vmware-tanzu / tanzu-framework

Tanzu Framework provides a set of building blocks to build atop of the Tanzu platform and leverages Carvel packaging and plugins to provide users with a much stronger, more integrated experience than the loose coupling and stand-alone commands of the previous generation of tools.
Apache License 2.0

Move satori/go.uuid to google/uuid #1543

Closed PushkarJ closed 2 years ago

PushkarJ commented 2 years ago

Bug description

github.com/satori/go.uuid has the following vulnerability.

✗ High severity vulnerability found in github.com/satori/go.uuid
  Description: Insecure Randomness
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
  Introduced through: github.com/satori/go.uuid@1.2.0
  From: github.com/satori/go.uuid@1.2.0

However, this library is no longer maintained satori/go.uuid#115

Affected product area (please put an X in all that apply)

Expected behavior

We are not using any unmaintained dependencies

Steps to reproduce the bug

  1. Clone repo
  2. Download snyk
  3. Run snyk test . inside repo directory

Version (include the SHA if the version is not obvious)

All versions (?)

Environment where the bug was observed (cloud, OS, etc)

N/A

Relevant Debug Output (Logs, manifests, etc)

Solution

After input from #1544, switching to google/uuid makes the most sense.
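As an added illustration (not code from this issue, from Tanzu Framework, or from either UUID library): the advisory quoted above classifies the problem as insecure randomness, so whatever library replaces satori/go.uuid should fail closed when the entropy source errors or returns short, and reviewers should be able to check the version and variant bits of the identifiers it emits. `NewV4`, `IsValidV4` and `failingReader` below are this example's own names, built only on the standard library; the exact defect in satori/go.uuid is not described on the page and is not reproduced here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier.
type UUID [16]byte

// NewV4 builds a random (version 4) UUID from the given entropy source.
// It fails closed: an error or a short read from the reader yields an error,
// never an identifier assembled from partially filled bytes.
func NewV4(entropy io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(entropy, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: entropy read failed: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4 in the high nibble of byte 6
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant in the top two bits of byte 8
	return u, nil
}

// NewRandomV4 draws from crypto/rand, the operating system CSPRNG.
func NewRandomV4() (UUID, error) { return NewV4(rand.Reader) }

// String formats the UUID as 8-4-4-4-12 lowercase hex.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// IsValidV4 reports whether the version and variant bits match a random UUID.
func IsValidV4(u UUID) bool {
	return u[6]>>4 == 4 && u[8]&0xc0 == 0x80
}

// failingReader simulates an unavailable entropy source (constructed for the demo).
type failingReader struct{}

func (failingReader) Read([]byte) (int, error) { return 0, errors.New("entropy unavailable") }

func main() {
	u, err := NewRandomV4()
	if err != nil {
		panic(err)
	}
	fmt.Println(u, IsValidV4(u))
	if _, err := NewV4(failingReader{}); err != nil {
		fmt.Println("refused to emit UUID:", err)
	}
}
```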

github-actions[bot] commented 2 years ago

Hey @PushkarJ! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Tanzu Framework.