Merge branch 'master' into at_specific_time

Author: cameracker

.github/dependabot.yml

@@ -4,6 +4,10 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    groups:
+      all:
+        patterns:
+          - "*"  # Group all updates into a single larger pull request.
 
   - package-ecosystem: gomod
     directory: /

.github/workflows/codeql.yml

@@ -40,17 +40,12 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@4f0ceda83afa9bc55df7b6c611b81435fa53d987 # v2.25.4
+        uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +55,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@4f0ceda83afa9bc55df7b6c611b81435fa53d987 # v2.25.4
+        uses: github/codeql-action/autobuild@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +68,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@4f0ceda83afa9bc55df7b6c611b81435fa53d987 # v2.25.4
+        uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -16,12 +16,7 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-        with:
-          egress-policy: audit
-
       - name: 'Checkout Repository'
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

.github/workflows/go.yml

@@ -17,19 +17,13 @@ jobs:
     env:
       GO111MODULE: auto
     steps:
-
-    - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-      with:
-        egress-policy: audit
-
     - name: Build
-      uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
-        go-version: '1.19.x'
+        go-version: '1.22.x'
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Build
       run: go build -v ./...
@@ -38,27 +32,23 @@ jobs:
       run: go test ./... -race -coverprofile=coverage.txt -covermode=atomic
 
     - name: Coverage
-      uses: codecov/codecov-action@5ecb98a3c6b747ed38dc09f787459979aebb39be # v4.3.1
+      uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+      env:
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   build-legacy:
     name: Build + Test Previous Stable
     runs-on: ubuntu-latest
     env:
       GO111MODULE: auto
     steps:
-
-    - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-      with:
-        egress-policy: audit
-
     - name: Build
-      uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
-        go-version: '1.18.x'
+        go-version: '1.21.x'
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Build
       run: go build -v ./...

.github/workflows/scorecards.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           persist-credentials: false
 
@@ -58,14 +58,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4f0ceda83afa9bc55df7b6c611b81435fa53d987 # v2.25.4
+        uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
         with:
           sarif_file: results.sarif

README.md

@@ -5,6 +5,9 @@
 [![Go Reference](https://pkg.go.dev/badge/github.com/gofrs/uuid/v5.svg)](https://pkg.go.dev/github.com/gofrs/uuid/v5)
 [![Coverage Status](https://codecov.io/gh/gofrs/uuid/branch/master/graphs/badge.svg?branch=master)](https://codecov.io/gh/gofrs/uuid/)
 [![Go Report Card](https://goreportcard.com/badge/github.com/gofrs/uuid)](https://goreportcard.com/report/github.com/gofrs/uuid)
+[![CodeQL](https://github.com/gofrs/uuid/actions/workflows/codeql.yml/badge.svg)](https://github.com/gofrs/uuid/actions/workflows/codeql.yml)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8929/badge)](https://www.bestpractices.dev/projects/8929)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/gofrs/uuid/badge)](https://scorecard.dev/viewer/?uri=github.com/gofrs/uuid)
 
 Package uuid provides a pure Go implementation of Universally Unique Identifiers
 (UUID) variant as defined in RFC-9562. This package supports both the creation

SECURITY.md

@@ -0,0 +1,22 @@
+# Security Policy
+
+## Supported Versions
+
+We support the latest version of this library. We do not guarantee support of previous versions. If a defect is reported, it will generally be fixed on the latest version 
+(provided it exists) irrespective of whether it was introduced in a prior version.
+
+## Reporting a Vulnerability
+
+If you discover a vulnerability against this package, please report it in the issues tab with a `vulnerability` label. We will examine promptly.
+
+If you would like to disclose the vulnerability privately, you may reach the maintainers in our [channel](https://gophers.slack.com/archives/CBP4N9BEU) on the gophers slack.
+
+## Security Scorecard
+
+This project submits security [results](https://scorecard.dev/viewer/?uri=github.com/gofrs/uuid) to the [OpenSSF Scorecard](https://securityscorecards.dev/). 
+
+### Actively Maintained
+
+One heuristic these scorecards measure to gauge whether a package is safe for consumption is an "Actively Maintained" metric. Because this library implements UUIDs,
+it is very stable - there is not much maintenance required other than adding/updating newer UUID versions, keeping up to date with latest versions of Go, and responding
+to reported exploits. As a result, periods of low active maintenance are to be expected. 

codec_test.go

@@ -23,10 +23,7 @@ package uuid
 
 import (
 	"bytes"
-	"flag"
-	"fmt"
-	"os"
-	"path/filepath"
+	"regexp"
 	"strings"
 	"testing"
 )
@@ -403,28 +400,110 @@ func BenchmarkParseV4(b *testing.B) {
 	}
 }
 
-var seedFuzzCorpus = flag.Bool("seed_fuzz_corpus", false, "seed fuzz test corpus")
+const uuidPattern = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
 
-func TestSeedFuzzCorpus(t *testing.T) {
-	// flag.Parse() is called for us by the test binary.
-	if !*seedFuzzCorpus {
-		t.Skip("seeding fuzz test corpus only on demand")
+var fromBytesCorpus = [][]byte{
+	{0x6b, 0xa7, 0xb8, 0x10, 0x9d, 0xad, 0x11, 0xd1, 0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8},
+	{4, 8, 15, 16, 23, 42},
+}
+
+// FuzzFromBytesFunc is a fuzz testing suite that exercises the FromBytes function
+func FuzzFromBytesFunc(f *testing.F) {
+	for _, seed := range fromBytesCorpus {
+		f.Add(seed)
 	}
-	corpusDir := filepath.Join(".", "testdata", "corpus")
-	writeSeedFile := func(name, data string) error {
-		path := filepath.Join(corpusDir, name)
-		return os.WriteFile(path, []byte(data), os.ModePerm)
+	uuidRegexp, err := regexp.Compile(uuidPattern)
+	if err != nil {
+		f.Fatal("uuid regexp failed to compile")
 	}
-	for _, fst := range fromStringTests {
-		name := "seed_valid_" + fst.variant
-		if err := writeSeedFile(name, fst.input); err != nil {
-			t.Fatal(err)
+	f.Fuzz(func(t *testing.T, payload []byte) {
+		u, err := FromBytes(payload)
+		if len(payload) != Size && err == nil {
+			t.Errorf("%v did not result in an error", payload)
+		}
+		if len(payload) == Size && u == Nil {
+			t.Errorf("%v resulted in Nil uuid", payload)
 		}
+		if len(payload) == Size && !uuidRegexp.MatchString(u.String()) {
+			t.Errorf("%v resulted in invalid uuid %s", payload, u.String())
+		}
+		// otherwise, allow to pass if no panic
+	})
+}
+
+// FuzzFromBytesOrNilFunc is a fuzz testing suite that exercises the FromBytesOrNil function
+func FuzzFromBytesOrNilFunc(f *testing.F) {
+	for _, seed := range fromBytesCorpus {
+		f.Add(seed)
 	}
-	for i, s := range invalidFromStringInputs {
-		name := fmt.Sprintf("seed_invalid_%d", i)
-		if err := writeSeedFile(name, s); err != nil {
-			t.Fatal(err)
+	uuidRegexp, err := regexp.Compile(uuidPattern)
+	if err != nil {
+		f.Error("uuid regexp failed to compile")
+	}
+	f.Fuzz(func(t *testing.T, payload []byte) {
+		u := FromBytesOrNil(payload)
+		if len(payload) != Size && u != Nil {
+			t.Errorf("%v resulted in non Nil uuid %s", payload, u.String())
+		}
+		if len(payload) == Size && u == Nil {
+			t.Errorf("%v resulted Nil uuid", payload)
+		}
+		if len(payload) == Size && !uuidRegexp.MatchString(u.String()) {
+			t.Errorf("%v resulted in invalid uuid %s", payload, u.String())
+		}
+		// otherwise, allow to pass if no panic
+	})
+}
+
+var fromStringCorpus = []string{
+	"6ba7b810-9dad-11d1-80b4-00c04fd430c8",
+	"6BA7B810-9DAD-11D1-80B4-00C04FD430C8",
+	"{6BA7B810-9DAD-11D1-80B4-00C04FD430C8}",
+	"urn:uuid:6BA7B810-9DAD-11D1-80B4-00C04FD430C8",
+	"6BA7B8109DAD11D180B400C04FD430C8",
+	"{6BA7B8109DAD11D180B400C04FD430C8}",
+	"urn:uuid:6BA7B8109DAD11D180B400C04FD430C8",
+}
+
+// FuzzFromStringFunc is a fuzz testing suite that exercises the FromString function
+func FuzzFromStringFunc(f *testing.F) {
+	for _, seed := range fromStringCorpus {
+		f.Add(seed)
+	}
+	uuidRegexp, err := regexp.Compile(uuidPattern)
+	if err != nil {
+		f.Fatal("uuid regexp failed to compile")
+	}
+	f.Fuzz(func(t *testing.T, payload string) {
+		u, err := FromString(payload)
+		if err != nil {
+			if u == Nil {
+				t.Errorf("%s resulted in Nil uuid", payload)
+			}
+			if !uuidRegexp.MatchString(u.String()) {
+				t.Errorf("%s resulted in invalid uuid %s", payload, u.String())
+			}
 		}
+		// otherwise, allow to pass if no panic
+	})
+}
+
+// FuzzFromStringOrNil is a fuzz testing suite that exercises the FromStringOrNil function
+func FuzzFromStringOrNilFunc(f *testing.F) {
+	for _, seed := range fromStringCorpus {
+		f.Add(seed)
+	}
+	uuidRegexp, err := regexp.Compile(uuidPattern)
+	if err != nil {
+		f.Error("uuid regexp failed to compile")
 	}
+	f.Fuzz(func(t *testing.T, payload string) {
+		u := FromStringOrNil(payload)
+		if u != Nil {
+			if !uuidRegexp.MatchString(u.String()) {
+				t.Errorf("%s resulted in invalid uuid %s", payload, u.String())
+			}
+		}
+		// otherwise, allow to pass if no panic
+	})
 }

fuzz.go

@@ -611,6 +611,7 @@ func testNewV7(t *testing.T) {
 	t.Run("FaultyRand", makeTestNewV7FaultyRand())
 	t.Run("FaultyRandWithOptions", makeTestNewV7FaultyRandWithOptions())
 	t.Run("ShortRandomRead", makeTestNewV7ShortRandomRead())
+	t.Run("ShortRandomReadWithOptions", makeTestNewV7ShortRandomReadWithOptions())
 	t.Run("KSortable", makeTestNewV7KSortable())
 	t.Run("ClockSequence", makeTestNewV7ClockSequence())
 }