
Security: update gopkg.in/yaml.v3 vulnerable package

Open k-meister opened this issue 2 years ago • 2 comments

Problem Statement

The yaml.v3 package, which is an indirect dependency of ours, is considered vulnerable: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557

Proposed Solution

Update deps to patched versions.

k-meister avatar Sep 16 '22 09:09 k-meister

This project does not include a dependency on gopkg.in/yaml.v3:

$ grep -Rn 'gopkg.in/yaml.v3' | sed 's#^.*gopkg\.in\/yaml\.v3 \([^\/ ]\+\).*$#\1#' | sort -u
v3.0.0-20200313102051-9f266ea9e77c
v3.0.0-20210107192922-496545a6307b
v3.0.1

Can you link to the dependency in a project go.mod that needs to be changed?

MrAlias avatar Sep 16 '22 14:09 MrAlias

It's present in go.mod: https://github.com/open-telemetry/opentelemetry-go/blob/main/go.mod#L16

We definitely need github.com/stretchr/testify v1.8.0 to fix this, but I'm not sure whether this will be enough.

k-meister avatar Sep 16 '22 15:09 k-meister

I'm seeing 3.0.0 being used:

open-telemetry/opentelemetry-go›  git:(main) grep -Rn 'gopkg.in/yaml.v3' | sed 's#^.*gopkg\.in\/yaml\.v3 \([^\/ ]\+\).*$#\1#' | sort -u
./bridge/opencensus/go.sum:57:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./bridge/opencensus/opencensusmetric/go.sum:95:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./bridge/opencensus/opencensusmetric/go.sum:96:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./bridge/opencensus/test/go.sum:96:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./bridge/opencensus/test/go.sum:97:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./bridge/opentracing/go.mod:19: gopkg.in/yaml.v3 v3.0.1 // indirect
./bridge/opentracing/go.sum:19:gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
./bridge/opentracing/go.sum:20:gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./example/fib/go.sum:12:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./example/jaeger/go.sum:20:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./example/jaeger/go.sum:21:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./example/namedtracer/go.sum:12:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./example/otel-collector/go.sum:420:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./example/otel-collector/go.sum:421:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./example/passthrough/go.sum:12:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./example/prometheus/go.sum:475:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./example/zipkin/go.sum:212:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./example/zipkin/go.sum:213:gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
./example/zipkin/go.sum:214:gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/jaeger/go.mod:20:   gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/jaeger/go.sum:20:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/jaeger/go.sum:21:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/otlp/internal/retry/go.mod:13:      gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/otlp/internal/retry/go.sum:12:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/otlp/internal/retry/go.sum:13:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/otlp/otlpmetric/go.mod:31:  gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/otlp/otlpmetric/go.sum:417:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/otlp/otlpmetric/go.sum:418:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/otlp/otlpmetric/otlpmetricgrpc/go.mod:32:   gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/otlp/otlpmetric/otlpmetricgrpc/go.sum:424:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/otlp/otlpmetric/otlpmetricgrpc/go.sum:425:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/otlp/otlpmetric/otlpmetrichttp/go.mod:32:   gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/otlp/otlpmetric/otlpmetrichttp/go.sum:424:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/otlp/otlpmetric/otlpmetrichttp/go.sum:425:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/otlp/otlptrace/go.mod:29:   gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/otlp/otlptrace/go.sum:424:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/otlp/otlptrace/go.sum:425:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/otlp/otlptrace/otlptracegrpc/go.mod:30:     gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/otlp/otlptrace/otlptracegrpc/go.sum:431:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/otlp/otlptrace/otlptracegrpc/go.sum:432:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/otlp/otlptrace/otlptracehttp/go.mod:29:     gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/otlp/otlptrace/otlptracehttp/go.sum:423:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/otlp/otlptrace/otlptracehttp/go.sum:424:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/prometheus/go.mod:29:       gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/prometheus/go.sum:479:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/prometheus/go.sum:480:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/stdout/stdoutmetric/go.mod:20:      gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/stdout/stdoutmetric/go.sum:18:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/stdout/stdoutmetric/go.sum:19:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/stdout/stdouttrace/go.mod:23:       gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./exporters/stdout/stdouttrace/go.sum:18:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./exporters/stdout/stdouttrace/go.sum:19:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/zipkin/go.mod:20:   gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
./exporters/zipkin/go.sum:217:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./exporters/zipkin/go.sum:218:gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
./exporters/zipkin/go.sum:219:gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./go.mod:16:    gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./go.sum:17:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./go.sum:18:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./internal/tools/go.mod:193:    gopkg.in/yaml.v3 v3.0.1 // indirect
./internal/tools/go.sum:1261:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./internal/tools/go.sum:1262:gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./internal/tools/go.sum:1263:gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
./internal/tools/go.sum:1264:gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./metric/go.mod:16:     gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./metric/go.sum:16:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./metric/go.sum:17:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./schema/go.mod:14:     gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./schema/go.sum:14:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./schema/go.sum:15:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./sdk/go.mod:20:        gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./sdk/go.sum:19:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./sdk/go.sum:20:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./sdk/metric/go.mod:19: gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./sdk/metric/go.sum:18:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./sdk/metric/go.sum:19:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
./trace/go.mod:16:      gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
./trace/go.sum:12:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
./trace/go.sum:13:gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

However, it seems dependabot should have upgraded us?

dmathieu avatar Sep 20 '22 09:09 dmathieu

This looks to be resolved, on the latest commit at least (ad45631b53faa74191fcee37c8f010e520af67e1):

$ grep -Rn 'gopkg.in/yaml.v3' | grep -v 'go\.sum' | sed 's#^.*gopkg\.in\/yaml\.v3 \([^\/ ]\+\).*$#\1#' | sort -u
v3.0.1

MrAlias avatar Oct 18 '22 23:10 MrAlias
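The two grep pipelines in this thread differ in one important way: the first one reads go.sum, which records checksums for every version of a module the build ever consulted, so it keeps listing old pseudo-versions long after they stop being selected; the second one drops go.sum and reads only the go.mod requirements, which (from Go 1.17 on) list the selected version even for `// indirect` dependencies. The program below is an added example written for this page, not opentelemetry-go's own tooling. It does the same check in Go: it parses constructed go.mod snippets (paths and versions copied from the grep output above, module names made up), ignores go.sum entries, and reports every module that still requires gopkg.in/yaml.v3 older than v3.0.1, which is the version the resolved state in the last comment shows and is assumed here to be the patched release. The version ordering is a simplified semver comparison (numeric major/minor/patch, then a release outranks any pre-release, then pre-release strings compared textually), which is enough to order Go pseudo-versions against tagged releases as seen here.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Assumed for this example: the module under review and the first version
// the thread shows as the resolved (patched) state.
const yamlModule = "gopkg.in/yaml.v3"
const fixedVersion = "v3.0.1"

// semverRe splits vMAJOR.MINOR.PATCH plus an optional -prerelease. Go
// pseudo-versions such as v3.0.0-20200313102051-9f266ea9e77c are
// pre-releases of the base version, so they sort below v3.0.0.
var semverRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$`)

// compareModVersion returns -1, 0 or 1 ordering a against b: numeric
// major/minor/patch first, then "no pre-release" beats any pre-release,
// then pre-release strings textually (pseudo-version timestamps sort
// correctly that way). Unparseable versions fall back to plain string order.
func compareModVersion(a, b string) int {
	ma, mb := semverRe.FindStringSubmatch(a), semverRe.FindStringSubmatch(b)
	if ma == nil || mb == nil {
		return strings.Compare(a, b)
	}
	for i := 1; i <= 3; i++ {
		na, _ := strconv.Atoi(ma[i])
		nb, _ := strconv.Atoi(mb[i])
		if na != nb {
			if na < nb {
				return -1
			}
			return 1
		}
	}
	switch {
	case ma[4] == "" && mb[4] == "":
		return 0
	case ma[4] == "":
		return 1
	case mb[4] == "":
		return -1
	}
	return strings.Compare(ma[4], mb[4])
}

// requiredVersion returns the version a go.mod requires for mod, whether it
// sits inside a "require (" block or on a single "require" line. Entries
// marked "// indirect" count: go.mod lists the selected version for them too.
func requiredVersion(gomod, mod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "//") {
			continue
		}
		fields := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case !inBlock && len(fields) >= 3 && fields[0] == "require":
			fields = fields[1:] // single-line require
		case !inBlock:
			continue
		}
		if len(fields) >= 2 && fields[0] == mod {
			return fields[1], true
		}
	}
	return "", false
}

// vulnerableGoMods lists "path version" for every go.mod whose requirement
// for mod is older than fixed. go.sum files are skipped on purpose: their
// checksum lines do not say which version is selected.
func vulnerableGoMods(files map[string]string, mod, fixed string) []string {
	var out []string
	for path, content := range files {
		if !strings.HasSuffix(path, "go.mod") {
			continue
		}
		if v, ok := requiredVersion(content, mod); ok && compareModVersion(v, fixed) < 0 {
			out = append(out, path+" "+v)
		}
	}
	sort.Strings(out)
	return out
}

// sampleRepo is constructed for this example: the paths and yaml.v3 versions
// mirror the thread's grep output, the module names are invented.
var sampleRepo = map[string]string{
	"./go.mod":                    "module example.com/root\n\ngo 1.18\n\nrequire (\n\tgithub.com/stretchr/testify v1.7.1\n\tgopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect\n)\n",
	"./exporters/zipkin/go.mod":   "module example.com/root/exporters/zipkin\n\ngo 1.18\n\nrequire gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect\n",
	"./bridge/opentracing/go.mod": "module example.com/root/bridge/opentracing\n\ngo 1.18\n\nrequire (\n\tgopkg.in/yaml.v3 v3.0.1 // indirect\n)\n",
	"./go.sum":                    "gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=\n",
}

func main() {
	for _, hit := range vulnerableGoMods(sampleRepo, yamlModule, fixedVersion) {
		fmt.Println("needs update:", hit)
	}
}
```

Running it prints the two modules that still pin a pre-v3.0.1 pseudo-version and stays silent about ./bridge/opentracing, which already requires v3.0.1, and about the go.sum line, which would have been a false positive in the go.sum-based grep. For a real multi-module repository, replace `sampleRepo` with a walk over the checkout that reads each go.mod, or run `go list -m all` per module and compare the selected version the same way.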