
Update stretchr/testify to 1.9.0 to resolve 2 High sev Vulnerabilities found in go yaml lib from current version #1434

Closed
mcramer-billgo opened this issue Jun 7, 2024 · 4 comments · May be fixed by #1435

@mcramer-billgo

To resolve the following High Sev vulnerabilities, update go.mod to use github.com/stretchr/testify v1.9.0 instead of github.com/stretchr/testify v1.7.0

Snyk test output before:

✗ High severity vulnerability found in gopkg.in/yaml.v3
Description: Denial of Service (DoS)
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
Introduced through: github.com/stretchr/testify/require@1.7.0
From: github.com/stretchr/testify/require@1.7.0 > github.com/stretchr/testify/assert@1.7.0 > gopkg.in/yaml.v3@#9f266ea9e77c
Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
Description: NULL Pointer Dereference
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
Introduced through: github.com/stretchr/testify/require@1.7.0
From: github.com/stretchr/testify/require@1.7.0 > github.com/stretchr/testify/assert@1.7.0 > gopkg.in/yaml.v3@#9f266ea9e77c
Fixed in: 3.0.1

Snyk test output after:
✔ Tested 6 dependencies for known issues, no vulnerable paths found.

@mcramer-billgo
Author

PR to address is here: #1435

Running into CI runner issues where the installed version of Go is pinned to 1.13 in the Windows runner, causing AppVeyor to fail the build.

@dolmen
Contributor

dolmen commented Jun 25, 2024

  • the "vulnerability" is in gopkg.in/yaml.v3 v3.0.0 (fixed in v3.0.1)
  • logrus uses packages github.com/stretchr/testify/assert and github.com/stretchr/testify/require ONLY in its testsuite
  • github.com/stretchr/testify/assert uses gopkg.in/yaml.v3 only for YAMLEq and YAMLEqf which the logrus testsuite doesn't use
  • github.com/stretchr/testify now has a build tag that allows linking with gopkg.in/yaml.v3 to be disabled. See "assert: make YAML dependency pluggable via build tags" (stretchr/testify#1579) (not yet available in a published release, but the build tag can be enabled here right now for a future upgrade).

So this is not at all "2 High severity vulnerabilities".

This issue can be closed as irrelevant.

Disclaimer: I'm one of the Testify co-maintainers.
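One way to check the point made above (that gopkg.in/yaml.v3 is only reached through the test suite) on a module of your own, as an added example that is not code from logrus or testify: parse the stanzas printed by `go mod why -m <module>` and report whether the path to the module goes through a test package. The sample output is constructed here, and the code assumes the go tool's documented stanza format, with test packages shown with a `.test` suffix.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod why -m gopkg.in/yaml.v3` output for a
// module whose only route to yaml.v3 is its own test package.
const sampleWhy = `# gopkg.in/yaml.v3
github.com/sirupsen/logrus
github.com/sirupsen/logrus.test
github.com/stretchr/testify/assert
gopkg.in/yaml.v3
`

// Reachability describes how the main module reaches one target module.
type Reachability struct {
	Target   string
	Path     []string // import chain from the main module to Target
	TestOnly bool     // a ".test" package sits on the chain: not in production binaries
	Unused   bool     // go mod why printed a "(main module does not need ...)" note
}

// ParseModWhy splits `go mod why` output into stanzas and classifies each one.
func ParseModWhy(out string) []Reachability {
	var res []Reachability
	for _, stanza := range strings.Split(strings.TrimSpace(out), "\n\n") {
		lines := strings.Split(strings.TrimSpace(stanza), "\n")
		if len(lines) == 0 || !strings.HasPrefix(lines[0], "# ") {
			continue
		}
		r := Reachability{Target: strings.TrimPrefix(lines[0], "# ")}
		for _, l := range lines[1:] {
			if strings.HasPrefix(l, "(") { // parenthesized note: not referenced at all
				r.Unused = true
				continue
			}
			r.Path = append(r.Path, l)
			if strings.HasSuffix(l, ".test") { // everything below this is test-only
				r.TestOnly = true
			}
		}
		res = append(res, r)
	}
	return res
}

func main() {
	for _, r := range ParseModWhy(sampleWhy) {
		fmt.Printf("%s test-only=%v unused=%v path=%s\n",
			r.Target, r.TestOnly, r.Unused, strings.Join(r.Path, " > "))
	}
}
```

Run `go mod why -m gopkg.in/yaml.v3` in the module under review and feed its output to ParseModWhy; a chain with no `.test` package means the module is linked into shipped binaries and the advisory is relevant.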


This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label Jul 26, 2024

github-actions bot commented Aug 9, 2024

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions github-actions bot closed this as completed Aug 9, 2024