The siftool new command produces predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency.
A patch is available in version >= v1.2.1-0.20180404165556-75cca531ea76 of the module. Users are encouraged to upgrade.
Fixed by https://github.com/hpcng/sif/pull/90
Users passing a CreateInfo struct should ensure that its ID field is generated with a version of github.com/satori/go.uuid that is not affected by this issue. Unfortunately, the latest tagged release of that module is affected. One way to obtain a non-vulnerable version is:
go get -u github.com/satori/go.uuid@v1.2.1-0.20180404165556-75cca531ea76
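As an added illustration, not code from the sif project or this advisory, the following Go snippet generates a random (version 4) UUID straight from crypto/rand, reading all 16 bytes with io.ReadFull, so the ID handed to a CreateInfo struct does not depend on the dependency's own random-byte handling. It assumes the ID is a 16-byte array, which matches satori/go.uuid's uuid.UUID type (type UUID [16]byte); the ID type and NewRandomID name are this example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// ID is a 16-byte UUID with the same layout as satori/go.uuid's uuid.UUID.
// Convert with uuid.FromBytes(id[:]) where the library type is required.
type ID [16]byte

// NewRandomID builds an RFC 4122 version 4 UUID from the operating system
// CSPRNG. io.ReadFull returns an error unless all 16 bytes were filled, so a
// short read can never silently leave part of the identifier predictable.
func NewRandomID() (ID, error) {
	var id ID
	if _, err := io.ReadFull(rand.Reader, id[:]); err != nil {
		return ID{}, err
	}
	id[6] = (id[6] & 0x0f) | 0x40 // version 4 in the high nibble of byte 6
	id[8] = (id[8] & 0x3f) | 0x80 // RFC 4122 variant (10xx) in byte 8
	return id, nil
}

// Version returns the version nibble of the UUID.
func (id ID) Version() byte { return id[6] >> 4 }

// IsRFC4122Variant reports whether the variant bits are 10xxxxxx.
func (id ID) IsRFC4122Variant() bool { return id[8]&0xc0 == 0x80 }

// String renders the canonical 8-4-4-4-12 hexadecimal form.
func (id ID) String() string {
	h := hex.EncodeToString(id[:])
	return fmt.Sprintf("%s-%s-%s-%s-%s", h[0:8], h[8:12], h[12:16], h[16:20], h[20:])
}

func main() {
	id, err := NewRandomID()
	if err != nil {
		panic(err)
	}
	fmt.Println(id) // a different value on every run
}
```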
Upstream issue: https://github.com/satori/go.uuid/issues/73
If you have any questions or comments about this advisory:
Open an issue in https://github.com/hpcng/sif/issues