Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update gopkg.in/yaml.v2 to v2.2.8 #199

Closed
wants to merge 1 commit into from

Conversation

katexochen
Copy link

Fixes the following vulnerabilities found during a scan:

https://pkg.go.dev/vuln/GO-2022-0956
https://pkg.go.dev/vuln/GO-2021-0061
https://pkg.go.dev/vuln/GO-2020-0036

Checking nixpkg agebox
Scanning your code and 182 packages across 17 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2022-0956
    Excessive resource consumption in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2022-0956
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/[email protected]
    Fixed in: gopkg.in/[email protected]
    Example traces found:
      #1: internal/storage/fs/track.go:74:22: fs.TrackRepository.GetSecretRegistry calls yaml.Unmarshal, which eventually calls yaml.Unmarshal

Vulnerability #2: GO-2021-0061
    Denial of service in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2021-0061
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/[email protected]
    Fixed in: gopkg.in/[email protected]
    Example traces found:
      #1: internal/storage/fs/track.go:74:22: fs.TrackRepository.GetSecretRegistry calls yaml.Unmarshal, which eventually calls yaml.Unmarshal

Vulnerability #3: GO-2020-0036
    Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2020-0036
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/[email protected]
    Fixed in: gopkg.in/[email protected]
    Example traces found:
      #1: internal/storage/fs/track.go:74:22: fs.TrackRepository.GetSecretRegistry calls yaml.Unmarshal, which eventually calls yaml.Unmarshal

Your code is affected by 3 vulnerabilities from 1 module.
This scan also found 5 vulnerabilities in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

@katexochen katexochen requested a review from slok as a code owner April 27, 2024 14:27
@katexochen katexochen closed this Oct 4, 2024
@katexochen katexochen deleted the fix-vulns branch October 4, 2024 11:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant