This commit replaces the vulnerable satori uuid library with google's uuid library. (#221)

cromulus · melekes · web-flow · commit 0144e0b636c9 · 2024-08-19T12:44:43.000+04:00
this is the relevant CVE: https://pkg.go.dev/vuln/GO-2022-0244 Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
diff --git a/go.mod b/go.mod
@@ -3,9 +3,9 @@ module github.com/informalsystems/tm-load-test
 go 1.20
 
 require (
+	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.0
 	github.com/prometheus/client_golang v1.16.0
-	github.com/satori/go.uuid v1.2.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
diff --git a/go.sum b/go.sum
@@ -13,6 +13,8 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -36,8 +38,6 @@ github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPH
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
diff --git a/pkg/loadtest/worker.go b/pkg/loadtest/worker.go
@@ -7,9 +7,9 @@ import (
 	"time"
 	"unicode"
 
+	"github.com/google/uuid"
 	"github.com/gorilla/websocket"
 	"github.com/informalsystems/tm-load-test/internal/logging"
-	uuid "github.com/satori/go.uuid"
 )
 
 const (
@@ -321,5 +321,5 @@ func isValidWorkerID(id string) bool {
 }
 
 func makeWorkerID() string {
-	return strings.ReplaceAll(uuid.NewV4().String(), "-", "")
+	return strings.ReplaceAll(uuid.New().String(), "-", "")
 }

Original file line number	Diff line number	Diff line change
`@@ -7,9 +7,9 @@ import (`
`7`	`7`	`"time"`
`8`	`8`	`"unicode"`
`9`	`9`
	`10`	`+ "github.com/google/uuid"`
`10`	`11`	`"github.com/gorilla/websocket"`
`11`	`12`	`"github.com/informalsystems/tm-load-test/internal/logging"`
`12`		`- uuid "github.com/satori/go.uuid"`
`13`	`13`	`)`
`14`	`14`
`15`	`15`	`const (`
`@@ -321,5 +321,5 @@ func isValidWorkerID(id string) bool {`
`321`	`321`	`}`
`322`	`322`
`323`	`323`	`func makeWorkerID() string {`
`324`		`- return strings.ReplaceAll(uuid.NewV4().String(), "-", "")`
	`324`	`+ return strings.ReplaceAll(uuid.New().String(), "-", "")`
`325`	`325`	`}`