Fix for SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488

srfrog · srfrog · commit f9127c917e19 · 2021-09-15T01:35:10.000-04:00
High severity vulnerability found in github.com/satori/go.uuid Description: Insecure Randomness Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 Introduced through: github.com/satori/go.uuid@1.2.0 From: github.com/satori/go.uuid@1.2.0
diff --git a/go.mod b/go.mod
@@ -5,13 +5,12 @@ go 1.17
 require (
 	camlistore.org v0.0.0-20171230002226-a5a65f0d8b22
 	github.com/garyburd/redigo v1.6.2
-	github.com/satori/go.uuid v1.2.0
+	github.com/gofrs/uuid v4.0.0+incompatible
 	github.com/sirupsen/logrus v1.8.1
 	github.com/srfrog/go-strarr v1.0.0
 )
 
 require (
 	github.com/codehack/go-strarr v1.0.0 // indirect
 	golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )
diff --git a/go.sum b/go.sum
@@ -6,15 +6,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/garyburd/redigo v1.6.2 h1:yE/pwKCrbLpLpQICzYTeZ7JsTA/C53wFTJHaEtRqniM=
 github.com/garyburd/redigo v1.6.2/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
+github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/srfrog/go-strarr v1.0.0 h1:UYP9F2BkH8BfVoseDo/HiyVuxM63YOsLe7rxkMlD5lk=
@@ -23,5 +18,3 @@ github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/util.go b/util.go
@@ -9,7 +9,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/satori/go.uuid"
+	"github.com/gofrs/uuid"
 )
 
 // These status codes are inaccessible in net/http but they work with http.StatusText().
@@ -41,7 +41,7 @@ const (
 // A valid ID must be between 20 and 200 chars in length, and URL-encoded.
 func NewRequestID(id string) string {
 	if id == "" {
-		return uuid.NewV4().String()
+		return uuid.Must(uuid.NewV4()).String()
 	}
 	l := 0
 	for i, c := range id {
@@ -53,12 +53,12 @@ func NewRequestID(id string) string {
 		case i > 199:
 			fallthrough
 		default:
-			return uuid.NewV4().String()
+			return uuid.Must(uuid.NewV4()).String()
 		}
 		l = i
 	}
 	if l < 20 {
-		return uuid.NewV4().String()
+		return uuid.Must(uuid.NewV4()).String()
 	}
 	return id
 }

Original file line number	Diff line number	Diff line change
`@@ -5,13 +5,12 @@ go 1.17`
`5`	`5`	`require (`
`6`	`6`	`camlistore.org v0.0.0-20171230002226-a5a65f0d8b22`
`7`	`7`	`github.com/garyburd/redigo v1.6.2`
`8`		`- github.com/satori/go.uuid v1.2.0`
	`8`	`+ github.com/gofrs/uuid v4.0.0+incompatible`
`9`	`9`	`github.com/sirupsen/logrus v1.8.1`
`10`	`10`	`github.com/srfrog/go-strarr v1.0.0`
`11`	`11`	`)`
`12`	`12`
`13`	`13`	`require (`
`14`	`14`	`github.com/codehack/go-strarr v1.0.0 // indirect`
`15`	`15`	`golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 // indirect`
`16`		`- gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect`
`17`	`16`	`)`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ import (`
`9`	`9`	`"strconv"`
`10`	`10`	`"strings"`
`11`	`11`
`12`		`- "github.com/satori/go.uuid"`
	`12`	`+ "github.com/gofrs/uuid"`
`13`	`13`	`)`
`14`	`14`
`15`	`15`	`// These status codes are inaccessible in net/http but they work with http.StatusText().`
`@@ -41,7 +41,7 @@ const (`
`41`	`41`	`// A valid ID must be between 20 and 200 chars in length, and URL-encoded.`
`42`	`42`	`func NewRequestID(id string) string {`
`43`	`43`	`if id == "" {`
`44`		`- return uuid.NewV4().String()`
	`44`	`+ return uuid.Must(uuid.NewV4()).String()`
`45`	`45`	`}`
`46`	`46`	`l := 0`
`47`	`47`	`for i, c := range id {`
`@@ -53,12 +53,12 @@ func NewRequestID(id string) string {`
`53`	`53`	`case i > 199:`
`54`	`54`	`fallthrough`
`55`	`55`	`default:`
`56`		`- return uuid.NewV4().String()`
	`56`	`+ return uuid.Must(uuid.NewV4()).String()`
`57`	`57`	`}`
`58`	`58`	`l = i`
`59`	`59`	`}`
`60`	`60`	`if l < 20 {`
`61`		`- return uuid.NewV4().String()`
	`61`	`+ return uuid.Must(uuid.NewV4()).String()`
`62`	`62`	`}`
`63`	`63`	`return id`
`64`	`64`	`}`