
Indirect dependency to vulnerable module github.com/satori/go.uuid v1.2.0 (CVE-2021-3538)

Open AgustinBettati opened this issue 6 months ago • 1 comments

Describe the bug

There is currently an indirect dependency on a vulnerable and unmaintained module, github.com/satori/go.uuid v1.2.0. More details on the vulnerability can be found here:

  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 CVE-2021-3538

Expected behavior

From an issue in github.com/satori/go.uuid it appears the remediation in this case is to avoid depending on this module altogether. It would be good to understand why this indirect dependency is currently defined, and if there is a path forward for replacing it.

AgustinBettati, Jan 31 '24 10:01

Looks like it is related to azure-sdk:

$ go mod why -m github.com/satori/go.uuid
# github.com/satori/go.uuid
github.com/gruntwork-io/terratest/modules/azure
github.com/Azure/azure-sdk-for-go/services/datafactory/mgmt/2018-06-01/datafactory
github.com/satori/go.uuid

denis256, Feb 02 '24 17:02
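A module-level companion to the `go mod why` trace above, as an added example that is not part of the issue thread or of terratest's code: it walks `go mod graph` output to find the shortest require chain that pulls in github.com/satori/go.uuid, which shows which requirement would have to change. The embedded graph is a constructed sample; `chainTo`, `sampleGraph` and the `v0.0.0-example` versions are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output, one "module requirement" pair
// per line. v0.0.0-example versions are placeholders, not from the issue.
const sampleGraph = `github.com/gruntwork-io/terratest github.com/Azure/azure-sdk-for-go@v0.0.0-example
github.com/gruntwork-io/terratest github.com/stretchr/testify@v0.0.0-example
github.com/Azure/azure-sdk-for-go@v0.0.0-example github.com/satori/go.uuid@v1.2.0`

// chainTo returns the shortest require chain from the main module (the only
// entry printed without an @version suffix) to any version of target, or nil.
func chainTo(graph, target string) []string {
	edges, root := map[string][]string{}, ""
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 { // ignore blank or malformed lines
			if !strings.Contains(f[0], "@") {
				root = f[0]
			}
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	// Breadth-first search; parent records how each module was first reached.
	parent := map[string]string{root: ""}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if path, _, _ := strings.Cut(cur, "@"); path == target {
			var chain []string
			for n := cur; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(strings.Join(chainTo(sampleGraph, "github.com/satori/go.uuid"), "\n  -> "))
}
```

Against a real checkout, the output of `go mod graph` would replace `sampleGraph`.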