Latest release v0.13.0 has CVE-2021-3538 (score 9.8) from dependency github.com/satori/go.uuid v1.2.0

[srlobo]

Hi

mysqld_exporter showed up in a security scan because it contains github.com/satori/go.uuid@v1.2.0

https://nvd.nist.gov/vuln/detail/CVE-2021-3538

github.com/satori/go.uuid is used in collector/slave_hosts.go.

Would it be possible to make a patch release on docker hub containing an updated version of this module?

[SuperQ]

It looks like the vulnerability is for generating UUIDs from that library. This collector only uses the library to parse UUID from MySQL. Therefore this collector / version is not vulnerable to CVE-2021-3538.

Please do not report results from vulnerability scanners without actively verifying that there is a vulnerability. These version-based scanners often produce false-positives.

[srlobo]

Ok, but it's not a good idea to link to unmaintained code anyway (as told in the project discussion): satori/go.uuid#73 (comment)

They're suggesting change to https://github.com/gofrs/uuid

[SuperQ]

PRs welcome.