
[fix]fix security yaml.v3 CVE-2022-28948 #58

Merged
merged 1 commit into from May 10, 2023

Conversation

dongjiang1989
Contributor

@dongjiang1989
Contributor Author

@pohly PTAL when you have time!

@pohly
Contributor

pohly commented May 10, 2023

Not sure whether a CVE for yaml really affects zapr, but these updates seem useful anyway - let's merge.

@pohly pohly merged commit 6e2be81 into go-logr:master May 10, 2023
10 of 11 checks passed
@dongjiang1989
Contributor Author

dongjiang1989 commented May 11, 2023

> Not sure whether a CVE for yaml really affects zapr, but these updates seem useful anyway - let's merge.

Security report: [screenshot not reproduced]

Update yaml.v3 to the v3.0.1 version.

@pohly Please release a new tag and version, and add @dongjiang1989 as a member.

@pohly
Contributor

pohly commented May 11, 2023

Just because there is a security report doesn't mean that a project is vulnerable... in this case it's clearly not (zapr doesn't do YAML unmarshaling).

@dongjiang1989
Contributor Author

> Just because there is a security report doesn't mean that a project is vulnerable... in this case it's clearly not (zapr doesn't do YAML unmarshaling).

I agree! The security report is just a security risk, not a real bug. The https://github.com/kubernetes-sigs/controller-runtime project imports zapr. kubernetes-sigs also just reports stricter security checks.
