github.com/satori/go.uuid is a provides pure Go implementation of Universally Unique Identifier (UUID).
Affected versions of this package are vulnerable to Insecure Randomness producing predictable UUID identifiers due to the limited number of bytes read when using the g.rand.Read function.
seems like many of our services are using github.com/satori/go.uuid
The issue was introduced by this commit:
When owner of that repo decided to change the return `(UUID, error)` instead of `UUID`.
That commit was after the 1.2.0 release.
In the 1.2.0 release the g.rand.Read function is not used.
Later with this commit owner changed the introduced g.rand.Read function to ReadFull:
AFAICT kubevirt/project-infra suffers from a transitive dependency originating from test-infra:
ERROR: /home/dhiller/.cache/bazel/_bazel_dhiller/cbe91df64505157c960ac2806f3cb3c4/external/io_k8s_test_infra/prow/pjutil/BUILD.bazel:11:1: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved and referenced by '@io_k8s_test_infra//prow/pjutil:go_default_library'
ERROR: Analysis of target '//external-plugins/rehearse/plugin/handler:go_default_library' failed; build aborted: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved
INFO: Elapsed time: 0.949s
We need to see whether we can just bump test-infra and then get rid of this.
All Quay images use the unaffected 1.2.0 version of github.com/satori/go.uuid
All Migration Toolkit for Container images use the unaffected 1.2.0 version of github.com/satori/go.uuid
I've started a discussion on github.com/satori/go.uuid repo if that project should be used currently and everyone confirmed that this project was dropped long time ago. Everyone who use it in their code should switch to https://github.com/gofrs/uuid which is a fork to github.com/satori/go.uuid and is still supported.
So Engineering should be aware about this and stop using github.com/satori/go.uuid in favor of https://github.com/gofrs/uuid
An upstream fix has been pushed into the master branch , but new release was not published.