Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CWE 330 #144

Merged
merged 2 commits into from
Jun 9, 2021
Merged

Conversation

martinkennelly
Copy link
Member

Upgraded sprig from v2 to v3 which states no Go API changes for v3 major release upgrade in order to upgrade vulnerable dependency goutils to 1.1.1.

Snyk report: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSGOUTILS-1296313

This operator doesn't seem vulnerable to this packages vulnerability, but I am trying to maintain a clean snyk scan.

Steps taken to reproduce and fix:

  • snyk test
  • manually change sprig to v3 in pkg/render/render.go
  • go mod tidy
  • go mod vendor

Signed-off-by: Kennelly, Martin <[email protected]>
Upgrade sprig to ver.3 which updates CWE-330
vulnerable goutils to 1.1.1.
Sprig ver.3 retains the same Go API as ver.2.

Signed-off-by: Martin Kennelly <[email protected]>
@pliurh
Copy link
Collaborator

pliurh commented Jun 8, 2021

/lgtm

@github-actions github-actions bot added the lgtm label Jun 8, 2021
Copy link
Collaborator

@e0ne e0ne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants