Fix CVE-2022-28948 - Remove gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c #1532

@vmatyus

Description

Github Advisor reported a vulnerable package: gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
Here is the CVE report.

One of my applications uses the testify package as a dependency; in the current setup my application is vulnerable, which is why I am asking you to correct this vulnerability.

I checked the dependency usage in the following way:

go mod graph | grep "gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c"
github.com/stretchr/testify@v1.7.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c

go mod graph | grep "github.com/stretchr/testify@v1.7.1"                 
github.com/stretchr/objx@v0.4.0 github.com/stretchr/testify@v1.7.1

go mod graph | grep "github.com/stretchr/objx@v0.4.0"   
github.com/stretchr/testify@v1.8.0 github.com/stretchr/objx@v0.4.0

go mod graph | grep "github.com/stretchr/testify@v1.8.0"
github.com/stretchr/objx@v0.5.0 github.com/stretchr/testify@v1.8.0

go mod graph | grep "github.com/stretchr/objx@v0.5.0"   
github.com/stretchr/testify@v1.8.4 github.com/stretchr/objx@v0.5.0

go mod graph | grep "github.com/stretchr/testify@v1.8.4"
github.ibm.com/cloudant/rc-sync github.com/stretchr/testify@v1.8.4
github.com/stretchr/testify@v1.8.4 github.com/davecgh/go-spew@v1.1.1
github.com/stretchr/testify@v1.8.4 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/testify@v1.8.4 github.com/stretchr/objx@v0.5.0
github.com/stretchr/testify@v1.8.4 gopkg.in/yaml.v3@v3.0.1
github.ibm.com/IAM/context-token@v0.2.3 github.com/stretchr/testify@v1.8.4
github.ibm.com/IAM/pep/v4@v4.2.1-release github.com/stretchr/testify@v1.8.4
github.ibm.com/IAM/token/v5@v5.2.5 github.com/stretchr/testify@v1.8.4

From the above dependency tree it can be seen that the vulnerable package is pulled in through github.com/stretchr/objx@v0.5.0.

I would like to ask you to correct this package vulnerability.
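The repeated `go mod graph | grep` steps above trace one requirement chain by hand. The following script, added here as an example and not part of the issue or the testify project, automates that walk: it reads `go mod graph` output on stdin and prints the shortest requirement chain from the main module to a given module@version. The sample graph is constructed to mirror the chain reported above; `example.com/app` is an assumed main module name.

```shell
#!/bin/sh
# Added example, not from the issue or the testify project: given `go mod graph`
# output on stdin, print the shortest requirement chain from the main module
# to a target module@version (what the reporter did by hand with repeated greps).
# Assumption: the main module is the only node without an @version suffix,
# which is how go mod graph prints it.
why_module() {
  awk -v target="$1" '
    # Remember the main module and, for every module, who requires it.
    $1 !~ /@/ && root == "" { root = $1 }
    { parent[$2] = parent[$2] " " $1 }
    END {
      if (root == "" || !(target in parent)) exit 1
      # Breadth-first search from the target back towards the main module.
      head = 1; tail = 1; queue[tail++] = target; seen[target] = 1
      while (head < tail) {
        cur = queue[head++]
        if (cur == root) break
        n = split(parent[cur], ps, " ")
        for (i = 1; i <= n; i++) {
          p = ps[i]
          if (p in seen) continue
          seen[p] = 1; prev[p] = cur; queue[tail++] = p
        }
      }
      if (!(root in seen)) exit 1
      # Walk prev[] forward from the main module to print the chain.
      out = root
      for (cur = root; cur != target; cur = prev[cur]) out = out " -> " prev[cur]
      print out
    }'
}

# Constructed sample graph mirroring the chain reported in the issue;
# example.com/app stands in for the reporter's main module.
GRAPH='example.com/app github.com/stretchr/testify@v1.8.4
example.com/app github.ibm.com/IAM/token/v5@v5.2.5
github.ibm.com/IAM/token/v5@v5.2.5 github.com/stretchr/testify@v1.8.4
github.com/stretchr/testify@v1.8.4 github.com/stretchr/objx@v0.5.0
github.com/stretchr/testify@v1.8.4 gopkg.in/yaml.v3@v3.0.1
github.com/stretchr/objx@v0.5.0 github.com/stretchr/testify@v1.8.0
github.com/stretchr/testify@v1.8.0 github.com/stretchr/objx@v0.4.0
github.com/stretchr/objx@v0.4.0 github.com/stretchr/testify@v1.7.1
github.com/stretchr/testify@v1.7.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c'

# Real use: go mod graph | why_module gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c
printf '%s\n' "$GRAPH" | why_module 'gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c'
```

Note that `go mod graph` lists every requirement edge, including versions that minimal version selection does not build; the version actually selected for the build is the one `go list -m gopkg.in/yaml.v3` reports.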

Metadata


    Labels

    YAML (About YAML and dependency)
    dependencies (Pull requests that update a dependency file)
    rejected/invalid (Not a bug but a misunderstanding by the requester)
