gopkg.in/yaml.v2:v2.4.0 is End Of Life support, Can we use v3?

[ijajmulani]

I can see gopkg.in/yaml.v2 is being used. Our BlackDuck scan shows gopkg.in/yaml.v2 version is EOLed. Hence can we update this component to latest v3 version.

[bwplotka]

Interesting. We don't use yaml. We will have to check in the transient dependency who uses it. At least Prometheus common has this. Can you add same issue on https://github.com/prometheus/common?

Thanks!

[trend-shihyi-wu]

Hello, due to the current inclusion of gopkg.in/[email protected], a vulnerability CVE-2022-28948 has been detected. As per compliance requirements, it is necessary to address this issue within the given deadline. I would like to inquire if there are any plans to upgrade to gopkg.in/yaml.v3 v3.0.1 in order to resolve this matter. Thank you for your attention.

[bwplotka]

This project does not use anything related to YAML, it does not use this module, so it's not vulnerable.

Plus the vulnerability you mention is for v3 version only, not for v2 (see e.g. Teamwork/kommentaar#91 (comment))

[ijajmulani]

Hi @bwplotka
Looks as a sub dependency it yaml v2 is getting used. https://github.com/prometheus/client_golang/blob/main/go.mod#L29

vulnerability is for v2 version not for v3.

[bwplotka]

The fact it's in go.mod especially in indirect part, does not mean this code or the code we depend on actively use it. This likely comes from prometheus/common module and we don't use its types that additionally support some yaml encoding.

I still suspect the vuln is for v3 only. Can you show me the vuln part of v2 code?

Nevertheless we could check how to kill yaml indirect dep or move to v3, but it's not urgent IMO

[bwplotka]

Can you share any information about v2 EOL? Can't find any official statement.

[kakkoyun]

Ok we need to remove the dependency now https://github.com/go-yaml/yaml?tab=readme-ov-file#this-project-is-unmaintained

[bwplotka]

I hope it's not some odd April fools joke:

Some forks exists https://github.com/kubernetes-sigs/yaml

However for those who needs yaml lib going forward, looks like https://github.com/goccy/go-yaml is being recommended, also by the author of gopkg.in/yaml.

Anyway, I will reiterate:

• We don't depend directly on any gopkg.in/yaml.* version.

go mod graph | grep yaml
github.com/prometheus/client_golang gopkg.in/[email protected] # indirect dep coming from a direct common dependency.
github.com/prometheus/[email protected] gopkg.in/[email protected]
github.com/prometheus/[email protected] gopkg.in/[email protected]
gopkg.in/[email protected] gopkg.in/[email protected]

We don't use any YAML logic, so any of those scan, vuln results are false alerts.

As a client_golang project we can do 2 things:

1. Promote and help with the upgrade of common. I added issue for this Consider switching gopkg.in/yaml.* to github.com/goccy/go-yaml proposals#49.
2. Stop depending on common which we discuss a bit but it's quite a challenge.

This issue is not enough reasons to do (2), so I am closing this issue and marking it as a duplicate with prometheus/proposals#49. Feel free to comment and discuss in case we missed something! Thanks!