
fix(sec): upgrade gopkg.in/yaml.v3 to 3.0.0 #1640

Merged
merged 1 commit into from
Nov 7, 2023

Conversation

chncaption
Contributor

What happened?

There is 1 security vulnerability found in gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776

What did I do?

Upgrade gopkg.in/yaml.v3 from v3.0.0-20200615113413-eeeca48fe776 to 3.0.0 for vulnerability fix

What did you expect to happen?

Ideally, no insecure libs should be used.

How can we automate the detection of these types of issues?

By using the GitHub Actions configurations provided by murphysec, we can conduct automatic code security checks in our CI pipeline.

The specification of the pull request

PR Specification from OSCS
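The PR body makes two points: the pinned pseudo-version of gopkg.in/yaml.v3 must move past the fixed release, and CI should catch such pins on its own. Both can be served by one dependency-floor gate, shown below as an added example written for this page (not code from the PR, from swaggo/swag or from murphysec). It reads a constructed go.mod fragment, finds the version recorded for a module, and fails when that version sorts below the fixed release under semver precedence, which is the rule that makes the upgrade meaningful: a Go pseudo-version such as v3.0.0-20200615113413-eeeca48fe776 is a pre-release of v3.0.0 and therefore older than it. The function names, the sample go.mod contents and the module path example.com/app are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod texts (not swaggo/swag's real go.mod): the first pins
// the pseudo-version named in the PR in a require block, the second the fixed release.
const sampleGoModBefore = "module example.com/app\n\ngo 1.20\n\nrequire (\n\tgopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect\n)\n"
const sampleGoModAfter = "module example.com/app\n\ngo 1.20\n\nrequire gopkg.in/yaml.v3 v3.0.0\n"

// RequiredVersion returns the version recorded for modulePath in go.mod text
// (single-line "require x v1" or a "require ( ... )" block), or "" if absent.
func RequiredVersion(goMod, modulePath string) string {
	sc, inBlock := bufio.NewScanner(strings.NewReader(goMod)), false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // strip "// indirect" comments
			line = strings.TrimSpace(line[:i])
		}
		if line == "require (" || line == ")" {
			inBlock = line == "require ("
			continue
		}
		f := strings.Fields(line)
		if inBlock && len(f) == 2 && f[0] == modulePath {
			return f[1]
		}
		if !inBlock && len(f) == 3 && f[0] == "require" && f[1] == modulePath {
			return f[2]
		}
	}
	return ""
}

// parseCore splits "vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]"; build metadata such as "+incompatible" is ignored.
func parseCore(v string) (core [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	v, _, _ = strings.Cut(v, "+")
	v, pre, _ = strings.Cut(v, "-")
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, pre, false
	}
	for k, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return core, pre, false
		}
		core[k] = n
	}
	return core, pre, true
}

// CompareVersions returns -1, 0 or 1 by semver precedence: numeric core first, then
// "a pre-release sorts below its release", which is why v3.0.0-20200615113413-eeeca48fe776
// is older than v3.0.0. Two pre-release tags are compared as plain strings (enough for a floor).
func CompareVersions(a, b string) int {
	ca, pa, _ := parseCore(a)
	cb, pb, _ := parseCore(b)
	for k := 0; k < 3; k++ {
		if ca[k] < cb[k] {
			return -1
		}
		if ca[k] > cb[k] {
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// CheckMinimumVersion returns the pinned version of modulePath and whether it is
// below minVersion. Unparseable versions fail closed; an absent module passes.
func CheckMinimumVersion(goMod, modulePath, minVersion string) (string, bool) {
	got := RequiredVersion(goMod, modulePath)
	if got == "" {
		return "", false
	}
	_, _, ok := parseCore(got)
	return got, !ok || CompareVersions(got, minVersion) < 0
}

func main() {
	for _, mod := range []string{sampleGoModBefore, sampleGoModAfter} {
		v, bad := CheckMinimumVersion(mod, "gopkg.in/yaml.v3", "v3.0.0")
		fmt.Printf("gopkg.in/yaml.v3 %s below v3.0.0: %v\n", v, bad)
	}
}
```

Run as a CI step, the gate would exit non-zero on the first result and pass on the second. Two caveats for a real pipeline: the main module's go.mod records a lower bound, and the version actually built is the one minimal version selection picks across the whole module graph, which `go list -m all` reports, so a gate should inspect that build list rather than go.mod alone; and for vulnerability matching proper, the Go team's govulncheck consults the Go vulnerability database, so the fixed version does not have to be hand-maintained per module as it is here.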


codecov bot commented Aug 15, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (27b27bd) 83.68% compared to head (e3b3bd0) 83.68%.
Report is 3 commits behind head on master.

❗ Current head e3b3bd0 differs from pull request most recent head fd8830b. Consider uploading reports for the commit fd8830b to get more accurate results

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1640   +/-   ##
=======================================
  Coverage   83.68%   83.68%           
=======================================
  Files          19       19           
  Lines        3813     3813           
=======================================
  Hits         3191     3191           
  Misses        530      530           
  Partials       92       92           

☔ View full report in Codecov by Sentry.

@ubogdan ubogdan merged commit c7c63fc into swaggo:master Nov 7, 2023
9 checks passed
Contributor

ubogdan commented Nov 7, 2023

@chncaption Thanks for your contribution.

ubogdan added a commit that referenced this pull request Oct 19, 2024
* Update README_zh-CN.md (#1545)

remove repeat net/http

* Add option to set template delimiters (#1499)

* Add template action delimiter cli flag

* Add delims to generator config and template

Also adds tests using the "quote" test as a base. This has to have a
custom Instance name or it will clash with the "quotes" one and panic
since it will have registered two "swagger" instances in the package
test.

* Add testdata for custom delim flags

Based on the "quote" testdata.

* Add delims to the spec, with tests.

Make sure we don't add delims if they are empty. This shouldn't be
possible, but might as well be safe.

* Go mod tidy and sum update

* Make the CLI experience a bit cleaner

* Revert go.mod and sum

* Update readme

* fix bug: enums of explicit type conversion (#1556)

Signed-off-by: sdghchj <[email protected]>

* add retract to fix proxy cache caused by accidentally pushed tags (#1562)

* add retract caused by accidentally pushed tags

* update version to match new tag version

---------

Co-authored-by: Tobias Theel <[email protected]>

* docs: doc to pt Add option to set template delims. (#1563)

* fix: lint error for generated docs.go (#1583)

Co-authored-by: wanglonghui7 <[email protected]>

* fix bug: enums of underscored number (#1581)

Signed-off-by: sdghchj <[email protected]>

* fix using tab (\t) as separator for custom type names (#1594)

* chore(deps): bump github.com/gin-gonic/gin (#1598)

Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.7.7 to 1.9.1.
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](gin-gonic/gin@v1.7.7...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/gin-gonic/gin
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/gin-gonic/gin in /example/celler (#1599)

Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.7.7 to 1.9.1.
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](gin-gonic/gin@v1.7.7...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/gin-gonic/gin
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/gin-gonic/gin in /example/go-module-support (#1600)

Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.7.7 to 1.9.1.
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](gin-gonic/gin@v1.7.7...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/gin-gonic/gin
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix required params parsing for routes with multiple paths and multiple params (#1621)

* fix required params parsing for routes with multiple paths and multiple params

* fix incorrect variable declaration of validParams

* parser: if all tags negate return true on no hits (#1624)

* parser: if all tags negate return true on no hits

* fix: enums in body got parsed incorrectly (#1625)

* parse binary literal const (#1593)

* support binary const

Signed-off-by: sdghchj <[email protected]>

* add test

Signed-off-by: sdghchj <[email protected]>

---------

Signed-off-by: sdghchj <[email protected]>

* feat: global security (#1620)

* global security

* improve test

* add cli flag --pdl to determine whether parse operations in dependency (#1605)

* change cli flag to parse operations in dependency

Signed-off-by: sdghchj <[email protected]>

* change cli flag to parse operations in dependency

Signed-off-by: sdghchj <[email protected]>

* add cli flag --pdl to determine whether parse operations in dependency

Signed-off-by: sdghchj <[email protected]>

* add cli flag --pdl to determine whether parse operations in dependency

Signed-off-by: sdghchj <[email protected]>

* add cli flag --pdl to determine whether parse operations in dependency

Signed-off-by: sdghchj <[email protected]>

---------

Signed-off-by: sdghchj <[email protected]>

* feat: add --packagePrefix=P for only parse packages matched by prefix P (#1582)

* enhancement: report which property is triggering a parsing error (#1439)

* add byte check before and after file is formatted (#1637)

* feat: preserve file permission when write formatted files (#1636)

test: add a test case to validate permission equal

* docs(readme): fix param brace (#1647)

* chore(deps): bump gopkg.in/yaml.v3 (#1663)

Bumps gopkg.in/yaml.v3 from 3.0.0-20200615113413-eeeca48fe776 to 3.0.0.

---
updated-dependencies:
- dependency-name: gopkg.in/yaml.v3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* yaml.v3 security patch (#1664)

* test: remove redundant `filepath.Clean` call (#1675)

* chore(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 (#1686)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.17.0.
- [Commits](golang/net@v0.8.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/net in /example/markdown (#1685)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.17.0.
- [Commits](golang/net@v0.7.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* When the return value defined by the @success tag is equal to a null value, make fixes to prevent a null pointer exception from occurring (#1667)

* chore(deps): bump golang.org/x/net in /example/go-module-support (#1682)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0.
- [Commits](golang/net@v0.10.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/net in /example/object-map-example (#1684)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0.
- [Commits](golang/net@v0.10.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/net in /example/celler (#1683)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0.
- [Commits](golang/net@v0.10.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: add PT and EN examples for Go generic types (#1697)

* Update README.md (#1698)

Adding instructions to finish the steps in `Getting started` section before `How to use it with Gin`
It is easy for anybody to miss out that section which causes unwanted failures in the Swagger UI

* update gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 to 3.0.0 (#1640)

* improve docker container usage (#1704)

* Update Go build version for Docker container

* Explicitly specify copy target

* Set ENTRYPOINT

* Move binary to /bin

* Add docker usage instructions to the README

* Set /code as the default WORKDIR

---------

Co-authored-by: Norman Gehrsitz <[email protected]>

* fix issue #1662: find definitions from external packages first (#1666)

Signed-off-by: sdghchj <[email protected]>

* Drop support for go v1.17.x (#1723)

* Drop support for go v1.17.x

Signed-off-by: sdghchj <[email protected]>

* Add flag state #1628 (#1629)

* add state flag

* fix deps (#1724)

Signed-off-by: sdghchj <[email protected]>

* chore(deps): bump golang.org/x/crypto in /example/celler (#1727)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0.
- [Commits](golang/crypto@v0.14.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/crypto in /example/go-module-support (#1726)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0.
- [Commits](golang/crypto@v0.14.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/crypto in /example/object-map-example (#1725)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0.
- [Commits](golang/crypto@v0.14.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* deprecate some parts of routers in an operation (#1735)

Signed-off-by: sdghchj <[email protected]>

* bug: array form field name should not contain bracket, which led to invalid fieldname in ts codegen (#1706)

* Struct fields supported for header and path param types (#1740)

* Support object data types for header params

Add initial struct test for header names and validation.

* Add form and query struct test for operations

* Operation param add path struct model support and tests

wip: fix merge

* fix #1742 (#1744)

* fix #1742

Signed-off-by: sdghchj <[email protected]>

* Feat: Support generic with map params (#1746)

* support generic with map params

Signed-off-by: sdghchj <[email protected]>

* Update version.go (#1751)

* Update operation.go (#1753)

getUnderlyingSchema can return nil, so it has to be checked here otherwise the code is exposed to invalid memory address or nil pointer dereference

* fix: remove dropped tags from general infos (#1764)

* fix: remove unneeded tags from general infos

Signed-off-by: sdghchj <[email protected]>

* Update docker go build version to 1.21 (#1758)

* add support for "title" tag (#1762)

feat: add support for "title" tag in structField struct to allow specifying a custom field title

* chore: fix some typos in comments (#1788)

Signed-off-by: camcui <[email protected]>

* bump go version (#1797)

* bump go version
* cleanup pipeline

* chore(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 (#1793)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0.
- [Commits](golang/net@v0.17.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/net in /example/markdown (#1792)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0.
- [Commits](golang/net@v0.17.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/net in /example/celler (#1794)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0.
- [Commits](golang/net@v0.17.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/net in /example/go-module-support (#1795)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0.
- [Commits](golang/net@v0.17.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/net in /example/object-map-example (#1796)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0.
- [Commits](golang/net@v0.17.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Handle case of empty GOROOT (#1798)

In some situations, such as when using the go-swag Nix package, runtime.GOROOT() will be empty, and RangeFiles will skip all source paths since technically, all paths are prefixed with the empty string.

See also NixOS/nixpkgs#224701

May resolve some cases of #1622.

* Added multiline support for @description attribute for securityDefinitions (#1786)

* Feat: multi-arch docker image (#1756)

* Feat: multi-arch docker image

- adapt Dockerfile to support cross-compilation depending on TARGETARCH and TARGETOS variables see https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
- set target platforms for docker/build-push-action

* Support running on forks

* Fix ARG format

* Fix docker digest step

* Restrict permissions

* Update action versions

* Set $TARGETPLATFORM explicitly

docker/build-push-action#820 (comment)

---------

Co-authored-by: Norman Gehrsitz <[email protected]>

* chore(deps): bump google.golang.org/protobuf (#1773)

Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/protobuf (#1774)

Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/protobuf in /example/celler (#1775)

Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix issue: #1780: filter $GOROOT path (#1827)

Signed-off-by: song <[email protected]>

* feat: read from stdin, write to stdout (#1831) (#1832)

Co-authored-by: Bruno Bonatto <[email protected]>

* Added support for parsing comments inside of function bodies (#1824)

Added support for parsing comments inside of function bodies

---------

Co-authored-by: Jonas Ha <[email protected]>

* adds support for complex types with function scope (#1813)

* [Issue 1812] fix misalignment in expected.json and api.go messing with parser_test (#1836)

* Fixes Issue 1829 (#1830)

* fix: fixes a bug that could select wrong tag description markdown file

* fixes parser to be able to parse file names with and without ext

* Fix global overrides for any/interface ref types (#1835)

When overriding with any or interface{}, the code should prefer the "any" (empty) schema instead, not the object schema since that's different e.g.

* adds support for pointer function scoped fields (#1841)

* fix parse nested structs and aliases (#1866)

Co-authored-by: ma.mikhaylov <[email protected]>

* Fix generics used with function scoped types (#1883)

* Fix param comment escaping issue (#1890)

This commit fixes a param comment issue where a "\n" gets escaped so it would not be applied to the output swagger file.

* support markdown description for declaration (#1893)

* feat: support markdown description for declaration

* fix: range PackagesDefinitions.uniqueDefinitions cause panic

---------

Co-authored-by: xinbi.nie <[email protected]>

* update README (#1856)

* Update docs for request and response headers (#1825)

* fix: parse all field names declared in a row (#1872)

* fix: parse all field names declared in a row

* Flags to parse internal and dependency package (#1894)

* fix: failing assert in enums test on 32bit (#1634)

* Feat: Add support for parenthesis in router patterns (#1859)

* chore: Update ci.yml (#1902)

* new release (#1901)

* fix some issues

* fix unit tests

---------

Signed-off-by: sdghchj <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: camcui <[email protected]>
Signed-off-by: song <[email protected]>
Co-authored-by: tzxdtc10 <[email protected]>
Co-authored-by: Leo Palmer Sunmo <[email protected]>
Co-authored-by: sdghchj <[email protected]>
Co-authored-by: Nerzal <[email protected]>
Co-authored-by: Tobias Theel <[email protected]>
Co-authored-by: Paulo Lopes Estevão <[email protected]>
Co-authored-by: lowang-bh <[email protected]>
Co-authored-by: wanglonghui7 <[email protected]>
Co-authored-by: Martin W. Kirst <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Phenix66 <[email protected]>
Co-authored-by: Roy Marples <[email protected]>
Co-authored-by: Billy Ho <[email protected]>
Co-authored-by: nameoffnv <[email protected]>
Co-authored-by: Shengyu Zhang <[email protected]>
Co-authored-by: Sakis <[email protected]>
Co-authored-by: Daniel Moncada <[email protected]>
Co-authored-by: wholesome-ghoul <[email protected]>
Co-authored-by: Shimizu1111 <[email protected]>
Co-authored-by: Renan Silva <[email protected]>
Co-authored-by: Saurabh Chatterjee <[email protected]>
Co-authored-by: caption <[email protected]>
Co-authored-by: ngehrsitz <[email protected]>
Co-authored-by: Norman Gehrsitz <[email protected]>
Co-authored-by: Ivan Volkov <[email protected]>
Co-authored-by: Jinof <[email protected]>
Co-authored-by: Joe Shaw <[email protected]>
Co-authored-by: Mathieu Chauvet <[email protected]>
Co-authored-by: Matteo Bassan <[email protected]>
Co-authored-by: camcui <[email protected]>
Co-authored-by: Evan Goode <[email protected]>
Co-authored-by: Vladimir Avchenov <[email protected]>
Co-authored-by: Timo Naroska <[email protected]>
Co-authored-by: bob <[email protected]>
Co-authored-by: bfbonatto <[email protected]>
Co-authored-by: Bruno Bonatto <[email protected]>
Co-authored-by: j-d-ha <[email protected]>
Co-authored-by: Jonas Ha <[email protected]>
Co-authored-by: Kristoffer Fage Jensen <[email protected]>
Co-authored-by: Michi H <[email protected]>
Co-authored-by: Ezequiel Rodriguez <[email protected]>
Co-authored-by: zdon0 <[email protected]>
Co-authored-by: ma.mikhaylov <[email protected]>
Co-authored-by: Berk Karaal <[email protected]>
Co-authored-by: Yuki Omoto <[email protected]>
Co-authored-by: nicoxix <[email protected]>
Co-authored-by: xinbi.nie <[email protected]>
Co-authored-by: Eike Haller <[email protected]>
Co-authored-by: Harsh Mittal <[email protected]>
Co-authored-by: Leso_KN <[email protected]>
Co-authored-by: alifemove <[email protected]>