Commit
Replace vulnerable satori/go.uuid with gofrs/uuid (#43)
The satori/go.uuid library has a known vulnerability described in [CVE-2021-3538](https://www.cvedetails.com/cve/CVE-2021-3538/):

> A flaw was found in github.com/satori/go.uuid in versions from commit
> 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to
> d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the
> g.rand.Read function the generated UUIDs are predictable for an attacker.

[gofrs/uuid](https://github.com/gofrs/uuid#project-history) is a fork of satori that was created to fix the vulnerabilities, as the original project is no longer maintained.

A detail to take into account is that gofrs forces error handling when UUID creation fails, which only happens for v4 UUIDs when a random number couldn't be obtained from the source. This should be a very low percentage and in practice shouldn't happen (even less for this project, as it is something you run locally or in tests), but nevertheless the error *should* be handled. This problem also existed with satori, but there it panicked on failure; to maintain that behaviour, uuid.Must is used, which panics when an error occurs.

Satori panic references: [1](https://github.com/satori/go.uuid/blob/v1.2.0/generator.go#L153) [2](https://github.com/satori/go.uuid/blob/f58768cc1a7a7e77a3bd49e98cdd21419399b6a3/generator.go#L199)