QID 982560: Go (go) Security Update for github.com/sylabs/sif (GHSA-4gh8-x3vv-phhg)
A security update has been released for github.com/sylabs/sif to fix this vulnerability.
The `siftool new` command and [func siftool.New()](https://pkg.go.dev/github.com/sylabs/sif/pkg/siftool#New) produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.
Solution
A patch is available in versions 1.2.3 and newer of the module. Users are encouraged to upgrade.
Workaround:
Users passing [CreateInfo struct](https://pkg.go.dev/github.com/sylabs/sif/pkg/sif#CreateInfo) should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:
```
go get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557
```
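For callers who build the `CreateInfo` themselves, the safer course is to generate the `ID` directly from `crypto/rand` rather than relying on whichever `go.uuid` release is resolved. The following is an added example, not code from the sif project or the advisory; it assumes the `ID` field accepts a 16-byte RFC 4122 UUID (convertible from the bytes below) and adds a sanity check that rejects the all-zero value a failed or short random read would leave behind.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier, laid out like go.uuid's UUID type (assumption).
type UUID [16]byte

// NewSecureV4 builds a random (version 4) UUID straight from crypto/rand.
// io.ReadFull fails unless all 16 bytes were filled, so a short read cannot
// silently leave predictable bytes in the identifier.
func NewSecureV4() (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(rand.Reader, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: entropy unavailable: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4 in the high nibble of byte 6
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant in the top two bits of byte 8
	return u, nil
}

// String renders the canonical 8-4-4-4-12 form.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// CheckV4 is a defensive check to run before an ID is written into a SIF header:
// the version and variant bits must be right, and the random part must not be
// all zero (the pattern an unchecked, failed random read produces).
func CheckV4(u UUID) error {
	if u[6]>>4 != 4 {
		return errors.New("uuid: version nibble is not 4")
	}
	if u[8]&0xc0 != 0x80 {
		return errors.New("uuid: variant is not RFC 4122")
	}
	var empty UUID // zero bytes with only the fixed version/variant bits set
	empty[6], empty[8] = 0x40, 0x80
	if u == empty {
		return errors.New("uuid: random portion is all zero")
	}
	return nil
}

func main() {
	u, err := NewSecureV4()
	if err != nil {
		panic(err)
	}
	if err := CheckV4(u); err != nil {
		panic(err)
	}
	// Assumption: pass u[:] to the uuid package's FromBytes and assign the result to CreateInfo.ID.
	fmt.Println(u)
}
```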
Vendor References
- GHSA-4gh8-x3vv-phhg - github.com/advisories/GHSA-4gh8-x3vv-phhg
CVEs related to QID 982560
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-4gh8-x3vv-phhg | github.com/sylabs/sif | | |