v3.0.1
github.ibm.com/IAM/context-token@v0.2.3 github.com/stretchr/testify@v1.8.4
github.ibm.com/IAM/pep/v4@v4.2.1-release github.com/stretchr/testify@v1.8.4
github.ibm.com/IAM/token/v5@v5.2.5 github.com/stretchr/testify@v1.8.4

From the above dependency tree it can be seen that the vulnerable package is pulled in through github.com/stretchr/objx@v0.5.0.

I would like to ask you to correct this package vulnerability.
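The chain of `go mod graph | grep` calls above traces, by hand, how the flagged `gopkg.in/yaml.v3` version is reached from the root module. The following program automates that walk: it parses `go mod graph` output (each line is `requirer requirement`) into an adjacency list and breadth-first searches for the shortest requirement chain to a given module@version. This is an added example written for this page, not code from the objx project or from the issue author; the embedded graph is a constructed excerpt assembled from the edges quoted in the issue, and `github.ibm.com/cloudant/rc-sync` is assumed to be the root (main) module.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// SampleGraph is a constructed excerpt of `go mod graph` output, assembled from
// the edges quoted in the issue above; it is not captured from a live run.
const SampleGraph = `github.ibm.com/cloudant/rc-sync github.com/stretchr/testify@v1.8.4
github.com/stretchr/testify@v1.8.4 github.com/davecgh/go-spew@v1.1.1
github.com/stretchr/testify@v1.8.4 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/testify@v1.8.4 github.com/stretchr/objx@v0.5.0
github.com/stretchr/testify@v1.8.4 gopkg.in/yaml.v3@v3.0.1
github.com/stretchr/objx@v0.5.0 github.com/stretchr/testify@v1.8.0
github.com/stretchr/testify@v1.8.0 github.com/stretchr/objx@v0.4.0
github.com/stretchr/objx@v0.4.0 github.com/stretchr/testify@v1.7.1
github.com/stretchr/testify@v1.7.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c
`

// ParseModGraph turns "requirer requirement" lines into an adjacency list.
// Blank or malformed lines are skipped instead of aborting the scan.
func ParseModGraph(out string) map[string][]string {
	graph := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// FindPath breadth-first searches from root and returns the shortest chain of
// module@version nodes ending at target, or nil if target is never required.
func FindPath(graph map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""} // "" marks the root's (absent) parent
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			// Walk parent pointers back to the root, prepending as we go.
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range graph[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	graph := ParseModGraph(SampleGraph)
	path := FindPath(graph, "github.ibm.com/cloudant/rc-sync",
		"gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c")
	if path == nil {
		fmt.Println("module version is not in the requirement graph")
		return
	}
	fmt.Println(strings.Join(path, "\n  -> "))
}
```

To run it against a real module, pipe `go mod graph` into the program instead of using the embedded constant. Keep in mind that `go mod graph` prints the full requirement graph, whereas the build uses only the versions selected by minimal version selection (`go list -m all`); a version that appears in the graph but is superseded by a newer selected version is not compiled in, which is the distinction `govulncheck` uses to cut down on false positives.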

vmatyus commented 4 months ago

Reported the issue to github.com/stretchr/testify: https://github.com/stretchr/testify/issues/1532

vmatyus commented 4 months ago

Thank you!