diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
index 8f42ec29053..f5ec107d83f 100644
--- a/.github/workflows/k8s-tests.yml
+++ b/.github/workflows/k8s-tests.yml
@@ -78,7 +78,7 @@ jobs:
uses: actions/checkout@v4
- name: Setup Minikube
- uses: manusa/actions-setup-minikube@v2.9.0
+ uses: manusa/actions-setup-minikube@v2.10.0
with:
minikube version: 'v1.24.0'
kubernetes version: ${{ matrix.k8s }}
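Review bot: `manusa/actions-setup-minikube@v2.10.0` is still pinned to a mutable tag, so a force-moved or compromised tag changes what runs in CI with no diff in this repo; pin third-party actions to the full commit SHA (version as a trailing comment), the same way the compose images in this PR are pinned by digest. The `minikube version: 'v1.24.0'` input is untouched by the bump; confirm v2.10.0 of the action still accepts that minikube release before merging.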
diff --git a/docker-compose.yml b/docker-compose.yml
index da4bedd3b7f..1a603f13669 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -138,7 +138,7 @@ services:
volumes:
- defectdojo_data:/var/lib/mysql
postgres:
- image: postgres:16.1-alpine@sha256:a1b267d05ee39210d162185f52645687c7e63fbe25b8c58ccd7f81f0a7e2ad97
+ image: postgres:16.1-alpine@sha256:884718395ee967fc70374563f3b4d72f0c61f48f81868decb9fa452915fe070e
profiles:
- postgres-rabbitmq
- postgres-redis
@@ -149,14 +149,14 @@ services:
volumes:
- defectdojo_postgres:/var/lib/postgresql/data
rabbitmq:
- image: rabbitmq:3.12.11-alpine@sha256:382561a75b70c00e4ae0f1788a1a6b032eace5073abadb25547496879c65c7c2
+ image: rabbitmq:3.12.12-alpine@sha256:9ab2478b7f459334d0afb70fb5dfce2d3e74152cfa3c82913843798f03b40f72
profiles:
- mysql-rabbitmq
- postgres-rabbitmq
volumes:
- defectdojo_rabbitmq:/var/lib/rabbitmq
redis:
- image: redis:7.2.3-alpine@sha256:090276da2603db19b154602c374f505d94c10ea57e9749fc3e68e955284bf0fd
+ image: redis:7.2.4-alpine@sha256:995e6eaab954e92cadf1a0bb1eab71ae3baae8e02ea4354fd8aa136a61e42247
profiles:
- mysql-redis
- postgres-redis
diff --git a/docs/content/en/getting_started/upgrading/2.31.md b/docs/content/en/getting_started/upgrading/2.31.md
new file mode 100644
index 00000000000..c07494e8174
--- /dev/null
+++ b/docs/content/en/getting_started/upgrading/2.31.md
@@ -0,0 +1,7 @@
+---
+title: 'Upgrading to DefectDojo Version 2.31.x'
+toc_hide: true
+weight: -20240102
+description: No special instructions.
+---
+There are no special instructions for upgrading to 2.31.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.31.0) for the contents of the release.
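Review bot: "No special instructions" undersells this release for Bitbucket users: working source links now depend on the new Product custom field `scm-type` (values `bitbucket` / `bitbucket-standalone`) introduced in `source-code-repositories.md` in this same PR, and a repo without that field is treated as GitHub. Add a one-line pointer to that page here so upgraders know to set the field.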
diff --git a/docs/content/en/integrations/source-code-repositories.md b/docs/content/en/integrations/source-code-repositories.md
index b8a0f2fe19d..7b7f5f04671 100644
--- a/docs/content/en/integrations/source-code-repositories.md
+++ b/docs/content/en/integrations/source-code-repositories.md
@@ -7,18 +7,47 @@ weight: 5
Findings can have a filepath and a line number as the location of the vulnerability. This is typically set when scanning an application with a Static Application Security Test (SAST) tool. If the repository of the source code is specified in the Engagement, DefectDojo will present the filepath as a link and the user can navigate directly to the location of the vulnerability.
-## Setting the repository in the Engagement
+## Setting the repository in the Engagement and Test
-While editing the Engagement, users can set the URL of the repo. It needs to be the URL including the branch, e.g. https://github.com/DefectDojo/django-DefectDojo/tree/dev (GitHub) or https://gitlab.com/gitlab-org/gitlab/-/tree/master (GitLab).
+### Engagement
+While editing the Engagement, users can set the URL of the specific SCM repo.
+For Interactive Engagement it needs to be the URL including the branch:
+- for GitHub - like https://github.com/DefectDojo/django-DefectDojo/tree/dev
+![Edit Engagement (GitHub)](../../../static/images/source-code-repositories_1.png)
+- for GitLab - like https://gitlab.com/gitlab-org/gitlab/-/tree/master
+![Edit Engagement (Gitlab)](../../../static/images/source-code-repositories-gitlab_1.png)
+- for public BitBucket - like (like git clone url)
+![Edit Engagement (Bitbucket public)](../../../static/images/source-code-repositories-bitbucket_1.png)
+- for standalone/onpremise BitBucket https://bb.example.com/scm/some-project/some-repo.git or https://bb.example.com/scm/some-user-name/some-repo.git for user public repo (like git clone url)
+![Edit Engagement (Bitbucket standalone)](../../../static/images/source-code-repositories-bitbucket-onpremise_1.png)
+
+For CI/CD Engagement, where user could set commit hash, branch/tag and code line it should look like examples below:
+- for GitHub - like https://github.com/DefectDojo/django-DefectDojo
+- for GitLab - like https://gitlab.com/gitlab-org/gitlab
+- for public BitBucket - like https://bitbucket.org/some-user/some-project.git (like git clone url)
+- for standalone/onpremise BitBucket https://bb.example.com/scm/some-project.git or https://bb.example.com/scm/some-user-name/some-repo.git for user public repo (like git clone url)
+
+If user does not set commit hash or branch/tag in appropriate fields of CI/CD Engagement edit form, the URL should look like in Interactive Engagement edit form.
+
+SCM navigation URL is composed from Repo URL using SCM Type. Github/Gitlab SCM type is default, but user could set certain SCM type in Product custom field "scm-type".
+
+Product custom fields:
+
+![Product custom fields](../../../static/images/product-custom-fields_1.png)
+
+Product SCM type add:
+
+![Product scm type](../../../static/images/product-scm-type_1.png)
+
+Possible SCM types could be 'github', 'gitlab', 'bitbucket', 'bitbucket-standalone' or nothing (for default github).
-![Edit Engagement](../../images/source-code-repositories_1.png)
## Link in Finding
When viewing a finding, the location will be presented as a link, if the repository of the source code has been set in the Engagement:
-![Link to location](../../images/source-code-repositories_2.png)
+![Link to location](../../../static/images/source-code-repositories_2.png)
Clicking on this link will open a new tab in the browser, with the source file of the vulnerability at the corresponding line number:
-![View in repository](../../images/source-code-repositories_3.png)
+![View in repository](../../../static/images/source-code-repositories_3.png)
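Review bot: the public Bitbucket example in the Interactive Engagement list has no URL at all (`- for public BitBucket - like (like git clone url)`), and the standalone CI/CD example `https://bb.example.com/scm/some-project.git` drops the repo segment that both the Interactive example and the parser (`/scm/<project>/<repo>.git`) require; they should read `https://bitbucket.org/some-user/some-project.git` and `https://bb.example.com/scm/some-project/some-repo.git`. The default is also stated two ways: one paragraph says "Github/Gitlab SCM type is default", the last line says unset means GitHub. Only GitHub is the default in `get_scm_type()`, so say that and tell GitLab users to set `gitlab`. Wording: "onpremise" should be "on-premise", "user could set" should be "users can set", and the sentence about unset commit hash/branch reads better as: if neither commit hash nor branch/tag is set on a CI/CD Engagement, use the branch-qualified URL form shown for Interactive Engagements.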
diff --git a/docs/package-lock.json b/docs/package-lock.json
index 5f9df412924..3da14d5d770 100644
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
@@ -6,7 +6,7 @@
"": {
"devDependencies": {
"autoprefixer": "10.4.16",
- "postcss": "8.4.32",
+ "postcss": "8.4.33",
"postcss-cli": "10.1.0"
}
},
@@ -608,9 +608,9 @@
}
},
"node_modules/postcss": {
- "version": "8.4.32",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.32.tgz",
- "integrity": "sha512-D/kj5JNu6oo2EIy+XL/26JEDTlIbB8hw85G8StOE6L74RQAVVP5rej6wxCNqyMbR4RkPfqvezVbPw81Ngd6Kcw==",
+ "version": "8.4.33",
+ "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.33.tgz",
+ "integrity": "sha512-Kkpbhhdjw2qQs2O2DGX+8m5OVqEcbB9HRBvuYM9pgrjEFUg30A9LmXNlTAUj4S9kgtGyrMbTzVjH7E+s5Re2yg==",
"dev": true,
"funding": [
{
@@ -1382,9 +1382,9 @@
"dev": true
},
"postcss": {
- "version": "8.4.32",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.32.tgz",
- "integrity": "sha512-D/kj5JNu6oo2EIy+XL/26JEDTlIbB8hw85G8StOE6L74RQAVVP5rej6wxCNqyMbR4RkPfqvezVbPw81Ngd6Kcw==",
+ "version": "8.4.33",
+ "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.33.tgz",
+ "integrity": "sha512-Kkpbhhdjw2qQs2O2DGX+8m5OVqEcbB9HRBvuYM9pgrjEFUg30A9LmXNlTAUj4S9kgtGyrMbTzVjH7E+s5Re2yg==",
"dev": true,
"requires": {
"nanoid": "^3.3.7",
diff --git a/docs/package.json b/docs/package.json
index b3a5cc626a5..b457069379a 100644
--- a/docs/package.json
+++ b/docs/package.json
@@ -1,6 +1,6 @@
{
"devDependencies": {
- "postcss": "8.4.32",
+ "postcss": "8.4.33",
"autoprefixer": "10.4.16",
"postcss-cli": "10.1.0"
}
diff --git a/docs/static/images/product-custom-fields_1.png b/docs/static/images/product-custom-fields_1.png
new file mode 100644
index 00000000000..98ffc74fb27
Binary files /dev/null and b/docs/static/images/product-custom-fields_1.png differ
diff --git a/docs/static/images/product-scm-type_1.png b/docs/static/images/product-scm-type_1.png
new file mode 100644
index 00000000000..cd60414bb7c
Binary files /dev/null and b/docs/static/images/product-scm-type_1.png differ
diff --git a/docs/static/images/source-code-repositories-bitbucket-onpremise_1.png b/docs/static/images/source-code-repositories-bitbucket-onpremise_1.png
new file mode 100644
index 00000000000..6b333abbd36
Binary files /dev/null and b/docs/static/images/source-code-repositories-bitbucket-onpremise_1.png differ
diff --git a/docs/static/images/source-code-repositories-bitbucket_1.png b/docs/static/images/source-code-repositories-bitbucket_1.png
new file mode 100644
index 00000000000..d3e85d6b19b
Binary files /dev/null and b/docs/static/images/source-code-repositories-bitbucket_1.png differ
diff --git a/docs/static/images/source-code-repositories-gitlab_1.png b/docs/static/images/source-code-repositories-gitlab_1.png
new file mode 100644
index 00000000000..2aa43b63d1e
Binary files /dev/null and b/docs/static/images/source-code-repositories-gitlab_1.png differ
diff --git a/dojo/announcement/signals.py b/dojo/announcement/signals.py
index 8c61d4f4ad9..5b89d71d780 100644
--- a/dojo/announcement/signals.py
+++ b/dojo/announcement/signals.py
@@ -22,3 +22,16 @@ def add_announcement_to_new_user(sender, instance, **kwargs):
UserAnnouncement.objects.get_or_create(
user=dojo_user, announcement=announcement
)
+
+
+@receiver(post_save, sender=Announcement)
+def announcement_post_save(sender, instance, created, **kwargs):
+ if created:
+ UserAnnouncement.objects.bulk_create(
+ [
+ UserAnnouncement(
+ user=user_id, announcement=instance
+ )
+ for user_id in Dojo_User.objects.all()
+ ]
+ )
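Review bot: the loop variable in `for user_id in Dojo_User.objects.all()` is a `Dojo_User` instance, not an id, and it is assigned to the `user` foreign key; rename it to `user` so the intent is clear. This runs synchronously on every `Announcement` creation and materialises every user row; use `Dojo_User.objects.all().iterator()` and `bulk_create(..., batch_size=...)` to bound memory on large instances. The `if created:` guard correctly limits the fan-out to new announcements, matching the condition removed from the view.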
diff --git a/dojo/announcement/views.py b/dojo/announcement/views.py
index 8e9c155398a..2544dba3539 100644
--- a/dojo/announcement/views.py
+++ b/dojo/announcement/views.py
@@ -9,7 +9,7 @@
from dojo.utils import add_breadcrumb
from dojo.forms import AnnouncementCreateForm, AnnouncementRemoveForm
-from dojo.models import Announcement, UserAnnouncement, Dojo_User
+from dojo.models import Announcement, UserAnnouncement
from dojo.authorization.authorization_decorators import (
user_is_configuration_authorized,
)
@@ -50,15 +50,6 @@ def configure_announcement(request):
announcement.style = form.cleaned_data["style"]
announcement.dismissable = form.cleaned_data["dismissable"]
announcement.save()
- if created:
- UserAnnouncement.objects.bulk_create(
- [
- UserAnnouncement(
- user=user_id, announcement=announcement
- )
- for user_id in Dojo_User.objects.all()
- ]
- )
messages.add_message(
request,
messages.SUCCESS,
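Review bot: with the `UserAnnouncement` fan-out moved to the `post_save` signal, the `created` flag this block consumed is no longer referenced in the shown lines of `configure_announcement`; if nothing else uses it, drop it from the `get_or_create` unpacking to avoid an unused-variable lint warning. Behaviour is otherwise unchanged, since the signal only performs the fan-out when `created` is true.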
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
index 4801e8038e9..49e3486fe2c 100644
--- a/dojo/api_v2/serializers.py
+++ b/dojo/api_v2/serializers.py
@@ -86,6 +86,7 @@
Answered_Survey,
General_Survey,
Check_List,
+ Announcement,
)
from dojo.tools.factory import (
@@ -2130,6 +2131,10 @@ class ImportScanSerializer(serializers.Serializer):
product_type_id = serializers.IntegerField(read_only=True)
statistics = ImportStatisticsSerializer(read_only=True, required=False)
+ apply_tags_to_findings = serializers.BooleanField(
+ help_text="If set to True, the tags will be applied to the findings",
+ required=False,
+ )
def save(self, push_to_jira=False):
data = self.validated_data
@@ -2148,6 +2153,7 @@ def save(self, push_to_jira=False):
commit_hash = data.get("commit_hash", None)
api_scan_configuration = data.get("api_scan_configuration", None)
service = data.get("service", None)
+ apply_tags_to_findings = data.get("apply_tags_to_findings", False)
source_code_management_uri = data.get(
"source_code_management_uri", None
)
@@ -2240,6 +2246,7 @@ def save(self, push_to_jira=False):
service=service,
title=test_title,
create_finding_groups_for_all_findings=create_finding_groups_for_all_findings,
+ apply_tags_to_findings=apply_tags_to_findings,
)
if test:
@@ -2408,6 +2415,10 @@ class ReImportScanSerializer(TaggitSerializer, serializers.Serializer):
product_type_id = serializers.IntegerField(read_only=True)
statistics = ImportStatisticsSerializer(read_only=True, required=False)
+ apply_tags_to_findings = serializers.BooleanField(
+ help_text="If set to True, the tags will be applied to the findings",
+ required=False
+ )
def save(self, push_to_jira=False):
logger.debug("push_to_jira: %s", push_to_jira)
@@ -2420,6 +2431,7 @@ def save(self, push_to_jira=False):
close_old_findings_product_scope = data.get(
"close_old_findings_product_scope"
)
+ apply_tags_to_findings = data.get("apply_tags_to_findings", False)
do_not_reactivate = data.get("do_not_reactivate", False)
version = data.get("version", None)
build_id = data.get("build_id", None)
@@ -2520,6 +2532,7 @@ def save(self, push_to_jira=False):
service=service,
do_not_reactivate=do_not_reactivate,
create_finding_groups_for_all_findings=create_finding_groups_for_all_findings,
+ apply_tags_to_findings=apply_tags_to_findings,
)
if test_import:
@@ -2957,6 +2970,9 @@ class NotificationsSerializer(serializers.ModelSerializer):
sla_breach = MultipleChoiceField(
choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION
)
+ sla_breach_combined = MultipleChoiceField(
+ choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION
+ )
risk_acceptance_expiration = MultipleChoiceField(
choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION
)
@@ -3147,3 +3163,20 @@ class QuestionnaireGeneralSurveySerializer(serializers.ModelSerializer):
class Meta:
model = General_Survey
fields = "__all__"
+
+
+class AnnouncementSerializer(serializers.ModelSerializer):
+
+ class Meta:
+ model = Announcement
+ fields = "__all__"
+
+ def create(self, validated_data):
+ validated_data["id"] = 1
+ try:
+ return super().create(validated_data)
+ except IntegrityError as e:
+ if 'duplicate key value violates unique constraint "dojo_announcement_pkey"' in str(e):
+ raise serializers.ValidationError("No more than one Announcement is allowed")
+ else:
+ raise
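Review bot: the duplicate-key detection in `AnnouncementSerializer.create` matches a PostgreSQL-specific message (`duplicate key value violates unique constraint "dojo_announcement_pkey"`), but this repo also ships MySQL profiles (`defectdojo_data:/var/lib/mysql`, `mysql-rabbitmq`), where the same violation reads `Duplicate entry '1' for key 'PRIMARY'` and falls through to the bare `raise` as a 500 instead of the intended 400. Check `Announcement.objects.exists()` before calling `super().create`, or catch `IntegrityError` without inspecting the message, and confirm `IntegrityError` is imported from `django.db` in this module (the import block is not in the hunk). Pinning `validated_data["id"] = 1` is a reasonable singleton guard but deserves a comment saying why the pk is fixed, since the same value is assumed by the `dojo.announcement` fixture.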
diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
index 5f1d662e4e2..47415125c24 100644
--- a/dojo/api_v2/views.py
+++ b/dojo/api_v2/views.py
@@ -82,6 +82,7 @@
Answered_Survey,
General_Survey,
Check_List,
+ Announcement,
)
from dojo.endpoint.views import get_endpoint_ids
from dojo.reports.views import (
@@ -3777,3 +3778,14 @@ class QuestionnaireAnsweredSurveyViewSet(
],
serializers.QuestionnaireAnsweredSurveySerializer,
).to_schema()
+
+
+# Authorization: configuration
+class AnnouncementViewSet(
+ DojoModelViewSet
+):
+ serializer_class = serializers.AnnouncementSerializer
+ queryset = Announcement.objects.all()
+ filter_backends = (DjangoFilterBackend,)
+ filterset_fields = "__all__"
+ permission_classes = (permissions.UserHasConfigurationPermissionStaff,)
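Review bot: this viewset exposes create, update and delete of the site-wide banner over the API, and `Announcement.message` allows basic HTML and is shown to every authenticated user (per the model's help text), so the API must not be a weaker route than the UI. Confirm `permissions.UserHasConfigurationPermissionStaff` enforces the same permission as the `user_is_configuration_authorized` decorator on `configure_announcement`, and that whatever sanitises the message when the banner is rendered applies to API-created content too. The router registration and API docs for `AnnouncementViewSet` are not in the shown diff; check they exist. `filterset_fields = "__all__"` is fine for the three simple fields here.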
diff --git a/dojo/db_migrations/0195_alter_announcement_dismissable.py b/dojo/db_migrations/0195_alter_announcement_dismissable.py
new file mode 100644
index 00000000000..0896390bae2
--- /dev/null
+++ b/dojo/db_migrations/0195_alter_announcement_dismissable.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.1.13 on 2023-12-05 12:53
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('dojo', '0194_alter_finding_component_name'),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name='announcement',
+ name='dismissable',
+ field=models.BooleanField(blank=True, default=False, help_text='Ticking this box allows users to dismiss the current announcement', verbose_name='Dismissable?'),
+ ),
+ ]
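Review bot: this `AlterField` drops `null=True` from `Announcement.dismissable` (the current model definition still has `null=True`), so an existing row holding NULL must be converted. Django's schema editor does apply `default=False` to existing NULLs when a field goes from nullable to non-nullable with a default, but run the migration once against a database whose announcement row has `dismissable` NULL; the table is a singleton and a failure here blocks the whole upgrade.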
diff --git a/dojo/db_migrations/0196_notifications_sla_breach_combined.py b/dojo/db_migrations/0196_notifications_sla_breach_combined.py
new file mode 100644
index 00000000000..f37cf6fda3f
--- /dev/null
+++ b/dojo/db_migrations/0196_notifications_sla_breach_combined.py
@@ -0,0 +1,19 @@
+# Generated by Django 4.1.10 on 2023-09-12 11:29
+
+from django.db import migrations
+import multiselectfield.db.fields
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('dojo', '0195_alter_announcement_dismissable'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='notifications',
+ name='sla_breach_combined',
+ field=multiselectfield.db.fields.MultiSelectField(blank=True, choices=[('slack', 'slack'), ('msteams', 'msteams'), ('mail', 'mail'), ('alert', 'alert')], default=('alert', 'alert'), help_text='Get notified of (upcoming) SLA breaches (a message per project)', max_length=24, verbose_name='SLA breach (combined)'),
+ ),
+ ]
diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py
index 635248f0f2e..45b45833e0b 100644
--- a/dojo/engagement/views.py
+++ b/dojo/engagement/views.py
@@ -670,6 +670,7 @@ def post(self, request, eid=None, pid=None):
api_scan_configuration = form.cleaned_data.get('api_scan_configuration', None)
service = form.cleaned_data.get('service', None)
close_old_findings = form.cleaned_data.get('close_old_findings', None)
+ apply_tags_to_findings = form.cleaned_data.get('apply_tags_to_findings', False)
# close_old_findings_prodct_scope is a modifier of close_old_findings.
# If it is selected, close_old_findings should also be selected.
close_old_findings_product_scope = form.cleaned_data.get('close_old_findings_product_scope', None)
@@ -736,7 +737,7 @@ def post(self, request, eid=None, pid=None):
minimum_severity=minimum_severity, endpoints_to_add=list(form.cleaned_data['endpoints']) + added_endpoints, scan_date=scan_date,
version=version, branch_tag=branch_tag, build_id=build_id, commit_hash=commit_hash, push_to_jira=push_to_jira,
close_old_findings=close_old_findings, close_old_findings_product_scope=close_old_findings_product_scope, group_by=group_by, api_scan_configuration=api_scan_configuration, service=service,
- create_finding_groups_for_all_findings=create_finding_groups_for_all_findings)
+ create_finding_groups_for_all_findings=create_finding_groups_for_all_findings, apply_tags_to_findings=apply_tags_to_findings)
message = f'{scan_type} processed a total of {finding_count} findings'
diff --git a/dojo/fixtures/dojo_testdata.json b/dojo/fixtures/dojo_testdata.json
index 6faa265e73e..62486cb90cf 100644
--- a/dojo/fixtures/dojo_testdata.json
+++ b/dojo/fixtures/dojo_testdata.json
@@ -170,6 +170,54 @@
"content_type": 3
}
},
+ {
+ "model": "auditlog.logentry",
+ "pk": 803,
+ "fields": {
+ "content_type": 28,
+ "object_pk": "1",
+ "object_id": 1,
+ "object_repr": "BodgeIt",
+ "action": 0,
+ "changes": "{\"product\": [\"None\", \"dojo.Cred_Mapping.None\"], \"product_meta\": [\"None\", \"dojo.DojoMeta.None\"], \"name\": [\"None\", \"BodgeIt\"], \"description\": [\"None\", \"[Features](https://github.com/psiinon/bodgeit) and characteristics:\\r\\n\\r\\n* Easy to install - just requires java and a servlet engine, e.g. Tomcat\\r\\n* Self contained (no additional dependencies other than to 2 in the above line)\\r\\n* Easy to change on the fly - all the functionality is implemented in JSPs, so no IDE required\\r\\n* Cross platform\\r\\n* Open source\\r\\n* No separate db to install and configure - it uses an 'in memory' db that is automatically (re)initialized on start up\"], \"product_manager\": [\"None\", \"(admin)\"], \"technical_contact\": [\"None\", \"(user2)\"], \"team_manager\": [\"None\", \"(product_manager)\"], \"prod_type\": [\"None\", \"Commerce\"], \"id\": [\"None\", \"1\"], \"tid\": [\"None\", \"0\"], \"prod_numeric_grade\": [\"None\", \"5\"], \"business_criticality\": [\"None\", \"high\"], \"platform\": [\"None\", \"web\"], \"lifecycle\": [\"None\", \"production\"], \"origin\": [\"None\", \"internal\"], \"user_records\": [\"None\", \"1000000000\"], \"revenue\": [\"None\", \"1000.00\"], \"external_audience\": [\"None\", \"True\"], \"internet_accessible\": [\"None\", \"True\"], \"enable_simple_risk_acceptance\": [\"None\", \"False\"], \"enable_full_risk_acceptance\": [\"None\", \"True\"]}",
+ "actor": null,
+ "remote_addr": null,
+ "timestamp": "2021-10-22T01:24:54.921Z",
+ "additional_data": null
+ }
+ },
+ {
+ "model": "auditlog.logentry",
+ "pk": 804,
+ "fields": {
+ "content_type": 28,
+ "object_pk": "2",
+ "object_id": 2,
+ "object_repr": "Internal CRM App",
+ "action": 0,
+ "changes": "{\"product\": [\"None\", \"dojo.Cred_Mapping.None\"], \"product_meta\": [\"None\", \"dojo.DojoMeta.None\"], \"name\": [\"None\", \"Internal CRM App\"], \"description\": [\"None\", \"* New product in development that attempts to follow all best practices\"], \"product_manager\": [\"None\", \"(product_manager)\"], \"technical_contact\": [\"None\", \"(product_manager)\"], \"team_manager\": [\"None\", \"(user2)\"], \"prod_type\": [\"None\", \"Commerce\"], \"id\": [\"None\", \"2\"], \"tid\": [\"None\", \"0\"], \"business_criticality\": [\"None\", \"medium\"], \"platform\": [\"None\", \"web\"], \"lifecycle\": [\"None\", \"construction\"], \"origin\": [\"None\", \"internal\"], \"external_audience\": [\"None\", \"False\"], \"internet_accessible\": [\"None\", \"False\"], \"enable_simple_risk_acceptance\": [\"None\", \"False\"], \"enable_full_risk_acceptance\": [\"None\", \"True\"]}",
+ "actor": null,
+ "remote_addr": null,
+ "timestamp": "2021-10-22T01:24:55.044Z",
+ "additional_data": null
+ }
+ },
+ {
+ "model": "auditlog.logentry",
+ "pk": 805,
+ "fields": {
+ "content_type": 28,
+ "object_pk": "3",
+ "object_id": 3,
+ "object_repr": "Apple Accounting Software",
+ "action": 0,
+ "changes": "{\"product\": [\"None\", \"dojo.Cred_Mapping.None\"], \"product_meta\": [\"None\", \"dojo.DojoMeta.None\"], \"name\": [\"None\", \"Apple Accounting Software\"], \"description\": [\"None\", \"Accounting software is typically composed of various modules, different sections dealing with particular areas of accounting. Among the most common are:\\r\\n\\r\\n**Core modules**\\r\\n\\r\\n* Accounts receivable\\u2014where the company enters money received\\r\\n* Accounts payable\\u2014where the company enters its bills and pays money it owes\\r\\n* General ledger\\u2014the company's \\\"books\\\"\\r\\n* Billing\\u2014where the company produces invoices to clients/customers\"], \"product_manager\": [\"None\", \"(admin)\"], \"technical_contact\": [\"None\", \"(user2)\"], \"team_manager\": [\"None\", \"(user2)\"], \"prod_type\": [\"None\", \"Billing\"], \"id\": [\"None\", \"3\"], \"tid\": [\"None\", \"0\"], \"business_criticality\": [\"None\", \"high\"], \"platform\": [\"None\", \"web\"], \"lifecycle\": [\"None\", \"production\"], \"origin\": [\"None\", \"purchased\"], \"user_records\": [\"None\", \"5000\"], \"external_audience\": [\"None\", \"True\"], \"internet_accessible\": [\"None\", \"False\"], \"enable_simple_risk_acceptance\": [\"None\", \"False\"], \"enable_full_risk_acceptance\": [\"None\", \"True\"]}",
+ "actor": null,
+ "remote_addr": null,
+ "timestamp": "2021-10-22T01:24:55.071Z",
+ "additional_data": null
+ }
+ },
{
"pk": 1,
"model": "dojo.system_settings",
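Review bot: the three new `auditlog.logentry` rows reference `"content_type": 28` by numeric pk. `ContentType` ids are assigned at migrate time and are not stable across databases, so the fixture silently points at the wrong model if the content-type table is populated in a different order. Dump with `--natural-foreign` so the value becomes `"content_type": ["dojo", "product"]`. The existing `"content_type": 3` rows above have the same problem; don't add more of them.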
@@ -2988,5 +3036,14 @@
"is_authn_provider": false,
"url": "https://google.com"
}
+ },
+ {
+ "model": "dojo.announcement",
+ "pk": 1,
+ "fields": {
+ "message": "test message",
+ "dismissable": true,
+ "style": "danger"
+ }
}
]
\ No newline at end of file
diff --git a/dojo/forms.py b/dojo/forms.py
index e2d31684fca..fd2b6844ec3 100755
--- a/dojo/forms.py
+++ b/dojo/forms.py
@@ -471,6 +471,12 @@ class ImportScanForm(forms.Form):
label="Close old findings within this product",
required=False,
initial=False)
+ apply_tags_to_findings = forms.BooleanField(
+ help_text="If set to True, the tags will be applied to the findings",
+ label="Apply Tags to Findings",
+ required=False,
+ initial=False
+ )
if is_finding_groups_enabled():
group_by = forms.ChoiceField(required=False, choices=Finding_Group.GROUP_BY_OPTIONS, help_text='Choose an option to automatically group new findings by the chosen option.')
@@ -557,6 +563,12 @@ class ReImportScanForm(forms.Form):
api_scan_configuration = forms.ModelChoiceField(Product_API_Scan_Configuration.objects, required=False, label='API Scan Configuration')
service = forms.CharField(max_length=200, required=False, help_text="A service is a self-contained piece of functionality within a Product. This is an optional field which is used in deduplication of findings when set.")
source_code_management_uri = forms.URLField(max_length=600, required=False, help_text="Resource link to source code")
+ apply_tags_to_findings = forms.BooleanField(
+ help_text="If set to True, the tags will be applied to the findings",
+ label="Apply Tags to Findings",
+ required=False,
+ initial=False
+ )
if is_finding_groups_enabled():
group_by = forms.ChoiceField(required=False, choices=Finding_Group.GROUP_BY_OPTIONS, help_text='Choose an option to automatically group new findings by the chosen option')
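Review bot: `apply_tags_to_findings` is added to `ReImportScanForm`, but the only view wiring in this diff is `dojo/engagement/views.py` for `ImportScanForm`; the reimport view that consumes this form is not among the shown changes. Confirm it reads `form.cleaned_data.get('apply_tags_to_findings', False)` and passes it to `reimport_scan`, otherwise the checkbox is rendered but ignored on the UI path. The help text "the tags will be applied to the findings" should also say which tags: the Test tags entered on this form.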
@@ -2592,11 +2604,12 @@ def __init__(self, *args, **kwargs):
self.initial['test_added'] = ''
self.initial['scan_added'] = ''
self.initial['sla_breach'] = ''
+ self.initial['sla_breach_combined'] = ''
self.initial['risk_acceptance_expiration'] = ''
class Meta:
model = Notifications
- fields = ['engagement_added', 'close_engagement', 'test_added', 'scan_added', 'sla_breach', 'risk_acceptance_expiration']
+ fields = ['engagement_added', 'close_engagement', 'test_added', 'scan_added', 'sla_breach', 'sla_breach_combined', 'risk_acceptance_expiration']
class AjaxChoiceField(forms.ChoiceField):
@@ -2932,16 +2945,9 @@ def clean(self):
class AnnouncementCreateForm(forms.ModelForm):
- dismissable = forms.BooleanField(
- label=_('Dismissable?'),
- initial=False,
- required=False,
- help_text=_('Ticking this box allows users to dismiss the current announcement')
- )
-
class Meta:
model = Announcement
- fields = ['message', 'style']
+ fields = "__all__"
class AnnouncementRemoveForm(AnnouncementCreateForm):
diff --git a/dojo/importers/importer/importer.py b/dojo/importers/importer/importer.py
index e9508d5ec18..baed2c8d421 100644
--- a/dojo/importers/importer/importer.py
+++ b/dojo/importers/importer/importer.py
@@ -244,7 +244,7 @@ def close_old_findings(self, test, scan_date_time, user, push_to_jira=None, serv
def import_scan(self, scan, scan_type, engagement, lead, environment, active=None, verified=None, tags=None, minimum_severity=None,
user=None, endpoints_to_add=None, scan_date=None, version=None, branch_tag=None, build_id=None,
commit_hash=None, push_to_jira=None, close_old_findings=False, close_old_findings_product_scope=False,
- group_by=None, api_scan_configuration=None, service=None, title=None, create_finding_groups_for_all_findings=True):
+ group_by=None, api_scan_configuration=None, service=None, title=None, create_finding_groups_for_all_findings=True, apply_tags_to_findings=False):
logger.debug(f'IMPORT_SCAN: parameters: {locals()}')
@@ -363,6 +363,10 @@ def import_scan(self, scan, scan_type, engagement, lead, environment, active=Non
test_import = importer_utils.update_import_history(Test_Import.IMPORT_TYPE, active, verified, tags, minimum_severity,
endpoints_to_add, version, branch_tag, build_id, commit_hash,
push_to_jira, close_old_findings, test, new_findings, closed_findings)
+ if apply_tags_to_findings and tags:
+ for finding in test_import.findings_affected.all():
+ for tag in tags:
+ finding.tags.add(tag)
logger.debug('IMPORT_SCAN: Generating notifications')
notifications_helper.notify_test_created(test)
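Review bot: `test_import.findings_affected.all()` is dereferenced unconditionally, yet the API serializer guards the value it gets back with `if test_import:`, which indicates `update_import_history` can return `None` (for example when import-history tracking is off); guard here too or the import raises `AttributeError` after the findings are already saved. The nested loop issues one query per (finding, tag); `finding.tags.add(*tags)` does it in one call per finding. Note also that `findings_affected` for an import includes `closed_findings`, so findings closed by `close_old_findings` receive the new tags as well; if only new findings should be tagged, iterate `new_findings` instead.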
diff --git a/dojo/importers/reimporter/reimporter.py b/dojo/importers/reimporter/reimporter.py
index a31d3673c7d..39db0d7e3e0 100644
--- a/dojo/importers/reimporter/reimporter.py
+++ b/dojo/importers/reimporter/reimporter.py
@@ -42,6 +42,7 @@ def process_parsed_findings(
scan_date=None,
do_not_reactivate=False,
create_finding_groups_for_all_findings=True,
+ apply_tags_to_findings=False,
**kwargs,
):
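Review bot: `apply_tags_to_findings` is added to the `process_parsed_findings` signature, but nothing in this function's shown changes uses it; the tagging is done in `reimport_scan`. If the parameter exists only so the caller can pass it through without it landing in `**kwargs`, add a one-line comment saying so; otherwise drop it to avoid a dead parameter.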
@@ -111,7 +112,6 @@ def process_parsed_findings(
findings = reimporter_utils.match_new_finding_to_existing_finding(
item, test, deduplication_algorithm
)
-
deduplicationLogger.debug(
"found %i findings matching with current new finding", len(findings)
)
@@ -571,6 +571,7 @@ def reimport_scan(
service=None,
do_not_reactivate=False,
create_finding_groups_for_all_findings=True,
+ apply_tags_to_findings=False,
):
logger.debug(f"REIMPORT_SCAN: parameters: {locals()}")
@@ -741,7 +742,10 @@ def reimport_scan(
reactivated_findings,
untouched_findings,
)
-
+ if apply_tags_to_findings and tags:
+ for finding in test_import.findings_affected.all():
+ for tag in tags:
+ finding.tags.add(tag)
logger.debug("REIMPORT_SCAN: Generating notifications")
updated_count = (
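Review bot: `test_import` is dereferenced without a `None` check even though the reimport serializer checks `if test_import:` on the value it receives from this function, so guard before `.findings_affected`. The inner loop should be `finding.tags.add(*tags)` rather than one `add` per tag. More importantly, `findings_affected` on a reimport spans new, closed, reactivated and untouched findings, so an untouched finding accumulates the tags of every subsequent reimport; either say so in the help text or restrict tagging to `new_findings` and `reactivated_findings`. The removed blank line before this block is unrelated whitespace churn.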
diff --git a/dojo/models.py b/dojo/models.py
index 27e17e19c72..71c6f7ad2df 100755
--- a/dojo/models.py
+++ b/dojo/models.py
@@ -3023,26 +3023,125 @@ def get_file_path_with_link(self):
link = self.get_file_path_with_raw_link()
return create_bleached_link(link, self.file_path)
+ def get_scm_type(self):
+ # extract scm type from product custom field 'scm-type'
+
+ if hasattr(self.test.engagement, 'product'):
+ dojo_meta = DojoMeta.objects.filter(product=self.test.engagement.product, name='scm-type').first()
+ if dojo_meta:
+ st = dojo_meta.value.strip()
+ if st:
+ return st.lower()
+ return 'github'
+
+ def bitbucket_public_prepare_scm_base_link(self, uri):
+ # bitbucket public (https://bitbucket.org) url template for browse is:
+ # https://bitbucket.org//
+ # but when you get repo url for git, its template is:
+ # https://bitbucket.org//.git
+ # so to create browser url - git url should be recomposed like below:
+
+ parts_uri = uri.split('.git')
+ return parts_uri[0]
+
+ def bitbucket_public_prepare_scm_link(self, uri):
+ # if commit hash or branch/tag is set for engagement/test -
+ # hash or branch/tag should be appended to base browser link
+
+ link = self.bitbucket_public_prepare_scm_base_link(uri)
+ if self.test.commit_hash:
+ link += '/src/' + self.test.commit_hash + '/' + self.file_path
+ elif self.test.engagement.commit_hash:
+ link += '/src/' + self.test.engagement.commit_hash + '/' + self.file_path
+ elif self.test.branch_tag:
+ link += '/src/' + self.test.branch_tag + '/' + self.file_path
+ elif self.test.engagement.branch_tag:
+ link += '/src/' + self.test.engagement.branch_tag + '/' + self.file_path
+ else:
+ link += '/src/master/' + self.file_path
+
+ return link
+
+ def bitbucket_standalone_prepare_scm_base_link(self, uri):
+ # bitbucket onpremise/standalone url template for browse is:
+ # https://bb.example.com/projects//repos/
+ # but when you get repo url for git, its template is:
+ # https://bb.example.com/scm//.git
+ # or for user public repo^
+ # https://bb.example.com/users//repos/
+ # but when you get repo url for git, its template is:
+ # https://bb.example.com/scm//.git (username often could be prefixed with ~)
+ # so to create borwser url - git url should be recomposed like below:
+
+ parts_uri = uri.split('.git')
+ parts_scm = parts_uri[0].split('/scm/')
+ parts_project = parts_scm[1].split('/')
+ project = parts_project[0]
+ if project.startswith('~'):
+ return parts_scm[0] + '/users/' + parts_project[0][1:] + '/repos/' + parts_project[1] + '/browse'
+ else:
+ return parts_scm[0] + '/projects/' + parts_project[0] + '/repos/' + parts_project[1] + '/browse'
+
+ def bitbucket_standalone_prepare_scm_link(self, uri):
+ # if commit hash or branch/tag is set for engagement/test -
+ # hash or barnch/tag should be appended to base browser link
+
+ link = self.bitbucket_standalone_prepare_scm_base_link(uri)
+ if self.test.commit_hash:
+ link += '/' + self.file_path + '?at=' + self.test.commit_hash
+ elif self.test.engagement.commit_hash:
+ link += '/' + self.file_path + '?at=' + self.test.engagement.commit_hash
+ elif self.test.branch_tag:
+ link += '/' + self.file_path + '?at=' + self.test.branch_tag
+ elif self.test.engagement.branch_tag:
+ link += '/' + self.file_path + '?at=' + self.test.engagement.branch_tag
+ else:
+ link += '/' + self.file_path
+
+ return link
+
+ def github_prepare_scm_link(self, uri):
+ link = uri
+
+ if self.test.commit_hash:
+ link += '/blob/' + self.test.commit_hash + '/' + self.file_path
+ elif self.test.engagement.commit_hash:
+ link += '/blob/' + self.test.engagement.commit_hash + '/' + self.file_path
+ elif self.test.branch_tag:
+ link += '/blob/' + self.test.branch_tag + '/' + self.file_path
+ elif self.test.engagement.branch_tag:
+ link += '/blob/' + self.test.engagement.branch_tag + '/' + self.file_path
+ else:
+ link += '/' + self.file_path
+
+ return link
+
def get_file_path_with_raw_link(self):
if self.file_path is None:
return None
+
link = self.test.engagement.source_code_management_uri
- if (self.test.engagement.source_code_management_uri is not None
- and "https://github.com/" in self.test.engagement.source_code_management_uri):
- if self.test.commit_hash:
- link += '/blob/' + self.test.commit_hash + '/' + self.file_path
- elif self.test.engagement.commit_hash:
- link += '/blob/' + self.test.engagement.commit_hash + '/' + self.file_path
- elif self.test.branch_tag:
- link += '/blob/' + self.test.branch_tag + '/' + self.file_path
- elif self.test.engagement.branch_tag:
- link += '/blob/' + self.test.engagement.branch_tag + '/' + self.file_path
+ scm_type = self.get_scm_type()
+ if (self.test.engagement.source_code_management_uri is not None):
+ if scm_type == 'github' or ("https://github.com/" in self.test.engagement.source_code_management_uri):
+ link = self.github_prepare_scm_link(link)
+ elif scm_type == 'bitbucket-standalone':
+ link = self.bitbucket_standalone_prepare_scm_link(link)
+ elif scm_type == 'bitbucket':
+ link = self.bitbucket_public_prepare_scm_link(link)
else:
link += '/' + self.file_path
else:
link += '/' + self.file_path
+
+ # than - add line part to browser url
if self.line:
- link = link + '#L' + str(self.line)
+ if scm_type == 'github' or scm_type == 'gitlab':
+ link = link + '#L' + str(self.line)
+ elif scm_type == 'bitbucket-standalone':
+ link = link + '#' + str(self.line)
+ elif scm_type == 'bitbucket':
+ link = link + '#lines-' + str(self.line)
return link
def get_references_with_links(self):
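Review bot: `bitbucket_standalone_prepare_scm_base_link` indexes `parts_scm[1]` and `parts_project[1]` without checking that the splits produced them, so a `source_code_management_uri` with no `/scm/` segment or no repository slug raises IndexError out of `get_file_path_with_raw_link` instead of falling back to the plain `link + '/' + self.file_path` path that the `else` branches provide. Suggest a length check on both split results (or a regex with an explicit match test) and returning the uri unchanged on mismatch. The comments in this hunk also carry typos worth fixing before merge: 'borwser' -> 'browser', 'barnch' -> 'branch', and '# than - add line part to browser url' -> '# then add the line part to the browser url'.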
@@ -3498,9 +3597,14 @@ class Announcement(models.Model):
message = models.CharField(max_length=500,
help_text=_("This dismissable message will be displayed on all pages for authenticated users. It can contain basic html tags, for example https://example.com"),
default='')
- dismissable = models.BooleanField(default=False, null=True, blank=True)
style = models.CharField(max_length=64, choices=ANNOUNCEMENT_STYLE_CHOICES, default='info',
help_text=_("The style of banner to display. (info, success, warning, danger)"))
+ dismissable = models.BooleanField(default=False,
+ null=False,
+ blank=True,
+ verbose_name=_('Dismissable?'),
+ help_text=_('Ticking this box allows users to dismiss the current announcement'),
+ )
class UserAnnouncement(models.Model):
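Review bot: `dismissable` moves from `null=True` to `null=False`, which needs a schema migration that backfills existing NULL rows (to False, matching `default=False`) before the NOT NULL constraint is applied; confirm that the migration shipped with this change does so, otherwise the upgrade fails on installs that already have an announcement stored.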
@@ -3784,6 +3888,9 @@ class Notifications(models.Model):
risk_acceptance_expiration = MultiSelectField(choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION, blank=True,
verbose_name=_('Risk Acceptance Expiration'),
help_text=_('Get notified of (upcoming) Risk Acceptance expiries'))
+ sla_breach_combined = MultiSelectField(choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION, blank=True,
+ verbose_name=_('SLA breach (combined)'),
+ help_text=_('Get notified of (upcoming) SLA breaches (a message per project)'))
class Meta:
constraints = [
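Review bot: the help text for `sla_breach_combined` says 'a message per project', while the model and the rest of DefectDojo use 'product', and the combined notification in `dojo/utils.py` is keyed by product type and product; suggest 'one message per product'. The new field also needs a migration and has to be added wherever the other notification fields are enumerated (forms, serializers, notification templates), not only in `merge_notifications_list`.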
@@ -3823,6 +3930,7 @@ def merge_notifications_list(cls, notifications_list):
result.review_requested = merge_sets_safe(result.review_requested, notifications.review_requested)
result.other = merge_sets_safe(result.other, notifications.other)
result.sla_breach = merge_sets_safe(result.sla_breach, notifications.sla_breach)
+ result.sla_breach_combined = merge_sets_safe(result.sla_breach_combined, notifications.sla_breach_combined)
result.risk_acceptance_expiration = merge_sets_safe(result.risk_acceptance_expiration, notifications.risk_acceptance_expiration)
return result
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 33f0f0c12bf..ec105309fbb 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -223,7 +223,8 @@
DD_EDITABLE_MITIGATED_DATA=(bool, False),
# new feature that tracks history across multiple reimports for the same test
DD_TRACK_IMPORT_HISTORY=(bool, True),
-
+ # Delete Auditlogs older than x month; -1 to keep all logs
+ DD_AUDITLOG_FLUSH_RETENTION_PERIOD=(int, -1),
# Allow grouping of findings in the same test, for example to group findings per dependency
# DD_FEATURE_FINDING_GROUPS feature is moved to system_settings, will be removed from settings file
DD_FEATURE_FINDING_GROUPS=(bool, True),
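Review bot: the comment on `DD_AUDITLOG_FLUSH_RETENTION_PERIOD` should state the unit and the edge cases: the value is in months ('older than x months'), `-1` (the default) disables flushing, and `0` deletes every entry dated before today, because the task computes `date.today() - relativedelta(months=retention_period)` and deletes entries whose `timestamp__date` is before that date.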
@@ -1131,6 +1132,10 @@ def saml2_attrib_map_format(dict):
'schedule': timedelta(minutes=1),
'args': [timedelta(minutes=1)]
},
+ 'flush_auditlog': {
+ 'task': 'dojo.tasks.flush_auditlog',
+ 'schedule': timedelta(hours=8),
+ },
'update-findings-from-source-issues': {
'task': 'dojo.tools.tool_issue_updater.update_findings_from_source_issues',
'schedule': timedelta(hours=3),
@@ -1225,7 +1230,7 @@ def saml2_attrib_map_format(dict):
'Acunetix360 Scan': ['title', 'description'],
'Terrascan Scan': ['vuln_id_from_tool', 'title', 'severity', 'file_path', 'line', 'component_name'],
'Trivy Operator Scan': ['title', 'severity', 'vulnerability_ids'],
- 'Trivy Scan': ['title', 'severity', 'vulnerability_ids', 'cwe'],
+ 'Trivy Scan': ['title', 'severity', 'vulnerability_ids', 'cwe', 'description'],
'TFSec Scan': ['severity', 'vuln_id_from_tool', 'file_path', 'line'],
'Snyk Scan': ['vuln_id_from_tool', 'file_path', 'component_name', 'component_version'],
'GitLab Dependency Scanning Report': ['title', 'vulnerability_ids', 'file_path', 'component_name', 'component_version'],
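Review bot: adding `description` to the Trivy hash-code fields changes the dedupe key of every existing Trivy finding, so findings imported before this change will no longer match on re-import until their hash codes are recomputed; this belongs in the upgrade notes for the release. Description text is also supplied by the scanner and can change between Trivy versions, in which case the same vulnerability would be re-created as a new finding rather than matched.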
@@ -1699,4 +1704,8 @@ def saml2_attrib_map_format(dict):
# Dictates whether cloud banner is created or not
CREATE_CLOUD_BANNER = env('DD_CREATE_CLOUD_BANNER')
+# ------------------------------------------------------------------------------
+# Auditlog
+# ------------------------------------------------------------------------------
+AUDITLOG_FLUSH_RETENTION_PERIOD = env('DD_AUDITLOG_FLUSH_RETENTION_PERIOD')
ENABLE_AUDITLOG = env('DD_ENABLE_AUDITLOG')
diff --git a/dojo/tasks.py b/dojo/tasks.py
index eaf47986807..50d48049a80 100644
--- a/dojo/tasks.py
+++ b/dojo/tasks.py
@@ -1,5 +1,7 @@
import logging
-from datetime import timedelta
+from auditlog.models import LogEntry
+from datetime import timedelta, date
+from dateutil.relativedelta import relativedelta
from django.db.models import Count, Prefetch
from django.conf import settings
from django.urls import reverse
@@ -86,6 +88,26 @@ def cleanup_alerts(*args, **kwargs):
logger.info('total number of alerts deleted: %s', total_deleted_count)
+@app.task(bind=True)
+def flush_auditlog(*args, **kwargs):
+ retention_period = settings.AUDITLOG_FLUSH_RETENTION_PERIOD
+
+ if retention_period < 0:
+ logger.info("Flushing auditlog is disabled")
+ return
+
+ logger.info("Running Cleanup Task for Logentries with %d Months retention", retention_period)
+ retention_date = date.today() - relativedelta(months=retention_period)
+ subset = LogEntry.objects.filter(timestamp__date__lt=retention_date)
+ event_count = subset.count()
+ logger.debug("Initially received %d Logentries", event_count)
+ if event_count > 0:
+ subset._raw_delete(subset.db)
+ logger.debug('Total number of audit log entries deleted: %s', event_count)
+ else:
+ logger.debug('No outdated Logentries found')
+
+
@app.task(bind=True)
def async_dupe_delete(*args, **kwargs):
try:
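Review bot: `flush_auditlog` removes security audit records through the private `QuerySet._raw_delete`, which bypasses model `delete()`, signals and cascades, and it logs the result at DEBUG using a `count()` taken before the delete rather than the number of rows actually removed. Since destruction of audit entries is itself a security-relevant event, log the retention date and the real row count at INFO (`_raw_delete` returns the row count, so `deleted = subset._raw_delete(subset.db)`), and add a comment explaining why `_raw_delete` is preferred over `subset.delete()` here (presumably to avoid loading every entry into memory).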
diff --git a/dojo/templates/notifications/mail/sla_breach_combined.tpl b/dojo/templates/notifications/mail/sla_breach_combined.tpl
new file mode 100644
index 00000000000..5b88a656e27
--- /dev/null
+++ b/dojo/templates/notifications/mail/sla_breach_combined.tpl
@@ -0,0 +1,72 @@
+{% load i18n %}
+{% load navigation_tags %}
+{% load display_tags %}
+
+
+ {% autoescape on %}
+ {% trans "Hello" %} {{ user.get_full_name }},
+
+ {% trans "Product summary" %}:
+
+ - {% trans "name" %}: {{ product.name }}
+ - {% trans "product type" %}: {{ product.prod_type }}
+ - {% trans "team manager" %}: {{ product.team_manager }}
+ - {% trans "product manager" %}: {{ product.product_manager }}
+ - {% trans "technical contact" %}: {{ product.technical_contact }}
+
+
+
+ {% if breach_kind == 'breached' %}
+ {% blocktranslate trimmed %}
+ These security findings have breached their SLA:
+ {% endblocktranslate %}
+ {% elif breach_kind == 'prebreach' %}
+ {% blocktranslate trimmed %}
+ These security findings are about to breach their SLA:
+ {% endblocktranslate %}
+ {% elif breach_kind == 'breaching' %}
+ {% blocktranslate trimmed %}
+ These security findings breaching their SLA today:
+ {% endblocktranslate %}
+ {% else %}
+ This should not happen, check 'breach_kind' and 'kind' properties value in the source code.
+ {% endif %}
+
+
+ {% for f in findings %}
+ {% url 'view_finding' f.id as finding_url %}
+ -
+ "{{ f.title }}" ({{ f.severity }} {% trans "severity" %}), {% trans "SLA age" %}: {{ f.sla_age }}
+
+ {% endfor %}
+
+
+ {% trans "Please refer to your SLA documentation for further guidance" %}
+
+ {% trans "Kind regards" %},
+
+ {% if system_settings.team_name %}
+ {{ system_settings.team_name }}
+ {% else %}
+ Defect Dojo
+ {% endif %}
+
+
+ {% url 'notifications' as notification_url %}
+ {% trans "You can manage your notification settings here" %}: {{ notification_url|full_url }}
+
+ {% if system_settings.disclaimer and system_settings.disclaimer.strip %}
+
+
+
{% trans "Disclaimer" %}
+
+
{{ system_settings.disclaimer }}
+
+ {% endif %}
+ {% endautoescape %}
+
+
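Review bot: the 'breaching' branch reads 'These security findings breaching their SLA today:' and is missing 'are'. `{% url 'view_finding' f.id as finding_url %}` is evaluated for every finding but never rendered, so the e-mail gives no link to the finding; either render `{{ finding_url|full_url }}` on the finding line (the template already applies `full_url` to the notifications link) or drop the unused tag. The `{% else %}` text 'This should not happen, check 'breach_kind' and 'kind' properties value in the source code.' would be delivered to end users; a neutral fallback line is preferable to a developer message in a customer-facing mail.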
diff --git a/dojo/tools/cyclonedx/parser.py b/dojo/tools/cyclonedx/parser.py
index b174d7ab878..608a1f8aa51 100644
--- a/dojo/tools/cyclonedx/parser.py
+++ b/dojo/tools/cyclonedx/parser.py
@@ -418,6 +418,8 @@ def _get_findings_json(self, file, test):
component_name, component_version = self._get_component(
components, reference
)
+ if not description:
+ description = "Description was not provided."
finding = Finding(
title=f"{component_name}:{component_version} | {vulnerability.get('id')}",
test=test,
diff --git a/dojo/tools/kiuwan/parser.py b/dojo/tools/kiuwan/parser.py
index 00e06a9edb4..e1b7d540ec2 100644
--- a/dojo/tools/kiuwan/parser.py
+++ b/dojo/tools/kiuwan/parser.py
@@ -58,9 +58,12 @@ def get_findings(self, filename, test):
findingdict["file"] = row["File"]
findingdict["line_number"] = row["Line number"]
findingdict["description"] = (
- "**Vulnerability type** : "
+ "**Software characteristic** : "
+ row["Software characteristic"]
+ "\n\n"
+ + "**Vulnerability type** : "
+ + row["Vulnerability type"]
+ + "\n\n"
+ "**CWE Scope** : "
+ row["CWE Scope"]
+ "\n\n"
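Review bot: `row["Software characteristic"]` raises KeyError on Kiuwan CSV exports that do not contain that column, which turns the whole import into a failure rather than a finding with a shorter description; use `row.get("Software characteristic", "")` (and the same for the other columns) so older exports still parse.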
@@ -116,6 +119,8 @@ def get_findings(self, filename, test):
+ finding.title
+ "|"
+ finding.description
+ + "|"
+ + str(finding.cwe)
).encode("utf-8")
).hexdigest()
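Review bot: appending `str(finding.cwe)` to the hashed string changes the computed key for every previously imported Kiuwan finding, so the first re-import after this change will not match existing findings and will create duplicates once; mention this in the upgrade notes alongside the Trivy hash-code change.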
diff --git a/dojo/tools/nikto/parser.py b/dojo/tools/nikto/parser.py
index 5092ba44d3d..b5c9cafe4b9 100644
--- a/dojo/tools/nikto/parser.py
+++ b/dojo/tools/nikto/parser.py
@@ -43,26 +43,28 @@ def get_findings(self, filename, test):
def process_json(self, file, test):
data = json.load(file)
-
+ if len(data) == 1 and type(data) is list:
+ data = data[0]
dupes = dict()
host = data.get("host")
port = data.get("port")
if port is not None:
port = int(port)
for vulnerability in data.get("vulnerabilities", []):
+ description = "\n".join([
+ f"**id:** `{vulnerability.get('id')}`",
+ f"**msg:** `{vulnerability.get('msg')}`",
+ f"**HTTP Method:** `{vulnerability.get('method')}`",
+ ])
+ if vulnerability.get('OSVDB') is not None:
+ description += "\n" + f"**OSVDB:** `{vulnerability.get('OSVDB')}`"
finding = Finding(
title=vulnerability.get("msg"),
severity="Info", # Nikto doesn't assign severity, default to Info
- description="\n".join(
- [
- f"**id:** `{vulnerability.get('id')}`",
- f"**msg:** `{vulnerability.get('msg')}`",
- f"**HTTP Method:** `{vulnerability.get('method')}`",
- f"**OSVDB:** `{vulnerability.get('OSVDB')}`",
- ]
- ),
+ description=description,
vuln_id_from_tool=vulnerability.get("id"),
nb_occurences=1,
+ references=vulnerability.get("references")
)
# manage if we have an ID from OSVDB
if "OSVDB" in vulnerability and "0" != vulnerability.get("OSVDB"):
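Review bot: `if len(data) == 1 and type(data) is list: data = data[0]` only handles a one-element list; a Nikto JSON report that covers several hosts is a list with more than one entry, and `data.get("host")` then raises AttributeError on the list. Suggest normalising with `hosts = data if isinstance(data, list) else [data]` and looping over all entries. The `OSVDB` guard is a good fix, since the previous description carried 'OSVDB: `None`' for entries without one.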
diff --git a/dojo/tools/qualys/parser.py b/dojo/tools/qualys/parser.py
index 14ecbe564d2..567233b0f61 100644
--- a/dojo/tools/qualys/parser.py
+++ b/dojo/tools/qualys/parser.py
@@ -67,13 +67,16 @@ def split_cvss(value, _temp):
return
if len(value) > 4:
split = value.split(" (")
- _temp["CVSS_value"] = float(split[0])
- # remove ")" at the end
- _temp["CVSS_vector"] = CVSS3(
- "CVSS:3.0/" + split[1][:-1]
- ).clean_vector()
+ if _temp.get("CVSS_value") is None:
+ _temp["CVSS_value"] = float(split[0])
+ # remove ")" at the end
+ if _temp.get("CVSS_vector") is None:
+ _temp["CVSS_vector"] = CVSS3(
+ "CVSS:3.0/" + split[1][:-1]
+ ).clean_vector()
else:
- _temp["CVSS_value"] = float(value)
+ if _temp.get("CVSS_value") is None:
+ _temp["CVSS_value"] = float(value)
def parse_finding(host, tree):
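Review bot: with the `is None` guards, the first CVSS value and vector parsed for a finding win and later ones are silently ignored; add a comment stating which XML element is expected to take priority so the behaviour reads as intentional. The pre-existing `split[1]` access still raises IndexError when the value is longer than four characters but has no ' (vector)' suffix; a `len(split) > 1` check would make `split_cvss` robust to that.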
@@ -252,6 +255,8 @@ def parse_finding(host, tree):
finding.active = _temp["active"]
if _temp.get("CVSS_vector") is not None:
finding.cvssv3 = _temp.get("CVSS_vector")
+ if _temp.get("CVSS_value") is not None:
+ finding.cvssv3_score = _temp.get("CVSS_value")
finding.verified = True
finding.unsaved_endpoints = list()
finding.unsaved_endpoints.append(ep)
diff --git a/dojo/tools/snyk/parser.py b/dojo/tools/snyk/parser.py
index 0918fc7f110..b5ee592cabe 100755
--- a/dojo/tools/snyk/parser.py
+++ b/dojo/tools/snyk/parser.py
@@ -42,23 +42,25 @@ def parse_json(self, json_output):
def get_items(self, tree, test):
items = {}
- target_file = tree.get("displayTargetFile", None)
- upgrades = tree.get("remediation", {}).get("upgrade", None)
+ iterator = 0
if "vulnerabilities" in tree:
+ target_file = tree.get("displayTargetFile", None)
+ upgrades = tree.get("remediation", {}).get("upgrade", None)
vulnerabilityTree = tree["vulnerabilities"]
-
for node in vulnerabilityTree:
item = self.get_item(
node, test, target_file=target_file, upgrades=upgrades
)
- unique_key = node["title"] + str(
- node["packageName"]
- + str(node["version"])
- + str(node["from"])
- + str(node["id"])
+ items[iterator] = item
+ iterator += 1
+ elif "runs" in tree and tree["runs"][0].get("results"):
+ results = tree["runs"][0]["results"]
+ for node in results:
+ item = self.get_code_item(
+ node, test
)
- items[unique_key] = item
-
+ items[iterator] = item
+ iterator += 1
return list(items.values())
def get_item(self, vulnerability, test, target_file=None, upgrades=None):
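Review bot: replacing `unique_key` (title + packageName + version + from + id) with a running `iterator` drops the in-parser deduplication that previously collapsed identical vulnerability entries into one finding, so a Snyk report listing the same issue several times now yields several findings; if that is intended, say so in the PR description, otherwise keep the key for the `vulnerabilities` branch. `tree["runs"][0]` also raises IndexError on a SARIF file with an empty `runs` array; check `tree.get("runs")` before indexing.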
@@ -211,5 +213,48 @@ def get_item(self, vulnerability, test, target_file=None, upgrades=None):
current_pack_version, upgraded_pack
)
finding.mitigation += "\n - ".join(tertiary_upgrade_list)
+ return finding
+ def get_code_item(self, vulnerability, test):
+ ruleId = vulnerability["ruleId"]
+ ruleIndex = vulnerability["ruleIndex"]
+ message = vulnerability["message"]["text"]
+ score = vulnerability["properties"]["priorityScore"]
+ locations_uri = vulnerability["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
+ locations_uriBaseId = vulnerability["locations"][0]["physicalLocation"]["artifactLocation"]["uriBaseId"]
+ locations_startLine = vulnerability["locations"][0]["physicalLocation"]["region"]["startLine"]
+ locations_endLine = vulnerability["locations"][0]["physicalLocation"]["region"]["endLine"]
+ locations_startColumn = vulnerability["locations"][0]["physicalLocation"]["region"]["startColumn"]
+ locations_endColumn = vulnerability["locations"][0]["physicalLocation"]["region"]["endColumn"]
+ isAutofixable = vulnerability["properties"]["isAutofixable"]
+ if score <= 399:
+ severity = "Low"
+ elif score <= 699:
+ severity = "Medium"
+ elif score <= 899:
+ severity = "High"
+ else:
+ severity = "Critical"
+ # create the finding object
+ finding = Finding(
+ title=ruleId + "_" + locations_uri,
+ test=test,
+ severity=severity,
+ description="**ruleId**: " + str(ruleId) + "\n"
+ + "**ruleIndex**: " + str(ruleIndex) + "\n"
+ + "**message**: " + str(message) + "\n"
+ + "**score**: " + str(score) + "\n"
+ + "**uri**: " + locations_uri + "\n"
+ + "**uriBaseId**: " + locations_uriBaseId + "\n"
+ + "**startLine**: " + str(locations_startLine) + "\n"
+ + "**endLine**: " + str(locations_endLine) + "\n"
+ + "**startColumn**: " + str(locations_startColumn) + "\n"
+ + "**endColumn**: " + str(locations_endColumn) + "\n"
+ + "**isAutofixable**: " + str(isAutofixable) + "\n",
+ false_p=False,
+ duplicate=False,
+ out_of_scope=False,
+ static_finding=True,
+ dynamic_finding=False,
+ )
return finding
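Review bot: `get_code_item` extracts `locations_uri` and `locations_startLine` but only places them in the description; set `file_path=locations_uri`, `line=locations_startLine` and `vuln_id_from_tool=ruleId` on the Finding so that the existing Snyk dedupe configuration (`'Snyk Scan': ['vuln_id_from_tool', 'file_path', 'component_name', 'component_version']` in settings.dist.py) and the SCM link feature from this same change work for Snyk Code results. The direct subscripting of `properties`, `locations[0]` and the `region` columns raises KeyError/IndexError on SARIF results that omit them (columns are optional in SARIF); use `.get()` with defaults. Style: the 399/699/899 `priorityScore` bands deserve a comment naming where the thresholds come from.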
diff --git a/dojo/tools/trivy/parser.py b/dojo/tools/trivy/parser.py
index 22f8310251d..f07a4b34bee 100644
--- a/dojo/tools/trivy/parser.py
+++ b/dojo/tools/trivy/parser.py
@@ -55,17 +55,20 @@ def get_description_for_scan_types(self, scan_type):
return "Import trivy JSON scan report."
def convert_cvss_score(self, raw_value):
- val = float(raw_value)
- if val == 0.0:
+ if raw_value is None:
return "Info"
- elif val < 4.0:
- return "Low"
- elif val < 7.0:
- return "Medium"
- elif val < 9.0:
- return "High"
else:
- return "Critical"
+ val = float(raw_value)
+ if val == 0.0:
+ return "Info"
+ elif val < 4.0:
+ return "Low"
+ elif val < 7.0:
+ return "Medium"
+ elif val < 9.0:
+ return "High"
+ else:
+ return "Critical"
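Review bot: the `else:` after `return "Info"` is redundant and adds a nesting level to the whole threshold chain; dedenting `val = float(raw_value)` and the comparisons keeps `convert_cvss_score` flat with the same behaviour.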
def get_findings(self, scan_file, test):
scan_data = scan_file.read()
@@ -173,8 +176,13 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
if severity_source is not None and cvss is not None:
cvssclass = cvss.get(severity_source, None)
if cvssclass is not None:
- severity = self.convert_cvss_score(cvssclass.get("V3Score", None))
- cvssv3 = dict(cvssclass).get("V3Vector", None)
+ if cvssclass.get("V3Score") is not None:
+ severity = self.convert_cvss_score(cvssclass.get("V3Score"))
+ cvssv3 = dict(cvssclass).get("V3Vector")
+ elif cvssclass.get("V2Score") is not None:
+ severity = self.convert_cvss_score(cvssclass.get("V2Score"))
+ else:
+ severity = self.convert_cvss_score(None)
else:
severity = TRIVY_SEVERITIES[vuln["Severity"]]
else:
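Review bot: the `V2Score` fallback feeds a CVSS v2 score into `convert_cvss_score`, whose bands (<4 Low, <7 Medium, <9 High, else Critical) are the CVSS v3 qualitative scale; CVSS v2 only has Low/Medium/High with High covering 7.0 to 10.0, so a v2 score of 9.3 is labelled Critical here. Either map v2 scores with their own bands or fall back to `TRIVY_SEVERITIES[vuln["Severity"]]` when only a V2 score is present. Leaving `cvssv3` unset when only V2 data exists is correct; a short comment saying so would help the next reader.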
diff --git a/dojo/tools/zap/parser.py b/dojo/tools/zap/parser.py
index c62362cab53..f7411daea21 100755
--- a/dojo/tools/zap/parser.py
+++ b/dojo/tools/zap/parser.py
@@ -71,7 +71,7 @@ def get_findings(self, file, test):
# The report is in the regular XML format, without requests and responses.
# Use the default settings for constructing the request
# and response fields.
- request = f"{instance.findtext('method')} {endpoint.query}#{endpoint.fragment}"
+ request = f"Method: {instance.findtext('method')} \nParam: {instance.findtext('param')} \nAttack: {instance.findtext('attack')} \nEndpointQuery: {endpoint.query} \nEndpointFragment: {endpoint.fragment}"
response = f"{instance.findtext('evidence')}"
# we remove query and fragment because with some configuration
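Review bot: `instance.findtext('param')` and `instance.findtext('attack')` return None when the element is absent, so the request field will read 'Param: None' / 'Attack: None' for passive-scan alerts; pass a default (`findtext('param', '')`) for the optional elements.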
diff --git a/dojo/urls.py b/dojo/urls.py
index cde14708936..fa15f977da9 100755
--- a/dojo/urls.py
+++ b/dojo/urls.py
@@ -23,7 +23,8 @@
NotificationsViewSet, EngagementPresetsViewset, NetworkLocationsViewset, UserContactInfoViewSet, \
ProductAPIScanConfigurationViewSet, UserProfileView, EndpointMetaImporterView, \
ConfigurationPermissionViewSet, QuestionnaireQuestionViewSet, QuestionnaireAnswerViewSet, \
- QuestionnaireGeneralSurveyViewSet, QuestionnaireEngagementSurveyViewSet, QuestionnaireAnsweredSurveyViewSet
+ QuestionnaireGeneralSurveyViewSet, QuestionnaireEngagementSurveyViewSet, QuestionnaireAnsweredSurveyViewSet, \
+ AnnouncementViewSet
from dojo.utils import get_system_setting
from dojo.development_environment.urls import urlpatterns as dev_env_urls
@@ -131,6 +132,7 @@
v2_api.register(r'questionnaire_engagement_questionnaires', QuestionnaireEngagementSurveyViewSet)
v2_api.register(r'questionnaire_general_questionnaires', QuestionnaireGeneralSurveyViewSet)
v2_api.register(r'questionnaire_questions', QuestionnaireQuestionViewSet)
+v2_api.register(r'announcements', AnnouncementViewSet)
ur = []
ur += dev_env_urls
ur += endpoint_urls
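Review bot: registering `announcements` on the v2 API exposes a write endpoint for a banner whose message may contain HTML shown to all authenticated users (see the `message` help text on `Announcement`); confirm that `AnnouncementViewSet` restricts create/update/delete to the relevant configuration permission and that its serializer keeps the `max_length=500` limit, and add API tests covering unauthorised writes.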
diff --git a/dojo/utils.py b/dojo/utils.py
index 40cc68f192d..4d32d416c13 100644
--- a/dojo/utils.py
+++ b/dojo/utils.py
@@ -17,7 +17,7 @@
from django.conf import settings
from django.core.mail import send_mail
from django.core.paginator import Paginator
-from django.urls import get_resolver, reverse
+from django.urls import get_resolver, reverse, get_script_prefix
from django.db.models import Q, Sum, Case, When, IntegerField, Value, Count
from django.utils import timezone
from django.utils.translation import gettext as _
@@ -1860,19 +1860,89 @@ def sla_compute_and_notify(*args, **kwargs):
"""
import dojo.jira_link.helper as jira_helper
- def _notify(finding, title):
- if not finding.test.engagement.product.disable_sla_breach_notifications:
- create_notification(
- event='sla_breach',
- title=title,
- finding=finding,
- url=reverse('view_finding', args=(finding.id,)),
- sla_age=sla_age
- )
-
- if do_jira_sla_comment:
- logger.info("Creating JIRA comment to notify of SLA breach information.")
- jira_helper.add_simple_jira_comment(jira_instance, jira_issue, title)
+ class NotificationEntry:
+ def __init__(self, finding=None, jira_issue=None, do_jira_sla_comment=False):
+ self.finding = finding
+ self.jira_issue = jira_issue
+ self.do_jira_sla_comment = do_jira_sla_comment
+
+ def _add_notification(finding, kind):
+ # jira_issue, do_jira_sla_comment are taken from the context
+ # kind can be one of: breached, prebreach, breaching
+ if finding.test.engagement.product.disable_sla_breach_notifications:
+ return
+
+ notification = NotificationEntry(finding=finding,
+ jira_issue=jira_issue,
+ do_jira_sla_comment=do_jira_sla_comment)
+
+ pt = finding.test.engagement.product.prod_type.name
+ p = finding.test.engagement.product.name
+
+ if pt in combined_notifications:
+ if p in combined_notifications[pt]:
+ if kind in combined_notifications[pt][p]:
+ combined_notifications[pt][p][kind].append(notification)
+ else:
+ combined_notifications[pt][p][kind] = [notification]
+ else:
+ combined_notifications[pt][p] = {kind: [notification]}
+ else:
+ combined_notifications[pt] = {p: {kind: [notification]}}
+
+ def _notification_title_for_finding(finding, kind, sla_age):
+ title = "Finding %s - " % (finding.id)
+ if kind == 'breached':
+ abs_sla_age = abs(sla_age)
+ period = "day"
+ if abs_sla_age > 1:
+ period = "days"
+ title += "SLA breached by %d %s! Overdue notice" % (abs_sla_age, period)
+ elif kind == 'prebreach':
+ title += "SLA pre-breach warning - %d day(s) left" % (sla_age)
+ elif kind == 'breaching':
+ title += "SLA is breaching today"
+
+ return title
+
+ def _create_notifications():
+ for pt in combined_notifications:
+ for p in combined_notifications[pt]:
+ for kind in combined_notifications[pt][p]:
+ # creating notifications on per-finding basis
+
+ # we need this list for combined notification feature as we
+ # can not supply references to local objects as
+ # create_notification() arguments
+ findings_list = []
+
+ for n in combined_notifications[pt][p][kind]:
+ title = _notification_title_for_finding(n.finding, kind, n.finding.sla_days_remaining())
+
+ create_notification(
+ event='sla_breach',
+ title=title,
+ finding=n.finding,
+ url=reverse('view_finding', args=(n.finding.id,)),
+ )
+
+ if n.do_jira_sla_comment:
+ logger.info("Creating JIRA comment to notify of SLA breach information.")
+ jira_helper.add_simple_jira_comment(jira_instance, n.jira_issue, title)
+
+ findings_list.append(n.finding)
+
+ # producing a "combined" SLA breach notification
+ title_combined = "SLA alert (%s): product type '%s', product '%s'" % (kind, pt, p)
+ product = combined_notifications[pt][p][kind][0].finding.test.engagement.product
+ create_notification(
+ event='sla_breach_combined',
+ title=title_combined,
+ product=product,
+ findings=findings_list,
+ breach_kind=kind,
+ base_url=get_script_prefix(),
+ )
# exit early on flags
system_settings = System_Settings.objects.get()
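Review bot: `_create_notifications` posts the JIRA comment with `jira_instance` from the enclosing scope, i.e. whatever value the last finding in the loop left there, while `NotificationEntry` only captures `jira_issue` and `do_jira_sla_comment`; with findings from products on different JIRA instances the comment can go to the wrong instance. Store `jira_instance` on the entry next to `jira_issue` and use `n.jira_instance`. The per-finding `create_notification(event='sla_breach', ...)` also no longer passes `sla_age=sla_age` as the removed `_notify` did; if the `sla_breach` templates use `sla_age`, pass `sla_age=n.finding.sla_days_remaining()` (the value already computed for the title). Minor: the nested dict build in `_add_notification` reduces to `combined_notifications.setdefault(pt, {}).setdefault(p, {}).setdefault(kind, []).append(notification)`.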
@@ -1882,6 +1952,8 @@ def _notify(finding, title):
jira_issue = None
jira_instance = None
+ # notifications list per product per product type
+ combined_notifications = {}
try:
if system_settings.enable_finding_sla:
logger.info("About to process findings for SLA notifications.")
@@ -1970,23 +2042,21 @@ def _notify(finding, title):
logger.info("Finding {} has breached by {} days.".format(finding.id, abs(sla_age)))
abs_sla_age = abs(sla_age)
if not system_settings.enable_notify_sla_exponential_backoff or abs_sla_age == 1 or (abs_sla_age & (abs_sla_age - 1) == 0):
- period = "day"
- if abs_sla_age > 1:
- period = "days"
- _notify(finding, 'Finding {} - SLA breached by {} {}! Overdue notice'.format(finding.id, abs_sla_age, period))
+ _add_notification(finding, 'breached')
else:
logger.info("Skipping notification as exponential backoff is enabled and the SLA is not a power of two")
# The finding is within the pre-breach period
elif (sla_age > 0) and (sla_age <= settings.SLA_NOTIFY_PRE_BREACH):
pre_breach_count += 1
logger.info("Security SLA pre-breach warning for finding ID {}. Days remaining: {}".format(finding.id, sla_age))
- _notify(finding, 'Finding {} - SLA pre-breach warning - {} day(s) left'.format(finding.id, sla_age))
+ _add_notification(finding, 'prebreach')
# The finding breaches the SLA today
elif (sla_age == 0):
at_breach_count += 1
logger.info("Security SLA breach warning. Finding ID {} breaching today ({})".format(finding.id, sla_age))
- _notify(finding, "Finding {} - SLA is breaching today".format(finding.id))
+ _add_notification(finding, 'breaching')
+ _create_notifications()
logger.info("SLA run results: Pre-breach: {}, at-breach: {}, post-breach: {}, post-breach-no-notify: {}, with-jira: {}, TOTAL: {}".format(
pre_breach_count,
at_breach_count,
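Review bot: notifications are now emitted only by the single `_create_notifications()` call after the loop, so an exception raised while classifying a later finding (this code runs inside the `try` opened above `if system_settings.enable_finding_sla`) suppresses every SLA notification of the run, whereas the old `_notify` had already sent the earlier ones. Consider catching per-finding errors inside the loop so one bad finding does not silence the rest, and add the number of combined notifications produced to the 'SLA run results' log line.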
diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml
index 5d041652207..e90015e8756 100644
--- a/helm/defectdojo/templates/initializer-job.yaml
+++ b/helm/defectdojo/templates/initializer-job.yaml
@@ -22,6 +22,9 @@ spec:
defectdojo.org/component: initializer
app.kubernetes.io/name: {{ include "defectdojo.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if .Values.initializer.labels }}
+ {{- toYaml .Values.initializer.labels | nindent 8 }}
+ {{- end }}
annotations:
{{- with .Values.initializer.annotations }}
{{- toYaml . | nindent 8 }}
diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml
index c54c036066f..99b648f6a8a 100644
--- a/helm/defectdojo/values.yaml
+++ b/helm/defectdojo/values.yaml
@@ -104,7 +104,7 @@ monitoring:
# Add the nginx prometheus exporter sidecar
prometheus:
enabled: false
- image: nginx/nginx-prometheus-exporter:1.0.0
+ image: nginx/nginx-prometheus-exporter:1.1.0
imagePullPolicy: IfNotPresent
annotations: {}
@@ -304,6 +304,7 @@ initializer:
helm.sh/hook: "post-install,post-upgrade"
}
annotations: {}
+ labels: {}
keepSeconds: 60
affinity: {}
nodeSelector: {}
diff --git a/requirements.txt b/requirements.txt
index 43225bd929f..ab920a5d083 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -29,21 +29,21 @@ djangorestframework==3.14.0
gunicorn==21.2.0
html2text==2020.1.16
humanize==4.9.0
-jira==3.5.2
+jira==3.6.0
PyGithub==1.58.2
-lxml==4.9.4
-Markdown==3.5.1
+lxml==5.1.0
+Markdown==3.5.2
mysqlclient==2.1.1
openpyxl==3.1.2
xlrd==1.2.0
-Pillow==10.1.0 # required by django-imagekit
+Pillow==10.2.0 # required by django-imagekit
psycopg2-binary==2.9.9
cryptography==41.0.7
python-dateutil==2.8.2
pytz==2023.3.post1
redis==5.0.1
requests==2.31.0
-sqlalchemy==2.0.23 # Required by Celery broker transport
+sqlalchemy==2.0.25 # Required by Celery broker transport
supervisor==4.2.5
urllib3==1.26.18
uWSGI==2.0.23
@@ -53,12 +53,12 @@ titlecase==2.4.1
social-auth-app-django==5.4.0
social-auth-core==4.5.1
Python-jose==3.3.0
-gitpython==3.1.40
+gitpython==3.1.41
debugpy==1.8.0
python-gitlab==4.3.0
drf_yasg==1.21.5
cpe==1.2.1
-packageurl-python==0.13.1
+packageurl-python==0.13.4
django-crum==0.7.9
JSON-log-formatter==0.5.2
django-split-settings==1.2.0
@@ -74,12 +74,12 @@ hyperlink==21.0.0
django-test-migrations==1.3.0
djangosaml2==1.9.0
drf-spectacular==0.27.0
-drf-spectacular-sidecar==2023.12.1
+drf-spectacular-sidecar==2024.1.1
django-ratelimit==4.1.0
argon2-cffi==23.1.0
blackduck==1.1.0
pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support
-boto3==1.34.9 # Required for Celery Broker AWS (SQS) support
+boto3==1.34.17 # Required for Celery Broker AWS (SQS) support
netaddr==0.8.0
-vulners==2.1.1
+vulners==2.1.2
fontawesomefree==6.5.1
diff --git a/unittests/scans/cyclonedx/issue_9277.json b/unittests/scans/cyclonedx/issue_9277.json
new file mode 100644
index 00000000000..c415dbbf6d6
--- /dev/null
+++ b/unittests/scans/cyclonedx/issue_9277.json
@@ -0,0 +1,8026 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.5",
+ "serialNumber": "urn:uuid:0a6ed783-9138-4492-8d51-a4d02937ca69",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2024-01-04T15:25:30+00:00",
+ "tools": [
+ {
+ "vendor": "aquasecurity",
+ "name": "trivy",
+ "version": "0.48.1"
+ }
+ ],
+ "component": {
+ "bom-ref": "pkg:oci/ubuntu@sha256%3A6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b?arch=amd64&repository_url=index.docker.io%2Flibrary%2Fubuntu",
+ "type": "container",
+ "name": "ubuntu:latest",
+ "purl": "pkg:oci/ubuntu@sha256%3A6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b?arch=amd64&repository_url=index.docker.io%2Flibrary%2Fubuntu",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:DiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:ImageID",
+ "value": "sha256:174c8c134b2a94b5bb0b37d9a2b6ba0663d82d23ebf62bd51f74a2fd457333da"
+ },
+ {
+ "name": "aquasecurity:trivy:RepoDigest",
+ "value": "ubuntu@sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b"
+ },
+ {
+ "name": "aquasecurity:trivy:RepoTag",
+ "value": "ubuntu:latest"
+ },
+ {
+ "name": "aquasecurity:trivy:SchemaVersion",
+ "value": "2"
+ }
+ ]
+ }
+ },
+ "components": [
+ {
+ "bom-ref": "5303f1e6-739c-497b-8ad9-01b5318e8266",
+ "type": "operating-system",
+ "name": "ubuntu",
+ "version": "22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:Class",
+ "value": "os-pkgs"
+ },
+ {
+ "name": "aquasecurity:trivy:Type",
+ "value": "ubuntu"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "adduser",
+ "version": "3.118ubuntu5",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "53c30389227d4d16f1108a1df7ae1540c890378318335d1dc7ee95b7257f1f17"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "adduser@3.118ubuntu5"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "adduser"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.118ubuntu5"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/apt@2.4.11?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "apt",
+ "version": "2.4.11",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/apt@2.4.11?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "apt@2.4.11"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "apt"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.4.11"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "base-files",
+ "version": "12ubuntu4.4",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "base-files@12ubuntu4.4"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "base-files"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "12ubuntu4.4"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/base-passwd@3.5.52build1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Colin Watson "
+ },
+ "name": "base-passwd",
+ "version": "3.5.52build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "b82ef485b59eb330ed56bc4afc54c6bd809e158da0019788ff0ba3cbab9d7bf9"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/base-passwd@3.5.52build1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "base-passwd@3.5.52build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "base-passwd"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.5.52build1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "bash",
+ "version": "5.1-6ubuntu1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "543fc0be88d2cf33ada88fe0cf82e1ec3fdcdd56e411dd2958eb3ef6e1a3d2fa"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "bash@5.1-6ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "bash"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "6ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "5.1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/bsdutils@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "bsdutils",
+ "version": "2.37.2-4ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "8e863dcd6b6efbdccb83ef32fea9d80a051e48ae2311e718ea46d18bf1a4eab8"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "MIT"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/bsdutils@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "bsdutils@1:2.37.2-4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "util-linux"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.37.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "coreutils",
+ "version": "8.32-4.1ubuntu1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "b4bef42afe93036b1010a8b4cb03f0d3e715eed64d0cd88f7a945be40d0316f6"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "coreutils@8.32-4.1ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "coreutils"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4.1ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "8.32"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/dash@0.5.11%2Bgit20210903%2B057cd650a4ed-3build1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "dash",
+ "version": "0.5.11+git20210903+057cd650a4ed-3build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "a539a1fc715f9f52cf9159e1f2c8d254a611d1f2c176a25ca7d99372fa76f4b8"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "FSFULLR"
+ }
+ },
+ {
+ "license": {
+ "name": "FSFUL"
+ }
+ },
+ {
+ "license": {
+ "name": "Expat"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/dash@0.5.11%2Bgit20210903%2B057cd650a4ed-3build1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "dash@0.5.11+git20210903+057cd650a4ed-3build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "dash"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "3build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "0.5.11+git20210903+057cd650a4ed"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "debconf",
+ "version": "1.5.79ubuntu1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "395a65b3a9539304391456d4d0e5531f4249f297b6e67eb0fcaf2ff77ddc3dc3"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "debconf@1.5.79ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "debconf"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.5.79ubuntu1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "debianutils",
+ "version": "5.5-1ubuntu2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "a285df5a72f6eadd75a042c148f4a26c6bead543e73077f12d8d0069b315082d"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "debianutils@5.5-1ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "debianutils"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "5.5"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/diffutils@3.8-0ubuntu2?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "diffutils",
+ "version": "3.8-0ubuntu2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "521bdc309168c15662347d4a861ece04d85745dbf9237b1e166d4f90f35c1bb5"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/diffutils@3.8-0ubuntu2?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "diffutils@1:3.8-0ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "diffutils"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "0ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.8"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "dpkg",
+ "version": "1.21.1ubuntu2.2",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain-s-s-d"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain-md5"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "dpkg@1.21.1ubuntu2.2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "dpkg"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.21.1ubuntu2.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/e2fsprogs@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "e2fsprogs",
+ "version": "1.46.5-2ubuntu1.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/e2fsprogs@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "e2fsprogs@1.46.5-2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "e2fsprogs"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.46.5"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/findutils@4.8.0-1ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "findutils",
+ "version": "4.8.0-1ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "36b82c9455c45b4f1b88d07bdf30a1b62a4ad6164595b55254c0def2265ff4d6"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-1.3"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/findutils@4.8.0-1ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "findutils@4.8.0-1ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "findutils"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "4.8.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Core developers "
+ },
+ "name": "gcc-12-base",
+ "version": "12.3.0-1ubuntu1~22.04",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-1.2"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "Artistic"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "gcc-12-base@12.3.0-1ubuntu1~22.04"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "gcc-12"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1ubuntu1~22.04"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "12.3.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "gpgv",
+ "version": "2.2.27-3ubuntu2.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "permissive"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "Expat"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "RFC-Reference"
+ }
+ },
+ {
+ "license": {
+ "name": "TinySCHEME"
+ }
+ },
+ {
+ "license": {
+ "name": "CC0-1.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "gpgv@2.2.27-3ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "gnupg2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "3ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.2.27"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/grep@3.7-1build1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "grep",
+ "version": "3.7-1build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "26d08b9c96962528c73c13b5c11f245b91e49edab15f73bf8705bad1472a0113"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/grep@3.7-1build1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "grep@3.7-1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "grep"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.7"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/gzip@1.10-4ubuntu4.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "gzip",
+ "version": "1.10-4ubuntu4.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-1.3+-no-invariant"
+ }
+ },
+ {
+ "license": {
+ "name": "FSF-manpages"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-3"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/gzip@1.10-4ubuntu4.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "gzip@1.10-4ubuntu4.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "gzip"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4ubuntu4.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.10"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/hostname@3.23ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "hostname",
+ "version": "3.23ubuntu2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "cec0448fef88a43a3c232fd9df555ca4c468cf5e16ddf3a1b0a5f7b7f076e413"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/hostname@3.23ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "hostname@3.23ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "hostname"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.23ubuntu2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "init-system-helpers",
+ "version": "1.62",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "810bc27b9b3cecab056d80d726de535ca68f00fcd955683bf46674d779f4e710"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "init-system-helpers@1.62"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "init-system-helpers"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.62"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libacl1@2.3.1-1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libacl1",
+ "version": "2.3.1-1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "4db2c64ec74f673ed022e92cce7b83d0cbe0b779e02ca60a56ba59ae07754e05"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libacl1@2.3.1-1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libacl1@2.3.1-1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "acl"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.3.1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libapt-pkg6.0",
+ "version": "2.4.11",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libapt-pkg6.0@2.4.11"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "apt"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.4.11"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libattr1@2.5.1-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libattr1",
+ "version": "2.5.1-1build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "bb4448dcade4f169846d6e3dc00b768f39afd16db07877f595a1d3d92d191050"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libattr1@2.5.1-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libattr1@1:2.5.1-1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "attr"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.5.1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libaudit-common",
+ "version": "3.0.7-1build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "86697036d05c956b5b42339bf61ecf3743f7c6fd4d59a67ab16add9a2cd7802a"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-1.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libaudit-common@1:3.0.7-1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "audit"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.0.7"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libaudit1",
+ "version": "3.0.7-1build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "36710fbc49150a13f14f1f9c2c8288ee840cf9425f8a609c22fefa6b64eb51c1"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-1.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libaudit1@1:3.0.7-1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "audit"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.0.7"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libblkid1",
+ "version": "2.37.2-4ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "f5ce929bf28632d227588fcc58b1aa6ec609dc89420161347a758f16efcdb34f"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "MIT"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libblkid1@2.37.2-4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "util-linux"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.37.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libbz2-1.0",
+ "version": "1.0.8-5build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "3bfeaf4259eadbb7faa09feee86cd6cad172cd95907d7465afd0eb5aebb5433f"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-variant"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libbz2-1.0@1.0.8-5build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "bzip2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "5build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.0.8"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libc-bin",
+ "version": "2.35-0ubuntu3.5",
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-1.3"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libc-bin@2.35-0ubuntu3.5"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "glibc"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "0ubuntu3.5"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.35"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libc6",
+ "version": "2.35-0ubuntu3.5",
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-1.3"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libc6@2.35-0ubuntu3.5"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "glibc"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "0ubuntu3.5"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.35"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libcap-ng0",
+ "version": "0.7.9-2.2build3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "124d0c8748a841f279e996298ef8aac69a249e294792f4b5e16dc00496f1d3ac"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libcap-ng0@0.7.9-2.2build3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libcap-ng"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2.2build3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "0.7.9"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libcap2@2.44-1ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libcap2",
+ "version": "2.44-1ubuntu0.22.04.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libcap2@2.44-1ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libcap2@1:2.44-1ubuntu0.22.04.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libcap2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1ubuntu0.22.04.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.44"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libcom-err2",
+ "version": "1.46.5-2ubuntu1.1",
+ "purl": "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libcom-err2@1.46.5-2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "e2fsprogs"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.46.5"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libcrypt1",
+ "version": "4.4.27-1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "3fa566e9f861a08736cbc5a97562d9d6e4f0c00450fbeafcb6d7583423b04a98"
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libcrypt1@1:4.4.27-1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libxcrypt"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "4.4.27"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libdb5.3@5.3.28%2Bdfsg1-0.8ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libdb5.3",
+ "version": "5.3.28+dfsg1-0.8ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "ce60e446c9cb0e94bb4b4d0fe4f969e772edec250deb186bacf955e4d196548b"
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libdb5.3@5.3.28%2Bdfsg1-0.8ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libdb5.3@5.3.28+dfsg1-0.8ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "db5.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "0.8ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "5.3.28+dfsg1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libdebconfclient0",
+ "version": "0.261ubuntu1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "508d09720201f533ee98fa139dbf49d7d980a053693809be11609559f81eb2c0"
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libdebconfclient0@0.261ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "cdebconf"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "0.261ubuntu1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libext2fs2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libext2fs2",
+ "version": "1.46.5-2ubuntu1.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libext2fs2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libext2fs2@1.46.5-2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "e2fsprogs"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.46.5"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libffi8",
+ "version": "3.4.2-4",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "b4f88c91fa6f4c942097be6abfc365fb133c5e147640168cbb7704fd855eac10"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libffi8@3.4.2-4"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libffi"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.4.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Core developers "
+ },
+ "name": "libgcc-s1",
+ "version": "12.3.0-1ubuntu1~22.04",
+ "purl": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libgcc-s1@12.3.0-1ubuntu1~22.04"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "gcc-12"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1ubuntu1~22.04"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "12.3.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libgcrypt20",
+ "version": "1.9.4-3ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "fe7d7e9f83b280f4fafaaa3852e462f43a9e854bc268e06667da2bf1b3e9d658"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libgcrypt20@1.9.4-3ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libgcrypt20"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "3ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.9.4"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libgmp10",
+ "version": "6.2.1+dfsg-3ubuntu1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "d199a77e11701d4d620dd4f62e05740e3072dce893856ea3bbaa6ae9fa19fef1"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libgmp10@2:6.2.1+dfsg-3ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "gmp"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "3ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "6.2.1+dfsg"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libgnutls30",
+ "version": "3.7.3-4ubuntu1.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-1.3"
+ }
+ },
+ {
+ "license": {
+ "name": "CC0"
+ }
+ },
+ {
+ "license": {
+ "name": "Expat"
+ }
+ },
+ {
+ "license": {
+ "name": "Apache-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPLv3+"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libgnutls30@3.7.3-4ubuntu1.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "gnutls28"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4ubuntu1.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.7.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libgpg-error0",
+ "version": "1.43-3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "1fbacdf9bd1e431cee874a697b339f6f925182bc79bba5a112b53669b33265c5"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "g10-permissive"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libgpg-error0@1.43-3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libgpg-error"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.43"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libgssapi-krb5-2",
+ "version": "1.19.2-2ubuntu0.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libgssapi-krb5-2@1.19.2-2ubuntu0.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "krb5"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.19.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libhogweed6",
+ "version": "3.7.3-1build2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "2402ac51ebc760799b01f3fd4933126c5eb446e5b043832601fb589f5e50c363"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "Expat"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0-with-autoconf-exception"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ },
+ {
+ "license": {
+ "name": "GAP"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libhogweed6@3.7.3-1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "nettle"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.7.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libidn2-0",
+ "version": "2.3.2-2build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "bc935e1871aa4a75d3f4ff549af32b7316aecfbea2200d85055878767b8398c8"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "Unicode"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libidn2-0@2.3.2-2build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libidn2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.3.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libk5crypto3",
+ "version": "1.19.2-2ubuntu0.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libk5crypto3@1.19.2-2ubuntu0.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "krb5"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.19.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libkeyutils1",
+ "version": "1.6.1-2ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "940daf78ee0229549b4eabc92ffd79dd038ed96a44e2e912305a23540cf22a0a"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libkeyutils1@1.6.1-2ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "keyutils"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.6.1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libkrb5-3",
+ "version": "1.19.2-2ubuntu0.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libkrb5-3@1.19.2-2ubuntu0.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "krb5"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.19.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libkrb5support0",
+ "version": "1.19.2-2ubuntu0.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libkrb5support0@1.19.2-2ubuntu0.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "krb5"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.19.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "liblz4-1",
+ "version": "1.9.3-2build2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "ac9b54d0feb840345060c74fb687675c5e1eb2b195effafae38c5f9991041e98"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "liblz4-1@1.9.3-2build2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "lz4"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2build2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.9.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "liblzma5",
+ "version": "5.2.5-2ubuntu1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "8f1c46e7d3f5102a5e4fdca7c949728a343ba71c2a7c124118df2c13d4c444f7"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "PD"
+ }
+ },
+ {
+ "license": {
+ "name": "probably-PD"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "permissive-fsf"
+ }
+ },
+ {
+ "license": {
+ "name": "Autoconf"
+ }
+ },
+ {
+ "license": {
+ "name": "permissive-nowarranty"
+ }
+ },
+ {
+ "license": {
+ "name": "none"
+ }
+ },
+ {
+ "license": {
+ "name": "config-h"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "noderivs"
+ }
+ },
+ {
+ "license": {
+ "name": "PD-debian"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "liblzma5@5.2.5-2ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "xz-utils"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "5.2.5"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libmount1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libmount1",
+ "version": "2.37.2-4ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "d38fb72ed15461ac652215fa488c5fc3b4e6c86dcc6341eb833aef8dc8ad6e0f"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "MIT"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libmount1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libmount1@2.37.2-4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "util-linux"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.37.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libncurses6",
+ "version": "6.3-2ubuntu0.1",
+ "purl": "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libncurses6@6.3-2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "ncurses"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "6.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libncursesw6",
+ "version": "6.3-2ubuntu0.1",
+ "purl": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libncursesw6@6.3-2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "ncurses"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "6.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libnettle8",
+ "version": "3.7.3-1build2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "6da09e685e5587f8873f662b007de45f75424fb33d2c4a51837380e683d33c7e"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "Expat"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0-with-autoconf-exception"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ },
+ {
+ "license": {
+ "name": "GAP"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libnettle8@3.7.3-1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "nettle"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.7.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libnsl2@1.3.0-2build2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libnsl2",
+ "version": "1.3.0-2build2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "cfeef478f96ace59617f4f93c2497776b98a33c99bf3602af46844ccf9cba9d3"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "permissive-fsf"
+ }
+ },
+ {
+ "license": {
+ "name": "permissive-makefile-in"
+ }
+ },
+ {
+ "license": {
+ "name": "permissive-autoconf-m4-no-warranty"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3+-autoconf-exception"
+ }
+ },
+ {
+ "license": {
+ "name": "permissive-configure"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2+-autoconf-exception"
+ }
+ },
+ {
+ "license": {
+ "name": "MIT"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2+-libtool-exception"
+ }
+ },
+ {
+ "license": {
+ "name": "permissive-autoconf-m4"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libnsl2@1.3.0-2build2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libnsl2@1.3.0-2build2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libnsl"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2build2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.3.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libp11-kit0",
+ "version": "0.24.0-6build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "70d9009af3c5cbf70c374b493f3a51f4d722757a8efe0d89af9796da78a51262"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "permissive-like-automake-output"
+ }
+ },
+ {
+ "license": {
+ "name": "ISC"
+ }
+ },
+ {
+ "license": {
+ "name": "ISC+IBM"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "Apache-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "same-as-rest-of-p11kit"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libp11-kit0@0.24.0-6build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "p11-kit"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "6build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "0.24.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libpam-modules-bin@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libpam-modules-bin",
+ "version": "1.4.0-11ubuntu2.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libpam-modules-bin@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libpam-modules-bin@1.4.0-11ubuntu2.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "pam"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "11ubuntu2.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.4.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libpam-modules",
+ "version": "1.4.0-11ubuntu2.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libpam-modules@1.4.0-11ubuntu2.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "pam"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "11ubuntu2.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.4.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libpam-runtime@1.4.0-11ubuntu2.3?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libpam-runtime",
+ "version": "1.4.0-11ubuntu2.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libpam-runtime@1.4.0-11ubuntu2.3?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libpam-runtime@1.4.0-11ubuntu2.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "pam"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "11ubuntu2.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.4.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libpam0g",
+ "version": "1.4.0-11ubuntu2.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libpam0g@1.4.0-11ubuntu2.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "pam"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "11ubuntu2.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.4.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libpcre2-8-0",
+ "version": "10.39-3ubuntu0.1",
+ "purl": "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libpcre2-8-0@10.39-3ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "pcre2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "3ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "10.39"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libpcre3",
+ "version": "8.39-13ubuntu0.22.04.1",
+ "purl": "pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libpcre3@2:8.39-13ubuntu0.22.04.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "pcre3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "13ubuntu0.22.04.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "8.39"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libprocps8",
+ "version": "3.3.17-6ubuntu2.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libprocps8@2:3.3.17-6ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "procps"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "6ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.3.17"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libseccomp2",
+ "version": "2.5.3-2ubuntu2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "684ebb02924935f6c176eea7d42ac367fcd8f019450e4782c79e5abb349d6aab"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libseccomp2@2.5.3-2ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libseccomp"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.5.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libselinux1",
+ "version": "3.3-1build2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "b96c6b40ee2388bd51341cb11c0f1d5bcca29b9180b6e3a77a06b881f2913f7e"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libselinux1@3.3-1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libselinux"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libsemanage-common",
+ "version": "3.3-1build2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "bb60d1049ed3d7838b395785cab09f2210c04878fcae9391ea3499f62d04ec2d"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libsemanage-common@3.3-1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libsemanage"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libsemanage2",
+ "version": "3.3-1build2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "0ab2748fce09293ca2c4c1214460409f834be1736ec1b1841927302efd8fa9da"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libsemanage2@3.3-1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libsemanage"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libsepol2",
+ "version": "3.3-1build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "d47b019f21865a9692e361d260e96a3234fd934cee37026dad8f41228d9363d8"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libsepol2@3.3-1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libsepol"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libsmartcols1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libsmartcols1",
+ "version": "2.37.2-4ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "b61722721fc4e2534823e391e6ed73655cf8c5b13e2977003f3b930f166260b0"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "MIT"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libsmartcols1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libsmartcols1@2.37.2-4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "util-linux"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.37.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libss2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libss2",
+ "version": "1.46.5-2ubuntu1.1",
+ "purl": "pkg:deb/ubuntu/libss2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libss2@1.46.5-2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "e2fsprogs"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.46.5"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libssl3",
+ "version": "3.0.2-0ubuntu1.12",
+ "licenses": [
+ {
+ "license": {
+ "name": "Apache-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "Artistic"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-1.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libssl3@3.0.2-0ubuntu1.12"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "openssl"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "0ubuntu1.12"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.0.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Core developers "
+ },
+ "name": "libstdc++6",
+ "version": "12.3.0-1ubuntu1~22.04",
+ "purl": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libstdc++6@12.3.0-1ubuntu1~22.04"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "gcc-12"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1ubuntu1~22.04"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "12.3.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libsystemd0",
+ "version": "249.11-0ubuntu3.11",
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "CC0-1.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2 with Linux-syscall-note exception"
+ }
+ },
+ {
+ "license": {
+ "name": "Expat"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libsystemd0@249.11-0ubuntu3.11"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "systemd"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "0ubuntu3.11"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "249.11"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libtasn1-6",
+ "version": "4.18.0-4build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "c4258c87f569f6070312ad4b64a35cb00a9fffca07982b4aac5a3f340ab3e2cd"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-1.3"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libtasn1-6@4.18.0-4build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libtasn1-6"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "4.18.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libtinfo6",
+ "version": "6.3-2ubuntu0.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "MIT/X11"
+ }
+ },
+ {
+ "license": {
+ "name": "X11"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libtinfo6@6.3-2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "ncurses"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "6.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libtirpc-common",
+ "version": "1.3.2-2ubuntu0.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "__AUTO_PERMISSIVE__"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "PERMISSIVE"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libtirpc-common@1.3.2-2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libtirpc"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.3.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libtirpc3",
+ "version": "1.3.2-2ubuntu0.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "__AUTO_PERMISSIVE__"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "PERMISSIVE"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libtirpc3@1.3.2-2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libtirpc"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.3.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libudev1",
+ "version": "249.11-0ubuntu3.11",
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "CC0-1.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2 with Linux-syscall-note exception"
+ }
+ },
+ {
+ "license": {
+ "name": "Expat"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libudev1@249.11-0ubuntu3.11"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "systemd"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "0ubuntu3.11"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "249.11"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libunistring2",
+ "version": "1.0-1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "988fb59de6a0a313844277e8a6e45d3dc16f5ea75a603a46b16b936426f0ac65"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "FreeSoftware"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-1.2+"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2+ with distribution exception"
+ }
+ },
+ {
+ "license": {
+ "name": "MIT"
+ }
+ },
+ {
+ "license": {
+ "name": "GFDL-1.2"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libunistring2@1.0-1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libunistring"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libuuid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libuuid1",
+ "version": "2.37.2-4ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "94f24383876c575a85c4fd87226e72fe9c9bbdbb52b6f4d71dade805e0d60d48"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "MIT"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libuuid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libuuid1@2.37.2-4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "util-linux"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.37.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libxxhash0",
+ "version": "0.8.1-1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "71cf4300213c7ce65deadf37a21dc250d8162cdf1e41d7fda1e279a390051169"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libxxhash0@0.8.1-1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "xxhash"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "0.8.1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "libzstd1",
+ "version": "1.4.8+dfsg-3build1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "ae7db00ce8b093e50c994518b90203544e063b4bc574836a048bb142b950b2c9"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "Zlib"
+ }
+ },
+ {
+ "license": {
+ "name": "Expat"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "libzstd1@1.4.8+dfsg-3build1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "libzstd"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "3build1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.4.8+dfsg"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "login",
+ "version": "4.8.1-2ubuntu2.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "login@1:4.8.1-2ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "shadow"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "4.8.1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "logsave",
+ "version": "1.46.5-2ubuntu1.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "logsave@1.46.5-2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "e2fsprogs"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu1.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.46.5"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "lsb-base",
+ "version": "11.1.0ubuntu4",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "23ac3e99b0c2cd0179a7f40fa5a24248345e16c515f222164dad2a638b4f04cf"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "lsb-base@11.1.0ubuntu4"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "lsb"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "11.1.0ubuntu4"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/mawk@1.3.4.20200120-3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "mawk",
+ "version": "1.3.4.20200120-3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "73aea4eef18e9960e04ea2de58c3ee1bb552af6c1dc889ab33c6c896d3387c97"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/mawk@1.3.4.20200120-3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "mawk@1.3.4.20200120-3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "mawk"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.3.4.20200120"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/mount@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "mount",
+ "version": "2.37.2-4ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "0f7242d9ffbc6a1147a633f0cff1de1476f436fe72846501d9232b63845dfdc3"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "MIT"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/mount@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "mount@2.37.2-4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "util-linux"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.37.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "ncurses-base",
+ "version": "6.3-2ubuntu0.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "MIT/X11"
+ }
+ },
+ {
+ "license": {
+ "name": "X11"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "ncurses-base@6.3-2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "ncurses"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "6.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "ncurses-bin",
+ "version": "6.3-2ubuntu0.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "MIT/X11"
+ }
+ },
+ {
+ "license": {
+ "name": "X11"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "ncurses-bin@6.3-2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "ncurses"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu0.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "6.3"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "passwd",
+ "version": "4.8.1-2ubuntu2.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "passwd@1:4.8.1-2ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "shadow"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "4.8.1"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "perl-base",
+ "version": "5.34.0-3ubuntu1.3",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-1.0"
+ }
+ },
+ {
+ "license": {
+ "name": "Artistic"
+ }
+ },
+ {
+ "license": {
+ "name": "Expat"
+ }
+ },
+ {
+ "license": {
+ "name": "REGCOMP"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0-with-bison-exception"
+ }
+ },
+ {
+ "license": {
+ "name": "Unicode"
+ }
+ },
+ {
+ "license": {
+ "name": "BZIP"
+ }
+ },
+ {
+ "license": {
+ "name": "Zlib"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "RRA-KEEP-THIS-NOTICE"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-clause-with-weird-numbering"
+ }
+ },
+ {
+ "license": {
+ "name": "CC0-1.0"
+ }
+ },
+ {
+ "license": {
+ "name": "TEXT-TABS"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-clause-POWERDOG"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-clause-GENERIC"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "SDBM-PUBLIC-DOMAIN"
+ }
+ },
+ {
+ "license": {
+ "name": "DONT-CHANGE-THE-GPL"
+ }
+ },
+ {
+ "license": {
+ "name": "Artistic-dist"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "Artistic-2"
+ }
+ },
+ {
+ "license": {
+ "name": "HSIEH-DERIVATIVE"
+ }
+ },
+ {
+ "license": {
+ "name": "HSIEH-BSD"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "perl-base@5.34.0-3ubuntu1.3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "perl"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "3ubuntu1.3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "5.34.0"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/procps@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "procps",
+ "version": "3.3.17-6ubuntu2.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/procps@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "procps@2:3.3.17-6ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "procps"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "6ubuntu2.1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.3.17"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/sed@4.8-1ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "sed",
+ "version": "4.8-1ubuntu2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "cb871eba3078dbfe67770e9b8c2087cf568f06769611360a7de293a806f266c5"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/sed@4.8-1ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "sed@4.8-1ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "sed"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "4.8"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/sensible-utils@0.0.17?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "sensible-utils",
+ "version": "0.0.17",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "68fa82f5a319ffe48f51ea874117be3d6781c5f6b2ac4f172485fa690ebde4a3"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "All-permissive"
+ }
+ },
+ {
+ "license": {
+ "name": "configure"
+ }
+ },
+ {
+ "license": {
+ "name": "installsh"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/sensible-utils@0.0.17?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "sensible-utils@0.0.17"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "sensible-utils"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "0.0.17"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/sysvinit-utils@3.01-1ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "sysvinit-utils",
+ "version": "3.01-1ubuntu1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "54c24d33f48253b1460a32208d3f91f30f97fb5094ffa03afb2d687ab4319a04"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/sysvinit-utils@3.01-1ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "sysvinit-utils@3.01-1ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "sysvinit"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1ubuntu1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "3.01"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "tar",
+ "version": "1.34+dfsg-1ubuntu0.1.22.04.2",
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "tar@1.34+dfsg-1ubuntu0.1.22.04.2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "tar"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "1ubuntu0.1.22.04.2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.34+dfsg"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Dimitri John Ledkov "
+ },
+ "name": "ubuntu-keyring",
+ "version": "2021.03.26",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "0d0e7ed6b112f5d03eabf3c7eb01ebdacf9c57714b279e90495cfc58c8c4520f"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "ubuntu-keyring@2021.03.26"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "ubuntu-keyring"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2021.03.26"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/usrmerge@25ubuntu2?arch=all&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "usrmerge",
+ "version": "25ubuntu2",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "43bed2d23b2005c0690017d7bf8c332d0fd73fea18be245bd838a3fe104c93ad"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL v2"
+ }
+ },
+ {
+ "license": {
+ "name": "later"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/usrmerge@25ubuntu2?arch=all&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "usrmerge@25ubuntu2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "usrmerge"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "25ubuntu2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/util-linux@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "util-linux",
+ "version": "2.37.2-4ubuntu3",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "df52c8d589844aaf98b24fb22a9ce1be677eb30c70d8311c1a10c8c2d8b988d2"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "GPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "GPL-3.0"
+ }
+ },
+ {
+ "license": {
+ "name": "public-domain"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-4-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "MIT"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-2.1"
+ }
+ },
+ {
+ "license": {
+ "name": "LGPL-3.0"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/util-linux@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "util-linux@2.37.2-4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "util-linux"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "4ubuntu3"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "2.37.2"
+ }
+ ]
+ },
+ {
+ "bom-ref": "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "type": "library",
+ "supplier": {
+ "name": "Ubuntu Developers "
+ },
+ "name": "zlib1g",
+ "version": "1.2.11.dfsg-2ubuntu9.2",
+ "licenses": [
+ {
+ "license": {
+ "name": "Zlib"
+ }
+ }
+ ],
+ "purl": "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgID",
+ "value": "zlib1g@1:1.2.11.dfsg-2ubuntu9.2"
+ },
+ {
+ "name": "aquasecurity:trivy:PkgType",
+ "value": "ubuntu"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcEpoch",
+ "value": "1"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcName",
+ "value": "zlib"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcRelease",
+ "value": "2ubuntu9.2"
+ },
+ {
+ "name": "aquasecurity:trivy:SrcVersion",
+ "value": "1.2.11.dfsg"
+ }
+ ]
+ }
+ ],
+ "dependencies": [
+ {
+ "ref": "5303f1e6-739c-497b-8ad9-01b5318e8266",
+ "dependsOn": [
+ "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/apt@2.4.11?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/base-passwd@3.5.52build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/bsdutils@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/dash@0.5.11%2Bgit20210903%2B057cd650a4ed-3build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/diffutils@3.8-0ubuntu2?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/e2fsprogs@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/findutils@4.8.0-1ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/grep@3.7-1build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/gzip@1.10-4ubuntu4.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/hostname@3.23ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libacl1@2.3.1-1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libattr1@2.5.1-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcap2@2.44-1ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libdb5.3@5.3.28%2Bdfsg1-0.8ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libext2fs2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libmount1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libnsl2@1.3.0-2build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libpam-modules-bin@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libpam-runtime@1.4.0-11ubuntu2.3?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsmartcols1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libss2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libuuid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/mawk@1.3.4.20200120-3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/mount@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/procps@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "pkg:deb/ubuntu/sed@4.8-1ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/sensible-utils@0.0.17?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/sysvinit-utils@3.01-1ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/usrmerge@25ubuntu2?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/util-linux@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/apt@2.4.11?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/base-passwd@3.5.52build1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/bsdutils@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/dash@0.5.11%2Bgit20210903%2B057cd650a4ed-3build1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/diffutils@3.8-0ubuntu2?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/e2fsprogs@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/findutils@4.8.0-1ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/grep@3.7-1build1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/gzip@1.10-4ubuntu4.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/hostname@3.23ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libacl1@2.3.1-1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libattr1@2.5.1-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libcap2@2.44-1ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libdb5.3@5.3.28%2Bdfsg1-0.8ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libext2fs2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libmount1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libnsl2@1.3.0-2build2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libpam-modules-bin@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libpam-runtime@1.4.0-11ubuntu2.3?arch=all&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libsmartcols1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libss2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libuuid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/mawk@1.3.4.20200120-3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/mount@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/procps@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "dependsOn": [
+ "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/sed@4.8-1ubuntu2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/sensible-utils@0.0.17?arch=all&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/sysvinit-utils@3.01-1ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/usrmerge@25ubuntu2?arch=all&distro=ubuntu-22.04",
+ "dependsOn": [
+ "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/util-linux@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "dependsOn": [
+ "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04"
+ ]
+ },
+ {
+ "ref": "pkg:oci/ubuntu@sha256%3A6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b?arch=amd64&repository_url=index.docker.io%2Flibrary%2Fubuntu",
+ "dependsOn": [
+ "5303f1e6-739c-497b-8ad9-01b5318e8266"
+ ]
+ }
+ ],
+ "vulnerabilities": [
+ {
+ "id": "CVE-2016-2781",
+ "source": {
+ "name": "ubuntu",
+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+ },
+
+ "ratings": [
+ {
+ "source": {
+ "name": "cbl-mariner"
+ },
+ "severity": "medium"
+ },
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 2.1,
+ "severity": "info",
+ "method": "CVSSv2",
+ "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"
+ },
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 6.5,
+ "severity": "medium",
+ "method": "CVSSv3",
+ "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"
+ },
+ {
+ "source": {
+ "name": "redhat"
+ },
+ "score": 6.2,
+ "severity": "medium",
+ "method": "CVSSv2",
+ "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"
+ },
+ {
+ "source": {
+ "name": "redhat"
+ },
+ "score": 8.6,
+ "severity": "medium",
+ "method": "CVSSv3",
+ "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ },
+ {
+ "source": {
+ "name": "ubuntu"
+ },
+ "severity": "low"
+ }
+ ],
+ "cwes": [
+ 20
+ ],
+ "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
+ "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2016-2781"
+ },
+ {
+ "url": "http://seclists.org/oss-sec/2016/q1/452"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2016/02/28/2"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2016/02/28/3"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2016-2781"
+ },
+ {
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2781"
+ },
+ {
+ "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
+ },
+ {
+ "url": "https://lore.kernel.org/patchwork/patch/793178/"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2781"
+ },
+ {
+ "url": "https://www.cve.org/CVERecord?id=CVE-2016-2781"
+ }
+ ],
+ "published": "2017-02-07T15:59:00+00:00",
+ "updated": "2023-11-07T02:32:03+00:00",
+ "affects": [
+ {
+ "ref": "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "8.32-4.1ubuntu1",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "TEMP-0290435-0B57B5",
+ "source": {
+ "name": "debian",
+ "url": "https://salsa.debian.org/security-tracker-team/security-tracker"
+ },
+ "ratings": [
+ {
+ "source": {
+ "name": "debian"
+ },
+ "severity": "low"
+ }
+ ],
+ "advisories": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/TEMP-0290435-0B57B5"
+ }
+ ],
+ "affects": [
+ {
+ "ref": "pkg:deb/debian/tar@1.30%2Bdfsg-6?arch=amd64&distro=debian-10.12",
+ "versions": [
+ {
+ "version": "1.30+dfsg-6",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-11164",
+ "source": {
+ "name": "ubuntu",
+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+ },
+ "ratings": [
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 7.8,
+ "severity": "high",
+ "method": "CVSSv2",
+ "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"
+ },
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 7.5,
+ "severity": "high",
+ "method": "CVSSv3",
+ "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "photon"
+ },
+ "severity": "high"
+ },
+ {
+ "source": {
+ "name": "redhat"
+ },
+ "score": 3.3,
+ "severity": "low",
+ "method": "CVSSv3",
+ "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
+ },
+ {
+ "source": {
+ "name": "ubuntu"
+ },
+ "severity": "low"
+ }
+ ],
+ "cwes": [
+ 674
+ ],
+ "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.",
+ "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2017-11164"
+ },
+ {
+ "url": "http://openwall.com/lists/oss-security/2017/07/11/3"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/04/11/1"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/04/12/1"
+ },
+ {
+ "url": "http://www.securityfocus.com/bid/99575"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2017-11164"
+ },
+ {
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164"
+ },
+ {
+ "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11164"
+ },
+ {
+ "url": "https://www.cve.org/CVERecord?id=CVE-2017-11164"
+ }
+ ],
+ "published": "2017-07-11T03:29:00+00:00",
+ "updated": "2023-11-07T02:38:10+00:00",
+ "affects": [
+ {
+ "ref": "pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2",
+ "versions": [
+ {
+ "version": "2:8.39-13ubuntu0.22.04.1",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-20013",
+ "source": {
+ "name": "ubuntu",
+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+ },
+ "ratings": [
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 5,
+ "severity": "medium",
+ "method": "CVSSv2",
+ "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
+ },
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 7.5,
+ "severity": "high",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "ubuntu"
+ },
+ "severity": "low"
+ }
+ ],
+ "cwes": [
+ 770
+ ],
+ "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.",
+ "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2016-20013"
+ },
+ {
+ "url": "https://akkadia.org/drepper/SHA-crypt.txt"
+ },
+ {
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-20013"
+ },
+ {
+ "url": "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/"
+ },
+ {
+ "url": "https://twitter.com/solardiz/status/795601240151457793"
+ }
+ ],
+ "published": "2022-02-19T05:15:09+00:00",
+ "updated": "2022-03-03T16:43:19+00:00",
+ "affects": [
+ {
+ "ref": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "2.35-0ubuntu3.5",
+ "status": "affected"
+ }
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "2.35-0ubuntu3.5",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-27943",
+ "source": {
+ "name": "ubuntu",
+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+ },
+ "ratings": [
+ {
+ "source": {
+ "name": "amazon"
+ },
+ "severity": "low"
+ },
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 4.3,
+ "severity": "medium",
+ "method": "CVSSv2",
+ "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"
+ },
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 5.5,
+ "severity": "medium",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "redhat"
+ },
+ "score": 5.5,
+ "severity": "low",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "ubuntu"
+ },
+ "severity": "low"
+ }
+ ],
+ "cwes": [
+ 674
+ ],
+ "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
+ "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2022-27943"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2022-27943"
+ },
+ {
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27943"
+ },
+ {
+ "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039"
+ },
+ {
+ "url": "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79"
+ },
+ {
+ "url": "https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
+ },
+ {
+ "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=28995"
+ },
+ {
+ "url": "https://www.cve.org/CVERecord?id=CVE-2022-27943"
+ }
+ ],
+ "published": "2022-03-26T13:15:07+00:00",
+ "updated": "2023-11-07T03:45:32+00:00",
+ "affects": [
+ {
+ "ref": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "12.3.0-1ubuntu1~22.04",
+ "status": "affected"
+ }
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "12.3.0-1ubuntu1~22.04",
+ "status": "affected"
+ }
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "12.3.0-1ubuntu1~22.04",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "CVE-2023-29383",
+ "source": {
+ "name": "ubuntu",
+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+ },
+ "ratings": [
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 3.3,
+ "severity": "low",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "source": {
+ "name": "photon"
+ },
+ "severity": "low"
+ },
+ {
+ "source": {
+ "name": "redhat"
+ },
+ "score": 5.5,
+ "severity": "medium",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "ubuntu"
+ },
+ "severity": "low"
+ }
+ ],
+ "cwes": [
+ 74
+ ],
+ "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.",
+ "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2023-29383"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2023-29383"
+ },
+ {
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29383"
+ },
+ {
+ "url": "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d"
+ },
+ {
+ "url": "https://github.com/shadow-maint/shadow/pull/687"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29383"
+ },
+ {
+ "url": "https://www.cve.org/CVERecord?id=CVE-2023-29383"
+ },
+ {
+ "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/"
+ },
+ {
+ "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797"
+ }
+ ],
+ "published": "2023-04-14T22:15:07+00:00",
+ "updated": "2023-04-24T18:05:30+00:00",
+ "affects": [
+ {
+ "ref": "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "versions": [
+ {
+ "version": "1:4.8.1-2ubuntu2.1",
+ "status": "affected"
+ }
+ ]
+ },
+ {
+ "ref": "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1",
+ "versions": [
+ {
+ "version": "1:4.8.1-2ubuntu2.1",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-22916",
+ "source": {
+ "name": "ubuntu",
+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+ },
+ "ratings": [
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 5.5,
+ "severity": "medium",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "redhat"
+ },
+ "score": 5.5,
+ "severity": "low",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "ubuntu"
+ },
+ "severity": "medium"
+ }
+ ],
+ "description": "An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of \"endless output\" and \"denial of service\" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.",
+ "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2020-22916"
+ },
+ {
+ "url": "http://web.archive.org/web/20230918084612/https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2020-22916"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234987"
+ },
+ {
+ "url": "https://bugzilla.suse.com/show_bug.cgi?id=1214590"
+ },
+ {
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22916"
+ },
+ {
+ "url": "https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability"
+ },
+ {
+ "url": "https://github.com/tukaani-project/xz/issues/61"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22916"
+ },
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2020-22916"
+ },
+ {
+ "url": "https://tukaani.org/xz/"
+ },
+ {
+ "url": "https://www.cve.org/CVERecord?id=CVE-2020-22916"
+ }
+ ],
+ "published": "2023-08-22T19:16:19+00:00",
+ "updated": "2023-11-07T03:19:47+00:00",
+ "affects": [
+ {
+ "ref": "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "5.2.5-2ubuntu1",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-3715",
+ "source": {
+ "name": "ubuntu",
+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+ },
+ "ratings": [
+ {
+ "source": {
+ "name": "alma"
+ },
+ "severity": "medium"
+ },
+ {
+ "source": {
+ "name": "amazon"
+ },
+ "severity": "medium"
+ },
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 7.8,
+ "severity": "high",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "source": {
+ "name": "oracle-oval"
+ },
+ "severity": "medium"
+ },
+ {
+ "source": {
+ "name": "redhat"
+ },
+ "score": 6.6,
+ "severity": "medium",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H"
+ },
+ {
+ "source": {
+ "name": "rocky"
+ },
+ "severity": "medium"
+ },
+ {
+ "source": {
+ "name": "ubuntu"
+ },
+ "severity": "low"
+ }
+ ],
+ "cwes": [
+ 787,
+ 119
+ ],
+ "description": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.",
+ "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2022-3715"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:0340"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2022-3715"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/2126720"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126720"
+ },
+ {
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3715"
+ },
+ {
+ "url": "https://errata.almalinux.org/9/ALSA-2023-0340.html"
+ },
+ {
+ "url": "https://errata.rockylinux.org/RLSA-2023:0340"
+ },
+ {
+ "url": "https://linux.oracle.com/cve/CVE-2022-3715.html"
+ },
+ {
+ "url": "https://linux.oracle.com/errata/ELSA-2023-0340.html"
+ },
+ {
+ "url": "https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3715"
+ },
+ {
+ "url": "https://www.cve.org/CVERecord?id=CVE-2022-3715"
+ }
+ ],
+ "published": "2023-01-05T15:15:10+00:00",
+ "updated": "2023-02-24T18:38:10+00:00",
+ "affects": [
+ {
+ "ref": "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "5.1-6ubuntu1",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-3219",
+ "source": {
+ "name": "ubuntu",
+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+ },
+ "ratings": [
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 3.3,
+ "severity": "low",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ },
+ {
+ "source": {
+ "name": "redhat"
+ },
+ "score": 6.2,
+ "severity": "low",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "ubuntu"
+ },
+ "severity": "low"
+ }
+ ],
+ "cwes": [
+ 787
+ ],
+ "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.",
+ "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2022-3219"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2022-3219"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127010"
+ },
+ {
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3219"
+ },
+ {
+ "url": "https://dev.gnupg.org/D556"
+ },
+ {
+ "url": "https://dev.gnupg.org/T5993"
+ },
+ {
+ "url": "https://marc.info/?l=oss-security&m=165696590211434&w=4"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20230324-0001/"
+ },
+ {
+ "url": "https://www.cve.org/CVERecord?id=CVE-2022-3219"
+ }
+ ],
+ "published": "2023-02-23T20:15:12+00:00",
+ "updated": "2023-05-26T16:31:34+00:00",
+ "affects": [
+ {
+ "ref": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "2.2.27-3ubuntu2.1",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-4899",
+ "source": {
+ "name": "ubuntu",
+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+ },
+ "ratings": [
+ {
+ "source": {
+ "name": "amazon"
+ },
+ "severity": "medium"
+ },
+ {
+ "source": {
+ "name": "ghsa"
+ },
+ "score": 7.5,
+ "severity": "high",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "nvd"
+ },
+ "score": 7.5,
+ "severity": "high",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "photon"
+ },
+ "severity": "high"
+ },
+ {
+ "source": {
+ "name": "redhat"
+ },
+ "score": 7.5,
+ "severity": "low",
+ "method": "CVSSv31",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "source": {
+ "name": "ubuntu"
+ },
+ "severity": "low"
+ }
+ ],
+ "cwes": [
+ 400
+ ],
+ "description": "asdfasfdA vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.",
+ "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2022-4899"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2022-4899"
+ },
+ {
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4899"
+ },
+ {
+ "url": "https://github.com/facebook/zstd"
+ },
+ {
+ "url": "https://github.com/facebook/zstd/issues/3200"
+ },
+ {
+ "url": "https://github.com/facebook/zstd/pull/3220"
+ },
+ {
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zstd/PYSEC-2023-121.yaml"
+ },
+ {
+ "url": "https://github.com/sergey-dryabzhinsky/python-zstd/commit/c8a619aebdbd6b838fbfef6e19325a70f631a4c6"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20230725-0005/"
+ },
+ {
+ "url": "https://www.cve.org/CVERecord?id=CVE-2022-4899"
+ }
+ ],
+ "published": "2023-03-31T20:15:07+00:00",
+ "updated": "2023-11-07T03:59:16+00:00",
+ "affects": [
+ {
+ "ref": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04",
+ "versions": [
+ {
+ "version": "1.4.8+dfsg-3build1",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+
\ No newline at end of file
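Review bot: the `description` of CVE-2022-4899 (the libzstd1 entry at the end of this hunk) begins with a stray "asdfasfd" before "A vulnerability was found in zstd v1.4.10"; that looks like an accidental keystroke rather than scanner output, so drop it unless a test deliberately asserts on that exact string, otherwise the fixture no longer reflects what the scanner emits. Two things in the same hunk are better covered by the test than changed in the fixture: CVE-2020-22916 carries no `cwes` key while its neighbours do, and the same CVE has `nvd` and `redhat` ratings with identical 5.5 / CVSSv31 vectors but different `severity` labels ("medium" vs "low"), so the parser's choice of which rating wins should be asserted explicitly. The file also ends without a trailing newline; adding one keeps future diffs clean.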
diff --git a/unittests/scans/kiuwan/issue_9308.csv b/unittests/scans/kiuwan/issue_9308.csv
new file mode 100644
index 00000000000..f4326fcd287
--- /dev/null
+++ b/unittests/scans/kiuwan/issue_9308.csv
@@ -0,0 +1,3 @@
+Rule code,Rule,Priority,CWE,Software characteristic,Vulnerability type,Language,Effort,File,Line number,Line text,Source file,Source line number,Source line text,Muted,Normative,Status,CWE Scope,Framework
+OPT.JAVASCRIPT.ERRORCOMUN.UnusedLocalVar,Avoid unused local variable,High,101,Maintainability,Other,Typescript,03m,file.js,12,self = this,,,,No,"Agile Alliance:Concise-CDED,CWE:563",none,,
+OPT.JAVASCRIPT.ERRORCOMUN.UnusedLocalVar,Avoid unused local variable,High,102,Maintainability,Other,Typescript,03m,another-file.js,12,self = this,,,,No,"Agile Alliance:Concise-CDED,CWE:563",none,,
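Review bot: the CWE column disagrees with the Normative column on both rows: the rows carry 101 and 102 in CWE while Normative says `CWE:563`, which is the CWE for an assigned-but-unused variable and matches the rule `OPT.JAVASCRIPT.ERRORCOMUN.UnusedLocalVar`. If the two rows only need to be distinct findings, the differing File values (`file.js` vs `another-file.js`) already achieve that, so consider using 563 in both rows so the fixture looks like a real Kiuwan export; if the differing CWEs are the point of the test (for instance to check that the parser reads the CWE column rather than the Normative field), state that in the test that loads this file. Minor: Language is "Typescript" for `.js` files, harmless but worth aligning as well.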
diff --git a/unittests/scans/nikto/issue_9274.json b/unittests/scans/nikto/issue_9274.json
new file mode 100644
index 00000000000..fa014208196
--- /dev/null
+++ b/unittests/scans/nikto/issue_9274.json
@@ -0,0 +1,62 @@
+[
+ {
+ "host": "example.com",
+ "ip": "203.0.113.37",
+ "port": "443",
+ "banner": "",
+ "vulnerabilities": [
+ {
+ "id": "999986",
+ "method": "GET",
+ "url": "/",
+ "msg": "Retrieved via header: 1.1 google."
+ },
+ {
+ "id": "999978",
+ "references": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
+ "method": "GET",
+ "url": "/",
+ "msg": "/:X-Frame-Options header is deprecated and has been replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead."
+ },
+ {
+ "id": "999103",
+ "references": "https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/",
+ "method": "GET",
+ "url": "/robots.txt",
+ "msg": "The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type."
+ },
+ {
+ "id": "999996",
+ "references": "https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt",
+ "method": "GET",
+ "url": "/robots.txt",
+ "msg": "contains 1 entry which should be manually viewed."
+ },
+ {
+ "id": "999962",
+ "method": "GET",
+ "url": "/images/8f7c0a6.ico",
+ "msg": ": Server banner changed from 'nginx' to 'ghs'."
+ },
+ {
+ "id": "999966",
+ "references": "http://breachattack.com/",
+ "method": "GET",
+ "url": "/",
+ "msg": "The Content-Encoding header is set to \\\"deflate\\\" which may mean that the server is vulnerable to the BREACH attack."
+ },
+ {
+ "id": "999100",
+ "method": "GET",
+ "url": "/",
+ "msg": "Uncommon header 'x-google-gfe-load-report' found, with contents: utilization_percent: 51.177505 queries_per_second: 20382 errors_per_second: 0."
+ },
+ {
+ "id": "999100",
+ "method": "GET",
+ "url": "/",
+ "msg": "Uncommon header 'x-google-gfe-backend-request-cost' found, with contents: 51.177506531784765."
+ }
+ ]
+ }
+ ]
\ No newline at end of file
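Review bot: the BREACH finding's msg is stored as `\\\"deflate\\\"`, which JSON-decodes to a literal backslash before each quote (`\"deflate\"`); if that is the Nikto output that triggered issue 9274, keep it verbatim but have the test assert what the parser produces for that description (backslashes stripped or kept), otherwise normalise it to `\"deflate\"`. The fixture also contains two entries sharing id 999100, method GET and url "/" that differ only in msg, several entries without a `references` key, and an empty `banner`; the test should assert the expected finding count after deduplication and that the absent keys do not break the parser. The file ends without a trailing newline.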
diff --git a/unittests/scans/snyk/snykcode_issue_9270.json b/unittests/scans/snyk/snykcode_issue_9270.json
new file mode 100644
index 00000000000..b9a56f85c44
--- /dev/null
+++ b/unittests/scans/snyk/snykcode_issue_9270.json
@@ -0,0 +1,10782 @@
+{
+ "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+ "version": "2.1.0",
+ "runs": [
+ {
+ "tool": {
+ "driver": {
+ "name": "SnykCode",
+ "semanticVersion": "1.0.0",
+ "version": "1.0.0",
+ "rules": [
+ {
+ "id": "javascript/XSS",
+ "name": "XSS",
+ "shortDescription": {
+ "text": "Cross-site Scripting (XSS)"
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "help": {
+ "markdown": "## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser's Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they've been correctly escaped in the application code and in this way the attempted attack is diverted.\n\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.\n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.|\n|**DOM-based**|Client|The attacker forces the user's browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## Best practices for prevention\nThis section describes the top best practices designed to specifically protect your code:\n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents.\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "XSS",
+ "Security",
+ "SourceNetworkRequest",
+ "Taint"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/mjackson/unpkg/commit/db69375e9c944a115e0d542485694e5529e1ddd7?diff=split#diff-59f9f1a3f7e9116d78e320b8b4f3739db8ceaddcff22dae7d19dbc2a5304024aL-1",
+ "lines": [
+ {
+ "line": "res.status(404).send(`Cannot find main file \"${mainFilename}\" in package ${req.packageSpec}`)\n",
+ "lineNumber": 95,
+ "lineChange": "removed"
+ },
+ {
+ "line": "res.status(404).type('text').send(`Cannot find main file \"${mainFilename}\" in package ${req.packageSpec}`)\n",
+ "lineNumber": 95,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/themeblvd/backroad/commit/08be2967098668a994d9d8bd034452c7b5b1ae6b?diff=split#diff-a73913970ad590fbf5ed8688eed6f7eda75939c6217a98c2d583e27709b7226fL-1",
+ "lines": [
+ {
+ "line": "res.status(500).send(err);\n",
+ "lineNumber": 80,
+ "lineChange": "removed"
+ },
+ {
+ "line": "res.status(404).send({ message: 'User not found.' });\n",
+ "lineNumber": 80,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/embark-framework/embark/commit/efbe71f5e25a3070088a3ea3a08e953e8e446a52?diff=split#diff-7c96a33de8e6615819fd2eccdb5d047d6fde50184a37faf63235fcf90319a606L-1",
+ "lines": [
+ {
+ "line": "return res.send(\"-- couldn't profile \" + contractName + \" - it's not deployed or could be an interface\");\n",
+ "lineNumber": 82,
+ "lineChange": "removed"
+ },
+ {
+ "line": "return res.send({error: \"-- couldn't profile \" + contractName + \" - it's not deployed or could be an interface\"});\n",
+ "lineNumber": 82,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 141,
+ "cwe": [
+ "CWE-79"
+ ]
+ }
+ },
+ {
+ "id": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "name": "NoRateLimitingForExpensiveWebOperation",
+ "shortDescription": {
+ "text": "Allocation of Resources Without Limits or Throttling"
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "help": {
+ "markdown": "\n## Details\n\nWithout unlimited resources, software operating in the real world is inherently limited in the resources it may consume; similarly, servers are limited by the number of simultaneous sessions they can handle. Therefore, it is important for developers to design software that considers these real-world physical (or virtual) limitations and limits user sessions accordingly, both in terms of the number of user sessions and in the quantity of resources each user may demand. Software with this weakness does not include such limitations and as a result, individual user sessions may consume too many resources, leading to unintended software behavior including, potentially, denial of service. This can be compared to a single restaurant customer emptying out the entire buffet, leaving no food for other customers--or an entire busload mobbing the buffet all at once, with a similar effect. This may happen inadvertently or as a result of an attack by a malicious user.\n\n## Best practices for prevention\n* Test extensively to obtain baseline values indicating how the software performs in the real world under various conditions (normal and peak); use these values to determine reasonable software limits.\n* Set clear limits for all flexible parameters such as maximum allocable memory, number of processes within a given timeframe, file descriptors, requests per client, number of records per request, etc. This is particularly true for any parameters within user control.\n* Release all resources when no longer in use, including incorporating timeouts for inactive users, processes, and resources.\n* Familiarize Dev, Ops, and IT teams with best practices for recognizing and preventing DoS attacks and out-of-control resource allocation to prevent catastrophic failures.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "NoRateLimitingForExpensiveWebOperation",
+ "Security"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/ministryofjustice/apvs-external-web/commit/0c9c9b33869909092d7cb442f10e76a08e4acb60?diff=split#diff-322f0482bd28fc40f84fcb0aaf208fef7fb63082d462cf02d11f46e59c531c24L-1",
+ "lines": [
+ {
+ "line": "// rate limiting\n",
+ "lineNumber": 43,
+ "lineChange": "added"
+ },
+ {
+ "line": "if (config.RATE_LIMITING_ENABLED === 'true') {\n",
+ "lineNumber": 44,
+ "lineChange": "added"
+ },
+ {
+ "line": " app.enable('trust proxy')\n",
+ "lineNumber": 45,
+ "lineChange": "added"
+ },
+ {
+ "line": " var limiter = new RateLimit({\n",
+ "lineNumber": 46,
+ "lineChange": "added"
+ },
+ {
+ "line": " windowMs: parseInt(config.RATE_LIMITING_WINDOW_MILLISECONDS),\n",
+ "lineNumber": 47,
+ "lineChange": "added"
+ },
+ {
+ "line": " max: parseInt(config.RATE_LIMITING_REQUEST_LIMIT),\n",
+ "lineNumber": 48,
+ "lineChange": "added"
+ },
+ {
+ "line": " delayMs: 0, // disable delaying - full speed until the max limit is reached\n",
+ "lineNumber": 49,
+ "lineChange": "added"
+ },
+ {
+ "line": " skip: function (req) {\n",
+ "lineNumber": 50,
+ "lineChange": "added"
+ },
+ {
+ "line": " return req.url.startsWith('/public') // skip public assets\n",
+ "lineNumber": 51,
+ "lineChange": "added"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 52,
+ "lineChange": "added"
+ },
+ {
+ "line": " })\n",
+ "lineNumber": 53,
+ "lineChange": "added"
+ },
+ {
+ "line": " // apply to all requests\n",
+ "lineNumber": 54,
+ "lineChange": "added"
+ },
+ {
+ "line": " app.use(limiter)\n",
+ "lineNumber": 55,
+ "lineChange": "added"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 56,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 57,
+ "lineChange": "added"
+ },
+ {
+ "line": "var packageJson = require('../package.json')\n",
+ "lineNumber": 58,
+ "lineChange": "none"
+ },
+ {
+ "line": "var developmentMode = app.get('env') === 'development'\n",
+ "lineNumber": 59,
+ "lineChange": "none"
+ },
+ {
+ "line": "var releaseVersion = packageJson.version\n",
+ "lineNumber": 60,
+ "lineChange": "none"
+ },
+ {
+ "line": "var serviceName = 'Get help with prison visits'\n",
+ "lineNumber": 61,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 62,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.set('view engine', 'html')\n",
+ "lineNumber": 63,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.set('views', path.join(__dirname, 'views'))\n",
+ "lineNumber": 64,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 65,
+ "lineChange": "none"
+ },
+ {
+ "line": "nunjucks(app, {\n",
+ "lineNumber": 66,
+ "lineChange": "none"
+ },
+ {
+ "line": " watch: developmentMode,\n",
+ "lineNumber": 67,
+ "lineChange": "none"
+ },
+ {
+ "line": " noCache: developmentMode\n",
+ "lineNumber": 68,
+ "lineChange": "none"
+ },
+ {
+ "line": "})\n",
+ "lineNumber": 69,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 70,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use('/public', express.static(path.join(__dirname, 'public')))\n",
+ "lineNumber": 71,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use('/public', express.static(path.join(__dirname, 'govuk_modules', 'govuk_template')))\n",
+ "lineNumber": 72,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use('/public', express.static(path.join(__dirname, 'govuk_modules', 'govuk_frontend_toolkit')))\n",
+ "lineNumber": 73,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(favicon(path.join(__dirname, 'govuk_modules', 'govuk_template', 'images', 'favicon.ico')))\n",
+ "lineNumber": 74,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 75,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Basic auth\n",
+ "lineNumber": 76,
+ "lineChange": "none"
+ },
+ {
+ "line": "if (config.BASIC_AUTH_ENABLED === 'true') {\n",
+ "lineNumber": 77,
+ "lineChange": "none"
+ },
+ {
+ "line": " app.use(function (req, res, next) {\n",
+ "lineNumber": 78,
+ "lineChange": "none"
+ },
+ {
+ "line": " var credentials = auth(req)\n",
+ "lineNumber": 79,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 80,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (req.url === '' || req.url === '/' || req.url === '/status') {\n",
+ "lineNumber": 81,
+ "lineChange": "none"
+ },
+ {
+ "line": " next() // must leave root url free for Azure gateway\n",
+ "lineNumber": 82,
+ "lineChange": "none"
+ },
+ {
+ "line": " } else {\n",
+ "lineNumber": 83,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (!credentials ||\n",
+ "lineNumber": 84,
+ "lineChange": "none"
+ },
+ {
+ "line": " credentials.name !== config.BASIC_AUTH_USERNAME ||\n",
+ "lineNumber": 85,
+ "lineChange": "none"
+ },
+ {
+ "line": " credentials.pass !== config.BASIC_AUTH_PASSWORD) {\n",
+ "lineNumber": 86,
+ "lineChange": "none"
+ },
+ {
+ "line": " res.statusCode = 401\n",
+ "lineNumber": 87,
+ "lineChange": "none"
+ },
+ {
+ "line": " res.setHeader('WWW-Authenticate', 'Basic realm=\"APVS External Web\"')\n",
+ "lineNumber": 88,
+ "lineChange": "none"
+ },
+ {
+ "line": " res.end('Access denied')\n",
+ "lineNumber": 89,
+ "lineChange": "none"
+ },
+ {
+ "line": " } else {\n",
+ "lineNumber": 90,
+ "lineChange": "none"
+ },
+ {
+ "line": " next()\n",
+ "lineNumber": 91,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 92,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 93,
+ "lineChange": "none"
+ },
+ {
+ "line": " })\n",
+ "lineNumber": 94,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 95,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 96,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(bodyParser.json())\n",
+ "lineNumber": 97,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(bodyParser.urlencoded({ extended: false }))\n",
+ "lineNumber": 98,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(expressSanitized())\n",
+ "lineNumber": 99,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 100,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Send assetPath to all views.\n",
+ "lineNumber": 101,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(function (req, res, next) {\n",
+ "lineNumber": 102,
+ "lineChange": "none"
+ },
+ {
+ "line": " res.locals.asset_path = '/public/'\n",
+ "lineNumber": 103,
+ "lineChange": "none"
+ },
+ {
+ "line": " next()\n",
+ "lineNumber": 104,
+ "lineChange": "none"
+ },
+ {
+ "line": "})\n",
+ "lineNumber": 105,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 106,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Add variables that are available in all views.\n",
+ "lineNumber": 107,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(function (req, res, next) {\n",
+ "lineNumber": 108,
+ "lineChange": "none"
+ },
+ {
+ "line": " res.locals.serviceName = serviceName\n",
+ "lineNumber": 109,
+ "lineChange": "none"
+ },
+ {
+ "line": " res.locals.releaseVersion = 'v' + releaseVersion\n",
+ "lineNumber": 110,
+ "lineChange": "none"
+ },
+ {
+ "line": " next()\n",
+ "lineNumber": 111,
+ "lineChange": "none"
+ },
+ {
+ "line": "})\n",
+ "lineNumber": 112,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 113,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Set locale for translations.\n",
+ "lineNumber": 114,
+ "lineChange": "none"
+ },
+ {
+ "line": "i18n.configure({\n",
+ "lineNumber": 115,
+ "lineChange": "none"
+ },
+ {
+ "line": " locales: ['en', 'cy'],\n",
+ "lineNumber": 116,
+ "lineChange": "none"
+ },
+ {
+ "line": " directory: path.join(__dirname, '/locales'),\n",
+ "lineNumber": 117,
+ "lineChange": "none"
+ },
+ {
+ "line": " updateFiles: config.I18N_UPDATEFILES || true\n",
+ "lineNumber": 118,
+ "lineChange": "none"
+ },
+ {
+ "line": "})\n",
+ "lineNumber": 119,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(i18n.init)\n",
+ "lineNumber": 120,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 121,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Log each HTML request and it's response.\n",
+ "lineNumber": 122,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(function (req, res, next) {\n",
+ "lineNumber": 123,
+ "lineChange": "none"
+ },
+ {
+ "line": " // Log response started.\n",
+ "lineNumber": 124,
+ "lineChange": "none"
+ },
+ {
+ "line": " log.info({ request: req }, 'Route Started.')\n",
+ "lineNumber": 125,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 126,
+ "lineChange": "none"
+ },
+ {
+ "line": " // Log response finished.\n",
+ "lineNumber": 127,
+ "lineChange": "none"
+ },
+ {
+ "line": " onFinished(res, function () {\n",
+ "lineNumber": 128,
+ "lineChange": "none"
+ },
+ {
+ "line": " log.info({ response: res }, 'Route Complete.')\n",
+ "lineNumber": 129,
+ "lineChange": "none"
+ },
+ {
+ "line": " })\n",
+ "lineNumber": 130,
+ "lineChange": "none"
+ },
+ {
+ "line": " next()\n",
+ "lineNumber": 131,
+ "lineChange": "none"
+ },
+ {
+ "line": "})\n",
+ "lineNumber": 132,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 133,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Use cookie parser middleware (required for csurf)\n",
+ "lineNumber": 134,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(cookieParser(config.EXT_APPLICATION_SECRET, { httpOnly: true, secure: config.EXT_SECURE_COOKIE === 'true' }))\n",
+ "lineNumber": 135,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 136,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Check for valid CSRF tokens on state-changing methods.\n",
+ "lineNumber": 137,
+ "lineChange": "none"
+ },
+ {
+ "line": "var csrfProtection = csurf({ cookie: { httpOnly: true, secure: config.EXT_SECURE_COOKIE === 'true' } })\n",
+ "lineNumber": 138,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 139,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(function (req, res, next) {\n",
+ "lineNumber": 140,
+ "lineChange": "none"
+ },
+ {
+ "line": " csrfExcludeRoutes.forEach(function (route) {\n",
+ "lineNumber": 141,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (req.originalUrl.includes(route) && req.method === 'POST') {\n",
+ "lineNumber": 142,
+ "lineChange": "none"
+ },
+ {
+ "line": " next()\n",
+ "lineNumber": 143,
+ "lineChange": "none"
+ },
+ {
+ "line": " } else {\n",
+ "lineNumber": 144,
+ "lineChange": "none"
+ },
+ {
+ "line": " csrfProtection(req, res, next)\n",
+ "lineNumber": 145,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 146,
+ "lineChange": "none"
+ },
+ {
+ "line": " })\n",
+ "lineNumber": 147,
+ "lineChange": "none"
+ },
+ {
+ "line": "})\n",
+ "lineNumber": 148,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 149,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Generate CSRF tokens to be sent in POST requests\n",
+ "lineNumber": 150,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(function (req, res, next) {\n",
+ "lineNumber": 151,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (req.hasOwnProperty('csrfToken')) {\n",
+ "lineNumber": 152,
+ "lineChange": "none"
+ },
+ {
+ "line": " res.locals.csrfToken = req.csrfToken()\n",
+ "lineNumber": 153,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 154,
+ "lineChange": "none"
+ },
+ {
+ "line": " next()\n",
+ "lineNumber": 155,
+ "lineChange": "none"
+ },
+ {
+ "line": "})\n",
+ "lineNumber": 156,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 157,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Build the router to route all HTTP requests and pass to the routes file for route configuration.\n",
+ "lineNumber": 158,
+ "lineChange": "none"
+ },
+ {
+ "line": "var router = express.Router()\n",
+ "lineNumber": 159,
+ "lineChange": "none"
+ },
+ {
+ "line": "routes(router)\n",
+ "lineNumber": 160,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use('/', router)\n",
+ "lineNumber": 161,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 162,
+ "lineChange": "none"
+ },
+ {
+ "line": "// catch 404 and forward to error handler.\n",
+ "lineNumber": 163,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(function (req, res, next) {\n",
+ "lineNumber": 164,
+ "lineChange": "none"
+ },
+ {
+ "line": " var err = new Error('Not Found')\n",
+ "lineNumber": 165,
+ "lineChange": "none"
+ },
+ {
+ "line": " err.status = 404\n",
+ "lineNumber": 166,
+ "lineChange": "none"
+ },
+ {
+ "line": " res.status(404)\n",
+ "lineNumber": 167,
+ "lineChange": "none"
+ },
+ {
+ "line": " next(err)\n",
+ "lineNumber": 168,
+ "lineChange": "none"
+ },
+ {
+ "line": "})\n",
+ "lineNumber": 169,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 170,
+ "lineChange": "none"
+ },
+ {
+ "line": "// catch CSRF token errors\n",
+ "lineNumber": 171,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(function (err, req, res, next) {\n",
+ "lineNumber": 172,
+ "lineChange": "none"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/SOSML/SOSML/commit/7e27f8b78d458f8ca8a4313730af19de6dc948a2?diff=split#diff-4e0d36557976efd053a8a93638c538d9c6530933aceca263867cd67b5ed9e5baL-1",
+ "lines": [
+ {
+ "line": "var callDockerLimiter = new RateLimit({\n",
+ "lineNumber": 24,
+ "lineChange": "added"
+ },
+ {
+ "line": " windowMs: 10*60*1000, // 1 hour window\n",
+ "lineNumber": 25,
+ "lineChange": "added"
+ },
+ {
+ "line": " delayAfter: 10, // begin slowing down responses after the first 10 requests\n",
+ "lineNumber": 26,
+ "lineChange": "added"
+ },
+ {
+ "line": " delayMs: 100, // slow down subsequent responses by 100 milliseconds per request\n",
+ "lineNumber": 27,
+ "lineChange": "added"
+ },
+ {
+ "line": " max: 50, // start blocking after 50 requests\n",
+ "lineNumber": 28,
+ "lineChange": "added"
+ },
+ {
+ "line": " message: \"Too many requests made from this IP, please try again in a few minutes\"\n",
+ "lineNumber": 29,
+ "lineChange": "added"
+ },
+ {
+ "line": "});\n",
+ "lineNumber": 30,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 31,
+ "lineChange": "added"
+ },
+ {
+ "line": "function evalSMLCode(payload, response) {\n",
+ "lineNumber": 32,
+ "lineChange": "none"
+ },
+ {
+ "line": " let dockerrunner = cmd.get(\n",
+ "lineNumber": 33,
+ "lineChange": "none"
+ },
+ {
+ "line": " 'docker run --cpus=1 --memory=128m --rm -i --read-only derjesko/mosmlfallback',\n",
+ "lineNumber": 34,
+ "lineChange": "none"
+ },
+ {
+ "line": " function (err, data, stderr) {\n",
+ "lineNumber": 35,
+ "lineChange": "none"
+ },
+ {
+ "line": " var last_line = data.split(/\\r?\\n/).pop();\n",
+ "lineNumber": 36,
+ "lineChange": "none"
+ },
+ {
+ "line": " var error_code = parseInt(last_line.substring(2));\n",
+ "lineNumber": 37,
+ "lineChange": "none"
+ },
+ {
+ "line": " error_text = '';\n",
+ "lineNumber": 38,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (error_code > 0) {\n",
+ "lineNumber": 39,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (error_code == 124) {\n",
+ "lineNumber": 40,
+ "lineChange": "none"
+ },
+ {
+ "line": " error_text = 'SML hit the time limit of 3 seconds.';\n",
+ "lineNumber": 41,
+ "lineChange": "none"
+ },
+ {
+ "line": " } else {\n",
+ "lineNumber": 42,
+ "lineChange": "none"
+ },
+ {
+ "line": " data = data.replace(last_line, 'SML exited with ' + error_code);\n",
+ "lineNumber": 43,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 44,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 45,
+ "lineChange": "none"
+ },
+ {
+ "line": " data = data.replace(last_line, error_text);\n",
+ "lineNumber": 46,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.set('Content-Type', 'text/plain');\n",
+ "lineNumber": 47,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.end(data);\n",
+ "lineNumber": 48,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 49,
+ "lineChange": "none"
+ },
+ {
+ "line": " );\n",
+ "lineNumber": 50,
+ "lineChange": "none"
+ },
+ {
+ "line": " dockerrunner.stdin.write(payload);\n",
+ "lineNumber": 51,
+ "lineChange": "none"
+ },
+ {
+ "line": " dockerrunner.stdin.destroy();\n",
+ "lineNumber": 52,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 53,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 54,
+ "lineChange": "none"
+ },
+ {
+ "line": "function readFile(name, callback) {\n",
+ "lineNumber": 55,
+ "lineChange": "none"
+ },
+ {
+ "line": " fs.readFile(name, 'utf8', function (err, data) {\n",
+ "lineNumber": 56,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (err) {\n",
+ "lineNumber": 57,
+ "lineChange": "none"
+ },
+ {
+ "line": " return console.log(err);\n",
+ "lineNumber": 58,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 59,
+ "lineChange": "none"
+ },
+ {
+ "line": " callback(data);\n",
+ "lineNumber": 60,
+ "lineChange": "none"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 61,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 62,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 63,
+ "lineChange": "none"
+ },
+ {
+ "line": "function outputFile(name, response) {\n",
+ "lineNumber": 64,
+ "lineChange": "none"
+ },
+ {
+ "line": " readFile(name, function (data) {\n",
+ "lineNumber": 65,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.set('Content-Type', 'text/plain');\n",
+ "lineNumber": 66,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.end(data);\n",
+ "lineNumber": 67,
+ "lineChange": "none"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 68,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 69,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 70,
+ "lineChange": "none"
+ },
+ {
+ "line": "function listDir(name, response) {\n",
+ "lineNumber": 71,
+ "lineChange": "none"
+ },
+ {
+ "line": " fs.readdir(name, function (err, items) {\n",
+ "lineNumber": 72,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.set('Content-Type', 'text/json');\n",
+ "lineNumber": 73,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.end(JSON.stringify({codes: items}));\n",
+ "lineNumber": 74,
+ "lineChange": "none"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 75,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 76,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 77,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.post('/api/fallback/',\n",
+ "lineNumber": 69,
+ "lineChange": "removed"
+ },
+ {
+ "line": "server.post('/api/fallback/', callDockerLimiter,\n",
+ "lineNumber": 78,
+ "lineChange": "added"
+ },
+ {
+ "line": " function (request, response) {\n",
+ "lineNumber": 79,
+ "lineChange": "none"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/SOSML/SOSML/commit/7e27f8b78d458f8ca8a4313730af19de6dc948a2?diff=split#diff-4e0d36557976efd053a8a93638c538d9c6530933aceca263867cd67b5ed9e5baL-1",
+ "lines": [
+ {
+ "line": "var callDockerLimiter = new RateLimit({\n",
+ "lineNumber": 24,
+ "lineChange": "added"
+ },
+ {
+ "line": " windowMs: 10*60*1000, // 1 hour window\n",
+ "lineNumber": 25,
+ "lineChange": "added"
+ },
+ {
+ "line": " delayAfter: 10, // begin slowing down responses after the first 10 requests\n",
+ "lineNumber": 26,
+ "lineChange": "added"
+ },
+ {
+ "line": " delayMs: 100, // slow down subsequent responses by 100 milliseconds per request\n",
+ "lineNumber": 27,
+ "lineChange": "added"
+ },
+ {
+ "line": " max: 50, // start blocking after 50 requests\n",
+ "lineNumber": 28,
+ "lineChange": "added"
+ },
+ {
+ "line": " message: \"Too many requests made from this IP, please try again in a few minutes\"\n",
+ "lineNumber": 29,
+ "lineChange": "added"
+ },
+ {
+ "line": "});\n",
+ "lineNumber": 30,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 31,
+ "lineChange": "added"
+ },
+ {
+ "line": "function evalSMLCode(payload, response) {\n",
+ "lineNumber": 32,
+ "lineChange": "none"
+ },
+ {
+ "line": " let dockerrunner = cmd.get(\n",
+ "lineNumber": 33,
+ "lineChange": "none"
+ },
+ {
+ "line": " 'docker run --cpus=1 --memory=128m --rm -i --read-only derjesko/mosmlfallback',\n",
+ "lineNumber": 34,
+ "lineChange": "none"
+ },
+ {
+ "line": " function (err, data, stderr) {\n",
+ "lineNumber": 35,
+ "lineChange": "none"
+ },
+ {
+ "line": " var last_line = data.split(/\\r?\\n/).pop();\n",
+ "lineNumber": 36,
+ "lineChange": "none"
+ },
+ {
+ "line": " var error_code = parseInt(last_line.substring(2));\n",
+ "lineNumber": 37,
+ "lineChange": "none"
+ },
+ {
+ "line": " error_text = '';\n",
+ "lineNumber": 38,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (error_code > 0) {\n",
+ "lineNumber": 39,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (error_code == 124) {\n",
+ "lineNumber": 40,
+ "lineChange": "none"
+ },
+ {
+ "line": " error_text = 'SML hit the time limit of 3 seconds.';\n",
+ "lineNumber": 41,
+ "lineChange": "none"
+ },
+ {
+ "line": " } else {\n",
+ "lineNumber": 42,
+ "lineChange": "none"
+ },
+ {
+ "line": " data = data.replace(last_line, 'SML exited with ' + error_code);\n",
+ "lineNumber": 43,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 44,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 45,
+ "lineChange": "none"
+ },
+ {
+ "line": " data = data.replace(last_line, error_text);\n",
+ "lineNumber": 46,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.set('Content-Type', 'text/plain');\n",
+ "lineNumber": 47,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.end(data);\n",
+ "lineNumber": 48,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 49,
+ "lineChange": "none"
+ },
+ {
+ "line": " );\n",
+ "lineNumber": 50,
+ "lineChange": "none"
+ },
+ {
+ "line": " dockerrunner.stdin.write(payload);\n",
+ "lineNumber": 51,
+ "lineChange": "none"
+ },
+ {
+ "line": " dockerrunner.stdin.destroy();\n",
+ "lineNumber": 52,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 53,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 54,
+ "lineChange": "none"
+ },
+ {
+ "line": "function readFile(name, callback) {\n",
+ "lineNumber": 55,
+ "lineChange": "none"
+ },
+ {
+ "line": " fs.readFile(name, 'utf8', function (err, data) {\n",
+ "lineNumber": 56,
+ "lineChange": "none"
+ },
+ {
+ "line": " if (err) {\n",
+ "lineNumber": 57,
+ "lineChange": "none"
+ },
+ {
+ "line": " return console.log(err);\n",
+ "lineNumber": 58,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 59,
+ "lineChange": "none"
+ },
+ {
+ "line": " callback(data);\n",
+ "lineNumber": 60,
+ "lineChange": "none"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 61,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 62,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 63,
+ "lineChange": "none"
+ },
+ {
+ "line": "function outputFile(name, response) {\n",
+ "lineNumber": 64,
+ "lineChange": "none"
+ },
+ {
+ "line": " readFile(name, function (data) {\n",
+ "lineNumber": 65,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.set('Content-Type', 'text/plain');\n",
+ "lineNumber": 66,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.end(data);\n",
+ "lineNumber": 67,
+ "lineChange": "none"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 68,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 69,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 70,
+ "lineChange": "none"
+ },
+ {
+ "line": "function listDir(name, response) {\n",
+ "lineNumber": 71,
+ "lineChange": "none"
+ },
+ {
+ "line": " fs.readdir(name, function (err, items) {\n",
+ "lineNumber": 72,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.set('Content-Type', 'text/json');\n",
+ "lineNumber": 73,
+ "lineChange": "none"
+ },
+ {
+ "line": " response.end(JSON.stringify({codes: items}));\n",
+ "lineNumber": 74,
+ "lineChange": "none"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 75,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\n",
+ "lineNumber": 76,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 77,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.post('/api/fallback/',\n",
+ "lineNumber": 69,
+ "lineChange": "none"
+ },
+ {
+ "line": " function (request, response) {\n",
+ "lineNumber": 79,
+ "lineChange": "none"
+ },
+ {
+ "line": " var payload = request.body.code;\n",
+ "lineNumber": 80,
+ "lineChange": "none"
+ },
+ {
+ "line": " evalSMLCode(payload, response);\n",
+ "lineNumber": 81,
+ "lineChange": "none"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 82,
+ "lineChange": "none"
+ },
+ {
+ "line": ");\n",
+ "lineNumber": 83,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 84,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.post('/api/validate/',\n",
+ "lineNumber": 76,
+ "lineChange": "removed"
+ },
+ {
+ "line": "server.post('/api/validate/', callDockerLimiter,\n",
+ "lineNumber": 85,
+ "lineChange": "added"
+ },
+ {
+ "line": " function (request, response) {\n",
+ "lineNumber": 86,
+ "lineChange": "none"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 27,
+ "cwe": [
+ "CWE-770"
+ ]
+ }
+ },
+ {
+ "id": "javascript/Ssrf",
+ "name": "Ssrf",
+ "shortDescription": {
+ "text": "Server-Side Request Forgery (SSRF)"
+ },
+ "defaultConfiguration": {
+ "level": "error"
+ },
+ "help": {
+ "markdown": "\n## Details\nIn a server-side request forgery attack, a malicious user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.\n\n## Best practices for prevention\n* Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.\n* Use authentication even within your own network to prevent exploitation of server-side requests.\n* Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.\n* Ideally, avoid sending server requests based on user-provided data altogether.\n* Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.\n* Disable suspect and exploitable URL schemas. Common culprits include obscure and little-used schemas such as `file://`, `dict://`, `ftp://`, and `gopher://`.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "Ssrf",
+ "Security",
+ "SourceHttpBody",
+ "Taint"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/brislink/specter/commit/2b9c8046b4b1670e76011dad9c23dc67884f310a?diff=split#diff-b82186eeba82312da558b62cb554e48a69ad2768b38736aed0640d42fa7230a1L-1",
+ "lines": [
+ {
+ "line": "\n",
+ "lineNumber": 6,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\n",
+ "lineNumber": 12,
+ "lineChange": "none"
+ },
+ {
+ "line": "\trequest(headers,function(error,response,body){\t\t\n",
+ "lineNumber": 13,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\t\t\n",
+ "lineNumber": 14,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\n",
+ "lineNumber": 15,
+ "lineChange": "removed"
+ },
+ {
+ "line": " var resultCount = paginationSize - 1;\n",
+ "lineNumber": 16,
+ "lineChange": "removed"
+ },
+ {
+ "line": " var results = body.hits;\n",
+ "lineNumber": 17,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 18,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\tif(results.hits.length===0) return res.send(404);\n",
+ "lineNumber": 19,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\tvar total = body.hits.hits.length;\n",
+ "lineNumber": 20,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\tvar common = {\n",
+ "lineNumber": 21,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\t\n",
+ "lineNumber": 22,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\tdata : results.hits.slice(0,resultCount),\n",
+ "lineNumber": 23,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\tpageNo : pageNo,\n",
+ "lineNumber": 24,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\ttotal: total,\n",
+ "lineNumber": 25,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\tpreferences : preferences,\n",
+ "lineNumber": 26,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\tindex: preferences.tagIndex\n",
+ "lineNumber": 27,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t};\n",
+ "lineNumber": 28,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\n",
+ "lineNumber": 29,
+ "lineChange": "removed"
+ },
+ {
+ "line": " var dataToRender = helpers.buildResponse(common);\n",
+ "lineNumber": 30,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\tdataToRender.tag = tag;\n",
+ "lineNumber": 31,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\treturn res.render(constants.views.tagResults,dataToRender);\n",
+ "lineNumber": 32,
+ "lineChange": "removed"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 33,
+ "lineChange": "removed"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/IoTKETI/Mobius/commit/df05de87c5d8c6f5f8625558c02e57b3260cf361?diff=split#diff-9c349b5d37e276e7b4ed18ad832fbe3772d2135fbca2d6dde6861d8cebb7a842L-1",
+ "lines": [
+ {
+ "line": " else if(usesecure === 'enable') {\n",
+ "lineNumber": 230,
+ "lineChange": "none"
+ },
+ {
+ "line": " options = {\n",
+ "lineNumber": 229,
+ "lineChange": "removed"
+ },
+ {
+ "line": " hostname: usecoapcbhost,\n",
+ "lineNumber": 230,
+ "lineChange": "removed"
+ },
+ {
+ "line": " port: usecsebaseport,\n",
+ "lineNumber": 231,
+ "lineChange": "removed"
+ },
+ {
+ "line": " path: request.url,\n",
+ "lineNumber": 232,
+ "lineChange": "removed"
+ },
+ {
+ "line": " method: request.method,\n",
+ "lineNumber": 233,
+ "lineChange": "removed"
+ },
+ {
+ "line": " headers: headers,\n",
+ "lineNumber": 234,
+ "lineChange": "removed"
+ },
+ {
+ "line": " ca: fs.readFileSync('ca-crt.pem')\n",
+ "lineNumber": 235,
+ "lineChange": "removed"
+ },
+ {
+ "line": " };\n",
+ "lineNumber": 236,
+ "lineChange": "removed"
+ },
+ {
+ "line": " options.ca = fs.readFileSync('ca-crt.pem');\n",
+ "lineNumber": 231,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 237,
+ "lineChange": "none"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 2,
+ "cwe": [
+ "CWE-918"
+ ]
+ }
+ },
+ {
+ "id": "javascript/NoHardcodedPasswords",
+ "name": "NoHardcodedPasswords",
+ "shortDescription": {
+ "text": "Use of Hardcoded Credentials"
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "help": {
+ "markdown": "\n## Details\n\nDevelopers may use hardcoded credentials for convenience when coding in order to simplify their workflow. While they are responsible for removing these before production, occasionally this task may fall through the cracks. This also becomes a maintenance challenge when credentials are re-used across multiple applications.\n\nOnce attackers gain access, they may take advantage of privilege level to remove or alter data, take down a site or app, or hold any of the above for ransom. The risk across multiple similar projects is even greater. If code containing the credentials is reused across multiple projects, they will all be compromised.\n\n## Best practices for prevention\n* Plan software architecture such that keys and passwords are always stored outside the code, wherever possible.\n* Plan encryption into software architecture for all credential information and ensure proper handling of keys, credentials, and passwords.\n* Prompt for a secure password on first login rather than hard-code a default password.\n* If a hardcoded password or credential must be used, limit its use, for example, to system console users rather than via the network.\n* Use strong hashes for inbound password authentication, ideally with randomly assigned salts to increase the difficulty level in case of brute-force attack.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "NoHardcodedPasswords",
+ "Security"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/MosheWorld/Teacher-Student-Backend/commit/8578b6d9666996ebbfeffc058b22ef076bb856ba?diff=split#diff-0d543c6db9caf085d6e9f704ed0a1ec6baf47092768cfcb746a3e42266d83672L-1",
+ "lines": [
+ {
+ "line": "user: 'studyhubemail@gmail.com',\n",
+ "lineNumber": 23,
+ "lineChange": "removed"
+ },
+ {
+ "line": "pass: 'nuaheuvhpv'\n",
+ "lineNumber": 24,
+ "lineChange": "removed"
+ },
+ {
+ "line": "user: process.env.EMAIL_USERNAME,\n",
+ "lineNumber": 23,
+ "lineChange": "added"
+ },
+ {
+ "line": "pass: process.env.EMAIL_PASSWORD\n",
+ "lineNumber": 24,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/huluoyang/freecodecamp.cn/commit/277a09a3c3062263b61fb0bf02e17fd2be8ccb79?diff=split#diff-407d92ccd5a2b9275fe28f063fc49fbbedf9a87cfa6a1c3b8c72ce4b86858787L-1",
+ "lines": [
+ {
+ "line": "user: 'huluoyang@gmail.com',\n",
+ "lineNumber": 12,
+ "lineChange": "removed"
+ },
+ {
+ "line": "pass: 'nopainnogain'\n",
+ "lineNumber": 13,
+ "lineChange": "removed"
+ },
+ {
+ "line": "user: process.env.MANDRILL_USER || false,\n",
+ "lineNumber": 13,
+ "lineChange": "added"
+ },
+ {
+ "line": "pass: process.env.MANDRILL_PASSWORD\n",
+ "lineNumber": 14,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/tubackkhoa/tkframework/commit/0ac0f7964f71d71d3930e554cbaf928f39f4540f?diff=split#diff-ad73f37992e2c25b9ad0d945783289cbf65b92741918fabea31bfe5b9de96688L-1",
+ "lines": [
+ {
+ "line": "password: \"abc123ABC\",\n",
+ "lineNumber": 15,
+ "lineChange": "removed"
+ },
+ {
+ "line": "password: process.env.DB_PASS,\n",
+ "lineNumber": 15,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 44,
+ "cwe": [
+ "CWE-798",
+ "CWE-259"
+ ]
+ }
+ },
+ {
+ "id": "javascript/NoSqli",
+ "name": "NoSqli",
+ "shortDescription": {
+ "text": "NoSQL Injection"
+ },
+ "defaultConfiguration": {
+ "level": "error"
+ },
+ "help": {
+ "markdown": "## Details\n\nIn an NoSQL injection attack, the user can submit an NoSQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other systems within the network. This is one of the most commonly exploited categories of vulnerability, but can largely be avoided through good coding practices.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "NoSqli",
+ "Security",
+ "SourceServer",
+ "SourceHttpBody",
+ "Taint"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/txwkx/book-room/commit/07d49f6d24577b1cc1f7374cd8156aba894ab481?diff=split#diff-386f21d62bc9118d346e66a9ea781c22cb0570a51656f80313d829b3a47eaeefL-1",
+ "lines": [
+ {
+ "line": "const mongoose = require('mongoose');\n",
+ "lineNumber": 1,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 2,
+ "lineChange": "removed"
+ },
+ {
+ "line": "//Model\n",
+ "lineNumber": 3,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const roomSchema = new mongoose.Schema({ name: String, title: String });\n",
+ "lineNumber": 4,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const Room = mongoose.model('Room', roomSchema);\n",
+ "lineNumber": 5,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const mongoose = require('mongoose'),\n",
+ "lineNumber": 1,
+ "lineChange": "added"
+ },
+ {
+ "line": " ObjectId = mongoose.Types.ObjectId;\n",
+ "lineNumber": 2,
+ "lineChange": "added"
+ },
+ {
+ "line": "const room = require('./models/roomModel');\n",
+ "lineNumber": 3,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 6,
+ "lineChange": "none"
+ },
+ {
+ "line": "const roomRouter = express.Router();\n",
+ "lineNumber": 7,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 8,
+ "lineChange": "none"
+ },
+ {
+ "line": "roomRouter.get('/', (req, res) => {\n",
+ "lineNumber": 9,
+ "lineChange": "none"
+ },
+ {
+ "line": " let query = {};\n",
+ "lineNumber": 10,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 11,
+ "lineChange": "none"
+ },
+ {
+ "line": " Room.find(query, (err, rooms) => {\n",
+ "lineNumber": 12,
+ "lineChange": "none"
+ },
+ {
+ "line": " if(err) res.status(500).send(err);\n",
+ "lineNumber": 13,
+ "lineChange": "none"
+ },
+ {
+ "line": " else res.json(rooms);\n",
+ "lineNumber": 14,
+ "lineChange": "none"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 15,
+ "lineChange": "none"
+ },
+ {
+ "line": "});\n",
+ "lineNumber": 16,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 17,
+ "lineChange": "none"
+ },
+ {
+ "line": "roomRouter.get('/:id', (req, res) => {\n",
+ "lineNumber": 18,
+ "lineChange": "none"
+ },
+ {
+ "line": " Room.findById(req.params.id, (err, room) => {\n",
+ "lineNumber": 19,
+ "lineChange": "removed"
+ },
+ {
+ "line": " const roomId = ObjectId(req.params.id);\n",
+ "lineNumber": 17,
+ "lineChange": "added"
+ },
+ {
+ "line": " room.findById(roomId, (err, room) => {\n",
+ "lineNumber": 18,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/dnbard/brackets-extension-rating/commit/5005713d903d0f72e9166c852114ee2731b832b1?diff=split#diff-47f1ac8221ebff697d20f61a182c8c58ae0cfdb152ce1fa2f74e322f451d4ae6L-1",
+ "lines": [
+ {
+ "line": " Extension.findOne({_id: id}, function(err, extension){\n",
+ "lineNumber": 21,
+ "lineChange": "removed"
+ },
+ {
+ "line": " if (err){\n",
+ "lineNumber": 22,
+ "lineChange": "removed"
+ },
+ {
+ "line": " res.status(500).send(err);\n",
+ "lineNumber": 23,
+ "lineChange": "removed"
+ },
+ {
+ "line": " } else if (!extension){\n",
+ "lineNumber": 24,
+ "lineChange": "removed"
+ },
+ {
+ "line": " res.status(404).send(extension);\n",
+ "lineNumber": 25,
+ "lineChange": "removed"
+ },
+ {
+ "line": " } else {\n",
+ "lineNumber": 26,
+ "lineChange": "removed"
+ },
+ {
+ "line": " if (typeof id !== 'string'){\n",
+ "lineNumber": 23,
+ "lineChange": "added"
+ },
+ {
+ "line": " res.status(422).send();\n",
+ "lineNumber": 24,
+ "lineChange": "added"
+ },
+ {
+ "line": " return;\n",
+ "lineNumber": 25,
+ "lineChange": "added"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 26,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 27,
+ "lineChange": "added"
+ },
+ {
+ "line": " if (!registry){\n",
+ "lineNumber": 28,
+ "lineChange": "added"
+ },
+ {
+ "line": " res.status(500).send('Registry is not available');\n",
+ "lineNumber": 29,
+ "lineChange": "added"
+ },
+ {
+ "line": " return;\n",
+ "lineNumber": 30,
+ "lineChange": "added"
+ },
+ {
+ "line": " }\n",
+ "lineNumber": 31,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 32,
+ "lineChange": "added"
+ },
+ {
+ "line": " extension = _.filter(registry, function(el){\n",
+ "lineNumber": 33,
+ "lineChange": "added"
+ },
+ {
+ "line": " return el._id === id;\n",
+ "lineNumber": 34,
+ "lineChange": "added"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 35,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 36,
+ "lineChange": "added"
+ },
+ {
+ "line": " if (extension){\n",
+ "lineNumber": 37,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/lydiahallie/CodeBuddy/commit/833bc261d0ea3d8bc879aef9e56819907523eef0?diff=split#diff-7b34d6d0aa663ac1e8442aee4f25c59ced93612f5b90c5fe6279ad48c7df1001L-1",
+ "lines": [
+ {
+ "line": "const author = await User.findOne({ _id: currentUser._id });\n",
+ "lineNumber": 23,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const recipient = await User.findOne({ _id: user._id });\n",
+ "lineNumber": 24,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const author = await User.findOne({ _id: req.user._id });\n",
+ "lineNumber": 25,
+ "lineChange": "added"
+ },
+ {
+ "line": "const recipient = await User.findOne({ _id: id });\n",
+ "lineNumber": 26,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 9,
+ "cwe": [
+ "CWE-943"
+ ]
+ }
+ },
+ {
+ "id": "javascript/HardcodedSecret/test",
+ "name": "HardcodedSecret/test",
+ "shortDescription": {
+ "text": "Hardcoded Secret"
+ },
+ "defaultConfiguration": {
+ "level": "note"
+ },
+ "help": {
+ "markdown": "## Details\n\nWhen constants are hardcoded into applications, this information could easily be reverse-engineered and become known to attackers. For example, if a breached authentication token is hardcoded in multiple places in the application, it may lead to components of the application remaining vulnerable if not all instances are changed.\nAnother negative effect of hard-coding constants is potential unpredictability in the application's performance if the development team fails to update every single instance of the hardcoded constant throughout the code. For these reasons, hard-coding security-relevant constants is considered bad coding practice and should be remedied if present and avoided in future.\n\n## Best practices for prevention\n- Never hard code security-related constants; use symbolic names or configuration lookup files.\n- As hard coding is often done by coders working alone on a small scale, examine all legacy code components and test carefully when scaling.\n- Adopt a \"future-proof code\" mindset: While use of constants may save a little time now and make development simpler in the short term, it could cost time and money adapting to scale or other unforeseen circumstances (such as new hardware) in the future.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "HardcodedSecret",
+ "Security",
+ "InTest"
+ ],
+ "categories": [
+ "Security",
+ "InTest"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/ridoy/Monk/commit/d702fedf42ebc197c9131a09918affb6adb396ad?diff=split#diff-d20e0c91f722f4a7eb0a8a7dfa4d7799aa292685d66aaeb37f3122ff3594fefdL-1",
+ "lines": [
+ {
+ "line": "}, 'SECRET');\n",
+ "lineNumber": 41,
+ "lineChange": "removed"
+ },
+ {
+ "line": "}, process.env.SECRET);\n",
+ "lineNumber": 41,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/xiaoshan5733/cms/commit/da6178e57541766a84406b42d526a18b72704180?diff=split#diff-a21b912911c328c339d5f819be1e95f0973d6fdf93c1e8f29ff9bb2fbe9933e4L-1",
+ "lines": [
+ {
+ "line": "data = jwt.verify(token, 'cms')\n",
+ "lineNumber": 54,
+ "lineChange": "removed"
+ },
+ {
+ "line": "data = jwt.verify(token, config.jwt.secret)\n",
+ "lineNumber": 54,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/sidewalklabs/commonspace/commit/32f2996ef0daad6eadab6ac8dacef8cd68048704?diff=split#diff-8a8ae07582c9d433ec8c2e5c4310ff8901e604f4965c5b90a49117ad46c47595L-1",
+ "lines": [
+ {
+ "line": "const token = jwt.sign(user, 'secret');\n",
+ "lineNumber": 50,
+ "lineChange": "removed"
+ },
+ {
+ "line": "return res.json({user, token});\n",
+ "lineNumber": 51,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const token = jwt.sign(user, process.env.jwt_secret);\n",
+ "lineNumber": 53,
+ "lineChange": "added"
+ },
+ {
+ "line": "return res.json({token});\n",
+ "lineNumber": 54,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 60,
+ "cwe": [
+ "CWE-547"
+ ]
+ }
+ },
+ {
+ "id": "javascript/JwtDecodeMethod",
+ "name": "JwtDecodeMethod",
+ "shortDescription": {
+ "text": "Insecure JWT Verification Method"
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "help": {
+ "markdown": "## Details\n\nSome JSON Web Token (JWT) parse/decode methods do not enforce validation or integrity checks of the JWT. If an application relies on these methods to authenticate users, an attacker could create arbitrary JWTs that may be accepted by the application.\n\n### Best practices for prevention\n\n- Always enforce JWT signature verification by using safe verification methods to ensure the structure and integrity of the JWT is validated before processing.\n\n## Best practices for prevention\n* [JWT Validation](https://auth0.com/docs/secure/tokens/json-web-tokens/validate-json-web-tokens)",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "JwtDecodeMethod",
+ "Security"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 0,
+ "cwe": [
+ "CWE-347"
+ ]
+ }
+ },
+ {
+ "id": "javascript/HardcodedNonCryptoSecret",
+ "name": "HardcodedNonCryptoSecret",
+ "shortDescription": {
+ "text": "Hardcoded Secret"
+ },
+ "defaultConfiguration": {
+ "level": "error"
+ },
+ "help": {
+ "markdown": "## Details\n\nWhen constants are hardcoded into applications, this information could easily be reverse-engineered and become known to attackers. For example, if a breached authentication token is hardcoded in multiple places in the application, it may lead to components of the application remaining vulnerable if not all instances are changed.\nAnother negative effect of hard-coding constants is potential unpredictability in the application's performance if the development team fails to update every single instance of the hardcoded constant throughout the code. For these reasons, hard-coding security-relevant constants is considered bad coding practice and should be remedied if present and avoided in future.\n\n## Best practices for prevention\n- Never hard code security-related constants; use symbolic names or configuration lookup files.\n- As hard coding is often done by coders working alone on a small scale, examine all legacy code components and test carefully when scaling.\n- Adopt a \"future-proof code\" mindset: While use of constants may save a little time now and make development simpler in the short term, it could cost time and money adapting to scale or other unforeseen circumstances (such as new hardware) in the future.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "HardcodedNonCryptoSecret",
+ "Security"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/DanielMil/Authentication-Server/commit/310ce5500e9e751ee2fd9f3018bf772e9aae8364?diff=split#diff-dcdc3e0b3362edb8fec2a51d3fa51f8fb8af8f70247e06d9887fa934834c9122L-1",
+ "lines": [
+ {
+ "line": "// Set environment variables\n",
+ "lineNumber": 14,
+ "lineChange": "added"
+ },
+ {
+ "line": "const sessionSecret: any = process.env.SESSION_SECRET;\n",
+ "lineNumber": 15,
+ "lineChange": "added"
+ },
+ {
+ "line": "const dbConnection: any = process.env.MONGO_URI; \n",
+ "lineNumber": 16,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 17,
+ "lineChange": "added"
+ },
+ {
+ "line": "// Mongo config\n",
+ "lineNumber": 18,
+ "lineChange": "none"
+ },
+ {
+ "line": "const DB_CONNECTION: any = process.env.MONGO_URI; \n",
+ "lineNumber": 15,
+ "lineChange": "none"
+ },
+ {
+ "line": "mongoose.connect(DB_CONNECTION, { useNewUrlParser: true })\n",
+ "lineNumber": 16,
+ "lineChange": "none"
+ },
+ {
+ "line": " .then(() => console.log(\"Succesfully connected to MongoDB.\"))\n",
+ "lineNumber": 20,
+ "lineChange": "none"
+ },
+ {
+ "line": " .catch((err: mongoose.Error) => console.error(err));\n",
+ "lineNumber": 21,
+ "lineChange": "none"
+ },
+ {
+ "line": "const MongoStore = mongoStore(session); \n",
+ "lineNumber": 22,
+ "lineChange": "none"
+ },
+ {
+ "line": "const db: any = mongoose.connection;\n",
+ "lineNumber": 23,
+ "lineChange": "none"
+ },
+ {
+ "line": " \n",
+ "lineNumber": 24,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Fix mongo deprecation warnings\n",
+ "lineNumber": 25,
+ "lineChange": "none"
+ },
+ {
+ "line": "mongoose.set('useNewUrlParser', true);\n",
+ "lineNumber": 26,
+ "lineChange": "none"
+ },
+ {
+ "line": "mongoose.set('useFindAndModify', false);\n",
+ "lineNumber": 27,
+ "lineChange": "none"
+ },
+ {
+ "line": "mongoose.set('useCreateIndex', true);\n",
+ "lineNumber": 28,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 29,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Configure express session\n",
+ "lineNumber": 30,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(cookieParser());\n",
+ "lineNumber": 31,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(session({\n",
+ "lineNumber": 32,
+ "lineChange": "none"
+ },
+ {
+ "line": " secret: \"secret\",\n",
+ "lineNumber": 30,
+ "lineChange": "removed"
+ },
+ {
+ "line": " secret: sessionSecret,\n",
+ "lineNumber": 33,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/virena-app/virena/commit/8058527e8ef71bfa81f0cb0fb35eb80d00e08fdb?diff=split#diff-186488e26aa960d29fec244ac086f15e024c5a84df47eeba233d9b8d2525de2dL-1",
+ "lines": [
+ {
+ "line": "client_id: '8fcf3e5c2d3d5dd78188',\n",
+ "lineNumber": 36,
+ "lineChange": "removed"
+ },
+ {
+ "line": "client_secret: '0e102c56021e1aa28005b469b3c83ef7cb7e5b0e'\n",
+ "lineNumber": 37,
+ "lineChange": "removed"
+ },
+ {
+ "line": "client_id: process.env.GITINIT,\n",
+ "lineNumber": 36,
+ "lineChange": "added"
+ },
+ {
+ "line": "client_secret: process.env.GITSEE\n",
+ "lineNumber": 37,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/nemtech/nem2-library-js/commit/dd101718759035849eeb9d4a388656acdb5bf6d9?diff=split#diff-59ccc41578f07869060f7aea9ceca193a407696cce3de9f7219f98187f65c5b7L-1",
+ "lines": [
+ {
+ "line": "const hash = sha3_512.create();\n",
+ "lineNumber": 29,
+ "lineChange": "removed"
+ },
+ {
+ "line": "hash.update('secret');\n",
+ "lineNumber": 30,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const hash = new Ripemd160().update(Buffer.from('Test Hash 160')).digest('Hex');\t\t\n",
+ "lineNumber": 31,
+ "lineChange": "added"
+ },
+ {
+ "line": "const secretLockTransaction = {\n",
+ "lineNumber": 32,
+ "lineChange": "none"
+ },
+ {
+ "line": "\tdeadline: deadline(),\n",
+ "lineNumber": 33,
+ "lineChange": "none"
+ },
+ {
+ "line": "\tmosaicId: [3646934825, 3576016193],\n",
+ "lineNumber": 34,
+ "lineChange": "none"
+ },
+ {
+ "line": "\tmosaicAmount: uint64.fromUint(10000000),\n",
+ "lineNumber": 35,
+ "lineChange": "none"
+ },
+ {
+ "line": "\tduration: uint64.fromUint(100),\n",
+ "lineNumber": 36,
+ "lineChange": "none"
+ },
+ {
+ "line": "\thashAlgorithm: 0,\n",
+ "lineNumber": 36,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\tsecret: '225fe6d12b73a7d51f2992ce82951dbf8c173fa4',\n",
+ "lineNumber": 37,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\thashAlgorithm: HashAlgorithm.RIPEMD_160,\n",
+ "lineNumber": 37,
+ "lineChange": "added"
+ },
+ {
+ "line": "\tsecret: hash,\n",
+ "lineNumber": 38,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 68,
+ "cwe": [
+ "CWE-547"
+ ]
+ }
+ },
+ {
+ "id": "javascript/HardcodedSecret",
+ "name": "HardcodedSecret",
+ "shortDescription": {
+ "text": "Hardcoded Secret"
+ },
+ "defaultConfiguration": {
+ "level": "error"
+ },
+ "help": {
+ "markdown": "## Details\n\nWhen constants are hardcoded into applications, this information could easily be reverse-engineered and become known to attackers. For example, if a breached authentication token is hardcoded in multiple places in the application, it may lead to components of the application remaining vulnerable if not all instances are changed.\nAnother negative effect of hard-coding constants is potential unpredictability in the application's performance if the development team fails to update every single instance of the hardcoded constant throughout the code. For these reasons, hard-coding security-relevant constants is considered bad coding practice and should be remedied if present and avoided in future.\n\n## Best practices for prevention\n- Never hard code security-related constants; use symbolic names or configuration lookup files.\n- As hard coding is often done by coders working alone on a small scale, examine all legacy code components and test carefully when scaling.\n- Adopt a \"future-proof code\" mindset: While use of constants may save a little time now and make development simpler in the short term, it could cost time and money adapting to scale or other unforeseen circumstances (such as new hardware) in the future.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "HardcodedSecret",
+ "Security"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/ridoy/Monk/commit/d702fedf42ebc197c9131a09918affb6adb396ad?diff=split#diff-d20e0c91f722f4a7eb0a8a7dfa4d7799aa292685d66aaeb37f3122ff3594fefdL-1",
+ "lines": [
+ {
+ "line": "}, 'SECRET');\n",
+ "lineNumber": 41,
+ "lineChange": "removed"
+ },
+ {
+ "line": "}, process.env.SECRET);\n",
+ "lineNumber": 41,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/xiaoshan5733/cms/commit/da6178e57541766a84406b42d526a18b72704180?diff=split#diff-a21b912911c328c339d5f819be1e95f0973d6fdf93c1e8f29ff9bb2fbe9933e4L-1",
+ "lines": [
+ {
+ "line": "data = jwt.verify(token, 'cms')\n",
+ "lineNumber": 54,
+ "lineChange": "removed"
+ },
+ {
+ "line": "data = jwt.verify(token, config.jwt.secret)\n",
+ "lineNumber": 54,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/sidewalklabs/commonspace/commit/32f2996ef0daad6eadab6ac8dacef8cd68048704?diff=split#diff-8a8ae07582c9d433ec8c2e5c4310ff8901e604f4965c5b90a49117ad46c47595L-1",
+ "lines": [
+ {
+ "line": "const token = jwt.sign(user, 'secret');\n",
+ "lineNumber": 50,
+ "lineChange": "removed"
+ },
+ {
+ "line": "return res.json({user, token});\n",
+ "lineNumber": 51,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const token = jwt.sign(user, process.env.jwt_secret);\n",
+ "lineNumber": 53,
+ "lineChange": "added"
+ },
+ {
+ "line": "return res.json({token});\n",
+ "lineNumber": 54,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 60,
+ "cwe": [
+ "CWE-547"
+ ]
+ }
+ },
+ {
+ "id": "javascript/HardcodedNonCryptoSecret/test",
+ "name": "HardcodedNonCryptoSecret/test",
+ "shortDescription": {
+ "text": "Hardcoded Secret"
+ },
+ "defaultConfiguration": {
+ "level": "note"
+ },
+ "help": {
+ "markdown": "## Details\n\nWhen constants are hardcoded into applications, this information could easily be reverse-engineered and become known to attackers. For example, if a breached authentication token is hardcoded in multiple places in the application, it may lead to components of the application remaining vulnerable if not all instances are changed.\nAnother negative effect of hard-coding constants is potential unpredictability in the application's performance if the development team fails to update every single instance of the hardcoded constant throughout the code. For these reasons, hard-coding security-relevant constants is considered bad coding practice and should be remedied if present and avoided in future.\n\n## Best practices for prevention\n- Never hard code security-related constants; use symbolic names or configuration lookup files.\n- As hard coding is often done by coders working alone on a small scale, examine all legacy code components and test carefully when scaling.\n- Adopt a \"future-proof code\" mindset: While use of constants may save a little time now and make development simpler in the short term, it could cost time and money adapting to scale or other unforeseen circumstances (such as new hardware) in the future.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "HardcodedNonCryptoSecret",
+ "Security",
+ "InTest"
+ ],
+ "categories": [
+ "Security",
+ "InTest"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/DanielMil/Authentication-Server/commit/310ce5500e9e751ee2fd9f3018bf772e9aae8364?diff=split#diff-dcdc3e0b3362edb8fec2a51d3fa51f8fb8af8f70247e06d9887fa934834c9122L-1",
+ "lines": [
+ {
+ "line": "// Set environment variables\n",
+ "lineNumber": 14,
+ "lineChange": "added"
+ },
+ {
+ "line": "const sessionSecret: any = process.env.SESSION_SECRET;\n",
+ "lineNumber": 15,
+ "lineChange": "added"
+ },
+ {
+ "line": "const dbConnection: any = process.env.MONGO_URI; \n",
+ "lineNumber": 16,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 17,
+ "lineChange": "added"
+ },
+ {
+ "line": "// Mongo config\n",
+ "lineNumber": 18,
+ "lineChange": "none"
+ },
+ {
+ "line": "const DB_CONNECTION: any = process.env.MONGO_URI; \n",
+ "lineNumber": 15,
+ "lineChange": "none"
+ },
+ {
+ "line": "mongoose.connect(DB_CONNECTION, { useNewUrlParser: true })\n",
+ "lineNumber": 16,
+ "lineChange": "none"
+ },
+ {
+ "line": " .then(() => console.log(\"Succesfully connected to MongoDB.\"))\n",
+ "lineNumber": 20,
+ "lineChange": "none"
+ },
+ {
+ "line": " .catch((err: mongoose.Error) => console.error(err));\n",
+ "lineNumber": 21,
+ "lineChange": "none"
+ },
+ {
+ "line": "const MongoStore = mongoStore(session); \n",
+ "lineNumber": 22,
+ "lineChange": "none"
+ },
+ {
+ "line": "const db: any = mongoose.connection;\n",
+ "lineNumber": 23,
+ "lineChange": "none"
+ },
+ {
+ "line": " \n",
+ "lineNumber": 24,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Fix mongo deprecation warnings\n",
+ "lineNumber": 25,
+ "lineChange": "none"
+ },
+ {
+ "line": "mongoose.set('useNewUrlParser', true);\n",
+ "lineNumber": 26,
+ "lineChange": "none"
+ },
+ {
+ "line": "mongoose.set('useFindAndModify', false);\n",
+ "lineNumber": 27,
+ "lineChange": "none"
+ },
+ {
+ "line": "mongoose.set('useCreateIndex', true);\n",
+ "lineNumber": 28,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 29,
+ "lineChange": "none"
+ },
+ {
+ "line": "// Configure express session\n",
+ "lineNumber": 30,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(cookieParser());\n",
+ "lineNumber": 31,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(session({\n",
+ "lineNumber": 32,
+ "lineChange": "none"
+ },
+ {
+ "line": " secret: \"secret\",\n",
+ "lineNumber": 30,
+ "lineChange": "removed"
+ },
+ {
+ "line": " secret: sessionSecret,\n",
+ "lineNumber": 33,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/virena-app/virena/commit/8058527e8ef71bfa81f0cb0fb35eb80d00e08fdb?diff=split#diff-186488e26aa960d29fec244ac086f15e024c5a84df47eeba233d9b8d2525de2dL-1",
+ "lines": [
+ {
+ "line": "client_id: '8fcf3e5c2d3d5dd78188',\n",
+ "lineNumber": 36,
+ "lineChange": "removed"
+ },
+ {
+ "line": "client_secret: '0e102c56021e1aa28005b469b3c83ef7cb7e5b0e'\n",
+ "lineNumber": 37,
+ "lineChange": "removed"
+ },
+ {
+ "line": "client_id: process.env.GITINIT,\n",
+ "lineNumber": 36,
+ "lineChange": "added"
+ },
+ {
+ "line": "client_secret: process.env.GITSEE\n",
+ "lineNumber": 37,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/nemtech/nem2-library-js/commit/dd101718759035849eeb9d4a388656acdb5bf6d9?diff=split#diff-59ccc41578f07869060f7aea9ceca193a407696cce3de9f7219f98187f65c5b7L-1",
+ "lines": [
+ {
+ "line": "const hash = sha3_512.create();\n",
+ "lineNumber": 29,
+ "lineChange": "removed"
+ },
+ {
+ "line": "hash.update('secret');\n",
+ "lineNumber": 30,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const hash = new Ripemd160().update(Buffer.from('Test Hash 160')).digest('Hex');\t\t\n",
+ "lineNumber": 31,
+ "lineChange": "added"
+ },
+ {
+ "line": "const secretLockTransaction = {\n",
+ "lineNumber": 32,
+ "lineChange": "none"
+ },
+ {
+ "line": "\tdeadline: deadline(),\n",
+ "lineNumber": 33,
+ "lineChange": "none"
+ },
+ {
+ "line": "\tmosaicId: [3646934825, 3576016193],\n",
+ "lineNumber": 34,
+ "lineChange": "none"
+ },
+ {
+ "line": "\tmosaicAmount: uint64.fromUint(10000000),\n",
+ "lineNumber": 35,
+ "lineChange": "none"
+ },
+ {
+ "line": "\tduration: uint64.fromUint(100),\n",
+ "lineNumber": 36,
+ "lineChange": "none"
+ },
+ {
+ "line": "\thashAlgorithm: 0,\n",
+ "lineNumber": 36,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\tsecret: '225fe6d12b73a7d51f2992ce82951dbf8c173fa4',\n",
+ "lineNumber": 37,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\thashAlgorithm: HashAlgorithm.RIPEMD_160,\n",
+ "lineNumber": 37,
+ "lineChange": "added"
+ },
+ {
+ "line": "\tsecret: hash,\n",
+ "lineNumber": 38,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 68,
+ "cwe": [
+ "CWE-547"
+ ]
+ }
+ },
+ {
+ "id": "javascript/NoHardcodedPasswords/test",
+ "name": "NoHardcodedPasswords/test",
+ "shortDescription": {
+ "text": "Use of Hardcoded Credentials"
+ },
+ "defaultConfiguration": {
+ "level": "note"
+ },
+ "help": {
+ "markdown": "\n## Details\n\nDevelopers may use hardcoded credentials for convenience when coding in order to simplify their workflow. While they are responsible for removing these before production, occasionally this task may fall through the cracks. This also becomes a maintenance challenge when credentials are re-used across multiple applications.\n\nOnce attackers gain access, they may take advantage of privilege level to remove or alter data, take down a site or app, or hold any of the above for ransom. The risk across multiple similar projects is even greater. If code containing the credentials is reused across multiple projects, they will all be compromised.\n\n## Best practices for prevention\n* Plan software architecture such that keys and passwords are always stored outside the code, wherever possible.\n* Plan encryption into software architecture for all credential information and ensure proper handling of keys, credentials, and passwords.\n* Prompt for a secure password on first login rather than hard-code a default password.\n* If a hardcoded password or credential must be used, limit its use, for example, to system console users rather than via the network.\n* Use strong hashes for inbound password authentication, ideally with randomly assigned salts to increase the difficulty level in case of brute-force attack.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "NoHardcodedPasswords",
+ "Security",
+ "InTest"
+ ],
+ "categories": [
+ "Security",
+ "InTest"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/MosheWorld/Teacher-Student-Backend/commit/8578b6d9666996ebbfeffc058b22ef076bb856ba?diff=split#diff-0d543c6db9caf085d6e9f704ed0a1ec6baf47092768cfcb746a3e42266d83672L-1",
+ "lines": [
+ {
+ "line": "user: 'studyhubemail@gmail.com',\n",
+ "lineNumber": 23,
+ "lineChange": "removed"
+ },
+ {
+ "line": "pass: 'nuaheuvhpv'\n",
+ "lineNumber": 24,
+ "lineChange": "removed"
+ },
+ {
+ "line": "user: process.env.EMAIL_USERNAME,\n",
+ "lineNumber": 23,
+ "lineChange": "added"
+ },
+ {
+ "line": "pass: process.env.EMAIL_PASSWORD\n",
+ "lineNumber": 24,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/huluoyang/freecodecamp.cn/commit/277a09a3c3062263b61fb0bf02e17fd2be8ccb79?diff=split#diff-407d92ccd5a2b9275fe28f063fc49fbbedf9a87cfa6a1c3b8c72ce4b86858787L-1",
+ "lines": [
+ {
+ "line": "user: 'huluoyang@gmail.com',\n",
+ "lineNumber": 12,
+ "lineChange": "removed"
+ },
+ {
+ "line": "pass: 'nopainnogain'\n",
+ "lineNumber": 13,
+ "lineChange": "removed"
+ },
+ {
+ "line": "user: process.env.MANDRILL_USER || false,\n",
+ "lineNumber": 13,
+ "lineChange": "added"
+ },
+ {
+ "line": "pass: process.env.MANDRILL_PASSWORD\n",
+ "lineNumber": 14,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/tubackkhoa/tkframework/commit/0ac0f7964f71d71d3930e554cbaf928f39f4540f?diff=split#diff-ad73f37992e2c25b9ad0d945783289cbf65b92741918fabea31bfe5b9de96688L-1",
+ "lines": [
+ {
+ "line": "password: \"abc123ABC\",\n",
+ "lineNumber": 15,
+ "lineChange": "removed"
+ },
+ {
+ "line": "password: process.env.DB_PASS,\n",
+ "lineNumber": 15,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 44,
+ "cwe": [
+ "CWE-798",
+ "CWE-259"
+ ]
+ }
+ },
+ {
+ "id": "javascript/HTTPSourceWithUncheckedType",
+ "name": "HTTPSourceWithUncheckedType",
+ "shortDescription": {
+ "text": "Improper Type Validation"
+ },
+ "defaultConfiguration": {
+ "level": "note"
+ },
+ "help": {
+ "markdown": "\n## Details\n\nWhen an object is coming from `req.body` or `req.query`, coming from the express framework. The value of this property can be controlled by the user. This could be abused by an attacker to craft the properties of the object to crash the application or bypass its logic. As such, consider checking the type of the object.\n\nIf this weakness is present, illegitimate input provided from the user's end could lead to unpredictable results such as the program crashing, unauthorized access to secure resources or command execution at the server side. In addition, if the server is overwhelmed by these types of malfunctions, it may lead to denial of service to legitimate users and tasks.\n\nExample:\n\n```\nmodule.exports = function(req, res) {\n var data = req.query;\n // type of value isnt checked before being used\n data.ids = data.ids.split(',');\n doStuff(data.ids);\n\n };\n```\n\n\n\n## Best practices for prevention\n* Adopt a zero-trust model in which all input is considered potentially suspect.\n* Check the type of the object.\n\nExample:\n\n```\nmodule.exports = function(req, res) {\n var data = req.query;\n if (data.ids && typeof data.ids == 'string') {\n\n // type of value is checked\n data.ids = data.ids.split(',');\n doStuff(data.ids);\n } else {}\n };\n```\n\n## References\n\n* [CWE-1287: Improper Validation of Specified Type of Input](https://cwe.mitre.org/data/definitions/1287.html)\n* [JavaScript type confusion: Bypassed input validation (and how to remediate)](https://snyk.io/blog/remediate-javascript-type-confusion-bypassed-input-validation/)\n* [req.query Documentation](https://expressjs.com/en/4x/api.html#req.query)",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "HTTPSourceWithUncheckedType",
+ "Security"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/alexolivero/Obscurify/commit/e4833d36d4aa981b050caca88919784147fc8d95?diff=split#diff-7b56e6433cf96918ac3b03d1d103fc0286e593ad610f9419dfe3f99309ec33acL-1",
+ "lines": [
+ {
+ "line": "if( key < req.query.obscurifyScore.toString()){\r\n",
+ "lineNumber": 145,
+ "lineChange": "removed"
+ },
+ {
+ "line": "if( parseInt(key) < parseInt(req.query.obscurifyScore)){\r\n",
+ "lineNumber": 144,
+ "lineChange": "added"
+ },
+ {
+ "line": " usersBelow += value;\r\n",
+ "lineNumber": 146,
+ "lineChange": "none"
+ },
+ {
+ "line": "}\r\n",
+ "lineNumber": 147,
+ "lineChange": "none"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/ansible-semaphore/semaphore/commit/dc2dac98ad166701ed94f346d99dc2ff44b8a721?diff=split#diff-223cdc8b17a7eed4b42bce8401320629190defc2ac7bc7950b8a1563eb66c10dL-1",
+ "lines": [
+ {
+ "line": "if (req.body.identity && req.body.identity.length > 0) {\n",
+ "lineNumber": 51,
+ "lineChange": "removed"
+ },
+ {
+ "line": "if (typeof req.body.identity == 'string' && req.body.identity.length > 0) {\n",
+ "lineNumber": 51,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/Financial-Times/polyfill-service/commit/471ddf842dc4d672dbf3b09702d91b850d04e4b9?diff=split#diff-e4e457f4b65b990f84bd0649da30984786b38b197e0edcf3e01b168b682f5abeL-1",
+ "lines": [
+ {
+ "line": "excludes: (req.query.excludes && req.query.excludes.split(',')) || [],\n",
+ "lineNumber": 58,
+ "lineChange": "removed"
+ },
+ {
+ "line": "excludes: (typeof req.query.excludes === 'string' && req.query.excludes.split(',')) || [],\n",
+ "lineNumber": 58,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 39,
+ "cwe": [
+ "CWE-1287"
+ ]
+ }
+ },
+ {
+ "id": "python/UnsupportedLanguage/test",
+ "name": "UnsupportedLanguage/test",
+ "shortDescription": {
+ "text": "Python 2 source code"
+ },
+ "defaultConfiguration": {
+ "level": "note"
+ },
+ "help": {
+ "markdown": "## Details\n\nThe Python 2 interpreter has been unsupported since January 2020 and does not receive security updates.\nThese source files appear to be in the Python 2 syntax, and therefore depend on unsupported 3rd party components for operation.\n\n## Best practices for prevention\n* If this code is still in use, port it to Python 3",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "python",
+ "UnsupportedLanguage",
+ "Security",
+ "InTest"
+ ],
+ "categories": [
+ "Security",
+ "InTest"
+ ],
+ "exampleCommitFixes": [],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 0,
+ "cwe": [
+ "CWE-1104"
+ ]
+ }
+ },
+ {
+ "id": "javascript/Sqli",
+ "name": "Sqli",
+ "shortDescription": {
+ "text": "SQL Injection"
+ },
+ "defaultConfiguration": {
+ "level": "error"
+ },
+ "help": {
+ "markdown": "## Details\n\nIn an SQL injection attack, the user can submit an SQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other systems within the network. This is one of the most commonly exploited categories of vulnerability, but can largely be avoided through good coding practices.\n\n## Best practices for prevention\n* Avoid passing user-entered parameters directly to the SQL server.\n* Avoid using string concatenation to build SQL queries from user-entered parameters.\n* When coding, define SQL code first, then pass in parameters. Use prepared statements with parameterized queries. Examples include `SqlCommand()` in .NET and `bindParam()` in PHP.\n* Use strong typing for all parameters so unexpected user data will be rejected.\n* Where direct user input cannot be avoided for performance reasons, validate input against a very strict allowlist of permitted characters, avoiding special characters such as `? & / < > ; - ' \" \\` and spaces. Use a vendor-supplied escaping routine if possible.\n* Develop your application in an environment and/or using libraries that provide protection against SQL injection.\n* Harden your entire environment around a least-privilege model, ideally with isolated accounts with privileges only for particular tasks.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "Sqli",
+ "Security",
+ "SourceHttpParam",
+ "Taint"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/Urigo/WhatsApp-Clone-Server/commit/088088847265c4ea29791cdbdc98d21b4b7b3e7d?diff=split#diff-64fc2a1d7ebf96939c4047a39fc850f244454c0f3eff44c48d8249e29a6269e1L-1",
+ "lines": [
+ {
+ "line": " const { rows } = await db.query(sql`\n",
+ "lineNumber": 134,
+ "lineChange": "removed"
+ },
+ {
+ "line": " INSERT INTO messages(chat_id, sender_user_id, content)\n",
+ "lineNumber": 135,
+ "lineChange": "removed"
+ },
+ {
+ "line": " VALUES(${chatId}, ${currentUser.id}, ${content})\n",
+ "lineNumber": 136,
+ "lineChange": "removed"
+ },
+ {
+ "line": " RETURNING *\n",
+ "lineNumber": 137,
+ "lineChange": "removed"
+ },
+ {
+ "line": " `);\n",
+ "lineNumber": 138,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 139,
+ "lineChange": "removed"
+ },
+ {
+ "line": " const messageAdded = rows[0];\n",
+ "lineNumber": 140,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 141,
+ "lineChange": "removed"
+ },
+ {
+ "line": " injector.get(PubSub).publish('messageAdded', {\n",
+ "lineNumber": 142,
+ "lineChange": "removed"
+ },
+ {
+ "line": " messageAdded,\n",
+ "lineNumber": 143,
+ "lineChange": "removed"
+ },
+ {
+ "line": " });\n",
+ "lineNumber": 144,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 145,
+ "lineChange": "removed"
+ },
+ {
+ "line": " return messageAdded;\n",
+ "lineNumber": 146,
+ "lineChange": "removed"
+ },
+ {
+ "line": " return injector\n",
+ "lineNumber": 134,
+ "lineChange": "added"
+ },
+ {
+ "line": " .get(Chats)\n",
+ "lineNumber": 135,
+ "lineChange": "added"
+ },
+ {
+ "line": " .addMessage({ chatId, content, userId: currentUser.id });\n",
+ "lineNumber": 136,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/vpdb/server/commit/25011eb029e72f51b0fc48259c8c0ea8b37b177d?diff=split#diff-dec1b2b754bba471fe0144e0960b50e5511aa6843c3fdd778a7e0e617938056bL-1",
+ "lines": [
+ {
+ "line": "\t\t\t\tquery.or([\r\n",
+ "lineNumber": 124,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\t\tquery.push({ $or: [\r\n",
+ "lineNumber": 124,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t\t\t\t\t{ name: regex },\r\n",
+ "lineNumber": 125,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\t{ username: regex }\r\n",
+ "lineNumber": 126,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t]);\r\n",
+ "lineNumber": 127,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\t\t]});\r\n",
+ "lineNumber": 127,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t\t\t}\r\n",
+ "lineNumber": 128,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t}\r\n",
+ "lineNumber": 129,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\tif (req.query.name) {\r\n",
+ "lineNumber": 130,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\tquery.where('name').equals(req.query.name);\r\n",
+ "lineNumber": 131,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\tquery.push({ name: new RegExp('^' + _.escapeRegExp(req.query.name) + '$', 'i') });\r\n",
+ "lineNumber": 131,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t\t}\r\n",
+ "lineNumber": 132,
+ "lineChange": "none"
+ },
+ {
+ "line": "\r\n",
+ "lineNumber": 133,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t// filter by role\r\n",
+ "lineNumber": 134,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\tif (canList && req.query.roles) {\r\n",
+ "lineNumber": 135,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t// sanitze and split\r\n",
+ "lineNumber": 136,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\tlet roles = req.query.roles.trim().replace(/[^a-z0-9,-]+/gi, '').split(',');\r\n",
+ "lineNumber": 137,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\tquery.where('roles').in(roles);\r\n",
+ "lineNumber": 138,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\tquery.push( { roles: { $in: roles }});\r\n",
+ "lineNumber": 138,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t\t}\r\n",
+ "lineNumber": 139,
+ "lineChange": "none"
+ },
+ {
+ "line": "\r\n",
+ "lineNumber": 140,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\treturn query.exec();\r\n",
+ "lineNumber": 141,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\tconsole.log(api.searchQuery(query));\r\n",
+ "lineNumber": 141,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t\treturn User.find(api.searchQuery(query)).exec();\r\n",
+ "lineNumber": 142,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/RedstoneDaedalus/verifybot/commit/b7d59d6b87e5eb4b5c8732969baca49466338c3d?diff=split#diff-913d641a0712b4b17eb483f777442426ecfc90bb4062492e9833586e5cbdea4aL-1",
+ "lines": [
+ {
+ "line": "const data = await client.query(`SELECT * FROM linked_accounts WHERE secret_key = '${req.query.key ? req.query.key.replace(/[^a-z\\d]/ig, \"\") : \"\"}';`);\n",
+ "lineNumber": 125,
+ "lineChange": "removed"
+ },
+ {
+ "line": "const data = await client.query(\"SELECT * FROM linked_accounts WHERE secret_key = ?;\", [cient.connection.escape(req.query.key || \"\")]);\n",
+ "lineNumber": 125,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 42,
+ "cwe": [
+ "CWE-89"
+ ]
+ }
+ },
+ {
+ "id": "javascript/HttpToHttps/test",
+ "name": "HttpToHttps/test",
+ "shortDescription": {
+ "text": "Cleartext Transmission of Sensitive Information"
+ },
+ "defaultConfiguration": {
+ "level": "note"
+ },
+ "help": {
+ "markdown": "\n## Details\nThis weakness occurs when software transmits sensitive information, such as passwords or credit card numbers, in unencrypted form. This information may then be intercepted by threat actors using sniffer tools or interception techniques such as man-in-the-middle (MITM) attacks (often involving social engineering). Attackers can then use information gleaned to perform a variety of actions, depending on the information type. Possible actions include gaining unauthorized access, impersonating a user, moving laterally within the organization's network, or retrieving and potentially modifying files. This weakness is almost completely avoidable through intelligent architecture and design.\n\n## Best practices for prevention\n* Build web applications around a security mindset and the awareness that sniffers may be present at any time.\n* Ensure that all sensitive data transmission uses reliable encryption.\n* Implement security measures so that sensitive results are never returned in plain text.\n* Implement multiple-factor authentication methods to validate remote instances.\n* Use SSL not only at logon but throughout communications.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "HttpToHttps",
+ "Security",
+ "InTest"
+ ],
+ "categories": [
+ "Security",
+ "InTest"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/medic/couch2pg/commit/062eaa0f53d2cd2327232a695c60bf4c9fd589f6?diff=split#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346L-1",
+ "lines": [
+ {
+ "line": "var httplib = require('http');\n",
+ "lineNumber": 1,
+ "lineChange": "removed"
+ },
+ {
+ "line": "var httplib = require('https');\n",
+ "lineNumber": 1,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/dondi/GRNsight/commit/01e7d39d55ea9c18348a48aac5954183d825e834?diff=split#diff-65890f102baa526da3cc5d65e0528ea728fa9fa63659a7f2e1d523686240359cL-1",
+ "lines": [
+ {
+ "line": "var https = require(\"http\");\n",
+ "lineNumber": 2,
+ "lineChange": "removed"
+ },
+ {
+ "line": "var https = require(\"https\");\n",
+ "lineNumber": 2,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/watilde/npmbrew/commit/968a0cd04e732ede4552e60e86762ce77f7f0a5c?diff=split#diff-94469ba7812da76fe341041375403897426443f146321489331bb46bb45faf5bL-1",
+ "lines": [
+ {
+ "line": "var http = require(\"http\")\n",
+ "lineNumber": 2,
+ "lineChange": "removed"
+ },
+ {
+ "line": "var http = require(\"https\")\n",
+ "lineNumber": 2,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 4,
+ "cwe": [
+ "CWE-319"
+ ]
+ }
+ },
+ {
+ "id": "javascript/PT",
+ "name": "PT",
+ "shortDescription": {
+ "text": "Path Traversal"
+ },
+ "defaultConfiguration": {
+ "level": "error"
+ },
+ "help": {
+ "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. 
When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "PT",
+ "Security",
+ "SourceHttpParam",
+ "Taint"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/NodeBB/NodeBB/commit/cacc732015c64bba55a6ab45510086febccfb1b2?diff=split#diff-300f765b568b38163933bfcd40c75fe91709a35e9a7522bca2f8c5fe4b19195aL-1",
+ "lines": [
+ {
+ "line": "\t\t\t\t\tuploadUserPicture(req.user.uid, req.files.userPhoto.name, req.files.userPhoto.path, res);\n",
+ "lineNumber": 101,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\t\t\t\t\tuploadUserPicture(req.user.uid, path.extname(req.files.userPhoto.name), req.files.userPhoto.path, res);\n",
+ "lineNumber": 101,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t\t\t\t\treturn;\n",
+ "lineNumber": 102,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t}\n",
+ "lineNumber": 103,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\n",
+ "lineNumber": 104,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\tvar absolutePath = path.join(global.configuration['ROOT_DIRECTORY'], global.nconf.get('upload_path'), path.basename(oldpicture));\n",
+ "lineNumber": 105,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\n",
+ "lineNumber": 106,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\tfs.unlink(absolutePath, function(err) {\n",
+ "lineNumber": 107,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\tif(err) {\t\t\t\t\n",
+ "lineNumber": 108,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\t\tconsole.error('[%d] %s', Date.now(), + err);\n",
+ "lineNumber": 109,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\t}\n",
+ "lineNumber": 110,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\t\n",
+ "lineNumber": 111,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\tuploadUserPicture(req.user.uid, path.extname(req.files.userPhoto.name), req.files.userPhoto.path, res);\n",
+ "lineNumber": 112,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\t\n",
+ "lineNumber": 113,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t});\n",
+ "lineNumber": 114,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t});\n",
+ "lineNumber": 115,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t});\n",
+ "lineNumber": 116,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\n",
+ "lineNumber": 117,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\tfunction uploadUserPicture(uid, extension, tempPath, res) {\n",
+ "lineNumber": 118,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\tif(!extension) {\n",
+ "lineNumber": 119,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\tres.send({\n",
+ "lineNumber": 120,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t\terror: 'Error uploading file! Error : Invalid extension!'\n",
+ "lineNumber": 121,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\t});\n",
+ "lineNumber": 122,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\treturn;\n",
+ "lineNumber": 123,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t}\n",
+ "lineNumber": 124,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 125,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\tvar filename = uid + '-profileimg' + extension;\n",
+ "lineNumber": 126,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\tvar uploadPath = path.join(global.configuration['ROOT_DIRECTORY'], global.nconf.get('upload_path'), filename);\n",
+ "lineNumber": 127,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\n",
+ "lineNumber": 128,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t// @todo move to proper logging code - this should only be temporary\n",
+ "lineNumber": 129,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\tconsole.log('Info: Attempting upload to: '+ uploadPath);\n",
+ "lineNumber": 130,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\t\n",
+ "lineNumber": 131,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\tvar is = fs.createReadStream(tempPath);\n",
+ "lineNumber": 132,
+ "lineChange": "none"
+ },
+ {
+ "line": "\t\t\tvar os = fs.createWriteStream(uploadPath);\n",
+ "lineNumber": 133,
+ "lineChange": "none"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/vilmosioo/magma/commit/b13ae22e9cc3646444f949279c92dfa54fa2e882?diff=split#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346L-1",
+ "lines": [
+ {
+ "line": "\tres.render(req.params.path || 'home');\n",
+ "lineNumber": 41,
+ "lineChange": "removed"
+ },
+ {
+ "line": "\tconsole.log(req.params.path);\n",
+ "lineNumber": 42,
+ "lineChange": "added"
+ },
+ {
+ "line": "\tvar template = routes['/' + req.params.path] || routes['/'];\n",
+ "lineNumber": 43,
+ "lineChange": "added"
+ },
+ {
+ "line": "\ttemplate = template.templateUrl;\n",
+ "lineNumber": 44,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 45,
+ "lineChange": "added"
+ },
+ {
+ "line": "\tres.render(path.basename(template, path.extname(template)), {\n",
+ "lineNumber": 46,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t\tconstants: {\n",
+ "lineNumber": 47,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t\t\tROUTES: JSON.stringify(routes)\n",
+ "lineNumber": 48,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t\t}\n",
+ "lineNumber": 49,
+ "lineChange": "added"
+ },
+ {
+ "line": "\t});\n",
+ "lineNumber": 50,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/cube-js/cube.js/commit/256be019d9393daff7d8776be2c39bceafc49ce2?diff=split#diff-e3f9f2305d99d77628204eb1da6a6fd4695a3b3235274d4e7d8a65a150f0941fL-1",
+ "lines": [
+ {
+ "line": "await Promise.all(files.map(file => fs.writeFile(path.join(file.fileName), file.content)));\n",
+ "lineNumber": 143,
+ "lineChange": "removed"
+ },
+ {
+ "line": "await Promise.all(\n",
+ "lineNumber": 144,
+ "lineChange": "added"
+ },
+ {
+ "line": " files.map(file => path.join(...[dashboardAppPath].concat(file.fileName.split('/'))))\n",
+ "lineNumber": 145,
+ "lineChange": "added"
+ },
+ {
+ "line": ");\n",
+ "lineNumber": 146,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 42,
+ "cwe": [
+ "CWE-23"
+ ]
+ }
+ },
+ {
+ "id": "javascript/UseCsurfForExpress",
+ "name": "UseCsurfForExpress",
+ "shortDescription": {
+ "text": "Cross-Site Request Forgery (CSRF)"
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "help": {
+ "markdown": "\n## Details\nCross-site request forgery is an attack in which a malicious third party takes advantage of a user's authenticated credentials (such as a browser cookie) to impersonate that trusted user and perform unauthorized actions. The web application server cannot tell the difference between legitimate and malicious requests. This type of attack generally begins by tricking the user with a social engineering attack, such as a link or popup that the user inadvertently clicks, causing an unauthorized request to be sent to the web server. Consequences vary: At a standard user level, attackers can change passwords, transfer funds, make purchases, or connect with contacts; from an administrator account, attackers can then make changes to or even take down the app itself.\n\n## Best practices for prevention\n* Use development frameworks that defend against CSRF, using a nonce, hash, or some other security device to the URL and/or to forms.\n* Implement secure, unique, hidden tokens that are checked by the server each time to validate state-change requests.\n* Never assume that authentication tokens and session identifiers mean a request is legitimate.\n* Understand and implement other safe-cookie techniques, such as double submit cookies.\n* Terminate user sessions when not in use, including automatic timeout.\n* Ensure rigorous coding practices and defenses against other commonly exploited CWEs, since cross-site scripting (XSS), for example, can be used to bypass defenses against CSRF.\n\n## References\n\n* [Express Documentation - Implement CSRF Protection](https://expressjs.com/en/resources/middleware/csurf.html)\n* [Node Security Checklist - CSRF](https://blog.risingstack.com/node-js-security-checklist/#csrf)",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "UseCsurfForExpress",
+ "Security"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/xiaoshan5733/cms/commit/cfa979899ffc5d7a1305571923ba6ae70548675b?diff=split#diff-e07d531ac040ce3f40e0ce632ac2a059d7cd60f20e61f78268ac3be015b3b28fL-1",
+ "lines": [
+ {
+ "line": "var app = express();\n",
+ "lineNumber": 21,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 22,
+ "lineChange": "none"
+ },
+ {
+ "line": "//连接数据库\n",
+ "lineNumber": 23,
+ "lineChange": "none"
+ },
+ {
+ "line": "mongoose.connect(config.mongodb.uri);\n",
+ "lineNumber": 24,
+ "lineChange": "none"
+ },
+ {
+ "line": "var db = mongoose.connection;\n",
+ "lineNumber": 25,
+ "lineChange": "none"
+ },
+ {
+ "line": "db.on('error', console.error.bind(console, 'connection error:'));\n",
+ "lineNumber": 26,
+ "lineChange": "none"
+ },
+ {
+ "line": "db.once('open', function callback () {\n",
+ "lineNumber": 27,
+ "lineChange": "none"
+ },
+ {
+ "line": " console.log('连接mongodb成功');\n",
+ "lineNumber": 28,
+ "lineChange": "none"
+ },
+ {
+ "line": "});\n",
+ "lineNumber": 29,
+ "lineChange": "none"
+ },
+ {
+ "line": "//引入数据模型\n",
+ "lineNumber": 30,
+ "lineChange": "none"
+ },
+ {
+ "line": "util.walk(appPath + '/server/models', null, function(path) {\n",
+ "lineNumber": 31,
+ "lineChange": "none"
+ },
+ {
+ "line": " require(path);\n",
+ "lineNumber": 32,
+ "lineChange": "none"
+ },
+ {
+ "line": "});\n",
+ "lineNumber": 33,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 34,
+ "lineChange": "none"
+ },
+ {
+ "line": "// view engine setup\n",
+ "lineNumber": 35,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.set('views', path.join(__dirname, 'views'));\n",
+ "lineNumber": 36,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.set('view engine', 'jade');\n",
+ "lineNumber": 37,
+ "lineChange": "none"
+ },
+ {
+ "line": "//定义全局字段\n",
+ "lineNumber": 38,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.locals = {\n",
+ "lineNumber": 39,
+ "lineChange": "none"
+ },
+ {
+ "line": " title: 'CMS',\n",
+ "lineNumber": 40,
+ "lineChange": "none"
+ },
+ {
+ "line": " pretty: true,\n",
+ "lineNumber": 41,
+ "lineChange": "none"
+ },
+ {
+ "line": " moment: moment,\n",
+ "lineNumber": 42,
+ "lineChange": "none"
+ },
+ {
+ "line": " _: underscore,\n",
+ "lineNumber": 43,
+ "lineChange": "none"
+ },
+ {
+ "line": " util: util,\n",
+ "lineNumber": 44,
+ "lineChange": "none"
+ },
+ {
+ "line": " config: config,\n",
+ "lineNumber": 45,
+ "lineChange": "none"
+ },
+ {
+ "line": " adminDir: config.admin.dir ? ('/' + config.admin.dir) : ''\n",
+ "lineNumber": 46,
+ "lineChange": "none"
+ },
+ {
+ "line": "};\n",
+ "lineNumber": 47,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.set('config', config);\n",
+ "lineNumber": 48,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 49,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(favicon());\n",
+ "lineNumber": 50,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(logger('dev'));\n",
+ "lineNumber": 51,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(bodyParser.json());\n",
+ "lineNumber": 54,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(bodyParser.urlencoded());\n",
+ "lineNumber": 55,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(cookieParser());\n",
+ "lineNumber": 56,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(session({\n",
+ "lineNumber": 57,
+ "lineChange": "none"
+ },
+ {
+ "line": " secret: 'ruoguan'/*,\n",
+ "lineNumber": 58,
+ "lineChange": "none"
+ },
+ {
+ "line": " store: new RedisStore*/\n",
+ "lineNumber": 59,
+ "lineChange": "none"
+ },
+ {
+ "line": "}));\n",
+ "lineNumber": 60,
+ "lineChange": "none"
+ },
+ {
+ "line": "//app.use(csrf());\n",
+ "lineNumber": 58,
+ "lineChange": "removed"
+ },
+ {
+ "line": "app.use(csrf());\n",
+ "lineNumber": 61,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/Detry322/redisred/commit/57aeed9563c1020ca70093310634000d795ae3b4?diff=split#diff-e07d531ac040ce3f40e0ce632ac2a059d7cd60f20e61f78268ac3be015b3b28fL-1",
+ "lines": [
+ {
+ "line": "var csrf = require('csurf');\n",
+ "lineNumber": 18,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 19,
+ "lineChange": "none"
+ },
+ {
+ "line": "//Initialize auth\n",
+ "lineNumber": 20,
+ "lineChange": "none"
+ },
+ {
+ "line": "authentication(passport, adminUsername, adminPassword);\n",
+ "lineNumber": 21,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 22,
+ "lineChange": "none"
+ },
+ {
+ "line": "//Initialize the app\n",
+ "lineNumber": 23,
+ "lineChange": "none"
+ },
+ {
+ "line": "var app = express();\n",
+ "lineNumber": 24,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.set('views', './views');\n",
+ "lineNumber": 25,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.set('view engine', 'jade');\n",
+ "lineNumber": 26,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(favicon('./public/assets/favicon.png'));\n",
+ "lineNumber": 27,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(bodyParser.urlencoded({ extended: false }));\n",
+ "lineNumber": 28,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(expressSession({ secret: sessionSecret, resave: true, saveUninitialized: true }));\n",
+ "lineNumber": 29,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(passport.initialize());\n",
+ "lineNumber": 30,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(passport.session());\n",
+ "lineNumber": 31,
+ "lineChange": "none"
+ },
+ {
+ "line": "app.use(csrf());\n",
+ "lineNumber": 32,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/slidewiki/slidewiki-platform/commit/3e1fd3ff647826a1321f4272924da9bfbcc91383?diff=split#diff-a4c65ede64197e1a112899a68bf994485b889c4b143198bac4af53425b38406fL-1",
+ "lines": [
+ {
+ "line": "import cookieParser from 'cookie-parser';\n",
+ "lineNumber": 10,
+ "lineChange": "added"
+ },
+ {
+ "line": "import csrf from 'csurf';\n",
+ "lineNumber": 11,
+ "lineChange": "added"
+ },
+ {
+ "line": "import compression from 'compression';\n",
+ "lineNumber": 12,
+ "lineChange": "added"
+ },
+ {
+ "line": "import debugLib from 'debug';\n",
+ "lineNumber": 13,
+ "lineChange": "added"
+ },
+ {
+ "line": "import path from 'path';\n",
+ "lineNumber": 14,
+ "lineChange": "none"
+ },
+ {
+ "line": "import serialize from 'serialize-javascript';\n",
+ "lineNumber": 10,
+ "lineChange": "none"
+ },
+ {
+ "line": "import {navigateAction} from 'fluxible-router';\n",
+ "lineNumber": 15,
+ "lineChange": "none"
+ },
+ {
+ "line": "import debugLib from 'debug';\n",
+ "lineNumber": 12,
+ "lineChange": "none"
+ },
+ {
+ "line": "import React from 'react';\n",
+ "lineNumber": 16,
+ "lineChange": "none"
+ },
+ {
+ "line": "import ReactDOM from 'react-dom/server';\n",
+ "lineNumber": 17,
+ "lineChange": "none"
+ },
+ {
+ "line": "import app from './app';\n",
+ "lineNumber": 18,
+ "lineChange": "none"
+ },
+ {
+ "line": "import HTMLComponent from './components/DefaultHTMLLayout';\n",
+ "lineNumber": 19,
+ "lineChange": "none"
+ },
+ {
+ "line": "import { createElementWithContext } from 'fluxible-addons-react';\n",
+ "lineNumber": 20,
+ "lineChange": "none"
+ },
+ {
+ "line": "import favicon from 'serve-favicon';\n",
+ "lineNumber": 18,
+ "lineChange": "none"
+ },
+ {
+ "line": "const env = process.env.NODE_ENV;\n",
+ "lineNumber": 22,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 23,
+ "lineChange": "none"
+ },
+ {
+ "line": "const debug = debugLib('slidewiki-platform');\n",
+ "lineNumber": 24,
+ "lineChange": "none"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 25,
+ "lineChange": "none"
+ },
+ {
+ "line": "const server = express();\n",
+ "lineNumber": 26,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.use(favicon(path.join(__dirname, '/favicon.ico')));\n",
+ "lineNumber": 27,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.use('/public', express['static'](path.join(__dirname, '/build')));\n",
+ "lineNumber": 28,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.use('/bower_components', express['static'](path.join(__dirname, '/bower_components')));\n",
+ "lineNumber": 29,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.use('/custom_modules', express['static'](path.join(__dirname, '/custom_modules')));\n",
+ "lineNumber": 30,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.use('/assets', express['static'](path.join(__dirname, '/assets')));\n",
+ "lineNumber": 31,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.use(compression());\n",
+ "lineNumber": 32,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.use(bodyParser.json());\n",
+ "lineNumber": 34,
+ "lineChange": "none"
+ },
+ {
+ "line": "server.use(csrf({cookie: true}));\n",
+ "lineNumber": 35,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 66,
+ "cwe": [
+ "CWE-352"
+ ]
+ }
+ },
+ {
+ "id": "javascript/PrototypePollution",
+ "name": "PrototypePollution",
+ "shortDescription": {
+ "text": "Prototype Pollution"
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "help": {
+ "markdown": "## Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n\n- Property definition by path\n\n\n### Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n
\n\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n### Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of \"path\", they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n## Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n## Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n\n- Web server\n\n\n## Best practices for prevention\n\n1. Freeze the prototype - use `Object.freeze (Object.prototype)`.\n\n2. Require schema validation of JSON input.\n\n3. Avoid using unsafe recursive merge functions.\n\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n\n5. As a best practice use `Map` instead of `Object`.\n\n### For more information on this vulnerability type:\n\n[Arteau, Oliver. \"JavaScript prototype pollution attack in NodeJS application.\" GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "PrototypePollution",
+ "Security",
+ "SourceServer",
+ "SourceHttpParam",
+ "Taint"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/VincentLoy/tweetParser.js/commit/31ccbf365abbb6398fb78705074c11458421cec6?diff=split#diff-343e9403c50c367c18f841170513c764a80c01c26a0d9c2746a5fd632febe770L-1",
+ "lines": [
+ {
+ "line": " for (var i in datas) {\n",
+ "lineNumber": 18,
+ "lineChange": "removed"
+ },
+ {
+ "line": " var i;\n",
+ "lineNumber": 18,
+ "lineChange": "added"
+ },
+ {
+ "line": "\n",
+ "lineNumber": 19,
+ "lineChange": "added"
+ },
+ {
+ "line": " for (i = 0; i < datas.length; i += 1) {\n",
+ "lineNumber": 20,
+ "lineChange": "added"
+ },
+ {
+ "line": " if (datas[i].contributions > 1) {\n",
+ "lineNumber": 21,
+ "lineChange": "none"
+ },
+ {
+ "line": " datas[i].wording = \"contributions\";\n",
+ "lineNumber": 22,
+ "lineChange": "none"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/wachunga/omega/commit/0ea594b103c957680b02e5b3d3e6763cf49d2c3a?diff=split#diff-a4c65ede64197e1a112899a68bf994485b889c4b143198bac4af53425b38406fL-1",
+ "lines": [
+ {
+ "line": "issues[id].assignee = assignee; \n",
+ "lineNumber": 47,
+ "lineChange": "removed"
+ },
+ {
+ "line": "issues[id-1].assignee = assignee; \n",
+ "lineNumber": 47,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/vampd/vampd/commit/edc7005b68e3e42f461249f8257ba16664983a79?diff=split#diff-8832eceed707e9acd023cc8a42587cb109d860d7272ff10950e3a01bb6f9be94L-1",
+ "lines": [
+ {
+ "line": "site.override_attributes.drupal.sites[site_name].actions = actions;\n",
+ "lineNumber": 53,
+ "lineChange": "removed"
+ },
+ {
+ "line": "site.override_attributes.drupal.sites[site_name].deploy.action = actions;\n",
+ "lineNumber": 54,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 8,
+ "cwe": [
+ "CWE-1321"
+ ]
+ }
+ },
+ {
+ "id": "javascript/DOMXSS",
+ "name": "DOMXSS",
+ "shortDescription": {
+ "text": "Cross-site Scripting (XSS)"
+ },
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "help": {
+ "markdown": "## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser's Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they've been correctly escaped in the application code and in this way the attempted attack is diverted.\n\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.\n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.|\n|**DOM-based**|Client|The attacker forces the user's browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## Best practices for prevention\nThis section describes the top best practices designed to specifically protect your code:\n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents.\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "DOMXSS",
+ "Security",
+ "SourceResourceAccess",
+ "SourceNetworkRequest",
+ "Taint"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/quilime/dynamic-site/commit/0e64e840355d79a879f7eeab00d3b0f1bc33b484?diff=split#diff-3803a4142e90f0f59977727226f37112d7b946ccfeca5b47455aee1ae6dee97bL-1",
+ "lines": [
+ {
+ "line": "codePre.innerHTML = prettyPrintOne(code);\n",
+ "lineNumber": 108,
+ "lineChange": "removed"
+ },
+ {
+ "line": "codePre.innerText = code;\n",
+ "lineNumber": 111,
+ "lineChange": "added"
+ },
+ {
+ "line": "prettyPrint();\n",
+ "lineNumber": 112,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/10up/distributor/commit/059a661149ceadc49f1093631cb4099f3ba4f2ac?diff=split#diff-d2e585d5738b595b24a722e974f1933e4ff11ee961254e6334a654d8927d7103L-1",
+ "lines": [
+ {
+ "line": "endpointResult.innerHTML = dt.limited_connection;\n",
+ "lineNumber": 95,
+ "lineChange": "removed"
+ },
+ {
+ "line": "endpointResult.innerText = dt.limited_connection;\n",
+ "lineNumber": 101,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/minj/foxtrick/commit/ada03f2d4d5e4ae9f7b2f4cfeb2eceaa5b4322d6?diff=split#diff-6e9376b3e13b333f7778db725b2e2b6ec79943d3752cb5e7104c47969c4bbd63L-1",
+ "lines": [
+ {
+ "line": "a.innerHTML = Foxtrickl10n.getString('foxtrick.LeagueAndMatchChat.CupChat');\n",
+ "lineNumber": 96,
+ "lineChange": "removed"
+ },
+ {
+ "line": "a.textContent = Foxtrickl10n.getString('foxtrick.LeagueAndMatchChat.CupChat');\n",
+ "lineNumber": 92,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 116,
+ "cwe": [
+ "CWE-79"
+ ]
+ }
+ },
+ {
+ "id": "javascript/InsecureHash",
+ "name": "InsecureHash",
+ "shortDescription": {
+ "text": "Use of Password Hash With Insufficient Computational Effort"
+ },
+ "defaultConfiguration": {
+ "level": "note"
+ },
+ "help": {
+ "markdown": "\n## Details\n\nSensitive information should never be stored in plain text, since this makes it very easy for unauthorized users, whether malicious insiders or outside attackers, to access. Hashing methods are used to make stored passwords and other sensitive data unreadable to users. For example, when a password is defined for the first time, it is hashed and then stored. The next time that user attempts to log on, the password they enter is hashed following the same procedure and compared with the stored value. In this way, the original password never needs to be stored in the system.\n\nHashing is a one-way scheme, meaning a hashed password cannot be reverse engineered. However, if an outdated or custom programmed hashing scheme is used, it becomes simple for an attacker with powerful modern computing power to gain access to the hashes used. This opens up access to all stored password information, leading to breached security. Therefore, it is essential for developers to understand modern, secure password hashing techniques.\n\n## Best practices for prevention\n* Use strong standard algorithms for hashing rather than simpler but outdated methods or DIY hashing schemes, which may have inherent weaknesses.\n* Use modular design for all code dealing with hashing so it can be swapped out as security standards change over time.\n* Use salting in combination with hashing (While this places more demands on resources, it is an essential step for tighter security.).\n* Implement zero-trust architecture to ensure that access to password data is granted only for legitimate business purposes.\n* Increase developer awareness of current standards in data security and cryptography.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "InsecureHash",
+ "Security"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/emgram769/livechan-js/commit/99ecea722f7fc204ce3293ff2b0e315d0e61ccad?diff=split#diff-fdbfe737b6f8eaccddd46f57a79b5532942e1667c38ca880c32d89723af39857L-1",
+ "lines": [
+ {
+ "line": "var hash_pass = crypto.createHash('sha1').update(password).digest('base64');\n",
+ "lineNumber": 88,
+ "lineChange": "removed"
+ },
+ {
+ "line": "var hash_pass = crypto.createHash('sha512').update(config.admin_pw_salt, 'base64').update(password, 'utf8').digest('base64');\n",
+ "lineNumber": 88,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/Synzvato/decentraleyes/commit/8855358381cff8156fe7a801d9201371034373a2?diff=split#diff-8e3adc8af301344e44c7efc3f4a24d375d02d285c617793db6d2eabe367b9d92L-1",
+ "lines": [
+ {
+ "line": "hash = crypto.createHash('md5');\n",
+ "lineNumber": 139,
+ "lineChange": "removed"
+ },
+ {
+ "line": "hash = crypto.createHash('sha512');\n",
+ "lineNumber": 139,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/openmrs/openmrs-contrib-id/commit/877c9a874b349a330b806414bfad82d03de39eb1?diff=split#diff-629444d01512e7f8fd688f67bf412d620053325ed416c34f940ffd52bb4420e2L-1",
+ "lines": [
+ {
+ "line": "hash = crypto.createHash('md5');\n",
+ "lineNumber": 109,
+ "lineChange": "removed"
+ },
+ {
+ "line": "hash = crypto.createHash('sha512');\n",
+ "lineNumber": 109,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 52,
+ "cwe": [
+ "CWE-916"
+ ]
+ }
+ },
+ {
+ "id": "javascript/ZipSlip",
+ "name": "ZipSlip",
+ "shortDescription": {
+ "text": "Arbitrary File Write via Archive Extraction (Zip Slip)"
+ },
+ "defaultConfiguration": {
+ "level": "error"
+ },
+ "help": {
+ "markdown": "## Details\n\nZip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.\n\n## Example\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "ZipSlip",
+ "Security",
+ "SourceArchive",
+ "",
+ "Taint"
+ ],
+ "categories": [
+ "Security"
+ ],
+ "exampleCommitFixes": [],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 0,
+ "cwe": [
+ "CWE-22"
+ ]
+ }
+ },
+ {
+ "id": "javascript/NoHardcodedCredentials/test",
+ "name": "NoHardcodedCredentials/test",
+ "shortDescription": {
+ "text": "Use of Hardcoded Credentials"
+ },
+ "defaultConfiguration": {
+ "level": "note"
+ },
+ "help": {
+ "markdown": "\n## Details\n\nDevelopers may use hardcoded credentials for convenience when coding in order to simplify their workflow. While they are responsible for removing these before production, occasionally this task may fall through the cracks. This also becomes a maintenance challenge when credentials are re-used across multiple applications.\n\nOnce attackers gain access, they may take advantage of privilege level to remove or alter data, take down a site or app, or hold any of the above for ransom. The risk across multiple similar projects is even greater. If code containing the credentials is reused across multiple projects, they will all be compromised.\n\n## Best practices for prevention\n* Plan software architecture such that keys and passwords are always stored outside the code, wherever possible.\n* Plan encryption into software architecture for all credential information and ensure proper handling of keys, credentials, and passwords.\n* Prompt for a secure password on first login rather than hard-code a default password.\n* If a hardcoded password or credential must be used, limit its use, for example, to system console users rather than via the network.\n* Use strong hashes for inbound password authentication, ideally with randomly assigned salts to increase the difficulty level in case of brute-force attack.",
+ "text": ""
+ },
+ "properties": {
+ "tags": [
+ "javascript",
+ "NoHardcodedCredentials",
+ "Security",
+ "InTest"
+ ],
+ "categories": [
+ "Security",
+ "InTest"
+ ],
+ "exampleCommitFixes": [
+ {
+ "commitURL": "https://github.com/thallium205/BitcoinVisualizer/commit/3fd03f5ec7236a0602ea2960dc786b156601efc6?diff=split#diff-a0f6e6d9c44dcd75d4a33b841594a196ff2e74137919f62ac68935a991378528L-1",
+ "lines": [
+ {
+ "line": "host : '10.0.0.1',\r\n",
+ "lineNumber": 2,
+ "lineChange": "removed"
+ },
+ {
+ "line": "user : 'root',\r\n",
+ "lineNumber": 3,
+ "lineChange": "removed"
+ },
+ {
+ "line": "password : 'webster',\r\n",
+ "lineNumber": 4,
+ "lineChange": "removed"
+ },
+ {
+ "line": "database : 'blockviewer'\r\n",
+ "lineNumber": 5,
+ "lineChange": "removed"
+ },
+ {
+ "line": "host : process.env.sqlhost,\r\n",
+ "lineNumber": 7,
+ "lineChange": "added"
+ },
+ {
+ "line": "user : process.env.sqluser,\r\n",
+ "lineNumber": 8,
+ "lineChange": "added"
+ },
+ {
+ "line": "password : process.env.sqlpass,\r\n",
+ "lineNumber": 9,
+ "lineChange": "added"
+ },
+ {
+ "line": "database : process.env.sqldatabase\r\n",
+ "lineNumber": 10,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/azukiapp/azk/commit/f032902cd00ad2ed6dfb8d9f7d9f31e9db10b210?diff=split#diff-14c376258425dc4f37d3c24807f4b5ba8b060f4dd75d5e90f8d88396acacbf3bL-1",
+ "lines": [
+ {
+ "line": "username: 'docker',\n",
+ "lineNumber": 298,
+ "lineChange": "removed"
+ },
+ {
+ "line": "username: azk.cst.VM_USER,\n",
+ "lineNumber": 298,
+ "lineChange": "added"
+ }
+ ]
+ },
+ {
+ "commitURL": "https://github.com/jedireza/aqua/commit/5c35c79f56ada04f4d2c565954ccf63f55b1f706?diff=split#diff-c85bcf94d1b915dac9d6da178bf7648fa1a910cbcdc14a82fef8a90cf9f62e21L-1",
+ "lines": [
+ {
+ "line": "password : 'test',\n",
+ "lineNumber": 203,
+ "lineChange": "removed"
+ },
+ {
+ "line": "email : 'test@test.com'\n",
+ "lineNumber": 204,
+ "lineChange": "removed"
+ },
+ {
+ "line": "password : results.rootPassword,\n",
+ "lineNumber": 203,
+ "lineChange": "added"
+ },
+ {
+ "line": "email : results.rootEmail\n",
+ "lineNumber": 204,
+ "lineChange": "added"
+ }
+ ]
+ }
+ ],
+ "exampleCommitDescriptions": [],
+ "precision": "very-high",
+ "repoDatasetSize": 30,
+ "cwe": [
+ "CWE-798"
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "results": [
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "warning",
+ "message": {
+ "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[data from a remote resource](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16)",
+ "[bypassSecurityTrustHtml](17)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 216,
+ "endLine": 216,
+ "startColumn": 44,
+ "endColumn": 67
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "041274fc0869f892f98d45c0bd6903f2cfad48bc93a806c69ccfdb2c86f32781",
+ "1": "7921a677.4773f344.607187b5.a517c54b.ef9f7d82.8020cfdf.df7e59ba.cde67692.72e8bf12.664e3b30.21371afe.dee12555.fbac9e17.787328db.83265159.de97a755"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/challenge.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/challenge.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/challenge.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 65,
+ "endColumn": 78
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/challenge.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 83,
+ "endColumn": 91
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/challenge.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 83,
+ "endColumn": 96
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/challenge.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 60,
+ "endColumn": 63
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/challenge.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 55,
+ "endColumn": 59
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/challenge.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 12,
+ "endColumn": 59
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 117,
+ "endLine": 117,
+ "startColumn": 29,
+ "endColumn": 33
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 117,
+ "endLine": 117,
+ "startColumn": 63,
+ "endColumn": 73
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 10,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 119,
+ "endLine": 119,
+ "startColumn": 29,
+ "endColumn": 39
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 11,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 120,
+ "endLine": 120,
+ "startColumn": 31,
+ "endColumn": 46
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 12,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 121,
+ "endLine": 121,
+ "startColumn": 34,
+ "endColumn": 49
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 13,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 122,
+ "endLine": 122,
+ "startColumn": 39,
+ "endColumn": 54
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 14,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 215,
+ "endLine": 215,
+ "startColumn": 25,
+ "endColumn": 45
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 15,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 216,
+ "endLine": 216,
+ "startColumn": 68,
+ "endColumn": 77
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 16,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 216,
+ "endLine": 216,
+ "startColumn": 68,
+ "endColumn": 99
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 17,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/score-board/score-board.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 216,
+ "endLine": 216,
+ "startColumn": 44,
+ "endColumn": 67
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 504,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "warning",
+ "message": {
+ "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[data from a remote resource](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8)",
+ "[bypassSecurityTrustHtml](9)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/data-export/data-export.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 45,
+ "endLine": 45,
+ "startColumn": 37,
+ "endColumn": 60
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "1ea030f297935ab7db59fe215a71ce9c51aacfc72938e77d615d828f87adc0e0",
+ "1": "3df95e84.4773f344.607187b5.74eb2808.ef9f7d82.8020cfdf.83265159.428468b6.a6348f37.70b638aa.8b3a84e3.c559ebce.4463c21f.51429c53.83265159.7f547f77"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/image-captcha.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 20,
+ "endLine": 20,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/image-captcha.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 20,
+ "endLine": 20,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/image-captcha.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 20,
+ "endLine": 20,
+ "startColumn": 12,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/image-captcha.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 20,
+ "endLine": 20,
+ "startColumn": 68,
+ "endColumn": 72
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/image-captcha.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 20,
+ "endLine": 20,
+ "startColumn": 12,
+ "endColumn": 72
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/data-export/data-export.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 44,
+ "endLine": 44,
+ "startColumn": 30,
+ "endColumn": 40
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/data-export/data-export.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 44,
+ "endLine": 44,
+ "startColumn": 54,
+ "endColumn": 63
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/data-export/data-export.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 45,
+ "endLine": 45,
+ "startColumn": 61,
+ "endColumn": 65
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/data-export/data-export.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 45,
+ "endLine": 45,
+ "startColumn": 61,
+ "endColumn": 71
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/data-export/data-export.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 45,
+ "endLine": 45,
+ "startColumn": 37,
+ "endColumn": 60
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "warning",
+ "message": {
+ "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[data from a remote resource](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13)",
+ "[bypassSecurityTrustHtml](14)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 50,
+ "endLine": 50,
+ "startColumn": 37,
+ "endColumn": 60
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "145bb7c088f3191c1b0d55120ac56ba0cbb22ea4b26198b225aee2f2b777e4ba",
+ "1": "839b1d0f.4773f344.607187b5.824d2503.ef9f7d82.8020cfdf.0b4f0b50.ae94f388.46b7c801.6b0b4bb5.81f55990.72a8f743.4463c21f.7312b3d3.83265159.a83217da"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/user.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 29,
+ "endLine": 29,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/user.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 29,
+ "endLine": 29,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/user.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 29,
+ "endLine": 29,
+ "startColumn": 104,
+ "endColumn": 117
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/user.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 30,
+ "endLine": 30,
+ "startColumn": 7,
+ "endColumn": 15
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/user.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 30,
+ "endLine": 30,
+ "startColumn": 7,
+ "endColumn": 20
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/user.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 29,
+ "endLine": 29,
+ "startColumn": 99,
+ "endColumn": 102
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/user.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 29,
+ "endLine": 29,
+ "startColumn": 94,
+ "endColumn": 98
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/user.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 29,
+ "endLine": 29,
+ "startColumn": 12,
+ "endColumn": 98
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 45,
+ "endLine": 45,
+ "startColumn": 22,
+ "endColumn": 26
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 45,
+ "endLine": 45,
+ "startColumn": 40,
+ "endColumn": 45
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 10,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 48,
+ "endLine": 48,
+ "startColumn": 18,
+ "endColumn": 22
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 11,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 50,
+ "endLine": 50,
+ "startColumn": 77,
+ "endColumn": 81
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 12,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 50,
+ "endLine": 50,
+ "startColumn": 119,
+ "endColumn": 123
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 13,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 50,
+ "endLine": 50,
+ "startColumn": 61,
+ "endColumn": 138
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 14,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 50,
+ "endLine": 50,
+ "startColumn": 37,
+ "endColumn": 60
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "warning",
+ "message": {
+ "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[data from a remote resource](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12)",
+ "[bypassSecurityTrustHtml](13)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 65,
+ "endLine": 65,
+ "startColumn": 43,
+ "endColumn": 66
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "0b74757bb31439faf25f1dcf6062dd282cc8090d43b9d1b69fc44ac6b0c8a0fd",
+ "1": "7921a677.4773f344.607187b5.d7919eeb.ef9f7d82.81760a8a.566b8f28.cde67692.a6348f37.70b638aa.8b18f948.4a954e56.4463c21f.7312b3d3.83265159.a83217da"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 21,
+ "endLine": 21,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 21,
+ "endLine": 21,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 18,
+ "endColumn": 31
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 36,
+ "endColumn": 44
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 36,
+ "endColumn": 49
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 13,
+ "endColumn": 16
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 8,
+ "endColumn": 12
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 21,
+ "endLine": 23,
+ "startColumn": 12,
+ "endColumn": 12
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 62,
+ "endLine": 62,
+ "startColumn": 26,
+ "endColumn": 30
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 62,
+ "endLine": 62,
+ "startColumn": 44,
+ "endColumn": 53
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 10,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 64,
+ "endLine": 64,
+ "startColumn": 18,
+ "endColumn": 26
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 11,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 65,
+ "endLine": 65,
+ "startColumn": 67,
+ "endColumn": 75
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 12,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 65,
+ "endLine": 65,
+ "startColumn": 67,
+ "endColumn": 83
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 13,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/administration/administration.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 65,
+ "endLine": 65,
+ "startColumn": 43,
+ "endColumn": 66
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "warning",
+ "message": {
+ "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[data from a remote resource](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12)",
+ "[bypassSecurityTrustHtml](13)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/track-result/track-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 41,
+ "endLine": 41,
+ "startColumn": 45,
+ "endColumn": 68
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "33df10f2aa9f160fc2b96996c33d9012491b8540f9ca56f7fdf4557d9edd621d",
+ "1": "cf7733e4.4773f344.ed5da594.a517c54b.ef9f7d82.32f843a3.0b4f0b50.116a0c7b.cf7733e4.eb7d1438.0a3df746.c8688b2b.ab9128a4.32f843a3.83265159.116a0c7b"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/track-order.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/track-order.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/track-order.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 62,
+ "endColumn": 75
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/track-order.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 80,
+ "endColumn": 88
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/track-order.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 57,
+ "endColumn": 60
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/track-order.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 52,
+ "endColumn": 56
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/track-order.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 12,
+ "endColumn": 56
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/track-result/track-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 39,
+ "endLine": 39,
+ "startColumn": 28,
+ "endColumn": 32
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/track-result/track-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 39,
+ "endLine": 39,
+ "startColumn": 58,
+ "endColumn": 65
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/track-result/track-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 41,
+ "endLine": 41,
+ "startColumn": 78,
+ "endColumn": 85
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 10,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/track-result/track-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 41,
+ "endLine": 41,
+ "startColumn": 78,
+ "endColumn": 90
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 11,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/track-result/track-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 41,
+ "endLine": 41,
+ "startColumn": 78,
+ "endColumn": 93
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 12,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/track-result/track-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 41,
+ "endLine": 41,
+ "startColumn": 69,
+ "endColumn": 110
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 13,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/track-result/track-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 41,
+ "endLine": 41,
+ "startColumn": 45,
+ "endColumn": 68
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 504,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "warning",
+ "message": {
+ "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[data from a remote resource](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16)",
+ "[bypassSecurityTrustHtml](17)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 84,
+ "endLine": 84,
+ "startColumn": 47,
+ "endColumn": 70
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "abd4e0bd5997a9d87e6687d628a4a73eccda02a164cbb4bcc2dfc5d0fb62b2ea",
+ "1": "7921a677.4773f344.607187b5.a517c54b.ef9f7d82.81760a8a.566b8f28.cde67692.cf7733e4.3635f48a.d7512ab0.e6336d2f.4463c21f.7312b3d3.83265159.9b5cefb9"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 21,
+ "endLine": 21,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 21,
+ "endLine": 21,
+ "startColumn": 22,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 18,
+ "endColumn": 31
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 36,
+ "endColumn": 44
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 36,
+ "endColumn": 49
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 13,
+ "endColumn": 16
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 8,
+ "endColumn": 12
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/feedback.service.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 21,
+ "endLine": 23,
+ "startColumn": 12,
+ "endColumn": 12
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 80,
+ "endLine": 80,
+ "startColumn": 26,
+ "endColumn": 30
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 80,
+ "endLine": 80,
+ "startColumn": 44,
+ "endColumn": 53
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 10,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 81,
+ "endLine": 81,
+ "startColumn": 27,
+ "endColumn": 36
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 11,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 83,
+ "endLine": 83,
+ "startColumn": 76,
+ "endColumn": 85
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 12,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 83,
+ "endLine": 83,
+ "startColumn": 117,
+ "endColumn": 126
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 13,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 83,
+ "endLine": 83,
+ "startColumn": 9,
+ "endColumn": 18
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 14,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 84,
+ "endLine": 84,
+ "startColumn": 71,
+ "endColumn": 80
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 15,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 84,
+ "endLine": 84,
+ "startColumn": 71,
+ "endColumn": 83
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 16,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 84,
+ "endLine": 84,
+ "startColumn": 71,
+ "endColumn": 91
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 17,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/about/about.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 84,
+ "endLine": 84,
+ "startColumn": 47,
+ "endColumn": 70
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 504,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "warning",
+ "message": {
+ "text": "Unsanitized input from browser storage flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[browser storage](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8)",
+ "[bypassSecurityTrustHtml](9)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 36,
+ "endLine": 36,
+ "startColumn": 43,
+ "endColumn": 66
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "046e16ab4dbfb48a4781c00cff82e58e29672069dc0a150e72aed4b8da04427a",
+ "1": "cf7733e4.4773f344.607187b5.400fd3fd.90100e46.8020cfdf.0b4f0b50.66506c4e.46b7c801.706318d0.86aa5c73.400fd3fd.4463c21f.8020cfdf.cebf5fac.5691ba88"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 32,
+ "endColumn": 39
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 32,
+ "endColumn": 39
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 11,
+ "endColumn": 16
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 32,
+ "endLine": 32,
+ "startColumn": 9,
+ "endColumn": 14
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 33,
+ "endLine": 33,
+ "startColumn": 27,
+ "endColumn": 32
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 33,
+ "endLine": 33,
+ "startColumn": 17,
+ "endColumn": 26
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 34,
+ "endLine": 34,
+ "startColumn": 11,
+ "endColumn": 18
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 34,
+ "endLine": 34,
+ "startColumn": 11,
+ "endColumn": 23
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 36,
+ "endLine": 36,
+ "startColumn": 67,
+ "endColumn": 111
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 36,
+ "endLine": 36,
+ "startColumn": 43,
+ "endColumn": 66
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 504,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "error",
+ "message": {
+ "text": "Unsanitized input from cookies flows into send, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[cookies](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15)",
+ "[send](16)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 65,
+ "endLine": 65,
+ "startColumn": 15,
+ "endColumn": 19
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "00ca59a0355087ec9f0affdc8fd90a7dbbdf6f4a31f3c55a053e5028fc1fc577",
+ "1": "839b1d0f.4773f344.a32ed1a1.d7919eeb.ef9f7d82.8020cfdf.cd61fc56.2f05c567.dca15045.6b0b4bb5.81f55990.4ee3cf31.cca38dbc.34a4d81a.0334236c.2f05c567"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 24,
+ "endLine": 24,
+ "startColumn": 64,
+ "endColumn": 71
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 24,
+ "endLine": 24,
+ "startColumn": 64,
+ "endColumn": 71
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 24,
+ "endLine": 24,
+ "startColumn": 60,
+ "endColumn": 71
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 24,
+ "endLine": 24,
+ "startColumn": 56,
+ "endColumn": 59
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 24,
+ "endLine": 24,
+ "startColumn": 13,
+ "endColumn": 25
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 25,
+ "endLine": 25,
+ "startColumn": 11,
+ "endColumn": 23
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 26,
+ "endLine": 26,
+ "startColumn": 28,
+ "endColumn": 40
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 26,
+ "endLine": 26,
+ "startColumn": 28,
+ "endColumn": 45
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 26,
+ "endLine": 26,
+ "startColumn": 19,
+ "endColumn": 27
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 26,
+ "endLine": 26,
+ "startColumn": 56,
+ "endColumn": 78
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 10,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 28,
+ "endLine": 28,
+ "startColumn": 26,
+ "endColumn": 30
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 11,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 47,
+ "endLine": 47,
+ "startColumn": 69,
+ "endColumn": 73
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 12,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 57,
+ "endLine": 57,
+ "startColumn": 41,
+ "endColumn": 45
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 13,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 59,
+ "endLine": 59,
+ "startColumn": 82,
+ "endColumn": 86
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 14,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 65,
+ "endLine": 65,
+ "startColumn": 23,
+ "endColumn": 27
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 15,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 65,
+ "endLine": 65,
+ "startColumn": 20,
+ "endColumn": 22
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 16,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 65,
+ "endLine": 65,
+ "startColumn": 15,
+ "endColumn": 19
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 804,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "error",
+ "message": {
+ "text": "Unsanitized input from an HTTP parameter flows into send, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[an HTTP parameter](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10)",
+ "[send](11)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 16,
+ "endColumn": 20
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "ca83cad0f9e3992c2cdcd287969b4fe89bf3906a312dc6b114fcfaead4419687",
+ "1": "716f11c4.4773f344.cae2544c.289fcdd5.d3562abd.8020cfdf.83265159.2f05c567.9dc2a0d3.706318d0.cae2544c.289fcdd5.79a7d027.f8890b3c.0334236c.e6930396"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 14,
+ "endLine": 14,
+ "startColumn": 26,
+ "endColumn": 32
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 14,
+ "endLine": 14,
+ "startColumn": 26,
+ "endColumn": 32
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 14,
+ "endLine": 14,
+ "startColumn": 22,
+ "endColumn": 32
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 14,
+ "endLine": 14,
+ "startColumn": 16,
+ "endColumn": 21
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 14,
+ "endLine": 14,
+ "startColumn": 7,
+ "endColumn": 9
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 13,
+ "endLine": 13,
+ "startColumn": 5,
+ "endColumn": 10
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 12,
+ "endLine": 12,
+ "startColumn": 16,
+ "endColumn": 23
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 12,
+ "endColumn": 19
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 45,
+ "endColumn": 52
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 27,
+ "endColumn": 44
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 10,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 21,
+ "endColumn": 44
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 11,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/recycles.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 16,
+ "endColumn": 20
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 754,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/XSS",
+ "ruleIndex": 0,
+ "level": "error",
+ "message": {
+ "text": "Unsanitized input from an HTTP parameter flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).",
+ "arguments": [
+ "[an HTTP parameter](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8)",
+ "[bypassSecurityTrustHtml](9)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 151,
+ "endLine": 151,
+ "startColumn": 41,
+ "endColumn": 64
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "22e73eee0efe2f75ab91d1b6197fcb36ca60a94dd923daf4398205d4bd5ac2f4",
+ "1": "b7602041.4773f344.607187b5.c484ae4b.ef9f7d82.8020cfdf.ea235696.cde67692.1f17e802.b6e32c83.72aa1700.c484ae4b.4463c21f.33e93315.ca2eca62.5b5a306a"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 144,
+ "endLine": 144,
+ "startColumn": 62,
+ "endColumn": 63
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 144,
+ "endLine": 144,
+ "startColumn": 62,
+ "endColumn": 63
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 144,
+ "endLine": 144,
+ "startColumn": 9,
+ "endColumn": 27
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 145,
+ "endLine": 145,
+ "startColumn": 9,
+ "endColumn": 19
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 146,
+ "endLine": 146,
+ "startColumn": 20,
+ "endColumn": 30
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 146,
+ "endLine": 146,
+ "startColumn": 31,
+ "endColumn": 35
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 148,
+ "endLine": 148,
+ "startColumn": 58,
+ "endColumn": 68
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 150,
+ "endLine": 150,
+ "startColumn": 32,
+ "endColumn": 42
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 151,
+ "endLine": 151,
+ "startColumn": 65,
+ "endColumn": 75
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/search-result/search-result.component.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 151,
+ "endLine": 151,
+ "startColumn": 41,
+ "endColumn": 64
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 754,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 21,
+ "endLine": 73,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "05062c87dc99cecece6ca2e0dcc2ca2534249be1f78e70af6121ef577079ec8c",
+ "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.c3f8dfad.b6e32c83.4937536e.4f83689a.fd1fa73f.cb9c4e89.83265159.b325124d"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 21,
+ "endLine": 73,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/userProfile.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 8,
+ "endColumn": 16
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/videoHandler.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 19,
+ "endLine": 47,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "625211daf741757913e91df57456e491e76d32baae2aa31b7324a621e8720991",
+ "1": "4923bf76.9c6e2949.8b18f948.c559ebce.fd1fa73f.5eabb05b.83265159.be9bb487.1db69a21.b6e32c83.8b18f948.c559ebce.c2cde80a.2da1a176.83265159.041df0b3"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/videoHandler.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 19,
+ "endLine": 47,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/videoHandler.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 29,
+ "endLine": 29,
+ "startColumn": 23,
+ "endColumn": 39
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/videoHandler.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 51,
+ "endLine": 72,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "9754d33d2c25b45e7b1d70df4c2aa0dac731bdf5e9908e2a58e5b5c245eb4d2d",
+ "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.c3f8dfad.b6e32c83.a32ed1a1.4f83689a.fd1fa73f.cb9c4e89.83265159.b325124d"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/videoHandler.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 51,
+ "endLine": 72,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/videoHandler.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 52,
+ "endLine": 52,
+ "startColumn": 8,
+ "endColumn": 16
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/easterEgg.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 13,
+ "endLine": 16,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "b2a03956040ab16ee56bbb15c3048b7527a6ed4334dec2935c6ecff64499a1d1",
+ "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.87ba341e.b6e32c83.4937536e.c559ebce.fd1fa73f.cb9c4e89.83265159.041df0b3"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/easterEgg.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 13,
+ "endLine": 16,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/easterEgg.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 15,
+ "endLine": 15,
+ "startColumn": 9,
+ "endColumn": 17
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 504,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/dataErasure.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 45,
+ "startColumn": 17,
+ "endColumn": 2
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "fa2757c8d403548a54f45a6bdca7867a0a28107f4bd2a9fcb9ecf18200f9053b",
+ "1": "92e26ef2.4773f344.8b18f948.c559ebce.fd1fa73f.5fce695c.83265159.89d75565.92e26ef2.b6e32c83.8b18f948.c559ebce.fd1fa73f.5fce695c.83265159.89d75565"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/dataErasure.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 45,
+ "startColumn": 17,
+ "endColumn": 2
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/dataErasure.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 41,
+ "endLine": 41,
+ "startColumn": 9,
+ "endColumn": 15
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/dataErasure.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 54,
+ "endLine": 94,
+ "startColumn": 18,
+ "endColumn": 2
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "d99bbb6f4fb9f46875c66e28d01504c628074d304504c645efae8ae129582793",
+ "1": "92e26ef2.4773f344.aa4dda5f.c559ebce.fd1fa73f.5fce695c.83265159.89d75565.92e26ef2.4773f344.782a8fc0.c559ebce.fd1fa73f.5fce695c.83265159.29e8dc3a"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/dataErasure.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 54,
+ "endLine": 94,
+ "startColumn": 18,
+ "endColumn": 2
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/dataErasure.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 87,
+ "endLine": 87,
+ "startColumn": 11,
+ "endColumn": 17
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/privacyPolicyProof.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 13,
+ "endLine": 16,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "520b030a888a2b60aae83aed160b919d30cba715196707e27f44902cde0ce139",
+ "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.87ba341e.b6e32c83.4937536e.c559ebce.0cc54b27.cb9c4e89.83265159.041df0b3"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/privacyPolicyProof.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 13,
+ "endLine": 16,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/privacyPolicyProof.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 15,
+ "endLine": 15,
+ "startColumn": 9,
+ "endColumn": 17
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 504,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/languages.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 11,
+ "endLine": 73,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "a915535c27c481c411594f05b4cc1789b3c7fd1aab9eb6ed7f5481f5f09819aa",
+ "1": "099c30d7.9c6e2949.8b18f948.c559ebce.fd1fa73f.5eabb05b.83265159.be9bb487.c3f8dfad.b6e32c83.eff3b32f.4f83689a.fd1fa73f.becd9ff1.83265159.b325124d"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/languages.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 11,
+ "endLine": 73,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/languages.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 8,
+ "endColumn": 16
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 504,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/vulnCodeSnippet.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 74,
+ "endLine": 120,
+ "startColumn": 32,
+ "endColumn": 2
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "1ebeb3f1c81c0895045bb35313f554f9bb3a4e401174286d3cea92b114b61390",
+ "1": "e7d2421a.9c6e2949.8b18f948.c559ebce.fd1fa73f.8020cfdf.83265159.33454e9d.e7d2421a.b6e32c83.7b031cb3.c559ebce.474b452e.becd9ff1.7b7de394.33454e9d"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/vulnCodeSnippet.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 74,
+ "endLine": 120,
+ "startColumn": 32,
+ "endColumn": 2
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/vulnCodeSnippet.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 94,
+ "endLine": 94,
+ "startColumn": 47,
+ "endColumn": 59
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/vulnCodeFixes.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 69,
+ "endLine": 98,
+ "startColumn": 38,
+ "endColumn": 2
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "3dd9cd9cc4132d9c049a111fb70a9078126d4563e444f1183c14c11e44b6457d",
+ "1": "a5aeea87.9c6e2949.8b18f948.c559ebce.fd1fa73f.5eabb05b.83265159.67311e43.a05cdd83.b6e32c83.7b031cb3.c559ebce.3a08f0d2.becd9ff1.7b7de394.6de01bb2"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/vulnCodeFixes.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 69,
+ "endLine": 98,
+ "startColumn": 38,
+ "endColumn": 2
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/vulnCodeFixes.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 80,
+ "endLine": 80,
+ "startColumn": 46,
+ "endColumn": 61
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 554,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation",
+ "ruleIndex": 1,
+ "level": "warning",
+ "message": {
+ "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.",
+ "arguments": [
+ "[endpoint handler](0)",
+ "[a file system operation](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/premiumReward.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 13,
+ "endLine": 16,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "7c5bd04663f7f2d99a5b4a2306e5c5879f1dbb72ab7f55bd60d48380ef3b7d88",
+ "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.40bc0bae.b6e32c83.4937536e.c559ebce.fd1fa73f.cb9c4e89.83265159.041df0b3"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/premiumReward.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 13,
+ "endLine": 16,
+ "startColumn": 10,
+ "endColumn": 4
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/premiumReward.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 15,
+ "endLine": 15,
+ "startColumn": 9,
+ "endColumn": 17
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 504,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/Ssrf",
+ "ruleIndex": 2,
+ "level": "error",
+ "message": {
+ "text": "Unsanitized input from the HTTP request body flows into request.get, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.",
+ "arguments": [
+ "[the HTTP request body](0)",
+ "[flows](1),(2),(3),(4),(5)",
+ "[request.get](6)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/profileImageUrlUpload.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 23,
+ "startColumn": 30,
+ "endColumn": 15
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "aac46065ef2da0fd582140907a91ceb700478885678eb2514bd6be88f423f1a6",
+ "1": "dca15045.70dd3b3b.568208f0.d7919eeb.79a7d027.98c7c24d.df7e59ba.377cd288.6849fe68.b6e32c83.568208f0.08906714.79a7d027.98c7c24d.83265159.a41fb358"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/profileImageUrlUpload.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 13,
+ "endColumn": 17
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/profileImageUrlUpload.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 13,
+ "endColumn": 17
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/profileImageUrlUpload.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 9,
+ "endColumn": 17
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/profileImageUrlUpload.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 13,
+ "endColumn": 16
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/profileImageUrlUpload.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 19,
+ "endLine": 19,
+ "startColumn": 11,
+ "endColumn": 14
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/profileImageUrlUpload.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 16,
+ "endColumn": 19
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/profileImageUrlUpload.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 23,
+ "startColumn": 30,
+ "endColumn": 15
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 801,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoHardcodedPasswords",
+ "ruleIndex": 3,
+ "level": "warning",
+ "message": {
+ "text": "Do not hardcode passwords in code. Found hardcoded password used in password.",
+ "markdown": "Do not hardcode passwords in code. Found hardcoded password used in {0}.",
+ "arguments": [
+ "[password](0)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/oauth/oauth.component.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 85,
+ "endLine": 85,
+ "startColumn": 77,
+ "endColumn": 85
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "16d5be7628d45f333c93c4c34719773cffc76c5cabb20bb1b6d24012894f7656",
+ "1": "12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.8030ba4b.12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.8030ba4b"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/oauth/oauth.component.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 85,
+ "endLine": 85,
+ "startColumn": 77,
+ "endColumn": 85
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 552,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoHardcodedPasswords",
+ "ruleIndex": 3,
+ "level": "warning",
+ "message": {
+ "text": "Do not hardcode passwords in code. Found hardcoded password used in password.",
+ "markdown": "Do not hardcode passwords in code. Found hardcoded password used in {0}.",
+ "arguments": [
+ "[password](0)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/oauth/oauth.component.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 92,
+ "endLine": 92,
+ "startColumn": 78,
+ "endColumn": 86
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "b203dbff1fae69efd59c7816d07b9e61017893371f623e6d5194e53e6182022a",
+ "1": "12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.8030ba4b.12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.8030ba4b"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/oauth/oauth.component.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 92,
+ "endLine": 92,
+ "startColumn": 78,
+ "endColumn": 86
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 552,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoHardcodedPasswords",
+ "ruleIndex": 3,
+ "level": "warning",
+ "message": {
+ "text": "Do not hardcode passwords in code. Found hardcoded password used in password.",
+ "markdown": "Do not hardcode passwords in code. Found hardcoded password used in {0}.",
+ "arguments": [
+ "[password](0)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/two-factor-auth-service.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 64,
+ "endLine": 64,
+ "startColumn": 42,
+ "endColumn": 50
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "053124f7de915c72b62680448fa0dae1376075b94155babf06de21d09e516311",
+ "1": "12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.1a479e39.12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.1a479e39"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/two-factor-auth-service.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 64,
+ "endLine": 64,
+ "startColumn": 42,
+ "endColumn": 50
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 552,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoHardcodedPasswords",
+ "ruleIndex": 3,
+ "level": "warning",
+ "message": {
+ "text": "Do not hardcode passwords in code. Found hardcoded password used in password.",
+ "markdown": "Do not hardcode passwords in code. Found hardcoded password used in {0}.",
+ "arguments": [
+ "[password](0)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/two-factor-auth-service.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 80,
+ "endLine": 80,
+ "startColumn": 42,
+ "endColumn": 50
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "0ae497be512b556e109e19c0440dda3c97f83bc158078bfb8ffa858e573ce203",
+ "1": "12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.1a479e39.12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.1a479e39"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/Services/two-factor-auth-service.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 80,
+ "endLine": 80,
+ "startColumn": 42,
+ "endColumn": 50
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 552,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoHardcodedPasswords",
+ "ruleIndex": 3,
+ "level": "warning",
+ "message": {
+ "text": "Do not hardcode passwords in code. Found hardcoded password used in passwordRepeat.",
+ "markdown": "Do not hardcode passwords in code. Found hardcoded password used in {0}.",
+ "arguments": [
+ "[passwordRepeat](0)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/oauth/oauth.component.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 85,
+ "endLine": 85,
+ "startColumn": 111,
+ "endColumn": 125
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "16d5be7628d45f333c93c4c34719773cffc76c5cabb20bb1b6d24012894f7656",
+ "1": "12567ef6.4773f344.607187b5.e052b9a9.79a7d027.fcf3002d.52789fac.8030ba4b.12567ef6.4773f344.607187b5.e052b9a9.79a7d027.fcf3002d.52789fac.8030ba4b"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "frontend/src/app/oauth/oauth.component.spec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 85,
+ "endLine": 85,
+ "startColumn": 111,
+ "endColumn": 125
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 552,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoSqli",
+ "ruleIndex": 4,
+ "level": "error",
+ "message": {
+ "text": "Unsanitized input from the HTTP request body flows into findOne, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "arguments": [
+ "[the HTTP request body](0)",
+ "[flows](1),(2),(3),(4),(5),(6)",
+ "[findOne](7)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 16,
+ "endColumn": 23
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "d3e6d95802bfa65cdee1cc840eda6a7b8422f24962e436dd01730e6116e317ec",
+ "1": "93652555.4773f344.07efaa4d.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.07efaa4d.08906714.79a7d027.34a4d81a.0334236c.2151aa9e"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 20,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 20,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 16,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 11,
+ "endColumn": 13
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 31,
+ "endColumn": 33
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 26,
+ "endColumn": 29
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 24,
+ "endColumn": 35
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 16,
+ "endColumn": 23
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 802,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoSqli",
+ "ruleIndex": 4,
+ "level": "error",
+ "message": {
+ "text": "Unsanitized input from the HTTP request body flows into findOne, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "arguments": [
+ "[the HTTP request body](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10)",
+ "[findOne](11)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 28,
+ "endColumn": 35
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "508ff7c452d0f0a821d3efbddf9c8ead6c964f813b9ead52ee2ebfe4882ee5f0",
+ "1": "93652555.4773f344.07efaa4d.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.07efaa4d.08906714.79a7d027.34a4d81a.0334236c.2151aa9e"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 20,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 20,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 16,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 11,
+ "endColumn": 13
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 31,
+ "endColumn": 33
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 26,
+ "endColumn": 29
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 25,
+ "endLine": 25,
+ "startColumn": 20,
+ "endColumn": 22
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 25,
+ "endLine": 25,
+ "startColumn": 15,
+ "endColumn": 18
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 43,
+ "endColumn": 45
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 38,
+ "endColumn": 41
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 10,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 36,
+ "endColumn": 47
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 11,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 28,
+ "endColumn": 35
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 802,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoSqli",
+ "ruleIndex": 4,
+ "level": "error",
+ "message": {
+ "text": "Unsanitized input from the HTTP request body flows into update, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "arguments": [
+ "[the HTTP request body](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8)",
+ "[update](9)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 24,
+ "endLine": 24,
+ "startColumn": 22,
+ "endColumn": 28
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "98c5e37129708b191ac56a1b1984e16a6f40c2e8df534ee7935629794fa5db85",
+ "1": "12567ef6.4773f344.607187b5.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.07efaa4d.08906714.79a7d027.34a4d81a.0334236c.2151aa9e"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 20,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 20,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 16,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 11,
+ "endColumn": 13
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 31,
+ "endColumn": 33
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 26,
+ "endColumn": 29
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 25,
+ "endLine": 25,
+ "startColumn": 20,
+ "endColumn": 22
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 25,
+ "endLine": 25,
+ "startColumn": 15,
+ "endColumn": 18
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 25,
+ "endLine": 25,
+ "startColumn": 13,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 24,
+ "endLine": 24,
+ "startColumn": 22,
+ "endColumn": 28
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 802,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoSqli",
+ "ruleIndex": 4,
+ "level": "error",
+ "message": {
+ "text": "Unsanitized input from the HTTP request body flows into update, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "arguments": [
+ "[the HTTP request body](0)",
+ "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12)",
+ "[update](13)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 41,
+ "endLine": 41,
+ "startColumn": 30,
+ "endColumn": 36
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "cd257a65b7a12c252af31b0293deb39e45738a460da8fd9dbaba89db52b4a305",
+ "1": "12567ef6.4773f344.607187b5.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.07efaa4d.08906714.79a7d027.34a4d81a.0334236c.2151aa9e"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 20,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 20,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 16,
+ "endColumn": 24
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 16,
+ "endLine": 16,
+ "startColumn": 11,
+ "endColumn": 13
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 31,
+ "endColumn": 33
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 26,
+ "endColumn": 29
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 6,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 25,
+ "endLine": 25,
+ "startColumn": 20,
+ "endColumn": 22
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 7,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 25,
+ "endLine": 25,
+ "startColumn": 15,
+ "endColumn": 18
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 8,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 43,
+ "endColumn": 45
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 9,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 31,
+ "endLine": 31,
+ "startColumn": 38,
+ "endColumn": 41
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 10,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 42,
+ "endLine": 42,
+ "startColumn": 28,
+ "endColumn": 30
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 11,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 42,
+ "endLine": 42,
+ "startColumn": 23,
+ "endColumn": 26
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 12,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 42,
+ "endLine": 42,
+ "startColumn": 21,
+ "endColumn": 32
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 13,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/likeProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 41,
+ "endLine": 41,
+ "startColumn": 30,
+ "endColumn": 36
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 802,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoSqli",
+ "ruleIndex": 4,
+ "level": "error",
+ "message": {
+ "text": "Unsanitized input from the HTTP request body flows into update, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.",
+ "arguments": [
+ "[the HTTP request body](0)",
+ "[flows](1),(2),(3),(4)",
+ "[update](5)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/updateProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 16,
+ "endColumn": 22
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "403a9b0a3b2d6ed8a1f613645a03631613f8380c2f8e8a86d83422a2f70b66bf",
+ "1": "12567ef6.4773f344.607187b5.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.2d2c7aff.08906714.79a7d027.34a4d81a.0334236c.2151aa9e"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/updateProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 18,
+ "endColumn": 22
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/updateProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 18,
+ "endColumn": 22
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 2,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/updateProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 14,
+ "endColumn": 22
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 3,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/updateProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 9,
+ "endColumn": 12
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 4,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/updateProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 18,
+ "endLine": 18,
+ "startColumn": 7,
+ "endColumn": 27
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 5,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/updateProductReviews.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 17,
+ "endLine": 17,
+ "startColumn": 16,
+ "endColumn": 22
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 752,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/HardcodedSecret/test",
+ "ruleIndex": 5,
+ "level": "note",
+ "message": {
+ "text": "Hardcoded value is used as a cipher key (in jsonwebtoken.#default.sign). Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.",
+ "markdown": "Hardcoded {0} is used as a {1}. Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.",
+ "arguments": [
+ "[value](0)",
+ "[cipher key (in jsonwebtoken.#default.sign)](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "test/api/2faSpec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 149,
+ "endLine": 149,
+ "startColumn": 8,
+ "endColumn": 39
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "8927f4670c679414a5cdfb3bd6bff6b363ce47acae79bd92803aa7e46f9f21a7",
+ "1": "20326186.4773f344.8b18f948.d7919eeb.79a7d027.8020cfdf.df938d4d.45cbaa21.20326186.4773f344.8b18f948.d7919eeb.79a7d027.8020cfdf.df938d4d.45cbaa21"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "test/api/2faSpec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 149,
+ "endLine": 149,
+ "startColumn": 8,
+ "endColumn": 39
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "test/api/2faSpec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 146,
+ "endLine": 146,
+ "startColumn": 35,
+ "endColumn": 39
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 401,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/JwtDecodeMethod",
+ "ruleIndex": 6,
+ "level": "warning",
+ "message": {
+ "text": "A JWT decode() method is used that decodes the token but does not check its validity or integrity. If the JWT has originated from an untrusted source, decoded data could be crafted by an attacker and should not be considered safe to use or process within the application. Always use JWT verification methods to validate the structure and integrity of a token.",
+ "markdown": "A JWT decode() method is used that decodes the token but does not check its validity or integrity. If the JWT has originated from an untrusted source, decoded data could be crafted by an attacker and should not be considered safe to use or process within the application. Always use JWT verification methods to validate the structure and integrity of a token.",
+ "arguments": []
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/verify.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 113,
+ "endLine": 113,
+ "startColumn": 41,
+ "endColumn": 51
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "ba26f4ebc04a19051e00a5ec819e920845ad080a17d8b484b364ecce02b640bf",
+ "1": "46b7c801.4773f344.0f22609d.72a8f743.ef9f7d82.8020cfdf.ea4b1c47.ae94f388.46b7c801.4773f344.0f22609d.72a8f743.ef9f7d82.8020cfdf.ea4b1c47.ae94f388"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "routes/verify.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 113,
+ "endLine": 113,
+ "startColumn": 41,
+ "endColumn": 51
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 301,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "hotFileCodeFlow"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/HardcodedNonCryptoSecret",
+ "ruleIndex": 7,
+ "level": "error",
+ "message": {
+ "text": "Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in here.",
+ "markdown": "Avoid hardcoding values that are meant to be secret. Found {0} used in {1}.",
+ "arguments": [
+ "[a hardcoded string](0)",
+ "[here](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "lib/insecurity.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 54,
+ "endLine": 54,
+ "startColumn": 49,
+ "endColumn": 55
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "ce76473d8a0de12d7deba29848fec2332cc17798cae52436f64242dd341b6ba2",
+ "1": "46b7c801.4773f344.607187b5.72a8f743.79a7d027.a47a18e2.dd02ad61.ae94f388.46b7c801.dd1130f5.8b18f948.61d81d8d.79a7d027.a47a18e2.468bb5d4.ae94f388"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "lib/insecurity.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 83,
+ "endColumn": 107
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "lib/insecurity.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 54,
+ "endLine": 54,
+ "startColumn": 49,
+ "endColumn": 55
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 801,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/HardcodedSecret",
+ "ruleIndex": 8,
+ "level": "error",
+ "message": {
+ "text": "Hardcoded value is used as a cipher key (in jsonwebtoken.#default.verify). Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.",
+ "markdown": "Hardcoded {0} is used as a {1}. Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.",
+ "arguments": [
+ "[value](0)",
+ "[cipher key (in jsonwebtoken.#default.verify)](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "lib/insecurity.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 83,
+ "endColumn": 107
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "bd0cbcaad32d2a689a2b613cc191c8bd05eed93dbb3584632c7192475e3b7c61",
+ "1": "fc3065be.4773f344.8b18f948.61d81d8d.ef9f7d82.a47a18e2.468bb5d4.ae94f388.46b7c801.4773f344.8b18f948.61d81d8d.4c40509c.f30cf624.468bb5d4.ae94f388"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "lib/insecurity.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 22,
+ "endLine": 22,
+ "startColumn": 83,
+ "endColumn": 107
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "lib/insecurity.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 197,
+ "endLine": 197,
+ "startColumn": 9,
+ "endColumn": 15
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 802,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/HardcodedSecret",
+ "ruleIndex": 8,
+ "level": "error",
+ "message": {
+ "text": "Hardcoded value is used as a cipher key (in crypto.#default.createHmac). Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.",
+ "markdown": "Hardcoded {0} is used as a {1}. Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.",
+ "arguments": [
+ "[value](0)",
+ "[cipher key (in crypto.#default.createHmac)](1)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "lib/insecurity.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 20,
+ "endColumn": 902
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "505b93a244fdf2552034cc5341be6bf71983ed87f9dc70780fe2589154471256",
+ "1": "ae77ea27.4773f344.8b18f948.d7919eeb.feee7bcb.5fce695c.c8cd882a.89d75565.839b1d0f.4773f344.191eaf2b.3b7658bb.ac82cb7b.5fce695c.c8cd882a.71520ffe"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "lib/insecurity.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 23,
+ "endLine": 23,
+ "startColumn": 20,
+ "endColumn": 902
+ }
+ }
+ }
+ },
+ {
+ "location": {
+ "id": 1,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "lib/insecurity.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 158,
+ "endLine": 158,
+ "startColumn": 23,
+ "endColumn": 33
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 802,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoHardcodedCredentials/test",
+ "ruleIndex": 21,
+ "level": "note",
+ "message": {
+ "text": "Do not hardcode credentials in code. Found hardcoded credential used in register.",
+ "markdown": "Do not hardcode credentials in code. Found hardcoded credential used in {0}.",
+ "arguments": [
+ "[register](0)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "test/api/2faSpec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 396,
+ "endLine": 396,
+ "startColumn": 22,
+ "endColumn": 27
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "0df952e0c180c52854d6919b014e50ddb8fb548cc6cc101fcee86385a5618e7b",
+ "1": "306348b3.4773f344.607187b5.d7919eeb.79a7d027.f7edcf51.d79c4c07.382555c6.6bb676bb.4773f344.c9330245.d7919eeb.ff08c1e7.5fce695c.d79c4c07.d85bc50f"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "test/api/2faSpec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 396,
+ "endLine": 396,
+ "startColumn": 11,
+ "endColumn": 19
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 417,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ },
+ {
+ "ruleId": "javascript/NoHardcodedCredentials/test",
+ "ruleIndex": 21,
+ "level": "note",
+ "message": {
+ "text": "Do not hardcode credentials in code. Found hardcoded credential used in register.",
+ "markdown": "Do not hardcode credentials in code. Found hardcoded credential used in {0}.",
+ "arguments": [
+ "[register](0)"
+ ]
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "test/api/2faSpec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 433,
+ "endLine": 433,
+ "startColumn": 22,
+ "endColumn": 27
+ }
+ }
+ }
+ ],
+ "fingerprints": {
+ "0": "406af9b904e9b91700eb515b87979a86e7495640b3957ab2b0782b44aa4fbc0e",
+ "1": "306348b3.4773f344.607187b5.d7919eeb.79a7d027.f7edcf51.d79c4c07.382555c6.6bb676bb.4773f344.c9330245.d7919eeb.ff08c1e7.5fce695c.d79c4c07.d85bc50f"
+ },
+ "codeFlows": [
+ {
+ "threadFlows": [
+ {
+ "locations": [
+ {
+ "location": {
+ "id": 0,
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "test/api/2faSpec.ts",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "startLine": 433,
+ "endLine": 433,
+ "startColumn": 11,
+ "endColumn": 19
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "priorityScore": 417,
+ "priorityScoreFactors": [
+ {
+ "label": true,
+ "type": "multipleOccurrence"
+ },
+ {
+ "label": true,
+ "type": "hotFileSource"
+ },
+ {
+ "label": true,
+ "type": "fixExamples"
+ }
+ ],
+ "isAutofixable": false
+ }
+ }
+ ],
+ "properties": {
+ "coverage": [
+ {
+ "isSupported": true,
+ "lang": "JavaScript",
+ "files": 15,
+ "type": "SUPPORTED"
+ },
+ {
+ "isSupported": true,
+ "lang": "TypeScript",
+ "files": 536,
+ "type": "SUPPORTED"
+ },
+ {
+ "isSupported": true,
+ "lang": "XML",
+ "files": 5,
+ "type": "SUPPORTED"
+ },
+ {
+ "isSupported": true,
+ "lang": "HTML",
+ "files": 75,
+ "type": "SUPPORTED"
+ },
+ {
+ "isSupported": true,
+ "lang": "Python",
+ "files": 3,
+ "type": "SUPPORTED"
+ },
+ {
+ "isSupported": false,
+ "lang": "TypeScript",
+ "files": 35,
+ "type": "FAILED_PARSING"
+ },
+ {
+ "isSupported": false,
+ "lang": "XML",
+ "files": 2,
+ "type": "FAILED_PARSING"
+ }
+ ]
+ }
+ }
+ ]
+ }
+
\ No newline at end of file
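Review bot: the two `javascript/NoHardcodedCredentials/test` results near the end of this fixture (the entries at `"startLine": 396` and `"startLine": 433` in `test/api/2faSpec.ts`) carry byte-identical `"1"` fingerprints (`"306348b3.4773f344.607187b5.d7919eeb..."`) while their `"0"` fingerprints differ, so the unit test that loads this file should assert the exact finding count it expects; otherwise the fixture does not pin down whether the SARIF parser treats these as one deduplicated finding or two, which is precisely the behaviour a fixture like this exists to lock in. Separately, the file ends with an empty added line followed by `\ No newline at end of file`; drop the trailing blank line and terminate the JSON with a newline so the fixture stays clean in future diffs.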
diff --git a/unittests/scans/snyk/snykcontainer_issue_9270.json b/unittests/scans/snyk/snykcontainer_issue_9270.json
new file mode 100644
index 00000000000..0cc8316fbab
--- /dev/null
+++ b/unittests/scans/snyk/snykcontainer_issue_9270.json
@@ -0,0 +1,4041 @@
+{
+ "vulnerabilities": [
+ {
+ "id": "SNYK-DEBIAN11-GCC10-5901313",
+ "cpes": [],
+ "title": "CVE-2023-4039",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 4.8,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-4039",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-4039"
+ },
+ {
+ "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64",
+ "title": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"
+ },
+ {
+ "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf",
+ "title": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "SUSE",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 8.1,
+ "modificationTime": "2023-09-20T11:09:16.812999Z"
+ },
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 4.8,
+ "modificationTime": "2023-09-15T01:10:52.576715Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 4.8,
+ "modificationTime": "2023-11-08T09:43:38.403520Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gcc-10` package and not the `gcc-10` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\n\n\nA failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\n\n\n\n\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `gcc-10`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4039)\n- [arm-security@arm.com](https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64)\n- [arm-security@arm.com](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf)\n",
+ "epssDetails": {
+ "percentile": "0.14414",
+ "probability": "0.00046",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-4039"
+ ],
+ "CWE": [],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "gcc-10",
+ "creationTime": "2023-09-14T00:55:43.720861Z",
+ "disclosureTime": "2023-09-13T09:15:15.690000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-09-14T00:54:21.518198Z",
+ "modificationTime": "2023-11-08T09:43:38.403520Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "gcc-10/libgcc-s1@10.2.1-6"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "gcc-10/libgcc-s1",
+ "version": "10.2.1-6"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GCC10-5901313",
+ "cpes": [],
+ "title": "CVE-2023-4039",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 4.8,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-4039",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-4039"
+ },
+ {
+ "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64",
+ "title": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"
+ },
+ {
+ "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf",
+ "title": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "SUSE",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 8.1,
+ "modificationTime": "2023-09-20T11:09:16.812999Z"
+ },
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 4.8,
+ "modificationTime": "2023-09-15T01:10:52.576715Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 4.8,
+ "modificationTime": "2023-11-08T09:43:38.403520Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gcc-10` package and not the `gcc-10` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\n\n\nA failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\n\n\n\n\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `gcc-10`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4039)\n- [arm-security@arm.com](https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64)\n- [arm-security@arm.com](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf)\n",
+ "epssDetails": {
+ "percentile": "0.14414",
+ "probability": "0.00046",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-4039"
+ ],
+ "CWE": [],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "gcc-10",
+ "creationTime": "2023-09-14T00:55:43.720861Z",
+ "disclosureTime": "2023-09-13T09:15:15.690000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-09-14T00:54:21.518198Z",
+ "modificationTime": "2023-11-08T09:43:38.403520Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "gcc-10/libstdc++6@10.2.1-6",
+ "gcc-10/libgcc-s1@10.2.1-6"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "gcc-10/libgcc-s1",
+ "version": "10.2.1-6"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GCC10-5901313",
+ "cpes": [],
+ "title": "CVE-2023-4039",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 4.8,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-4039",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-4039"
+ },
+ {
+ "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64",
+ "title": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"
+ },
+ {
+ "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf",
+ "title": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "SUSE",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 8.1,
+ "modificationTime": "2023-09-20T11:09:16.812999Z"
+ },
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 4.8,
+ "modificationTime": "2023-09-15T01:10:52.576715Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 4.8,
+ "modificationTime": "2023-11-08T09:43:38.403520Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gcc-10` package and not the `gcc-10` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\n\n\nA failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\n\n\n\n\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `gcc-10`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4039)\n- [arm-security@arm.com](https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64)\n- [arm-security@arm.com](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf)\n",
+ "epssDetails": {
+ "percentile": "0.14414",
+ "probability": "0.00046",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-4039"
+ ],
+ "CWE": [],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "gcc-10",
+ "creationTime": "2023-09-14T00:55:43.720861Z",
+ "disclosureTime": "2023-09-13T09:15:15.690000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-09-14T00:54:21.518198Z",
+ "modificationTime": "2023-11-08T09:43:38.403520Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "gcc-10/libgomp1@10.2.1-6"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "gcc-10/libgomp1",
+ "version": "10.2.1-6"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GCC10-5901313",
+ "cpes": [],
+ "title": "CVE-2023-4039",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 4.8,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-4039",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-4039"
+ },
+ {
+ "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64",
+ "title": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"
+ },
+ {
+ "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf",
+ "title": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "SUSE",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 8.1,
+ "modificationTime": "2023-09-20T11:09:16.812999Z"
+ },
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 4.8,
+ "modificationTime": "2023-09-15T01:10:52.576715Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 4.8,
+ "modificationTime": "2023-11-08T09:43:38.403520Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gcc-10` package and not the `gcc-10` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\n\n\nA failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\n\n\n\n\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `gcc-10`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4039)\n- [arm-security@arm.com](https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64)\n- [arm-security@arm.com](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf)\n",
+ "epssDetails": {
+ "percentile": "0.14414",
+ "probability": "0.00046",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-4039"
+ ],
+ "CWE": [],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "gcc-10",
+ "creationTime": "2023-09-14T00:55:43.720861Z",
+ "disclosureTime": "2023-09-13T09:15:15.690000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-09-14T00:54:21.518198Z",
+ "modificationTime": "2023-11-08T09:43:38.403520Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "gcc-10/libstdc++6@10.2.1-6"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "gcc-10/libstdc++6",
+ "version": "10.2.1-6"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-532215",
+ "cpes": [],
+ "title": "Resource Management Errors",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 4.3,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2010-4756",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2010-4756"
+ },
+ {
+ "url": "http://cxib.net/stuff/glob-0day.c",
+ "title": "http://cxib.net/stuff/glob-0day.c"
+ },
+ {
+ "url": "http://securityreason.com/achievement_securityalert/89",
+ "title": "http://securityreason.com/achievement_securityalert/89"
+ },
+ {
+ "url": "http://securityreason.com/exploitalert/9223",
+ "title": "http://securityreason.com/exploitalert/9223"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=681681",
+ "title": "https://bugzilla.redhat.com/show_bug.cgi?id=681681"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756",
+ "title": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 4.3,
+ "modificationTime": "2023-02-09T11:23:31.120244Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T09:41:21.515733Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-4756)\n- [http://cxib.net/stuff/glob-0day.c](http://cxib.net/stuff/glob-0day.c)\n- [http://securityreason.com/achievement_securityalert/89](http://securityreason.com/achievement_securityalert/89)\n- [http://securityreason.com/exploitalert/9223](http://securityreason.com/exploitalert/9223)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=681681)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756)\n",
+ "epssDetails": {
+ "percentile": "0.79904",
+ "probability": "0.00824",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2010-4756"
+ ],
+ "CWE": [
+ "CWE-399"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "glibc",
+ "creationTime": "2020-08-19T09:32:45.970155Z",
+ "disclosureTime": "2011-03-02T20:00:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2011-03-02T20:00:00Z",
+ "modificationTime": "2023-11-08T09:41:21.515733Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-5894105",
+ "cpes": [],
+ "title": "Use After Free",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.9,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-4806",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-4806"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2023-4806",
+ "title": "https://access.redhat.com/security/cve/CVE-2023-4806"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237782",
+ "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2237782"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/4",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/4"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/5",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/5"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/6",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/6"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/8",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/8"
+ },
+ {
+ "url": "https://security.gentoo.org/glsa/202310-03",
+ "title": "https://security.gentoo.org/glsa/202310-03"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/",
+ "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/",
+ "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/",
+ "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:5453",
+ "title": "https://access.redhat.com/errata/RHSA-2023:5453"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:5455",
+ "title": "https://access.redhat.com/errata/RHSA-2023:5455"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:7409",
+ "title": "https://access.redhat.com/errata/RHSA-2023:7409"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-09-27T01:10:58.963846Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-11-08T09:44:04.286569Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nA flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4806)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-4806)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2237782)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/4)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/5)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/6)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/8)\n- [secalert@redhat.com](https://security.gentoo.org/glsa/202310-03)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/)\n- 
[secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5453)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5455)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:7409)\n",
+ "epssDetails": {
+ "percentile": "0.40141",
+ "probability": "0.00097",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-4806"
+ ],
+ "CWE": [
+ "CWE-416"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "glibc",
+ "creationTime": "2023-09-13T13:01:01.946655Z",
+ "disclosureTime": "2023-09-18T17:15:55.813000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-09-13T13:01:01.926030Z",
+ "modificationTime": "2023-11-08T09:44:04.286569Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-5894112",
+ "cpes": [],
+ "title": "Use After Free",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.9,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-4813",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-4813"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2023-4813",
+ "title": "https://access.redhat.com/security/cve/CVE-2023-4813"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237798",
+ "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2237798"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/8",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/8"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:5453",
+ "title": "https://access.redhat.com/errata/RHSA-2023:5453"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:5455",
+ "title": "https://access.redhat.com/errata/RHSA-2023:5455"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20231110-0003/",
+ "title": "https://security.netapp.com/advisory/ntap-20231110-0003/"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:7409",
+ "title": "https://access.redhat.com/errata/RHSA-2023:7409"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-09-21T01:10:58.024645Z"
+ },
+ {
+ "assigner": "SUSE",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-10-12T11:02:48.940818Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-11-08T09:44:04.286614Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nA flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4813)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-4813)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2237798)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/8)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5453)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5455)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20231110-0003/)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:7409)\n",
+ "epssDetails": {
+ "percentile": "0.41335",
+ "probability": "0.00102",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-4813"
+ ],
+ "CWE": [
+ "CWE-416"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "glibc",
+ "creationTime": "2023-09-13T13:01:46.841726Z",
+ "disclosureTime": "2023-09-12T22:15:08.277000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-09-13T13:01:32.099229Z",
+ "modificationTime": "2023-11-08T09:44:04.286614Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-521063",
+ "cpes": [],
+ "title": "Out-of-Bounds",
+ "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 9.8,
+ "malicious": false,
+ "isDisputed": true,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2019-1010022"
+ },
+ {
+ "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850",
+ "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
+ },
+ {
+ "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850%23c3",
+ "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850%23c3"
+ },
+ {
+ "url": "https://ubuntu.com/security/CVE-2019-1010022",
+ "title": "https://ubuntu.com/security/CVE-2019-1010022"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2022-01-03T17:53:20.558676Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010022)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22850)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010022)\n",
+ "epssDetails": {
+ "percentile": "0.68021",
+ "probability": "0.00335",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2019-1010022"
+ ],
+ "CWE": [
+ "CWE-119"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "critical",
+ "packageName": "glibc",
+ "creationTime": "2020-08-19T09:35:26.761208Z",
+ "disclosureTime": "2019-07-15T04:15:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2019-07-24T09:33:32.251091Z",
+ "modificationTime": "2022-10-26T02:04:58.132579Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-521199",
+ "cpes": [],
+ "title": "Uncontrolled Recursion",
+ "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 7.5,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2019-9192",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2019-9192"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS"
+ },
+ {
+ "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24269",
+ "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=24269"
+ },
+ {
+ "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192",
+ "title": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2022-01-03T18:01:31.673539Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-9192)\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24269)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192)\n- [cve@mitre.org](https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS)\n",
+ "epssDetails": {
+ "percentile": "0.43326",
+ "probability": "0.00108",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2019-9192"
+ ],
+ "CWE": [
+ "CWE-674"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "high",
+ "packageName": "glibc",
+ "creationTime": "2020-08-19T09:34:51.325920Z",
+ "disclosureTime": "2019-02-26T18:29:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2019-02-26T18:29:00Z",
+ "modificationTime": "2022-10-26T02:05:07.667771Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-522385",
+ "cpes": [],
+ "title": "Use of Insufficiently Random Values",
+ "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.3,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010025",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2019-1010025"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K06046097",
+ "title": "https://support.f5.com/csp/article/K06046097"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS"
+ },
+ {
+ "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22853",
+ "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
+ },
+ {
+ "url": "https://ubuntu.com/security/CVE-2019-1010025",
+ "title": "https://ubuntu.com/security/CVE-2019-1010025"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2022-01-03T17:53:25.533412Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "low",
+ "cvssV3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ "cvssV3BaseScore": 2.9,
+ "modificationTime": "2023-11-08T09:41:53.285202Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010025)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22853)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010025)\n- [josh@bress.net](https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS)\n",
+ "epssDetails": {
+ "percentile": "0.63157",
+ "probability": "0.00255",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2019-1010025"
+ ],
+ "CWE": [
+ "CWE-330"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "glibc",
+ "creationTime": "2020-08-19T09:35:27.035439Z",
+ "disclosureTime": "2019-07-15T04:15:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2019-07-24T09:33:59.230537Z",
+ "modificationTime": "2023-11-08T09:41:53.285202Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-529848",
+ "cpes": [],
+ "title": "Information Exposure",
+ "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.3,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010024",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2019-1010024"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K06046097",
+ "title": "https://support.f5.com/csp/article/K06046097"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS"
+ },
+ {
+ "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22852",
+ "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22852"
+ },
+ {
+ "url": "http://www.securityfocus.com/bid/109162",
+ "title": "http://www.securityfocus.com/bid/109162"
+ },
+ {
+ "url": "https://ubuntu.com/security/CVE-2019-1010024",
+ "title": "https://ubuntu.com/security/CVE-2019-1010024"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2022-01-03T17:53:36.633029Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T09:41:53.283850Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010024)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22852)\n- [Security Focus](http://www.securityfocus.com/bid/109162)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010024)\n- [josh@bress.net](https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS)\n",
+ "epssDetails": {
+ "percentile": "0.88369",
+ "probability": "0.02258",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2019-1010024"
+ ],
+ "CWE": [
+ "CWE-200"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "glibc",
+ "creationTime": "2020-08-19T09:35:29.535158Z",
+ "disclosureTime": "2019-07-15T04:15:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2019-07-24T09:44:44.882448Z",
+ "modificationTime": "2023-11-08T09:41:53.283850Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-531451",
+ "cpes": [],
+ "title": "CVE-2019-1010023",
+ "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 8.8,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010023",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2019-1010023"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS"
+ },
+ {
+ "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22851",
+ "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22851"
+ },
+ {
+ "url": "http://www.securityfocus.com/bid/109167",
+ "title": "http://www.securityfocus.com/bid/109167"
+ },
+ {
+ "url": "https://ubuntu.com/security/CVE-2019-1010023",
+ "title": "https://ubuntu.com/security/CVE-2019-1010023"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 8.8,
+ "modificationTime": "2022-01-03T17:53:36.820375Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 7.8,
+ "modificationTime": "2023-11-08T09:41:53.271238Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nGNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010023)\n- [CONFIRM](https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22851)\n- [Security Focus](http://www.securityfocus.com/bid/109167)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010023)\n- [josh@bress.net](https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS)\n",
+ "epssDetails": {
+ "percentile": "0.82602",
+ "probability": "0.01081",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2019-1010023"
+ ],
+ "CWE": [],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "high",
+ "packageName": "glibc",
+ "creationTime": "2020-08-19T09:35:27.642271Z",
+ "disclosureTime": "2019-07-15T04:15:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2019-07-24T09:36:38.241516Z",
+ "modificationTime": "2023-11-08T09:41:53.271238Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-531492",
+ "cpes": [],
+ "title": "Uncontrolled Recursion",
+ "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 7.5,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2018-20796",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2018-20796"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS"
+ },
+ {
+ "url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141",
+ "title": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141"
+ },
+ {
+ "url": "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html",
+ "title": "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20190315-0002/",
+ "title": "https://security.netapp.com/advisory/ntap-20190315-0002/"
+ },
+ {
+ "url": "http://www.securityfocus.com/bid/107160",
+ "title": "http://www.securityfocus.com/bid/107160"
+ },
+ {
+ "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796",
+ "title": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796"
+ },
+ {
+ "url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS",
+ "title": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2022-01-03T16:26:27.939810Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T09:41:53.328123Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2018-20796)\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141)\n- [MISC](https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Security Focus](http://www.securityfocus.com/bid/107160)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796)\n- [cve@mitre.org](https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS)\n",
+ "epssDetails": {
+ "percentile": "0.77618",
+ "probability": "0.00678",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2018-20796"
+ ],
+ "CWE": [
+ "CWE-674"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "high",
+ "packageName": "glibc",
+ "creationTime": "2020-08-19T09:34:51.493703Z",
+ "disclosureTime": "2019-02-26T02:29:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2019-02-26T02:29:00Z",
+ "modificationTime": "2023-11-08T09:41:53.328123Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-532215",
+ "cpes": [],
+ "title": "Resource Management Errors",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 4.3,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2010-4756",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2010-4756"
+ },
+ {
+ "url": "http://cxib.net/stuff/glob-0day.c",
+ "title": "http://cxib.net/stuff/glob-0day.c"
+ },
+ {
+ "url": "http://securityreason.com/achievement_securityalert/89",
+ "title": "http://securityreason.com/achievement_securityalert/89"
+ },
+ {
+ "url": "http://securityreason.com/exploitalert/9223",
+ "title": "http://securityreason.com/exploitalert/9223"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=681681",
+ "title": "https://bugzilla.redhat.com/show_bug.cgi?id=681681"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756",
+ "title": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 4.3,
+ "modificationTime": "2023-02-09T11:23:31.120244Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T09:41:21.515733Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-4756)\n- [http://cxib.net/stuff/glob-0day.c](http://cxib.net/stuff/glob-0day.c)\n- [http://securityreason.com/achievement_securityalert/89](http://securityreason.com/achievement_securityalert/89)\n- [http://securityreason.com/exploitalert/9223](http://securityreason.com/exploitalert/9223)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=681681)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756)\n",
+ "epssDetails": {
+ "percentile": "0.79904",
+ "probability": "0.00824",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2010-4756"
+ ],
+ "CWE": [
+ "CWE-399"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "glibc",
+ "creationTime": "2020-08-19T09:32:45.970155Z",
+ "disclosureTime": "2011-03-02T20:00:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2011-03-02T20:00:00Z",
+ "modificationTime": "2023-11-08T09:41:21.515733Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-5894105",
+ "cpes": [],
+ "title": "Use After Free",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.9,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-4806",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-4806"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2023-4806",
+ "title": "https://access.redhat.com/security/cve/CVE-2023-4806"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237782",
+ "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2237782"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/4",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/4"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/5",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/5"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/6",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/6"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/8",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/8"
+ },
+ {
+ "url": "https://security.gentoo.org/glsa/202310-03",
+ "title": "https://security.gentoo.org/glsa/202310-03"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/",
+ "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/",
+ "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/",
+ "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:5453",
+ "title": "https://access.redhat.com/errata/RHSA-2023:5453"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:5455",
+ "title": "https://access.redhat.com/errata/RHSA-2023:5455"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:7409",
+ "title": "https://access.redhat.com/errata/RHSA-2023:7409"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-09-27T01:10:58.963846Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-11-08T09:44:04.286569Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nA flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4806)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-4806)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2237782)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/4)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/5)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/6)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/8)\n- [secalert@redhat.com](https://security.gentoo.org/glsa/202310-03)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/)\n- 
[secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5453)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5455)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:7409)\n",
+ "epssDetails": {
+ "percentile": "0.40141",
+ "probability": "0.00097",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-4806"
+ ],
+ "CWE": [
+ "CWE-416"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "glibc",
+ "creationTime": "2023-09-13T13:01:01.946655Z",
+ "disclosureTime": "2023-09-18T17:15:55.813000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-09-13T13:01:01.926030Z",
+ "modificationTime": "2023-11-08T09:44:04.286569Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-GLIBC-5894112",
+ "cpes": [],
+ "title": "Use After Free",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.9,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-4813",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-4813"
+ },
+ {
+ "url": "https://access.redhat.com/security/cve/CVE-2023-4813",
+ "title": "https://access.redhat.com/security/cve/CVE-2023-4813"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237798",
+ "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2237798"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/10/03/8",
+ "title": "http://www.openwall.com/lists/oss-security/2023/10/03/8"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:5453",
+ "title": "https://access.redhat.com/errata/RHSA-2023:5453"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:5455",
+ "title": "https://access.redhat.com/errata/RHSA-2023:5455"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20231110-0003/",
+ "title": "https://security.netapp.com/advisory/ntap-20231110-0003/"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2023:7409",
+ "title": "https://access.redhat.com/errata/RHSA-2023:7409"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-09-21T01:10:58.024645Z"
+ },
+ {
+ "assigner": "SUSE",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-10-12T11:02:48.940818Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2023-11-08T09:44:04.286614Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nA flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4813)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-4813)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2237798)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/8)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5453)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5455)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20231110-0003/)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:7409)\n",
+ "epssDetails": {
+ "percentile": "0.41335",
+ "probability": "0.00102",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-4813"
+ ],
+ "CWE": [
+ "CWE-416"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "glibc",
+ "creationTime": "2023-09-13T13:01:46.841726Z",
+ "disclosureTime": "2023-09-12T22:15:08.277000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-09-13T13:01:32.099229Z",
+ "modificationTime": "2023-11-08T09:44:04.286614Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1",
+ "glibc/libc6@2.31-13+deb11u7"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "glibc/libc6",
+ "version": "2.31-13+deb11u7"
+ },
+ {
+ "id": "SNYK-DEBIAN11-OPENSSL-518334",
+ "cpes": [],
+ "title": "Cryptographic Issues",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.4,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2007-6755",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2007-6755"
+ },
+ {
+ "url": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/",
+ "title": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/"
+ },
+ {
+ "url": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html",
+ "title": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html"
+ },
+ {
+ "url": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html",
+ "title": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html"
+ },
+ {
+ "url": "http://rump2007.cr.yp.to/15-shumow.pdf",
+ "title": "http://rump2007.cr.yp.to/15-shumow.pdf"
+ },
+ {
+ "url": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/",
+ "title": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/"
+ },
+ {
+ "url": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html",
+ "title": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html"
+ },
+ {
+ "url": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect",
+ "title": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect"
+ },
+ {
+ "url": "http://www.securityfocus.com/bid/63657",
+ "title": "http://www.securityfocus.com/bid/63657"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 5.4,
+ "modificationTime": "2023-02-09T11:25:00.865086Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 5.4,
+ "modificationTime": "2023-11-08T09:41:50.005364Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n- 
[http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n",
+ "epssDetails": {
+ "percentile": "0.76307",
+ "probability": "0.00614",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2007-6755"
+ ],
+ "CWE": [
+ "CWE-310"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "openssl",
+ "creationTime": "2020-08-19T09:23:31.735743Z",
+ "disclosureTime": "2013-10-11T22:55:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2013-10-11T22:55:00Z",
+ "modificationTime": "2023-11-08T09:41:50.005364Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "openssl/libssl1.1",
+ "version": "1.1.1w-0+deb11u1"
+ },
+ {
+ "id": "SNYK-DEBIAN11-OPENSSL-525332",
+ "cpes": [],
+ "title": "Cryptographic Issues",
+ "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.1,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2010-0928",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2010-0928"
+ },
+ {
+ "url": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/",
+ "title": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/"
+ },
+ {
+ "url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf",
+ "title": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf"
+ },
+ {
+ "url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html",
+ "title": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html"
+ },
+ {
+ "url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/",
+ "title": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/"
+ },
+ {
+ "url": "http://xforce.iss.net/xforce/xfdb/56750",
+ "title": "http://xforce.iss.net/xforce/xfdb/56750"
+ },
+ {
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750",
+ "title": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"
+ },
+ {
+ "url": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf",
+ "title": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "cvssV3BaseScore": 5.1,
+ "modificationTime": "2023-02-09T11:22:59.868606Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [cve@mitre.org](http://www.osvdb.org/62808)\n- [cve@mitre.org](http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf)\n",
+ "epssDetails": {
+ "percentile": "0.27307",
+ "probability": "0.00066",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2010-0928"
+ ],
+ "CWE": [
+ "CWE-310"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "openssl",
+ "creationTime": "2020-08-19T09:30:53.411236Z",
+ "disclosureTime": "2010-03-05T19:30:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2010-03-05T19:30:00Z",
+ "modificationTime": "2023-02-10T13:11:38.644692Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "openssl/libssl1.1",
+ "version": "1.1.1w-0+deb11u1"
+ },
+ {
+ "id": "SNYK-DEBIAN11-OPENSSL-6048819",
+ "cpes": [],
+ "title": "Improper Check for Unusual or Exceptional Conditions",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.3,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-5678",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-5678"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6"
+ },
+ {
+ "url": "https://www.openssl.org/news/secadv/20231106.txt",
+ "title": "https://www.openssl.org/news/secadv/20231106.txt"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2",
+ "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20231130-0010/",
+ "title": "https://security.netapp.com/advisory/ntap-20231130-0010/"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T13:48:19.543999Z"
+ },
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-22T01:10:47.412869Z"
+ },
+ {
+ "assigner": "SUSE",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2023-11-22T11:02:51.571843Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-5678)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231130-0010/)\n",
+ "epssDetails": {
+ "percentile": "0.33119",
+ "probability": "0.00079",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-5678"
+ ],
+ "CWE": [
+ "CWE-754"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "openssl",
+ "creationTime": "2023-11-07T02:36:49.140701Z",
+ "disclosureTime": "2023-11-06T16:15:42.670000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-11-07T02:33:36.224937Z",
+ "modificationTime": "2023-11-22T11:02:51.571843Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "openssl/libssl1.1",
+ "version": "1.1.1w-0+deb11u1"
+ },
+ {
+ "id": "SNYK-DEBIAN11-OPENSSL-518334",
+ "cpes": [],
+ "title": "Cryptographic Issues",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.4,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2007-6755",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2007-6755"
+ },
+ {
+ "url": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/",
+ "title": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/"
+ },
+ {
+ "url": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html",
+ "title": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html"
+ },
+ {
+ "url": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html",
+ "title": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html"
+ },
+ {
+ "url": "http://rump2007.cr.yp.to/15-shumow.pdf",
+ "title": "http://rump2007.cr.yp.to/15-shumow.pdf"
+ },
+ {
+ "url": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/",
+ "title": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/"
+ },
+ {
+ "url": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html",
+ "title": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html"
+ },
+ {
+ "url": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect",
+ "title": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect"
+ },
+ {
+ "url": "http://www.securityfocus.com/bid/63657",
+ "title": "http://www.securityfocus.com/bid/63657"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 5.4,
+ "modificationTime": "2023-02-09T11:25:00.865086Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 5.4,
+ "modificationTime": "2023-11-08T09:41:50.005364Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n- 
[http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n",
+ "epssDetails": {
+ "percentile": "0.76307",
+ "probability": "0.00614",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2007-6755"
+ ],
+ "CWE": [
+ "CWE-310"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "openssl",
+ "creationTime": "2020-08-19T09:23:31.735743Z",
+ "disclosureTime": "2013-10-11T22:55:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2013-10-11T22:55:00Z",
+ "modificationTime": "2023-11-08T09:41:50.005364Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "openssl/libssl1.1",
+ "version": "1.1.1w-0+deb11u1"
+ },
+ {
+ "id": "SNYK-DEBIAN11-OPENSSL-525332",
+ "cpes": [],
+ "title": "Cryptographic Issues",
+ "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.1,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2010-0928",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2010-0928"
+ },
+ {
+ "url": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/",
+ "title": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/"
+ },
+ {
+ "url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf",
+ "title": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf"
+ },
+ {
+ "url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html",
+ "title": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html"
+ },
+ {
+ "url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/",
+ "title": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/"
+ },
+ {
+ "url": "http://xforce.iss.net/xforce/xfdb/56750",
+ "title": "http://xforce.iss.net/xforce/xfdb/56750"
+ },
+ {
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750",
+ "title": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"
+ },
+ {
+ "url": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf",
+ "title": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "cvssV3BaseScore": 5.1,
+ "modificationTime": "2023-02-09T11:22:59.868606Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [cve@mitre.org](http://www.osvdb.org/62808)\n- [cve@mitre.org](http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf)\n",
+ "epssDetails": {
+ "percentile": "0.27307",
+ "probability": "0.00066",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2010-0928"
+ ],
+ "CWE": [
+ "CWE-310"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "openssl",
+ "creationTime": "2020-08-19T09:30:53.411236Z",
+ "disclosureTime": "2010-03-05T19:30:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2010-03-05T19:30:00Z",
+ "modificationTime": "2023-02-10T13:11:38.644692Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "openssl/libssl1.1",
+ "version": "1.1.1w-0+deb11u1"
+ },
+ {
+ "id": "SNYK-DEBIAN11-OPENSSL-6048819",
+ "cpes": [],
+ "title": "Improper Check for Unusual or Exceptional Conditions",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.3,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-5678",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-5678"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6"
+ },
+ {
+ "url": "https://www.openssl.org/news/secadv/20231106.txt",
+ "title": "https://www.openssl.org/news/secadv/20231106.txt"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2",
+ "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20231130-0010/",
+ "title": "https://security.netapp.com/advisory/ntap-20231130-0010/"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T13:48:19.543999Z"
+ },
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-22T01:10:47.412869Z"
+ },
+ {
+ "assigner": "SUSE",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2023-11-22T11:02:51.571843Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-5678)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231130-0010/)\n",
+ "epssDetails": {
+ "percentile": "0.33119",
+ "probability": "0.00079",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-5678"
+ ],
+ "CWE": [
+ "CWE-754"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "openssl",
+ "creationTime": "2023-11-07T02:36:49.140701Z",
+ "disclosureTime": "2023-11-06T16:15:42.670000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-11-07T02:33:36.224937Z",
+ "modificationTime": "2023-11-22T11:02:51.571843Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1",
+ "openssl/libssl1.1@1.1.1w-0+deb11u1"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "openssl/libssl1.1",
+ "version": "1.1.1w-0+deb11u1"
+ },
+ {
+ "id": "SNYK-DEBIAN11-OPENSSL-518334",
+ "cpes": [],
+ "title": "Cryptographic Issues",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.4,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2007-6755",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2007-6755"
+ },
+ {
+ "url": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/",
+ "title": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/"
+ },
+ {
+ "url": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html",
+ "title": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html"
+ },
+ {
+ "url": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html",
+ "title": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html"
+ },
+ {
+ "url": "http://rump2007.cr.yp.to/15-shumow.pdf",
+ "title": "http://rump2007.cr.yp.to/15-shumow.pdf"
+ },
+ {
+ "url": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/",
+ "title": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/"
+ },
+ {
+ "url": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html",
+ "title": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html"
+ },
+ {
+ "url": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect",
+ "title": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect"
+ },
+ {
+ "url": "http://www.securityfocus.com/bid/63657",
+ "title": "http://www.securityfocus.com/bid/63657"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 5.4,
+ "modificationTime": "2023-02-09T11:25:00.865086Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+ "cvssV3BaseScore": 5.4,
+ "modificationTime": "2023-11-08T09:41:50.005364Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n- 
[http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n",
+ "epssDetails": {
+ "percentile": "0.76307",
+ "probability": "0.00614",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2007-6755"
+ ],
+ "CWE": [
+ "CWE-310"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "openssl",
+ "creationTime": "2020-08-19T09:23:31.735743Z",
+ "disclosureTime": "2013-10-11T22:55:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2013-10-11T22:55:00Z",
+ "modificationTime": "2023-11-08T09:41:50.005364Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "openssl",
+ "version": "1.1.1w-0+deb11u1"
+ },
+ {
+ "id": "SNYK-DEBIAN11-OPENSSL-525332",
+ "cpes": [],
+ "title": "Cryptographic Issues",
+ "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.1,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2010-0928",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2010-0928"
+ },
+ {
+ "url": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/",
+ "title": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/"
+ },
+ {
+ "url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf",
+ "title": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf"
+ },
+ {
+ "url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html",
+ "title": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html"
+ },
+ {
+ "url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/",
+ "title": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/"
+ },
+ {
+ "url": "http://xforce.iss.net/xforce/xfdb/56750",
+ "title": "http://xforce.iss.net/xforce/xfdb/56750"
+ },
+ {
+ "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750",
+ "title": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"
+ },
+ {
+ "url": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf",
+ "title": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "cvssV3BaseScore": 5.1,
+ "modificationTime": "2023-02-09T11:22:59.868606Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [cve@mitre.org](http://www.osvdb.org/62808)\n- [cve@mitre.org](http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf)\n",
+ "epssDetails": {
+ "percentile": "0.27307",
+ "probability": "0.00066",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2010-0928"
+ ],
+ "CWE": [
+ "CWE-310"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "openssl",
+ "creationTime": "2020-08-19T09:30:53.411236Z",
+ "disclosureTime": "2010-03-05T19:30:00Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2010-03-05T19:30:00Z",
+ "modificationTime": "2023-02-10T13:11:38.644692Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "unimportant",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "openssl",
+ "version": "1.1.1w-0+deb11u1"
+ },
+ {
+ "id": "SNYK-DEBIAN11-OPENSSL-6048819",
+ "cpes": [],
+ "title": "Improper Check for Unusual or Exceptional Conditions",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ ""
+ ],
+ "semver": {
+ "vulnerable": [
+ "*"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "linux",
+ "severity": "low",
+ "cvssScore": 5.3,
+ "malicious": false,
+ "isDisputed": false,
+ "references": [
+ {
+ "url": "https://security-tracker.debian.org/tracker/CVE-2023-5678",
+ "title": "https://security-tracker.debian.org/tracker/CVE-2023-5678"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017"
+ },
+ {
+ "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6",
+ "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6"
+ },
+ {
+ "url": "https://www.openssl.org/news/secadv/20231106.txt",
+ "title": "https://www.openssl.org/news/secadv/20231106.txt"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2",
+ "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20231130-0010/",
+ "title": "https://security.netapp.com/advisory/ntap-20231130-0010/"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T13:48:19.543999Z"
+ },
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-22T01:10:47.412869Z"
+ },
+ {
+ "assigner": "SUSE",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2023-11-22T11:02:51.571843Z"
+ }
+ ],
+ "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-5678)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231130-0010/)\n",
+ "epssDetails": {
+ "percentile": "0.33119",
+ "probability": "0.00079",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2023-5678"
+ ],
+ "CWE": [
+ "CWE-754"
+ ],
+ "ALTERNATIVE": []
+ },
+ "nvdSeverity": "medium",
+ "packageName": "openssl",
+ "creationTime": "2023-11-07T02:36:49.140701Z",
+ "disclosureTime": "2023-11-06T16:15:42.670000Z",
+ "packageManager": "debian:11",
+ "publicationTime": "2023-11-07T02:33:36.224937Z",
+ "modificationTime": "2023-11-22T11:02:51.571843Z",
+ "socialTrendAlert": false,
+ "relativeImportance": "minor issue",
+ "severityWithCritical": "low",
+ "from": [
+ "docker-image|sarim04/juiceshop@latest",
+ "openssl@1.1.1w-0+deb11u1"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "openssl",
+ "version": "1.1.1w-0+deb11u1"
+ }
+ ],
+ "ok": false,
+ "dependencyCount": 9,
+ "org": "sarim04",
+ "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n",
+ "isPrivate": true,
+ "licensesPolicy": {
+ "severities": {},
+ "orgLicenseRules": {
+ "AGPL-1.0": {
+ "licenseType": "AGPL-1.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "AGPL-3.0": {
+ "licenseType": "AGPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "Artistic-1.0": {
+ "licenseType": "Artistic-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "Artistic-2.0": {
+ "licenseType": "Artistic-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CDDL-1.0": {
+ "licenseType": "CDDL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CPOL-1.02": {
+ "licenseType": "CPOL-1.02",
+ "severity": "high",
+ "instructions": ""
+ },
+ "EPL-1.0": {
+ "licenseType": "EPL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "GPL-2.0": {
+ "licenseType": "GPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "GPL-3.0": {
+ "licenseType": "GPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-2.0": {
+ "licenseType": "LGPL-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "LGPL-2.1": {
+ "licenseType": "LGPL-2.1",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "LGPL-3.0": {
+ "licenseType": "LGPL-3.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-1.1": {
+ "licenseType": "MPL-1.1",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-2.0": {
+ "licenseType": "MPL-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MS-RL": {
+ "licenseType": "MS-RL",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "SimPL-2.0": {
+ "licenseType": "SimPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ }
+ }
+ },
+ "packageManager": "deb",
+ "ignoreSettings": {
+ "adminOnly": false,
+ "reasonRequired": false,
+ "disregardFilesystemIgnores": false
+ },
+ "docker": {
+ "binariesVulns": {
+ "issuesData": {},
+ "affectedPkgs": {}
+ }
+ },
+ "summary": "67 vulnerable dependency paths",
+ "filesystemPolicy": false,
+ "filtered": {
+ "ignore": [],
+ "patch": []
+ },
+ "uniqueCount": 13,
+ "projectName": "docker-image|sarim04/juiceshop",
+ "platform": "linux/amd64",
+ "hasUnknownVersions": false,
+ "path": "sarim04/juiceshop:latest/juiceshop",
+ "applications": [
+ {
+ "vulnerabilities": [
+ {
+ "id": "SNYK-JS-EXPRESSJWT-575022",
+ "title": "Authorization Bypass",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
+ "credit": [
+ "IST Group"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<6.0.0"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "6.0.0"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "high",
+ "cvssScore": 7.4,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "express-jwt",
+ "references": [
+ {
+ "url": "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef",
+ "title": "GitHub Commit"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+ "cvssV3BaseScore": 9.1,
+ "modificationTime": "2022-10-22T01:10:30.246806Z"
+ }
+ ],
+ "description": "## Overview\n[express-jwt](https://www.npmjs.com/package/express-jwt) is a JWT authentication middleware.\n\nAffected versions of this package are vulnerable to Authorization Bypass. The `algorithms` entry to be specified in the configuration is not being enforced. When `algorithms` is not specified in the configuration, with the combination of `jwks-rsa`, it may lead to authorization bypass.\n## Remediation\nUpgrade `express-jwt` to version 6.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef)\n",
+ "epssDetails": {
+ "percentile": "0.57214",
+ "probability": "0.00197",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2020-15084"
+ ],
+ "CWE": [
+ "CWE-285"
+ ],
+ "GHSA": [
+ "GHSA-6g6m-m6h5-w9gf"
+ ]
+ },
+ "packageName": "express-jwt",
+ "proprietary": false,
+ "creationTime": "2020-07-01T09:33:11.790635Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2020-07-01T09:30:03Z",
+ "packageManager": "npm",
+ "publicationTime": "2020-07-01T15:32:36Z",
+ "modificationTime": "2022-10-22T01:10:30.246806Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "high",
+ "from": [
+ "juice-shop@15.3.0",
+ "express-jwt@0.1.3"
+ ],
+ "upgradePath": [
+ false,
+ "express-jwt@6.0.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "express-jwt",
+ "version": "0.1.3"
+ },
+ {
+ "id": "SNYK-JS-JSONWEBTOKEN-3180022",
+ "title": "Improper Authentication",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<9.0.0"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "9.0.0"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "medium",
+ "cvssScore": 6.4,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "jsonwebtoken",
+ "references": [
+ {
+ "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0",
+ "title": "GitHub Release"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
+ "cvssV3BaseScore": 7.6,
+ "modificationTime": "2023-02-28T01:10:17.504751Z"
+ }
+ ],
+ "description": "## Overview\n[jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) is a JSON Web Token implementation (symmetric and asymmetric)\n\nAffected versions of this package are vulnerable to Improper Authentication such that the lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. \r\n\r\n## Exploitability\r\nUsers are affected only if all of the following conditions are true for the `jwt.verify()` function:\r\n\r\n1) A token with no signature is received.\r\n\r\n2) No algorithms are specified.\r\n\r\n3) A falsy (e.g., `null`, `false`, `undefined`) secret or key is passed.\n## Remediation\nUpgrade `jsonwebtoken` to version 9.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3)\n- [GitHub Release](https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0)\n",
+ "epssDetails": {
+ "percentile": "0.13102",
+ "probability": "0.00046",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2022-23540"
+ ],
+ "CWE": [
+ "CWE-287"
+ ],
+ "GHSA": [
+ "GHSA-qwph-4952-7xr6"
+ ]
+ },
+ "packageName": "jsonwebtoken",
+ "proprietary": false,
+ "creationTime": "2022-12-22T09:09:36.072853Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2022-12-22T03:32:59Z",
+ "packageManager": "npm",
+ "publicationTime": "2022-12-22T09:13:25.290846Z",
+ "modificationTime": "2023-02-28T01:10:17.504751Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "juice-shop@15.3.0",
+ "jsonwebtoken@0.4.0"
+ ],
+ "upgradePath": [
+ false,
+ "jsonwebtoken@9.0.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "jsonwebtoken",
+ "version": "0.4.0"
+ },
+ {
+ "id": "SNYK-JS-JSONWEBTOKEN-3180024",
+ "title": "Improper Restriction of Security Token Assignment",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<9.0.0"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "9.0.0"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "medium",
+ "cvssScore": 6.5,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "jsonwebtoken",
+ "references": [
+ {
+ "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0",
+ "title": "GitHub Release"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
+ "cvssV3BaseScore": 6.3,
+ "modificationTime": "2023-02-28T01:10:17.572355Z"
+ }
+ ],
+ "description": "## Overview\n[jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) is a JSON Web Token implementation (symmetric and asymmetric)\n\nAffected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the `secretOrPublicKey ` argument due to misconfigurations of the key retrieval function `jwt.verify()`. Exploiting this vulnerability might result in incorrect verification of forged tokens when tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm.\r\n\r\n**Note:**\r\nThis vulnerability affects your application if it supports the usage of both symmetric and asymmetric keys in `jwt.verify()` implementation with the same key retrieval function.\n## Remediation\nUpgrade `jsonwebtoken` to version 9.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3)\n- [GitHub Release](https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0)\n",
+ "epssDetails": {
+ "percentile": "0.19014",
+ "probability": "0.00053",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2022-23541"
+ ],
+ "CWE": [
+ "CWE-1259"
+ ],
+ "GHSA": [
+ "GHSA-hjrf-2m68-5959"
+ ]
+ },
+ "packageName": "jsonwebtoken",
+ "proprietary": false,
+ "creationTime": "2022-12-22T09:14:27.155728Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2022-12-22T03:33:19Z",
+ "packageManager": "npm",
+ "publicationTime": "2022-12-22T09:16:03.621406Z",
+ "modificationTime": "2023-02-28T01:10:17.572355Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "juice-shop@15.3.0",
+ "jsonwebtoken@0.4.0"
+ ],
+ "upgradePath": [
+ false,
+ "jsonwebtoken@9.0.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "jsonwebtoken",
+ "version": "0.4.0"
+ },
+ {
+ "id": "SNYK-JS-JSONWEBTOKEN-3180026",
+ "title": "Use of a Broken or Risky Cryptographic Algorithm",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<9.0.0"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "9.0.0"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "medium",
+ "cvssScore": 6.8,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "jsonwebtoken",
+ "references": [
+ {
+ "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0",
+ "title": "GitHub Release"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
+ "cvssV3BaseScore": 8.1,
+ "modificationTime": "2022-12-31T01:11:45.823807Z"
+ }
+ ],
+ "description": "## Overview\n[jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) is a JSON Web Token implementation (symmetric and asymmetric)\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm such that the library can be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm. \r\n\r\n## Exploitability\r\n\r\nUsers are affected when using an algorithm and a key type _other_ than the combinations mentioned below:\r\n\r\nEC: ES256, ES384, ES512\r\n \r\nRSA: RS256, RS384, RS512, PS256, PS384, PS512 \r\n\r\nRSA-PSS: PS256, PS384, PS512 \r\n\r\nAnd for Elliptic Curve algorithms:\r\n\r\nES256: prime256v1\r\n\r\nES384: secp384r1\r\n\r\nES512: secp521r1 \r\n\r\n## Workaround \r\n\r\nUsers who are unable to upgrade to the fixed version can use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility.\n## Remediation\nUpgrade `jsonwebtoken` to version 9.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3)\n- [GitHub Release](https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0)\n",
+ "epssDetails": {
+ "percentile": "0.17011",
+ "probability": "0.00050",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2022-23539"
+ ],
+ "CWE": [
+ "CWE-327"
+ ],
+ "GHSA": [
+ "GHSA-8cf7-32gw-wr33"
+ ]
+ },
+ "packageName": "jsonwebtoken",
+ "proprietary": false,
+ "creationTime": "2022-12-22T09:19:03.430735Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2022-12-22T03:32:22Z",
+ "packageManager": "npm",
+ "publicationTime": "2022-12-22T10:32:50.173080Z",
+ "modificationTime": "2023-01-01T13:30:43.098324Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "juice-shop@15.3.0",
+ "jsonwebtoken@0.4.0"
+ ],
+ "upgradePath": [
+ false,
+ "jsonwebtoken@9.0.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "jsonwebtoken",
+ "version": "0.4.0"
+ },
+ {
+ "id": "npm:jsonwebtoken:20150331",
+ "title": "Authentication Bypass",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P",
+ "credit": [
+ "Tim McLean"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<4.2.2"
+ ]
+ },
+ "exploit": "Proof of Concept",
+ "fixedIn": [
+ "4.2.2"
+ ],
+ "patches": [
+ {
+ "id": "patch:npm:jsonwebtoken:20150331:0",
+ "urls": [
+ "https://snyk-patches.s3.amazonaws.com/npm/jsonwebtoken/20150331/jsonwebtoken_20150331_0_0_1bb584bc382295eeb7ee8c4452a673a77a68b687_snyk.patch"
+ ],
+ "version": "=4.0.0 || =4.1.0 || =4.2.1",
+ "comments": [],
+ "modificationTime": "2019-12-03T11:40:45.753281Z"
+ }
+ ],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "high",
+ "cvssScore": 7.5,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "jsonwebtoken",
+ "references": [
+ {
+ "url": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/",
+ "title": "Auth0 Blog"
+ },
+ {
+ "url": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/WinDyAlphA/CVE-2015-9235_JWT_key_confusion",
+ "title": "PoC"
+ },
+ {
+ "url": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html",
+ "title": "Tim McLean Blog"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2022-01-03T17:48:53.018995Z"
+ }
+ ],
+ "description": "## Overview\r\n[`jsonwebtoken`](https://www.npmjs.com/package/jsonwebtoken) is a JSON Web token implementation for symmetric and asymmetric keys.\r\nAffected versions of this package are vulnerable to an Authentication Bypass attack, due to the \"algorithm\" not being enforced. Attackers are given the opportunity to choose the algorithm sent to the server and generate signatures with arbitrary contents. The server expects an asymmetric key (RSA) but is sent a symmetric key (HMAC-SHA) with RSA's public key, so instead of going through a key validation process, the server will think the public key is actually an HMAC private key.\r\n\r\n## Remediation\r\nUpgrade `jsonwebtoken` to version 4.2.2 or greater.\r\n\r\n## References\r\n- [GitHub Commit](https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687)\r\n- [Tim McLean Blog](https://www.timmclean.net/2015/02/25/jwt-alg-none.html)\r\n- [Auth0 Blog](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/)",
+ "epssDetails": {
+ "percentile": "0.75071",
+ "probability": "0.00559",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2015-9235"
+ ],
+ "CWE": [
+ "CWE-592"
+ ],
+ "NSP": [
+ "17"
+ ],
+ "GHSA": [
+ "GHSA-c7hr-j4mj-j2w6"
+ ],
+ "ALTERNATIVE": [
+ "SNYK-JS-JSONWEBTOKEN-10037"
+ ]
+ },
+ "packageName": "jsonwebtoken",
+ "proprietary": false,
+ "creationTime": "2015-03-31T16:00:00Z",
+ "functions_new": [],
+ "alternativeIds": [
+ "SNYK-JS-JSONWEBTOKEN-10037"
+ ],
+ "disclosureTime": "2015-03-31T16:00:00Z",
+ "packageManager": "npm",
+ "publicationTime": "2015-03-31T16:00:00Z",
+ "modificationTime": "2023-09-29T09:15:01.983455Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "high",
+ "from": [
+ "juice-shop@15.3.0",
+ "jsonwebtoken@0.4.0"
+ ],
+ "upgradePath": [
+ false,
+ "jsonwebtoken@5.0.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "jsonwebtoken",
+ "version": "0.4.0"
+ },
+ {
+ "id": "SNYK-JS-SANITIZEHTML-1070780",
+ "title": "Validation Bypass",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P",
+ "credit": [
+ "Ron Masas",
+ "Checkmarx"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<2.3.2"
+ ]
+ },
+ "exploit": "Proof of Concept",
+ "fixedIn": [
+ "2.3.2"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "medium",
+ "cvssScore": 6.5,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "sanitize-html",
+ "references": [
+ {
+ "url": "https://github.com/apostrophecms/sanitize-html/commit/6012524e7824a2c8f6782b2bc5f93b1261723403",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/apostrophecms/sanitize-html/pull/460",
+ "title": "GitHub PR"
+ },
+ {
+ "url": "https://advisory.checkmarx.net/advisory/CX-2021-4309",
+ "title": "POC: Potential Exploit"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2022-01-03T16:36:59.234021Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T09:37:50.578095Z"
+ }
+ ],
+ "description": "## Overview\n[sanitize-html](https://github.com/punkave/sanitize-html) is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis\n\nAffected versions of this package are vulnerable to Validation Bypass. There is no proper validation of the hostnames set by the `allowedIframeHostnames` option when the `allowIframeRelativeUrls` is set to `true`. This allows attackers to bypass the hostname whitelist for the iframe element.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `sanitize-html` to version 2.3.2 or higher.\n## References\n- [GitHub Commit](https://github.com/apostrophecms/sanitize-html/commit/6012524e7824a2c8f6782b2bc5f93b1261723403)\n- [GitHub PR](https://github.com/apostrophecms/sanitize-html/pull/460)\n- [POC: Potential Exploit](https://advisory.checkmarx.net/advisory/CX-2021-4309)\n",
+ "epssDetails": {
+ "percentile": "0.48819",
+ "probability": "0.00137",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2021-26540"
+ ],
+ "CWE": [
+ "CWE-20"
+ ],
+ "GHSA": [
+ "GHSA-mjxr-4v3x-q3m4"
+ ]
+ },
+ "packageName": "sanitize-html",
+ "proprietary": false,
+ "creationTime": "2021-02-09T08:21:52.232749Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2021-02-09T08:07:33Z",
+ "packageManager": "npm",
+ "publicationTime": "2021-02-09T16:34:45.881363Z",
+ "modificationTime": "2023-11-08T09:37:50.578095Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "juice-shop@15.3.0",
+ "sanitize-html@1.4.2"
+ ],
+ "upgradePath": [
+ false,
+ "sanitize-html@2.3.2"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "sanitize-html",
+ "version": "1.4.2"
+ },
+ {
+ "id": "SNYK-JS-SANITIZEHTML-1070786",
+ "title": "Access Restriction Bypass",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ "credit": [
+ "Ron Masas",
+ "Checkmarx"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<2.3.1"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "2.3.1"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "medium",
+ "cvssScore": 6.5,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "sanitize-html",
+ "references": [
+ {
+ "url": "https://github.com/apostrophecms/sanitize-html/pull/458",
+ "title": "GitHub PR"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2022-04-27T01:10:36.338203Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T09:37:50.738101Z"
+ }
+ ],
+ "description": "## Overview\n[sanitize-html](https://github.com/punkave/sanitize-html) is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. Internationalized domain name (IDN) is not properly handled. This allows attackers to bypass hostname whitelist validation set by the `allowedIframeHostnames` option.\n## Remediation\nUpgrade `sanitize-html` to version 2.3.1 or higher.\n## References\n- [GitHub PR](https://github.com/apostrophecms/sanitize-html/pull/458)\n",
+ "epssDetails": {
+ "percentile": "0.48819",
+ "probability": "0.00137",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2021-26539"
+ ],
+ "CWE": [
+ "CWE-20"
+ ],
+ "GHSA": [
+ "GHSA-rjqq-98f6-6j3r"
+ ]
+ },
+ "packageName": "sanitize-html",
+ "proprietary": false,
+ "creationTime": "2021-02-09T08:37:16.368073Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2021-02-09T08:21:55Z",
+ "packageManager": "npm",
+ "publicationTime": "2021-02-09T16:34:49Z",
+ "modificationTime": "2023-11-08T09:37:50.738101Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "juice-shop@15.3.0",
+ "sanitize-html@1.4.2"
+ ],
+ "upgradePath": [
+ false,
+ "sanitize-html@2.3.1"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "sanitize-html",
+ "version": "1.4.2"
+ },
+ {
+ "id": "SNYK-JS-SANITIZEHTML-2957526",
+ "title": "Regular Expression Denial of Service (ReDoS)",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ "Nariyoshi Chida of NTT Security Japan"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<2.7.1"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "2.7.1"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "medium",
+ "cvssScore": 5.3,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "sanitize-html",
+ "references": [
+ {
+ "url": "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/apostrophecms/sanitize-html/pull/557",
+ "title": "GitHub PR"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2022-09-02T01:11:51.670814Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2023-11-08T09:37:50.786715Z"
+ }
+ ],
+ "description": "## Overview\n[sanitize-html](https://github.com/punkave/sanitize-html) is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). 
The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `sanitize-html` to version 2.7.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c)\n- [GitHub PR](https://github.com/apostrophecms/sanitize-html/pull/557)\n",
+ "epssDetails": {
+ "percentile": "0.44428",
+ "probability": "0.00112",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2022-25887"
+ ],
+ "CWE": [
+ "CWE-1333"
+ ]
+ },
+ "packageName": "sanitize-html",
+ "proprietary": true,
+ "creationTime": "2022-07-21T08:00:56.827849Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2022-07-21T07:37:40Z",
+ "packageManager": "npm",
+ "publicationTime": "2022-08-29T13:28:12.439235Z",
+ "modificationTime": "2023-11-08T09:37:50.786715Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "juice-shop@15.3.0",
+ "sanitize-html@1.4.2"
+ ],
+ "upgradePath": [
+ false,
+ "sanitize-html@2.7.1"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "sanitize-html",
+ "version": "1.4.2"
+ },
+ {
+ "id": "SNYK-JS-SANITIZEHTML-585892",
+ "title": "Arbitrary Code Execution",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
+ "credit": [
+ "mikesamuel"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<2.0.0-beta"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "2.0.0-beta"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "critical",
+ "cvssScore": 9.4,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "sanitize-html",
+ "references": [
+ {
+ "url": "https://github.com/apostrophecms/sanitize-html/pull/156",
+ "title": "GitHub PR"
+ }
+ ],
+ "cvssDetails": [],
+ "description": "## Overview\n[sanitize-html](https://github.com/punkave/sanitize-html) is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. Tag transformations which turn an attribute value into a text node using `transformTags` could be vulnerable to code execution.\n## Remediation\nUpgrade `sanitize-html` to version 2.0.0-beta or higher.\n## References\n- [GitHub PR](https://github.com/apostrophecms/sanitize-html/pull/156)\n",
+ "epssDetails": null,
+ "identifiers": {
+ "CVE": [],
+ "CWE": [
+ "CWE-94"
+ ]
+ },
+ "packageName": "sanitize-html",
+ "proprietary": false,
+ "creationTime": "2020-07-17T15:02:43.082824Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2020-09-07T09:46:18Z",
+ "packageManager": "npm",
+ "publicationTime": "2020-09-07T09:46:10Z",
+ "modificationTime": "2020-09-07T15:37:06.961614Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "juice-shop@15.3.0",
+ "sanitize-html@1.4.2"
+ ],
+ "upgradePath": [
+ false,
+ "sanitize-html@2.0.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "sanitize-html",
+ "version": "1.4.2"
+ },
+ {
+ "id": "npm:sanitize-html:20141024",
+ "title": "Cross-site Scripting (XSS)",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<1.4.3"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "1.4.3"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "medium",
+ "cvssScore": 4.3,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "sanitize-html",
+ "references": [
+ {
+ "url": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json",
+ "title": "CVE"
+ },
+ {
+ "url": "https://github.com/punkave/sanitize-html/issues/29",
+ "title": "GitHub Issue"
+ },
+ {
+ "url": "https://nodesecurity.io/advisories/135",
+ "title": "Node Security Advisories"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+ "cvssV3BaseScore": 6.1,
+ "modificationTime": "2022-01-03T17:40:52.414772Z"
+ }
+ ],
+ "description": "## Overview\r\n\r\nSince the sanitize-html module trusts 'text' coming from htmlparser2, and outputs it without further escaping (because htmlparser2 does not decode entities in text before delivering it), this results in an XSS attack vector if sanitize-html ignores the img tag (according to user-configured filter rules) but passes the text intact, as it must do to keep any text in documents.\r\n\r\n\r\n## References\r\n- https://github.com/punkave/sanitize-html/issues/29",
+ "epssDetails": {
+ "percentile": "0.47924",
+ "probability": "0.00132",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2016-1000237"
+ ],
+ "CWE": [
+ "CWE-79"
+ ],
+ "GHSA": [
+ "GHSA-3j7m-hmh3-9jmp"
+ ],
+ "ALTERNATIVE": [
+ "SNYK-JS-SANITIZEHTML-10048"
+ ]
+ },
+ "packageName": "sanitize-html",
+ "proprietary": false,
+ "creationTime": "2015-11-06T02:09:36.180000Z",
+ "functions_new": [],
+ "alternativeIds": [
+ "SNYK-JS-SANITIZEHTML-10048"
+ ],
+ "disclosureTime": "2015-11-06T02:09:36Z",
+ "packageManager": "npm",
+ "publicationTime": "2015-11-06T02:09:36Z",
+ "modificationTime": "2022-01-03T17:40:52.414772Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "juice-shop@15.3.0",
+ "sanitize-html@1.4.2"
+ ],
+ "upgradePath": [
+ false,
+ "sanitize-html@1.4.3"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "sanitize-html",
+ "version": "1.4.2"
+ },
+ {
+ "id": "npm:sanitize-html:20160801",
+ "title": "Cross-site Scripting (XSS)",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
+ "credit": [
+ "Björn Kimminich"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<=1.4.2"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "medium",
+ "cvssScore": 4.7,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "sanitize-html",
+ "references": [
+ {
+ "url": "https://github.com/punkave/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/punkave/sanitize-html/issues/29",
+ "title": "GitHub Issue"
+ }
+ ],
+ "cvssDetails": [],
+ "description": "## Overview\nSanitization of HTML strings is not applied recursively to input, allowing an attacker to potentially inject script and other markup.\n\nSource: _Node Security Project_\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## Remediation\nUpgrade `sanitize-html` to `1.4.3` or later\n\n## References\n- https://github.com/punkave/sanitize-html/issues/29\n- https://github.com/punkave/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf\n\n",
+ "epssDetails": null,
+ "identifiers": {
+ "CVE": [],
+ "CWE": [
+ "CWE-79"
+ ],
+ "NSP": [
+ "135"
+ ],
+ "ALTERNATIVE": [
+ "SNYK-JS-SANITIZEHTML-10127"
+ ]
+ },
+ "packageName": "sanitize-html",
+ "proprietary": false,
+ "creationTime": "2016-08-02T08:28:08.097000Z",
+ "functions_new": [],
+ "alternativeIds": [
+ "SNYK-JS-SANITIZEHTML-10127"
+ ],
+ "disclosureTime": "2016-08-01T18:02:31Z",
+ "packageManager": "npm",
+ "publicationTime": "2016-08-01T18:02:31Z",
+ "modificationTime": "2020-12-14T14:41:17.951016Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "juice-shop@15.3.0",
+ "sanitize-html@1.4.2"
+ ],
+ "upgradePath": [
+ false,
+ "sanitize-html@1.4.3"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "sanitize-html",
+ "version": "1.4.2"
+ },
+ {
+ "id": "npm:sanitize-html:20161026",
+ "title": "Cross-site Scripting (XSS)",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
+ "credit": [
+ "Andrew Krasichkov"
+ ],
+ "semver": {
+ "vulnerable": [
+ "<1.11.4"
+ ]
+ },
+ "exploit": "Functional",
+ "fixedIn": [
+ "1.11.4"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "js",
+ "severity": "medium",
+ "cvssScore": 5.4,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "sanitize-html",
+ "references": [
+ {
+ "url": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/punkave/sanitize-html/issues/100",
+ "title": "GitHub Issue"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+ "cvssV3BaseScore": 6.1,
+ "modificationTime": "2022-01-03T16:21:19.197646Z"
+ }
+ ],
+ "description": "## Overview\n[`sanitize-html`](https://www.npmjs.com/package/sanitize-html) is a library for scrubbing html input of malicious values.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. If at least one `nonTextTags` tag is allowed, a malicious user may potentially conduct an XSS attack.\n\n**PoC:**\n```js\nvar sanitizeHtml = require('sanitize-html');\n\nvar dirty = '!!\n```\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## Remediation\nUpgrade `sanitize-html` to version 1.11.4 or later.\n\n## References\n- [GitHub Issue](https://github.com/punkave/sanitize-html/issues/100)\n- [GitHub Commit](https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)\n",
+ "epssDetails": {
+ "percentile": "0.35000",
+ "probability": "0.00084",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2017-16016"
+ ],
+ "CWE": [
+ "CWE-79"
+ ],
+ "NSP": [
+ "154"
+ ],
+ "GHSA": [
+ "GHSA-xc6g-ggrc-qq4r"
+ ],
+ "ALTERNATIVE": [
+ "SNYK-JS-SANITIZEHTML-10461"
+ ]
+ },
+ "packageName": "sanitize-html",
+ "proprietary": false,
+ "creationTime": "2017-04-12T10:49:58.283000Z",
+ "functions_new": [],
+ "alternativeIds": [
+ "SNYK-JS-SANITIZEHTML-10461"
+ ],
+ "disclosureTime": "2016-03-26T23:49:58.283000Z",
+ "packageManager": "npm",
+ "publicationTime": "2017-04-12T11:00:58.283000Z",
+ "modificationTime": "2022-01-03T16:21:19.197646Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "juice-shop@15.3.0",
+ "sanitize-html@1.4.2"
+ ],
+ "upgradePath": [
+ false,
+ "sanitize-html@1.11.4"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "sanitize-html",
+ "version": "1.4.2"
+ }
+ ],
+ "ok": false,
+ "dependencyCount": 71,
+ "org": "sarim04",
+ "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n",
+ "isPrivate": true,
+ "licensesPolicy": {
+ "severities": {},
+ "orgLicenseRules": {
+ "AGPL-1.0": {
+ "licenseType": "AGPL-1.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "AGPL-3.0": {
+ "licenseType": "AGPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "Artistic-1.0": {
+ "licenseType": "Artistic-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "Artistic-2.0": {
+ "licenseType": "Artistic-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CDDL-1.0": {
+ "licenseType": "CDDL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CPOL-1.02": {
+ "licenseType": "CPOL-1.02",
+ "severity": "high",
+ "instructions": ""
+ },
+ "EPL-1.0": {
+ "licenseType": "EPL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "GPL-2.0": {
+ "licenseType": "GPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "GPL-3.0": {
+ "licenseType": "GPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-2.0": {
+ "licenseType": "LGPL-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "LGPL-2.1": {
+ "licenseType": "LGPL-2.1",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "LGPL-3.0": {
+ "licenseType": "LGPL-3.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-1.1": {
+ "licenseType": "MPL-1.1",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-2.0": {
+ "licenseType": "MPL-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MS-RL": {
+ "licenseType": "MS-RL",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "SimPL-2.0": {
+ "licenseType": "SimPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ }
+ }
+ },
+ "packageManager": "npm",
+ "ignoreSettings": {
+ "adminOnly": false,
+ "reasonRequired": false,
+ "disregardFilesystemIgnores": false
+ },
+ "docker": {},
+ "summary": "12 vulnerable dependency paths",
+ "remediation": {
+ "unresolved": [],
+ "upgrade": {
+ "express-jwt@0.1.3": {
+ "upgradeTo": "express-jwt@6.0.0",
+ "upgrades": [
+ "express-jwt@0.1.3"
+ ],
+ "vulns": [
+ "SNYK-JS-EXPRESSJWT-575022"
+ ]
+ },
+ "jsonwebtoken@0.4.0": {
+ "upgradeTo": "jsonwebtoken@9.0.0",
+ "upgrades": [
+ "jsonwebtoken@0.4.0",
+ "jsonwebtoken@0.4.0",
+ "jsonwebtoken@0.4.0",
+ "jsonwebtoken@0.4.0"
+ ],
+ "vulns": [
+ "SNYK-JS-JSONWEBTOKEN-3180022",
+ "SNYK-JS-JSONWEBTOKEN-3180024",
+ "SNYK-JS-JSONWEBTOKEN-3180026",
+ "npm:jsonwebtoken:20150331"
+ ]
+ },
+ "sanitize-html@1.4.2": {
+ "upgradeTo": "sanitize-html@2.7.1",
+ "upgrades": [
+ "sanitize-html@1.4.2",
+ "sanitize-html@1.4.2",
+ "sanitize-html@1.4.2",
+ "sanitize-html@1.4.2",
+ "sanitize-html@1.4.2",
+ "sanitize-html@1.4.2",
+ "sanitize-html@1.4.2"
+ ],
+ "vulns": [
+ "SNYK-JS-SANITIZEHTML-2957526",
+ "SNYK-JS-SANITIZEHTML-1070780",
+ "SNYK-JS-SANITIZEHTML-1070786",
+ "SNYK-JS-SANITIZEHTML-585892",
+ "npm:sanitize-html:20161026",
+ "npm:sanitize-html:20141024",
+ "npm:sanitize-html:20160801"
+ ]
+ }
+ },
+ "patch": {},
+ "ignore": {},
+ "pin": {}
+ },
+ "filesystemPolicy": false,
+ "filtered": {
+ "ignore": [],
+ "patch": []
+ },
+ "uniqueCount": 12,
+ "targetFile": "/juice-shop/package.json",
+ "projectName": "juice-shop",
+ "displayTargetFile": "/juice-shop/package.json",
+ "hasUnknownVersions": false,
+ "path": "sarim04/juiceshop:latest"
+ }
+ ]
+ }
+
\ No newline at end of file
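Review bot: the Snyk fixture ends with `\ No newline at end of file`; add a trailing newline so it matches the other fixtures and does not produce a spurious diff on the next edit. Two edge cases in the data deserve explicit assertions in the parser test rather than only a finding count: every `upgradePath` starts with `false` (for example `false,` followed by `"sanitize-html@2.7.1"`), and the `npm:sanitize-html:20160801` entry has `"fixedIn": []` while still carrying `"isUpgradable": true`, so check how the mitigation text is derived when `fixedIn` is empty and only `upgradePath` names a version.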
diff --git a/unittests/scans/trivy/issue_9263.json b/unittests/scans/trivy/issue_9263.json
new file mode 100644
index 00000000000..daf5241a566
--- /dev/null
+++ b/unittests/scans/trivy/issue_9263.json
@@ -0,0 +1,75 @@
+{
+ "SchemaVersion": 2,
+ "ArtifactName": "sbom.json",
+ "ArtifactType": "cyclonedx",
+ "Metadata": {
+ "ImageConfig": {
+ "architecture": "",
+ "created": "0001-01-01T00:00:00Z",
+ "os": "",
+ "rootfs": {
+ "type": "",
+ "diff_ids": null
+ },
+ "config": {}
+ }
+ },
+ "Results": [
+ {
+ "Target": "requirements.txt",
+ "Class": "lang-pkgs",
+ "Type": "pip",
+ "Vulnerabilities": [
+ {
+ "VulnerabilityID": "CVE-2013-7445",
+ "PkgID": "linux-libc-dev@6.1.55-1",
+ "PkgName": "linux-libc-dev",
+ "InstalledVersion": "6.1.55-1",
+ "Status": "will_not_fix",
+ "Layer": {
+ "Digest": "sha256:938cae48a646a95127345a544f75f4e0b83f5fa612858e524aedea6981af4a1e",
+ "DiffID": "sha256:dfe25755ef07309fcb76dd47b2bb21e6dd92adedce8d9aa7f5bbceaf7fc726c9"
+ },
+ "SeveritySource": "nvd",
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2013-7445",
+ "DataSource": {
+ "ID": "debian",
+ "Name": "Debian Security Tracker",
+ "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+ },
+ "Title": "kernel: memory exhaustion via crafted Graphics Execution Manager (GEM) objects",
+ "Description": "The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.",
+ "Severity": "HIGH",
+ "CweIDs": [
+ "CWE-399"
+ ],
+ "VendorSeverity": {
+ "nvd": 3,
+ "redhat": 2,
+ "ubuntu": 2
+ },
+ "CVSS": {
+ "nvd": {
+ "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
+ "V2Score": 7.8
+ },
+ "redhat": {
+ "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
+ "V2Score": 4.3
+ }
+ },
+ "References": [
+ "https://access.redhat.com/security/cve/CVE-2013-7445",
+ "https://bugzilla.kernel.org/show_bug.cgi?id=60533",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7445",
+ "https://lists.freedesktop.org/archives/dri-devel/2015-September/089778.html (potential start towards fixing)",
+ "https://nvd.nist.gov/vuln/detail/CVE-2013-7445",
+ "https://www.cve.org/CVERecord?id=CVE-2013-7445"
+ ],
+ "PublishedDate": "2015-10-16T01:59:00.12Z",
+ "LastModifiedDate": "2015-10-16T16:22:25.587Z"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
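Review bot: the single vulnerability entry has `"Status": "will_not_fix"` and no `FixedVersion` key, and `Metadata.ImageConfig` is all empty strings; the unit test that consumes this fixture should assert that the parser tolerates the absent `FixedVersion` (empty mitigation, no KeyError) and the empty image metadata, and a one-line comment naming what issue 9263 reports would make the regression intent clear. Also note the inconsistency that the result is typed `"Class": "lang-pkgs"`, `"Type": "pip"` with `"Target": "requirements.txt"` while the package is the Debian `linux-libc-dev@6.1.55-1`; if this is copied from a real scan it is fine as regression data, otherwise a pip package would read coherently. The file also lacks a trailing newline.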
diff --git a/unittests/test_finding_model.py b/unittests/test_finding_model.py
index d6efb450668..ca7494142e5 100644
--- a/unittests/test_finding_model.py
+++ b/unittests/test_finding_model.py
@@ -1,5 +1,5 @@
from .dojo_test_case import DojoTestCase
-from dojo.models import Finding, Test, Engagement
+from dojo.models import Finding, Test, Engagement, DojoMeta
class TestFindingModel(DojoTestCase):
@@ -50,6 +50,165 @@ def test_get_file_path_with_link_and_source_code_management_uri(self):
engagement.source_code_management_uri = 'URL'
self.assertEqual('FilePath', finding.get_file_path_with_link())
+ def test_get_file_path_with_link_and_source_code_management_uri_github_no_scm_type_with_details_and_line(self):
+ # checks that for github.com in uri dojo makes correct url to browse on github
+
+ test = Test()
+ engagement = Engagement()
+ test.engagement = engagement
+ engagement.commit_hash = "some-commit-hash"
+ engagement.branch_tag = "some-branch"
+ finding = Finding()
+ finding.test = test
+ finding.file_path = 'some-folder/some-file.ext'
+ finding.line = 5432
+ engagement.source_code_management_uri = 'https://github.com/some-test-account/some-test-repo'
+ self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link())
+
+ def test_get_file_path_with_link_and_source_code_management_uri_github_with_scm_type_with_details_and_line(self):
+ # checks that for github in custom field dojo makes correct url to browse on github
+
+ # create scm-type custom field with value "github"
+ product_type = self.create_product_type('test_product_type')
+ product = self.create_product(name='test_product', prod_type=product_type)
+ product_metadata = DojoMeta(product=product, name="scm-type", value="github")
+ product_metadata.save()
+
+ # create finding with scm uri and commit hash, branch and line
+ test = Test()
+ engagement = Engagement()
+ engagement.product = product
+ test.engagement = engagement
+ engagement.commit_hash = "some-commit-hash"
+ engagement.branch_tag = "some-branch"
+ finding = Finding()
+ finding.test = test
+ finding.file_path = 'some-folder/some-file.ext'
+ finding.line = 5432
+
+ engagement.source_code_management_uri = 'https://github.com/some-test-account/some-test-repo'
+ self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link())
+
+ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_public_project_with_no_details_and_line(self):
+ # checks that for public bitbucket (bitbucket.org) in custom field
+ # dojo makes correct url to browse on public bitbucket (for project uri)
+
+ # create scm-type custom field with value "bitbucket"
+ product_type = self.create_product_type('test_product_type')
+ product = self.create_product(name='test_product', prod_type=product_type)
+ product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket")
+ product_metadata.save()
+
+ # create finding with scm uri line
+ test = Test()
+ engagement = Engagement()
+ engagement.product = product
+ test.engagement = engagement
+ finding = Finding()
+ finding.test = test
+ finding.file_path = 'some-folder/some-file.ext'
+ finding.line = 5432
+
+ engagement.source_code_management_uri = 'https://bb.example.com/some-test-user/some-test-repo.git'
+ self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link())
+
+ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_public_project_with_commithash_and_line(self):
+ # checks that for public bitbucket (bitbucket.org) in custom field and existing commit hash in finding
+ # dojo makes correct url to browse on public bitbucket (for project uri)
+
+ # create scm-type custom field with value "bitbucket"
+ product_type = self.create_product_type('test_product_type')
+ product = self.create_product(name='test_product', prod_type=product_type)
+ product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket")
+ product_metadata.save()
+
+ # create finding with scm uri and commit hash, branch and line
+ test = Test()
+ engagement = Engagement()
+ engagement.product = product
+ test.engagement = engagement
+ engagement.commit_hash = "some-commit-hash"
+ finding = Finding()
+ finding.test = test
+ finding.file_path = 'some-folder/some-file.ext'
+ finding.line = 5432
+
+ engagement.source_code_management_uri = 'https://bb.example.com/some-test-user/some-test-repo.git'
+ self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link())
+
+ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standalone_project_with_commithash_and_line(self):
+ # checks that for standalone bitbucket in custom field and existing commit hash in finding
+ # dojo makes correct url to browse on standalone/onpremise bitbucket (for project uri)
+
+ # create scm-type custom field with value "bitbucket-standalone"
+ product_type = self.create_product_type('test_product_type')
+ product = self.create_product(name='test_product', prod_type=product_type)
+ product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket-standalone")
+ product_metadata.save()
+
+ # create finding with scm uri and commit hash, branch and line
+ test = Test()
+ engagement = Engagement()
+ engagement.product = product
+ test.engagement = engagement
+ engagement.commit_hash = "some-commit-hash"
+ finding = Finding()
+ finding.test = test
+ finding.file_path = 'some-folder/some-file.ext'
+ finding.line = 5432
+
+ engagement.source_code_management_uri = 'https://bb.example.com/scm/some-test-project/some-test-repo.git'
+ self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link())
+
+ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standalone_project_with_branchtag_and_line(self):
+ # checks that for standalone bitbucket in custom field and existing branch/tag in finding
+ # dojo makes correct url to browse on standalone/onpremise bitbucket (for project uri)
+
+ # create scm-type custom field with value "bitbucket-standalone"
+ product_type = self.create_product_type('test_product_type')
+ product = self.create_product(name='test_product', prod_type=product_type)
+ product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket-standalone")
+ product_metadata.save()
+
+ # create finding with scm uri and commit hash, branch and line
+ test = Test()
+ engagement = Engagement()
+ engagement.product = product
+ test.engagement = engagement
+ engagement.branch_tag = "some-branch"
+ finding = Finding()
+ finding.test = test
+ finding.file_path = 'some-folder/some-file.ext'
+ finding.line = 5432
+
+ engagement.source_code_management_uri = 'https://bb.example.com/scm/some-test-project/some-test-repo.git'
+ self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link())
+
+ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standalone_user_with_branchtag_and_line(self):
+ # checks that for standalone bitbucket in custom field and existing branch/tag in finding
+ # dojo makes correct url to browse on standalone/onpremise bitbucket (for user uri)
+
+ # create scm-type custom field with value "bitbucket-standalone"
+ product_type = self.create_product_type('test_product_type')
+ product = self.create_product(name='test_product', prod_type=product_type)
+ product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket-standalone")
+ product_metadata.save()
+
+ # create finding with scm uri and commit hash, branch and line
+ test = Test()
+ engagement = Engagement()
+ engagement.product = product
+ test.engagement = engagement
+ engagement.branch_tag = "some-branch"
+ finding = Finding()
+ finding.test = test
+ finding.file_path = 'some-folder/some-file.ext'
+ finding.line = 5432
+
+ engagement.source_code_management_uri = 'https://bb.example.com/scm/~some-user/some-test-repo.git'
+
+ self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link())
+
def test_get_file_path_with_xss_attack(self):
test = Test()
engagement = Engagement()
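Review bot: each of the seven new tests asserts `'some-folder/some-file.ext'` from `finding.get_file_path_with_link()`, which is just the bare `file_path`; the comments say the tests check that "dojo makes correct url to browse on github" or bitbucket, but the generated link (incorporating `commit_hash`, `branch_tag` and `line`) is never asserted. Either assert on the rendered link for each `scm-type` value or reword the comments to say the tests only check that the method returns the file path without error. Minor: the comment `# create finding with scm uri and commit hash, branch and line` is copied into tests that set only `commit_hash` or only `branch_tag`, and the `bitbucket_public_project` tests use `https://bb.example.com/...` rather than the bitbucket.org URI the comment describes.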
diff --git a/unittests/test_flush_auditlog.py b/unittests/test_flush_auditlog.py
new file mode 100644
index 00000000000..ffaeb538baa
--- /dev/null
+++ b/unittests/test_flush_auditlog.py
@@ -0,0 +1,45 @@
+from dojo.tasks import flush_auditlog
+from .dojo_test_case import DojoTestCase
+from django.test import override_settings
+from auditlog.models import LogEntry
+from datetime import date, datetime
+from dojo.models import Finding
+from dateutil.relativedelta import relativedelta
+import logging
+logger = logging.getLogger(__name__)
+
+
+class TestFlushAuditlog(DojoTestCase):
+ fixtures = ['dojo_testdata.json']
+
+ @override_settings(AUDITLOG_FLUSH_RETENTION_PERIOD=-1)
+ def test_flush_auditlog_disabled(self):
+ entries_before = LogEntry.objects.all().count()
+ flush_auditlog()
+ entries_after = LogEntry.objects.all().count()
+ self.assertEqual(entries_before, entries_after)
+
+ @override_settings(AUDITLOG_FLUSH_RETENTION_PERIOD=0)
+ def test_delete_all_entries(self):
+ entries_before = LogEntry.objects.filter(timestamp__date__lt=date.today()).count()
+ flush_auditlog()
+ entries_after = LogEntry.objects.filter(timestamp__date__lt=date.today()).count()
+ # we have three old log entries in our testdata
+ self.assertEqual(entries_before - 3, entries_after)
+
+ @override_settings(AUDITLOG_FLUSH_RETENTION_PERIOD=1)
+ def test_delete_entries_with_retention_period(self):
+ entries_before = LogEntry.objects.filter(timestamp__date__lt=date.today()).count()
+ two_weeks_ago = datetime.today() - relativedelta(weeks=2)
+ log_entry = LogEntry.objects.log_create(
+ instance=Finding.objects.all()[0],
+ timestamp=two_weeks_ago,
+ changes="foo",
+ action=LogEntry.Action.UPDATE,
+ )
+ log_entry.timestamp = two_weeks_ago
+ log_entry.save()
+ flush_auditlog()
+ entries_after = LogEntry.objects.filter(timestamp__date__lt=date.today()).count()
+ # we have three old log entries in our testdata and added a new one
+ self.assertEqual(entries_before - 3 + 1, entries_after)
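Review bot: in test_delete_entries_with_retention_period the timestamp is passed to LogEntry.objects.log_create() and then assigned again and saved on the next two lines; if the second assignment is there because auditlog overwrites timestamp on create, add a comment saying so, otherwise drop one of the two. `logging` and `logger` are imported and defined but never used, and `Finding.objects.all()[0]` reads better as `Finding.objects.first()`. The hard-coded "three old log entries" couples all three tests to dojo_testdata.json; naming which fixture entries those are in the comment would make a later fixture change easier to diagnose.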
diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py
index 69f318ec3a9..c5e10179cb0 100644
--- a/unittests/test_rest_framework.py
+++ b/unittests/test_rest_framework.py
@@ -12,7 +12,7 @@
Product_Group, Global_Role, Dojo_Group_Member, Language_Type, Languages, \
Notifications, UserContactInfo, Cred_Mapping, Cred_User, \
TextQuestion, ChoiceQuestion, TextAnswer, ChoiceAnswer, Engagement_Survey, \
- Answered_Survey, General_Survey
+ Answered_Survey, General_Survey, Announcement
from dojo.api_v2.views import DevelopmentEnvironmentViewSet, EndPointViewSet, EngagementViewSet, \
FindingTemplatesViewSet, FindingViewSet, JiraInstanceViewSet, \
JiraIssuesViewSet, JiraProjectViewSet, ProductViewSet, \
@@ -26,7 +26,8 @@
NotificationsViewSet, UserContactInfoViewSet, ProductAPIScanConfigurationViewSet, \
ConfigurationPermissionViewSet, CredentialsMappingViewSet, \
CredentialsViewSet, QuestionnaireQuestionViewSet, QuestionnaireAnswerViewSet, \
- QuestionnaireGeneralSurveyViewSet, QuestionnaireEngagementSurveyViewSet, QuestionnaireAnsweredSurveyViewSet
+ QuestionnaireGeneralSurveyViewSet, QuestionnaireEngagementSurveyViewSet, QuestionnaireAnsweredSurveyViewSet, \
+ AnnouncementViewSet
from json import dumps
from enum import Enum
from django.urls import reverse
@@ -1585,7 +1586,7 @@ def __init__(self, *args, **kwargs):
}
self.update_fields = {"first_name": "test changed", "configuration_permissions": [219, 220]}
self.test_type = TestType.CONFIGURATION_PERMISSIONS
- self.deleted_objects = 18
+ self.deleted_objects = 19
BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs)
def test_create_user_with_non_configuration_permissions(self):
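Review bot: the bump of self.deleted_objects from 18 to 19 is a magic number with no explanation; a comment stating which newly added object accounts for the extra deletion would help the next person who has to adjust it.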
@@ -2835,3 +2836,25 @@ def __init__(self, *args, **kwargs):
self.test_type = TestType.STANDARD
self.deleted_objects = 5
BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs)
+
+
+class AnnouncementTest(BaseClass.RESTEndpointTest):
+ fixtures = ['dojo_testdata.json']
+
+ def __init__(self, *args, **kwargs):
+ self.endpoint_model = Announcement
+ self.endpoint_path = 'announcements'
+ self.viewname = 'announcement'
+ self.viewset = AnnouncementViewSet
+ self.payload = {
+ "message": "Test template",
+ "style": "info",
+ "dismissable": True,
+ }
+ self.update_fields = {'style': 'warning'}
+ self.test_type = TestType.CONFIGURATION_PERMISSIONS
+ self.deleted_objects = 7
+ BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs)
+
+ def test_create(self):
+ self.skipTest('Only one Announcement can exists')
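Review bot: skipping test_create in AnnouncementTest leaves the create path of the announcements endpoint untested even though test_type is CONFIGURATION_PERMISSIONS; rather than self.skipTest, consider asserting the response the API returns when a second Announcement is posted, if the fixture already contains one. The skip message 'Only one Announcement can exists' should read 'can exist'. self.deleted_objects = 7 would also benefit from a short comment on what is counted.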
diff --git a/unittests/test_swagger_schema.py b/unittests/test_swagger_schema.py
index af992916aeb..9f1316b4d2e 100644
--- a/unittests/test_swagger_schema.py
+++ b/unittests/test_swagger_schema.py
@@ -20,14 +20,14 @@
SonarqubeIssueTransitionViewSet, StubFindingsViewSet, SystemSettingsViewSet, \
TestTypesViewSet, TestsViewSet, ToolConfigurationsViewSet, ToolProductSettingsViewSet, \
ToolTypesViewSet, UsersViewSet, JiraIssuesViewSet, JiraProjectViewSet, AppAnalysisViewSet, \
- LanguageTypeViewSet, LanguageViewSet
+ LanguageTypeViewSet, LanguageViewSet, AnnouncementViewSet
from dojo.models import \
Development_Environment, Endpoint_Status, Endpoint, Engagement, Finding_Template, \
Finding, JIRA_Instance, JIRA_Issue, DojoMeta, Note_Type, Notes, Product_Type, Product, Regulation, \
Sonarqube_Issue, Product_API_Scan_Configuration, Sonarqube_Issue_Transition, \
Stub_Finding, System_Settings, Test_Type, Test, Tool_Configuration, Tool_Product_Settings, \
- Tool_Type, Dojo_User, JIRA_Project, App_Analysis, Language_Type, Languages
+ Tool_Type, Dojo_User, JIRA_Project, App_Analysis, Language_Type, Languages, Announcement
from dojo.api_v2.serializers import \
DevelopmentEnvironmentSerializer, EndpointStatusSerializer, EndpointSerializer, \
@@ -37,7 +37,7 @@
SonarqubeIssueSerializer, ProductAPIScanConfigurationSerializer, SonarqubeIssueTransitionSerializer, \
StubFindingSerializer, SystemSettingsSerializer, TestTypeSerializer, TestSerializer, ToolConfigurationSerializer, \
ToolProductSettingsSerializer, ToolTypeSerializer, UserSerializer, NoteSerializer, ProductTypeSerializer, \
- AppAnalysisSerializer, LanguageTypeSerializer, LanguageSerializer
+ AppAnalysisSerializer, LanguageTypeSerializer, LanguageSerializer, AnnouncementSerializer
SWAGGER_SCHEMA_GENERATOR = OpenAPISchemaGenerator(Info("defectdojo", "v2"))
BASE_API_URL = "/api/v2"
@@ -818,3 +818,15 @@ def __init__(self, *args, **kwargs):
def test_post_endpoint(self):
super().test_post_endpoint(extra_data={"language": 2})
+
+
+class AnnouncementTest(BaseClass.SchemaTest):
+ def __init__(self, *args, **kwargs):
+ super().__init__(*args, **kwargs)
+ self.viewname = "announcements"
+ self.viewset = AnnouncementViewSet
+ self.model = Announcement
+ self.serializer = AnnouncementSerializer
+
+ def test_post_endpoint(self, extra_data=[], extra_args=None):
+ self.skipTest('Only one Announcement can exists')
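Review bot: test_post_endpoint uses a mutable default argument (extra_data=[]); use extra_data=None to match the idiom and the base class signature. As in test_rest_framework.py, skipping the POST test means the announcements request schema is never validated against the generated OpenAPI document; if the single-instance constraint is the concern, testing the error response instead would keep that coverage. 'can exists' should read 'can exist'.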
diff --git a/unittests/tools/test_cyclonedx_parser.py b/unittests/tools/test_cyclonedx_parser.py
index cb740ebe3dc..272868cc5d6 100644
--- a/unittests/tools/test_cyclonedx_parser.py
+++ b/unittests/tools/test_cyclonedx_parser.py
@@ -5,7 +5,7 @@
from dojo.tools.cyclonedx.parser import CycloneDXParser
-class TestParser(DojoTestCase):
+class TestCyclonedxParser(DojoTestCase):
def test_grype_report(self):
with open("unittests/scans/cyclonedx/grype_dd_1_14_1.xml") as file:
parser = CycloneDXParser()
@@ -349,3 +349,16 @@ def test_cyclonedx_1_4_json_nested_cvssv31(self):
self.assertEqual("log4j-core", finding.component_name)
self.assertEqual("2.13.2", finding.component_version)
self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", finding.cvssv3)
+
+ def test_cyclonedx_issue_9277(self):
+ """CycloneDX version 1.5 JSON format"""
+ with open("unittests/scans/cyclonedx/issue_9277.json") as file:
+ parser = CycloneDXParser()
+ findings = parser.get_findings(file, Test())
+ for finding in findings:
+ self.assertIn(finding.severity, Finding.SEVERITIES)
+ finding.clean()
+ self.assertEqual(14, len(findings))
+ with self.subTest(i=0):
+ finding = findings[1]
+ self.assertEqual("Description was not provided.", finding.description)
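Review bot: in test_cyclonedx_issue_9277 the subTest label i=0 does not match the finding being checked, findings[1]; use self.subTest(i=1) (or index 0 consistently) so a failure report points at the right finding. The docstring "CycloneDX version 1.5 JSON format" could also say what issue 9277 was about, so the regression test is self-describing.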
diff --git a/unittests/tools/test_kiuwan_parser.py b/unittests/tools/test_kiuwan_parser.py
index 7e856ef9e68..340868c0181 100644
--- a/unittests/tools/test_kiuwan_parser.py
+++ b/unittests/tools/test_kiuwan_parser.py
@@ -23,3 +23,9 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
parser = KiuwanParser()
findings = parser.get_findings(testfile, Test())
self.assertEqual(131, len(findings))
+
+ def test_parse_file_issue_9308(self):
+ testfile = open("unittests/scans/kiuwan/issue_9308.csv")
+ parser = KiuwanParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(2, len(findings))
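Review bot: test_parse_file_issue_9308 opens the sample with a bare open() and never closes it, which leaks the file handle and triggers ResourceWarning under the test runner; use `with open("unittests/scans/kiuwan/issue_9308.csv") as testfile:` as the other parser tests in this patch do. Asserting only len(findings) == 2 is weak for a regression test; checking the title or severity of one finding would catch a parser that still mis-reads the row.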
diff --git a/unittests/tools/test_nikto_parser.py b/unittests/tools/test_nikto_parser.py
index ae8612dc082..6fba5a6fd72 100644
--- a/unittests/tools/test_nikto_parser.py
+++ b/unittests/tools/test_nikto_parser.py
@@ -176,3 +176,12 @@ def test_parse_file_xml_another(self):
self.assertEqual(443, endpoint.port)
self.assertEqual("64.220.43.153", endpoint.host)
self.assertIsNone(endpoint.path)
+
+ def test_parse_file_issue_9274(self):
+ testfile = open("unittests/scans/nikto/issue_9274.json")
+ parser = NiktoParser()
+ findings = parser.get_findings(testfile, Test())
+ for finding in findings:
+ for endpoint in finding.unsaved_endpoints:
+ endpoint.clean()
+ self.assertEqual(8, len(findings))
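Review bot: the same file-handle leak as in test_kiuwan_parser.py: testfile is opened without a context manager and never closed; wrap it in `with open(...) as testfile:`. The loop calling endpoint.clean() only validates that the endpoints are well-formed; asserting a host or path from one of the eight findings would make the test specific to issue 9274 rather than just a count.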
diff --git a/unittests/tools/test_qualys_parser.py b/unittests/tools/test_qualys_parser.py
index d3603b62b12..498c66c235a 100644
--- a/unittests/tools/test_qualys_parser.py
+++ b/unittests/tools/test_qualys_parser.py
@@ -13,6 +13,42 @@ def test_parse_file_with_no_vuln_has_no_findings(self):
findings = parser.get_findings(testfile, Test())
self.assertEqual(0, len(findings))
+ def test_parse_file_with_cvss_values_and_scores(self):
+ testfile = open(
+ get_unit_tests_path() + "/scans/qualys/Qualys_Sample_Report.xml"
+ )
+ parser = QualysParser()
+ findings = parser.get_findings(testfile, Test())
+ for finding in findings:
+ if finding.unsaved_endpoints[0].host == "demo14.s02.sjc01.qualys.com" and finding.title == "QID-370876 | AMD Processors Multiple Security Vulnerabilities (RYZENFALL/MASTERKEY/CHIMERA-FW/FALLOUT)":
+ finding_cvssv3_score = finding
+ if finding.unsaved_endpoints[0].host == "demo13.s02.sjc01.qualys.com" and finding.title == "QID-370876 | AMD Processors Multiple Security Vulnerabilities (RYZENFALL/MASTERKEY/CHIMERA-FW/FALLOUT)":
+ finding_no_cvssv3_at_detection = finding
+ if finding.unsaved_endpoints[0].host == "demo14.s02.sjc01.qualys.com" and finding.title == "QID-121695 | NTP \"monlist\" Feature Denial of Service Vulnerability":
+ finding_no_cvssv3 = finding
+ # The CVSS Vector is not used from the Knowledgebase
+ self.assertEqual(
+ # CVSS_FINAL is defined without a cvssv3 vector
+ finding_cvssv3_score.cvssv3, None
+ )
+ # Nevertheless the CVSSv3 Score should be set
+ self.assertEqual(
+ finding_cvssv3_score.cvssv3_score, 8.2
+ )
+ # If no cvss information is present in detection and not in knowledgebase values should be empty
+ self.assertEqual(
+ finding_no_cvssv3.cvssv3, None
+ )
+ self.assertEqual(
+ finding_no_cvssv3.cvssv3_score, None
+ )
+ # No CVSS Values available in detection and it uses the knowledgebase then
+ self.assertEqual(finding_no_cvssv3_at_detection.cvssv3,
+ "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H")
+ self.assertEqual(
+ finding_no_cvssv3_at_detection.cvssv3_score, 9.0
+ )
+
def test_parse_file_with_multiple_vuln_has_multiple_findings(self):
testfile = open(
get_unit_tests_path() + "/scans/qualys/Qualys_Sample_Report.xml"
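Review bot: finding_cvssv3_score, finding_no_cvssv3_at_detection and finding_no_cvssv3 are only assigned inside the if branches; if the sample report changes, the test fails with a NameError rather than a clear assertion. Initialise them to None before the loop and assertIsNotNone each one after it. assertEqual(x, None) should be assertIsNone(x), the file is opened without a context manager, and the three long title comparisons could share a constant for the QID-370876 title.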
diff --git a/unittests/tools/test_snyk_parser.py b/unittests/tools/test_snyk_parser.py
index 6eb9e04de89..18018c95582 100644
--- a/unittests/tools/test_snyk_parser.py
+++ b/unittests/tools/test_snyk_parser.py
@@ -163,13 +163,22 @@ def test_snykParser_update_libs_tag(self):
with open("unittests/scans/snyk/single_project_upgrade_libs.json") as testfile:
parser = SnykParser()
findings = parser.get_findings(testfile, Test())
- for index in range(len(findings)):
- print(index, findings[index], findings[index].unsaved_tags)
self.assertEqual(254, len(findings))
# acme-review@1.0.0: Remote Code Execution (RCE)
finding = findings[227]
- print(finding, finding.severity, finding.unsaved_tags)
self.assertEqual("High", finding.severity)
self.assertIn('target_file:package-lock.json', finding.unsaved_tags)
self.assertIn('upgrade_to:react-scripts@5.0.0', finding.unsaved_tags)
self.assertIn('shell-quote@1.7.2', finding.mitigation)
+
+ def test_snykcontainer_issue_9270(self):
+ with open("unittests/scans/snyk/snykcontainer_issue_9270.json") as testfile:
+ parser = SnykParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(25, len(findings))
+
+ def test_snykcode_issue_9270(self):
+ with open("unittests/scans/snyk/snykcode_issue_9270.json") as testfile:
+ parser = SnykParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(39, len(findings))
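Review bot: removing the debug print() calls from test_snykParser_update_libs_tag is right. The two new issue-9270 tests assert only the number of findings; judging by the names they cover Snyk Container and Snyk Code output, so add at least one assertion on a field (severity, title, component or tag) so the test fails if the parser returns 25 or 39 malformed findings.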
diff --git a/unittests/tools/test_trivy_parser.py b/unittests/tools/test_trivy_parser.py
index 17d59c6f1e9..1c38f3c2104 100644
--- a/unittests/tools/test_trivy_parser.py
+++ b/unittests/tools/test_trivy_parser.py
@@ -209,3 +209,11 @@ def test_issue_9170(self):
finding = findings[0]
self.assertEqual("Low", finding.severity)
self.assertEqual("KSV116 - Runs with a root primary or supplementary GID", finding.title)
+
+ def test_issue_9263(self):
+ test_file = open(sample_path("issue_9263.json"))
+ parser = TrivyParser()
+ findings = parser.get_findings(test_file, Test())
+ self.assertEqual(len(findings), 1)
+ finding = findings[0]
+ self.assertEqual("High", finding.severity)
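Review bot: test_issue_9263 opens the sample with a bare open() and never closes it; use `with open(sample_path("issue_9263.json")) as test_file:`, matching the style of the surrounding tests. The test checks only the severity of the single finding; if issue 9263 concerned another field, assert that field as well.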