
Sec vul CVE-2022-28948 from sirupsen/logrus > stretchr/testify > yaml.v3 #1932

Closed
amaciejk opened this issue Feb 13, 2024 · 2 comments · Fixed by #1938

Comments

@amaciejk

We are using minio-go/v7 and are getting the following security hit:
https://nvd.nist.gov/vuln/detail/CVE-2022-28948

Via the following dep tree:

github.com/minio/minio-go/v7
github.com/sirupsen/logrus
github.com/sirupsen/logrus.test
github.com/stretchr/testify/assert
gopkg.in/yaml.v3

I've opened an issue with sirupsen/logrus here:
sirupsen/logrus#1419

But as logrus doesn't seem to be frequently maintained, possibly you may want to look at removing it?

@amaciejk
Author

Note it doesn't look promising for logrus doing this as I also found the following old issue which got auto-closed: sirupsen/logrus#1399

@bh4t bh4t added the community label Feb 15, 2024
@ferhatelmas
Contributor

It seems it's solely used for functional testing. How about replacing it with log/slog? Since go1.21 it is in the standard library, which means one less dependency.
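As an added illustration of the swap proposed above (this is example code, not minio-go's own test code), the block below shows a small logrus-style test-log helper rewritten on top of the standard-library `log/slog` package. The function names (`newTestLogger`, `logTestResult`, `captureTestLog`) and the sample test names are assumptions made for the example; the only real APIs used are those of `log/slog`. Dropping the timestamp via `ReplaceAttr` keeps the output deterministic so it can be checked.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"log/slog"
	"os"
	"strings"
)

// newTestLogger builds a slog logger that writes text records to w.
// It stands in for the logrus logger the functional tests used before,
// so the test binary no longer needs logrus in the module graph.
// The time attribute is dropped so output is stable across runs.
func newTestLogger(w io.Writer) *slog.Logger {
	opts := &slog.HandlerOptions{
		Level: slog.LevelInfo,
		ReplaceAttr: func(groups []string, a slog.Attr) slog.Attr {
			if len(groups) == 0 && a.Key == slog.TimeKey {
				return slog.Attr{} // empty Attr is discarded by the handler
			}
			return a
		},
	}
	return slog.New(slog.NewTextHandler(w, opts))
}

// logTestResult records one functional-test outcome with structured
// key/value attributes, the slog equivalent of logrus's
// WithFields(...).Info / .Error calls.
func logTestResult(l *slog.Logger, name string, passed bool, err error) {
	if passed {
		l.Info("test passed", "name", name)
		return
	}
	l.Error("test failed", "name", name, "error", err)
}

// captureTestLog runs logTestResult against an in-memory buffer and
// returns the rendered lines, so the emitted records can be inspected.
func captureTestLog(name string, passed bool, err error) []string {
	var buf bytes.Buffer
	l := newTestLogger(&buf)
	logTestResult(l, name, passed, err)
	return strings.Split(strings.TrimSpace(buf.String()), "\n")
}

func main() {
	// Constructed sample calls; the test names are hypothetical.
	l := newTestLogger(os.Stderr)
	logTestResult(l, "TestPutObject", true, nil)
	logTestResult(l, "TestGetObject", false, errors.New("constructed sample failure"))
}
```

Because `slog` is part of the standard library from Go 1.21, this variant of the helper adds no third-party module and so nothing for a vulnerability scanner to flag through the test dependency path.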

ferhatelmas added a commit to ferhatelmas/minio-go that referenced this issue Feb 20, 2024
Drop logrus in favor of slog.
Bump testify and use in healthcheck
test to make it a direct dependency.

Fixes minio#1932.
harshavardhana pushed a commit that referenced this issue Feb 21, 2024
Drop logrus in favor of slog.

Fixes #1932.