Update uuid dependency from satori/go.uuid to gofrs/uuid #1052
Comments
|
These are really frustrating. There is no production dependency on the insecure library. It was switched to the gofrs fork 2 years ago (jackc/pgtype@cf8fe4a). pgx depends on pgtype. But pgtype tests use pgx to integration test with a real database. This means the pgtype tests can only depend on the 2nd latest pgx which can only depend on the 2nd latest pgtype whose tests can only depend on the 3rd latest pgx, etc... That's messy, but integration testing the type mapping is really important. It really seems unreasonable that Go modules is recursively including test dependencies of test dependencies and the same for security scanners. |
|
Yeah, its rather unfortunate that this is an issue. Hopefully the proposal you suggested gets implemented. |
|
Not sure, but can we have a separate repository OR separate module in the same pgtype repository that takes care of integration tests? |
Fix the satori/go.uuid reference to avoid the CVE. More information jackc/pgx#1052 satori/go.uuid#75 satori/go.uuid#73
|
Is this issue now resolved? |
It is on v5 anyway. |
|
Hi there, I got the same issue. I agree with @jackc that there is no production dependency on the insecure library. It was switched to the gofrs fork 2 years ago. After a quick investigation, the satori module come from go.sum which was not removed completely either even after switching to gofrs. So, Satori in the go.sum is like junk that makes SCA tools like Snyk show false positives. ➜ pgtype git:(master) go mod graph | grep satori
github.com/jackc/pgtype@v0.0.0-20190828014616-a8802b16cc59 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgx/v4@v4.0.0-pre1.0.20190824185557-6972a5742186 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgtype@v0.0.0-20190824184912-ab885b375b90 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgx/v4@v4.0.0-20190421002000-1b8f0016e912 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgtype@v0.0.0-20190421001408-4ed0de4755e0 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgx/v4@v4.0.0-20190420224344-cc3461e65d96 github.com/satori/go.uuid@v1.2.0➜ cd ~/go/pkg/mod/github.com/jackc
➜ grep -r "satori"
./pgmock@v0.0.0-20210724152146-4ad1a8207f65/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
./pgconn@v1.9.1-0.20210724152538-d89c8390a530/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
./pgx/v4@v4.12.1-0.20210724153913-640aa07df17c/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=So we just need to delete satori module from go.sum on these repository in the same time:
|
|
@ne0z Unfortunately, I don't think it is so simple. I tried the change on jackc/pgconn#123. But the next run of I vaguely recall fighting with this on a different dependency and the solution was something like delete all the tests in all the related packages and commit in each package. Run |
|
Hi @jackc, as I mentioned above, you can't just try jackc/pgconn#123 alone, because that satori module is mentioned on go.sum on your multiple repositories. So you need to delete the satori module on these repositories same time (or merge same time without running |
|
Hi @jackc I think you are right, deleting all the tests in all the related packages and committing in each package manually was a real hassle. |
|
In satori repo, use the latest master branch can resolve the CVE issue but the api is changed to return (UUID, error) |
Similar to my previous issue, satori/go.uuid included here is unmaintained and suffers from a 3 year old CVE-2021-3538 which seems to be flagged on Snyk. Upgrading to a maintained fork such as satori/go.uuid (as suggested here) should fix this.
The text was updated successfully, but these errors were encountered: