From 0b7f287e8ced537f978751dd656bda1787da98e6 Mon Sep 17 00:00:00 2001
From: Romain Dartigues
Date: Tue, 14 May 2024 16:56:55 +0200
Subject: [PATCH] replace satori/go.uuid with google/uuid (CVE-2021-3538)
Dependency go:github.com/satori/go.uuid:v1.2.0 is vulnerable CVE-2021-3538 9.8 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability with High severity foundResults powered by Checkmarx(c)
---
 main.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/main.go b/main.go
index fa385ae..8959e15 100644
--- a/main.go
+++ b/main.go
@@ -3,14 +3,15 @@ package main
 import (
 "code.cloudfoundry.org/lager"
 "context"
+ "crypto/sha1"
 "encoding/base64"
 "flag"
 "fmt"
 "github.com/cloudfoundry-community/gautocloud"
 "github.com/cloudfoundry-community/gautocloud/connectors/generic"
+ "github.com/google/uuid"
 "github.com/pivotal-cf/brokerapi"
 "github.com/pivotal-cf/brokerapi/domain"
- "github.com/satori/go.uuid"
 "net/http"
 "net/url"
 "os"
@@ -102,9 +103,9 @@ func NewFakeProxyBroker(proxyConfig ProxyConfig) *FakeProxyBroker {
 }
 func (b *FakeProxyBroker) Services(context.Context) ([]domain.Service, error) {
- rootUUid, _ := uuid.FromString(ROOT_UUID)
- serviceUuid := uuid.NewV5(rootUUid, b.proxyConfig.Name+"-service")
- planUuid := uuid.NewV5(rootUUid, b.proxyConfig.Name+"-plan")
+ rootUUid, _ := uuid.Parse(ROOT_UUID)
+ serviceUuid := uuid.NewHash(sha1.New(), rootUUid, []byte(b.proxyConfig.Name+"-service"), 5)
+ planUuid := uuid.NewHash(sha1.New(), rootUUid, []byte(b.proxyConfig.Name+"-plan"), 5)
 metadata := &domain.ServiceMetadata{
 DocumentationUrl: b.proxyConfig.DocumentationURL,
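Review bot: In `Services`, `rootUUid, _ := uuid.Parse(ROOT_UUID)` still discards the parse error, so a malformed `ROOT_UUID` would silently yield the nil UUID as the namespace and change every derived service and plan ID; the method already returns an error, so `rootUUid, err := uuid.Parse(ROOT_UUID)` followed by `if err != nil { return nil, err }` would surface it. The two `uuid.NewHash(sha1.New(), rootUUid, …, 5)` calls can be written as `uuid.NewSHA1(rootUUid, []byte(b.proxyConfig.Name+"-service"))` (and the same for `-plan`), which produces the same version-5 UUID and removes the direct `crypto/sha1` import added in the first hunk, an import that weak-hash linters tend to flag even though it is used here only for name-based ID derivation. These IDs are deterministic and presumably what the platform has registered for the broker, so a small test pinning the service and plan UUIDs for a fixed name would confirm that the library swap leaves them unchanged. The body of `Services` continues past the end of the hunk.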