
Update stretchr/testify to 1.9.0 to resolve 2 High sev vulnerabilities found in the Go yaml lib from the current version

Open abetterbuilder opened this issue 1 year ago • 2 comments

To resolve the following High Sev vulnerabilities, update go.mod to use github.com/stretchr/testify v1.9.0 instead of github.com/stretchr/testify v1.7.0

Snyk test output before:

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: github.com/stretchr/testify/[email protected]
  From: github.com/stretchr/testify/[email protected] > github.com/stretchr/testify/[email protected] > gopkg.in/yaml.v3@#9f266ea9e77c
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: github.com/stretchr/testify/[email protected]
  From: github.com/stretchr/testify/[email protected] > github.com/stretchr/testify/[email protected] > gopkg.in/yaml.v3@#9f266ea9e77c
  Fixed in: 3.0.1

Snyk test output after: ✔ Tested 6 dependencies for known issues, no vulnerable paths found.

abetterbuilder avatar Jun 07 '24 17:06 abetterbuilder

PR to address is here: https://github.com/sirupsen/logrus/pull/1435

Running into CI runner issues where the installed version of Go is pinned to 1.13 in the Windows runner, causing AppVeyor to fail the build.

abetterbuilder avatar Jun 07 '24 17:06 abetterbuilder

  • the "vulnerability" is in gopkg.in/yaml.v3 v3.0.0 (fixed in v3.0.1)
  • logrus uses the packages github.com/stretchr/testify/assert and github.com/stretchr/testify/require ONLY in its test suite
  • github.com/stretchr/testify/assert uses gopkg.in/yaml.v3 only for YAMLEq and YAMLEqf, which the logrus test suite doesn't use
  • github.com/stretchr/testify now has a build tag that allows you to stop linking with gopkg.in/yaml.v3. See stretchr/testify#1579 (not yet available in a published release, but the build tag can be enabled here right now for a future upgrade).

So this is not at all "2 High severity vulnerabilities".

This issue can be closed as irrelevant.

Disclaimer: I'm a Testify co-maintainer.

dolmen avatar Jun 25 '24 12:06 dolmen
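A quick way to verify the first two points of the comment above before accepting a scanner's severity at face value is to compare the module's production import graph with the graph that includes its tests. This is an added example script, not code from logrus or testify; the sample package lists are constructed, and `classify_dep` assumes a Go toolchain on PATH and a go.mod in the current directory.

```shell
#!/bin/sh
# Added triage helper (not logrus or testify code): decide whether a package
# flagged by a scanner sits in the production import graph or only in tests.

# Pure classification. $1 = package path from the report, $2 = packages in the
# production import graph, $3 = packages in the graph that includes tests
# (both newline-separated). Prints: production | test-only | not-imported
classify_from_lists() {
  if _pkg_in_list "$1" "$2"; then echo production
  elif _pkg_in_list "$1" "$3"; then echo test-only
  else echo not-imported
  fi
}

# True when $2 contains $1 itself or any package underneath it. Matching is on
# whole path segments, so gopkg.in/yaml.v3 does not match gopkg.in/yaml.v30.
_pkg_in_list() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $0 == p || index($0, p "/") == 1 { found = 1 }
    END { exit !found }'
}

# Live wrapper for the current module (needs the Go toolchain).
# `go list -deps` walks the import graph; `-test` also adds what _test.go
# files import, which is where testify (and through it yaml.v3) enters.
classify_dep() {
  prod=$(go list -deps "${2:-./...}")
  all=$(go list -deps -test "${2:-./...}")
  classify_from_lists "$1" "$prod" "$all"
}

# Constructed sample graphs shaped like a logrus-style module whose only route
# to gopkg.in/yaml.v3 is via testify in the test suite.
SAMPLE_PROD='github.com/sirupsen/logrus
golang.org/x/sys/unix'
SAMPLE_ALL="$SAMPLE_PROD
github.com/stretchr/testify/assert
github.com/stretchr/testify/require
gopkg.in/yaml.v3"

# Run against a real module only when a package path is given on the CLI,
# e.g.:  sh triage.sh gopkg.in/yaml.v3 ./...
if [ $# -gt 0 ]; then
  classify_dep "$@"
fi
```

`go list` stops at package-level reachability; govulncheck (golang.org/x/vuln) goes one step further and reports whether the vulnerable symbols are actually called, which is the third point above about YAMLEq.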

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] avatar Jul 26 '24 01:07 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Aug 09 '24 01:08 github-actions[bot]