RocksLabs / kvrocks-operator

Apache License 2.0

Enhance the security of dependencies #24

Closed jiayouxujin closed 10 months ago

jiayouxujin commented 1 year ago

Hi, Considering the security concerns with the dependency github.com/satori/go.uuid, we should replace it.

tianshimoyi commented 1 year ago

@jiayouxujin Does github.com/satori/go.uuid have any security implications? Can you describe it?

jiayouxujin commented 1 year ago

> @jiayouxujin Does github.com/satori/go.uuid have any security implications? Can you describe it?

@tianshimoyi Sure. From the results of the Docker scan, we can see the following results in #18:

✗ High severity vulnerability found in github.com/satori/go.uuid
  Description: Insecure Randomness
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
  Introduced through: github.com/satori/go.uuid@1.2.0
  From: github.com/satori/go.uuid@1.2.0

Then I imported the image into the Snyk platform, and the detailed report is as follows:

Overview:
github.com/satori/go.uuid provides a pure Go implementation of Universally Unique Identifier (UUID).

Affected versions of this package are vulnerable to Insecure Randomness, which produces predictable UUID identifiers due to the limited number of bytes read when using the g.rand.Read function.

Note: This vulnerability was introduced on the master branch of satori/go.uuid after version 1.2.0. This was fixed in commit d91630c8510268e75203009fe7daf2b8e1d60c45.

I checked the commit history of the satori/go.uuid repository, and version 1.2.0 does not include this commit.
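As an added illustration (not code from kvrocks-operator or from satori/go.uuid), the pattern the report describes: a v4 generator that discards the byte count and error from Read, beside one that requires all 16 bytes. shortReader is a constructed entropy source that simulates a truncated read; the function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
)

// shortReader is a constructed reader that delivers only n bytes and then
// reports EOF, simulating an entropy source that returns a short read.
type shortReader struct{ n int }

func (s shortReader) Read(p []byte) (int, error) {
	n := s.n
	if n > len(p) {
		n = len(p)
	}
	for i := 0; i < n; i++ {
		p[i] = 0xAB
	}
	return n, io.EOF
}

// setVersionVariant stamps the RFC 4122 version-4 and variant bits.
func setVersionVariant(u *[16]byte) {
	u[6] = (u[6] & 0x0f) | 0x40
	u[8] = (u[8] & 0x3f) | 0x80
}

// newV4Unchecked ignores what Read returns, so a short read leaves the
// remaining bytes zero: the UUID is partly predictable.
func newV4Unchecked(r io.Reader) [16]byte {
	var u [16]byte
	r.Read(u[:]) // count and error discarded
	setVersionVariant(&u)
	return u
}

// newV4Checked requires all 16 bytes; io.ReadFull turns a short read into an error.
func newV4Checked(r io.Reader) ([16]byte, error) {
	var u [16]byte
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return [16]byte{}, fmt.Errorf("uuid: insufficient randomness: %w", err)
	}
	setVersionVariant(&u)
	return u, nil
}

func main() {
	fmt.Printf("unchecked, short read: %x\n", newV4Unchecked(shortReader{n: 4}))
	_, err := newV4Checked(shortReader{n: 4})
	fmt.Println("checked, short read:", err)
	u, err := newV4Checked(rand.Reader)
	fmt.Printf("checked, crypto/rand: %x (err=%v)\n", u, err)
}
```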