github.com/satori/go.uuid is a provides pure Go implementation of Universally Unique Identifier (UUID). Affected versions of this package are vulnerable to Insecure Randomness producing predictable UUID identifiers due to the limited number of bytes read when using the g.rand.Read function. References: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 https://github.com/satori/go.uuid/issues/73 https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45
seems like many of our services are using github.com/satori/go.uuid
The issue was introduced by this commit: https://github.com/satori/go.uuid/commit/0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c#diff-0d0495ad16c6f603876bbf484c43b549f53d0b33d4cd74c908b0ee95a94369ea When owner of that repo decided to change the return `(UUID, error)` instead of `UUID`. That commit was after the 1.2.0 release. In the 1.2.0 release the g.rand.Read function is not used. Later with this commit owner changed the introduced g.rand.Read function to ReadFull: https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45
AFAICT kubevirt/project-infra suffers from a transitive dependency originating from test-infra: ERROR: /home/dhiller/.cache/bazel/_bazel_dhiller/cbe91df64505157c960ac2806f3cb3c4/external/io_k8s_test_infra/prow/pjutil/BUILD.bazel:11:1: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved and referenced by '@io_k8s_test_infra//prow/pjutil:go_default_library' ERROR: Analysis of target '//external-plugins/rehearse/plugin/handler:go_default_library' failed; build aborted: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved INFO: Elapsed time: 0.949s We need to see whether we can just bump test-infra and then get rid of this.
All Quay images use the unaffected 1.2.0 version of github.com/satori/go.uuid
All Migration Toolkit for Container images use the unaffected 1.2.0 version of github.com/satori/go.uuid
I've started a discussion on github.com/satori/go.uuid repo if that project should be used currently and everyone confirmed that this project was dropped long time ago. Everyone who use it in their code should switch to https://github.com/gofrs/uuid which is a fork to github.com/satori/go.uuid and is still supported. So Engineering should be aware about this and stop using github.com/satori/go.uuid in favor of https://github.com/gofrs/uuid
Statement: An upstream fix has been pushed into the master branch [1], but new release was not published. [1] https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45
External References: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 https://github.com/satori/go.uuid/issues/73