fix(sec): upgrade gopkg.in/yaml.v3 to 3.0.0 #1640
Codecov Report
Patch and project coverage have no change.

Additional details and impacted files
@@ Coverage Diff @@
##           master    #1640   +/-   ##
=======================================
  Coverage   83.68%   83.68%
=======================================
  Files          19       19
  Lines        3813     3813
=======================================
  Hits         3191     3191
  Misses        530      530
  Partials       92       92

☔ View full report in Codecov by Sentry.
@chncaption Thanks for your contribution.
* Update README_zh-CN.md (#1545) remove repeat net/http
* Add option to set template delimiters (#1499)
  * Add template action delimiter cli flag
  * Add delims to generator config and template Also adds tests using the "quote" test as a base. This has to have a custom Instance name or it will clash with the "quotes" one and panic since it will have registered two "swagger" instances in the package test.
  * Add testdata for custom delim flags Based on the "quote" testdata.
  * Add delims to the spec, with tests. Make sure we don't add delims if they are empty. This shouldn't be possible, but might as well be safe.
  * Go mod tidy and sum update
  * Make the CLI experience a bit cleaner
  * Revert go.mod and sum
  * Update readme
* fix bug: enums of explicit type conversion (#1556) Signed-off-by: sdghchj <sdghchj@qq.com>
* add retract to fix proxy cache caused by accidentally pushed tags (#1562)
  * add retract caused by accidentally pushed tags
  * update version to match new tag version
  --------- Co-authored-by: Tobias Theel <tt@fino.digital>
* docs: doc to pt Add option to set template delims. (#1563)
* fix: lint error for generated docs.go (#1583) Co-authored-by: wanglonghui7 <wanglonghui7@jd.com>
* fix bug: enums of underscored number (#1581) Signed-off-by: sdghchj <sdghchj@qq.com>
* fix using tab (\t) as separator for custom type names (#1594)
* chore(deps): bump github.com/gin-gonic/gin (#1598) Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.7.7 to 1.9.1. - [Release notes](https://github.com/gin-gonic/gin/releases) - [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md) - [Commits](gin-gonic/gin@v1.7.7...v1.9.1) --- updated-dependencies: - dependency-name: github.com/gin-gonic/gin dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump github.com/gin-gonic/gin in /example/celler (#1599) Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.7.7 to 1.9.1. - [Release notes](https://github.com/gin-gonic/gin/releases) - [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md) - [Commits](gin-gonic/gin@v1.7.7...v1.9.1) --- updated-dependencies: - dependency-name: github.com/gin-gonic/gin dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump github.com/gin-gonic/gin in /example/go-module-support (#1600) Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.7.7 to 1.9.1. - [Release notes](https://github.com/gin-gonic/gin/releases) - [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md) - [Commits](gin-gonic/gin@v1.7.7...v1.9.1) --- updated-dependencies: - dependency-name: github.com/gin-gonic/gin dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix required params parsing for routes with multiple paths and multiple params (#1621)
  * fix required params parsing for routes with multiple paths and multiple params
  * fix incorrect variable declaration of validParams
* parser: if all tags negate return true on no hits (#1624)
  * parser: if all tags negate return true on no hits
* fix: enums in body got parse incorrectly (#1625)
* parse binary literal const (#1593)
  * support binary const Signed-off-by: sdghchj <sdghchj@qq.com>
  * add test Signed-off-by: sdghchj <sdghchj@qq.com>
  --------- Signed-off-by: sdghchj <sdghchj@qq.com>
* feat: global security (#1620)
  * global security
  * improve test
* add cli flag --pdl to determine whether parse operations in dependency (#1605)
  * change cli flag to parse operations in dependency Signed-off-by: sdghchj <sdghchj@qq.com>
  * change cli flag to parse operations in dependency Signed-off-by: sdghchj <sdghchj@qq.com>
  * add cli flag --pdl to determine whether parse operations in dependency Signed-off-by: sdghchj <sdghchj@qq.com>
  * add cli flag --pdl to determine whether parse operations in dependency Signed-off-by: sdghchj <sdghchj@qq.com>
  * add cli flag --pdl to determine whether parse operations in dependency Signed-off-by: sdghchj <sdghchj@qq.com>
  --------- Signed-off-by: sdghchj <sdghchj@qq.com>
* feat: add --packagePrefix=P for only parse packages matched by prefix P (#1582)
* enhancement: report which property is triggering a parsing error (#1439)
* add byte check before and after file is formatted (#1637)
* feat: preserve file permission when write formatted files (#1636) test: add a test case to validate permission equal
* docs(readme): fix param brace (#1647)
* chore(deps): bump gopkg.in/yaml.v3 (#1663) Bumps gopkg.in/yaml.v3 from 3.0.0-20200615113413-eeeca48fe776 to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* yaml.v3 security patch (#1664)
* test: remove redundant `filepath.Clean` call (#1675)
* chore(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 (#1686) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.17.0. - [Commits](golang/net@v0.8.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/net in /example/markdown (#1685) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.17.0. - [Commits](golang/net@v0.7.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* When the return value defined by the @success tag is equal to a null value, make fixes to prevent a null pointer exception occurs (#1667)
* chore(deps): bump golang.org/x/net in /example/go-module-support (#1682) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](golang/net@v0.10.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/net in /example/object-map-example (#1684) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](golang/net@v0.10.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/net in /example/celler (#1683) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](golang/net@v0.10.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: add PT and EN examples for Go generic types (#1697)
* Update README.md (#1698) Adding instructions to finish the steps in `Getting started` section before `How to use it with Gin` It is easy for anybody to miss out that section which causes unwanted failures in the Swagger UI
* update gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 to 3.0.0 (#1640)
* improve docker container usage (#1704)
  * Update Go build version for Docker container
  * Explicitly specify copy target
  * Set ENTRYPOINT
  * Move binary to /bin
  * Add docker usage instructions to the README
  * Set /code as the default WORKDIR
  --------- Co-authored-by: Norman Gehrsitz <git@gehrsitz.eu>
* fix issue #1662: find definitions from external packages first (#1666) Signed-off-by: sdghchj <sdghchj@qq.com>
* Drop support for go v1.17.x (#1723)
  * Drop support for go v1.17.x Signed-off-by: sdghchj <sdghchj@qq.com>
* Add flag state #1628 (#1629)
  * add state flag
* fix deps (#1724) Signed-off-by: sdghchj <sdghchj@qq.com>
* chore(deps): bump golang.org/x/crypto in /example/celler (#1727) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0. - [Commits](golang/crypto@v0.14.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/crypto in /example/go-module-support (#1726) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0. - [Commits](golang/crypto@v0.14.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/crypto in /example/object-map-example (#1725) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0. - [Commits](golang/crypto@v0.14.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* deprecate some parts of routers in an operation (#1735) Signed-off-by: sdghchj <sdghchj@qq.com>
* bug: array form field name should not contain bracket which led to invalid fieldname in ts codegen (#1706)
* Struct fields supported for header and path param types (#1740)
  * Support object data types for header params Add initial struct test for header names and validation.
  * Add form and query struct test for operations
  * Operation param add path struct model support and tests wip: fix merge
* fix #1742 (#1744)
  * fix #1742 Signed-off-by: sdghchj <sdghchj@qq.com>
* Feat: Support generic with map params (#1746)
  * support generic with map params Signed-off-by: sdghchj <sdghchj@qq.com>
* Update version.go (#1751)
* Update operation.go (#1753) getUnderlyingSchema can return nil, so it has to be checked here otherwise the code is exposed to invalid memory address or nil pointer dereference
* fix: remove dropped tags from general infos (#1764)
  * fix: remove unneeded tags from general infos Signed-off-by: sdghchj <sdghchj@qq.com>
* Update docker go build version to 1.21 (#1758)
* add support for "title" tag (#1762) feat: add support for "title" tag in structField struct to allow specifying a custom field title
* chore: fix some typos in comments (#1788) Signed-off-by: camcui <cuishua@sina.cn>
* bump go version (#1797)
  * bump go version
  * cleanup pipeline
* chore(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 (#1793) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0. - [Commits](golang/net@v0.17.0...v0.23.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/net in /example/markdown (#1792) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0. - [Commits](golang/net@v0.17.0...v0.23.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/net in /example/celler (#1794) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0. - [Commits](golang/net@v0.17.0...v0.23.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/net in /example/go-module-support (#1795) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0. - [Commits](golang/net@v0.17.0...v0.23.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/net in /example/object-map-example (#1796) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0. - [Commits](golang/net@v0.17.0...v0.23.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Handle case of empty GOROOT (#1798) In some situations, such as when using the go-swag Nix package, runtime.GOROOT() will be empty, and RangeFiles will skip all source paths since technically, all paths are prefixed with the empty string. See also NixOS/nixpkgs#224701 May resolve some cases of #1622.
* Added multiline support for @description attribute for securityDefinitions (#1786)
* Feat: multi-arch docker image (#1756)
  * Feat: multi-arch docker image - adapt Dockerfile to support cross-compilation depending on TARGETARCH and TARGETOS variables see https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/ - set target platforms for docker/build-push-action
  * Support running on forks
  * Fix ARG format
  * Fix docker digest step
  * Restrict permissions
  * Update action versions
  * Set $TARGETPLATFORM explicitly docker/build-push-action#820 (comment)
  --------- Co-authored-by: Norman Gehrsitz <45375059+ngehrsitz@users.noreply.github.com>
* chore(deps): bump google.golang.org/protobuf (#1773) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump google.golang.org/protobuf (#1774) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump google.golang.org/protobuf in /example/celler (#1775) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix issue: #1780: filter $GOROOT path (#1827) Signed-off-by: song <tinysong1226@gmail.com>
* feat: read from stdin, write to stdout (#1831) (#1832) Co-authored-by: Bruno Bonatto <bruno.bonatto@simfrete.com.br>
* Added support for parsing comments inside of function bodies (#1824) Added support for parsing comments inside of function bodies --------- Co-authored-by: Jonas Ha <jonas-ha@outlook.com>
* adds support for complex types with function scope (#1813)
* [Issue 1812] fix misalignment in expected.json and api.go messing with parser_test (#1836)
* Fixes Issue 1829 (#1830)
  * fix: fixes a bug that could select wrong tag description markdown file
  * fixes parser to be able to parse file names with and without ext
* Fix global overrides for any/interface ref types (#1835) When overriding with any or interface{}, the code should prefer the "any" (empty) schema instead, not the object schema since that's different e.g.
* adds support for pointer function scoped fields (#1841)
* fix parse nested structs and aliases (#1866) Co-authored-by: ma.mikhaylov <ma.mikhaylov@tinkoff.ru>
* Fix generics used with function scoped types (#1883)
* Fix param comment escaping issue (#1890) This commit fixes a param comment issue where a "\n" gets escaped so it would not be applied to the output swagger file.
* support markdown description for declaration (#1893)
  * feat: support markdown description for declaration
  * fix: range PackagesDefinitions.uniqueDefinitions cause panic
  --------- Co-authored-by: xinbi.nie <xinbi.nie@voidtech.com.cn>
* update README (#1856)
* Update docs for request and response headers (#1825)
* fix:parse all field names declared in a row (#1872)
  * fix:parse all fields names declared in a row
* Flags to parse internal and dependency package (#1894)
* fix: failing assert in enums test on 32bit (#1634)
* Feat: Add support for parenthesis in router patterns (#1859)
* chore: Update ci.yml (#1902)
* new release (#1901)
  * fix some issues
  * fix unit tests
  ---------
  Signed-off-by: sdghchj <sdghchj@qq.com>
  Signed-off-by: dependabot[bot] <support@github.com>
  Signed-off-by: camcui <cuishua@sina.cn>
  Signed-off-by: song <tinysong1226@gmail.com>
  Co-authored-by: tzxdtc10 <tzxdtc10@gmail.com>
  Co-authored-by: Leo Palmer Sunmo <leosunmo@users.noreply.github.com>
  Co-authored-by: sdghchj <sdghchj@qq.com>
  Co-authored-by: Nerzal <theel.tobias@gmx.de>
  Co-authored-by: Tobias Theel <tt@fino.digital>
  Co-authored-by: Paulo Lopes Estevão <66704496+Paulo-Lopes-Estevao@users.noreply.github.com>
  Co-authored-by: lowang-bh <lhui_wang@163.com>
  Co-authored-by: wanglonghui7 <wanglonghui7@jd.com>
  Co-authored-by: Martin W. Kirst <maki@bitkings.de>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Phenix66 <34311559+Phenix66@users.noreply.github.com>
  Co-authored-by: Roy Marples <roy@marples.name>
  Co-authored-by: Billy Ho <77315748+hohobilly@users.noreply.github.com>
  Co-authored-by: nameoffnv <553619+nameoffnv@users.noreply.github.com>
  Co-authored-by: Shengyu Zhang <reg@silverrainz.me>
  Co-authored-by: Sakis <sakishrist@gmail.com>
  Co-authored-by: Daniel Moncada <daniel.g.moncada@gmail.com>
  Co-authored-by: wholesome-ghoul <99685814+wholesome-ghoul@users.noreply.github.com>
  Co-authored-by: Shimizu1111 <70021314+Shimizu1111@users.noreply.github.com>
  Co-authored-by: Renan Silva <rpedrodasilva10@gmail.com>
  Co-authored-by: Saurabh Chatterjee <2438415+saurabhchatterjee23@users.noreply.github.com>
  Co-authored-by: caption <101684156+chncaption@users.noreply.github.com>
  Co-authored-by: ngehrsitz <45375059+ngehrsitz@users.noreply.github.com>
  Co-authored-by: Norman Gehrsitz <git@gehrsitz.eu>
  Co-authored-by: Ivan Volkov <volkoffskij@gmail.com>
  Co-authored-by: Jinof <1474121785@qq.com>
  Co-authored-by: Joe Shaw <joe.r.shaw@gmail.com>
  Co-authored-by: Mathieu Chauvet <mathieu.chauvet@gmail.com>
  Co-authored-by: Matteo Bassan <44482835+matteobassan@users.noreply.github.com>
  Co-authored-by: camcui <166618273+camcui@users.noreply.github.com>
  Co-authored-by: Evan Goode <mail@evangoo.de>
  Co-authored-by: Vladimir Avchenov <vladimir.lsk.cool@gmail.com>
  Co-authored-by: Timo Naroska <tnaroska@yahoo.com>
  Co-authored-by: bob <tinysong1226@gmail.com>
  Co-authored-by: bfbonatto <bfbonatto@gmail.com>
  Co-authored-by: Bruno Bonatto <bruno.bonatto@simfrete.com.br>
  Co-authored-by: j-d-ha <61319894+j-d-ha@users.noreply.github.com>
  Co-authored-by: Jonas Ha <jonas-ha@outlook.com>
  Co-authored-by: Kristoffer Fage Jensen <kristofferfage@gmail.com>
  Co-authored-by: Michi H <Kafkalasch@users.noreply.github.com>
  Co-authored-by: Ezequiel Rodriguez <ezequiel@users.noreply.github.com>
  Co-authored-by: zdon0 <100082302+zdon0@users.noreply.github.com>
  Co-authored-by: ma.mikhaylov <ma.mikhaylov@tinkoff.ru>
  Co-authored-by: Berk Karaal <karaalberk7@gmail.com>
  Co-authored-by: Yuki Omoto <omoto.aijus@gmail.com>
  Co-authored-by: nicoxix <13716553+nicoxb@users.noreply.github.com>
  Co-authored-by: xinbi.nie <xinbi.nie@voidtech.com.cn>
  Co-authored-by: Eike Haller <58111764+eksrha@users.noreply.github.com>
  Co-authored-by: Harsh Mittal <harshmittal2210@gmail.com>
  Co-authored-by: Leso_KN <info@lesosoftware.com>
  Co-authored-by: alifemove <140655906+alifemove@users.noreply.github.com>
What happened?
There is 1 security vulnerability found in gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
What did I do?
Upgrade gopkg.in/yaml.v3 from v3.0.0-20200615113413-eeeca48fe776 to 3.0.0 for the vulnerability fix
What did you expect to happen?
Ideally, no insecure libs should be used.
How can we automate the detection of these types of issues?
By using the GitHub Actions configurations provided by murphysec, we can conduct automatic code security checks in our CI pipeline.
The specification of the pull request
PR Specification from OSCS
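As an added example (not code from this PR or from the swag project), the Go program below shows the check behind the PR body: it scans a go.mod excerpt for a `gopkg.in/yaml.v3` requirement older than the `v3.0.0` the PR upgrades to. The point it makes is why the pinned pseudo-version counts as unpatched at all: `v3.0.0-20200615113413-eeeca48fe776` carries a pre-release suffix, so under Go's semver ordering it sorts below the final `v3.0.0` release that the dependabot bump and this PR move to. The go.mod text is constructed for the example, and `sampleGoMod`, `FixedYAMLv3`, `VersionLess` and `VulnerableRequires` are this example's own names. For a real repository the right tool is `govulncheck`, which resolves the full module graph; this snippet only looks at `require` lines and ignores `replace` directives.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt (not the project's real file).
// It pins the pre-release pseudo-version this PR replaces, plus an unrelated module.
const sampleGoMod = `module example.com/app

go 1.19

require (
	github.com/gin-gonic/gin v1.9.1
	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
)
`

// FixedYAMLv3 is the release the PR upgrades to.
const FixedYAMLv3 = "v3.0.0"

// parseVersion splits "vMAJOR.MINOR.PATCH[-prerelease][+build]" into its
// numeric core and a pre-release string (empty for a final release).
func parseVersion(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // build metadata never affects ordering
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 { // a pseudo-version's timestamp/hash lives here
		pre = v[i+1:]
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for k, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, "", false
		}
		nums[k] = n
	}
	return nums, pre, true
}

// VersionLess reports whether a sorts before b. Numeric core first; with an
// equal core, a pre-release (which is what a Go pseudo-version is) sorts below
// the final release, so v3.0.0-20200615113413-eeeca48fe776 < v3.0.0.
// Two pre-releases are compared as strings, which is enough for the
// timestamp-based pseudo-versions go.mod uses. Unparseable input is never "less".
func VersionLess(a, b string) bool {
	an, apre, aok := parseVersion(a)
	bn, bpre, bok := parseVersion(b)
	if !aok || !bok {
		return false
	}
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	if (apre == "") != (bpre == "") {
		return apre != ""
	}
	return apre < bpre
}

// VulnerableRequires returns every version of module required by the go.mod
// text that is older than fixed. Only require lines (block or single-line
// form) are inspected; trailing "// indirect" comments are stripped.
func VulnerableRequires(gomod, module, fixed string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		line = strings.TrimPrefix(line, "require ")
		fields := strings.Fields(line)
		if len(fields) != 2 || fields[0] != module {
			continue
		}
		if VersionLess(fields[1], fixed) {
			hits = append(hits, fields[1])
		}
	}
	return hits
}

func main() {
	for _, v := range VulnerableRequires(sampleGoMod, "gopkg.in/yaml.v3", FixedYAMLv3) {
		fmt.Printf("gopkg.in/yaml.v3 %s is older than %s: upgrade\n", v, FixedYAMLv3)
	}
}
```

Running it prints one line for the pseudo-version in the sample; after applying the upgrade the PR makes (`v3.0.0`), the same scan reports nothing.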