Posted to issues@arrow.apache.org by "Dominic Barnes (Jira)" <ji...@apache.org> on 2022/06/06 21:29:00 UTC

[jira] [Created] (ARROW-16759) [Go]

Dominic Barnes created ARROW-16759:
--------------------------------------

             Summary: [Go]
                 Key: ARROW-16759
                 URL: https://issues.apache.org/jira/browse/ARROW-16759
             Project: Apache Arrow
          Issue Type: Task
          Components: Go
    Affects Versions: 8.0.0, 7.0.0
            Reporter: Dominic Barnes


The packages under github.com/apache/arrow/go currently have a dependency on github.com/stretchr/testify v1.7.0 which has a dependency on gopkg.in/yaml.v3 that has an outstanding security vulnerability. ([CVE-2022-28948|https://github.com/advisories/GHSA-hp87-p4gw-j4gq])

While testify is only used during tests, this is not distinguished by the go toolchain and other tools like Snyk which scan the dependency chain for vulnerabilities. Unfortunately, due to Go's [Minimal version selection|https://go.dev/ref/mod#minimal-version-selection], this ends up requiring us to visit our dependencies to ensure this security vulnerability is addressed.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
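The following Go program is an added example, not code from the issue, from the Arrow project or from the Go toolchain. It reproduces the mechanism the issue describes: minimal version selection (MVS) walks every module version reachable from the main module, test-only or not, and selects the highest requested version per module path, so a test-only dependency's transitive requirement on gopkg.in/yaml.v3 lands in the build list that scanners inspect. The `go mod graph` text is constructed for the example (the main module name `example.com/app` is made up), the MVS and `go mod why -m` logic is a small re-implementation rather than the toolchain's, and v3.0.1 is assumed to be the first fixed release of gopkg.in/yaml.v3 for CVE-2022-28948. It then shows the remediation the issue points at: a direct requirement on the fixed version, which is what `go get gopkg.in/yaml.v3@v3.0.1` writes into go.mod, wins under MVS even though testify still requests the old pseudo-version.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Edge is one "parent child" line of `go mod graph`; each side is "path@version",
// except the main module, which is printed without a version.
type Edge struct{ From, To string }

// sampleGraph is constructed for this example; it is not real output from the
// Arrow repository. It has the shape the issue describes: the main module
// requires testify v1.7.0, and testify requires yaml.v3 at a pseudo-version
// that predates the fixed release.
const sampleGraph = `example.com/app github.com/stretchr/testify@v1.7.0
github.com/stretchr/testify@v1.7.0 github.com/davecgh/go-spew@v1.1.0
github.com/stretchr/testify@v1.7.0 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/testify@v1.7.0 github.com/stretchr/objx@v0.1.0
github.com/stretchr/testify@v1.7.0 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c
gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405`

func parseGraph(text string) []Edge {
	var edges []Edge
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges = append(edges, Edge{f[0], f[1]})
		}
	}
	return edges
}

func splitMod(node string) (path, version string) {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

func adjacency(edges []Edge) map[string][]string {
	adj := map[string][]string{}
	for _, e := range edges {
		adj[e.From] = append(adj[e.From], e.To)
	}
	return adj
}

func cmpInt(a, b int) int {
	if a < b {
		return -1
	}
	if a > b {
		return 1
	}
	return 0
}

// splitVersion returns the numeric major.minor.patch and the pre-release part.
// A pseudo-version like v3.0.0-20200313102051-9f266ea9e77c is a pre-release of v3.0.0.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, pre
}

// compareVersions orders module versions by semver precedence: numeric core
// first, then a release beats any pre-release, then pre-release identifiers
// (numeric ones numerically, the rest lexically).
func compareVersions(a, b string) int {
	na, pa := splitVersion(a)
	nb, pb := splitVersion(b)
	for i := range na {
		if na[i] != nb[i] {
			return cmpInt(na[i], nb[i])
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	ia, ib := strings.Split(pa, "."), strings.Split(pb, ".")
	for i := 0; i < len(ia) && i < len(ib); i++ {
		x, ex := strconv.Atoi(ia[i])
		y, ey := strconv.Atoi(ib[i])
		switch {
		case ex == nil && ey == nil:
			if x != y {
				return cmpInt(x, y)
			}
		case ex == nil:
			return -1
		case ey == nil:
			return 1
		default:
			if c := strings.Compare(ia[i], ib[i]); c != 0 {
				return c
			}
		}
	}
	return cmpInt(len(ia), len(ib))
}

// selectVersions is minimal version selection: visit every module version
// reachable from the main module and keep, per module path, the highest version
// any reachable requirement asks for. Test-only dependencies are ordinary edges
// here, which is exactly why yaml.v3 ends up in the build list.
func selectVersions(edges []Edge, mainModule string) map[string]string {
	adj := adjacency(edges)
	selected := map[string]string{}
	seen := map[string]bool{mainModule: true}
	queue := []string{mainModule}
	for len(queue) > 0 {
		node := queue[0]
		queue = queue[1:]
		for _, next := range adj[node] {
			if seen[next] {
				continue
			}
			seen[next] = true
			queue = append(queue, next)
			if path, ver := splitMod(next); selected[path] == "" || compareVersions(ver, selected[path]) > 0 {
				selected[path] = ver
			}
		}
	}
	return selected
}

// whyChain returns the shortest requirement chain from the main module to any
// version of target, the information `go mod why -m target` prints.
func whyChain(edges []Edge, mainModule, target string) []string {
	adj := adjacency(edges)
	parent := map[string]string{}
	seen := map[string]bool{mainModule: true}
	queue := []string{mainModule}
	for len(queue) > 0 {
		node := queue[0]
		queue = queue[1:]
		if path, _ := splitMod(node); path == target {
			var chain []string
			for n := node; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range adj[node] {
			if !seen[next] {
				seen[next] = true
				parent[next] = node
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// belowFixed reports whether the selected version of path is older than the
// first fixed release, i.e. whether a scanner finding for it is still live.
func belowFixed(selected map[string]string, path, fixed string) bool {
	v, ok := selected[path]
	return ok && compareVersions(v, fixed) < 0
}

func main() {
	const mainModule, yaml, fixed = "example.com/app", "gopkg.in/yaml.v3", "v3.0.1" // fixed version assumed
	edges := parseGraph(sampleGraph)
	selected := selectVersions(edges, mainModule)
	fmt.Println("why:", strings.Join(whyChain(edges, mainModule, yaml), " -> "))
	fmt.Println("selected:", selected[yaml], "vulnerable:", belowFixed(selected, yaml, fixed))

	// Remediation: a direct requirement on the fixed version (what
	// `go get gopkg.in/yaml.v3@v3.0.1` adds to go.mod) is selected by MVS.
	patched := append(edges, Edge{mainModule, yaml + "@" + fixed})
	selected = selectVersions(patched, mainModule)
	fmt.Println("after pin:", selected[yaml], "vulnerable:", belowFixed(selected, yaml, fixed))
}
```

Pinning the fixed version in the main module's go.mod is the smallest change that clears the finding, but it only holds for modules that consume this go.mod as the root; a downstream importer runs MVS over its own graph, so each consumer inherits the requirement only through this module's go.mod, which is why the issue says every dependency has to be visited.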