-
Notifications
You must be signed in to change notification settings - Fork 855
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update uuid dependency from satori/go.uuid to gofrs/uuid #1052
Comments
These are really frustrating. There is no production dependency on the insecure library. It was switched to the gofrs fork 2 years ago (jackc/pgtype@cf8fe4a). pgx depends on pgtype. But pgtype tests use pgx to integration test with a real database. This means the pgtype tests can only depend on the 2nd latest pgx which can only depend on the 2nd latest pgtype whose tests can only depend on the 3rd latest pgx, etc... That's messy, but integration testing the type mapping is really important. It really seems unreasonable that Go modules is recursively including test dependencies of test dependencies and the same for security scanners. |
Yeah, its rather unfortunate that this is an issue. Hopefully the proposal you suggested gets implemented. |
Not sure, but can we have a separate repository OR separate module in the same pgtype repository that takes care of integration tests? |
Fix the satori/go.uuid reference to avoid the CVE. More information jackc/pgx#1052 satori/go.uuid#75 satori/go.uuid#73
Is this issue now resolved? |
It is on v5 anyway. |
Hi there, I got the same issue. I agree with @jackc that there is no production dependency on the insecure library. It was switched to the gofrs fork 2 years ago. After a quick investigation, the satori module come from go.sum which was not removed completely either even after switching to gofrs. So, Satori in the go.sum is like junk that makes SCA tools like Snyk show false positives. ➜ pgtype git:(master) go mod graph | grep satori
github.com/jackc/[email protected] github.com/satori/[email protected]
github.com/jackc/pgx/[email protected] github.com/satori/[email protected]
github.com/jackc/[email protected] github.com/satori/[email protected]
github.com/jackc/pgx/[email protected] github.com/satori/[email protected]
github.com/jackc/[email protected] github.com/satori/[email protected]
github.com/jackc/pgx/[email protected] github.com/satori/[email protected] ➜ cd ~/go/pkg/mod/github.com/jackc
➜ grep -r "satori"
./[email protected]/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
./[email protected]/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
./pgx/[email protected]/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= So we just need to delete satori module from go.sum on these repository in the same time:
|
@ne0z Unfortunately, I don't think it is so simple. I tried the change on jackc/pgconn#123. But the next run of I vaguely recall fighting with this on a different dependency and the solution was something like delete all the tests in all the related packages and commit in each package. Run |
Hi @jackc, as I mentioned above, you can't just try jackc/pgconn#123 alone, because that satori module is mentioned on go.sum on your multiple repositories. So you need to delete the satori module on these repositories same time (or merge same time without running |
Hi @jackc I think you are right, deleting all the tests in all the related packages and committing in each package manually was a real hassle. |
In satori repo, use the latest master branch can resolve the CVE issue but the api is changed to return (UUID, error) |
Similar to my previous issue, satori/go.uuid included here is unmaintained and suffers from a 3 year old CVE-2021-3538 which seems to be flagged on Snyk. Upgrading to a maintained fork such as satori/go.uuid (as suggested here) should fix this.
The text was updated successfully, but these errors were encountered: