
Bumped to latest version of Go 1.17

@nsmithuk nsmithuk released this 18 Sep 12:21
1bbbfed
Replace vulnerable satori/go.uuid with gofrs/uuid (#43)

The satori/go.uuid library has a known vulnerability described in
[CVE-2021-3538](https://www.cvedetails.com/cve/CVE-2021-3538/),

> A flaw was found in github.com/satori/go.uuid in versions from commit
> 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to
> d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the
> g.rand.Read function the generated UUIDs are predictable for an attacker.

and [gofrs/uuid](https://github.com/gofrs/uuid#project-history) is a fork of
satori that was created to fix the vulnerabilities, as the original project
is no longer maintained.

A detail to take into account is that gofrs forces error handling when UUID
creation fails, which only happens for v4 UUIDs when a random number couldn't be
obtained from the source. This should be a very low percentage and in practice
shouldn't happen (even less for this project, as it is something you run locally
or in tests), but nevertheless the error *should* be handled.

With satori this problem still existed, but it panicked when it failed. To
maintain that behaviour, uuid.Must is used, which panics when an error occurs.

Satori panic reference:
[1](https://github.com/satori/go.uuid/blob/v1.2.0/generator.go#L153)
[2](https://github.com/satori/go.uuid/blob/f58768cc1a7a7e77a3bd49e98cdd21419399b6a3/generator.go#L199)
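The two behaviours the notes contrast, as an added illustration that is not code from this project, from gofrs/uuid or from satori/go.uuid: a v4 generator backed by crypto/rand that returns the random source's error instead of hiding it, and a Must wrapper that turns that error into a panic. The names NewV4From, Must and brokenSource are assumptions made for this example; they only mirror the shape of the gofrs API described above.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// UUID is a 128-bit RFC 4122 identifier.
type UUID [16]byte

// NewV4From fills the UUID from src and sets the version (4) and variant
// (10xx) bits. A failure of the random source is returned, never ignored,
// so a caller can never end up with a zero or half-filled identifier.
func NewV4From(src io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(src, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: random source failed: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return u, nil
}

// NewV4 draws from the cryptographically secure crypto/rand reader.
func NewV4() (UUID, error) { return NewV4From(rand.Reader) }

// Must keeps the old satori behaviour: panic instead of returning an error.
func Must(u UUID, err error) UUID {
	if err != nil {
		panic(err)
	}
	return u
}

func (u UUID) String() string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
}

func (u UUID) Version() byte   { return u[6] >> 4 }
func (u UUID) IsRFC4122() bool { return u[8]&0xc0 == 0x80 }

// brokenSource is a constructed reader that always fails, standing in for a
// host whose entropy source is unavailable.
type brokenSource struct{}

func (brokenSource) Read(p []byte) (int, error) { return 0, errors.New("entropy unavailable") }

func main() {
	fmt.Println(Must(NewV4()))          // satori-style: panics if crypto/rand fails
	_, err := NewV4From(brokenSource{}) // gofrs-style: the caller handles the error
	fmt.Println("broken source:", err)
}
```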