Posted to issues@arrow.apache.org by "Dominic Barnes (Jira)" <ji...@apache.org> on 2022/06/06 21:29:00 UTC
[jira] [Created] (ARROW-16759) [Go]
Dominic Barnes created ARROW-16759:
--------------------------------------
Summary: [Go]
Key: ARROW-16759
URL: https://issues.apache.org/jira/browse/ARROW-16759
Project: Apache Arrow
Issue Type: Task
Components: Go
Affects Versions: 8.0.0, 7.0.0
Reporter: Dominic Barnes
The packages under github.com/apache/arrow/go currently have a dependency on github.com/stretchr/testify v1.7.0, which has a dependency on gopkg.in/yaml.v3 that has an outstanding security vulnerability. ([CVE-2022-28948|https://github.com/advisories/GHSA-hp87-p4gw-j4gq])
While testify is only used during tests, this is not distinguished by the go toolchain and other tools like Snyk, which scan the dependency chain for vulnerabilities. Unfortunately, due to Go's [Minimal version selection|https://go.dev/ref/mod#minimal-version-selection], this ends up requiring us to visit our dependencies to ensure this security vulnerability is addressed.
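As an added illustration of the minimal version selection point above (example code written for this note, not Arrow's or testify's), here is a toy module graph in which the main module's only path to gopkg.in/yaml.v3 is the test dependency testify. The main module path and all version numbers are constructed placeholders (take affected and fixed versions from the advisory); the second run shows that a direct require at a higher version raises the selected version, which is what `go get gopkg.in/yaml.v3@<fixed>` or a testify release that already requires the fixed version achieves.

```go
package main

import "fmt"

// Module is an import path at a version; Graph is each version's require list (nothing marks testify as test-only).
type Module struct{ Path, Version string }
type Graph map[Module][]Module

// ExampleGraph is constructed (not the real go.mod files); yaml.v3 version numbers are placeholders, see the advisory.
func ExampleGraph(directYamlRequire bool) (Graph, Module) {
	arrow := Module{"github.com/apache/arrow/go/v8", "main"}
	testify := Module{"github.com/stretchr/testify", "v1.7.0"}
	g := Graph{
		arrow:   {testify},
		testify: {{"gopkg.in/yaml.v3", "v3.0.0"}}, // stands in for the affected release
	}
	if directYamlRequire { // what `go get gopkg.in/yaml.v3@<fixed>` adds to go.mod
		g[arrow] = append(g[arrow], Module{"gopkg.in/yaml.v3", "v3.0.1"}) // placeholder fix
	}
	return g, arrow
}

// newer reports whether plain "vX.Y.Z" a is above b; real pseudo-versions need semver rules.
func newer(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] > y[0] || x[0] == y[0] && (x[1] > y[1] || x[1] == y[1] && x[2] > y[2])
}

// Select is minimal version selection: every reachable requirement, test-only or not, raises the per-path maximum.
func Select(g Graph, main Module) map[string]string {
	picked := map[string]string{}
	for stack := []Module{main}; len(stack) > 0; {
		m := stack[len(stack)-1]
		stack = append(stack[:len(stack)-1], g[m]...) // pop m, push its requires; graph assumed acyclic
		if cur, ok := picked[m.Path]; !ok || newer(m.Version, cur) {
			picked[m.Path] = m.Version
		}
	}
	delete(picked, main.Path)
	return picked
}

func main() {
	for _, direct := range []bool{false, true} {
		g, arrow := ExampleGraph(direct)
		fmt.Println("direct yaml.v3 require =", direct, "->", Select(g, arrow))
	}
}
```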
--
This message was sent by Atlassian Jira
(v8.20.7#820007)