stretchr / testify

A toolkit with common assertions and mocks that plays nicely with the standard library
MIT License

Fix CVE-2022-28948 - Remove `gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c` #1532

Closed vmatyus closed 4 months ago

vmatyus commented 4 months ago

GitHub Advisor reported a vulnerable package: gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c. Here is the CVE report.

One of my applications uses the testify package as a dependency; in the current setup my application is vulnerable, which is why I am asking you to correct this vulnerability.

I checked the dependency usage in the following way:

```console
go mod graph | grep "gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c"
github.com/stretchr/testify@v1.7.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c

go mod graph | grep "github.com/stretchr/testify@v1.7.1"
github.com/stretchr/objx@v0.4.0 github.com/stretchr/testify@v1.7.1

go mod graph | grep "github.com/stretchr/objx@v0.4.0"
github.com/stretchr/testify@v1.8.0 github.com/stretchr/objx@v0.4.0

go mod graph | grep "github.com/stretchr/testify@v1.8.0"
github.com/stretchr/objx@v0.5.0 github.com/stretchr/testify@v1.8.0

go mod graph | grep "github.com/stretchr/objx@v0.5.0"
github.com/stretchr/testify@v1.8.4 github.com/stretchr/objx@v0.5.0

go mod graph | grep "github.com/stretchr/testify@v1.8.4"
github.ibm.com/cloudant/rc-sync github.com/stretchr/testify@v1.8.4
github.com/stretchr/testify@v1.8.4 github.com/davecgh/go-spew@v1.1.1
github.com/stretchr/testify@v1.8.4 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/testify@v1.8.4 github.com/stretchr/objx@v0.5.0
github.com/stretchr/testify@v1.8.4 gopkg.in/yaml.v3@v3.0.1
github.ibm.com/IAM/context-token@v0.2.3 github.com/stretchr/testify@v1.8.4
github.ibm.com/IAM/pep/v4@v4.2.1-release github.com/stretchr/testify@v1.8.4
github.ibm.com/IAM/token/v5@v5.2.5 github.com/stretchr/testify@v1.8.4
```

From the above dependency tree it can be seen that the vulnerable package is pulled in through github.com/stretchr/objx@v0.5.0.

I would like to ask you to correct this package vulnerability.

vmatyus commented 4 months ago

Reported the issue to github.com/stretchr/objx: https://github.com/stretchr/objx/issues/146

brackendawson commented 4 months ago

v1.8.4 does not have this vulnerability: https://github.com/stretchr/testify/blob/f97607b89807936ac4ff96748d766cf4b9711f78/go.mod#L9

It is not a problem if vulnerable modules appear in your graph. The vulnerable yaml module will not be built into any of your binaries using testify >= 1.8.4.
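
The distinction brackendawson draws, between a module version appearing in `go mod graph` and that version being the one actually selected for the build, is a mechanical rule that can be checked. The following is an added example, not code from this thread or from the testify project: it applies Go's minimal version selection rule (for each module path, the build list takes the highest version present anywhere in the reachable requirement graph) to the `go mod graph` edges vmatyus posted above, embedded here as constructed sample input. The semver comparison is a simplified one written for this example; it handles the release and pseudo-version forms that occur in this graph.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// graphOutput is constructed sample input: the `go mod graph` edges quoted
// in the issue, one "requirer required" pair per line. The first module on
// the first line (the main module) carries no version.
const graphOutput = `github.ibm.com/cloudant/rc-sync github.com/stretchr/testify@v1.8.4
github.com/stretchr/testify@v1.8.4 github.com/davecgh/go-spew@v1.1.1
github.com/stretchr/testify@v1.8.4 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/testify@v1.8.4 github.com/stretchr/objx@v0.5.0
github.com/stretchr/testify@v1.8.4 gopkg.in/yaml.v3@v3.0.1
github.com/stretchr/objx@v0.5.0 github.com/stretchr/testify@v1.8.0
github.com/stretchr/testify@v1.8.0 github.com/stretchr/objx@v0.4.0
github.com/stretchr/objx@v0.4.0 github.com/stretchr/testify@v1.7.1
github.com/stretchr/testify@v1.7.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c
`

// splitModule separates "path@version"; the main module has no version.
func splitModule(s string) (path, version string) {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// parseVersion splits "vX.Y.Z[-pre]" into its numbers and pre-release tag.
// Pseudo-versions such as v3.0.0-20200313102051-9f266ea9e77c are
// pre-releases of v3.0.0, which is what makes them sort below v3.0.1.
func parseVersion(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// lessVersion is a simplified semver ordering (assumption for this example):
// numeric fields first, then a release outranks any pre-release of the same
// number, then pre-release tags compare lexically, which is adequate for
// Go's timestamp-based pseudo-versions.
func lessVersion(a, b string) bool {
	an, ap, aok := parseVersion(a)
	bn, bp, bok := parseVersion(b)
	if !aok || !bok {
		return a < b
	}
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	if (ap == "") != (bp == "") {
		return ap != "" // the pre-release is the lower one
	}
	return ap < bp
}

// selectedVersions computes the build list: the highest version of every
// module path mentioned anywhere in the requirement graph.
func selectedVersions(graph string) map[string]string {
	sel := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		for _, mod := range strings.Fields(line) {
			path, ver := splitModule(mod)
			if ver == "" {
				continue // main module
			}
			if cur, seen := sel[path]; !seen || lessVersion(cur, ver) {
				sel[path] = ver
			}
		}
	}
	return sel
}

// appearsInGraph reports whether the exact path@version occurs as a node.
func appearsInGraph(graph, module string) bool {
	for _, mod := range strings.Fields(graph) {
		if mod == module {
			return true
		}
	}
	return false
}

// isSelected reports whether path@version is the one the build would use.
func isSelected(graph, module string) bool {
	path, ver := splitModule(module)
	return selectedVersions(graph)[path] == ver
}

func main() {
	vuln := "gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c"
	fmt.Println("in graph:", appearsInGraph(graphOutput, vuln))
	fmt.Println("selected:", isSelected(graphOutput, vuln))
	fmt.Println("build uses gopkg.in/yaml.v3@" + selectedVersions(graphOutput)["gopkg.in/yaml.v3"])
}
```

On the posted graph this reports that the vulnerable pseudo-version is present but not selected, and that the build list resolves gopkg.in/yaml.v3 to v3.0.1. In a real module you do not need to recompute this: `go list -m all` prints the selected versions directly, `go mod why -m gopkg.in/yaml.v3` explains what pulls the module in, and `go version -m <binary>` lists the module versions actually linked into a compiled program. Being in the build list is still only a prerequisite for being compiled in; `govulncheck ./...` goes one step further and reports only vulnerable symbols that are reachable from your code.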

vmatyus commented 4 months ago

I could not really differentiate what is compiled into the binaries and what is not. The go.mod and go.sum files contain packages that are needed for the production and test environments. For this reason I would like to ask you to integrate this solution: https://github.com/stretchr/objx/issues/146#event-11963534527 - once it is published.