Posted to jira@arrow.apache.org by "Kouhei Sutou (Jira)" <ji...@apache.org> on 2022/07/12 05:47:00 UTC

[jira] [Assigned] (ARROW-16759) [Go]

     [ https://issues.apache.org/jira/browse/ARROW-16759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kouhei Sutou reassigned ARROW-16759:
------------------------------------

    Assignee: Dominic Barnes

> [Go]
> ----
>
>                 Key: ARROW-16759
>                 URL: https://issues.apache.org/jira/browse/ARROW-16759
>             Project: Apache Arrow
>          Issue Type: Task
>          Components: Go
>    Affects Versions: 7.0.0, 8.0.0
>            Reporter: Dominic Barnes
>            Assignee: Dominic Barnes
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 9.0.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> The packages under github.com/apache/arrow/go currently have a dependency on github.com/stretchr/testify v1.7.0 which has a dependency on gopkg.in/yaml.v3 that has an outstanding security vulnerability. ([CVE-2022-28948|https://github.com/advisories/GHSA-hp87-p4gw-j4gq])
> While testify is only used during tests, this is not distinguished by the Go toolchain and other tools like Snyk which scan the dependency chain for vulnerabilities. Unfortunately, due to Go's [Minimal version selection|https://go.dev/ref/mod#minimal-version-selection], this ends up requiring us to visit our dependencies to ensure this security vulnerability is addressed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)