See doc/triage.md for instructions on how to triage this report.
modules:
- module: TODO
versions:
- fixed: 1.2.3
packages:
- package: github.com/sylabs/sif
description: |
### Impact
The `siftool new` command and [func siftool.New()](https://pkg.go.dev/github.com/sylabs/sif/pkg/siftool#New) produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.
### Patches
A patch is available in versions 1.2.3 and newer of the module. Users are encouraged to upgrade.
### Workarounds
Users passing [CreateInfo struct](https://pkg.go.dev/github.com/sylabs/sif/pkg/sif#CreateInfo) should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:
```shell
go get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557
```
cves:
- CVE-2021-29499
ghsas:
- GHSA-4gh8-x3vv-phhg
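The advisory above attributes the predictable IDs to insecure randomness in the UUID dependency. As an added example (not code from sylabs/sif, satori/go.uuid or the advisory itself), the Go program below generates a v4 UUID with all 128 bits drawn from `crypto/rand`, which is the property a caller populating the `CreateInfo` `ID` field needs; validates the version and variant bits; and contrasts it with a deliberately seeded `math/rand` generator, constructed here only to show what "predictable" means in practice (same seed, same UUID). The `UUID` type, the function names and the seeded generator are all assumptions of this example; nothing in it calls the sif package.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	mrand "math/rand"
)

// UUID is a 128-bit RFC 4122 identifier (type name is an assumption of this example).
type UUID [16]byte

// stampV4 sets the version (4) and variant (RFC 4122) bits on raw random bytes.
func stampV4(u *UUID) {
	u[6] = (u[6] & 0x0f) | 0x40 // version nibble = 4
	u[8] = (u[8] & 0x3f) | 0x80 // variant bits = 10xx
}

// NewRandomUUID draws every bit from crypto/rand (the OS CSPRNG) and then
// stamps the v4 version/variant bits. This is the kind of generator to use
// for an identifier that must not be guessable.
func NewRandomUUID() (UUID, error) {
	var u UUID
	if _, err := rand.Read(u[:]); err != nil {
		return UUID{}, err
	}
	stampV4(&u)
	return u, nil
}

// WeakUUIDFromSeed illustrates why a generator built on a seeded math/rand
// stream is predictable: the same seed always yields the same "random" UUID.
// Constructed for this example; it is not the satori/go.uuid implementation.
func WeakUUIDFromSeed(seed int64) UUID {
	var u UUID
	r := mrand.New(mrand.NewSource(seed))
	r.Read(u[:]) // math/rand is deterministic, not a CSPRNG
	stampV4(&u)
	return u
}

// String renders the canonical 8-4-4-4-12 lowercase hex form.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// Parse reads the canonical form back into a UUID, rejecting malformed input.
func Parse(s string) (UUID, error) {
	var u UUID
	if len(s) != 36 || s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
		return u, errors.New("uuid: bad canonical format")
	}
	raw := s[0:8] + s[9:13] + s[14:18] + s[19:23] + s[24:36]
	b, err := hex.DecodeString(raw)
	if err != nil {
		return u, err
	}
	copy(u[:], b)
	return u, nil
}

// IsV4 reports whether the version nibble is 4 and the variant is RFC 4122,
// a cheap sanity check on any ID handed in from outside.
func IsV4(u UUID) bool {
	return u[6]>>4 == 4 && u[8]&0xc0 == 0x80
}

func main() {
	a, _ := NewRandomUUID()
	b, _ := NewRandomUUID()
	fmt.Println("crypto/rand:", a, b, "distinct:", a != b)
	fmt.Println("seeded math/rand:", WeakUUIDFromSeed(1), WeakUUIDFromSeed(1), "(identical)")
}
```

The check that matters for a caller is not the string shape but the entropy source: `IsV4` will happily accept a UUID from the seeded generator, so validating format alone never detects this class of weakness. Upgrading the dependency, as the advisory says, is the fix; the generator above is what that upgraded path should look like.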
In GitHub Security Advisory GHSA-4gh8-x3vv-phhg, there is a vulnerability in the following Go packages or modules:
Cross references: