Is it safe to use TestNG that has vulnerabilities?


Test Account

Apr 5, 2023, 8:11:21 AM
to testng-users

Is it safe to use TestNG that has vulnerabilities? I can see the latest version 7.7.1 and it shows Vulnerabilities from dependencies: CVE-2022-1471.
I want to use this dependency in my Maven project. I am a beginner please guide me.


⇜Krishnan Mahadevan⇝

Apr 5, 2023, 8:13:12 AM
to testng...@googlegroups.com
The vulnerability that you are mentioning comes from the snakeyaml dependency that TestNG brings in as an optional dependency.
If you are using suite files that are in XML format, then you are not using the snakeyaml dependency and so it shouldn't affect you in any way.

Thanks & Regards
Krishnan Mahadevan

"All the desirable things in life are either illegal, expensive, fattening or in love with someone else!"
My Scribblings @ http://wakened-cognition.blogspot.com/
My Technical Scribblings @ https://rationaleemotions.com/


On Wed, Apr 5, 2023 at 5:41 PM Test Account <autot...@gmail.com> wrote:

Is it safe to use TestNG that has vulnerabilities? I can see the latest version 7.7.1 and it shows Vulnerabilities from dependencies: CVE-2022-1471.
I want to use this dependency in my Maven project. I am a beginner please guide me.


--
You received this message because you are subscribed to the Google Groups "testng-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to testng-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/testng-users/8176f5ec-8f32-4f55-971f-f6739150aa95n%40googlegroups.com.

Sven Johansson

Apr 5, 2023, 8:15:27 AM
to testng...@googlegroups.com
On Wed, Apr 5, 2023 at 2:11 PM Test Account <autot...@gmail.com> wrote:

Is it safe to use TestNG that has vulnerabilities? I can see the latest version 7.7.1 and it shows Vulnerabilities from dependencies: CVE-2022-1471.
I want to use this dependency in my Maven project. I am a beginner please guide me.

It's unlikely that you will be deserializing any YAML data from untrusted sources when you run your test suite.
If you do, stop doing it. And also make sure that your test dependencies, such as testng, are in fact test dependencies and not bundled with the production artifact.

In other words, I wouldn't worry about it.

Madhura Deshpande

Apr 5, 2023, 9:25:31 AM
to testng-users
Thanks for the quick response.
Krishnan Mahadevan, I will be using the testng.xml suite. So, it's safe to use the dependency then, right?


Thanks,
Madhura

Vamshee Chowdhary

Apr 9, 2023, 10:26:52 PM
to testng...@googlegroups.com
Hello Madhura,

You can also exclude the dependency that has vulnerabilities; you can do this in both Gradle and the Maven POM, depending on your use case.

Thank you
