About a week ago gopkg.in/yaml declared a CVE which was updated a couple of hours ago to provide the exact version details of the impact.
Microsoft Graph Go SDKs and Kiota Go libraries pull that dependency transitively through two dependencies:

- github.com/stretchr/testify, used to write assertions in our unit tests; this dependency is not added to production builds, and the team has started remediating the issue.
- github.com/cjlapao/common-go, which provides a number of helpful APIs. The SDK uses the ISO Duration APIs provided by that package, which do not call into the yaml package. We've submitted a pull request to upgrade the yaml version on that package. This package also depends on github.com/stretchr/testify.
Microsoft Graph Go SDKs and Kiota Go libraries are therefore not vulnerable to this CVE, and neither are your applications that depend on the SDKs, as long as they don't have other dependencies or code paths calling into that yaml dependency.
The full road to resolution is the following:

1. github.com/stretchr/testify merges the update pull request and releases a new version.
2. github.com/cjlapao/common-go updates the pull request we submitted with the new github.com/stretchr/testify version, merges it and releases a new version.
3. We update those dependencies and release new versions of all the packages in a "cascading" way (kiota abstractions, then kiota http/azure/json/text, then msgraph-sdk-go-core, then msgraph-sdk-go/msgraph-beta-sdk-go).
4. You upgrade msgraph-sdk-go/msgraph-beta-sdk-go when the release is out (and any other dependency that brings the yaml package).
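To see for yourself how a transitive module such as gopkg.in/yaml reaches your build, and through which chain, you can walk the output of `go mod graph`. The program below is an added example, not code from the Microsoft Graph SDK or Kiota projects: it parses constructed `go mod graph` output that mirrors the dependency chain described in this issue (placeholder versions, and the module path for kiota abstractions is assumed to be github.com/microsoft/kiota-abstractions-go), then reports the modules that require yaml directly and the shortest requirement chain from your main module to it. Point it at real `go mod graph` output by reading stdin instead of the constant.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// DepGraph maps a module node ("path@version", or just "path" for the main
// module) to the nodes it requires, in the order `go mod graph` listed them.
type DepGraph map[string][]string

// ParseModGraph parses the "parent child" lines printed by `go mod graph`.
func ParseModGraph(out string) DepGraph {
	g := DepGraph{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		g[fields[0]] = append(g[fields[0]], fields[1])
	}
	return g
}

// ModulePath strips the "@version" suffix from a graph node.
func ModulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// PathTo returns the shortest requirement chain (BFS) from root to the first
// node whose module path starts with target ("gopkg.in/yaml" matches both
// yaml.v2 and yaml.v3), or nil when the target is unreachable.
func PathTo(g DepGraph, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if strings.HasPrefix(ModulePath(cur), target) {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// DirectRequirers lists, sorted, the module paths that require target
// directly: the "how does it get in" view of a transitive dependency.
func DirectRequirers(g DepGraph, target string) []string {
	seen := map[string]bool{}
	for p, children := range g {
		for _, c := range children {
			if strings.HasPrefix(ModulePath(c), target) {
				seen[ModulePath(p)] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// SampleGraph is constructed `go mod graph` output mirroring the chain in the
// issue. Versions are placeholders, not real releases, and the
// kiota-abstractions-go module path is assumed.
const SampleGraph = `example.com/app github.com/microsoftgraph/msgraph-sdk-go@v0.0.0-example
github.com/microsoftgraph/msgraph-sdk-go@v0.0.0-example github.com/microsoftgraph/msgraph-sdk-go-core@v0.0.0-example
github.com/microsoftgraph/msgraph-sdk-go-core@v0.0.0-example github.com/microsoft/kiota-abstractions-go@v0.0.0-example
github.com/microsoft/kiota-abstractions-go@v0.0.0-example github.com/cjlapao/common-go@v0.0.0-example
github.com/microsoft/kiota-abstractions-go@v0.0.0-example github.com/stretchr/testify@v0.0.0-example
github.com/cjlapao/common-go@v0.0.0-example github.com/stretchr/testify@v0.0.0-example
github.com/cjlapao/common-go@v0.0.0-example gopkg.in/yaml.v3@v0.0.0-example
github.com/stretchr/testify@v0.0.0-example gopkg.in/yaml.v3@v0.0.0-example
`

func main() {
	g := ParseModGraph(SampleGraph)
	fmt.Println("direct requirers of gopkg.in/yaml:", DirectRequirers(g, "gopkg.in/yaml"))
	fmt.Println("shortest chain:", strings.Join(PathTo(g, "example.com/app", "gopkg.in/yaml"), " -> "))
}
```

Keep in mind what this graph does and does not tell you: `go mod graph` lists module requirements, including modules a dependency needs only for its own tests, so a path in this graph over-approximates what ends up in your binary. `go list -deps ./...` (without `-test`) shows the packages actually compiled into the build, and `govulncheck` goes one step further by reporting only vulnerable symbols that are reachable from your code, which is the check that settles whether the yaml code paths are exercised.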