Sec vul CVE-2022-28948 from pkg/credentials > ini.v1 > stretchr/testify > yaml.v3

[amaciejk]

We are using latest minio-go v7.0.70 and are seeing:
GHSA-hp87-p4gw-j4gq
https://nvd.nist.gov/vuln/detail/CVE-2022-28948

Dep tree is:

github.com/minio/minio-go/v7/pkg/credentials
gopkg.in/ini.v1
gopkg.in/ini.v1.test
github.com/stretchr/testify/assert
gopkg.in/yaml.v3

an updated go.sum shows:

github.com/minio/minio-go/v7 v7.0.70 h1:1u9NtMgfK1U42kUxcsl5v0yj6TEOPR497OAQxpJnn2g=
github.com/minio/minio-go/v7 v7.0.70/go.mod h1:4yBA8v80xGA30cfM3fz0DKYMXunWl/AV/6tWEs9ryzo=
github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

2020 seems quite old compared to 2022 or latest even.

Looks like stretchr/testify have fixed in v1.8.4 or later:
stretchr/testify#1532
so perhaps it is ini.v1 that needs fixing?

[marktheunissen]

Thanks @amaciejk this is from testing code in a dependancy (note gopkg.in/ini.v1.test in your dep tree) but it's worth updating these so that vulnerability scanners don't report false positives.