
fix: remove satori/go.uuid dependency (CVE-2021-3538)#1630

Merged: james00012 merged 1 commit into main from fix/remove-satori-uuid-cve-1624 on Dec 2, 2025

Conversation

@james00012 (Contributor) commented Nov 29, 2025

Summary

Remove the vulnerable satori/go.uuid transitive dependency by migrating Azure SDK packages from Track 1 (old) to Track 2 (new).

Why this change?

The satori/go.uuid library has CVE-2021-3538, a vulnerability where the generated UUIDs are predictable due to insufficient randomness seeding. The library is also unmaintained - the author has abandoned it and the repository is archived.

The old Azure SDK for Go (Track 1, using github.com/Azure/azure-sdk-for-go/services/...) depends on satori/go.uuid. Microsoft has been deprecating Track 1 in favor of Track 2 (github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/...), which uses github.com/google/uuid instead.

The root cause was the datafactory package - it was the one pulling in satori/go.uuid as a transitive dependency.

Migrated Packages

| Package | Old SDK | New SDK |
| --- | --- | --- |
| datafactory | services/datafactory/mgmt/2018-06-01/datafactory | armdatafactory/v9 |
| keyvault | services/keyvault/mgmt/.../keyvault + keyvault/auth | armkeyvault + azsecrets/azkeys/azcertificates |
| postgresql | profiles/latest/postgresql/mgmt/postgresql | armpostgresql |
| sql | profiles/latest/sql/mgmt/sql | armsql |
| synapse | services/synapse/mgmt/.../synapse | armsynapse |
| appservice | services/web/mgmt/.../web | armappservice/v2 |
| mysql | profiles/latest/mysql/mgmt/mysql | armmysql |

Breaking Changes

This affects users who call Azure helper functions (e.g., azure.GetSQLServer(), azure.GetMYSQLServer(), azure.GetDataFactory()) and access fields on the returned structs.

Users who only use boolean helpers like azure.AppExists() or azure.DatabaseExists() are NOT affected.

1. Import changes (if importing SDK types directly)

```go
// Before
import "github.com/Azure/azure-sdk-for-go/profiles/latest/sql/mgmt/sql"

// After
import "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql"
```

2. Property access paths changed

```go
// Before
server.ServerProperties.State
server.ServerProperties.FullyQualifiedDomainName
factory.FactoryProperties.ProvisioningState

// After
server.Properties.State
server.Properties.FullyQualifiedDomainName
factory.Properties.ProvisioningState
```

3. Enum/constant types changed

```go
// Before
sql.ServerStateReady
mysql.ServerStateReady

// After
armsql.ServerStateReady
armmysql.ServerStateReady
```

4. Struct field name changes

```go
// Before (MySQL)
server.Sku.Name
database.DatabaseProperties.Charset

// After
server.SKU.Name
database.Properties.Charset
```

Test plan

  • go build ./... passes
  • go mod why -m github.com/satori/go.uuid confirms module is no longer needed
  • satori/go.uuid removed from go.mod and go.sum
  • CI tests pass

Fixes #1624
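The pull request above removes a UUID library whose output the CVE describes as insufficiently random. The following is an added example, not code from this PR or from github.com/google/uuid, of the property a replacement has to guarantee: every byte of a v4 UUID comes from the OS CSPRNG, a short or failed read is an error rather than a silently low-entropy value, and the version/variant bits can be checked on whatever a library hands back. `NewV4`, `IsV4` and the constructed `shortReader` failure source are assumptions introduced for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier.
type UUID [16]byte

// NewV4 draws all 16 bytes from r and fails closed on a short or failed read,
// so a caller never receives a zero-filled or partially random value.
// Illustration only (assumption): not the code of github.com/google/uuid.
func NewV4(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: randomness source failed: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4 in the high nibble of byte 6
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant in the top two bits of byte 8
	return u, nil
}

// NewV4Secure is the production entry point: the OS CSPRNG via crypto/rand.
func NewV4Secure() (UUID, error) { return NewV4(rand.Reader) }

// String renders the canonical 8-4-4-4-12 lowercase hex form.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// IsV4 is the check a reviewer can apply to any UUID a library returns:
// the version nibble must be 4 and the variant bits must be 10xxxxxx.
func IsV4(u UUID) bool { return u[6]>>4 == 4 && u[8]&0xc0 == 0x80 }

// shortReader is a constructed failure mode: a source that yields no bytes,
// standing in for a randomness source that cannot fill the buffer.
type shortReader struct{}
func (shortReader) Read(p []byte) (int, error) { return 0, io.EOF }

func main() {
	u, err := NewV4Secure()
	if err != nil { panic(err) }
	fmt.Println(u, IsV4(u))
	_, err = NewV4(shortReader{})
	fmt.Println("short source rejected:", err != nil)
}
```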

@james00012 james00012 force-pushed the fix/remove-satori-uuid-cve-1624 branch from a921e9b to 57427c2 on November 29, 2025 16:11
Migrate Azure SDK packages from Track 1 (old) to Track 2 (new) to
remove the vulnerable satori/go.uuid transitive dependency.

The satori/go.uuid library has CVE-2021-3538 (predictable UUIDs due to
insufficient randomness) and is unmaintained/archived. The old Azure
SDK (Track 1) depends on it, but Microsoft's new SDK (Track 2) uses
github.com/google/uuid instead.

Migrated packages:
- datafactory: services/datafactory/mgmt → armdatafactory/v9
- keyvault: services/keyvault/mgmt + keyvault/auth → armkeyvault + azsecrets/azkeys/azcertificates
- postgresql: profiles/latest/postgresql/mgmt → armpostgresql
- sql: profiles/latest/sql/mgmt → armsql
- synapse: services/synapse/mgmt → armsynapse
- appservice: services/web/mgmt → armappservice/v2
- mysql: profiles/latest/mysql/mgmt → armmysql

BREAKING CHANGE: Return types changed for Azure helper functions.
Users importing these types directly will need to update their code
to use the new SDK types (e.g., *datafactory.Factory → *armdatafactory.Factory).

Fixes #1624
@james00012 james00012 force-pushed the fix/remove-satori-uuid-cve-1624 branch from 57427c2 to 2b3d00f on November 29, 2025 17:10
@james00012 james00012 marked this pull request as ready for review December 1, 2025 15:43
@james00012 james00012 merged commit 11fb9e7 into main Dec 2, 2025
2 of 3 checks passed
@james00012 james00012 deleted the fix/remove-satori-uuid-cve-1624 branch December 2, 2025 01:14
Linked issue closed by this pull request: Remove usage of satori/go.uuid package

2 participants