Mail.Ru easyjson library security concerns

[buchekalex]

Hello,

I would like to bring to your attention a concern regarding one of the dependencies used in the swaggo/swag library, specifically the easyjson library.

The easyjson library is developed by Mail.ru, a company controlled by the Russian government. Due to security policies and compliance checks within our company, we are not allowed to use any libraries or software developed by entities associated with the Russian government.

Request

To ensure the security and compliance of our projects, we kindly request that you consider replacing the easyjson library with an alternative solution. One viable option could be to use the standard encoding/json package provided by Go, which is well-supported and maintained.

We understand that this may require some changes to the codebase, and we appreciate your efforts in maintaining the security and integrity of the swaggo/swag library.

Potential Impact

Updating the dependency to a more secure and compliant library will help in:

• Enhancing the security of projects using swaggo/swag.
• Ensuring compliance with various organizational and governmental policies.
• Maintaining trust and reliability in the swaggo/swag library within the global developer community.

Thank you for your attention to this matter. We appreciate your consideration and look forward to your response.

[bbrodriges]

As far as I can see easyjson is used only in example directory and does not required for proper package operation.

[ubogdan]

This project is an Open Source and is maintained by a community, not a government.

The library is an indirect requirement and it comes from go-openapi and there is no way to remove it. If your company policy is so strict, you can write OAS specs by hand.

Thanks for raising the concern.

[barrybarrette]

Hi @ubogdan,

Understanding that this stems from the go-openapi dependency, they are actively working on the issue here: go-openapi/swag#68

Once that issue is resolved, would you be open to making the necessary adjustments to allow users of this package to specify their preferred JSON serializer?

[SE-Bruno]

The issue is fixed upstream. go-openapi/swag#68 is closed.

[ubogdan]

Hi @ubogdan,

Understanding that this stems from the go-openapi dependency, they are actively working on the issue here: go-openapi/swag#68

Once that issue is resolved, would you be open to making the necessary adjustments to allow users of this package to specify their preferred JSON serializer?

I'm open to allow any improvements , especialy the security related ones as soon as we don't break anything or we are not changing the default behavior.

Image how it will be to ask 12k community users that might have 2-3 projects based on swag to update their pipeline every time we "fix" something.

I can do the necesary adjustmens when Ill hage some spare time, meanhile if someone needs it more urgently, feel free to open a PR and I will help wiht a review.

[alexandear]

Finally, go-openapi/swag#136 removes the mailru/easyjson dependency in go-openapi/swag#136, so we can simply update https://github.com/go-openapi/spec to the newest version, which includes the latest go-openapi/swag release. I implemented this in #2108.