
Vulnerability CVE-2022-3064 #534

Closed
hiltol opened this issue Jan 11, 2023 · 4 comments · Fixed by #535
Labels: dependencies, invalid

Comments

hiltol commented Jan 11, 2023

Hi, our scans detected GHSA-6q6q-88xp-6f2r in the github.com/sanathkr/go-yaml module which hasn't been updated in 5 years. The suggested fix is to upgrade to go-yaml > 2.2.4.

rubenfonseca (Contributor) commented

Thank you for your message. As far as I understand, we're not using go-yaml <= 2.2.4. Please feel free to re-open if you disagree.

balazs-marjan commented

Hi, @rubenfonseca

So this dependency of yours, github.com/sanathkr/go-yaml, is actually an old fork of the go-yaml library, right? Some scanning tools - like https://www.mend.io/'s solution - can detect forks like this.

The concern is obvious: any vulnerability found in the original library since the time of the fork remains unaddressed.
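The fork problem described above can be checked for in a go.mod without a commercial scanner. The following is an added example, not code from this issue or from the goformation project: it parses the `require` directives of a constructed go.mod and reports any module whose repository name matches go-yaml but whose path is not one of the assumed canonical ones, since such a fork never receives the upstream fix.

```go
package main

import "strings"

// Constructed sample go.mod: the sanathkr/go-yaml line mirrors the dependency the issue points at (pseudo-version made up).
const sampleGoMod = `module github.com/example/app
require github.com/stretchr/testify v1.8.1
require (
	github.com/sanathkr/go-yaml v0.0.0-20170819000000-0123456789ab // indirect
	gopkg.in/yaml.v2 v2.2.8
)`

// Canonical go-yaml module paths (assumed list). Any other module whose repository
// name is "yaml" or "go-yaml" is reported as a fork that inherits no upstream fix.
var canonicalYAML = map[string]bool{"gopkg.in/yaml.v2": true, "gopkg.in/yaml.v3": true, "github.com/go-yaml/yaml": true}

// requires returns [module, version] pairs from single-line and block require directives.
func requires(gomod string) [][2]string {
	var out [][2]string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			out = append(out, [2]string{f[1], f[2]})
		case inBlock && len(f) == 2:
			out = append(out, [2]string{f[0], f[1]})
		}
	}
	return out
}

// yamlForks flags required modules that look like go-yaml but live at a non-canonical path.
func yamlForks(gomod string) [][2]string {
	var forks [][2]string
	for _, r := range requires(gomod) {
		repo := r[0][strings.LastIndex(r[0], "/")+1:]                         // last path element
		name := strings.TrimPrefix(strings.SplitN(repo, ".v", 2)[0], "go-") // yaml.v2 -> yaml, go-yaml -> yaml
		if name == "yaml" && !canonicalYAML[r[0]] {
			forks = append(forks, r)
		}
	}
	return forks
}
```

A flagged fork has to be compared against the upstream advisory by commit date rather than by version, because a pseudo-version like the one above says nothing about which upstream fixes it contains.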

hiltol (Author) commented Jan 12, 2023

Hi @rubenfonseca thanks for the follow-up. This mod https://github.com/awslabs/goformation/blob/master/go.mod#L6 is a fork of go-yaml which contains the vulnerability. I don't seem to have permissions to re-open the issue. Could you re-open?

hiltol (Author) commented Jan 13, 2023

Thank you!


3 participants