Comments (16)

jessehouwing commented on May 26, 2024 2

As far as I can tell, this has merged:
01d398f

from azure-pipelines-task-lib.

maksimu commented on May 26, 2024 1

Any updates on this? The security team of one of our customers is demanding that we upgrade our library with the patched version of mockery.

Vertex-btb commented on May 26, 2024 1

@joshftb Two weeks ago this was given the 'triage' label and then removed. Your latest response indicates that this vulnerability may not be exploitable, yet the issue remains 'Open.' Please advise if Microsoft is planning to update their references to use the newest version of mockery that is not vulnerable (according to SNYK there are no 'next non-vulnerable versions') or plans to close this issue.

lgmorand commented on May 26, 2024 1

aleksandrlevochkin commented on May 26, 2024

Hi @luxaflow, thank you for reporting this issue. This is currently being worked on.

joshftb commented on May 26, 2024

@maksimu mockery is only used for testing, so none of its exports will see prod. Also, the task does not use the vulnerable component of that library anyways.

rajarajan2801 commented on May 26, 2024

Team, any updates on this? If the task doesn't use the vulnerable component, can you please advise why this issue is not closed? We need to respond back to our Security team about the status of this issue.

aleksandrlevochkin commented on May 26, 2024

@Vertex-btb, @rajarajan2801 Mockery is indeed used only for testing. This issue is not closed, as we're preparing a replacement, and it's not merged yet.

JuanDuhalde12 commented on May 26, 2024

Hi, any updates on this? I have a task created and I depend on this issue being solved to be able to deploy it. Thanks

lgmorand commented on May 26, 2024

Hi :)
Not a single commit on the PR for a full month since Lilia's work. Any idea when we could expect it or what is blocking, because all checks seem OK? Thanks <3

jessehouwing commented on May 26, 2024

Compatibility checks with the existing tasks in the azure-pipelines-tasks and introduction of the node20 handler and other priorities. Merging this pull request has consequences beyond this library.

github-actions commented on May 26, 2024

This issue has had no activity in 90 days. Please comment if it is not actually stale

lgmorand commented on May 26, 2024

not stale :)

PratMoha commented on May 26, 2024

Any update on this issue?
Waiting for the fix for quite some time now. It is becoming critical to us as we're unable to upgrade our packages to a higher version as the security check fails for azure-pipelines-task-lib.

PratMoha commented on May 26, 2024

Thanks jesse.
