Yaml3.0.0 vulnerability via objx v0.5.0 #1292
Comments
|
I'm wondering if we really can fix this problem without changing the objx library or breaking the circular dependency somehow. It will be inside this loop until the vulnerable version. |
|
I am seeing the same issue. Because of the circular dependency, updating one package will still leave a reference to respective dependency, and so we go down the stairs back to the older versions with the vulnerabilities. |
|
The vulnerable % go list -m all
github.com/stretchr/testify
github.com/davecgh/go-spew v1.1.1
github.com/pmezard/go-difflib v1.0.0
github.com/stretchr/objx v0.5.0
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
gopkg.in/yaml.v3 v3.0.1
|
|
You might be able to solve this using an
Exact details may vary. |
|
Thank you @mgibson-r7. This absolutely solved the old dependencies issue! |
|
Adding this to my |
dolmen
added a commit
to dolmen-go/stretchr-objx.fork
that referenced
this issue
Jul 4, 2023
In go.mod exclude the previous of testify to break the dependency cycle. Fixes stretchr#124 and stretchr/testify#1292 (once testify upgrades). go mod edit -exclude=github.com/stretchr/testify@v1.8.0 go mod tidy
2 tasks
dolmen
added a commit
that referenced
this issue
Aug 9, 2023
In go.mod exclude the old version of testify brought by objx. This allows to break the dependency cycle and completely remove the dependency link to old versions of dependencies (some of which had security issues). Closes #1292. go mod edit -exclude=github.com/stretchr/testify@v1.8.2 && go.mod
MovieStoreGuy
added a commit
that referenced
this issue
Jan 21, 2024
Fix dependency cycle with objx #1292
algitbot
pushed a commit
to alpinelinux/build-server-status
that referenced
this issue
May 6, 2024
This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/stretchr/testify](https://github.com/stretchr/testify) | require | minor | `v1.8.0` -> `v1.9.0` | --- ### Release Notes <details> <summary>stretchr/testify (github.com/stretchr/testify)</summary> ### [`v1.9.0`](https://github.com/stretchr/testify/releases/tag/v1.9.0) [Compare Source](stretchr/testify@v1.8.4...v1.9.0) #### What's Changed - Fix Go modules version by [@​SuperQ](https://github.com/SuperQ) in stretchr/testify#1394 - Document that require is not safe to call in created goroutines by [@​programmer04](https://github.com/programmer04) in stretchr/testify#1392 - Remove myself from MAINTAINERS.md by [@​mvdkleijn](https://github.com/mvdkleijn) in stretchr/testify#1367 - Correct spelling/grammar by [@​echarrod](https://github.com/echarrod) in stretchr/testify#1389 - docs: Update URLs in README by [@​davidjb](https://github.com/davidjb) in stretchr/testify#1349 - Update mockery link to Github Pages in README by [@​LandonTClipp](https://github.com/LandonTClipp) in stretchr/testify#1346 - docs: Fix typos in tests and comments by [@​alexandear](https://github.com/alexandear) in stretchr/testify#1410 - CI: tests from go1.17 by [@​SuperQ](https://github.com/SuperQ) in stretchr/testify#1409 - Fix adding ? when no values passed by [@​lesichkovm](https://github.com/lesichkovm) in stretchr/testify#1320 - codegen: use standard header for generated files by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1406 - mock: AssertExpectations log reason only on failure by [@​hikyaru-suzuki](https://github.com/hikyaru-suzuki) in stretchr/testify#1360 - assert: fix flaky TestNeverTrue by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1417 - README: fix typos "set up" vs "setup" by [@​ossan-dev](https://github.com/ossan-dev) in stretchr/testify#1428 - mock: move regexp compilation outside of `Called` by [@​aud10slave](https://github.com/aud10slave) in stretchr/testify#631 - assert: refactor internal func getLen() by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1445 - mock: deprecate type AnythingOfTypeArgument ([#​1434](stretchr/testify#1434)) by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1441 - Remove no longer needed assert.canConvert by [@​alexandear](https://github.com/alexandear) in stretchr/testify#1470 - assert: ObjectsAreEqual: use time.Equal for time.Time types by [@​tscales](https://github.com/tscales) in stretchr/testify#1464 - Bump actions/checkout from 3 to 4 by [@​dependabot](https://github.com/dependabot) in stretchr/testify#1466 - Bump actions/setup-go from 3.2.0 to 4.1.0 by [@​dependabot](https://github.com/dependabot) in stretchr/testify#1451 - fix: make EventuallyWithT concurrency safe by [@​czeslavo](https://github.com/czeslavo) in stretchr/testify#1395 - assert: fix httpCode and HTTPBody occur panic when http.Handler read Body by [@​hidu](https://github.com/hidu) in stretchr/testify#1484 - assert.EqualExportedValues: fix handling of arrays by [@​zrbecker](https://github.com/zrbecker) in stretchr/testify#1473 - .github: use latest Go versions by [@​kevinburkesegment](https://github.com/kevinburkesegment) in stretchr/testify#1489 - assert: Deprecate EqualExportedValues by [@​HaraldNordgren](https://github.com/HaraldNordgren) in stretchr/testify#1488 - suite: refactor test assertions by [@​alexandear](https://github.com/alexandear) in stretchr/testify#1474 - suite: fix SetupSubTest and TearDownSubTest execution order by [@​linusbarth](https://github.com/linusbarth) in stretchr/testify#1471 - docs: Fix deprecation comments for http package by [@​alexandear](https://github.com/alexandear) in stretchr/testify#1335 - Add map support doc comments to Subset and NotSubset by [@​jedevc](https://github.com/jedevc) in stretchr/testify#1306 - TestErrorIs/TestNotErrorIs: check error message contents by [@​craig65535](https://github.com/craig65535) in stretchr/testify#1435 - suite: fix subtest names (fix [#​1501](stretchr/testify#1501)) by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1504 - assert: improve unsafe.Pointer tests by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1505 - assert: simplify isNil implementation by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1506 - assert.InEpsilonSlice: fix expected/actual order and other improvements by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1483 - Fix dependency cycle with objx [#​1292](stretchr/testify#1292) by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1453 - mock: refactor TestIsArgsEqual by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1444 - mock: optimize argument matching checks by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1416 - assert: fix TestEventuallyTimeout by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1412 - CI: add go 1.21 in GitHub Actions by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1450 - suite: fix recoverAndFailOnPanic to report test failure at the right location by [@​dolmen](https://github.com/dolmen) in stretchr/testify#1502 - Update maintainers by [@​brackendawson](https://github.com/brackendawson) in stretchr/testify#1533 - assert: Fix EqualValues to handle overflow/underflow by [@​arjunmahishi](https://github.com/arjunmahishi) in stretchr/testify#1531 - assert: better formatting for Len() error by [@​kevinburkesegment](https://github.com/kevinburkesegment) in stretchr/testify#1485 - Ensure AssertExpectations does not fail in skipped tests by [@​ianrose14](https://github.com/ianrose14) in stretchr/testify#1331 - suite: fix deadlock in suite.Require()/Assert() by [@​arjunmahishi](https://github.com/arjunmahishi) in stretchr/testify#1535 - Revert "assert: ObjectsAreEqual: use time.Equal for time.Time type" by [@​brackendawson](https://github.com/brackendawson) in stretchr/testify#1537 - \[chore] Add issue templates by [@​arjunmahishi](https://github.com/arjunmahishi) in stretchr/testify#1538 - Update the build status badge by [@​brackendawson](https://github.com/brackendawson) in stretchr/testify#1540 - Update Github workflows setup-go to V5 by [@​hendrywiranto](https://github.com/hendrywiranto) in stretchr/testify#1545 - Support Pointer to Struct in EqualExportedValues by [@​Lucaber](https://github.com/Lucaber) in stretchr/testify#1517 - README: drop link to gorc by [@​guettli](https://github.com/guettli) in stretchr/testify#1248 - http_assertions: honour the msgAndArgs provided with each assertion by [@​arjunmahishi](https://github.com/arjunmahishi) in stretchr/testify#1548 - fix typos in comments and tests by [@​ccoVeille](https://github.com/ccoVeille) in stretchr/testify#1247 - Include the auto-release notes in releases by [@​brackendawson](https://github.com/brackendawson) in stretchr/testify#1550 - Add `NotImplements` and variants by [@​hslatman](https://github.com/hslatman) in stretchr/testify#1385 - Add support to compare uintptr by [@​bogdandrutu](https://github.com/bogdandrutu) in stretchr/testify#1339 - build(deps): bump github.com/stretchr/objx from 0.5.1 to 0.5.2 by [@​dependabot](https://github.com/dependabot) in stretchr/testify#1552 #### New Contributors - [@​SuperQ](https://github.com/SuperQ) made their first contribution in stretchr/testify#1394 - [@​programmer04](https://github.com/programmer04) made their first contribution in stretchr/testify#1392 - [@​echarrod](https://github.com/echarrod) made their first contribution in stretchr/testify#1389 - [@​davidjb](https://github.com/davidjb) made their first contribution in stretchr/testify#1349 - [@​LandonTClipp](https://github.com/LandonTClipp) made their first contribution in stretchr/testify#1346 - [@​alexandear](https://github.com/alexandear) made their first contribution in stretchr/testify#1410 - [@​lesichkovm](https://github.com/lesichkovm) made their first contribution in stretchr/testify#1320 - [@​dolmen](https://github.com/dolmen) made their first contribution in stretchr/testify#1406 - [@​hikyaru-suzuki](https://github.com/hikyaru-suzuki) made their first contribution in stretchr/testify#1360 - [@​ossan-dev](https://github.com/ossan-dev) made their first contribution in stretchr/testify#1428 - [@​aud10slave](https://github.com/aud10slave) made their first contribution in stretchr/testify#631 - [@​tscales](https://github.com/tscales) made their first contribution in stretchr/testify#1464 - [@​czeslavo](https://github.com/czeslavo) made their first contribution in stretchr/testify#1395 - [@​hidu](https://github.com/hidu) made their first contribution in stretchr/testify#1484 - [@​zrbecker](https://github.com/zrbecker) made their first contribution in stretchr/testify#1473 - [@​kevinburkesegment](https://github.com/kevinburkesegment) made their first contribution in stretchr/testify#1489 - [@​linusbarth](https://github.com/linusbarth) made their first contribution in stretchr/testify#1471 - [@​jedevc](https://github.com/jedevc) made their first contribution in stretchr/testify#1306 - [@​craig65535](https://github.com/craig65535) made their first contribution in stretchr/testify#1435 - [@​arjunmahishi](https://github.com/arjunmahishi) made their first contribution in stretchr/testify#1531 - [@​ianrose14](https://github.com/ianrose14) made their first contribution in stretchr/testify#1331 - [@​hendrywiranto](https://github.com/hendrywiranto) made their first contribution in stretchr/testify#1545 - [@​Lucaber](https://github.com/Lucaber) made their first contribution in stretchr/testify#1517 - [@​guettli](https://github.com/guettli) made their first contribution in stretchr/testify#1248 - [@​ccoVeille](https://github.com/ccoVeille) made their first contribution in stretchr/testify#1247 - [@​hslatman](https://github.com/hslatman) made their first contribution in stretchr/testify#1385 - [@​bogdandrutu](https://github.com/bogdandrutu) made their first contribution in stretchr/testify#1339 **Full Changelog**: stretchr/testify@v1.8.4...v1.9.0 ### [`v1.8.4`](https://github.com/stretchr/testify/releases/tag/v1.8.4) [Compare Source](stretchr/testify@v1.8.3...v1.8.4) #### What's Changed - Create GitHub release when new release tag is pushed by [@​aldas](https://github.com/aldas) in stretchr/testify#1354 #### New Contributors - [@​aldas](https://github.com/aldas) made their first contribution in stretchr/testify#1354 **Full Changelog**: stretchr/testify@v1.8.3...v1.8.4 ### [`v1.8.3`](https://github.com/stretchr/testify/releases/tag/v1.8.3) [Compare Source](stretchr/testify@v1.8.2...v1.8.3) #### What's Changed - Compare public elements of struct by [@​mchlp](https://github.com/mchlp) in stretchr/testify#1309 - assert: fix error message formatting for NotContains by [@​wwade](https://github.com/wwade) in stretchr/testify#1362 - allow testing for functional options by [@​nbaztec](https://github.com/nbaztec) in stretchr/testify#1023 - add EventuallyWithT assertion by [@​tobikris](https://github.com/tobikris) in stretchr/testify#1264 - EqualExportedValues: Handle nested pointer, slice and map fields by [@​HaraldNordgren](https://github.com/HaraldNordgren) in stretchr/testify#1379 #### New Contributors - [@​mchlp](https://github.com/mchlp) made their first contribution in stretchr/testify#1309 - [@​wwade](https://github.com/wwade) made their first contribution in stretchr/testify#1362 - [@​nbaztec](https://github.com/nbaztec) made their first contribution in stretchr/testify#1023 - [@​tobikris](https://github.com/tobikris) made their first contribution in stretchr/testify#1264 **Full Changelog**: stretchr/testify@v1.8.2...v1.8.3 ### [`v1.8.2`](https://github.com/stretchr/testify/releases/tag/v1.8.2) [Compare Source](stretchr/testify@v1.8.1...v1.8.2) #### What's Changed - Add opportunity to trigger setup/teardown for subtest by [@​qerdcv](https://github.com/qerdcv) in stretchr/testify#1246 - fix: fix bug for check unsafe.Pointer isNil by [@​sunpe](https://github.com/sunpe) in stretchr/testify#1319 - Fix Call.Unset() panic (issue [#​1236](stretchr/testify#1236)) by [@​lisitsky](https://github.com/lisitsky) in stretchr/testify#1250 - Fix `CallerInfo()` source file paths by [@​bozaro](https://github.com/bozaro) in stretchr/testify#1288 - assert: Fix Subset/NotSubset when map is missing keys from the subset by [@​danielwhite](https://github.com/danielwhite) in stretchr/testify#1261 #### New Contributors - [@​qerdcv](https://github.com/qerdcv) made their first contribution in stretchr/testify#1246 - [@​sunpe](https://github.com/sunpe) made their first contribution in stretchr/testify#1319 - [@​lisitsky](https://github.com/lisitsky) made their first contribution in stretchr/testify#1250 - [@​bozaro](https://github.com/bozaro) made their first contribution in stretchr/testify#1288 - [@​danielwhite](https://github.com/danielwhite) made their first contribution in stretchr/testify#1261 **Full Changelog**: stretchr/testify@v1.8.1...v1.8.2 ### [`v1.8.1`](https://github.com/stretchr/testify/releases/tag/v1.8.1) [Compare Source](stretchr/testify@v1.8.0...v1.8.1) #### What's Changed - Bump github.com/stretchr/objx from 0.4.0 to 0.5.0 by [@​dependabot](https://github.com/dependabot) in stretchr/testify#1283 **Full Changelog**: stretchr/testify@v1.8.0...v1.8.1 </details> --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yODYuMSIsInVwZGF0ZWRJblZlciI6IjM3LjI4Ni4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> See merge request alpine/infra/build-server-status!12
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
testify@v1.8.1 includes objx v0.5.0 which includes testify@v1.8.0 which eventually includes yaml.v3@v3.0.0 which has a Denial of Service CWE 400 and a Null Pointer deference CWE 476 vulnerability.
go mod graph(excerpts):github.com/stretchr/testify@v1.8.1 github.com/stretchr/objx@v0.5.0
github.com/stretchr/objx@v0.5.0 github.com/stretchr/testify@v1.8.0
github.com/stretchr/testify@v1.8.0 github.com/stretchr/objx@v0.4.0
github.com/stretchr/objx@v0.4.0 github.com/stretchr/testify@v1.7.1
github.com/stretchr/testify@v1.7.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c
Perhaps a fix would be to tag the latest objx to say 0.5.1, update testify to point to that version and cut a new tag for testify that everyone can include.
Thanks.
The text was updated successfully, but these errors were encountered: