From 3dba30427a5ba7816de9153a2145a321b00097e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 11:55:05 -0600 Subject: [PATCH 01/46] Bump boto3 from 1.34.9 to 1.34.11 (#9254) Bumps [boto3](https://github.com/boto/boto3) from 1.34.9 to 1.34.11. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.34.9...1.34.11) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 43225bd929f..ec1ad606fb5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -79,7 +79,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support -boto3==1.34.9 # Required for Celery Broker AWS (SQS) support +boto3==1.34.11 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.1 fontawesomefree==6.5.1 From b4739ce36cf9bcd1f4ba2d14e07dafa58a111b8d Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Tue, 2 Jan 2024 18:31:08 +0000 Subject: [PATCH 02/46] Update versions in application files --- components/package.json | 2 +- docs/content/en/getting_started/upgrading/2.31.md | 7 +++++++ dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 4 files changed, 11 insertions(+), 4 deletions(-) create mode 100644 docs/content/en/getting_started/upgrading/2.31.md diff --git a/components/package.json b/components/package.json index 2d6cc4e9cb4..262ef7e6f3b 100644 --- a/components/package.json +++ b/components/package.json 
@@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.30.0", + "version": "2.31.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/docs/content/en/getting_started/upgrading/2.31.md b/docs/content/en/getting_started/upgrading/2.31.md new file mode 100644 index 00000000000..c07494e8174 --- /dev/null +++ b/docs/content/en/getting_started/upgrading/2.31.md @@ -0,0 +1,7 @@ +--- +title: 'Upgrading to DefectDojo Version 2.31.x' +toc_hide: true +weight: -20240102 +description: No special instructions. +--- +There are no special instructions for upgrading to 2.31.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.31.0) for the contents of the release. diff --git a/dojo/__init__.py b/dojo/__init__.py index 401210d004f..9406e56f475 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa -__version__ = '2.30.0' +__version__ = '2.31.0-dev' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 7cfe0cdda77..d69a469198c 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.30.0" +appVersion: "2.31.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.103 +version: 1.6.104-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From af66030e99db0f9b3287e58fbfc5efb0b074bb8c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 12:33:12 -0600 Subject: [PATCH 03/46] Bump lxml from 4.9.4 to 5.0.0 (#9251) Bumps [lxml](https://github.com/lxml/lxml) from 4.9.4 to 5.0.0. - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](https://github.com/lxml/lxml/compare/lxml-4.9.4...lxml-5.0.0) --- updated-dependencies: - dependency-name: lxml dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index ec1ad606fb5..df1ea857c4f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,7 +31,7 @@ html2text==2020.1.16 humanize==4.9.0 jira==3.5.2 PyGithub==1.58.2 -lxml==4.9.4 +lxml==5.0.0 Markdown==3.5.1 mysqlclient==2.1.1 openpyxl==3.1.2 From 5cd53bcc36de3ba3d4a2ad46ec16df2b2d0d7cad Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 12:34:05 -0600 Subject: [PATCH 04/46] Update rabbitmq:3.12.11-alpine Docker digest from 3.12.11 to 3.12.11-alpine (docker-compose.yml) (#9240) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index da4bedd3b7f..df5a750985e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -149,7 +149,7 @@ services: volumes: - defectdojo_postgres:/var/lib/postgresql/data rabbitmq: - image: rabbitmq:3.12.11-alpine@sha256:382561a75b70c00e4ae0f1788a1a6b032eace5073abadb25547496879c65c7c2 + image: rabbitmq:3.12.11-alpine@sha256:8fa94d239594edc46213a31461028c0b33308411d1d8ed541cf568eb6c4843b7 profiles: - mysql-rabbitmq - postgres-rabbitmq From 960859ffad2d3132f66a875cba80457110b49506 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 12:35:03 -0600 Subject: [PATCH 05/46] Bump sqlalchemy from 2.0.23 to 2.0.24 (#9244) Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.23 to 2.0.24. - [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases) - [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst) - [Commits](https://github.com/sqlalchemy/sqlalchemy/commits) --- updated-dependencies: - dependency-name: sqlalchemy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index df1ea857c4f..2402fb5a8c0 100644 --- a/requirements.txt +++ b/requirements.txt @@ -43,7 +43,7 @@ python-dateutil==2.8.2 pytz==2023.3.post1 redis==5.0.1 requests==2.31.0 -sqlalchemy==2.0.23 # Required by Celery broker transport +sqlalchemy==2.0.24 # Required by Celery broker transport supervisor==4.2.5 urllib3==1.26.18 uWSGI==2.0.23 From b329ee640c3ade7990c034d95ca6ded4eb7a9430 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 12:35:27 -0600 Subject: [PATCH 06/46] Bump drf-spectacular-sidecar from 2023.12.1 to 2024.1.1 (#9252) Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2023.12.1 to 2024.1.1. - [Commits](https://github.com/tfranzel/drf-spectacular-sidecar/compare/2023.12.1...2024.1.1) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 2402fb5a8c0..f851dbaf7d5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -74,7 +74,7 @@ hyperlink==21.0.0 django-test-migrations==1.3.0 djangosaml2==1.9.0 drf-spectacular==0.27.0 -drf-spectacular-sidecar==2023.12.1 +drf-spectacular-sidecar==2024.1.1 django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 From 007689424c5516dfbd4986d256c6b3353802e02f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 12:36:11 -0600 Subject: [PATCH 07/46] Update manusa/actions-setup-minikube action from v2.9.0 to v2.10.0 (.github/workflows/k8s-tests.yml) (#9257) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/k8s-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml index 8f42ec29053..f5ec107d83f 100644 --- a/.github/workflows/k8s-tests.yml +++ b/.github/workflows/k8s-tests.yml 
@@ -78,7 +78,7 @@ jobs: uses: actions/checkout@v4 - name: Setup Minikube - uses: manusa/actions-setup-minikube@v2.9.0 + uses: manusa/actions-setup-minikube@v2.10.0 with: minikube version: 'v1.24.0' kubernetes version: ${{ matrix.k8s }} From 9a98df708ba5ffac97f01155fb8e04ab3a9dc5c4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 10:39:53 -0600 Subject: [PATCH 08/46] Bump sqlalchemy from 2.0.24 to 2.0.25 (#9266) Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.24 to 2.0.25. - [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases) - [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst) - [Commits](https://github.com/sqlalchemy/sqlalchemy/commits) --- updated-dependencies: - dependency-name: sqlalchemy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index f851dbaf7d5..3436894f117 100644 --- a/requirements.txt +++ b/requirements.txt @@ -43,7 +43,7 @@ python-dateutil==2.8.2 pytz==2023.3.post1 redis==5.0.1 requests==2.31.0 -sqlalchemy==2.0.24 # Required by Celery broker transport +sqlalchemy==2.0.25 # Required by Celery broker transport supervisor==4.2.5 urllib3==1.26.18 uWSGI==2.0.23 From b5c6b2b8b84949b652f8a3c8170a8855650a13d2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 10:40:19 -0600 Subject: [PATCH 09/46] Bump pillow from 10.1.0 to 10.2.0 (#9265) Bumps [pillow](https://github.com/python-pillow/Pillow) from 10.1.0 to 10.2.0. - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](https://github.com/python-pillow/Pillow/compare/10.1.0...10.2.0) --- updated-dependencies: - dependency-name: pillow dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 3436894f117..5b2d1620228 100644 --- a/requirements.txt +++ b/requirements.txt @@ -36,7 +36,7 @@ Markdown==3.5.1 mysqlclient==2.1.1 openpyxl==3.1.2 xlrd==1.2.0 -Pillow==10.1.0 # required by django-imagekit +Pillow==10.2.0 # required by django-imagekit psycopg2-binary==2.9.9 cryptography==41.0.7 python-dateutil==2.8.2 From 59fab10c3a58aabc704b164434d0a662d86ed933 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Wed, 3 Jan 2024 17:46:35 +0100 Subject: [PATCH 10/46] :bug: fix zap, issue #9242 (#9243) * :bug: fix zap, issue #9242 * adapt identiation --- dojo/tools/zap/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/zap/parser.py b/dojo/tools/zap/parser.py index c62362cab53..f7411daea21 100755 --- a/dojo/tools/zap/parser.py +++ b/dojo/tools/zap/parser.py 
@@ -71,7 +71,7 @@ def get_findings(self, file, test): # The report is in the regular XML format, without requests and responses. # Use the default settings for constructing the request # and response fields. - request = f"{instance.findtext('method')} {endpoint.query}#{endpoint.fragment}" + request = f"Method: {instance.findtext('method')} \nParam: {instance.findtext('param')} \nAttack: {instance.findtext('attack')} \nEndpointQuery: {endpoint.query} \nEndpointFragment: {endpoint.fragment}" response = f"{instance.findtext('evidence')}" # we remove query and fragment because with some configuration From 38f4d228d96f20b3e582e5fa33d7eaaab80ac460 Mon Sep 17 00:00:00 2001 From: kiblik Date: Wed, 3 Jan 2024 17:47:12 +0100 Subject: [PATCH 11/46] API: Add Announcements (#9112) * Add Announcement to API * Add test_rest_framework * Add test_swagger_schema * Flake8 * Fix count * Skip test * Inc db_mig * Use DojoModelViewSet * inc db_mig --- dojo/announcement/signals.py | 13 +++++++++ dojo/announcement/views.py | 11 +------ dojo/api_v2/serializers.py | 18 ++++++++++++ dojo/api_v2/views.py | 12 ++++++++ .../0195_alter_announcement_dismissable.py | 18 ++++++++++++ dojo/fixtures/dojo_testdata.json | 9 ++++++ dojo/forms.py | 9 +----- dojo/models.py | 7 ++++- dojo/urls.py | 4 ++- unittests/test_rest_framework.py | 29 +++++++++++++++++-- unittests/test_swagger_schema.py | 18 ++++++++++-- 11 files changed, 122 insertions(+), 26 deletions(-) create mode 100644 dojo/db_migrations/0195_alter_announcement_dismissable.py diff --git a/dojo/announcement/signals.py b/dojo/announcement/signals.py index 8c61d4f4ad9..5b89d71d780 100644 --- a/dojo/announcement/signals.py +++ b/dojo/announcement/signals.py 
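Review bot: The new `request` line calls `instance.findtext('param')` and `instance.findtext('attack')` without a default, so when the ZAP report omits either element the stored text reads `Param: None` / `Attack: None`; passing a default keeps the field clean, e.g. `instance.findtext('param', default='')` and `instance.findtext('attack', default='')`. The `attack` element is the payload ZAP injected, so it is now persisted with the finding alongside the method; that is useful for triage, but anything that renders the request field must keep treating it as untrusted text, and a one-line comment noting that the payload is recorded on purpose would help the next reader. The enclosing get_findings starts and ends outside this hunk.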
@@ -22,3 +22,16 @@ def add_announcement_to_new_user(sender, instance, **kwargs): UserAnnouncement.objects.get_or_create( user=dojo_user, announcement=announcement ) + + +@receiver(post_save, sender=Announcement) +def announcement_post_save(sender, instance, created, **kwargs): + if created: + UserAnnouncement.objects.bulk_create( + [ + UserAnnouncement( + user=user_id, announcement=instance + ) + for user_id in Dojo_User.objects.all() + ] + ) diff --git a/dojo/announcement/views.py b/dojo/announcement/views.py index 8e9c155398a..2544dba3539 100644 --- a/dojo/announcement/views.py +++ b/dojo/announcement/views.py @@ -9,7 +9,7 @@ from dojo.utils import add_breadcrumb from dojo.forms import AnnouncementCreateForm, AnnouncementRemoveForm -from dojo.models import Announcement, UserAnnouncement, Dojo_User +from dojo.models import Announcement, UserAnnouncement from dojo.authorization.authorization_decorators import ( user_is_configuration_authorized, ) @@ -50,15 +50,6 @@ def configure_announcement(request): announcement.style = form.cleaned_data["style"] announcement.dismissable = form.cleaned_data["dismissable"] announcement.save() - if created: - UserAnnouncement.objects.bulk_create( - [ - UserAnnouncement( - user=user_id, announcement=announcement - ) - for user_id in Dojo_User.objects.all() - ] - ) messages.add_message( request, messages.SUCCESS, diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index 4801e8038e9..e1c2a2dafe7 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -86,6 +86,7 @@ Answered_Survey, General_Survey, Check_List, + Announcement, ) from dojo.tools.factory import ( 
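Review bot: The loop variable in the new `announcement_post_save` receiver is named `user_id`, but `Dojo_User.objects.all()` yields model instances and that is what `UserAnnouncement(user=...)` receives, so the name suggests a primary key that is never involved; `for user in Dojo_User.objects.all()` with `user=user` says what happens. The same naming appears in the block removed from `configure_announcement` in dojo/announcement/views.py, so it was carried over rather than introduced. Whether signals.py already imports `Dojo_User` is not visible in the hunk (the view hunk drops its own import because it no longer needs it), so confirm the module has one.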
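Review bot: With the `if created:` block removed from `configure_announcement`, the `created` name appears to have no remaining use in the view; where it is bound is above the hunk, so this is inferred rather than seen, but if it is unpacked from a `get_or_create` call it can become `announcement, _ = ...` so readers do not look for the branch that used it. The function starts outside the hunk.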
@@ -3147,3 +3148,20 @@ class QuestionnaireGeneralSurveySerializer(serializers.ModelSerializer): class Meta: model = General_Survey fields = "__all__" + + +class AnnouncementSerializer(serializers.ModelSerializer): + + class Meta: + model = Announcement + fields = "__all__" + + def create(self, validated_data): + validated_data["id"] = 1 + try: + return super().create(validated_data) + except IntegrityError as e: + if 'duplicate key value violates unique constraint "dojo_announcement_pkey"' in str(e): + raise serializers.ValidationError("No more than one Announcement is allowed") + else: + raise diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py index 5f1d662e4e2..47415125c24 100644 --- a/dojo/api_v2/views.py +++ b/dojo/api_v2/views.py @@ -82,6 +82,7 @@ Answered_Survey, General_Survey, Check_List, + Announcement, ) from dojo.endpoint.views import get_endpoint_ids from dojo.reports.views import ( @@ -3777,3 +3778,14 @@ class QuestionnaireAnsweredSurveyViewSet( ], serializers.QuestionnaireAnsweredSurveySerializer, ).to_schema() + + +# Authorization: configuration +class AnnouncementViewSet( + DojoModelViewSet +): + serializer_class = serializers.AnnouncementSerializer + queryset = Announcement.objects.all() + filter_backends = (DjangoFilterBackend,) + filterset_fields = "__all__" + permission_classes = (permissions.UserHasConfigurationPermissionStaff,) diff --git a/dojo/db_migrations/0195_alter_announcement_dismissable.py b/dojo/db_migrations/0195_alter_announcement_dismissable.py new file mode 100644 index 00000000000..0896390bae2 --- /dev/null +++ b/dojo/db_migrations/0195_alter_announcement_dismissable.py 
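Review bot: `AnnouncementSerializer.create` recognises the single-row violation by substring-matching the PostgreSQL constraint name `dojo_announcement_pkey` in the IntegrityError text; on other backends the project ships with (mysqlclient is pinned in requirements.txt in the hunks above) the message is worded differently, so the same condition re-raises and the client gets a 500 instead of the intended validation error. Because the method forces `validated_data["id"] = 1`, a duplicate primary key is the constraint this insert is expected to hit, so the handler can drop the message inspection: `except IntegrityError: raise serializers.ValidationError("No more than one Announcement is allowed")`. An up-front `if Announcement.objects.exists():` check before the save would return the same 400 without depending on backend wording, although it does not replace the exception handler under concurrent requests. Whether `IntegrityError` is imported in serializers.py is outside this hunk.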
@@ -0,0 +1,18 @@ +# Generated by Django 4.1.13 on 2023-12-05 12:53 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('dojo', '0194_alter_finding_component_name'), + ] + + operations = [ + migrations.AlterField( + model_name='announcement', + name='dismissable', + field=models.BooleanField(blank=True, default=False, help_text='Ticking this box allows users to dismiss the current announcement', verbose_name='Dismissable?'), + ), + ] diff --git a/dojo/fixtures/dojo_testdata.json b/dojo/fixtures/dojo_testdata.json index 6faa265e73e..42833a1e347 100644 --- a/dojo/fixtures/dojo_testdata.json +++ b/dojo/fixtures/dojo_testdata.json @@ -2988,5 +2988,14 @@ "is_authn_provider": false, "url": "https://google.com" } + }, + { + "model": "dojo.announcement", + "pk": 1, + "fields": { + "message": "test message", + "dismissable": true, + "style": "danger" + } } ] \ No newline at end of file diff --git a/dojo/forms.py b/dojo/forms.py index e2d31684fca..94c1e6ee9df 100755 --- a/dojo/forms.py +++ b/dojo/forms.py @@ -2932,16 +2932,9 @@ def clean(self): class AnnouncementCreateForm(forms.ModelForm): - dismissable = forms.BooleanField( - label=_('Dismissable?'), - initial=False, - required=False, - help_text=_('Ticking this box allows users to dismiss the current announcement') - ) - class Meta: model = Announcement - fields = ['message', 'style'] + fields = "__all__" class AnnouncementRemoveForm(AnnouncementCreateForm): diff --git a/dojo/models.py b/dojo/models.py index 777016979e3..07f26c6bb57 100755 --- a/dojo/models.py +++ b/dojo/models.py 
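Review bot: `AnnouncementCreateForm` now declares `fields = "__all__"` where the old code listed `['message', 'style']` explicitly; with `__all__`, any field later added to `Announcement` becomes user-editable through this form and through `AnnouncementRemoveForm`, which subclasses it, without anyone revisiting the form, which is the reason Django's ModelForm documentation recommends an explicit list. Listing the three fields keeps this commit's behaviour while making the intent visible: `fields = ['message', 'style', 'dismissable']`.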
@@ -3502,9 +3502,14 @@ class Announcement(models.Model): message = models.CharField(max_length=500, help_text=_("This dismissable message will be displayed on all pages for authenticated users. It can contain basic html tags, for example https://example.com"), default='') - dismissable = models.BooleanField(default=False, null=True, blank=True) style = models.CharField(max_length=64, choices=ANNOUNCEMENT_STYLE_CHOICES, default='info', help_text=_("The style of banner to display. (info, success, warning, danger)")) + dismissable = models.BooleanField(default=False, + null=False, + blank=True, + verbose_name=_('Dismissable?'), + help_text=_('Ticking this box allows users to dismiss the current announcement'), + ) class UserAnnouncement(models.Model): diff --git a/dojo/urls.py b/dojo/urls.py index cde14708936..fa15f977da9 100755 --- a/dojo/urls.py +++ b/dojo/urls.py @@ -23,7 +23,8 @@ NotificationsViewSet, EngagementPresetsViewset, NetworkLocationsViewset, UserContactInfoViewSet, \ ProductAPIScanConfigurationViewSet, UserProfileView, EndpointMetaImporterView, \ ConfigurationPermissionViewSet, QuestionnaireQuestionViewSet, QuestionnaireAnswerViewSet, \ - QuestionnaireGeneralSurveyViewSet, QuestionnaireEngagementSurveyViewSet, QuestionnaireAnsweredSurveyViewSet + QuestionnaireGeneralSurveyViewSet, QuestionnaireEngagementSurveyViewSet, QuestionnaireAnsweredSurveyViewSet, \ + AnnouncementViewSet from dojo.utils import get_system_setting from dojo.development_environment.urls import urlpatterns as dev_env_urls @@ -131,6 +132,7 @@ v2_api.register(r'questionnaire_engagement_questionnaires', QuestionnaireEngagementSurveyViewSet) v2_api.register(r'questionnaire_general_questionnaires', QuestionnaireGeneralSurveyViewSet) v2_api.register(r'questionnaire_questions', QuestionnaireQuestionViewSet) +v2_api.register(r'announcements', AnnouncementViewSet) ur = [] ur += dev_env_urls ur += endpoint_urls 
diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 69f318ec3a9..c5e10179cb0 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -12,7 +12,7 @@ Product_Group, Global_Role, Dojo_Group_Member, Language_Type, Languages, \ Notifications, UserContactInfo, Cred_Mapping, Cred_User, \ TextQuestion, ChoiceQuestion, TextAnswer, ChoiceAnswer, Engagement_Survey, \ - Answered_Survey, General_Survey + Answered_Survey, General_Survey, Announcement from dojo.api_v2.views import DevelopmentEnvironmentViewSet, EndPointViewSet, EngagementViewSet, \ FindingTemplatesViewSet, FindingViewSet, JiraInstanceViewSet, \ JiraIssuesViewSet, JiraProjectViewSet, ProductViewSet, \ @@ -26,7 +26,8 @@ NotificationsViewSet, UserContactInfoViewSet, ProductAPIScanConfigurationViewSet, \ ConfigurationPermissionViewSet, CredentialsMappingViewSet, \ CredentialsViewSet, QuestionnaireQuestionViewSet, QuestionnaireAnswerViewSet, \ - QuestionnaireGeneralSurveyViewSet, QuestionnaireEngagementSurveyViewSet, QuestionnaireAnsweredSurveyViewSet + QuestionnaireGeneralSurveyViewSet, QuestionnaireEngagementSurveyViewSet, QuestionnaireAnsweredSurveyViewSet, \ + AnnouncementViewSet from json import dumps from enum import Enum from django.urls import reverse @@ -1585,7 +1586,7 @@ def __init__(self, *args, **kwargs): } self.update_fields = {"first_name": "test changed", "configuration_permissions": [219, 220]} self.test_type = TestType.CONFIGURATION_PERMISSIONS - self.deleted_objects = 18 + self.deleted_objects = 19 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) def test_create_user_with_non_configuration_permissions(self): 
@@ -2835,3 +2836,25 @@ def __init__(self, *args, **kwargs): self.test_type = TestType.STANDARD self.deleted_objects = 5 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) + + +class AnnouncementTest(BaseClass.RESTEndpointTest): + fixtures = ['dojo_testdata.json'] + + def __init__(self, *args, **kwargs): + self.endpoint_model = Announcement + self.endpoint_path = 'announcements' + self.viewname = 'announcement' + self.viewset = AnnouncementViewSet + self.payload = { + "message": "Test template", + "style": "info", + "dismissable": True, + } + self.update_fields = {'style': 'warning'} + self.test_type = TestType.CONFIGURATION_PERMISSIONS + self.deleted_objects = 7 + BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) + + def test_create(self): + self.skipTest('Only one Announcement can exists') diff --git a/unittests/test_swagger_schema.py b/unittests/test_swagger_schema.py index af992916aeb..9f1316b4d2e 100644 --- a/unittests/test_swagger_schema.py +++ b/unittests/test_swagger_schema.py 
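Review bot: Skipping `test_create` leaves the one non-trivial piece of the new API, the duplicate-row rejection in `AnnouncementSerializer.create`, without coverage; the fixture already loads an announcement with pk 1, so a POST against this endpoint is exactly the path that should produce the validation error. Rather than `self.skipTest('Only one Announcement can exists')`, a test that posts `self.payload` and asserts a 400 carrying "No more than one Announcement is allowed" would exercise it. The POST helper of `BaseClass.RESTEndpointTest` is outside this hunk, so the exact call shape depends on it.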
@@ -20,14 +20,14 @@ SonarqubeIssueTransitionViewSet, StubFindingsViewSet, SystemSettingsViewSet, \ TestTypesViewSet, TestsViewSet, ToolConfigurationsViewSet, ToolProductSettingsViewSet, \ ToolTypesViewSet, UsersViewSet, JiraIssuesViewSet, JiraProjectViewSet, AppAnalysisViewSet, \ - LanguageTypeViewSet, LanguageViewSet + LanguageTypeViewSet, LanguageViewSet, AnnouncementViewSet from dojo.models import \ Development_Environment, Endpoint_Status, Endpoint, Engagement, Finding_Template, \ Finding, JIRA_Instance, JIRA_Issue, DojoMeta, Note_Type, Notes, Product_Type, Product, Regulation, \ Sonarqube_Issue, Product_API_Scan_Configuration, Sonarqube_Issue_Transition, \ Stub_Finding, System_Settings, Test_Type, Test, Tool_Configuration, Tool_Product_Settings, \ - Tool_Type, Dojo_User, JIRA_Project, App_Analysis, Language_Type, Languages + Tool_Type, Dojo_User, JIRA_Project, App_Analysis, Language_Type, Languages, Announcement from dojo.api_v2.serializers import \ DevelopmentEnvironmentSerializer, EndpointStatusSerializer, EndpointSerializer, \ @@ -37,7 +37,7 @@ SonarqubeIssueSerializer, ProductAPIScanConfigurationSerializer, SonarqubeIssueTransitionSerializer, \ StubFindingSerializer, SystemSettingsSerializer, TestTypeSerializer, TestSerializer, ToolConfigurationSerializer, \ ToolProductSettingsSerializer, ToolTypeSerializer, UserSerializer, NoteSerializer, ProductTypeSerializer, \ - AppAnalysisSerializer, LanguageTypeSerializer, LanguageSerializer + AppAnalysisSerializer, LanguageTypeSerializer, LanguageSerializer, AnnouncementSerializer SWAGGER_SCHEMA_GENERATOR = OpenAPISchemaGenerator(Info("defectdojo", "v2")) BASE_API_URL = "/api/v2" 
@@ -818,3 +818,15 @@ def __init__(self, *args, **kwargs): def test_post_endpoint(self): super().test_post_endpoint(extra_data={"language": 2}) + + +class AnnouncementTest(BaseClass.SchemaTest): + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.viewname = "announcements" + self.viewset = AnnouncementViewSet + self.model = Announcement + self.serializer = AnnouncementSerializer + + def test_post_endpoint(self, extra_data=[], extra_args=None): + self.skipTest('Only one Announcement can exists') From c0948bba300e89dfc35a620b2e5767c4ee68ce1e Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Wed, 3 Jan 2024 18:26:13 +0100 Subject: [PATCH 12/46] :bug: None Type in cvss score in Trivy #9263e (#9268) --- dojo/tools/trivy/parser.py | 30 +++++++---- unittests/scans/trivy/issue_9263.json | 75 +++++++++++++++++++++++++++ unittests/tools/test_trivy_parser.py | 8 +++ 3 files changed, 102 insertions(+), 11 deletions(-) create mode 100644 unittests/scans/trivy/issue_9263.json diff --git a/dojo/tools/trivy/parser.py b/dojo/tools/trivy/parser.py index 22f8310251d..f07a4b34bee 100644 --- a/dojo/tools/trivy/parser.py +++ b/dojo/tools/trivy/parser.py @@ -55,17 +55,20 @@ def get_description_for_scan_types(self, scan_type): return "Import trivy JSON scan report." def convert_cvss_score(self, raw_value): - val = float(raw_value) - if val == 0.0: + if raw_value is None: return "Info" - elif val < 4.0: - return "Low" - elif val < 7.0: - return "Medium" - elif val < 9.0: - return "High" else: - return "Critical" + val = float(raw_value) + if val == 0.0: + return "Info" + elif val < 4.0: + return "Low" + elif val < 7.0: + return "Medium" + elif val < 9.0: + return "High" + else: + return "Critical" def get_findings(self, scan_file, test): scan_data = scan_file.read() 
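Review bot: `test_post_endpoint(self, extra_data=[], extra_args=None)` carries a mutable list as a default argument; the body only calls `skipTest` today, so nothing mutates it, but the signature should not keep the hazard: `def test_post_endpoint(self, extra_data=None, extra_args=None):`. If the base method it overrides uses the same default and matching it is deliberate, a short comment saying so would stop the next reader from "fixing" it.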
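Review bot: In `convert_cvss_score` the `else:` wrapping the numeric branch is redundant once the `None` guard returns early, and it pushes the whole threshold ladder one level deeper; keeping `if raw_value is None: return "Info"` and then `val = float(raw_value)` at function level reads flatter with identical behaviour. `float(raw_value)` still raises `ValueError` for a non-numeric score, which this commit does not address; whether Trivy can emit such a value is not shown here.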
@@ -173,8 +176,13 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""): if severity_source is not None and cvss is not None: cvssclass = cvss.get(severity_source, None) if cvssclass is not None: - severity = self.convert_cvss_score(cvssclass.get("V3Score", None)) - cvssv3 = dict(cvssclass).get("V3Vector", None) + if cvssclass.get("V3Score") is not None: + severity = self.convert_cvss_score(cvssclass.get("V3Score")) + cvssv3 = dict(cvssclass).get("V3Vector") + elif cvssclass.get("V2Score") is not None: + severity = self.convert_cvss_score(cvssclass.get("V2Score")) + else: + severity = self.convert_cvss_score(None) else: severity = TRIVY_SEVERITIES[vuln["Severity"]] else: diff --git a/unittests/scans/trivy/issue_9263.json b/unittests/scans/trivy/issue_9263.json new file mode 100644 index 00000000000..daf5241a566 --- /dev/null +++ b/unittests/scans/trivy/issue_9263.json 
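Review bot: The new trailing `else` sets `severity = self.convert_cvss_score(None)`, i.e. Info, when the severity source has a CVSS entry with neither `V3Score` nor `V2Score`, whereas the existing outer `else` falls back to `TRIVY_SEVERITIES[vuln["Severity"]]` when the entry is absent altogether; a vulnerability Trivy rates HIGH would thus be imported as Info only because its scoring block lacks numbers, which hides it from triage. Using Trivy's own rating there keeps the two fallbacks consistent: `else: severity = TRIVY_SEVERITIES[vuln["Severity"]]`. Separately, the `V2Score` branch feeds a v2 score through thresholds written for v3 (Critical at 9.0 and above) although CVSS v2 has no Critical band; if that mapping is intended, a comment on the branch would record the choice. get_result_items continues on both sides of the hunk.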
@@ -0,0 +1,75 @@ +{ + "SchemaVersion": 2, + "ArtifactName": "sbom.json", + "ArtifactType": "cyclonedx", + "Metadata": { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + }, + "Results": [ + { + "Target": "requirements.txt", + "Class": "lang-pkgs", + "Type": "pip", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2013-7445", + "PkgID": "linux-libc-dev@6.1.55-1", + "PkgName": "linux-libc-dev", + "InstalledVersion": "6.1.55-1", + "Status": "will_not_fix", + "Layer": { + "Digest": "sha256:938cae48a646a95127345a544f75f4e0b83f5fa612858e524aedea6981af4a1e", + "DiffID": "sha256:dfe25755ef07309fcb76dd47b2bb21e6dd92adedce8d9aa7f5bbceaf7fc726c9" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2013-7445", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "kernel: memory exhaustion via crafted Graphics Execution Manager (GEM) objects", + "Description": "The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-399" + ], + "VendorSeverity": { + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V2Score": 7.8 + }, + "redhat": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V2Score": 4.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2013-7445", + "https://bugzilla.kernel.org/show_bug.cgi?id=60533", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7445", + 
"https://lists.freedesktop.org/archives/dri-devel/2015-September/089778.html (potential start towards fixing)", + "https://nvd.nist.gov/vuln/detail/CVE-2013-7445", + "https://www.cve.org/CVERecord?id=CVE-2013-7445" + ], + "PublishedDate": "2015-10-16T01:59:00.12Z", + "LastModifiedDate": "2015-10-16T16:22:25.587Z" + } + ] + } + ] +} \ No newline at end of file diff --git a/unittests/tools/test_trivy_parser.py b/unittests/tools/test_trivy_parser.py index 17d59c6f1e9..1c38f3c2104 100644 --- a/unittests/tools/test_trivy_parser.py +++ b/unittests/tools/test_trivy_parser.py @@ -209,3 +209,11 @@ def test_issue_9170(self): finding = findings[0] self.assertEqual("Low", finding.severity) self.assertEqual("KSV116 - Runs with a root primary or supplementary GID", finding.title) + + def test_issue_9263(self): + test_file = open(sample_path("issue_9263.json")) + parser = TrivyParser() + findings = parser.get_findings(test_file, Test()) + self.assertEqual(len(findings), 1) + finding = findings[0] + self.assertEqual("High", finding.severity) From 4a3f333950ac97f54fb46da86e198209a634d066 Mon Sep 17 00:00:00 2001 
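Review bot: `test_issue_9263` opens the sample with a bare `open(sample_path("issue_9263.json"))` and never closes it, which surfaces as a ResourceWarning under the test runner. Wrapping it keeps the rest unchanged: `with open(sample_path("issue_9263.json")) as test_file:` with the parser call and assertions indented under it. Whether the neighbouring tests use the same bare open is only partly visible, since `test_issue_9170`'s opening line is outside the hunk.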
From: MarianG Date: Wed, 3 Jan 2024 18:28:19 +0100 Subject: [PATCH 13/46] Feature: Add Auditlog Retention and Cleanup (#9208) * feat: add auditlog retention * linting: satisfy flake8 * fix: forgot imports in tasks.py * fix: add necessary test-data * Update unittests/test_flush_auditlog.py Co-authored-by: kiblik * Update unittests/test_flush_auditlog.py Co-authored-by: kiblik * Update unittests/test_flush_auditlog.py Co-authored-by: kiblik * Update dojo/tasks.py Co-authored-by: kiblik * Update unittests/test_flush_auditlog.py Co-authored-by: kiblik * Update test_flush_auditlog.py removed spaces * fix: change default value for the retetion period to disable log recycling and mimic the default behavior. Then no change will happen until a user actively sets/ changes this parameter --------- Co-authored-by: MarianG Co-authored-by: kiblik --- dojo/fixtures/dojo_testdata.json | 48 ++++++++++++++++++++++++++++++++ dojo/settings/settings.dist.py | 11 +++++++- dojo/tasks.py | 24 +++++++++++++++- unittests/test_flush_auditlog.py | 45 ++++++++++++++++++++++++++++++ 4 files changed, 126 insertions(+), 2 deletions(-) create mode 100644 unittests/test_flush_auditlog.py diff --git a/dojo/fixtures/dojo_testdata.json b/dojo/fixtures/dojo_testdata.json index 42833a1e347..62486cb90cf 100644 --- a/dojo/fixtures/dojo_testdata.json +++ b/dojo/fixtures/dojo_testdata.json 
@@ -170,6 +170,54 @@ "content_type": 3 } }, + { + "model": "auditlog.logentry", + "pk": 803, + "fields": { + "content_type": 28, + "object_pk": "1", + "object_id": 1, + "object_repr": "BodgeIt", + "action": 0, + "changes": "{\"product\": [\"None\", \"dojo.Cred_Mapping.None\"], \"product_meta\": [\"None\", \"dojo.DojoMeta.None\"], \"name\": [\"None\", \"BodgeIt\"], \"description\": [\"None\", \"[Features](https://github.com/psiinon/bodgeit) and characteristics:\\r\\n\\r\\n* Easy to install - just requires java and a servlet engine, e.g. Tomcat\\r\\n* Self contained (no additional dependencies other than to 2 in the above line)\\r\\n* Easy to change on the fly - all the functionality is implemented in JSPs, so no IDE required\\r\\n* Cross platform\\r\\n* Open source\\r\\n* No separate db to install and configure - it uses an 'in memory' db that is automatically (re)initialized on start up\"], \"product_manager\": [\"None\", \"(admin)\"], \"technical_contact\": [\"None\", \"(user2)\"], \"team_manager\": [\"None\", \"(product_manager)\"], \"prod_type\": [\"None\", \"Commerce\"], \"id\": [\"None\", \"1\"], \"tid\": [\"None\", \"0\"], \"prod_numeric_grade\": [\"None\", \"5\"], \"business_criticality\": [\"None\", \"high\"], \"platform\": [\"None\", \"web\"], \"lifecycle\": [\"None\", \"production\"], \"origin\": [\"None\", \"internal\"], \"user_records\": [\"None\", \"1000000000\"], \"revenue\": [\"None\", \"1000.00\"], \"external_audience\": [\"None\", \"True\"], \"internet_accessible\": [\"None\", \"True\"], \"enable_simple_risk_acceptance\": [\"None\", \"False\"], \"enable_full_risk_acceptance\": [\"None\", \"True\"]}", + "actor": null, + "remote_addr": null, + "timestamp": "2021-10-22T01:24:54.921Z", + "additional_data": null + } + }, + { + "model": "auditlog.logentry", + "pk": 804, + "fields": { + "content_type": 28, + "object_pk": "2", + "object_id": 2, + "object_repr": "Internal CRM App", + "action": 0, + "changes": "{\"product\": [\"None\", 
\"dojo.Cred_Mapping.None\"], \"product_meta\": [\"None\", \"dojo.DojoMeta.None\"], \"name\": [\"None\", \"Internal CRM App\"], \"description\": [\"None\", \"* New product in development that attempts to follow all best practices\"], \"product_manager\": [\"None\", \"(product_manager)\"], \"technical_contact\": [\"None\", \"(product_manager)\"], \"team_manager\": [\"None\", \"(user2)\"], \"prod_type\": [\"None\", \"Commerce\"], \"id\": [\"None\", \"2\"], \"tid\": [\"None\", \"0\"], \"business_criticality\": [\"None\", \"medium\"], \"platform\": [\"None\", \"web\"], \"lifecycle\": [\"None\", \"construction\"], \"origin\": [\"None\", \"internal\"], \"external_audience\": [\"None\", \"False\"], \"internet_accessible\": [\"None\", \"False\"], \"enable_simple_risk_acceptance\": [\"None\", \"False\"], \"enable_full_risk_acceptance\": [\"None\", \"True\"]}", + "actor": null, + "remote_addr": null, + "timestamp": "2021-10-22T01:24:55.044Z", + "additional_data": null + } + }, + { + "model": "auditlog.logentry", + "pk": 805, + "fields": { + "content_type": 28, + "object_pk": "3", + "object_id": 3, + "object_repr": "Apple Accounting Software", + "action": 0, + "changes": "{\"product\": [\"None\", \"dojo.Cred_Mapping.None\"], \"product_meta\": [\"None\", \"dojo.DojoMeta.None\"], \"name\": [\"None\", \"Apple Accounting Software\"], \"description\": [\"None\", \"Accounting software is typically composed of various modules, different sections dealing with particular areas of accounting. 
Among the most common are:\\r\\n\\r\\n**Core modules**\\r\\n\\r\\n* Accounts receivable\\u2014where the company enters money received\\r\\n* Accounts payable\\u2014where the company enters its bills and pays money it owes\\r\\n* General ledger\\u2014the company's \\\"books\\\"\\r\\n* Billing\\u2014where the company produces invoices to clients/customers\"], \"product_manager\": [\"None\", \"(admin)\"], \"technical_contact\": [\"None\", \"(user2)\"], \"team_manager\": [\"None\", \"(user2)\"], \"prod_type\": [\"None\", \"Billing\"], \"id\": [\"None\", \"3\"], \"tid\": [\"None\", \"0\"], \"business_criticality\": [\"None\", \"high\"], \"platform\": [\"None\", \"web\"], \"lifecycle\": [\"None\", \"production\"], \"origin\": [\"None\", \"purchased\"], \"user_records\": [\"None\", \"5000\"], \"external_audience\": [\"None\", \"True\"], \"internet_accessible\": [\"None\", \"False\"], \"enable_simple_risk_acceptance\": [\"None\", \"False\"], \"enable_full_risk_acceptance\": [\"None\", \"True\"]}", + "actor": null, + "remote_addr": null, + "timestamp": "2021-10-22T01:24:55.071Z", + "additional_data": null + } + }, { "pk": 1, "model": "dojo.system_settings", diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 33f0f0c12bf..31f8d4f8f9e 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -223,7 +223,8 @@ DD_EDITABLE_MITIGATED_DATA=(bool, False), # new feature that tracks history across multiple reimports for the same test DD_TRACK_IMPORT_HISTORY=(bool, True), - + # Delete Auditlogs older than x month; -1 to keep all logs + DD_AUDITLOG_FLUSH_RETENTION_PERIOD=(int, -1), # Allow grouping of findings in the same test, for example to group findings per dependency # DD_FEATURE_FINDING_GROUPS feature is moved to system_settings, will be removed from settings file DD_FEATURE_FINDING_GROUPS=(bool, True), 
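Review bot: The comment on the new `DD_AUDITLOG_FLUSH_RETENTION_PERIOD` entry says "older than x month" but does not state what `0` means, and in the tasks hunk of this commit a value of 0 deletes every audit entry dated before today, which is the least conservative setting rather than a no-op. Spell the boundary out so an operator does not set 0 expecting "keep the current month": `# Delete audit log entries older than x months (0 = everything before today); -1 keeps all logs (default)`. Audit-log retention is usually a compliance requirement, so the comment is the one place an operator will look before changing it.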
@@ -1131,6 +1132,10 @@ def saml2_attrib_map_format(dict): 'schedule': timedelta(minutes=1), 'args': [timedelta(minutes=1)] }, + 'flush_auditlog': { + 'task': 'dojo.tasks.flush_auditlog', + 'schedule': timedelta(hours=8), + }, 'update-findings-from-source-issues': { 'task': 'dojo.tools.tool_issue_updater.update_findings_from_source_issues', 'schedule': timedelta(hours=3), @@ -1699,4 +1704,8 @@ def saml2_attrib_map_format(dict): # Dictates whether cloud banner is created or not CREATE_CLOUD_BANNER = env('DD_CREATE_CLOUD_BANNER') +# ------------------------------------------------------------------------------ +# Auditlog +# ------------------------------------------------------------------------------ +AUDITLOG_FLUSH_RETENTION_PERIOD = env('DD_AUDITLOG_FLUSH_RETENTION_PERIOD') ENABLE_AUDITLOG = env('DD_ENABLE_AUDITLOG') diff --git a/dojo/tasks.py b/dojo/tasks.py index eaf47986807..50d48049a80 100644 --- a/dojo/tasks.py +++ b/dojo/tasks.py @@ -1,5 +1,7 @@ import logging -from datetime import timedelta +from auditlog.models import LogEntry +from datetime import timedelta, date +from dateutil.relativedelta import relativedelta from django.db.models import Count, Prefetch from django.conf import settings from django.urls import reverse 
@@ -86,6 +88,26 @@ def cleanup_alerts(*args, **kwargs):
 logger.info('total number of alerts deleted: %s', total_deleted_count)
+@app.task(bind=True)
+def flush_auditlog(*args, **kwargs):
+ retention_period = settings.AUDITLOG_FLUSH_RETENTION_PERIOD
+
+ if retention_period < 0:
+ logger.info("Flushing auditlog is disabled")
+ return
+
+ logger.info("Running Cleanup Task for Logentries with %d Months retention", retention_period)
+ retention_date = date.today() - relativedelta(months=retention_period)
+ subset = LogEntry.objects.filter(timestamp__date__lt=retention_date)
+ event_count = subset.count()
+ logger.debug("Initially received %d Logentries", event_count)
+ if event_count > 0:
+ subset._raw_delete(subset.db)
+ logger.debug('Total number of audit log entries deleted: %s', event_count)
+ else:
+ logger.debug('No outdated Logentries found')
+
+
 @app.task(bind=True)
 def async_dupe_delete(*args, **kwargs):
 try:
diff --git a/unittests/test_flush_auditlog.py b/unittests/test_flush_auditlog.py
new file mode 100644
index 00000000000..ffaeb538baa
--- /dev/null
+++ b/unittests/test_flush_auditlog.py
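Review bot: `flush_auditlog` removes audit records through `subset._raw_delete(subset.db)`, a private Django queryset API that skips `delete()` signal dispatch and related-object collection, and then reports the outcome only at debug level; deleting audit evidence is itself an event operators need in normal logs, so raise it to `logger.info('Total number of audit log entries deleted: %s', event_count)` and add a comment stating why the raw path was chosen (presumably to avoid loading every LogEntry into memory). `event_count` is computed before the delete runs, so the logged figure is the pre-delete count rather than what was removed; `subset.delete()` returns the real number if the raw path is not required. `timestamp__date__lt` forces a per-row date cast that can prevent the database from using an index on `timestamp` on a large audit table, and `date.today()` is naive; filtering with `timestamp__lt=django.utils.timezone.now() - relativedelta(months=retention_period)` keeps the comparison index-friendly and time-zone aware.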
@@ -0,0 +1,45 @@
+from dojo.tasks import flush_auditlog
+from .dojo_test_case import DojoTestCase
+from django.test import override_settings
+from auditlog.models import LogEntry
+from datetime import date, datetime
+from dojo.models import Finding
+from dateutil.relativedelta import relativedelta
+import logging
+logger = logging.getLogger(__name__)
+
+
+class TestFlushAuditlog(DojoTestCase):
+ fixtures = ['dojo_testdata.json']
+
+ @override_settings(AUDITLOG_FLUSH_RETENTION_PERIOD=-1)
+ def test_flush_auditlog_disabled(self):
+ entries_before = LogEntry.objects.all().count()
+ flush_auditlog()
+ entries_after = LogEntry.objects.all().count()
+ self.assertEqual(entries_before, entries_after)
+
+ @override_settings(AUDITLOG_FLUSH_RETENTION_PERIOD=0)
+ def test_delete_all_entries(self):
+ entries_before = LogEntry.objects.filter(timestamp__date__lt=date.today()).count()
+ flush_auditlog()
+ entries_after = LogEntry.objects.filter(timestamp__date__lt=date.today()).count()
+ # we have three old log entries in our testdata
+ self.assertEqual(entries_before - 3, entries_after)
+
+ @override_settings(AUDITLOG_FLUSH_RETENTION_PERIOD=1)
+ def test_delete_entries_with_retention_period(self):
+ entries_before = LogEntry.objects.filter(timestamp__date__lt=date.today()).count()
+ two_weeks_ago = datetime.today() - relativedelta(weeks=2)
+ log_entry = LogEntry.objects.log_create(
+ instance=Finding.objects.all()[0],
+ timestamp=two_weeks_ago,
+ changes="foo",
+ action=LogEntry.Action.UPDATE,
+ )
+ log_entry.timestamp = two_weeks_ago
+ log_entry.save()
+ flush_auditlog()
+ entries_after = LogEntry.objects.filter(timestamp__date__lt=date.today()).count()
+ # we have three old log entries in our testdata and added a new one
+ self.assertEqual(entries_before - 3 + 1, entries_after)
From 8e03ac2ae5e2de8c34b7ca828c4b2b64328fc2b2 Mon Sep 17 00:00:00 2001
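Review bot: `test_delete_entries_with_retention_period` builds `two_weeks_ago` from `datetime.today()`, a naive datetime; if the project runs with `USE_TZ` enabled (not visible here), Django warns when that value is saved into `LogEntry.timestamp` and interprets it in the default time zone, so the entry can fall on a different calendar day than the test assumes. Use `django.utils.timezone.now() - relativedelta(weeks=2)` instead. `logging` is imported and `logger` created but neither is used anywhere in the module, so both lines can be dropped.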
From: MarianG Date: Thu, 4 Jan 2024 18:10:44 +0100 Subject: [PATCH 14/46] QualysParser: add cvss value to finding (#9256) * feat: add cvss value to finding and only overwrite values if not already set This is because of XML Report Layout of Qualys. It has CVSS Values on concrete Finding and in the Knowledgebase. The values in the concrete Finding are more accurate and are parsed at first. It would be much better to stick with those values and only use the ones from the Knowledgebase if CVSS values from concrete finding are missing * linting: flake8 * feat: add unit-test for cvss_score field * remove unnecessary loop Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update test_qualys_parser.py for linting --------- Co-authored-by: MarianG Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/qualys/parser.py | 17 ++++++++----- unittests/tools/test_qualys_parser.py | 36 +++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 6 deletions(-) diff --git a/dojo/tools/qualys/parser.py b/dojo/tools/qualys/parser.py index 14ecbe564d2..567233b0f61 100644 --- a/dojo/tools/qualys/parser.py +++ b/dojo/tools/qualys/parser.py @@ -67,13 +67,16 @@ def split_cvss(value, _temp): return if len(value) > 4: split = value.split(" (") - _temp["CVSS_value"] = float(split[0]) - # remove ")" at the end - _temp["CVSS_vector"] = CVSS3( - "CVSS:3.0/" + split[1][:-1] - ).clean_vector() + if _temp.get("CVSS_value") is None: + _temp["CVSS_value"] = float(split[0]) + # remove ")" at the end + if _temp.get("CVSS_vector") is None: + _temp["CVSS_vector"] = CVSS3( + "CVSS:3.0/" + split[1][:-1] + ).clean_vector() else: - _temp["CVSS_value"] = float(value) + if _temp.get("CVSS_value") is None: + _temp["CVSS_value"] = float(value) def parse_finding(host, tree): 
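Review bot: The new `is None` guards in `split_cvss` make the first caller win, which is only correct because the detection-level CVSS is parsed before the knowledgebase value, and nothing in the function says so; a reader seeing `_temp.get("CVSS_value") is None` cannot tell whether a second call is a bug or the intended precedence rule. Add above the first guard: `# first writer wins: the detection-level CVSS is parsed before the knowledgebase entry, so its more precise values take precedence`. The re-added `split[1][:-1]` still raises IndexError when a value longer than four characters contains no " (" separator; that behaviour is unchanged by this commit, but a `len(split) > 1` check would make the scanner-input handling robust. `split_cvss` starts outside the hunk.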
@@ -252,6 +255,8 @@ def parse_finding(host, tree): finding.active = _temp["active"] if _temp.get("CVSS_vector") is not None: finding.cvssv3 = _temp.get("CVSS_vector") + if _temp.get("CVSS_value") is not None: + finding.cvssv3_score = _temp.get("CVSS_value") finding.verified = True finding.unsaved_endpoints = list() finding.unsaved_endpoints.append(ep) diff --git a/unittests/tools/test_qualys_parser.py b/unittests/tools/test_qualys_parser.py index d3603b62b12..498c66c235a 100644 --- a/unittests/tools/test_qualys_parser.py +++ b/unittests/tools/test_qualys_parser.py 
@@ -13,6 +13,42 @@ def test_parse_file_with_no_vuln_has_no_findings(self): findings = parser.get_findings(testfile, Test()) self.assertEqual(0, len(findings)) + def test_parse_file_with_cvss_values_and_scores(self): + testfile = open( + get_unit_tests_path() + "/scans/qualys/Qualys_Sample_Report.xml" + ) + parser = QualysParser() + findings = parser.get_findings(testfile, Test()) + for finding in findings: + if finding.unsaved_endpoints[0].host == "demo14.s02.sjc01.qualys.com" and finding.title == "QID-370876 | AMD Processors Multiple Security Vulnerabilities (RYZENFALL/MASTERKEY/CHIMERA-FW/FALLOUT)": + finding_cvssv3_score = finding + if finding.unsaved_endpoints[0].host == "demo13.s02.sjc01.qualys.com" and finding.title == "QID-370876 | AMD Processors Multiple Security Vulnerabilities (RYZENFALL/MASTERKEY/CHIMERA-FW/FALLOUT)": + finding_no_cvssv3_at_detection = finding + if finding.unsaved_endpoints[0].host == "demo14.s02.sjc01.qualys.com" and finding.title == "QID-121695 | NTP \"monlist\" Feature Denial of Service Vulnerability": + finding_no_cvssv3 = finding + # The CVSS Vector is not used from the Knowledgebase + self.assertEqual( + # CVSS_FINAL is defined without a cvssv3 vector + finding_cvssv3_score.cvssv3, None + ) + # Nevertheless the CVSSv3 Score should be set + self.assertEqual( + finding_cvssv3_score.cvssv3_score, 8.2 + ) + # If no cvss information is present in detection and not in knowledgebase values should be empty + self.assertEqual( + finding_no_cvssv3.cvssv3, None + ) + self.assertEqual( + finding_no_cvssv3.cvssv3_score, None + ) + # No CVSS Values available in detection and it uses the knowledgebase then + self.assertEqual(finding_no_cvssv3_at_detection.cvssv3, + "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H") + self.assertEqual( + finding_no_cvssv3_at_detection.cvssv3_score, 9.0 + ) + def test_parse_file_with_multiple_vuln_has_multiple_findings(self): testfile = open( get_unit_tests_path() + "/scans/qualys/Qualys_Sample_Report.xml" 
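Review bot: In `test_parse_file_with_cvss_values_and_scores` the three `finding_*` names are bound only inside the `if` branches of the loop, so if the sample report ever lacks one of those host/title combinations the test dies with an UnboundLocalError instead of a readable assertion. Initialise them before the loop, `finding_cvssv3_score = finding_no_cvssv3_at_detection = finding_no_cvssv3 = None`, and check `self.assertIsNotNone(...)` on each before comparing fields. The enclosing test class starts outside the hunk.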
From 94302e60ba04c699a5a3efe054a6a19a70bd602c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jan 2024 12:04:14 -0600 Subject: [PATCH 15/46] Bump boto3 from 1.34.11 to 1.34.12 (#9276) Bumps [boto3](https://github.com/boto/boto3) from 1.34.11 to 1.34.12. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.34.11...1.34.12) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 5b2d1620228..5cfb2a0895e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -79,7 +79,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support -boto3==1.34.11 # Required for Celery Broker AWS (SQS) support +boto3==1.34.12 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.1 fontawesomefree==6.5.1 From dcd1eb427744966402285f0ca7c0db002490ce66 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 4 Jan 2024 19:43:39 -0600 Subject: [PATCH 16/46] Update dependency postcss from 8.4.32 to v8.4.33 (docs/package.json) (#9281) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docs/package-lock.json | 14 +++++++------- docs/package.json | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/package-lock.json b/docs/package-lock.json index 5f9df412924..3da14d5d770 100644 --- a/docs/package-lock.json +++ b/docs/package-lock.json 
@@ -6,7 +6,7 @@ "": { "devDependencies": { "autoprefixer": "10.4.16", - "postcss": "8.4.32", + "postcss": "8.4.33", "postcss-cli": "10.1.0" } }, @@ -608,9 +608,9 @@ } }, "node_modules/postcss": { - "version": "8.4.32", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.32.tgz", - "integrity": "sha512-D/kj5JNu6oo2EIy+XL/26JEDTlIbB8hw85G8StOE6L74RQAVVP5rej6wxCNqyMbR4RkPfqvezVbPw81Ngd6Kcw==", + "version": "8.4.33", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.33.tgz", + "integrity": "sha512-Kkpbhhdjw2qQs2O2DGX+8m5OVqEcbB9HRBvuYM9pgrjEFUg30A9LmXNlTAUj4S9kgtGyrMbTzVjH7E+s5Re2yg==", "dev": true, "funding": [ { @@ -1382,9 +1382,9 @@ "dev": true }, "postcss": { - "version": "8.4.32", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.32.tgz", - "integrity": "sha512-D/kj5JNu6oo2EIy+XL/26JEDTlIbB8hw85G8StOE6L74RQAVVP5rej6wxCNqyMbR4RkPfqvezVbPw81Ngd6Kcw==", + "version": "8.4.33", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.33.tgz", + "integrity": "sha512-Kkpbhhdjw2qQs2O2DGX+8m5OVqEcbB9HRBvuYM9pgrjEFUg30A9LmXNlTAUj4S9kgtGyrMbTzVjH7E+s5Re2yg==", "dev": true, "requires": { "nanoid": "^3.3.7", diff --git a/docs/package.json b/docs/package.json index b3a5cc626a5..b457069379a 100644 --- a/docs/package.json +++ b/docs/package.json @@ -1,6 +1,6 @@ { "devDependencies": { - "postcss": "8.4.32", + "postcss": "8.4.33", "autoprefixer": "10.4.16", "postcss-cli": "10.1.0" } From 154b343c6e0fb4c16d215dc8adad2bc39458fa74 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Jan 2024 13:11:24 -0600 Subject: [PATCH 17/46] Bump packageurl-python from 0.13.1 to 0.13.2 (#9284) Bumps [packageurl-python](https://github.com/package-url/packageurl-python) from 0.13.1 to 0.13.2. - [Release notes](https://github.com/package-url/packageurl-python/releases) - [Changelog](https://github.com/package-url/packageurl-python/blob/main/CHANGELOG.rst) - [Commits](https://github.com/package-url/packageurl-python/compare/v0.13.1...v0.13.2) --- updated-dependencies: - dependency-name: packageurl-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 5cfb2a0895e..0161bb40672 100644 --- a/requirements.txt +++ b/requirements.txt @@ -58,7 +58,7 @@ debugpy==1.8.0 python-gitlab==4.3.0 drf_yasg==1.21.5 cpe==1.2.1 -packageurl-python==0.13.1 +packageurl-python==0.13.2 django-crum==0.7.9 JSON-log-formatter==0.5.2 django-split-settings==1.2.0 From 13abca16f9f2de85d24ce7820abd2b0f9ccd46f6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Jan 2024 13:21:45 -0600 Subject: [PATCH 18/46] Bump boto3 from 1.34.12 to 1.34.13 (#9285) Bumps [boto3](https://github.com/boto/boto3) from 1.34.12 to 1.34.13. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.34.12...1.34.13) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 0161bb40672..ec4de822796 100644 --- a/requirements.txt +++ b/requirements.txt @@ -79,7 +79,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support -boto3==1.34.12 # Required for Celery Broker AWS (SQS) support +boto3==1.34.13 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.1 fontawesomefree==6.5.1 From 39414ae8cf785d02d49fb22ffd008a71f1014cf0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 5 Jan 2024 13:22:29 -0600 Subject: [PATCH 19/46] Update postgres:16.1-alpine Docker digest from 16.1 to 16.1-alpine (docker-compose.yml) (#9283) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index df5a750985e..9e9536733f3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -138,7 +138,7 @@ services: volumes: - defectdojo_data:/var/lib/mysql postgres: - image: postgres:16.1-alpine@sha256:a1b267d05ee39210d162185f52645687c7e63fbe25b8c58ccd7f81f0a7e2ad97 + image: postgres:16.1-alpine@sha256:f35615ee44b870868cb5912cb36f2b03938137ffd857d3cb3542240035a71fcc profiles: - postgres-rabbitmq - postgres-redis From 30b2d49bb51ae9b14f50af2c7b316b1c028c24d4 Mon Sep 17 00:00:00 2001 
From: Felix Hernandez Date: Fri, 5 Jan 2024 14:47:32 -0600 Subject: [PATCH 20/46] Add a "tag findings" parameter to the import-scan and reimport-scan API endpoints (#8707) * Set Development default environment (new import) * fix flake8 issue * Trivy parser includes causeMetadata in findings description * Fix System Settings Required Fields Jira * remove print * flake code * merge * merge * Add apply tags to findings to importer and reimporter functions * fix changes * Addedd to import scan and reimport scan functions the apply tags parameter * fix validations * remove default true in importscan serializer * fix error in testing tags * added apply tag to findings parameter to UI * removed unnecessary lines --------- Co-authored-by: Felix Hernandez --- dojo/api_v2/serializers.py | 12 ++++++++++++ dojo/engagement/views.py | 3 ++- dojo/forms.py | 12 ++++++++++++ dojo/importers/importer/importer.py | 6 +++++- dojo/importers/reimporter/reimporter.py | 8 ++++++-- 5 files changed, 37 insertions(+), 4 deletions(-) diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index e1c2a2dafe7..a7e317210ff 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -2131,6 +2131,10 @@ class ImportScanSerializer(serializers.Serializer): product_type_id = serializers.IntegerField(read_only=True) statistics = ImportStatisticsSerializer(read_only=True, required=False) + apply_tags_to_findings = serializers.BooleanField( + help_text="If set to True, the tags will be applied to the findings", + required=False, + ) def save(self, push_to_jira=False): data = self.validated_data @@ -2149,6 +2153,7 @@ def save(self, push_to_jira=False): commit_hash = data.get("commit_hash", None) api_scan_configuration = data.get("api_scan_configuration", None) service = data.get("service", None) + apply_tags_to_findings = data.get("apply_tags_to_findings", False) source_code_management_uri = data.get( "source_code_management_uri", None ) 
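Review bot: `apply_tags_to_findings` on `ImportScanSerializer` is declared `required=False` without a `default`, so the field is absent from `validated_data` when a client omits it and the generated API schema does not show what the server assumes; the `data.get("apply_tags_to_findings", False)` in `save` papers over that. Declare `default=False` on the field (and on the matching field added to `ReImportScanSerializer` in the next hunk) so the schema and the code agree. The help text could also say which tags are meant, presumably the `tags` field of the same request: `help_text="If set to True, the tags given in this request are also applied to each imported finding"`.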
@@ -2241,6 +2246,7 @@ def save(self, push_to_jira=False): service=service, title=test_title, create_finding_groups_for_all_findings=create_finding_groups_for_all_findings, + apply_tags_to_findings=apply_tags_to_findings, ) if test: @@ -2409,6 +2415,10 @@ class ReImportScanSerializer(TaggitSerializer, serializers.Serializer): product_type_id = serializers.IntegerField(read_only=True) statistics = ImportStatisticsSerializer(read_only=True, required=False) + apply_tags_to_findings = serializers.BooleanField( + help_text="If set to True, the tags will be applied to the findings", + required=False + ) def save(self, push_to_jira=False): logger.debug("push_to_jira: %s", push_to_jira) @@ -2421,6 +2431,7 @@ def save(self, push_to_jira=False): close_old_findings_product_scope = data.get( "close_old_findings_product_scope" ) + apply_tags_to_findings = data.get("apply_tags_to_findings", False) do_not_reactivate = data.get("do_not_reactivate", False) version = data.get("version", None) build_id = data.get("build_id", None) @@ -2521,6 +2532,7 @@ def save(self, push_to_jira=False): service=service, do_not_reactivate=do_not_reactivate, create_finding_groups_for_all_findings=create_finding_groups_for_all_findings, + apply_tags_to_findings=apply_tags_to_findings, ) if test_import: diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py index 635248f0f2e..45b45833e0b 100644 --- a/dojo/engagement/views.py +++ b/dojo/engagement/views.py 
@@ -670,6 +670,7 @@ def post(self, request, eid=None, pid=None): api_scan_configuration = form.cleaned_data.get('api_scan_configuration', None) service = form.cleaned_data.get('service', None) close_old_findings = form.cleaned_data.get('close_old_findings', None) + apply_tags_to_findings = form.cleaned_data.get('apply_tags_to_findings', False) # close_old_findings_prodct_scope is a modifier of close_old_findings. # If it is selected, close_old_findings should also be selected. close_old_findings_product_scope = form.cleaned_data.get('close_old_findings_product_scope', None) @@ -736,7 +737,7 @@ def post(self, request, eid=None, pid=None): minimum_severity=minimum_severity, endpoints_to_add=list(form.cleaned_data['endpoints']) + added_endpoints, scan_date=scan_date, version=version, branch_tag=branch_tag, build_id=build_id, commit_hash=commit_hash, push_to_jira=push_to_jira, close_old_findings=close_old_findings, close_old_findings_product_scope=close_old_findings_product_scope, group_by=group_by, api_scan_configuration=api_scan_configuration, service=service, - create_finding_groups_for_all_findings=create_finding_groups_for_all_findings) + create_finding_groups_for_all_findings=create_finding_groups_for_all_findings, apply_tags_to_findings=apply_tags_to_findings) message = f'{scan_type} processed a total of {finding_count} findings' diff --git a/dojo/forms.py b/dojo/forms.py index 94c1e6ee9df..508c24df4ab 100755 --- a/dojo/forms.py +++ b/dojo/forms.py 
@@ -471,6 +471,12 @@ class ImportScanForm(forms.Form): label="Close old findings within this product", required=False, initial=False) + apply_tags_to_findings = forms.BooleanField( + help_text="If set to True, the tags will be applied to the findings", + label="Apply Tags to Findings", + required=False, + initial=False + ) if is_finding_groups_enabled(): group_by = forms.ChoiceField(required=False, choices=Finding_Group.GROUP_BY_OPTIONS, help_text='Choose an option to automatically group new findings by the chosen option.') @@ -557,6 +563,12 @@ class ReImportScanForm(forms.Form): api_scan_configuration = forms.ModelChoiceField(Product_API_Scan_Configuration.objects, required=False, label='API Scan Configuration') service = forms.CharField(max_length=200, required=False, help_text="A service is a self-contained piece of functionality within a Product. This is an optional field which is used in deduplication of findings when set.") source_code_management_uri = forms.URLField(max_length=600, required=False, help_text="Resource link to source code") + apply_tags_to_findings = forms.BooleanField( + help_text="If set to True, the tags will be applied to the findings", + label="Apply Tags to Findings", + required=False, + initial=False + ) if is_finding_groups_enabled(): group_by = forms.ChoiceField(required=False, choices=Finding_Group.GROUP_BY_OPTIONS, help_text='Choose an option to automatically group new findings by the chosen option') diff --git a/dojo/importers/importer/importer.py b/dojo/importers/importer/importer.py index e9508d5ec18..baed2c8d421 100644 --- a/dojo/importers/importer/importer.py +++ b/dojo/importers/importer/importer.py 
@@ -244,7 +244,7 @@ def close_old_findings(self, test, scan_date_time, user, push_to_jira=None, serv def import_scan(self, scan, scan_type, engagement, lead, environment, active=None, verified=None, tags=None, minimum_severity=None, user=None, endpoints_to_add=None, scan_date=None, version=None, branch_tag=None, build_id=None, commit_hash=None, push_to_jira=None, close_old_findings=False, close_old_findings_product_scope=False, - group_by=None, api_scan_configuration=None, service=None, title=None, create_finding_groups_for_all_findings=True): + group_by=None, api_scan_configuration=None, service=None, title=None, create_finding_groups_for_all_findings=True, apply_tags_to_findings=False): logger.debug(f'IMPORT_SCAN: parameters: {locals()}') @@ -363,6 +363,10 @@ def import_scan(self, scan, scan_type, engagement, lead, environment, active=Non test_import = importer_utils.update_import_history(Test_Import.IMPORT_TYPE, active, verified, tags, minimum_severity, endpoints_to_add, version, branch_tag, build_id, commit_hash, push_to_jira, close_old_findings, test, new_findings, closed_findings) + if apply_tags_to_findings and tags: + for finding in test_import.findings_affected.all(): + for tag in tags: + finding.tags.add(tag) logger.debug('IMPORT_SCAN: Generating notifications') notifications_helper.notify_test_created(test) diff --git a/dojo/importers/reimporter/reimporter.py b/dojo/importers/reimporter/reimporter.py index a31d3673c7d..39db0d7e3e0 100644 --- a/dojo/importers/reimporter/reimporter.py +++ b/dojo/importers/reimporter/reimporter.py @@ -42,6 +42,7 @@ def process_parsed_findings( scan_date=None, do_not_reactivate=False, create_finding_groups_for_all_findings=True, + apply_tags_to_findings=False, **kwargs, ): @@ -111,7 +112,6 @@ def process_parsed_findings( findings = reimporter_utils.match_new_finding_to_existing_finding( item, test, deduplication_algorithm ) - deduplicationLogger.debug( "found %i findings matching with current new finding", len(findings) ) 
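Review bot: The tagging loop added after `update_import_history` in `import_scan` calls `finding.tags.add(tag)` once per tag per finding, which is at least one manager call (and the lookups behind it) for every finding/tag pair; the taggit manager's `add` accepts several tags at once, so the inner loop can go: `for finding in test_import.findings_affected.all():` / `    finding.tags.add(*tags)`. The same loop is added in `reimport_scan` in the reimporter hunk of this commit. `process_parsed_findings` also gains an `apply_tags_to_findings` parameter in the first reimporter hunk, but no use of it is visible in these hunks; if it is only accepted so the caller's keyword arguments pass through, a short comment saying so would stop it being read as dead code.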
@@ -571,6 +571,7 @@ def reimport_scan( service=None, do_not_reactivate=False, create_finding_groups_for_all_findings=True, + apply_tags_to_findings=False, ): logger.debug(f"REIMPORT_SCAN: parameters: {locals()}") @@ -741,7 +742,10 @@ def reimport_scan( reactivated_findings, untouched_findings, ) - + if apply_tags_to_findings and tags: + for finding in test_import.findings_affected.all(): + for tag in tags: + finding.tags.add(tag) logger.debug("REIMPORT_SCAN: Generating notifications") updated_count = ( From ee02a671d829a7fdfc676d8ba2a04d7b60030f02 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 8 Jan 2024 17:22:21 +0000 Subject: [PATCH 21/46] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index 44e6547597f..262ef7e6f3b 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.30.1", + "version": "2.31.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 2371e94834f..9406e56f475 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa -__version__ = '2.30.1' +__version__ = '2.31.0-dev' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index e9c97b973a1..a6478650057 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml 
@@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.30.1" +appVersion: "2.31.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.104 +version: 1.6.105-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 8bcf0909517b6b70daba9c48df9e0a9b43762a88 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 20:31:00 -0600 Subject: [PATCH 22/46] Update rabbitmq Docker tag from 3.12.11 to v3.12.12 (docker-compose.yml) (#9288) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 9e9536733f3..098acf40d20 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -149,7 +149,7 @@ services: volumes: - defectdojo_postgres:/var/lib/postgresql/data rabbitmq: - image: rabbitmq:3.12.11-alpine@sha256:8fa94d239594edc46213a31461028c0b33308411d1d8ed541cf568eb6c4843b7 + image: rabbitmq:3.12.12-alpine@sha256:fc97d1952a54cc28e7916e9d18c8f6970d861c9282f06555c2f81e49bbad182b profiles: - mysql-rabbitmq - postgres-rabbitmq From 47a6fe4b5a30f054ce8c17f18d1101c26a848170 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 20:31:21 -0600 Subject: [PATCH 23/46] Bump packageurl-python from 0.13.2 to 0.13.3 (#9295) Bumps [packageurl-python](https://github.com/package-url/packageurl-python) from 0.13.2 to 0.13.3. - [Release notes](https://github.com/package-url/packageurl-python/releases) - [Changelog](https://github.com/package-url/packageurl-python/blob/main/CHANGELOG.rst) - [Commits](https://github.com/package-url/packageurl-python/compare/v0.13.2...v0.13.3) --- updated-dependencies: - dependency-name: packageurl-python dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index ec4de822796..0546938c4c7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -58,7 +58,7 @@ debugpy==1.8.0
 python-gitlab==4.3.0
 drf_yasg==1.21.5
 cpe==1.2.1
-packageurl-python==0.13.2
+packageurl-python==0.13.3
 django-crum==0.7.9
 JSON-log-formatter==0.5.2
 django-split-settings==1.2.0
From 481c83bb785976842a1c19c6d90d0fb4f6df367f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 20:31:56 -0600 Subject: [PATCH 24/46] Bump jira from 3.5.2 to 3.6.0 (#9296) Bumps [jira](https://github.com/pycontribs/jira) from 3.5.2 to 3.6.0. - [Release notes](https://github.com/pycontribs/jira/releases) - [Changelog](https://github.com/pycontribs/jira/blob/main/RELEASE.md) - [Commits](https://github.com/pycontribs/jira/compare/3.5.2...3.6.0) --- updated-dependencies: - dependency-name: jira dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 0546938c4c7..d2f34fc4d1c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -29,7 +29,7 @@ djangorestframework==3.14.0
 gunicorn==21.2.0
 html2text==2020.1.16
 humanize==4.9.0
-jira==3.5.2
+jira==3.6.0
 PyGithub==1.58.2
 lxml==5.0.0
 Markdown==3.5.1
From 6882984f68ea1bf82e13b961f90eac97125d4604 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 20:32:35 -0600 Subject: [PATCH 25/46] Bump boto3 from 1.34.13 to 1.34.14 (#9294) Bumps [boto3](https://github.com/boto/boto3) from 1.34.13 to 1.34.14. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.34.13...1.34.14) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index d2f34fc4d1c..f9543906dbe 100644 --- a/requirements.txt +++ b/requirements.txt @@ -79,7 +79,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support -boto3==1.34.13 # Required for Celery Broker AWS (SQS) support +boto3==1.34.14 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.1 fontawesomefree==6.5.1 From 1f9b34a10be0b6de54d6f3b3121f66d53e557810 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 20:33:08 -0600 Subject: [PATCH 26/46] Update postgres:16.1-alpine Docker digest from 16.1 to 16.1-alpine (docker-compose.yml) (#9291) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 098acf40d20..a36dbcc8bf4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -138,7 +138,7 @@ services: volumes: - defectdojo_data:/var/lib/mysql postgres: - image: postgres:16.1-alpine@sha256:f35615ee44b870868cb5912cb36f2b03938137ffd857d3cb3542240035a71fcc + image: postgres:16.1-alpine@sha256:884718395ee967fc70374563f3b4d72f0c61f48f81868decb9fa452915fe070e profiles: - postgres-rabbitmq - postgres-redis From a5305428ea5f681e88c86e15da08a8f2d8ce23f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 22:05:24 -0600 Subject: [PATCH 27/46] Bump lxml from 5.0.0 to 5.1.0 (#9293) Bumps [lxml](https://github.com/lxml/lxml) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](https://github.com/lxml/lxml/compare/lxml-5.0.0...lxml-5.1.0) --- updated-dependencies: - dependency-name: lxml dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index f9543906dbe..126f7bb8b32 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,7 +31,7 @@ html2text==2020.1.16 humanize==4.9.0 jira==3.6.0 PyGithub==1.58.2 -lxml==5.0.0 +lxml==5.1.0 Markdown==3.5.1 mysqlclient==2.1.1 openpyxl==3.1.2 From cd2fcd6c422f313d78dd9b143232c9a11e22b622 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 12:17:51 -0600 Subject: [PATCH 28/46] Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (#9301) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docker-compose.yml b/docker-compose.yml index a36dbcc8bf4..a2cb1602bef 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -149,7 +149,7 @@ services: volumes: - defectdojo_postgres:/var/lib/postgresql/data rabbitmq: - image: rabbitmq:3.12.12-alpine@sha256:fc97d1952a54cc28e7916e9d18c8f6970d861c9282f06555c2f81e49bbad182b + image: rabbitmq:3.12.12-alpine@sha256:9ab2478b7f459334d0afb70fb5dfce2d3e74152cfa3c82913843798f03b40f72 profiles: - mysql-rabbitmq - postgres-rabbitmq From b98f261aba32fc30f595f544939acc5b9d41df80 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 12:18:10 -0600 Subject: [PATCH 29/46] Bump boto3 from 1.34.14 to 1.34.15 (#9302) Bumps [boto3](https://github.com/boto/boto3) from 1.34.14 to 1.34.15. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.34.14...1.34.15) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 126f7bb8b32..804e0f317c3 100644 --- a/requirements.txt +++ b/requirements.txt @@ -79,7 +79,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support -boto3==1.34.14 # Required for Celery Broker AWS (SQS) support +boto3==1.34.15 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.1 fontawesomefree==6.5.1 From bd1f0ea6d12abf859b99cca9a0992de21d174405 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 12:19:00 -0600 Subject: [PATCH 30/46] Bump packageurl-python from 0.13.3 to 0.13.4 (#9303) Bumps [packageurl-python](https://github.com/package-url/packageurl-python) from 0.13.3 to 0.13.4. - [Release notes](https://github.com/package-url/packageurl-python/releases) - [Changelog](https://github.com/package-url/packageurl-python/blob/main/CHANGELOG.rst) - [Commits](https://github.com/package-url/packageurl-python/compare/v0.13.3...v0.13.4) --- updated-dependencies: - dependency-name: packageurl-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 804e0f317c3..660cd7f6641 100644 --- a/requirements.txt +++ b/requirements.txt @@ -58,7 +58,7 @@ debugpy==1.8.0 python-gitlab==4.3.0 drf_yasg==1.21.5 cpe==1.2.1 -packageurl-python==0.13.3 +packageurl-python==0.13.4 django-crum==0.7.9 JSON-log-formatter==0.5.2 django-split-settings==1.2.0 From 1313670333c2a5adc38edb9bae2f0b6e367dc27f Mon Sep 17 00:00:00 2001 From: Benjamin Date: Wed, 10 Jan 2024 15:55:48 +0100 Subject: [PATCH 31/46] :sparkles: Add option for additional labels on initializer (#9273) --- helm/defectdojo/templates/initializer-job.yaml | 3 +++ helm/defectdojo/values.yaml | 1 + 2 files changed, 4 insertions(+) diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml index 5d041652207..e90015e8756 100644 --- a/helm/defectdojo/templates/initializer-job.yaml +++ b/helm/defectdojo/templates/initializer-job.yaml 
@@ -22,6 +22,9 @@ spec: defectdojo.org/component: initializer app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.initializer.labels }} + {{- toYaml .Values.initializer.labels | nindent 8 }} + {{- end }} annotations: {{- with .Values.initializer.annotations }} {{- toYaml . | nindent 8 }} diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index c54c036066f..0f29fb23b33 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -304,6 +304,7 @@ initializer: helm.sh/hook: "post-install,post-upgrade" } annotations: {} + labels: {} keepSeconds: 60 affinity: {} nodeSelector: {} From a91fc9b3c119e9b436a62e32e7222d8d1f536914 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 10 Jan 2024 12:39:01 -0600 Subject: [PATCH 32/46] Update redis Docker tag from 7.2.3 to v7.2.4 (docker-compose.yml) (#9305) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index a2cb1602bef..1a603f13669 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -156,7 +156,7 @@ services: volumes: - defectdojo_rabbitmq:/var/lib/rabbitmq redis: - image: redis:7.2.3-alpine@sha256:090276da2603db19b154602c374f505d94c10ea57e9749fc3e68e955284bf0fd + image: redis:7.2.4-alpine@sha256:995e6eaab954e92cadf1a0bb1eab71ae3baae8e02ea4354fd8aa136a61e42247 profiles: - mysql-redis - postgres-redis From 347eee6e6771fbb61e769e8317b23a610eafa0b8 Mon Sep 17 00:00:00 2001 
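Review bot: The new labels block uses `if` plus an explicit `toYaml .Values.initializer.labels`, while the annotations block three lines below uses the `with` idiom for the same job; writing it as `{{- with .Values.initializer.labels }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}` keeps the two blocks parallel and avoids repeating the value path. Both forms render nothing for the `labels: {}` default added in values.yaml, so this is style only. A one-line comment next to that default, `# extra labels applied to the initializer Job's pod template`, would tell chart users what the key reaches.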
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Jan 2024 12:39:52 -0600 Subject: [PATCH 33/46] Bump gitpython from 3.1.40 to 3.1.41 (#9310) Bumps [gitpython](https://github.com/gitpython-developers/GitPython) from 3.1.40 to 3.1.41. - [Release notes](https://github.com/gitpython-developers/GitPython/releases) - [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES) - [Commits](https://github.com/gitpython-developers/GitPython/compare/3.1.40...3.1.41) --- updated-dependencies: - dependency-name: gitpython dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 660cd7f6641..fd0f5308626 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -53,7 +53,7 @@ titlecase==2.4.1
 social-auth-app-django==5.4.0
 social-auth-core==4.5.1
 Python-jose==3.3.0
-gitpython==3.1.40
+gitpython==3.1.41
 debugpy==1.8.0
 python-gitlab==4.3.0
 drf_yasg==1.21.5
From 4d39bcfa1b4b32698331b167ad877a33a132063a Mon Sep 17 00:00:00 2001
From: Pavel <107552671+pna-nca@users.noreply.github.com> Date: Wed, 10 Jan 2024 20:52:48 +0100 Subject: [PATCH 34/46] new notifications type: SLA breach combined (per product) (#8659) This commit introduces a new type of notifications: SLA breach combined. The main difference is that notification is produced per product. Original SLA breach notifications are generated for each applicable findings. This may result in hundreds of messages (e-mail, slack or teams messages) for large products. Such alerts are hardly manageable and in the end not of much use. With SLA breach combined notifications being enabled a user receives a message per product with a list of findings which breach their SLA. It can be summarized in the following manner: subject: body: --- dojo/api_v2/serializers.py | 3 + .../0195_notifications_sla_breach_combined.py | 19 +++ dojo/forms.py | 3 +- dojo/models.py | 4 + .../mail/sla_breach_combined.tpl | 72 ++++++++++++ dojo/utils.py | 110 ++++++++++++++---- 6 files changed, 190 insertions(+), 21 deletions(-) create mode 100644 dojo/db_migrations/0195_notifications_sla_breach_combined.py create mode 100644 dojo/templates/notifications/mail/sla_breach_combined.tpl diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index a7e317210ff..49e3486fe2c 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -2970,6 +2970,9 @@ class NotificationsSerializer(serializers.ModelSerializer): sla_breach = MultipleChoiceField( choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION ) + sla_breach_combined = MultipleChoiceField( + choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION + ) risk_acceptance_expiration = MultipleChoiceField( choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION ) diff --git a/dojo/db_migrations/0195_notifications_sla_breach_combined.py b/dojo/db_migrations/0195_notifications_sla_breach_combined.py new file mode 100644 index 00000000000..ea818bb5b34 --- /dev/null 
+++ b/dojo/db_migrations/0195_notifications_sla_breach_combined.py @@ -0,0 +1,19 @@ +# Generated by Django 4.1.10 on 2023-09-12 11:29 + +from django.db import migrations +import multiselectfield.db.fields + + +class Migration(migrations.Migration): + + dependencies = [ + ('dojo', '0194_alter_finding_component_name'), + ] + + operations = [ + migrations.AddField( + model_name='notifications', + name='sla_breach_combined', + field=multiselectfield.db.fields.MultiSelectField(blank=True, choices=[('slack', 'slack'), ('msteams', 'msteams'), ('mail', 'mail'), ('alert', 'alert')], default=('alert', 'alert'), help_text='Get notified of (upcoming) SLA breaches (a message per project)', max_length=24, verbose_name='SLA breach (combined)'), + ), + ] diff --git a/dojo/forms.py b/dojo/forms.py index 508c24df4ab..fd2b6844ec3 100755 --- a/dojo/forms.py +++ b/dojo/forms.py @@ -2604,11 +2604,12 @@ def __init__(self, *args, **kwargs): self.initial['test_added'] = '' self.initial['scan_added'] = '' self.initial['sla_breach'] = '' + self.initial['sla_breach_combined'] = '' self.initial['risk_acceptance_expiration'] = '' class Meta: model = Notifications - fields = ['engagement_added', 'close_engagement', 'test_added', 'scan_added', 'sla_breach', 'risk_acceptance_expiration'] + fields = ['engagement_added', 'close_engagement', 'test_added', 'scan_added', 'sla_breach', 'sla_breach_combined', 'risk_acceptance_expiration'] class AjaxChoiceField(forms.ChoiceField): diff --git a/dojo/models.py b/dojo/models.py index 07f26c6bb57..556479184db 100755 --- a/dojo/models.py +++ b/dojo/models.py 
@@ -3793,6 +3793,9 @@ class Notifications(models.Model): risk_acceptance_expiration = MultiSelectField(choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION, blank=True, verbose_name=_('Risk Acceptance Expiration'), help_text=_('Get notified of (upcoming) Risk Acceptance expiries')) + sla_breach_combined = MultiSelectField(choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION, blank=True, + verbose_name=_('SLA breach (combined)'), + help_text=_('Get notified of (upcoming) SLA breaches (a message per project)')) class Meta: constraints = [ @@ -3832,6 +3835,7 @@ def merge_notifications_list(cls, notifications_list): result.review_requested = merge_sets_safe(result.review_requested, notifications.review_requested) result.other = merge_sets_safe(result.other, notifications.other) result.sla_breach = merge_sets_safe(result.sla_breach, notifications.sla_breach) + result.sla_breach_combined = merge_sets_safe(result.sla_breach_combined, notifications.sla_breach_combined) result.risk_acceptance_expiration = merge_sets_safe(result.risk_acceptance_expiration, notifications.risk_acceptance_expiration) return result diff --git a/dojo/templates/notifications/mail/sla_breach_combined.tpl b/dojo/templates/notifications/mail/sla_breach_combined.tpl new file mode 100644 index 00000000000..5b88a656e27 --- /dev/null +++ b/dojo/templates/notifications/mail/sla_breach_combined.tpl @@ -0,0 +1,72 @@ +{% load i18n %} +{% load navigation_tags %} +{% load display_tags %} + + + {% autoescape on %} +
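Review bot: The help text on the new `sla_breach_combined` field says `a message per project`, while its verbose name, the serializer field and the grouping in utils.py all speak of products, so the UI string describes the feature inconsistently. `help_text=_('Get notified of (upcoming) SLA breaches (one message per product)')` fixes the wording, but migration 0195 already carries the old string, so Django will expect a follow-up migration for the help_text change. The `merge_notifications_list` addition matches the neighbouring fields and needs nothing further.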

{% trans "Hello" %} {{ user.get_full_name }},

+

+ {% trans "Product summary" %}: +

    +
  • {% trans "name" %}: {{ product.name }}
  • +
  • {% trans "product type" %}: {{ product.prod_type }}
  • +
  • {% trans "team manager" %}: {{ product.team_manager }}
  • +
  • {% trans "product manager" %}: {{ product.product_manager }}
  • +
  • {% trans "technical contact" %}: {{ product.technical_contact }}
  • +
+

+

+ {% if breach_kind == 'breached' %} + {% blocktranslate trimmed %} + These security findings have breached their SLA: + {% endblocktranslate %} + {% elif breach_kind == 'prebreach' %} + {% blocktranslate trimmed %} + These security findings are about to breach their SLA: + {% endblocktranslate %} + {% elif breach_kind == 'breaching' %} + {% blocktranslate trimmed %} + These security findings breaching their SLA today: + {% endblocktranslate %} + {% else %} + This should not happen, check 'breach_kind' and 'kind' properties value in the source code. + {% endif %} +
+

    + {% for f in findings %} + {% url 'view_finding' f.id as finding_url %} +
  • + "{{ f.title }}" ({{ f.severity }} {% trans "severity" %}), {% trans "SLA age" %}: {{ f.sla_age }} +
  • + {% endfor %} +
+
+ {% trans "Please refer to your SLA documentation for further guidance" %} +

+ {% trans "Kind regards" %}, +
+ {% if system_settings.team_name %} + {{ system_settings.team_name }} + {% else %} + Defect Dojo + {% endif %} +
+

+ {% url 'notifications' as notification_url %} + {% trans "You can manage your notification settings here" %}: {{ notification_url|full_url }} +

+ {% if system_settings.disclaimer and system_settings.disclaimer.strip %} +
+
+ {% trans "Disclaimer" %} +
+

{{ system_settings.disclaimer }}

+
+ {% endif %} + {% endautoescape %} + + diff --git a/dojo/utils.py b/dojo/utils.py index 40cc68f192d..4d32d416c13 100644 --- a/dojo/utils.py +++ b/dojo/utils.py @@ -17,7 +17,7 @@ from django.conf import settings from django.core.mail import send_mail from django.core.paginator import Paginator -from django.urls import get_resolver, reverse +from django.urls import get_resolver, reverse, get_script_prefix from django.db.models import Q, Sum, Case, When, IntegerField, Value, Count from django.utils import timezone from django.utils.translation import gettext as _ 
@@ -1860,19 +1860,89 @@ def sla_compute_and_notify(*args, **kwargs): """ import dojo.jira_link.helper as jira_helper - def _notify(finding, title): - if not finding.test.engagement.product.disable_sla_breach_notifications: - create_notification( - event='sla_breach', - title=title, - finding=finding, - url=reverse('view_finding', args=(finding.id,)), - sla_age=sla_age - ) - - if do_jira_sla_comment: - logger.info("Creating JIRA comment to notify of SLA breach information.") - jira_helper.add_simple_jira_comment(jira_instance, jira_issue, title) + class NotificationEntry: + def __init__(self, finding=None, jira_issue=None, do_jira_sla_comment=False): + self.finding = finding + self.jira_issue = jira_issue + self.do_jira_sla_comment = do_jira_sla_comment + + def _add_notification(finding, kind): + # jira_issue, do_jira_sla_comment are taken from the context + # kind can be one of: breached, prebreach, breaching + if finding.test.engagement.product.disable_sla_breach_notifications: + return + + notification = NotificationEntry(finding=finding, + jira_issue=jira_issue, + do_jira_sla_comment=do_jira_sla_comment) + + pt = finding.test.engagement.product.prod_type.name + p = finding.test.engagement.product.name + + if pt in combined_notifications: + if p in combined_notifications[pt]: + if kind in combined_notifications[pt][p]: + combined_notifications[pt][p][kind].append(notification) + else: + combined_notifications[pt][p][kind] = [notification] + else: + combined_notifications[pt][p] = {kind: [notification]} + else: + combined_notifications[pt] = {p: {kind: [notification]}} + + def _notification_title_for_finding(finding, kind, sla_age): + title = "Finding %s - " % (finding.id) + if kind == 'breached': + abs_sla_age = abs(sla_age) + period = "day" + if abs_sla_age > 1: + period = "days" + title += "SLA breached by %d %s! 
Overdue notice" % (abs_sla_age, period) + elif kind == 'prebreach': + title += "SLA pre-breach warning - %d day(s) left" % (sla_age) + elif kind == 'breaching': + title += "SLA is breaching today" + + return title + + def _create_notifications(): + for pt in combined_notifications: + for p in combined_notifications[pt]: + for kind in combined_notifications[pt][p]: + # creating notifications on per-finding basis + + # we need this list for combined notification feature as we + # can not supply references to local objects as + # create_notification() arguments + findings_list = [] + + for n in combined_notifications[pt][p][kind]: + title = _notification_title_for_finding(n.finding, kind, n.finding.sla_days_remaining()) + + create_notification( + event='sla_breach', + title=title, + finding=n.finding, + url=reverse('view_finding', args=(n.finding.id,)), + ) + + if n.do_jira_sla_comment: + logger.info("Creating JIRA comment to notify of SLA breach information.") + jira_helper.add_simple_jira_comment(jira_instance, n.jira_issue, title) + + findings_list.append(n.finding) + + # producing a "combined" SLA breach notification + title_combined = "SLA alert (%s): product type '%s', product '%s'" % (kind, pt, p) + product = combined_notifications[pt][p][kind][0].finding.test.engagement.product + create_notification( + event='sla_breach_combined', + title=title_combined, + product=product, + findings=findings_list, + breach_kind=kind, + base_url=get_script_prefix(), + ) # exit early on flags system_settings = System_Settings.objects.get() @@ -1882,6 +1952,8 @@ def _notify(finding, title): jira_issue = None jira_instance = None + # notifications list per product per product type + combined_notifications = {} try: if system_settings.enable_finding_sla: logger.info("About to process findings for SLA notifications.") 
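Review bot: The per-finding `create_notification(event='sla_breach', ...)` call in `_create_notifications` no longer passes `sla_age`, which the call it replaces supplied, so any `sla_breach` template or notifier that reads `sla_age` now sees it unset; the value is already computed for the title, so hoist it: `sla_age = n.finding.sla_days_remaining()`, `title = _notification_title_for_finding(n.finding, kind, sla_age)`, and add `sla_age=sla_age,` to the call. The four-level `if pt in combined_notifications` ladder in `_add_notification` collapses to `combined_notifications.setdefault(pt, {}).setdefault(p, {}).setdefault(kind, []).append(notification)`, and `NotificationEntry` carries no behaviour, so a `NamedTuple` would document its three fields more cheaply than a class with `__init__`. `_add_notification` reads `jira_issue`, `do_jira_sla_comment` and `combined_notifications` from the enclosing scope; the comment it has only names two of them, so `# closes over jira_issue, do_jira_sla_comment and combined_notifications from sla_compute_and_notify` would state the dependency fully. The enclosing `sla_compute_and_notify` continues outside the hunk.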
@@ -1970,23 +2042,21 @@ def _notify(finding, title): logger.info("Finding {} has breached by {} days.".format(finding.id, abs(sla_age))) abs_sla_age = abs(sla_age) if not system_settings.enable_notify_sla_exponential_backoff or abs_sla_age == 1 or (abs_sla_age & (abs_sla_age - 1) == 0): - period = "day" - if abs_sla_age > 1: - period = "days" - _notify(finding, 'Finding {} - SLA breached by {} {}! Overdue notice'.format(finding.id, abs_sla_age, period)) + _add_notification(finding, 'breached') else: logger.info("Skipping notification as exponential backoff is enabled and the SLA is not a power of two") # The finding is within the pre-breach period elif (sla_age > 0) and (sla_age <= settings.SLA_NOTIFY_PRE_BREACH): pre_breach_count += 1 logger.info("Security SLA pre-breach warning for finding ID {}. Days remaining: {}".format(finding.id, sla_age)) - _notify(finding, 'Finding {} - SLA pre-breach warning - {} day(s) left'.format(finding.id, sla_age)) + _add_notification(finding, 'prebreach') # The finding breaches the SLA today elif (sla_age == 0): at_breach_count += 1 logger.info("Security SLA breach warning. Finding ID {} breaching today ({})".format(finding.id, sla_age)) - _notify(finding, "Finding {} - SLA is breaching today".format(finding.id)) + _add_notification(finding, 'breaching') + _create_notifications() logger.info("SLA run results: Pre-breach: {}, at-breach: {}, post-breach: {}, post-breach-no-notify: {}, with-jira: {}, TOTAL: {}".format( pre_breach_count, at_breach_count, From 3fe99540d4462d35766b3c7de47ddcb7c25a8c85 Mon Sep 17 00:00:00 2001 
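Review bot: Deferring every notification to the single `_create_notifications()` call after the loop changes failure behaviour: previously each finding's notification was emitted as it was classified, whereas now an exception raised for any later finding inside the loop discards every entry queued in `combined_notifications` before it, and if the call sits inside the `try:` opened a few lines above, as the indentation suggests, the `except` path runs with nothing sent. Either emit the queued batch on the way out when it is non-empty, or log `len(combined_notifications)` in the exception branch so operators can see that notifications were dropped. The call is also placed before the `logger.info("SLA run results ...")` summary, so a failure inside `_create_notifications` itself hides the counts; swapping the two lines keeps the summary. The enclosing function continues outside the hunk.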
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Wed, 10 Jan 2024 20:55:29 +0100 Subject: [PATCH 35/46] =?UTF-8?q?=F0=9F=90=9B=20Nikto:=20Support=20v2.5.0?= =?UTF-8?q?=20format=20(#9275)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * :bug: fix nikto new parser format #9274 * :bug: fix according to comment * Update dojo/tools/nikto/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/nikto/parser.py Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> --- dojo/tools/nikto/parser.py | 20 +++++---- unittests/scans/nikto/issue_9274.json | 62 +++++++++++++++++++++++++++ unittests/tools/test_nikto_parser.py | 9 ++++ 3 files changed, 82 insertions(+), 9 deletions(-) create mode 100644 unittests/scans/nikto/issue_9274.json diff --git a/dojo/tools/nikto/parser.py b/dojo/tools/nikto/parser.py index 5092ba44d3d..b5c9cafe4b9 100644 --- a/dojo/tools/nikto/parser.py +++ b/dojo/tools/nikto/parser.py 
@@ -43,26 +43,28 @@ def get_findings(self, filename, test): def process_json(self, file, test): data = json.load(file) - + if len(data) == 1 and type(data) is list: + data = data[0] dupes = dict() host = data.get("host") port = data.get("port") if port is not None: port = int(port) for vulnerability in data.get("vulnerabilities", []): + description = "\n".join([ + f"**id:** `{vulnerability.get('id')}`", + f"**msg:** `{vulnerability.get('msg')}`", + f"**HTTP Method:** `{vulnerability.get('method')}`", + ]) + if vulnerability.get('OSVDB') is not None: + description += "\n" + f"**OSVDB:** `{vulnerability.get('OSVDB')}`" finding = Finding( title=vulnerability.get("msg"), severity="Info", # Nikto doesn't assign severity, default to Info - description="\n".join( - [ - f"**id:** `{vulnerability.get('id')}`", - f"**msg:** `{vulnerability.get('msg')}`", - f"**HTTP Method:** `{vulnerability.get('method')}`", - f"**OSVDB:** `{vulnerability.get('OSVDB')}`", - ] - ), + description=description, vuln_id_from_tool=vulnerability.get("id"), nb_occurences=1, + references=vulnerability.get("references") ) # manage if we have an ID from OSVDB if "OSVDB" in vulnerability and "0" != vulnerability.get("OSVDB"): diff --git a/unittests/scans/nikto/issue_9274.json b/unittests/scans/nikto/issue_9274.json new file mode 100644 index 00000000000..fa014208196 --- /dev/null +++ b/unittests/scans/nikto/issue_9274.json 
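Review bot: The new guard `if len(data) == 1 and type(data) is list:` only unwraps a one-element list, so a report that carries more than one host entry still reaches `data.get("host")` as a list and fails with an `AttributeError` instead of a parser error. Use `isinstance(data, list)` and either iterate over every entry or fail explicitly, e.g. `if isinstance(data, list):` / `if len(data) != 1: raise ValueError("Nikto JSON reports with several host entries are not supported")` / `data = data[0]`. A comment above the guard, `# Nikto 2.5.0 wraps the report in a one-element list`, would record why the unwrap exists, since the commit title is the only place that says so. `process_json` continues outside the hunk.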
@@ -0,0 +1,62 @@ +[ + { + "host": "example.com", + "ip": "203.0.113.37", + "port": "443", + "banner": "", + "vulnerabilities": [ + { + "id": "999986", + "method": "GET", + "url": "/", + "msg": "Retrieved via header: 1.1 google." + }, + { + "id": "999978", + "references": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options", + "method": "GET", + "url": "/", + "msg": "/:X-Frame-Options header is deprecated and has been replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead." + }, + { + "id": "999103", + "references": "https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/", + "method": "GET", + "url": "/robots.txt", + "msg": "The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type." + }, + { + "id": "999996", + "references": "https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt", + "method": "GET", + "url": "/robots.txt", + "msg": "contains 1 entry which should be manually viewed." + }, + { + "id": "999962", + "method": "GET", + "url": "/images/8f7c0a6.ico", + "msg": ": Server banner changed from 'nginx' to 'ghs'." + }, + { + "id": "999966", + "references": "http://breachattack.com/", + "method": "GET", + "url": "/", + "msg": "The Content-Encoding header is set to \\\"deflate\\\" which may mean that the server is vulnerable to the BREACH attack." + }, + { + "id": "999100", + "method": "GET", + "url": "/", + "msg": "Uncommon header 'x-google-gfe-load-report' found, with contents: utilization_percent: 51.177505 queries_per_second: 20382 errors_per_second: 0." + }, + { + "id": "999100", + "method": "GET", + "url": "/", + "msg": "Uncommon header 'x-google-gfe-backend-request-cost' found, with contents: 51.177506531784765." + } + ] + } + ] \ No newline at end of file 
diff --git a/unittests/tools/test_nikto_parser.py b/unittests/tools/test_nikto_parser.py index ae8612dc082..6fba5a6fd72 100644 --- a/unittests/tools/test_nikto_parser.py +++ b/unittests/tools/test_nikto_parser.py @@ -176,3 +176,12 @@ def test_parse_file_xml_another(self): self.assertEqual(443, endpoint.port) self.assertEqual("64.220.43.153", endpoint.host) self.assertIsNone(endpoint.path) + + def test_parse_file_issue_9274(self): + testfile = open("unittests/scans/nikto/issue_9274.json") + parser = NiktoParser() + findings = parser.get_findings(testfile, Test()) + for finding in findings: + for endpoint in finding.unsaved_endpoints: + endpoint.clean() + self.assertEqual(8, len(findings)) From 9924957f0cc63aff942230a76416bc85614bd44d Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Wed, 10 Jan 2024 20:55:55 +0100 Subject: [PATCH 36/46] =?UTF-8?q?=F0=9F=90=9BCycloneDX:=20Add=20default=20?= =?UTF-8?q?for=20description=20(#9280)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * :Bug: fix cyclonedx parser, issue #9277 * advanced unittest --- dojo/tools/cyclonedx/parser.py | 2 + unittests/scans/cyclonedx/issue_9277.json | 8026 +++++++++++++++++++++ unittests/tools/test_cyclonedx_parser.py | 15 +- 3 files changed, 8042 insertions(+), 1 deletion(-) create mode 100644 unittests/scans/cyclonedx/issue_9277.json diff --git a/dojo/tools/cyclonedx/parser.py b/dojo/tools/cyclonedx/parser.py index b174d7ab878..608a1f8aa51 100644 --- a/dojo/tools/cyclonedx/parser.py +++ b/dojo/tools/cyclonedx/parser.py @@ -418,6 +418,8 @@ def _get_findings_json(self, file, test): component_name, component_version = self._get_component( components, reference ) + if not description: + description = "Description was not provided." finding = Finding( title=f"{component_name}:{component_version} | {vulnerability.get('id')}", test=test, 
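Review bot: `test_parse_file_issue_9274` opens the fixture with a bare `open(...)` and never closes it, which leaks the handle and triggers a `ResourceWarning` under the test runner; `with open("unittests/scans/nikto/issue_9274.json") as testfile:` with the body indented under it fixes that, whatever pattern the older tests in this file follow. The test only asserts the finding count, so it does not pin the behaviour the parser change actually adds; checking `references` on the finding built from the fixture's second entry, e.g. `self.assertEqual("https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options", findings[1].references)`, would, assuming the parser preserves input order.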
diff --git a/unittests/scans/cyclonedx/issue_9277.json b/unittests/scans/cyclonedx/issue_9277.json new file mode 100644 index 00000000000..c415dbbf6d6 --- /dev/null +++ b/unittests/scans/cyclonedx/issue_9277.json 
@@ -0,0 +1,8026 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:0a6ed783-9138-4492-8d51-a4d02937ca69", + "version": 1, + "metadata": { + "timestamp": "2024-01-04T15:25:30+00:00", + "tools": [ + { + "vendor": "aquasecurity", + "name": "trivy", + "version": "0.48.1" + } + ], + "component": { + "bom-ref": "pkg:oci/ubuntu@sha256%3A6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b?arch=amd64&repository_url=index.docker.io%2Flibrary%2Fubuntu", + "type": "container", + "name": "ubuntu:latest", + "purl": "pkg:oci/ubuntu@sha256%3A6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b?arch=amd64&repository_url=index.docker.io%2Flibrary%2Fubuntu", + "properties": [ + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:ImageID", + "value": "sha256:174c8c134b2a94b5bb0b37d9a2b6ba0663d82d23ebf62bd51f74a2fd457333da" + }, + { + "name": "aquasecurity:trivy:RepoDigest", + "value": "ubuntu@sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b" + }, + { + "name": "aquasecurity:trivy:RepoTag", + "value": "ubuntu:latest" + }, + { + "name": "aquasecurity:trivy:SchemaVersion", + "value": "2" + } + ] + } + }, + "components": [ + { + "bom-ref": "5303f1e6-739c-497b-8ad9-01b5318e8266", + "type": "operating-system", + "name": "ubuntu", + "version": "22.04", + "properties": [ + { + "name": "aquasecurity:trivy:Class", + "value": "os-pkgs" + }, + { + "name": "aquasecurity:trivy:Type", + "value": "ubuntu" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "adduser", + "version": "3.118ubuntu5", + "hashes": [ + { + "alg": "SHA-256", + "content": "53c30389227d4d16f1108a1df7ae1540c890378318335d1dc7ee95b7257f1f17" + } + 
], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "adduser@3.118ubuntu5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "adduser" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.118ubuntu5" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/apt@2.4.11?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "apt", + "version": "2.4.11", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/apt@2.4.11?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "apt@2.4.11" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "apt" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.4.11" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "base-files", + "version": "12ubuntu4.4", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": 
"pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "base-files@12ubuntu4.4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "base-files" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "12ubuntu4.4" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/base-passwd@3.5.52build1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Colin Watson " + }, + "name": "base-passwd", + "version": "3.5.52build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "b82ef485b59eb330ed56bc4afc54c6bd809e158da0019788ff0ba3cbab9d7bf9" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/ubuntu/base-passwd@3.5.52build1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "base-passwd@3.5.52build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "base-passwd" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.5.52build1" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": 
"bash", + "version": "5.1-6ubuntu1", + "hashes": [ + { + "alg": "SHA-256", + "content": "543fc0be88d2cf33ada88fe0cf82e1ec3fdcdd56e411dd2958eb3ef6e1a3d2fa" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "bash@5.1-6ubuntu1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "bash" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6ubuntu1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "5.1" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/bsdutils@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "bsdutils", + "version": "2.37.2-4ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "8e863dcd6b6efbdccb83ef32fea9d80a051e48ae2311e718ea46d18bf1a4eab8" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/bsdutils@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", 
+ "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "bsdutils@1:2.37.2-4ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.37.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "coreutils", + "version": "8.32-4.1ubuntu1", + "hashes": [ + { + "alg": "SHA-256", + "content": "b4bef42afe93036b1010a8b4cb03f0d3e715eed64d0cd88f7a945be40d0316f6" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "coreutils@8.32-4.1ubuntu1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "coreutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4.1ubuntu1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "8.32" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/dash@0.5.11%2Bgit20210903%2B057cd650a4ed-3build1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "dash", + 
"version": "0.5.11+git20210903+057cd650a4ed-3build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "a539a1fc715f9f52cf9159e1f2c8d254a611d1f2c176a25ca7d99372fa76f4b8" + } + ], + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "FSFULLR" + } + }, + { + "license": { + "name": "FSFUL" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/ubuntu/dash@0.5.11%2Bgit20210903%2B057cd650a4ed-3build1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "dash@0.5.11+git20210903+057cd650a4ed-3build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "dash" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.5.11+git20210903+057cd650a4ed" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "debconf", + "version": "1.5.79ubuntu1", + "hashes": [ + { + "alg": "SHA-256", + "content": "395a65b3a9539304391456d4d0e5531f4249f297b6e67eb0fcaf2ff77ddc3dc3" + } + ], + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + } + ], + "purl": "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": 
"aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "debconf@1.5.79ubuntu1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "debconf" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.5.79ubuntu1" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "debianutils", + "version": "5.5-1ubuntu2", + "hashes": [ + { + "alg": "SHA-256", + "content": "a285df5a72f6eadd75a042c148f4a26c6bead543e73077f12d8d0069b315082d" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "debianutils@5.5-1ubuntu2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "debianutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1ubuntu2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "5.5" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/diffutils@3.8-0ubuntu2?arch=amd64&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "diffutils", + "version": "3.8-0ubuntu2", + "hashes": [ + { + "alg": "SHA-256", + "content": "521bdc309168c15662347d4a861ece04d85745dbf9237b1e166d4f90f35c1bb5" + } + ], + "licenses": [ + { + "license": { + "name": 
"GPL-3.0" + } + }, + { + "license": { + "name": "GFDL" + } + } + ], + "purl": "pkg:deb/ubuntu/diffutils@3.8-0ubuntu2?arch=amd64&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "diffutils@1:3.8-0ubuntu2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "diffutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0ubuntu2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.8" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "dpkg", + "version": "1.21.1ubuntu2.2", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "public-domain-s-s-d" + } + }, + { + "license": { + "name": "public-domain-md5" + } + } + ], + "purl": "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "dpkg@1.21.1ubuntu2.2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "dpkg" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": 
"1.21.1ubuntu2.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/e2fsprogs@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "e2fsprogs", + "version": "1.46.5-2ubuntu1.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/e2fsprogs@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "e2fsprogs@1.46.5-2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.46.5" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/findutils@4.8.0-1ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "findutils", + "version": "4.8.0-1ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "36b82c9455c45b4f1b88d07bdf30a1b62a4ad6164595b55254c0def2265ff4d6" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + } + ], + "purl": "pkg:deb/ubuntu/findutils@4.8.0-1ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": 
"aquasecurity:trivy:PkgID", + "value": "findutils@4.8.0-1ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "findutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.8.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Core developers " + }, + "name": "gcc-12-base", + "version": "12.3.0-1ubuntu1~22.04", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.2" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "Artistic" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "gcc-12-base@12.3.0-1ubuntu1~22.04" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gcc-12" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1ubuntu1~22.04" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "12.3.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "gpgv", + "version": "2.2.27-3ubuntu2.1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "permissive" + } + }, + { + "license": { + 
"name": "LGPL-2.1" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "RFC-Reference" + } + }, + { + "license": { + "name": "TinySCHEME" + } + }, + { + "license": { + "name": "CC0-1.0" + } + } + ], + "purl": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "gpgv@2.2.27-3ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gnupg2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.2.27" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/grep@3.7-1build1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "grep", + "version": "3.7-1build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "26d08b9c96962528c73c13b5c11f245b91e49edab15f73bf8705bad1472a0113" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/grep@3.7-1build1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "grep@3.7-1build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, 
+ { + "name": "aquasecurity:trivy:SrcName", + "value": "grep" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.7" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/gzip@1.10-4ubuntu4.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "gzip", + "version": "1.10-4ubuntu4.1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.3+-no-invariant" + } + }, + { + "license": { + "name": "FSF-manpages" + } + }, + { + "license": { + "name": "GFDL-3" + } + } + ], + "purl": "pkg:deb/ubuntu/gzip@1.10-4ubuntu4.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "gzip@1.10-4ubuntu4.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gzip" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4ubuntu4.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.10" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/hostname@3.23ubuntu2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "hostname", + "version": "3.23ubuntu2", + "hashes": [ + { + "alg": "SHA-256", + "content": "cec0448fef88a43a3c232fd9df555ca4c468cf5e16ddf3a1b0a5f7b7f076e413" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/hostname@3.23ubuntu2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": 
"sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "hostname@3.23ubuntu2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "hostname" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.23ubuntu2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "init-system-helpers", + "version": "1.62", + "hashes": [ + { + "alg": "SHA-256", + "content": "810bc27b9b3cecab056d80d726de535ca68f00fcd955683bf46674d779f4e710" + } + ], + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "init-system-helpers@1.62" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "init-system-helpers" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.62" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libacl1@2.3.1-1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libacl1", + "version": "2.3.1-1", + "hashes": [ + { + "alg": "SHA-256", + "content": "4db2c64ec74f673ed022e92cce7b83d0cbe0b779e02ca60a56ba59ae07754e05" + } 
+ ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + } + ], + "purl": "pkg:deb/ubuntu/libacl1@2.3.1-1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libacl1@2.3.1-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "acl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.3.1" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libapt-pkg6.0", + "version": "2.4.11", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libapt-pkg6.0@2.4.11" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "apt" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.4.11" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libattr1@2.5.1-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu 
Developers " + }, + "name": "libattr1", + "version": "2.5.1-1build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "bb4448dcade4f169846d6e3dc00b768f39afd16db07877f595a1d3d92d191050" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + } + ], + "purl": "pkg:deb/ubuntu/libattr1@2.5.1-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libattr1@1:2.5.1-1build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "attr" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.5.1" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libaudit-common", + "version": "3.0.7-1build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "86697036d05c956b5b42339bf61ecf3743f7c6fd4d59a67ab16add9a2cd7802a" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-1.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": 
"aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libaudit-common@1:3.0.7-1build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "audit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.0.7" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libaudit1", + "version": "3.0.7-1build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "36710fbc49150a13f14f1f9c2c8288ee840cf9425f8a609c22fefa6b64eb51c1" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-1.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libaudit1@1:3.0.7-1build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "audit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.0.7" + } + ] + }, + { + "bom-ref": 
"pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libblkid1", + "version": "2.37.2-4ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "f5ce929bf28632d227588fcc58b1aa6ec609dc89420161347a758f16efcdb34f" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libblkid1@2.37.2-4ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.37.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libbz2-1.0", + "version": "1.0.8-5build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "3bfeaf4259eadbb7faa09feee86cd6cad172cd95907d7465afd0eb5aebb5433f" + } + ], + "licenses": [ + { + "license": { + 
"name": "BSD-variant" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libbz2-1.0@1.0.8-5build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "bzip2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.0.8" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libc-bin", + "version": "2.35-0ubuntu3.5", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + } + ], + "purl": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libc-bin@2.35-0ubuntu3.5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "glibc" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0ubuntu3.5" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.35" + } + ] + }, + { + "bom-ref": 
"pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libc6", + "version": "2.35-0ubuntu3.5", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + } + ], + "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libc6@2.35-0ubuntu3.5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "glibc" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0ubuntu3.5" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.35" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libcap-ng0", + "version": "0.7.9-2.2build3", + "hashes": [ + { + "alg": "SHA-256", + "content": "124d0c8748a841f279e996298ef8aac69a249e294792f4b5e16dc00496f1d3ac" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + 
}, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcap-ng0@0.7.9-2.2build3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libcap-ng" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2.2build3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.7.9" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libcap2@2.44-1ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libcap2", + "version": "2.44-1ubuntu0.22.04.1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libcap2@2.44-1ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcap2@1:2.44-1ubuntu0.22.04.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libcap2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1ubuntu0.22.04.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.44" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libcom-err2", + "version": "1.46.5-2ubuntu1.1", + "purl": "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": 
"sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcom-err2@1.46.5-2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.46.5" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libcrypt1", + "version": "4.4.27-1", + "hashes": [ + { + "alg": "SHA-256", + "content": "3fa566e9f861a08736cbc5a97562d9d6e4f0c00450fbeafcb6d7583423b04a98" + } + ], + "purl": "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcrypt1@1:4.4.27-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libxcrypt" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.4.27" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libdb5.3@5.3.28%2Bdfsg1-0.8ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libdb5.3", + "version": "5.3.28+dfsg1-0.8ubuntu3", + 
"hashes": [ + { + "alg": "SHA-256", + "content": "ce60e446c9cb0e94bb4b4d0fe4f969e772edec250deb186bacf955e4d196548b" + } + ], + "purl": "pkg:deb/ubuntu/libdb5.3@5.3.28%2Bdfsg1-0.8ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libdb5.3@5.3.28+dfsg1-0.8ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "db5.3" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0.8ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "5.3.28+dfsg1" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libdebconfclient0", + "version": "0.261ubuntu1", + "hashes": [ + { + "alg": "SHA-256", + "content": "508d09720201f533ee98fa139dbf49d7d980a053693809be11609559f81eb2c0" + } + ], + "purl": "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libdebconfclient0@0.261ubuntu1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "cdebconf" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.261ubuntu1" + } + ] + }, + { + "bom-ref": 
"pkg:deb/ubuntu/libext2fs2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libext2fs2", + "version": "1.46.5-2ubuntu1.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libext2fs2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libext2fs2@1.46.5-2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.46.5" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libffi8", + "version": "3.4.2-4", + "hashes": [ + { + "alg": "SHA-256", + "content": "b4f88c91fa6f4c942097be6abfc365fb133c5e147640168cbb7704fd855eac10" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libffi8@3.4.2-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + 
}, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libffi" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.4.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Core developers " + }, + "name": "libgcc-s1", + "version": "12.3.0-1ubuntu1~22.04", + "purl": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgcc-s1@12.3.0-1ubuntu1~22.04" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gcc-12" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1ubuntu1~22.04" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "12.3.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libgcrypt20", + "version": "1.9.4-3ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "fe7d7e9f83b280f4fafaaa3852e462f43a9e854bc268e06667da2bf1b3e9d658" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": 
"sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgcrypt20@1.9.4-3ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libgcrypt20" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.9.4" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libgmp10", + "version": "6.2.1+dfsg-3ubuntu1", + "hashes": [ + { + "alg": "SHA-256", + "content": "d199a77e11701d4d620dd4f62e05740e3072dce893856ea3bbaa6ae9fa19fef1" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgmp10@2:6.2.1+dfsg-3ubuntu1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gmp" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3ubuntu1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.2.1+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, 
+ "name": "libgnutls30", + "version": "3.7.3-4ubuntu1.3", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + }, + { + "license": { + "name": "CC0" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "LGPLv3+" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgnutls30@3.7.3-4ubuntu1.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gnutls28" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4ubuntu1.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.7.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libgpg-error0", + "version": "1.43-3", + "hashes": [ + { + "alg": "SHA-256", + "content": "1fbacdf9bd1e431cee874a697b339f6f925182bc79bba5a112b53669b33265c5" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "g10-permissive" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + 
"name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgpg-error0@1.43-3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libgpg-error" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.43" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgssapi-krb5-2@1.19.2-2ubuntu0.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "krb5" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.19.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libhogweed6", + "version": "3.7.3-1build2", + "hashes": [ + { + "alg": "SHA-256", + "content": 
"2402ac51ebc760799b01f3fd4933126c5eb446e5b043832601fb589f5e50c363" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0-with-autoconf-exception" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "GAP" + } + } + ], + "purl": "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libhogweed6@3.7.3-1build2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nettle" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.7.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libidn2-0", + "version": "2.3.2-2build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "bc935e1871aa4a75d3f4ff549af32b7316aecfbea2200d85055878767b8398c8" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "Unicode" + } + } + ], + "purl": "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": 
"sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libidn2-0@2.3.2-2build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libidn2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.3.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libk5crypto3@1.19.2-2ubuntu0.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "krb5" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.19.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libkeyutils1", + "version": "1.6.1-2ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "940daf78ee0229549b4eabc92ffd79dd038ed96a44e2e912305a23540cf22a0a" 
+ } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libkeyutils1@1.6.1-2ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "keyutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.6.1" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libkrb5-3@1.19.2-2ubuntu0.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "krb5" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.19.2" + } + ] + }, + { + "bom-ref": 
"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libkrb5support0@1.19.2-2ubuntu0.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "krb5" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.19.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "liblz4-1", + "version": "1.9.3-2build2", + "hashes": [ + { + "alg": "SHA-256", + "content": "ac9b54d0feb840345060c74fb687675c5e1eb2b195effafae38c5f9991041e98" + } + ], + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "liblz4-1@1.9.3-2build2" + }, + { + "name": 
"aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "lz4" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2build2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.9.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "liblzma5", + "version": "5.2.5-2ubuntu1", + "hashes": [ + { + "alg": "SHA-256", + "content": "8f1c46e7d3f5102a5e4fdca7c949728a343ba71c2a7c124118df2c13d4c444f7" + } + ], + "licenses": [ + { + "license": { + "name": "PD" + } + }, + { + "license": { + "name": "probably-PD" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "permissive-fsf" + } + }, + { + "license": { + "name": "Autoconf" + } + }, + { + "license": { + "name": "permissive-nowarranty" + } + }, + { + "license": { + "name": "none" + } + }, + { + "license": { + "name": "config-h" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "noderivs" + } + }, + { + "license": { + "name": "PD-debian" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "liblzma5@5.2.5-2ubuntu1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "xz-utils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu1" + }, + { + "name": 
"aquasecurity:trivy:SrcVersion", + "value": "5.2.5" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libmount1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libmount1", + "version": "2.37.2-4ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "d38fb72ed15461ac652215fa488c5fc3b4e6c86dcc6341eb833aef8dc8ad6e0f" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libmount1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libmount1@2.37.2-4ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.37.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libncurses6", + "version": "6.3-2ubuntu0.1", + "purl": 
"pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libncurses6@6.3-2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ncurses" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libncursesw6", + "version": "6.3-2ubuntu0.1", + "purl": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libncursesw6@6.3-2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ncurses" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libnettle8", + "version": "3.7.3-1build2", + "hashes": [ + { + "alg": "SHA-256", + 
"content": "6da09e685e5587f8873f662b007de45f75424fb33d2c4a51837380e683d33c7e" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0-with-autoconf-exception" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "GAP" + } + } + ], + "purl": "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libnettle8@3.7.3-1build2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nettle" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.7.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libnsl2@1.3.0-2build2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libnsl2", + "version": "1.3.0-2build2", + "hashes": [ + { + "alg": "SHA-256", + "content": "cfeef478f96ace59617f4f93c2497776b98a33c99bf3602af46844ccf9cba9d3" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "permissive-fsf" + } + }, + { + "license": { + "name": "permissive-makefile-in" + } + }, + { + "license": { + "name": "permissive-autoconf-m4-no-warranty" + } + }, + { + "license": { + "name": "GPL-3+-autoconf-exception" + } + }, + { + 
"license": { + "name": "permissive-configure" + } + }, + { + "license": { + "name": "GPL-2+-autoconf-exception" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "GPL-2+-libtool-exception" + } + }, + { + "license": { + "name": "permissive-autoconf-m4" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libnsl2@1.3.0-2build2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libnsl2@1.3.0-2build2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libnsl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2build2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.3.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libp11-kit0", + "version": "0.24.0-6build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "70d9009af3c5cbf70c374b493f3a51f4d722757a8efe0d89af9796da78a51262" + } + ], + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "permissive-like-automake-output" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "ISC+IBM" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "same-as-rest-of-p11kit" + } + } + ], + "purl": "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + 
"name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libp11-kit0@0.24.0-6build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "p11-kit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.24.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libpam-modules-bin@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libpam-modules-bin", + "version": "1.4.0-11ubuntu2.3", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libpam-modules-bin@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpam-modules-bin@1.4.0-11ubuntu2.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pam" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "11ubuntu2.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.4.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libpam-modules", + "version": "1.4.0-11ubuntu2.3", + "licenses": [ + { + 
"license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpam-modules@1.4.0-11ubuntu2.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pam" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "11ubuntu2.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.4.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libpam-runtime@1.4.0-11ubuntu2.3?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libpam-runtime", + "version": "1.4.0-11ubuntu2.3", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libpam-runtime@1.4.0-11ubuntu2.3?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpam-runtime@1.4.0-11ubuntu2.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pam" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "11ubuntu2.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.4.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + 
"supplier": { + "name": "Ubuntu Developers " + }, + "name": "libpam0g", + "version": "1.4.0-11ubuntu2.3", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpam0g@1.4.0-11ubuntu2.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pam" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "11ubuntu2.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.4.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libpcre2-8-0", + "version": "10.39-3ubuntu0.1", + "purl": "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpcre2-8-0@10.39-3ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pcre2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "10.39" + } + ] + }, + { + "bom-ref": 
"pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libpcre3", + "version": "8.39-13ubuntu0.22.04.1", + "purl": "pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpcre3@2:8.39-13ubuntu0.22.04.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pcre3" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "13ubuntu0.22.04.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "8.39" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libprocps8", + "version": "3.3.17-6ubuntu2.1", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libprocps8@2:3.3.17-6ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + 
"value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "procps" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.3.17" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libseccomp2", + "version": "2.5.3-2ubuntu2", + "hashes": [ + { + "alg": "SHA-256", + "content": "684ebb02924935f6c176eea7d42ac367fcd8f019450e4782c79e5abb349d6aab" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + } + ], + "purl": "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libseccomp2@2.5.3-2ubuntu2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libseccomp" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.5.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libselinux1", + "version": "3.3-1build2", + "hashes": [ + { + "alg": "SHA-256", + "content": "b96c6b40ee2388bd51341cb11c0f1d5bcca29b9180b6e3a77a06b881f2913f7e" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": 
"pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libselinux1@3.3-1build2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libselinux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libsemanage-common", + "version": "3.3-1build2", + "hashes": [ + { + "alg": "SHA-256", + "content": "bb60d1049ed3d7838b395785cab09f2210c04878fcae9391ea3499f62d04ec2d" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsemanage-common@3.3-1build2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libsemanage" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.3" + } + ] + }, + { + "bom-ref": 
"pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libsemanage2", + "version": "3.3-1build2", + "hashes": [ + { + "alg": "SHA-256", + "content": "0ab2748fce09293ca2c4c1214460409f834be1736ec1b1841927302efd8fa9da" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsemanage2@3.3-1build2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libsemanage" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libsepol2", + "version": "3.3-1build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "d47b019f21865a9692e361d260e96a3234fd934cee37026dad8f41228d9363d8" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": 
"sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsepol2@3.3-1build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libsepol" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libsmartcols1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libsmartcols1", + "version": "2.37.2-4ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "b61722721fc4e2534823e391e6ed73655cf8c5b13e2977003f3b930f166260b0" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libsmartcols1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsmartcols1@2.37.2-4ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": 
"4ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.37.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libss2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libss2", + "version": "1.46.5-2ubuntu1.1", + "purl": "pkg:deb/ubuntu/libss2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libss2@1.46.5-2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.46.5" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libssl3", + "version": "3.0.2-0ubuntu1.12", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "Artistic" + } + }, + { + "license": { + "name": "GPL-1.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libssl3@3.0.2-0ubuntu1.12" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { 
+ "name": "aquasecurity:trivy:SrcName", + "value": "openssl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0ubuntu1.12" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.0.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Core developers " + }, + "name": "libstdc++6", + "version": "12.3.0-1ubuntu1~22.04", + "purl": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libstdc++6@12.3.0-1ubuntu1~22.04" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gcc-12" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1ubuntu1~22.04" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "12.3.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libsystemd0", + "version": "249.11-0ubuntu3.11", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "CC0-1.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-2 with Linux-syscall-note exception" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": 
"sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsystemd0@249.11-0ubuntu3.11" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "systemd" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0ubuntu3.11" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "249.11" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libtasn1-6", + "version": "4.18.0-4build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "c4258c87f569f6070312ad4b64a35cb00a9fffca07982b4aac5a3f340ab3e2cd" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + } + ], + "purl": "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libtasn1-6@4.18.0-4build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libtasn1-6" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.18.0" + } + ] + }, + { + "bom-ref": 
"pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libtinfo6", + "version": "6.3-2ubuntu0.1", + "licenses": [ + { + "license": { + "name": "MIT/X11" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libtinfo6@6.3-2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ncurses" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libtirpc-common", + "version": "1.3.2-2ubuntu0.1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "__AUTO_PERMISSIVE__" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "PERMISSIVE" + } + } + ], + "purl": "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": 
"aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libtirpc-common@1.3.2-2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libtirpc" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.3.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libtirpc3", + "version": "1.3.2-2ubuntu0.1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "__AUTO_PERMISSIVE__" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "PERMISSIVE" + } + } + ], + "purl": "pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libtirpc3@1.3.2-2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libtirpc" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.3.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "type": "library", + 
"supplier": { + "name": "Ubuntu Developers " + }, + "name": "libudev1", + "version": "249.11-0ubuntu3.11", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "CC0-1.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-2 with Linux-syscall-note exception" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libudev1@249.11-0ubuntu3.11" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "systemd" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0ubuntu3.11" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "249.11" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libunistring2", + "version": "1.0-1", + "hashes": [ + { + "alg": "SHA-256", + "content": "988fb59de6a0a313844277e8a6e45d3dc16f5ea75a603a46b16b936426f0ac65" + } + ], + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "FreeSoftware" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.2+" + } + }, + { + "license": { + "name": "GPL-2+ with distribution exception" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "GFDL-1.2" + } + } + ], + "purl": 
"pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libunistring2@1.0-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libunistring" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libuuid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libuuid1", + "version": "2.37.2-4ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "94f24383876c575a85c4fd87226e72fe9c9bbdbb52b6f4d71dade805e0d60d48" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libuuid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": 
"aquasecurity:trivy:PkgID", + "value": "libuuid1@2.37.2-4ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.37.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libxxhash0", + "version": "0.8.1-1", + "hashes": [ + { + "alg": "SHA-256", + "content": "71cf4300213c7ce65deadf37a21dc250d8162cdf1e41d7fda1e279a390051169" + } + ], + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libxxhash0@0.8.1-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "xxhash" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.8.1" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "libzstd1", + "version": "1.4.8+dfsg-3build1", + "hashes": [ + { + "alg": "SHA-256", + "content": "ae7db00ce8b093e50c994518b90203544e063b4bc574836a048bb142b950b2c9" + } + ], + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + 
"name": "GPL-2.0" + } + }, + { + "license": { + "name": "Zlib" + } + }, + { + "license": { + "name": "Expat" + } + } + ], + "purl": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libzstd1@1.4.8+dfsg-3build1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libzstd" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3build1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.4.8+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "login", + "version": "4.8.1-2ubuntu2.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "login@1:4.8.1-2ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "shadow" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.8.1" + } + 
] + }, + { + "bom-ref": "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "logsave", + "version": "1.46.5-2ubuntu1.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "logsave@1.46.5-2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu1.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.46.5" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "lsb-base", + "version": "11.1.0ubuntu4", + "hashes": [ + { + "alg": "SHA-256", + "content": "23ac3e99b0c2cd0179a7f40fa5a24248345e16c515f222164dad2a638b4f04cf" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": 
"lsb-base@11.1.0ubuntu4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "lsb" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "11.1.0ubuntu4" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/mawk@1.3.4.20200120-3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "mawk", + "version": "1.3.4.20200120-3", + "hashes": [ + { + "alg": "SHA-256", + "content": "73aea4eef18e9960e04ea2de58c3ee1bb552af6c1dc889ab33c6c896d3387c97" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/mawk@1.3.4.20200120-3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "mawk@1.3.4.20200120-3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "mawk" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.3.4.20200120" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/mount@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "mount", + "version": "2.37.2-4ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "0f7242d9ffbc6a1147a633f0cff1de1476f436fe72846501d9232b63845dfdc3" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" 
+ } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/mount@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "mount@2.37.2-4ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.37.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "ncurses-base", + "version": "6.3-2ubuntu0.1", + "licenses": [ + { + "license": { + "name": "MIT/X11" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "ncurses-base@6.3-2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": 
"ncurses" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "ncurses-bin", + "version": "6.3-2ubuntu0.1", + "licenses": [ + { + "license": { + "name": "MIT/X11" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "ncurses-bin@6.3-2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ncurses" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu0.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.3" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "passwd", + "version": "4.8.1-2ubuntu2.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + 
"name": "aquasecurity:trivy:PkgID", + "value": "passwd@1:4.8.1-2ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "shadow" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.8.1" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "perl-base", + "version": "5.34.0-3ubuntu1.3", + "licenses": [ + { + "license": { + "name": "GPL-1.0" + } + }, + { + "license": { + "name": "Artistic" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "REGCOMP" + } + }, + { + "license": { + "name": "GPL-2.0-with-bison-exception" + } + }, + { + "license": { + "name": "Unicode" + } + }, + { + "license": { + "name": "BZIP" + } + }, + { + "license": { + "name": "Zlib" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "RRA-KEEP-THIS-NOTICE" + } + }, + { + "license": { + "name": "BSD-3-clause-with-weird-numbering" + } + }, + { + "license": { + "name": "CC0-1.0" + } + }, + { + "license": { + "name": "TEXT-TABS" + } + }, + { + "license": { + "name": "BSD-4-clause-POWERDOG" + } + }, + { + "license": { + "name": "BSD-3-clause-GENERIC" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "SDBM-PUBLIC-DOMAIN" + } + }, + { + "license": { + "name": "DONT-CHANGE-THE-GPL" + } + }, + { + "license": { + "name": "Artistic-dist" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "Artistic-2" + } + }, + { + "license": { + "name": "HSIEH-DERIVATIVE" + } + }, + { + "license": { + "name": "HSIEH-BSD" + } + } + ], + "purl": 
"pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "perl-base@5.34.0-3ubuntu1.3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "perl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3ubuntu1.3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "5.34.0" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/procps@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "procps", + "version": "3.3.17-6ubuntu2.1", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/procps@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "procps@2:3.3.17-6ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "procps" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6ubuntu2.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.3.17" + } + ] + }, + { + "bom-ref": 
"pkg:deb/ubuntu/sed@4.8-1ubuntu2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "sed", + "version": "4.8-1ubuntu2", + "hashes": [ + { + "alg": "SHA-256", + "content": "cb871eba3078dbfe67770e9b8c2087cf568f06769611360a7de293a806f266c5" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/sed@4.8-1ubuntu2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "sed@4.8-1ubuntu2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "sed" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1ubuntu2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.8" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/sensible-utils@0.0.17?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "sensible-utils", + "version": "0.0.17", + "hashes": [ + { + "alg": "SHA-256", + "content": "68fa82f5a319ffe48f51ea874117be3d6781c5f6b2ac4f172485fa690ebde4a3" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "All-permissive" + } + }, + { + "license": { + "name": "configure" + } + }, + { + "license": { + "name": "installsh" + } + } + ], + "purl": "pkg:deb/ubuntu/sensible-utils@0.0.17?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": 
"sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "sensible-utils@0.0.17" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "sensible-utils" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.0.17" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/sysvinit-utils@3.01-1ubuntu1?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "sysvinit-utils", + "version": "3.01-1ubuntu1", + "hashes": [ + { + "alg": "SHA-256", + "content": "54c24d33f48253b1460a32208d3f91f30f97fb5094ffa03afb2d687ab4319a04" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/ubuntu/sysvinit-utils@3.01-1ubuntu1?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "sysvinit-utils@3.01-1ubuntu1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "sysvinit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1ubuntu1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.01" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "tar", + "version": "1.34+dfsg-1ubuntu0.1.22.04.2", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": 
"pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "tar@1.34+dfsg-1ubuntu0.1.22.04.2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "tar" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1ubuntu0.1.22.04.2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.34+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Dimitri John Ledkov " + }, + "name": "ubuntu-keyring", + "version": "2021.03.26", + "hashes": [ + { + "alg": "SHA-256", + "content": "0d0e7ed6b112f5d03eabf3c7eb01ebdacf9c57714b279e90495cfc58c8c4520f" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "ubuntu-keyring@2021.03.26" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ubuntu-keyring" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2021.03.26" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/usrmerge@25ubuntu2?arch=all&distro=ubuntu-22.04", + "type": "library", + "supplier": 
{ + "name": "Ubuntu Developers " + }, + "name": "usrmerge", + "version": "25ubuntu2", + "hashes": [ + { + "alg": "SHA-256", + "content": "43bed2d23b2005c0690017d7bf8c332d0fd73fea18be245bd838a3fe104c93ad" + } + ], + "licenses": [ + { + "license": { + "name": "GPL v2" + } + }, + { + "license": { + "name": "later" + } + } + ], + "purl": "pkg:deb/ubuntu/usrmerge@25ubuntu2?arch=all&distro=ubuntu-22.04", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "usrmerge@25ubuntu2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "usrmerge" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "25ubuntu2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/util-linux@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "util-linux", + "version": "2.37.2-4ubuntu3", + "hashes": [ + { + "alg": "SHA-256", + "content": "df52c8d589844aaf98b24fb22a9ce1be677eb30c70d8311c1a10c8c2d8b988d2" + } + ], + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/ubuntu/util-linux@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "properties": [ + { + "name": 
"aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "util-linux@2.37.2-4ubuntu3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4ubuntu3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.37.2" + } + ] + }, + { + "bom-ref": "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1", + "type": "library", + "supplier": { + "name": "Ubuntu Developers " + }, + "name": "zlib1g", + "version": "1.2.11.dfsg-2ubuntu9.2", + "licenses": [ + { + "license": { + "name": "Zlib" + } + } + ], + "purl": "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:a1360aae5271bbbf575b4057cb4158dbdfbcae76698189b55fb1039bc0207400" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a486411936734b0d1d201c8a0ed8e9d449a64d5033fdc33411ec95bc26460efb" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "zlib1g@1:1.2.11.dfsg-2ubuntu9.2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "ubuntu" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "zlib" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2ubuntu9.2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.2.11.dfsg" + } + ] + } + ], + "dependencies": [ + { + "ref": "5303f1e6-739c-497b-8ad9-01b5318e8266", + "dependsOn": [ + "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04", + 
"pkg:deb/ubuntu/apt@2.4.11?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/base-passwd@3.5.52build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/bsdutils@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/dash@0.5.11%2Bgit20210903%2B057cd650a4ed-3build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/diffutils@3.8-0ubuntu2?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/e2fsprogs@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/findutils@4.8.0-1ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/grep@3.7-1build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/gzip@1.10-4ubuntu4.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/hostname@3.23ubuntu2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libacl1@2.3.1-1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libattr1@2.5.1-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04", + 
"pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcap2@2.44-1ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libdb5.3@5.3.28%2Bdfsg1-0.8ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libext2fs2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libmount1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + 
"pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libnsl2@1.3.0-2build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libpam-modules-bin@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libpam-runtime@1.4.0-11ubuntu2.3?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsmartcols1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libss2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04", + 
"pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libuuid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/mawk@1.3.4.20200120-3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/mount@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/procps@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "pkg:deb/ubuntu/sed@4.8-1ubuntu2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/sensible-utils@0.0.17?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/sysvinit-utils@3.01-1ubuntu1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/usrmerge@25ubuntu2?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/util-linux@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1" + ] + }, + { + "ref": "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04", + "dependsOn": [ + 
"pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1" + ] + }, + { + "ref": "pkg:deb/ubuntu/apt@2.4.11?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/adduser@3.118ubuntu5?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1" + ] + }, + { + "ref": "pkg:deb/ubuntu/base-passwd@3.5.52build1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/base-files@12ubuntu4.4?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/bsdutils@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04&epoch=1", + "dependsOn": [] + }, + { + "ref": 
"pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/dash@0.5.11%2Bgit20210903%2B057cd650a4ed-3build1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/debianutils@5.5-1ubuntu2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/diffutils@3.8-0ubuntu2?arch=amd64&distro=ubuntu-22.04&epoch=1", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/e2fsprogs@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/findutils@4.8.0-1ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1" + ] + }, + { + "ref": "pkg:deb/ubuntu/grep@3.7-1build1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + 
"pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/gzip@1.10-4ubuntu4.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/dpkg@1.21.1ubuntu2.2?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/hostname@3.23ubuntu2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libacl1@2.3.1-1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libapt-pkg6.0@2.4.11?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1" + ] + }, + { + "ref": "pkg:deb/ubuntu/libattr1@2.5.1-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": 
"pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "dependsOn": [ + "pkg:deb/ubuntu/libaudit-common@3.0.7-1build1?arch=all&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libcap-ng0@0.7.9-2.2build3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libcap2@2.44-1ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "dependsOn": [ + 
"pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libdb5.3@5.3.28%2Bdfsg1-0.8ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libdebconfclient0@0.261ubuntu1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libext2fs2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libgnutls30@3.7.3-4ubuntu1.3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04", + 
"pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libgpg-error0@1.43-3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libhogweed6@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgmp10@6.2.1%2Bdfsg-3ubuntu1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libidn2-0@2.3.2-2build1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": 
[ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libkeyutils1@1.6.1-2ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/liblz4-1@1.9.3-2build2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libmount1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libblkid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + 
"pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libnettle8@3.7.3-1build2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libnsl2@1.3.0-2build2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libp11-kit0@0.24.0-6build1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libffi8@3.4.2-4?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libpam-modules-bin@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/libpam-runtime@1.4.0-11ubuntu2.3?arch=all&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04", + 
"pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libseccomp2@2.5.3-2ubuntu2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libbz2-1.0@1.0.8-5build1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsemanage-common@3.3-1build2?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": 
"pkg:deb/ubuntu/libsepol2@3.3-1build1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libsmartcols1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libss2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcom-err2@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.12?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/debconf@1.5.79ubuntu1?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/libtirpc3@1.3.2-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + 
"pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libtirpc-common@1.3.2-2ubuntu0.1?arch=all&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.11?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libunistring2@1.0-1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libuuid1@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libxxhash0@0.8.1-1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/logsave@1.46.5-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/mawk@1.3.4.20200120-3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/mount@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": 
"pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "dependsOn": [ + "pkg:deb/ubuntu/libaudit1@3.0.7-1build1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libcrypt1@4.4.27-1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "pkg:deb/ubuntu/libpam-modules@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libpam0g@1.4.0-11ubuntu2.3?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libselinux1@3.3-1build2?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libsemanage2@3.3-1build2?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/procps@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "dependsOn": [ + "pkg:deb/ubuntu/init-system-helpers@1.62?arch=all&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/libprocps8@3.3.17-6ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/sed@4.8-1ubuntu2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/sensible-utils@0.0.17?arch=all&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/sysvinit-utils@3.01-1ubuntu1?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "pkg:deb/ubuntu/lsb-base@11.1.0ubuntu4?arch=all&distro=ubuntu-22.04" + 
] + }, + { + "ref": "pkg:deb/ubuntu/tar@1.34%2Bdfsg-1ubuntu0.1.22.04.2?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/ubuntu-keyring@2021.03.26?arch=all&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/usrmerge@25ubuntu2?arch=all&distro=ubuntu-22.04", + "dependsOn": [ + "pkg:deb/ubuntu/perl-base@5.34.0-3ubuntu1.3?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:deb/ubuntu/util-linux@2.37.2-4ubuntu3?arch=amd64&distro=ubuntu-22.04", + "dependsOn": [] + }, + { + "ref": "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9.2?arch=amd64&distro=ubuntu-22.04&epoch=1", + "dependsOn": [ + "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04" + ] + }, + { + "ref": "pkg:oci/ubuntu@sha256%3A6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b?arch=amd64&repository_url=index.docker.io%2Flibrary%2Fubuntu", + "dependsOn": [ + "5303f1e6-739c-497b-8ad9-01b5318e8266" + ] + } + ], + "vulnerabilities": [ + { + "id": "CVE-2016-2781", + "source": { + "name": "ubuntu", + "url": "https://git.launchpad.net/ubuntu-cve-tracker" + }, + + "ratings": [ + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 2.1, + "severity": "info", + "method": "CVSSv2", + "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N" + }, + { + "source": { + "name": "nvd" + }, + "score": 6.5, + "severity": "medium", + "method": "CVSSv3", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" + }, + { + "source": { + "name": "redhat" + }, + "score": 6.2, + "severity": "medium", + "method": "CVSSv2", + "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C" + }, + { + "source": { + "name": "redhat" + }, + "score": 8.6, + "severity": "medium", + "method": "CVSSv3", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 20 + ], + "description": "chroot in GNU coreutils, when used with --userspec, 
allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2016-2781" + }, + { + "url": "http://seclists.org/oss-sec/2016/q1/452" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/02/28/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/02/28/3" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2016-2781" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2781" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + }, + { + "url": "https://lore.kernel.org/patchwork/patch/793178/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2781" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2016-2781" + } + ], + "published": "2017-02-07T15:59:00+00:00", + "updated": "2023-11-07T02:32:03+00:00", + "affects": [ + { + "ref": "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "8.32-4.1ubuntu1", + "status": "affected" + } + ] + } + ] + }, + { + "id": "TEMP-0290435-0B57B5", + "source": { + "name": "debian", + "url": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "ratings": [ + { + "source": { + "name": "debian" + }, + "severity": "low" + } + ], + "advisories": [ + { + "url": "https://security-tracker.debian.org/tracker/TEMP-0290435-0B57B5" + } + ], + "affects": [ + { + "ref": "pkg:deb/debian/tar@1.30%2Bdfsg-6?arch=amd64&distro=debian-10.12", + "versions": [ + { + "version": "1.30+dfsg-6", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2017-11164", + "source": { + "name": "ubuntu", + "url": "https://git.launchpad.net/ubuntu-cve-tracker" + }, + "ratings": [ + { + "source": { + "name": "nvd" + }, + "score": 7.8, + "severity": "high", + "method": "CVSSv2", + 
"vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv3", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 3.3, + "severity": "low", + "method": "CVSSv3", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 674 + ], + "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2017-11164" + }, + { + "url": "http://openwall.com/lists/oss-security/2017/07/11/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/04/11/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/04/12/1" + }, + { + "url": "http://www.securityfocus.com/bid/99575" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2017-11164" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11164" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-11164" + } + ], + "published": "2017-07-11T03:29:00+00:00", + "updated": "2023-11-07T02:38:10+00:00", + "affects": [ + { + "ref": "pkg:deb/ubuntu/libpcre3@8.39-13ubuntu0.22.04.1?arch=amd64&distro=ubuntu-22.04&epoch=2", + "versions": [ + { + "version": "2:8.39-13ubuntu0.22.04.1", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2016-20013", + "source": { + "name": "ubuntu", + "url": "https://git.launchpad.net/ubuntu-cve-tracker" + }, + "ratings": [ + { + "source": { + 
"name": "nvd" + }, + "score": 5, + "severity": "medium", + "method": "CVSSv2", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 770 + ], + "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2016-20013" + }, + { + "url": "https://akkadia.org/drepper/SHA-crypt.txt" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-20013" + }, + { + "url": "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/" + }, + { + "url": "https://twitter.com/solardiz/status/795601240151457793" + } + ], + "published": "2022-02-19T05:15:09+00:00", + "updated": "2022-03-03T16:43:19+00:00", + "affects": [ + { + "ref": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "2.35-0ubuntu3.5", + "status": "affected" + } + ] + }, + { + "ref": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.5?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "2.35-0ubuntu3.5", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2022-27943", + "source": { + "name": "ubuntu", + "url": "https://git.launchpad.net/ubuntu-cve-tracker" + }, + "ratings": [ + { + "source": { + "name": "amazon" + }, + "severity": "low" + }, + { + "source": { + "name": "nvd" + }, + "score": 4.3, + "severity": "medium", + "method": "CVSSv2", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { 
+ "name": "redhat" + }, + "score": 5.5, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 674 + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2022-27943" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-27943" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27943" + }, + { + "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039" + }, + { + "url": "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79" + }, + { + "url": "https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-27943" + } + ], + "published": "2022-03-26T13:15:07+00:00", + "updated": "2023-11-07T03:45:32+00:00", + "affects": [ + { + "ref": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "12.3.0-1ubuntu1~22.04", + "status": "affected" + } + ] + }, + { + "ref": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "12.3.0-1ubuntu1~22.04", + "status": "affected" + } + ] + }, + { + "ref": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "12.3.0-1ubuntu1~22.04", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-29383", + "source": { + "name": "ubuntu", + "url": 
"https://git.launchpad.net/ubuntu-cve-tracker" + }, + "ratings": [ + { + "source": { + "name": "nvd" + }, + "score": 3.3, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + }, + { + "source": { + "name": "photon" + }, + "severity": "low" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 74 + ], + "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. 
In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-29383" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-29383" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29383" + }, + { + "url": "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d" + }, + { + "url": "https://github.com/shadow-maint/shadow/pull/687" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29383" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-29383" + }, + { + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/" + }, + { + "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" + } + ], + "published": "2023-04-14T22:15:07+00:00", + "updated": "2023-04-24T18:05:30+00:00", + "affects": [ + { + "ref": "pkg:deb/ubuntu/login@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "versions": [ + { + "version": "1:4.8.1-2ubuntu2.1", + "status": "affected" + } + ] + }, + { + "ref": "pkg:deb/ubuntu/passwd@4.8.1-2ubuntu2.1?arch=amd64&distro=ubuntu-22.04&epoch=1", + "versions": [ + { + "version": "1:4.8.1-2ubuntu2.1", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2020-22916", + "source": { + "name": "ubuntu", + "url": "https://git.launchpad.net/ubuntu-cve-tracker" + }, + "ratings": [ + { + "source": { + "name": "nvd" + }, + "score": 5.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.5, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + 
"source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "description": "An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of \"endless output\" and \"denial of service\" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2020-22916" + }, + { + "url": "http://web.archive.org/web/20230918084612/https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2020-22916" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234987" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1214590" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22916" + }, + { + "url": "https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability" + }, + { + "url": "https://github.com/tukaani-project/xz/issues/61" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22916" + }, + { + "url": "https://security-tracker.debian.org/tracker/CVE-2020-22916" + }, + { + "url": "https://tukaani.org/xz/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-22916" + } + ], + "published": "2023-08-22T19:16:19+00:00", + "updated": "2023-11-07T03:19:47+00:00", + "affects": [ + { + "ref": "pkg:deb/ubuntu/liblzma5@5.2.5-2ubuntu1?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "5.2.5-2ubuntu1", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2022-3715", + "source": { + "name": "ubuntu", + "url": "https://git.launchpad.net/ubuntu-cve-tracker" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.8, + 
"severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 6.6, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "medium" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 787, + 119 + ], + "description": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2022-3715" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0340" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-3715" + }, + { + "url": "https://bugzilla.redhat.com/2126720" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126720" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3715" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-0340.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2023:0340" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2022-3715.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-0340.html" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3715" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3715" + } + ], + "published": "2023-01-05T15:15:10+00:00", + "updated": "2023-02-24T18:38:10+00:00", + "affects": [ + { + "ref": "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "5.1-6ubuntu1", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2022-3219", + "source": { + "name": "ubuntu", + "url": 
"https://git.launchpad.net/ubuntu-cve-tracker" + }, + "ratings": [ + { + "source": { + "name": "nvd" + }, + "score": 3.3, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "redhat" + }, + "score": 6.2, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 787 + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2022-3219" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-3219" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127010" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3219" + }, + { + "url": "https://dev.gnupg.org/D556" + }, + { + "url": "https://dev.gnupg.org/T5993" + }, + { + "url": "https://marc.info/?l=oss-security&m=165696590211434&w=4" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230324-0001/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3219" + } + ], + "published": "2023-02-23T20:15:12+00:00", + "updated": "2023-05-26T16:31:34+00:00", + "affects": [ + { + "ref": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "2.2.27-3ubuntu2.1", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2022-4899", + "source": { + "name": "ubuntu", + "url": "https://git.launchpad.net/ubuntu-cve-tracker" + }, + "ratings": [ + { + "source": { + "name": "amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "ghsa" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.5, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 400 + ], + "description": "asdfasfdA vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2022-4899" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-4899" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4899" + }, + { + "url": "https://github.com/facebook/zstd" + }, + { + "url": "https://github.com/facebook/zstd/issues/3200" + }, + { + "url": "https://github.com/facebook/zstd/pull/3220" + }, + { + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zstd/PYSEC-2023-121.yaml" + }, + { + "url": "https://github.com/sergey-dryabzhinsky/python-zstd/commit/c8a619aebdbd6b838fbfef6e19325a70f631a4c6" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/" + }, + { + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230725-0005/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-4899" + } + ], + "published": "2023-03-31T20:15:07+00:00", + "updated": "2023-11-07T03:59:16+00:00", + "affects": [ + { + "ref": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&distro=ubuntu-22.04", + "versions": [ + { + "version": "1.4.8+dfsg-3build1", + "status": "affected" + } + ] + } + ] + } + ] + } + \ No newline at end of file diff --git a/unittests/tools/test_cyclonedx_parser.py b/unittests/tools/test_cyclonedx_parser.py index cb740ebe3dc..272868cc5d6 100644 --- a/unittests/tools/test_cyclonedx_parser.py +++ b/unittests/tools/test_cyclonedx_parser.py @@ -5,7 +5,7 @@ from dojo.tools.cyclonedx.parser import CycloneDXParser -class TestParser(DojoTestCase): +class TestCyclonedxParser(DojoTestCase): def test_grype_report(self): with open("unittests/scans/cyclonedx/grype_dd_1_14_1.xml") as file: parser = CycloneDXParser() 
@@ -349,3 +349,16 @@ def test_cyclonedx_1_4_json_nested_cvssv31(self):
 self.assertEqual("log4j-core", finding.component_name)
 self.assertEqual("2.13.2", finding.component_version)
 self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", finding.cvssv3)
+
+ def test_cyclonedx_issue_9277(self):
+ """CycloneDX version 1.5 JSON format"""
+ with open("unittests/scans/cyclonedx/issue_9277.json") as file:
+ parser = CycloneDXParser()
+ findings = parser.get_findings(file, Test())
+ for finding in findings:
+ self.assertIn(finding.severity, Finding.SEVERITIES)
+ finding.clean()
+ self.assertEqual(14, len(findings))
+ with self.subTest(i=0):
+ finding = findings[1]
+ self.assertEqual("Description was not provided.", finding.description)
From b2be9d4471d4ba04def81f2e9b2edb75c937a2e0 Mon Sep 17 00:00:00 2001 From: drJabber Date: Wed, 10 Jan 2024 22:59:39 +0300 Subject: [PATCH 37/46] Add bitbucket support to finding view SCM urls (#9262) * add bitbucket support for Finging view scm urls, some tests for it and appropriate doc update :bug: fix typo for MSDefender in settings.dist.py (#9249) Bump boto3 from 1.34.9 to 1.34.11 (#9254) Bumps [boto3](https://github.com/boto/boto3) from 1.34.9 to 1.34.11. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.34.9...1.34.11) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... 
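Review bot: The subTest label `i=0` in the last lines of test_cyclonedx_issue_9277 does not match the element actually inspected, `findings[1]`, so a failure would be reported under the wrong index; change it to `with self.subTest(i=1):` or, better, select the finding by a stable attribute rather than list position, since the assertion on the default description silently depends on the parser preserving fixture order. The subTest body also rebinds the `finding` name left over from the preceding loop, which reads as a leftover rather than intent. The one-line docstring `"""CycloneDX version 1.5 JSON format"""` does not say what issue 9277 is about; from the assertions it presumably covers a vulnerability entry without a description, so something like `"""CycloneDX 1.5 JSON: an entry with no description gets the placeholder text."""` would tell the next maintainer why the fixture has 14 entries and why index 1 is checked.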
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Update versions in application files Update release-x-manual-helm-chart.yml Update release-x-manual-helm-chart.yml Update versions in application files Bump lxml from 4.9.4 to 5.0.0 (#9251) Bumps [lxml](https://github.com/lxml/lxml) from 4.9.4 to 5.0.0. - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](https://github.com/lxml/lxml/compare/lxml-4.9.4...lxml-5.0.0) --- updated-dependencies: - dependency-name: lxml dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Update rabbitmq:3.12.11-alpine Docker digest from 3.12.11 to 3.12.11-alpine (docker-compose.yml) (#9240) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Bump sqlalchemy from 2.0.23 to 2.0.24 (#9244) Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.23 to 2.0.24. - [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases) - [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst) - [Commits](https://github.com/sqlalchemy/sqlalchemy/commits) --- updated-dependencies: - dependency-name: sqlalchemy dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Bump drf-spectacular-sidecar from 2023.12.1 to 2024.1.1 (#9252) Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2023.12.1 to 2024.1.1. - [Commits](https://github.com/tfranzel/drf-spectacular-sidecar/compare/2023.12.1...2024.1.1) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Update manusa/actions-setup-minikube action from v2.9.0 to v2.10.0 (.github/workflows/k8s-tests.yml) (#9257) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> fix pep8 fix imports Bump sqlalchemy from 2.0.24 to 2.0.25 (#9266) Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.24 to 2.0.25. - [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases) - [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst) - [Commits](https://github.com/sqlalchemy/sqlalchemy/commits) --- updated-dependencies: - dependency-name: sqlalchemy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Bump pillow from 10.1.0 to 10.2.0 (#9265) Bumps [pillow](https://github.com/python-pillow/Pillow) from 10.1.0 to 10.2.0. - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](https://github.com/python-pillow/Pillow/compare/10.1.0...10.2.0) --- updated-dependencies: - dependency-name: pillow dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> :bug: fix zap, issue #9242 (#9243) * :bug: fix zap, issue #9242 * adapt identiation API: Add Announcements (#9112) * Add Announcement to API * Add test_rest_framework * Add test_swagger_schema * Flake8 * Fix count * Skip test * Inc db_mig * Use DojoModelViewSet * inc db_mig :bug: None Type in cvss score in Trivy #9263e (#9268) Feature: Add Auditlog Retention and Cleanup (#9208) * feat: add auditlog retention * linting: satisfy flake8 * fix: forgot imports in tasks.py * fix: add necessary test-data * Update unittests/test_flush_auditlog.py Co-authored-by: kiblik * Update unittests/test_flush_auditlog.py Co-authored-by: kiblik * Update unittests/test_flush_auditlog.py Co-authored-by: kiblik * Update dojo/tasks.py Co-authored-by: kiblik * Update unittests/test_flush_auditlog.py Co-authored-by: kiblik * Update test_flush_auditlog.py removed spaces * fix: change default value for the retetion period to disable log recycling and mimic the default behavior. 
Then no change will happen until a user actively sets/ changes this parameter --------- Co-authored-by: MarianG Co-authored-by: kiblik fix doc * Update docs/content/en/integrations/source-code-repositories.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update docs/content/en/integrations/source-code-repositories.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: DVSutyagin Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- .../integrations/source-code-repositories.md | 39 ++++- .../static/images/product-custom-fields_1.png | Bin 0 -> 12797 bytes docs/static/images/product-scm-type_1.png | Bin 0 -> 19761 bytes ...ode-repositories-bitbucket-onpremise_1.png | Bin 0 -> 7633 bytes .../source-code-repositories-bitbucket_1.png | Bin 0 -> 7366 bytes .../source-code-repositories-gitlab_1.png | Bin 0 -> 7470 bytes dojo/models.py | 121 +++++++++++-- unittests/test_finding_model.py | 161 +++++++++++++++++- 8 files changed, 304 insertions(+), 17 deletions(-) create mode 100644 docs/static/images/product-custom-fields_1.png create mode 100644 docs/static/images/product-scm-type_1.png create mode 100644 docs/static/images/source-code-repositories-bitbucket-onpremise_1.png create mode 100644 docs/static/images/source-code-repositories-bitbucket_1.png create mode 100644 docs/static/images/source-code-repositories-gitlab_1.png diff --git a/docs/content/en/integrations/source-code-repositories.md b/docs/content/en/integrations/source-code-repositories.md index b8a0f2fe19d..7b7f5f04671 100644 --- a/docs/content/en/integrations/source-code-repositories.md +++ b/docs/content/en/integrations/source-code-repositories.md 
@@ -7,18 +7,47 @@ weight: 5 Findings can have a filepath and a line number as the location of the vulnerability. This is typically set when scanning an application with a Static Application Security Test (SAST) tool. If the repository of the source code is specified in the Engagement, DefectDojo will present the filepath as a link and the user can navigate directly to the location of the vulnerability. -## Setting the repository in the Engagement +## Setting the repository in the Engagement and Test -While editing the Engagement, users can set the URL of the repo. It needs to be the URL including the branch, e.g. https://github.com/DefectDojo/django-DefectDojo/tree/dev (GitHub) or https://gitlab.com/gitlab-org/gitlab/-/tree/master (GitLab). +### Engagement +While editing the Engagement, users can set the URL of the specific SCM repo. +For Interactive Engagement it needs to be the URL including the branch: +- for GitHub - like https://github.com/DefectDojo/django-DefectDojo/tree/dev +![Edit Engagement (GitHub)](../../../static/images/source-code-repositories_1.png) +- for GitLab - like https://gitlab.com/gitlab-org/gitlab/-/tree/master +![Edit Engagement (Gitlab)](../../../static/images/source-code-repositories-gitlab_1.png) +- for public BitBucket - like (like git clone url) +![Edit Engagement (Bitbucket public)](../../../static/images/source-code-repositories-bitbucket_1.png) +- for standalone/onpremise BitBucket https://bb.example.com/scm/some-project/some-repo.git or https://bb.example.com/scm/some-user-name/some-repo.git for user public repo (like git clone url) +![Edit Engagement (Bitbucket standalone)](../../../static/images/source-code-repositories-bitbucket-onpremise_1.png) + +For CI/CD Engagement, where user could set commit hash, branch/tag and code line it should look like examples below: +- for GitHub - like https://github.com/DefectDojo/django-DefectDojo +- for GitLab - like https://gitlab.com/gitlab-org/gitlab +- for public BitBucket - like 
https://bitbucket.org/some-user/some-project.git (like git clone url) +- for standalone/onpremise BitBucket https://bb.example.com/scm/some-project.git or https://bb.example.com/scm/some-user-name/some-repo.git for user public repo (like git clone url) + +If user does not set commit hash or branch/tag in appropriate fields of CI/CD Engagement edit form, the URL should look like in Interactive Engagement edit form. + +SCM navigation URL is composed from Repo URL using SCM Type. Github/Gitlab SCM type is default, but user could set certain SCM type in Product custom field "scm-type". + +Product custom fields: + +![Product custom fields](../../../static/images/product-custom-fields_1.png) + +Product SCM type add: + +![Product scm type](../../../static/images/product-scm-type_1.png) + +Possible SCM types could be 'github', 'gitlab', 'bitbucket', 'bitbucket-standalone' or nothing (for default github). -![Edit Engagement](../../images/source-code-repositories_1.png) ## Link in Finding When viewing a finding, the location will be presented as a link, if the repository of the source code has been set in the Engagement: -![Link to location](../../images/source-code-repositories_2.png) +![Link to location](../../../static/images/source-code-repositories_2.png) Clicking on this link will open a new tab in the browser, with the source file of the vulnerability at the corresponding line number: -![View in repository](../../images/source-code-repositories_3.png) +![View in repository](../../../static/images/source-code-repositories_3.png) 
diff --git a/docs/static/images/product-custom-fields_1.png b/docs/static/images/product-custom-fields_1.png new file mode 100644 index 0000000000000000000000000000000000000000..98ffc74fb2719d7960476134751f294b2a81f9d0 GIT binary patch literal 12797 zcmbulWmF|iwBHTG!!S4u?(XjHHn>g;CVXaZ(tYiDCZ=Vat)Vq)uLZs&Xj(ajGAMhGS;Dx~b5 zd9mT)Ewl7Fe6y4Vu&$FJMJ6VWA4Df|wT$s8uQa!+RIPldtO72i08^?WQ$8YRfqblw zJ`_!a&Wl;esfB+K$s`ol zz!C-{T05{Wxk%j`DZb$FP7?Nqx z9U?vM0U<^dPQV4T4z2$49W5mlWmHs@m-|!sE3=a}dnHG!jxvkP$mRYr9$3_gDbAVF zP#iL+3$HTm4c;Ijr`SZmJB(ORt1LA2f}Lc}W3v4l!=9$>?v`B_MgFFQxAxZSikjeS zfsBU$YDO=~$w8&hqF?7<%-_@Y+e!H44F$nsn?0p{Gm|*W##(44aLGz&W4j>rVVwid zKHrq8O$pIH6)rDSPL{v;gX!IsTwH`fJe_Q>S)t95;uv|`eHo<%9 zzz2k?Ma^a_eliRBqJ+)K{i)?Uaz3%YG?polK(M7P8Ha}63?N8*(XY{!&Uk8(` zf4Gno_x63K6wI9RP#t$T46cjnaRKwS+w|ES%!ph~?p%MdqZMTSg0QFAKDN9OB`RyO z)b}zGDMw+(L(IaI(EZ8q6BUo&W=r1~qC|rKa%lYR*=ERe7RX-Y$0MKFc#_G}6eb3H zlu-J3R7sc-_T9&H-*HpxqNn|;BRK5){2A1Xg)phg=7ppY6#Nu;qj?^`=Zfe|;uDi{ z#f{zH@Kr=sorMbYfCv^{?uo#`oy>Y#Au0}xv3X0OYR#!M8W`-1I_J~HKapfQln18M zll^BeR%aHo1Wk&SXj4^W_HHx*?d?3tr*63tF0gWV0+OdB7q_36m}TN5@=oJG-M9}b z+pCwn!QK^oCrAb778O_n{pv;5dqxRx)JiE;oKMjCKJoEjJM+sX)yx7u*e0%ZpjF$<5oSWhCzy zWR}mSA@HYA`hVP`o6@dG@E$ol;7DP_Nf2EA)zCCmK`+&gS{XYp^5S%UrS{Zvvt+gD zKa1h3Rg8YYB_TLRRj|u8eF#LW;POrv4Wc^;%9yFPa^bC$c(ctkTuEXSjw3DLPRUbD zz3jl>_b0azK;i#UqKt#{NE@{ss0lZneu1?q+z-_FtmE22Uo;6k=F25Ucu4;9)Z2XbL!8aEugq7^v}4Wxry2Xr-4=zt%~G7506|}F534F@3+9op zfeOT{(2CWX;t@tywpBqq#7Cq4GZiolR9mjmhdtsu`@4R}JdSZm#MB*{z?4Okn$Y4- z6%iGI5wY2t=|>znb4{j43%)mKBa_~djFY@}eM8azQW%Apss@^J%Sg1%iAh>wVh;3- zxv2lp|9F{o#^cVk`_9qFWQn{Lk~IY8pFN^-)~bESMlSnIAo6Wa<7vq=)|g}N!J&e0 zTXbt$oW;Z)Z{lg{=>6((cin<9QQ%6>UX#4 zz3#enXG*IRyDOpQ-VzRXCbS24FYGnS>)GPgl$Gv{xuJ?>bprF_!-ek1XZ7wR%?)d= z63$HIsP=eZ!-g-1nG+4U-vdIw<=6A0Q6{fb;DeXEkwULKTWsfzMXANnN{2qe)`Wm) zU*lOOUrmBtNpRhzu_itrGdvl!O0R@p@QJ{L=};tJ@GyBi5Gtz@mcOXplVE6k2gL1! 
z$nl=RXss>~+Dt#54F7q(R%P4(ZiDq{30a|icHMhCHSbW>*Yl*gZFeb@8ZY9$arF@z zEj61hd+r2na8Duf($dL;!Cqzhu0c|2AxaAv?z_8m_AFo^;Ym822kH!Ld}w1$UF?1e zqfjEx#>`wj7R!e?FMig?i!^`CWidGZ<>I)Quws+Shm>-;7yulXRcxio^pm$%=;V`k zu0n2CK?a^FIBAfkCd6!e*qP!~lRFJgghYZD**7ZM+bm=$`f}J$lpyo^tze_m>Sdfc z>8yqPt@ODY_Dz&mIm8mixDeCpr0{9;tU2m)o6xR_8M@*qp682p#*R_`73e9_KkRg4 zcQ)|CTAyd7H5f+sFv}K^D`Fe+4xlPa_wv9qPc{yIb`KW+0ir{oT9-F&H*P1Wg9$M} zDtSuts@axl1cgT8J@5o0?dJ#mTqslVWZ`(%oSj-irh8@P-E|JPXqU6c#yz_x?W&y2PC%*ADHLG~S;ZzM8H&1u8;m2f zoFbb4YE;t9rRUR)G?}>QH|j{~Q>ov5erZwc)65gybA@}7>*vpDGkjUCq}6L@TRK_| zVa?U~6(m91X)%|4=eRTVv6x)gQ4$M(L~qoy6Oi0!YrCFBv1pJo3|BKnkwzZN0^s%h zi9`LO$kmghDa4;Nazt8Sdy!E<33HcP*=pty|1$ece;<_Mr{PhATa8#2oF$&;kSbpB zX^G^`ZOMhlpUL2q!(ljo*qJVH1(6okrF?m2mei8YmTRH0#^+r=_m zpieNL@)QWh2K{$eclBWkKoSW+(3$d7t?eDvb#iOhgqM?Z8xD5izR1#_<9t)n;}Uuv zav8|!9%v1AN62AOAR9hxxV%i7dU;W-uJyPyL`7}MoS^H$R;YM4|Jf0cIPgccrf zT)EL&d^p&I1a1AEtb>w8$kvZbg_>YTreU7rdquZcn;==q=a-|I4TL_5BfqM-! zhP=Het58&jI(>AWa4z-nLHGyEoww~x{zMrS@-}T07}r zCnkHwOWp_EYc9n@)~#)?iw#B~5a_1qAa*JZn=2r+3{1p~f^zhD(>#Ru6Op(__gJ|p zl-c}nfu^F=$5H#?$kYKLhup+VWK}kVd^X;$(N@BQhRti;q1HRmgc`HDX#B7&g4^;J zQ$7p*Nc{cz1dRdTni4C5?8>MRI|h@j%{wlKzFOIjl-gpr5A%H-oEEs48*3*VMJHiy5e&sG|1lql`}6e$+1;oDr79SSz#QJzpU7P^?7aMoOIpKgu8+{A`W<-gbPoCOJ#5jIw6`AG1{9f>t8aQHb--Qq+}@Xl zHO%E$^qpRlPR^z6#)KzMn_v3RFqm03Y7F_4kpZh=uvgCSB%V*zim_Rfk+u2Ah#mV0 zDq;>=(-myHSGZF_*|3goq9>?;e|q-jvckKA^YXP8p?dA((}HEzPq_;Y9EP=3s>JQg z9!wBd7plcds2h*xxv~K{vSwD!*bk=%?}Lz+FZt+=40M`iV;<@?hu7ffIa4pefj;(B zQsz~gFU>Ax2`%Qa$c-L&id;+ctx8SGA8&*u74>GQtl04Q`1FOiykhw?XOCC#aGBa1 zsa#8EH@Xtlps34JsnL6p%ogK9OG)@#N1v^4{A;IUJR&q`HLQ>Zgq{+dYC&yx(pzA( zV9{pbW8NbgB$0dzmZ`%l^|aNCE8`qd9CH)hkh-Js!Iu-co@a!b?kdG%Z_bYs&*^1e zax>*hU@z~1MZf$~9F-y!%Z~)Tm6WZsY~{nT6C+~7kIr34a*Ldc1VLFB3YN;b>p)K8 zdkgLG2vX)+CLyk2IaEAA#PCYmv8>3}T7RfpX|B4yMO9vsmqV3U_CehY#L`+$(VUiu zhI2i4kfu9-qojuH&2CHS4XHM(!iETJDQS-Ue&`H>LMwWEs;t^NbeUrEBDjjh#w+U` z#rx!CnzQA6%~&%o7mW|J|8R+;tR_P{ABLHc(dzQr)Y_g9zMdvRxr 
z67^1fELen0GA1qn3No^2$*SV)V29w^#bTGo3}}`bf%S4JZnKfkp7pnaf&wk>5BD;b z0#6kpvmlwHg+RnDOBpr}ng*C$^BPy!+&!&#_abe4y30(I{#1IW!vO!lDkV{od>3H&!~@ve_msmBeNyGwGkeM{J2j zTBAi^0jaj+&Td5iITs+JJmYs2-SQjS%Ji%cY8KnnpiNDS6LTC6{2F^#N{ z>6IxzRmyk#Jb1bp1cX5c#&QHJBbhE{wG0=I9O`p+j(q+0Pd_Owxyv~2G4XfODI>E4 z;6ZaM*iBg?7zwRN?O`E2C|8-8Rnh|E#ePe5ytm&{e=BjKp~+6TXlZ9n!YHf#Lfjrb z*|aj4&bceDBUb6{l7VbPI1wbF2$5)ijtNchJ#YYZ`?v!uaxO?bjmbwpu;Sr`2z4Jju9D0sO+=b`J_&{^leC{tfWQOJ%#+NFlmZ zCXXAq!(^{8Y{ZqoT_n-zl=f%)LCZcX=c3OujI^$EJAM!cijx-x^}J`u4iUp^+>vvO zYDK@*-~%bBC3$X?3DnMb_~?YaZrQy5P<+|?7(6k~ZYb)9BfNBF^mxx!XiBZl)v}GV z9P5_xZ1#YFOFdU2&kd_;dz4D>n`yO8vC##iO?AZ5=S(VPP_I5cr>jkJD^9oAv^GJR z(kY0nTZX7;dTpNScuk=K`f@hrEU)~cW~^zR${0ca^&?B@ooMS8F^Jdb9bI!IkQBkqe^4J_kDQWc0F8(o+a@GX_dj z8eWWOex7VGW~%p>ZapScXzHu2V;>BuD9tKcTXysXR~s(37ltm%k=h$$=s|@&^emGTpxqYm`4e=k?ko`648!S z2TP+qf&OummMtc~EtcEu9Zi;}wd{0C-8^xAgHSO{Q%UpDj3MSNGmC;G99|-GbS|;< z;pft57(I193u`63i<}K@D_ss=Ifh^ zf{>NZWQ5s9z!N-yFN_C6SRJ{eNDcS9TsvC=2#s*_1?J-8ylMO%cFxf5JrqStzbIe$ znqxVfBmMY_r8hPoq$29SbdXXIY+dbTtGlaAg_HpfB@;z~d|Jy&^GZGZo4fhAuF8wc z8Nf`P_@=`7k!FPNOc&RY%7Vyoq#7z0_=NB|Fg(0>cJ?MSPBAb?-i?ApOyB|O-;gyB zB`ho$zIKbfG))Ia`pOX**c?I9swb1guRcuc8g8QT_t3{6K}_)+%d;bcaL&UYdh9b1gx zaW3f0cLf!+pkDtOb5gnsfl_aHjOEugQPYYjBCh^$Af>wJlQC%E^4UC~0Yx-hskV__ zLP#v9C3bq~bKKvr&G2q}i1XgV1sE5x-TM)U9!GQ*{?>|Y+S);HsZD1|0P-Jz)T!kZ zh(X%&JH~9xCc@Xa5HFYs&!5TVeZV8kW^0WsMS2;zdV-MOl68%S$$R0D_|;wS0jUF+ z?cl27;U7aTcDCvb_Yv}LrcEky-o7A{d{%oHX3nWRrH&zV{?KyYn!8eCbh;lQ1H&&| zUM$=yVSipVQ+cu6h0}bSD6-k#P(Yey_!>q0U4zsZUrXjD7B5v)fG)(34c>_2SZoDU zXY|3Ekr5bw1A`;R(j$+Og4ogVlpD7U(bLDO%qt9yTH1irYJxZ)2bm1Zd++L1qb_w+ zm!Erm`)K>2jMMwR;Fd6IRoF8r@Wd@ibc>6N>KHVkV&bH~^+plEz|h`X*+6yM-z(qP zhTkKqy}h%-x1fG1wW7vOZO&h^r#xW5xkV*&2Bo;h0K8YjJuT3)Kw)(sud3pz*ZY+! 
zSn{vKVnm7A{z!4#0Qny!V$79Zu%Yi6cwqj9Vm&y1wT9Mwk!boTmYzSM9URiOP|&fh zwa0fYAw~`QEd-oV8i%HhonR>pO=Gq%BEtT%G zUi?z#M-D@df0z$XI#CpZC8J?)Ftf#wO4a((m;`pR!LH9ZQrYHohp0@k<_^yf9l;|F z&_QU5uWx=we}-n&Yr+oi5OYSZwHxJO699QNo{0nAB>jbjBNv zYX=InH)n4YR>dxTB5qMJD6h<=pJ5X`cZExgN(xDD^7qO$H4T5}1Z0E1u=*1f2n_76 z6KLCj8Q0rl)(Uk_RTPQ80M^77aU1*IQ!sAx&y_g7oK|e4uO@=cnylp`^Bz~<6X|tf z2KqD<00k-k7jwZ>Fr`u#d%KTDQoDZBR5@rzHiwAyaPEoW3Qz%gatZ*3Fg&2?3b$N}~ z`!Bhb;W89Kju*kl1-a9D?)LJbgs`9az+f3)nMy0sRVat)nA&8`NO@W;+mEv3k!BZf z%sM$aWS>nc4%>A~7#}?%7+Kw=?_(Er$l?XaU)I~JPsqgu=;`SxQBOFt#zYq#AFVa! zzt<}3ExOCW{hAkU7Gn_cMN_&7VqR?_I>QB$EW{)Ff5?~oZ*m+NV_$ibz@Q-5_8-E$$X^zk-Lu*0^`9jygrEOa zx~9!=FcQrbE0|Il2;98;d=iKjC;5+ous`bl9u#nYe=khih$J8O)rtQqq4WP~AgTq2 zI>!XY(P>V-n%=SrG6V5fqavBvLefTllZuHs&R%0ya||%n#zJDV2yAX;y<9)o(dCsG z5gHNS{=$7Ap3_>M*-vG`yrX$+?4NkgWnmlVGO{s<$nqjfM@%2erm^I&_H+i$q}g$0 z^FxI3S4RT!b9t|8^7q!28F6>U3ANflPWAp7(Wc(;TC0;%Q+IaaF|b2bXWu@eaww#} zZ1o$<5QEVTIIMN$u13>77-V<=g&R#^gbfa}c?jgi@Pz5bV+`%BlnqC)=x2$$~3Ov1p2e|XP3{=jW2{+#l%D{9Zp}W*6uQU9?8dGlz~qEH@vQm!A1(KMrKi# zuFws>ejxxf%?l{G?YVW;;7Bvzu;0|_*;5y%MQ-2<0=i5aM#9X_(hX<)6_#uGn@WN! 
z=vU5n{+8v{?R|})%fzO;7808;m4b>TE;nf&76mxGZ zNS>;i=AM0H;A8mgh`kseQe=3gA-5SdQ#eum$16@9S-X8Vs2>hn?X>F^T_^CIO5sgQ z*6`yRUq#8KpAOH&43xD!l7=7QBE9!o)NDqdQX-EXRBv*tmhZ7bAJs=$B|e z`a`_};E5#Zz#ww!9c&)p5gNkO@y@RAU|<3E^E$< zu&TkE7=ZOAd(KnG(%nG=?l7GVUV$!_h)m~|hTAbC4*3G{>)dAa+KYRT4>K;QXndaj z$$3O`9OC2a`D$-ZqZ5UsOmlHzD$e3cV~L^M$t*(JkwykK7gk%Ek1O5tc9EgJO6sDl zbsAb*5=o9q0TAK-&5UJF5OQ-%AmGwhlhD6x>(W4E2|^>|*VaHZz|8!10h{0AD)yT< zqYs?c`}g>iVLg>;u4AbBXW zPZ?Hc%KHEgd?Yy9v*D{GyGmAX4wU${iv6PJ;lq}R;itZoMeeYbth?Kb%4WvjEGY!R zoXdIqcRVu&>>j$SQ$;`HpLFl!8}$>n2i+|VEl})Fl^IP2*evueho8Q9qQ9-c2)bTw zkjm4i48@exUbzpwQAUGh^?sQ)3jp|e|MAKlTiy!aKpIIqSFz0|+KD6yn8a2b97i9E zHR-aFu=V8I{G0OSPbryEwRz-B&F&ox4Grt?hnty-o3PTFcS}anaK}kjo=r%s?^cs; zNWYAHFke@Mx`ZM=$vH~u!BXFqHK{0G!=_;H&mI^Ua?rp30*qx07f9MyO20e0(O9po zK0vd!cShVvaHX6|zqeJnXho<8Fa%pL890=~BVKNKy^=S`wZ)Hl%rWkJBFPp*sd;##M`fg?d?!T*Tsp{eqc9#=AHX0_ZuOuFt-e0cYRJ0!}q!mVo zt>&cvb=u6?nnU^5a7ron{o^ZGW=B7t5p*XfC(MOK3YdB>@`}9lO4QX29ZH7$u02p; zY3Xju$mpn%QSB42@g&^0NeTC`KHQ7GHA>j|UAL~my=G1yQwr!)4d?e`ZcP%13=qHp z33{Y+u85!R0vvIo75|!FcAAOOmxIDkX=&*gVL`zU8`=9!bBw{;)BsO%l&1?pd)$Fj zY{_CO{YJUNX&m%~fR`PO8Uas^-=q3WjfU(*9R?7~*x1yLFUv@g;_|!bp~1)Nxz%F% z!|~0Onv7mkYLLJJvEvjmu_M;Uq6d_MF4w>%gqzm;5X;Vas{%~-ZHUVqEo6yQG8I;H z;zsJF>I?@*T;9X@mc#akP8pqqm;hZ^(*-%37vKhW$Lr?^zf@?8!cd$>UvjP-95zcx z2oJ)I+3+~%;R%5mzaaR_^LCg=L(^*E#=4xTS?pyNsFZQe6-)eBjF*PyGZj>OV0%^O z>kIxUP-s9>Z6uG5@utds#v7{#~z{S4R6@+!z0us@(2S&BmPS^AWK_ z&y>xM?Q9C8UbTjWIPfBh;#xCoI=qxOAn9}K%>Hi>y_dTXxP@$i%^AKhm_!Y`|x zN4YSd>6bJH^C&+bUZ6z|-LJXpl{zE;F?mxVmB>XO+a zGXCP&brwsfgV=XbSkCy<i)l4luO+(Zwmy<0iHH!fP zf#MIVT~wA=tJ%QL5P;@HYo=!Vu)2$i@MG*R6%HTN3UrQU1)A8^0#hK+vIDzH?nF)R z!LdPk(q?@Dn8mNAmNT=ZEAV^cF0b2i$tOPD*K4$r&93ayBn+6rY|GH{(Y!iZJht)l z3D$|tM6S>X^C1;8d(965>8p+PZGU`GxtmjGjNd;7bY%|29bO^-({<4%+Wg zb2vXPA8>3DexS4|Qe^j)X$$jCJBET;E_SOtJQ|`cl==g6u?1Dolu1g(M}95*ZTJiG zZaAaKv(ASj&ik90;{WC6s{f(Ivn5`oMQvC5;-z1-*Yv`_{Xs(7^>ErF6lkcF(Jv5J zuAEQ5LOgUC)+54~`$8i51NH%xza?hdouF2mtt8qXFHX1(@oQI_lcjis_NmactejAl 
z;UdnStwG(|(>_MHuN~B;k&bVw30wr+V{jXy^c=_E;6(pZXU~E^fLPO4*iCOw+TCDS zuwx)wlJm0bama7P>mys%Gz=9d0FI6AH!F20>z?!P2?Pt_wSpXUzMjk+2)!a1YrYG+ z-1=--#&s6v8dBYzUH)!wW5#Pg?6hA)4>~_8$?l!ujAaJqF5b~LFIo?1s^6^U3s z4}YAvS*rgZF^~PHImO|9lkw+vSz;G2wW+753iXtp@g>CW;mR0m;LKg8W!z(W2F}ZF z)(h&VJ*+{FYX9luE;c;&wrAN-K8lH*0`z`Ltq~(+pimrefp7CqxM5629Dy%=s|3I- ziU`gtf0hsDUsb1=S8RU(M7CKW43u6mw6TeCsr_n)DDy+|IT)D2OpaDR1FY@eHa(~H zoR%_=|B1a^ZhGs=W(rBSSL_fz%+hkdAey{CR7O{9k7|`W5_J4pV-15Goy6kjJeC6k z%jKNCE!cX#Y>YIHp)jfWutDsQux{sJO|A_PGU3IlyLn8|VxoP`#S19Ht7&o~AvET^ zGhzvlarMO%E!UHCynJ$PVS5QsC(-YiSd6Gv8lS_bp^@nL>UbEQq+3{Z)ns0f&u{*; zWe5Qt*og}5(p5VI#hE)y?Pk`d!E>tLPd4b8tk=(Vp>Dj62v9|MdpS?s3jJ$XT5n3q zHlIvUd$;(QESWl!M>sWpa|hRn16`FNVO(V}Od^fzdgxfvW2!r=`e z;Z!XH8v(H?fey5Gy@(@ArImZl{PXh+?3K30^crMO{4{0eKj^)Q%b#%v#B%B4?-}bg zak%QvgvHtHl`z`hk6t?A{P^dAqT-G zIu?-S$28!<<)ay6{NA|kYQQScF`Jw-#jd{|iC6LRVp1iCJ$#$7vL^k%4uE(qok#8e zAc-ZX_l@n?V77s1UwOdwBmBBsD*&tUvykWD$8j?GMO%e$DVnnea>UYJra#$zhyWWO z#;?~%=K<74ek86Ughu%7+u~K^dXP{O=Q%9^i*4aPEamE|h6)tRha-I}HRd$gLs6jI zk9ghpO}}#o=-~Rr zhPl-CWlCo#7y6;*`uMuf^db5oVopPodGCGHkk@1RPG1l>nEo$Lx%EkPU(3tDf&!z( z0%f<4wxqET*fPXS3zs{0R_H31GQG=7#hOZ;oSt*h*_6Elj&uhHZwSz-tKs%BmGyL~ z;6~(B9PbMK7m|-JbTnBIUesyV;iF7>et1u0o8#WeYabkf_Q9I}6gkZDm~|qlm$T{c z1B4U}qGYxf^p{wgRK#AAf=+{|T&%_=<}3at3QQlUxbk_vZ!Br3eEP%JhN)jmTJb71 z-x*cwQ#Sx)l=+R=p1Q~&W5k1A|J?n`0m&43H+^xYA`cW_Uf+=Y{r$B#tHP5xjfc>2 z2tS@P=Q*fm0|zre>@7r!BQ1CI%?5}`6x5sh3f^)5LT`I({*`c`Ot{Ata8HAS(o4U` z9&A8E4xT<12CT)X1?eIl&j^gJlleE{qP;iZt~O=NpPLLh1z$#tPVYlqi%-t=ViFG$;2V_kg1S52=hBrBZ)csc&JA?zQObXp;ii(xBWN0$uT^W%9P za}|hwneL346(H(u4+9Dw$ByBK_jax%Ja0hQ%UON3M)hLBFpnOS&x$U>hjP>iS5)|j z8}XjdmpT!RHx|!=RxI?k34KAyeoy3M^8R#1g{6>6b>p5;TT{16Kx z5d@>!!*EhfLA{_-!PRAP7O!PdS7X8C3Sq~yzt;S(A8-gP{P`9q&IprQ(jAqE2Rf{R zs*s+0j>JpM_nd&Y8>#MBZyry=0&38NzaWH{AJ#+?tZdr+Wcjsb=V1D+DT9~r_f9#n zdWMtzWSQmRE5^H5Eo-`hfHz{b{|HXrBcR_U6fa9SN;A8X?Ib4l5~ld9AmIn-J_EN% zY-$LWkO>SmuI)&03%y0bOy!gu<|F~JTD6ZE- zc5}h!>Ls5)mO(Q3a3{*s;BN1squo^fjYiHGWAdDNa<*3h!|RF>rfh9O%qHr#pDoQ> 
z*K$$^=~}RN%>9u{PQU4;*W-uJlFZ@tTYjWPE!bQ(neZJP>1f75R;$A!xqL|)|p4@+0U%!;Hl-2G7X2hKz@{)oWb zo6;-tR`INljxcy}O0auCnOpZa>i;f^*{oq z{ek9OTqzS_zBFtt&L4>ocV4?6`K$-?T7`wjwGK7(x7~F<@gx7PB%$!K1Pifs9Es%jh?rgP#b!gUs8s)#%-khljwuyi_Yhd{0E%ZE&P&@!r>BMxxoJ$ cNPqqbo;m6%s??IW1NOB^iphyq3F`;`H{IW;mnVc^!Gb#kcXxfkgS)%CyC=9qaM$4O_ORgkaCdmPyR&?Mvs*Ru$IR|b z?W?-g)qU^jKHYt9_xYUj=@+gbCxP?@?+XM31d`+rQ6&fn$k&ex4G!j`sj64UvIoA^ZFrrO?-$oKom{X?W|+}ULx!ptxCBQ05sUULvo*e`I_x~=Ial-_W`v=l$Fs6!;u70 z-@1ss4~>j?>43j}r067hOdrLmaPYn)L0|uh z{y0GRNGXMd^*?H1Mn!x2r?&98N$ihQCg^{QHW&{?;W}T(zP!A2H8;GllP=Kj7Xy;n zoR`ehYyrY5@kHi1SKKLzQVnpbszQnib{#(>0`h;Rcg8Yp=u69G8PIAZ+jzb=0B4=a zacycD3|}E;$9l)In4|l>tF{!W;_8;WGE<@IDQg(H!g8-nTdWzL66l|-NQNOBFB@BT zbVU$H2mC=mLYkH!m3}ez=M_&XY__dXXd7t;iC0?2dwWQ%C2W*l2Q#D%c|frBS_Jp1 zy{W&m?nfui?hYny=5+Ft$2LPd9%qkMQ(`x8d%R!qcT(B{;gvbj)#LAiSb~$#1;Niy zTvVJ6R>RFv>BON#3L_q9Qx|{%e&U+(uw-&SbKz^< z7v}EvJF=3T$1Gg)c+@u%A~6Po!&euX`AbZ1sb z+waCl-n(C&x9Q(4PUuV>nCyGg4nEsO`o4PRqtjnFG(S--Fa~|y28g=9OG^FVFj9#& zDKaGi0i?i+(*O||0z41GRMB?&}K!3hgNuiu|Y#YegkTt!0^qF1S z@i-UOf5J^+^;^MoN*k9R9)GOq;$Z^_3SX>1Sr~dI+6(f_6lR0NGP^Ps`PnjoWz)B5 z$m}k2khF)zO{~6$elhxLjtF)#zP)a4?RVfnHAV-9WXwpe8j2@Y+z6y~4!r4RYq)h& zDLqpWHLS8E1phfc{{^#=m@QEt%m#9gO1o23*0a0==LWHVJwE!u40op^(u#cMKHi;& zDpH=#@4NU*FZz{vo4p@Cw2z!;D)6^r?gRFEZF2 z#)QJ;o^`Ugn&iq7uw6`m)LrXZ#gfO*#Xkh}I#6(>pJ~m+<{M)g`Q+m~7>FxXHGQl& z3vETAr?~_V+CDz7#J&Q)nT5xxnkp!BHMyM*V)Ysub#_PfD`r}(mZzsp!^)rOqf`BC zX@1Kw$sj?HM73K%uq*paQ3cpTPjk7GJBTscZ1zkb{oVB(BxW)6aCcs* z(o`GodC_?PKsr*vzQrrry6o43z;B%kd*Pgr&P4aye8YXL+4_ztD+RVzC)L;jc?e8h zLdRS9qWf#mbU~ZyFbFSN(*&=g#xr*eM0qF5|L}R+zBJeIc5s6;a)t_206UqpwYlZu zli`}Ln2T?!3k7$+__+)Jm|2fkW|smRkAE)U2%P13St=chrP^u_+cBTi4MFHQ6%KvO zLg`F9@Ke9=s@aQXmQM6EvcFbHB3yln8soA{M;w2BSpuec(XZk}s{-Mzm# zGsGDJkIE|avEHnQ35cot3lH5+a?$FSHVdp%xv68M4>baZH`j-7f6qx5Zi~j&6AS6g@bua#>u|~8 zuy#a2{0W}YVSd<5^GZ+E0i=6ckvy3NSH-)Dfr7^YEOyqvy^gMX=y%S13p6(MT3IDo zB$iys(-LP*Ca5yS>@i_*B&8)qj!|R0w@{0E*9M{LjiLQ53Fs7bc|>kHZFOWMNp7ck z(3GMcFx6kWbpG`!dYR`N; 
z?w`Lp?w^`M44lB~lw;K!SsU~@r~`bbR=U_*f^WAYBh0yRFnhyiU>|K~#7CMAdbMqV zE$^njNtt8(^fr;L!DrQb;XFb*o!LNFz{Ok}slBC~BWo>%;9dV}ev!r08b2YE7v0Wy zic1^Xsi^Iv)C0acs&6UoJbdx+g>6_ft`3j`nm3C_bvZiU8oZtCF^Jp35*>J5RL?jU zn41gXWBpla(4Ls>4g>3!F+wg>4N_s4uRdFUpP-+fIhD5amkM0juj?}CKUnGy&lS>e zB%;Iob(881X?>>xJ?k(%9?4zK78wD-!92WF>LVGa;Mp`E(y}zDT(fMGyBlwGh1I>oiFaNWcy3TTd_l;NAg(o-a3T9Ht$e7%ZylLwF80QyWJy-_ zz$J5PSWipxXGpo}VU;?zYcx?{`RZZuctJnY_B@!1)me=jP81h8UOvF6i5IQmh~)Mx z4@A6-nzzPfOUOMz=g(J@u#SJXQ&TfcO|j9X*ns_5zK)32&>t}nfMu}T=}Fx&l`ERH zhS(XT#;qln`Kq8|i(~6w0m*fckS+SLhC2fc^c!fh5z5T3IhLXnbkG*bp=sxtj}C_X2YedK`_=lbsX@`;yo(N(q{KX&fFovUp;n|er;{DyvfuQN~WUR zA+OK6fDAxKuJr4;@_q&)M@RC%x3Q$iy6PUDG#t0Ok+I%elU$$Cha3>{HfHi3*13jN zuc`~@=Vw|VYE`A;4eA6 zh9(Ec1)+E#-ege`zFEXbV`_&e81}1Pe=w^l-KM#BaKf`&jjK2LB~R7t`D8Y)-5xdd z!3|C3Vq-9aBi1ZjX?TtpTWPjp4&$xf%Rt2d#GPba-#tp54%pD46tP#sEzlofEK%KDZ zyu`Q7m;laK_DJ(;!gq39B zKe`g|;d$rrw0Zp&(B^uiu&?(noMU)I1Ldi`UhHUrLYd=JgOt#9ZLAgKX7bY0_4XAv zVULBKJ`)?O@M;JJiKGu*$o;(eDqO2RhE1H1SC*G=;f%b)lI|qYzuIBj(4y9bUV?{y z>J3V|%gu=J8oNc=_(55P^SPWxwJv6S^H#mfSYM4N0FR?k8bKRT9W9)vAre~u%wVST zKJ7^pmjC_Z;|FHGqg67E!#0rB$grH##C+znR!};n-aiT&*Y}|f{ys8@K>Z*GcXhKrOJ@qzI z*zleKer}&_sPuW9zb9z0>s`!QFU)fP-N059NjbWP+tpJgYk7($Gk<27J9eGtw8FAP5IWZK&*U`; zR!<4mC+pD1*VFX|TLQU)WL?~=LsmKSH8r&9Sf;)56z`cTNhmx{Yx(ov`gNN>@CKe$ zNu4nZ{`PtrPx+a3%>`m19Vr9o1KdEJ1AkoMcQNdWrN;=-?e#)h~R-46BZ za0>n)JU>}yvTVKP?gC4!pKXMjA^o*nE#vD2WcB8;??i(+a|d_P53V_{VL1em9r%0cr8%9 zjNb-Vzk@F?)WPgUP6l`HIO_!*(Y?Ll7BhjUITKq3TE8pfntwHasBbx7=I7hUCW{xM z3;^P0g~k}4F7emNF>Dv?^G^Q}5=nRUia{|W-dZL*q64jPhM3)+AFP9a!im+$z?_z{t8Z>WeBv zdqc5ISAUs`sg+xyb#tnN`U^WMo~+0-Dy|jAiCx-^a6qi*NU?-1D4824petLm9O|N3VY_kLfE=aSAF7kfk^aWQkvRb`TieZ~+@ zhE)UcC1X;U+0sq$%hR1h6Q8;8TowO&8@gnMIkWR+vCn~0Qd%I?B!nhxm-)lc2G9O- zoSZM;W}XhI(=A#jK~qXgwV$C&%bM?m#_dVY3ye0R9s40qRM~tffku7i#s=X?+UlXt zQcp(>rWvp$faSbD&w4e@@b<{4+Ovjty@^X&#f~gRtpl`Ko58GNJ31o*RVx{7^0*BT z#BmL#naL?WJRq*gzGg8_PBESA!?xT#)b}|L++xS)qWIpQ=Tc><`BGG4I{+)KcHK7h zi4RF(dUWw#fap^sQ*rvlI()B(sU0cfE$?)(vFEIFyJo8qKNCS)cb~pqVb%C}NAdne 
z0}7939yHWOS@`Xv>kFqhk+B|cn7JLY9^n&fnK7^T-rGdZ1~5`~Q+OTju{`jB1edAi zWliYCK0~UJQx`{PI3y~ylKvSin+csSjW0 zPT|^^G_?FV!c{c7%JvJj06RgsQb0H7JjPez8`3g48=#rk63urzwtI z-KVZDij;T?;j$qU^m@L~uiKmGPsR=Lb?>4r z)E>}EYn-jF$z(KyA9LvK-VeW)7$8qZx5%#CuCl>RIM~WS)reR+_yW%Qyjd_Id^#5^B|YiMku`| zZRE0nQ7nI6e8u~-&7UhaT7337eESLB%>*nDJoi^=aaW3%Ez5twoWD(|XW4PWJx@|R zxIVqve^KUa+PhY}b016TeLLK!KaAj#_ZNuf`b&VY=Us#ZK*sNrx8y1w-5+X;)@iUA zC{7T}?T;QsmRFr(J-8MS%^E4rx&}_4~+|>a298XW_<(HdMz}exh!gwMPx9 ze1o&*)B{dYR5-bwyT$DC%#`^r;0x*13^|QIPfw|9w*cd1)%p8JV63Bm{}EZ?N%u0Q zZW_oS(q}Te?8|NTE zL^2f+sGVL!pXaUkb^%Gxf9W{$Q!iEs+IZWoDLY{EtOLG|R_S{=p3A8QH26f2lxeLx zLBFTYkI755y%D0n3hUK-u7}^0Yejzbh<>4kqd+;;*AUbbIDc6bpUihYWY$!?JXvC% zvU2y^`5GJNdP180n))%!>DG%Emv(V+iT}#_mV$@q%xw2>6=7f5o68xxBiRKcJGaD5 zQC9Wu148c~G^@T}h@!O=cFYRIYX@d#;G-E+IT=>J0N8ouiTN97VSM46qDf*Jm8n=P zr?cLRY6Ux6BFQ}omVpV@jFks7^BqI5s)61a#g;ZHLc7_ z^FC@xhf8z>$A1a)4Q!2(c#4-AuMsu5j_h#n@aj`0cA_2NeMqDV+CevS>`fKx(#fsF zri>NFhtv4g=1F;(oH;wz3(i&Q{yyyD@#sv3ld9jCH)FP@+91lHwYr6Ve(e7I{hhc_ zuvNR!mI=74cD!f5IN*`1WGzJL(t|w=;Bn#^<13OW=(`VN)S{3#AnY4FQ(EGzg7EW- zQ&YB@s@cVa6zOZ~=y{t1l*nrlQyAk+#>gJ)IcHxhQUk1fTb*RZT=@s53igMAxZm*j zd;-h2^e$lSFzME(&!$!lnBx_&^IIv3%!#<>O?G?D9zj=MzuodeZ=#NapVH`L8vADX8 z?Rksm>F`{e=^h?QqrjO@YHClH8K9d~=3(i+{-7<mU{m8$7L=midY+OLuDRITn$s2l*R%u#2{6oC`QY@ zu|>*-0-bPHn*1M5-+$klXo_ z?s*%dV*;x2RFMdL4D3BDo>g_OA_g;_^x~h#6l$#oJm^Y!Y(bxDC~#zHg3+-UZcB$@ zA&o@^)^i#wQ=sN=t_JW5vzr{XubaKuah0zq(c<5V@yIm6LYTm=$Cw@=wSERMxXaJ& zWH-?|t2OB&k1;MUUhu@6ZLcCZjkhA%UcMa1^Zm>Q7GgT1?Rhgfdnz`9+?YHY%#^4p zah^M)Ka~F-MwrWVeb-SULe^`vSZl|s^oH`3v?1ckqp7Bx|P?k0GG*$%;>=Pe#D6#Aesa^)%^;Sf%TmjYm;r(f~nH;N`Q8G-B6lMGK0oDvu`-Wt=M;z*{rt zsoJ;Hc7?)x1U!zMRens{ewd)vBOY#ltWZ|_{t!V&Oy~Jx1I2O@5{gr`4%ldG93&{r z7>4Zr&KvDxg_(P{(>1O~3%S|T=5$PH3h#TJz3idRTd4s>vxz0yDrH|hwf1{u6QZUV z3WjD+2N7Z0>RQJMrwPoWFsbEaO&RT$kQQM6!v5T|%Ss0NtT{94-M%LGopExX>Bd_V zNigAt>@Fygb@pI7d_?Q}RQ?S00f@q(^8&5)cOnwPqRMV^+s9hcToQ~VANyqZK*K_x zRhy(8$rj&a%SpG*u7X(YzXDDi1ZCnO^*Xe)g)faxV8Ocy>?ivS9H0A+hmfDHncuX1 
z$D4H*@wX7{I%RS?*46tIXTZli2RIq6XOg8VyXc-XIM&8xDi1Ihc`-(j!4T%> zY|c8w-j}?tQLf^(AQiha_s=CR=M20Y%EfWH~S0KH<|TizZ!?1JVH*E&M*mW zc*K;druszaD*E?dyoHb5mY`mX!Ezgzj;Y_(z2f*0sxlRsSX!&l@cF8nwAD~i0_S|XltwEWVF~|!V`L3&SoQuufvYvjQ0q^zRv%ugrXLcIeq{c-e9Sk z1F=F!pwk(Llma|_RHHh>`{{cxT+<|JG%p>+@8zWRI;cZx$9}t&MgY(aJJO zkg5}X6P>1V6~noIa`$LK@wH@5FTEXxkgh+~SRIq2(LSYHzv=d(1N*tlJ)?!E)d)Jq zZj|GcJ@7j3w;s~!Q25diu=RO}g^AUnmV8je5nQpDkkVGM*9d*ia$sf78U$h zeHVAM5{c6G__psC_P1@zK%9MXm|wg+THa7!lO@>!9&Cj3YqyvEcu30g?->N3}5S8x(5tFw9!!p^;X*>YCZlI2;RwqxIAg=!O@qNa%W}-t|J55ux$7_4-qAyqE?PyUg z4SGeUZ|T&QtRT*Ga0D*|5?CwNFujmzLtcM)x^!h|if3E9oa!72UuJNme_^kOS|c=S zH}rfhjn$Pz+sq$C%VrKNZvfdVKxnR0kpDFWF>38&mYY zfGH^(=j+72bsY<}o60Fi$XUv|`Sf^U@`XoBd*&RRx9^vY2&x3R9^4bU7kso`lZXf%Ov25a3ZW_-fsz!>?P6*4l{D*rlz8S$nx|f($doMW`-HDKHQ{I)eC^hn|QdwRJmf2;+f&J z4^M2Oa9Nq)1wYzTVW!LZ2alyiQv9Ff-_u!Q6MwC)(l`0su-1dj6Ef~wM#(u&gOK#Q!LVH!TlPvdRkM*OgYw%mzw@{O zdD{1m3aUx|zV7fJ)Edvf#*+PUH9u*jnGAeZ#ae}qccY6dd8*cl5H*6dvaUNrA;js4-s+aUm7<_XHM4Iw6)?(~i zSoJnl2}yYOgpv6-b!$Z?6m& zKfwAXAmD~(&FSZqx^V|&xZ=T0zo1r2NT}iGz02qAtW55dm^2Alty|n5DR{^@$g*3( zt!53^e8c(C=EKb{WPkQY`H$N&ECJONyla_PBm$m}qRzmvGmYZQPosmKqc0Bxv*)3# zPh;Lbo6Q00e$A${eL^a1P|QwlJ=#F*xx~wJZdT_DS^~ayw2m`~@H8!*7ZHnvYT|Jp z21N*w5h1K`jiI}p{gw!H%wE2k^E5bM&duw`#QV>n`xl)r+I(B1!{K=y#F*FVtWVe& z>ZdUF^j@Y!8~bFr+)2S zi`OG_nFk+?@o~4yooeltd||(nPXoTq=(YuUQIA(-FbkanBh|&Vr&>Lp9fEdbD~VMv z=bqvnA4v znIb2#92hdj{Gjy?$%oLneoaWksS3R`8HIQE$CI5D3q$PwYW=r?JQ>U@W6g_xQMV(! 
z%NJPvi=~6&%ZSHldB4?uj>CWtmRJjw;0=v(uz6_HUm9aRfGpt0ovl4yYXmj}@7;Fv z<;L|etTFCNGo{%9559l4Hb6PI;HifA@${Ma;jmF$gPK<5VDJxaLfXsBN<)n*Gv$CY z=fd}stJV{#1vGXK{+zBiR(tt}D04dMKX%!}b!_r(NBXjoVhrlRn-OO%E$Vrvam^l; z(wOu^`wvgif1m-q*S2Ll;4_gQ&2Rj=GnvPw(5`CqA_vP#6go^67Q>o zR!E@W*iOuPd+41C=IclV68%K9lzT^!Vx^D{uXUU&NV%N9i74sA87^mEocTgPKZorf zsym}^&}WSa!-kTcAC^p;eqOW1s@vXI*T6uRw)t!7G{;9kKmc zy?XJh3Rhf?x~NlC3UPXew`A39IO?swjGp5Fnw<83N0 zu7t3lh2ENb)?ch;_DHvD8ARU(@+PVc;Hutv}JLRER#^FU9J&4=zOU-f#Z7CBc@^fPL-wSnsv zTxbk={OvdM`gfsXt}$cROiT{a?EG_t^DD5#nuB0#^biIt|LS<_S8VzDaa;2+^UKAB z)F!}wk6Qliep>ar!8*`$EaM(FM-Z%cB2>ctS($5-)LWh2{2n|Kw9wQw2d7+(=KOS3 z`I?C?a)XO>mR+^z>A92Y5;1ew?B;a#!NTLTgT4%br7Qc`;W!H^Zxk~vIV!l4#v`+l zdAIkBVvNG}Vr$P?@3QiM+_#@$pl4rRLR*^k1MOFe;TzeUY>w!FSN)#_2|1#s^g#xX zmd>juIVY1KKzr~~*M#A5sq~+s?46+)GIH&fEjx1|g~$Po(~N$mV|jlt!n5YPJF5$4*ruXN0RZF_ zNW`L{p(*8iW?wifE7F#x=?FS!&Pg{VXqS`p%*&eVG=u0Jqoc%-Xy{BAz{;(f{TB!azOyAut{=!WD zkPjnGsyOt~FJ+RcKZZ!)sU`A*OZ>qs%^srq7kT*q*qr~Js{bce<(VV)_ZK!&GBRR! z)Q^T=q=kirrP#BA{AjSge*KwGO&xL75=r`@8mh7?rmAXqcsR}FKjvU+S{g2I)``&v zF}m``>lI3tDO@4q(1q89H!JfHfkc$%PuUUFKNjYQi4NeFN))bru?L(7Rl?0*bjZWEsvBOd=5?oI8NfXjV1 zih!8mmYCrlTvn!4Gd@dK@md0S*S@E2+9JGxeKfrIVJ3=CWMp=mXJ<*1`E2(32LI@t z_ONQPm(%Lsadj`d-I`+V^km5S>qEOs(f;YvhR^JFLB;b!U|;Vrh8JP>_!fV_J`$b| zp18u=i9Tae0#|m^UW=Ev!rq4NEkH)3H7976Pd5**F zMFfw6nk+B;`Y|^`0zG*s%iVBzZPv`0YlEE#0|D4`bfRYh(Ly^iy_7M37uKP1101)Zi1hij|PVfZA%O;xjFxmnF0U)(j;avUbAGa z6euBhV~6sZ?^QM5+_kS}X0eCcxRcq*Q1>ID9qhhTmvFe7i@kuJjY6k?G-9O7uQJ%v z`rStOJVW(2lJ$Ux_mrY2y=#o?m97AK@&jy0Cn)M=_T^e>&5mizPo(xQ2iB4w6T-or zk8}&7dRW>s>Dj#~3BH?faQX`FCQ;hOImL;wVb#4p@KkM!_FqigcvF75HwIk%?aML& z(*Xgy{34x%Vr0jBL`r|moXxIn{PdebQxo~=SIZ_(mPlNx9fB^!j=8MRM6C7_YAh+c znAUm^6LnnNh*WH+6Mn5(E2|lQbGyTr8L^Yku#QY?+-F_%Qs@}}9s$W{H391ZML~4jP8!0 z`p8XB{!{Zk z^pa%W0@xCDum6-uF=bk^)(Tq*<+KPmh6;(*6dCEIzW`9WZxHP1BN_J%=3LvIADP%Z zB*ROC6dFQxY9lvq?O~MG^1t|YWsk)f5a#apdK3A)B z{EeZ>VPmTOw6^||$+UhDH1pfir-S;g>Gp`pZg+)AJ=gO{R?lWTgcFbqtuJFzT!jkq 
zzktq(_QR`A-FVm?)HRtSnz&~QH3r{e5X<|Xo^`__!jC@OrR=o0dM7Xq`j1`kroBAA z+90Q{=>m2hRbMWwF-+Tm!!7om+r7W$THB5!u*BC0whVT!26#@caJsPpZ$rf(Xa~bf zP(>8iPnO?F`tqBg2HG31XMZ494N=-CHmaxd%z=E}=89+Ly?^rkpnq>mv-g&-8xf#V zX0wV8y_G8U6^wFHZ__g*KXBQFO*(m&-iLiHhZ)n)OkQCyarjN#PatX7ID3G?3#-c> z7!@&+M40esBS(sv?H4WIMbNtm1H&2f9uR!#&+{M#rzpk0m4~v&K?dipG9=g%O4jOS zbSEAkLU@}oJAg)}ewi;es0UzGpf`S=??V(Y-vM140F)sNzPUZ>xD{H%Pk^9}beZOaboVw9h+)=rf?_$j*H(0Ey|$oGvd z<)~|<1i3R2@+$v70|Ps6gewCL7*(m>N*pDhs=z?Fvlr6y7@O$Wrqu9Jl|OTFsQmbf zs9f0UKGt01Lp&MQ3lTwu*2+(=C_TMBMAc6WrTacfi7I3v4-7Uk7rUjXpy_Y9{Caa* zY%TUUZd@xQ;@Saih~^ft3NJdk4hV1*z&fPEh3WI7Y>+_PugV1x54RtD0YHHZ__Lu& zJ&x8kQ}jW546(vbr`gBf8=daB)hwj0)3N>({xMWZSgPIoT9p+tRo)3Wv-?=;@P+TK zu$P(y-p*h`zUI$**0tY5j(ncs9?Lc@zpH;<#2q=47j3i^O880#QRadxI_4kx3t{JtSPCI?^1?U^t9*=HbzQDD=Kn`#`-Qcr#+y zywYta`^NQ^)6PLeM`N$cHLowM(T9@G0t7Tccf$N+=dOhunAgPcUl5=jI#J z4?}*WC=!kyTONC$%KnR3iRsNI-O_kp8%pA+6}hxF*%JLmMh-l#zU%#Jnz}C-YXV2P zs}Jfo6l~68cEBRNwNaFFe-KNGL;7r`jK-30ouxf!vEzLo-@O9MsC0W!{0gGuGH32>&S%o%h$T3Nz!MYwI@JQBh8^Q@ z@Pkydjp}{jB+6VKUH##~fNXebN{3-z_VL-x0H@V~H{`FLD@T?x6_e5FVQ}E5-28=O z1QF?u_@UsafOqS)k)338d7bI;Q8HTGcK^*r`DEt_IE&1ZHEOv1FN6nc8ivOe;651HXI3% z?O}MLO$+6!lb#7k*}#>$Z$h0dKMO>9?Eef5sUtc|)ej?KEO(HOM|Dn@#ya!hUfq9~ z@z~t4Bp2k}ny<&19kog0Pu9QJOZojKocdD<^=WaIjI{5|)%B$Ie4b>9ZBKa8c34Iv zPXtLiV4!n!(LLm9dlnrBL*e>55_ia4=({OkY{+!*VIP;piv0D-zrXWu%8SDi!>Bhem{IwR9W(te!T?*kuGhM7Wo#zYu6-0g4X5m%SkdR56O|AH zh*gFAhRmNzOvEM(mva=!DYL+v(=;!rV3`@SBo>jtgnFn$SgzXR7gttg`K$fv(eO@| z65*YxpL?qDnmo2d&lBVc1npUA*KP&yB@xfI5+xKuYhDU$r}AdDKZGy;GdyaS%te=V z!!J@B$T?moSG#wANWX|L?{s9keSf~^(FR3iheh2yCm+}mNXWAkE6B9)P4dunswT44=vE9DNdHB4_sy zp2jylJlf)?4%H|VZN}cP3_8h~ccNzrzm`yEv7InHAxl?0^+RIok7=tE9@b<_D?OHr zOZCa_jr21y`@^&D$La1S{sGBIPE%Qo2l&r~Uu>mtNA`%!dgh%|gOLqfioeriey{E3 znoJs{$`1>dCZ8dR>H(=zx~;HG$8)HhOn)wiy4LVxM*xMHTWT+%6_3o-$ny>#vYGQ_ zmq)t!LpN>5Udvo%?Ifu>(^geh-(#aZv5yc?motL6{#^uV{`wN{`PxSS&} zd8^~*PjC36Sps;Z;;J*+5>7tnk5tX-1YXG45;W$rj8fViqwO(Db$6)ZtnZ062L`lC 
zi19ne)Y(n(?=fkEI_vj7-{VMucuiT@=(M`-8cNOs@fsu2*!F9^Kp)z49Gswo+Qc%3 ztELD*2**qDs#$Wk0ti)+lE1p?t9d#Gv8@3>n(#upm_f-&;J#JG9Z8K&Jndbo}pZXMu^3mbpZBd&q-^v zcnCc{al(EhtYM0UqCzFY6KD~ibF%p=GB+!F5J)VoS$}Yr(fGXOpAm`?B;eh9J@D$>WqQo zkGPj?+kOAq879P)*P)*-oZ`{HqB;K_e*gE+DF08~3;+9g^Z%3RyZw1*L0KD`K#V_= zju-0Z{s3yxnn_fl1dD7W<0wii`tWo`i5W_|{;?=F8qly5<@HS(zqZVP_CzGR-m z=J&!41g6iI^Z#4%f!Z&C;a?9%UE1P5fBxv1(%y)Pik`8KCNorf(w|Fh!otAlVL#BR zRg}25QkKtI+5UWzB9oSpA!ldDs9%a2HnBQ63Jd!o@J~}RYbl9|ncQZ%ifZ>RPfPo7aZA5Av;k4F!oQn z@Vg+EO8V-ess*z|CMn*>&64L6YH#68CMW%FkS(K|3zFjV36yrYuE5KInWYvd%aXpUOumO-IRj$#V+KfEX_!E3 zvbDEZT{g&Db0|AQX)FnanyOqt8+`86CG>Hht9hrpwFV>`c!E2a^ILnVr#f8VwXYyo z^36G`A?vR>E9eC5*!MTrzs;|~D1L22mB`Y&a#LBII;MBvQuP70q2tfe`{R4JrOv6H zCtqVw0Hd>tLM^Fy?Ey|JXHA{#JgBqwh%@HEL4X->puEG!5mb(0uZ=9;fXx;;#hJ{3=bFB&-g!{ta4NxKV<$nN*JJHo=n%oP9C z#I7T`B~*RaQlzsD7pc8{Vsd-;+I-4hw;vGAy!XiR{Cc~>gdYaQ^n3XVjvv9NFeJy_ z$>r!j=|tZ+7t=ywe6_n2+PuJ*uVpHXPr+YLeG>%IWsvkzR?Jw9i#@elk$7cyX%pZR zhT-Mi*)kcc9~}>WH39*nzey2(!Z+Uu;M~s!iav7moK5q{5rml!t7~(gu*Id>Kh*AJ z$!q8;2xwZaP{thk!x@dXUu$UY_6N!%nm8l^Ds}0G1nM&EyEF$Uye+F9^`^RgTgynp z@_L`A3q%n3sVNx@$q-Vg;yp|6j#AfF9ccvnrvjvP8pgLxH0jSKTqTM`3~&@DH0d|e zf+$LeLE^66uI6a_OrYQu4;O>Qk~jY89{lI+gp=je7+=|1%2lF+o)*J3IQ!GSe&tY& zoKKYW&5H#LZ;B-Bd|7|*DwjM^JVH_(q1$ykq3ZHnJ(vXtl^1{8%l8fGU+WAS&HG%kbUjy7RCG+HZ2<4M z^W>tvSMLj8PDk_S5&b>cQB)}}n^DZKLSq*a=Iog5-)S=`xrQ(6p!go9^7sn8p=aDr zzLM5A*9aC={j4icPC;(TT$ESp;ki5G3vV@s+frx5vPoyVc&z2$bBwAs1A$+w@3znu zLM@(;Qe?ArJr2R#%V4{`Udx=TOEm-mSn;VFwf|MhnZHA!sBv7XD@8)cI-!VcLnb73 zLd;?a*)xV1%Zxp;m(JJ^rz{N(%32cPjLC914Kl`9$G(ivjNMpf>~!4c-sibL-5>6A z|AF^;-e11Y`+2_K?^~E>cHLE8U-!>#uI%E4W$?$MsK=;^hS8gM{<2DIs0tWD;Mhal zLyq@w8dvzlgh%$aW{5rQGq^wSKO;jyfQnntwfF0=GeHHeEKBE{d>D93fgU{zII!b( zQP}A-c*=61N?IAX`XwQ)H>4zCBE@=!2JsIKZL@x9Orj^B z!k(V-=0-Orp5K;JmCcNtbJ=URuJ-MK)Jokp^W6f1BI}Z##-9oQ$C&oU^Qm}=&+5sy zf=kmJmCuP`6gk!gqYDvsYz`bkDoCs!bv*$+u}`BUO6{t&bV=g${CG+iDcAP7>alu3 z`i#q{a+{59fI_F*?<3u*I4;L#&%GVS`s9>tjq2=;?0BNq&wM3(4L8nHMjATOCQbbr zD8^H>sUy_kCEOfk^__s{+`U-v(WZ+S~S+ 
zSvoe4#md#G^1ydVpUE;QYnc0;S(r1c-_PITQU*f}$XGEw!5JJGzTIuKFNJao1eTQ0 zcSa%v_x7y!234$Tzta1%4$Y)AkbR4cTjj{T4JqFT&R^<@)0_oaTU){#s!q=4TCmnv zY(A&x1;7v?4&81XY}6{%?)fby!8w}8et0=RfjHj7j**@w@K%R@MI@IS!P+8Vx1jCMFzFROJ9VaifhkL>F6wMl z9W_q0>ZCX`k8<#&y^8ChJ4!c)Ex!<-&g_2W>uDu4J^hyh`lDqv ziOw&b#diJMHFN#6VBWwhg<%@1w2+q;=(a_t=fyME&e8Yq{Bzo-+U0R8P!$nt56t&8 z0Q$RiZclagT1w(9Z^KGs-BW?mvMtR`#Bn?{=VtC zN-k>)8yjqpKi}lX5Y3<=qRJ$WTw$o|)EfEZZjBUbxJmgQNq%0mFXaU&-|b;PmQr z90uIM;C%*xV~%o8w?{6>ShO-R*#ml=eskvN_vcD&x?Bf}rho?z>cwvm8%0yp8y!li88W5W?J2&TL(VA7_=vY6+vqk!9*D*ctz)Nw5G~Or`EvD zbBtm|4T6B|qQ^N=ZwX?`GJf+0$M1znSLK-Ch2Ge*MjF1tR%e))YwVi_m#(8irdL0q zwc6I+i1DnMDk35scP{kG;-}N|E^oOCEuGH@SeOWdJaX*o80J@eT@t(u%m4z_MjCWx zJ-I*od-fpFasYRWkHNLYS=KyeVG>Kk*X!TsOU0!ogaG+mGSd5}eojBlVRKKGP1y5~ zzs?lrE$`uVS#H&FJ!o8CPxBzn=k5GJy^Ly+_7c%G(Y&_W`v$Qc{>-M!;X?oBgSg<@ zSBT~NrYL~7V;>T55h6D16b&Iatroo1)XLs*;vp4|x#efJmXwR?>#jbi-wmT}JgiLK{EZmvG9*sv%73J{bAb2tz27q zJ|bZY5wAWhb^9w}038qef^XyR1$M;~M9&|xxS1LWvTn{UUy`vCExgpdB~eZ7XOjW^ zW3L~E9W2p|M}Avw#|?*nN2)SSNtz{<h8>5`NDb{we7uoU;6@57Qjovpd@HAQKvSPtAOb|LVZeb(=0k$|hOo8!Q^9 zz!*i_*T%AV*k!&i3XGUtLGGkpIxMV|cZjxcSN~M_q4~|as#hS@#6-5-9i&ox3~1a} zb)vnt@MIXMT3Cjc7(OAOTmu5SHD&V}nyh`jtf+!j9691}ixyiWG#=t%@&xZQe()go zRe2ikf4D@g6jsi;JRN< z&VAqd?w?zCe)P=LbWiuxbj@`46Rn}9h>bypfrNyFt@KV#3keBD_Rp9R?d2cJ$qFF( z)1i3CDCwa6X#r?fQGe#7p7Q#h+AcPpJ|Enzk!*o3&erT6mhRTpKo2_?&y(lf5=cmt zmP&HcI=Ys%*^25g)y}MF29oL?~_ zCGor?sNV&K6K{&Pas2%G?zmf-aTcR<`;Vq3R9((s_VE8mB&fTmlNRE4*^^v4%;YN! zAsprkO<@8T8I8H;ZhoV4nQO5v2n#jD_1@#{^+V7mYs(fscR6dx00|J~aNv6MsdMdw z{0aQ+am(vTxu)tV{p;FO+=h~987qWo3~-(;EvSyK4)tABkWtBKrlz!3tA#qX-hN^c zjwtPX!q>9&J_k%r-q1Y^UWFKc4_M8`Oo?LW)pr$p@}s(V!7I@<`ODBd@YXBVK8VL1 zxcBNMyM*$-843X4hYqUydxjh0ZHJ85p-!x0Q&V3*zYT+hgg)GU;SMi>Ja+7Dd2HS? 
z=y1mUl#nj!kU40&)?ildu+5C*dPBn+>!#>kyumR4R=0;- zKOE^e`Mggp>9P671w^x>6t{VC8|n*SxuL+lE3{|cTL9yD9Zo$-O0q0{eJ~v2leDk9 z0?KxfHQT+T`jNeOkLfM<)ghSt@7>7(w;i5E*EqQRns8Khd(ksc4S2pQbj|nSSt+_; z+t%qaX9TtT<~^qYd3L(Ho_fJ&4}$i_N@*5eE;%!+$%ygnXuiV2M3TedG|W}=qfhOG zeyj3<)+B8pR>D$4Yb}lo9-w09dObV^{2hgCT=^l&a`qD*_F}0n&AHz_f}2#8*$`V@ zw2I6>LaG||5o1R?*282i7&2upRW!e&;S-JzSl!ME-n-$nQ~`uND>6k;8$il6M$Xw+ z)fN(I{(5QD{1Wej!mLI`?DKFT)lS_co+kQ`bxO>P1}oH3;GlM^CxFc7F$%I;t-=kL zFj8!`+Uzat6mP`cZ?=9QvWZC2({2yCps5}qLhd0X>d8ELz3Hs3}Sg*>1MK1+}Kd4(B#H&f6x ztL**E3H)m;ljZH2TY_CRKVWr#bp4tY@9P~w39x&d&W7tvBb&D2+Ioy%q@SI}%`y{8 zo?l=T!iN5-=ETC=fjk5c!fdCVD{^x6D-7hltJxOpM$V?|yfxEg7b{PB8qgv5xK=Ku zIVktDWRj$*Hv&&NLR%S^q?W*Sg{pRfC2c07MN_G@IqCLX(3KXsD!a>Ws!PzNjYz4@ zH(>FAwCoJ!#9(m$hzT7WRazIuG~RJhm=pQJZMfU=Fp(ZKMj|ba`QmaSPld9DC~^w6 z3($lwuBKG|^o$+#p)TO%RD}=a>@Agxq>|C;=?3>b_+OTjLc`gKsS8^wR5~C5W$yMb zB%MT5zi44xdxw!O4#mkRDQ3We*%%g=T+b$xmO=T&I>Ii7mxoHQ`tbT}#;q0Yhr9Ea zIJwdx1K`z4j!H#p+_5}*-v&0hU3g`BIdy{UodP?ENK z5TBX6_ttO${}0J(F?BmsQ$b>GdP}oh$wWc$XPOe>OB0Q)u!SxQ;jDNQnh||MRLHM@ zAEnQ88Te0Kh6(A?f~f{^Gjly*zyH2ds|QL6aGwL~bog>(jlnDpV4Ybht?U45@J>BiWM3 zt!5RBaR;IagpFAYmM?klU7b=zeQ_Ug-B>01yEFTK@}F4V`J71S^(NgeNaC9)DUb2a zsHvi@pMH<@t2vHIb+r&TO7ThO@_DB1-+|xkM!HlZeGBBxI8Ehe$cnc<`!XjqbMyH{ z|AFRDD5du6xXn0P4D&bZkRy72l7Ve|f;}@m_-WrlRkzc}frhG#j@(m>uG@gCd6oUW zk!r8CvjYaYe2uE#MxIB@NW;lc9Bn%!y{ax(m~D3)_b2DdcuSZ)GOU|oDC;$%&S6fS zA_m}b4I)eNk9^JJJkD;sNAFNh+Fy{kH@kmUejj{V8TaK|`_j{dQFp=1)FL=)C323yC;oJ!hnwxRsZ%;Gj5BsuDPv^*hh;hrQPP`fLTJPbM2U?ZTXVNvbq83Mztl))y zcI{v1U)=rYA#a7WKBiKuZ)NS#*_TN6K}N4U)L--yN!kSZkQ|Xe&k#Gue5nKZFq%C` z@vdBIdRCl5L*x{GEy-0}guRm%JXG3U(fH&^7hswtmNPClD z#oIp=k!DaPYK$gTA*L#)<%$X9-Msf%D`FMm9}(l3L*M37v&}?uteUBI{vTE!Xysj zQPmHq84Gb-Hp_08un_JddES*W7ZYt`D~Y25i6PwEJ~n|3xF)ayl?;*0md4=vU*?{v z9!2Sb78lE3b=dWzsXShfNJaexI!oM|S5Mj3=X1cp36I$)a414{;T%TYHu) zJ+#>{wGi312i@{-ML<5>WlQ_+QLT47h?l~6XEi$)tOC-;Y2WM@oS5OMmA z8?w2lq>o=Mf?vPQ>z^@D))y(^kXI>iGUA)iv3cxL_EWLjT*PW5du{m6^8(?WJl4ci6)ae 
z&aH_hiLP=-v5{kKTxvECi*+^c;klAhb>(GBXBLyM&sOgFis}#&YBp*-PFOZ;6P3wF zTpxWZML+DUs~zN;*qKwQZx?Cc97#ZCmn1wZPrzM)eq>h^QkdsbR}@`I?keo@F5X36 z3~b;fouUs-T6QLDh5qO6$&K%7w0qOv6>8hc73VM!O!?4hRMH| zGe-Msx_!3}@C^C*6T>$}ODb*)_$4F}XsXlLGBnr3Ej}DuoYf)>W|2H_r1zc7Gp?M; z=yk5to}0i)Go(DT-|8vuj>k`sP4m;DRs!-Xk&Lz!yI|sGza4L_55_HkuUY=^=Xd2e zdYAJ0anHaEzMGpQ7I3H|Su7Sou_*1mpvOC)GhT2~0cH9bD5Ko}HPBA?d&o3L)1Fuz zrFG2_ymoyCg&yIp0>B^Z+?_7MOQBHC-!2ShevQ4m(9Hm#IAYPeelFp3(9_g~+6w%p zO0ERCo$c~(1(eeT8tM#9t;Q*cOXi!pDLK&p4V~*pW{Z7;6=$r<{&OGfhXhx+S$fu?mnz zks3B@@;62W2l~=U;@$@P-out>gv!gyRnw)_#O_6j1P{3)NGV$fgRpZ05<0XPE?4Un zp}VKdr?a5}l;lwEbfhjXZBUEkx0{rmQ!0rV2bS|o{y8c>4UW_6D{PcC47l#8BuWIy z**6kA%$N&byUSg$!G{b(>>M1EA-`+z3m|ZAk1is7xoq2N8_Y2%~6^e?moFsE+F63Dc=%_GmdGr%kgppIibQy+Wt0yn~4-9|ru)Yf~cM@;E2 z)5m3j$*iBuoa;@IV;b4~h2b^nLGqEGHnUN;Fvoo=FK7U-vvb+4RyW3w%A1fjlw6S7 zLa)R4ZW^^3vpND7^$iPBGA%>hJIdSXy&v{(>sT{D^px#bA-u*SgC_GfKOK;&%4f%N zs+AdeHXBh*j{#>@29XXNgBn81hWxqdR=me32s2-gTV?9z9t=DV16}WffblHFFRh zIPZJ*y1>DJOo;fMf34OC_WY(JI=V6najvY2^nu1}RLbp&V5CJJxSQ&|$dtJ@RBZ4O zh>uVGlq_J8Q_v;3{%f4MYI&rjWeZtNXvwkl>61IgKN)(|yxuB7S;dqS!nAIlcChItM2dDQhZVheX3ZEr`l~|;YdK=vQ z&k323C-8keiOgy)i@uk!T%57q{mjrPntWAu-NVG-X8G&rkcAn;j!&KSk-${%V)rt< zjMp5m-(kNYm`zEn6MgRqei zPg$^#5U0muy}8y4^J%8sbd~(^a*eiBxgX_R*#{ye#+?pOM}Y`G0HPOhf`t71`Zw&v z5$YfrqI8tBmLPdKn?Ju-=fEBB*Trg+^j07mCK>c?W`(=#<25^C@=ZI88y?LT&@JEM}0KIyA?>~@G_T2l+g_3>I^1xBRDJEAe$jbnT{ z%JV>QSxagZ*!}qYw0pYTghw#+wgHg*_Jrtf)Qp_VU>l`H=(tqKoE`;kkF4BzG zN=WT!q$$LaP1Th!Xoi#u2l9&qw#uun&wNeh-;8ji5b`A|Dj@;FDeE{--gC!AAD~`) zFyQqJ96i5BQ_=d-)~YE0t35@Y&D2<<^_U{U;3FBVw;m;#&6i3Y0FlLj_-azm<;N?B zXMa^YiB^uGdM(R8Uzp_ok6 zHL}t~#mw{n6t<$!(PrM)kHE)EYt5!Xd@njb$PjSk?aiR_s3PQ0wU1%0c{%)LP^POP zW`S;}j&tax|B`Rb%kYFN0ZX*BTC%#PmeDPkIZqA~f9`0a5Qr`l+9UM=Let=rshSf$GIkDX+(A~{58>?L)}8{=nd=nbj7fx1K8Jn zjelX$vecM~S%~}S$YGl(v`|@Vk;8*^KbWlq@`7FOvEO$KUk{d<87)f8=~ioHe~7VD z5XUUf;;fh4F%SHlI>&VOa$d%)c`)JM9L>+S#HjasgNP130aXEOD&Nsew${GtTs-wi z+S-`a@<%)sqvK(vBNWRp}gwh3>P~t`xD)iKe7Br93Y1Z-Pg`?N6NAL?SWBoD3 
zKt*1+2c)}kA-QY|#mZxLUK1-M`TeN|BLIf@RlgB@Dj^&T;VXm*5d%FimT7%{ZvxUl z5Czl#`yTZ-lX%{ugGiK}3b~JvB_zx#W16!W=r-)abAf-UV9L^qifhpDX;0QF9Lc^2O&KUP#%d0j>2%mUC~6*&a!9V(7*;HZ3s6 za+uZ(=ip$f6O>Te4Q%~>R&6BY&i;(h!=brMwJ$#W?cF(Y3oz34Zl2m;&qaZBr;u4m z@Mpc1Xr^wLJ**RRrE<;U5&T@PoD6J~p7iQBu5`kgSX5_ULCWX?k_c@&l2A0m5qkOwD~(Im19BWldAB0$6i9b zo_O~AHj>KFxs)MQWsfNr?kx34SEdJQ@0y?A+BS*GHKubxs;ut*2efk(n2cf%7?HXh zHj18r%(;f3{VgZzv^_Bv5iG&02G9c8Q#+xW)wb#cg-HKVX!Fku;(;PRS&TgW!D$m> zv<`xi3{|!T&}i;^_-}!ac39}^71hKwxB@;YC^zhh#?JY@WjR~U zA9pri$`=Oo3vjJnBc=7zwt71e#XN-8xw0g|qjgBd%OO^Qkk>5=anP>q;ledFH(uJ< z82{8w|5pxz*Ao|>DW%CwrQV<0O&N+g$$18Kz89SAk2(IBS?c);|9aR>p)lYT{1CMK zjlZ;n&wb*6r`Hy;XQ}D`9)YA$gbTG;0CGe`5Ck}}uOYm#hZ*BsrzDHx%5YoVT``Rw z`?(5=WRe(@F)sRjCK>wrYTaGoFCVBY3`$d_e#^;eQ*cA07si9*2F86+7y0eC`9I zf>ugkFsz%G$m4-uj^0t9cT)i;wH6Ru*xo7P%uw@ZVWk6H{_bp5Im>SIZ$B*N>qorZ zeQsC&vzad5HhA-#e~PeENr8Z7@|JZwgb z=PmUPVc5lFBKYNn|ia@Z&M%amnZctOW-C*MH%RmxXG5!lA*>5y+RhBhwrI9$&D^1KpK8#M`raBx()WTr}F3FFxVW*1c;eccmIpR(At74BxHF) z#o8w464*0*>qscSu8e(JR3CYMhJ|0-uyrt*0X;*8mQ>AZ@cq(pLZF+)gD^{pJ7tE} z)~J1ad@ewN?(rePSs+M`c7(^5D+k4yF8ZaZ_xC(&EQ{GPdpWQB z+yegdc9nO35vWcT9l)SDm+RG`L1$N2UOQqmkZo)%I&~`zmcNAV{QwOsBChc`@TPdr zO>Vq=@Z-y+D4#oT@LpmG292pqi4ZMtxPZMZsdt!IMw&bj>?L_f_u=7Hrf5%`3Axbe zkFZrDYrFS{8hGddQ6EFBA?U=Pn1SlhBO8UD`_c%EzQ#k;x(BzJS zNjdFo9>8)PD|1>?ZB4)--M&e4Ab0329q7!?2F7Sh^ugg zC+G=;(mha?o_4ljR+tL2B^#B_~?ffDS$#04rasR9T4OJeoRHy*{b*(?l1CDa;{~I{`e_4k>-7VT_ VO{%~T|AWaQDaotJ)ySBK{tr4K%6k9+ literal 0 HcmV?d00001 
diff --git a/docs/static/images/source-code-repositories-bitbucket_1.png b/docs/static/images/source-code-repositories-bitbucket_1.png new file mode 100644 index 0000000000000000000000000000000000000000..d3e85d6b19b11a2d57e3ff79662ebf0ab33e72da GIT binary patch literal 7366 zcmb_hWmp_bv*v^Zf(Hu@!GpV75-hkb?ry;rcSwMs3GVI=K^Auj4q;h*v0yy1)ZmB+y($3#Iv!BKcGqltp@RQ&fd+jF$vG8vIR z_xtt~_)bCl`R^;>xz*?2Z88s8Jr6Ax8xL=DcWV?|XO|Dw96(EVYinnqor?zywMP;K zg;GyJ=B>6*_VJpp56%Kb?-^{B5rY=;o-XmboXl52FV>b+&8AG&I7UbdLetUFo<(-n zVOCSD;aSZ~sY?4}N5w(Tu+L7Po-YAm_sFj@f^U@ooq2m_;=52WK3F#JL|g3@_7^cZ-5?0&0=MA~hs-e|leBD$=W{>LU- zoQtb2piZHGn+53R_Ev+4NY)op@Xvs<5tWtYm5O$DcA+q(-!^lH@O=->iGNQ&n3S53 zaMpWO%#2Jv@DTM7&58Zb^trD90IWb$0_w*n89(U$cK5fq@A%2W@$dehUb{1F{^Q|i zy0YgC;<3ey%t_7x5VwDv*y`E3F&dz!kDn6@rrX#%rW7aaiyQQqF;pMzqMls#ELB>` zOb(W;Q~sxi+M8T_YSuF;yi)VyW$@HZovJappo{!8#-T_c=oFxyCn$a7Y;$$+X}$Hv zNs>VBXpKL%GMeXDaC5}F-pQRt6rMYDl8!Ewx!ZG8_$YsQi+Fv2cNeDjn%Tvju~Nu++3q62_iklUR_i?~jJs)W9(lLu-bmGi zpKL3^Z=vVJSDl}C3Ww{hjl4^rLN{rI271;~ak34>L-1ZkxWaI6lVMzc)<;|xFZ)Mf zLw#998FOxKF4!GZ7CDUD{$v{o z^A+TgbocExGnsH_c{`sf=_8hPI-PrPskZzr0@LJpUwwrfN9_^$XD0{eE_NE9u?2|aeZ zSqNk0e$MXLybGVGAvw%q`}-q|&XhMgc=xd+kTDux`I}CX2s=Z#(#jr>|EyQMu~Mmz zEMBG;+4o-1Doe$x`C+|I?7Cst0yx3229vOlVA*&tp8d8FHp=$ocJ+-j^bw$C|GhicY~i^_7n(a>Ie zc*;%C_(7ltUNxPylh=rw&y!2&$kgC*C$iN{Tn=p~d04NNYkGWNde4=rT{Bq2-DgL+`=UdAtE1iKR(!3TmmjjW(}|4aL_dkGyu*t2cV=V zIK*YROO9;l%~66U`+8FzpDy8yZuO9(vHzJ)oTl&C8B=8Nbv8}^A@BVhXDf-?rsf9g z{o@r$0naE=opwxWj{i(S>9c|=_q1d1*@uRyc_-{aDlD^x;8(N>QTyW^nvW_{?E=7F zY*Z2*>^*-K?||kNJw)U);~t8^@w3P?)B4o4Jr^_0HnJS?BK?4NT;Om^Yuft>{oDf$ zN&`@Kh=lEDRfra}gf{2at1Pq`QLxv&FO?_)BG+KH!7`j;EZ~BvMut9=2L*|&KT;}Z zTPVcgK9GT@QYME?t$jChC;*8aO_)fdrDhE(=va z)J+uz1hR4FzWA{?r9*Y0Ov?2 ztIe^T>{vkytseR~z95UbW9ER_*@%nrh;tPKDVwg&G+GfD7ck;1`UdF5Mf`WH<7$$p zC`-T}nGK|6C>)xaOTr{ixi&WCbzOCcw{D$n(Gqj8S8F^NN5&eFs3MyD;euj&lY5^s zC0-Tp<)p#x=vaoweab>s`LsgpoGAK0@8V zz7(ITF{+wIYF` 
zeVKA;@PN+~2+g>_&_1MEXdAk+J$zQ%CQu~y5@PK8i=aZicxS_VknsJS}kun!GeSAeh8Zh?^Moz!?3hQEUybqRZj1fe{#HX?xRFf zK(%n!rIzGU`42>r%e9|2md9JRB@c08bu4=tJR=SC?fEx?d7u&7pCkciXIa{qcxJ;_ z9c>v)L~$BodTlG&3z6{~93(gk!H=nASr)DrR3n!MmOcwCVIc<>i^OSVYf{Cz;9|2> zwYvl@Yg60rKMw+a9lpQ*rC*J$>hEJ1zc>-AA6)1t`B_0rva}f?1UZVE_MV>iC-w-& z|NF1lx;g9pB)^QDw%1?=&i=TqA?>6^TX{*J4xXdR;YnSG9KF(UD<1!u5lhV*#$_8E zQpTB(4>-h_`ZZs{T4JDVwNxlFVJw*!bi!25({pxMz@Uj+XMVgybm<(J-r*srWy5Z9 z_8Bdmf_~{&PZC8N@>bAYf;YM;yRO3C=CnEdUhpL4&~vw_;lZcmNys~l1*Rs)!<07Xu!QvOz1PS30>CB}=&}EuaI=4&swY)L zbKTpls|UM$%AGIy_ZU@AYR_FxvZfAlLRT-3-sM547ng)LcIG~U95Y;*IjdqdpRb4~ z=?ABlUX)9MIg3Kb$GeY58XO+~$~hFXv^);6%?j$&l8Bb@=aR76?+%?Y4wcdI&BBA$ z##zdWRrWw4PvW$3(U7uocK>Y$M|t>y-#hEDlJ@s{L#g8$9W%;m%`O+L5ED-?E43nj)>LOX(58 zrL{DSR@N?g>8KlZ(Sb)`IbrHt>bsnAwu|GOq21qAN~lA8bQ%DBm51#d{_&-zbdc>8 z6<5Grb3tjKET#C$SRmMY`*$$-?;G`z9#Tc^dd}{Jjc8t8iW}zehX-WuDhv4S*7` zT3P^hKf1W;^s^aGH{eFc-KTzvj68Pecd;t_n+vg(ErP;AmnDY&B%i+oe}9;Ivq%$a zRJAKTy|CKQ=sDDJ=g-d$f5(yfC#N)d@vnThT}!{IyqH<$h2H_wY#EY{y?`D7*KPF? 
zL7jgwymbQC&jyZA=sxc$DnwVG@M-gv9(x@U#ix=b{OuGh%V`|Dk;$3-v&qIS0zV zvdN11)#{B8C?%A&wL7r781;!12i$s*b5XfyVrm=nI|#d#6r5>OH>tj2PdTbOr&+a$ zjQ6Q}l*qG)i^B}UN;72^l_M%tJ;%Nm(%Q1&*wN##uVz8tyV zI61GDc~MG*bsI*m9c64rsG3q(wG`0Je#-egWg*V8aLM%SVstHcielnFOcxo~DsV4K z6@F+-{t`*uJJ*ONU{a~HmMKWIJw=~msMUV?AiD5tHiccSt-A8Z!HjjcZ7060vI9SD z(%q>c;_NpVv)!Q1iyhnMOs@!ZJyK+yon27CFqzmeQG&q|6BOISu|R;CT~<)%&J$4~ zm&}x$zSRPni%44zaffc1u6Am@Owy?KmkOC5=(8K;sb431cnyi(kS=TiDp8|-$rNp^ z_kZKY%pb{IS)RO9?bTtvpAZ@wIfLM+$`n}eTX?*4>%JFI;M^oyhQ38K#E z&7L&Y9VElF&|*cpBk^JbJ+LlCsdh{$CWRzcG2fGtwtg*JJx`6XIC%@I0NS~4y?)!r zi~;3Nf;*aS4Je?xvF<++z{CvRPN>Fnq=|^BMqX4#RuILy3u@Va@; zRGPlaV#7GyB3JZPXrupdwD*QsZpIEd9N7Pv*3?UFlqBg-;X<~r=%K4RIX}!3gD7^j z(-#YH7!p%NEvq7(9{!%v)zO-cX2#$(otHhKJ|ohmDWV4ZepzC}&zd7-^lWZ;K>wQ+#sEdu?wz%P zRy(bVDeumZ1;cH?YwvHjYQLza@?r+TrF110U+V22%uhriMe|~Tq>?vmX!BhI(7?TO z@ovqXlPJP+0S8S@7CW&+OSexE(AM<>)wbRxHc_YJ8fv6RT;y?;&DVsSkMHSu>2^&N z-)W^r3o^+>7?0&ng>DjLNm5Mp7qOt&tNi0Md-*tx3;#HjapUZ}O+&E@p%SIr$my z1mIKnsj8XdG(4=))`pT-rX%g1hkBr0!*)QIZjyr>8rjkg)zEzT#25=ZLho6}Sj%d+ zYwqHaYD*}aq0RZwvR3hK3}&Rxj8a`v2x^7+0Lmj@7kCRJX|~?6b%$vD>dVHVNHXYU1Q5UAJfGh zMT_omt$+PMLGl`yXLxEqb3RFb^W`d%XAp+E8(v)Ceek}_&nA67Fiq9Dv^Y=yd#?!% zUy!n?pW4cZ@lb@IvEdHvdxlVPN8LzQnX;9Zf&}*$S{fX4Xef9!M`tM3A*W-u{JCV3 z;Ew8(Q8JNI7z5+iuQuOvQxgILsIXc-y}$>iY)q~3fAJOt}xGnYC~Wj zFXE8m$N5eemW1wV_)%5zYkB=O#^1+$MC;&FI^3J>o-3VQc&28fHDNT3{?JyA?dNvt z(WpG#Z}3cx`D`FFh#$gn_Tj_ZnPr@8<%awzNBH|C$uG}(ayAW|p7v1$n^}LwK*V3k zgRDlRFkVRw4dq|jf`<{biFPI znzX_q;j24d!MxF5(Yq{avhse{ocC$f=2tg%TU)j67V8)mlhq9kGZKh4EbCuy$C-wf z9=E;k2`E*S!DL8~8B1{K;?{jg8QH;D>ImH}cj$=a`%Vh!(_!oTmk9!&3hEb|^@N?;G|<)oZ6218*X>WX4Zd;SDkZ;zGpJaUi6(+FIz2^!oM+B_~_l@Tgx%`Rg% zl26(j-M>akoos-cN$K9Td~;RdF6qqDl6dUHDib%j`#wTC>Jp>-jf*|H9IHdW#T6Y? 
zB~)hq76VU3mRt}>?{)YDLfJ0kaVd+aG5U`1!OIk?{(46l4oO0b5#^{zLZU0B!8R=> zJo~>?_eq`N#-HFWMJ0u;e2cG~%ry7q4Y3a0i;BjzgpJ`mWvsY~%(c>0I=PGa6C|f& z)D)-xfEzbwM*Y z11;7^aXdpM_EKnHPU1Q+LMXa=a-|zYE-)5>AynpmV;%fOy0E@WXDf|2=+coF{)A*N zSHD#FJ6lQR>Zrv1yoP>Xr2+6KJ6_`Fc>)8$SOKbb^=@?v8EwD=sRKb%6({Luk>ubR zc8g!=7})76gfm+ZD0;_N8ZrQLKkNwI_}Gyv=}g-m-O60>!IqH zQ2AWUSKYrb4^wb}o`ba}ZBZmashf{O+$ZI`dZOL2(<9wr9$obbnv2zN-V%pB4Qwki zDUR&#w;fD+0GHv7g5&z&-g?Rp^N8P&E~VrmqT#_A&1UL@PnS7mu!QE3%7GMb)J~NU zucZfNgl0S#PW2YF%y==9TbILU3sTM-W{zcN=q zX_VujZ%!AO&%!nXcU-*`pOkPoFeg& zzItplCaN}}8XOr_(rfdeGbAKZ1R(lti)mEGS$ubyC5m$uAqCUrwd|&6gmd!HUiC^| z&vx7qkPXipjwX)7Y^cr84eXcI*?o(iC1*Zsku9~rn{kH6TaNbZt2EyMJ9agPKj3&8 zUlu^)-*QLaIsh@RA?*P%Q1v{dG{7+p_%>Y>JNgkB+vzO_*cik21#IM4t5C|(pPMyq zKEsXrVPRqA8bxS+T}WsqmRgoy3{_HuYd+Lz7{q#&9;1d7BGV#Nm?tVrN8YrP!y)>J zTyFIm1`!$E9139Zc-5XT4VeLunoPJH)=K;{WAR4+2w1# zuVFe#?JT^C+JlpEBc}2tuPW}+;Yjf*9f#37YBixD-J=p`?Bn`R#C(z8Zd;jK{YFJh+^`zvQqN!#lI=7&vZNHfgcon#I0#*X{SY>{+rO+ z3NI?>y?^tMH?pzS|C8*JC!qeb?Y|BF4-fXgRY*LJXpNWMZY4**iAWR$Syh?ZcV=P# E1#IMa9smFU literal 0 HcmV?d00001 
diff --git a/docs/static/images/source-code-repositories-gitlab_1.png b/docs/static/images/source-code-repositories-gitlab_1.png new file mode 100644 index 0000000000000000000000000000000000000000..2aa43b63d1e088b4b6a1970026590c0129b1d73d GIT binary patch literal 7470 zcmZXZbyyqUw)cTz#jUusl;U1oE4XWMiY7?$V8x0%6e});04+`f#i4j{4eo(ZEHnfN z&h0rpzjN>Vyz|GJz4y$lwV!9cv)7*WiPh0kCMKXKz`(#DR#j2Z!@$6P`KQf^kNd}x zL$?k8oUpxKsT$z_IRf$RV*d2$K#Im7eK!Ee*V@w_1L*4JV$bJg>uGQA>gC`DI)2b4 zhk?QPLsj9WfnVOys;{3Wn&k%)-SV{8axoSEp%8^`z{GULV)5)3r~{Of-mtAvtulSf z$f*$khFUkxzL8e1QixE%O;LF@FxIh)#!Gn;p%*uC;4hQx<>fh!4xHHCZdsqWBvCXp zeDoxO>=pjMObksP+=S-EzuW&ZTaJ^m2UzV1Ni6brRq>Dixvl-T(_B@yvsvoniI~bt zp19&7&S40D+<%Fg${*yk+)1tGtY!6R}hTLiYnb+1{3e@_a;P^mBCLQsn4E^ zQ8>0voCke*7$R6Y0elzVWg%v0IK*B0-j-wLDq$C$6*l4`)0p1P!q3rnF(I(IZbxJ` z(!ipnuhT$BGO@FoJnw}Z_uj4|?VY+jW$27U;aHZ$#t_S$-ok(1!eEZNX^YanV$zfZ z&Cz8eHzKX15Yn>s%MM1QbDRyVJSeMW7Z6$=@JoVIP|nase8R3f#o+D?xLbgdm6e34 z|5ZWe)Kk*vDJrj?-Vs6p0f7o55Ab9)ZP@p~{tNqV9I=Z#KBsANI0;>E&IUsk0!{o@ zGzH|uXB!nbwk~ej0QivdT%O4GH~OXTap>l+rc*SsW4SqanrQd7#k8AHTJvrhU1Hoi z-L6i!LV#Ju8BDjFSqq`>5g>Y+a<{qgzJ+=Ls%G{b)2#!cs!A-N6a>bl{HTjFL4i~C z9!yp4l*=#TIhXSGM$Qpup!|LQ2QtF;3e%f|39U7hEZ=@&zQ*yje8R}8xrQK?BQK5!pTNuL?9C4*eKvHi z#65oSYCoL4kT>a&lxo9^nTvHzE1zoG#^GnD<+59j74J9&F>NU)Jp7?>IM;ZyX_2gD zUjV5+EmOdn*R<|Ghp;(Sf4wpd!R<24&Jr!j?&M1X0Z!I3m^J)i6onyPAI)$hAFieN zh0G++)+&3hG(HD#G*K|-CPiv0?t3Ffq=^qFOHu=Uc;u_rhKJ%~Y2(vNuMUFf7HTLI zsVJwql7O??Vu1}H3GdSnLRk0scC$wdfgGLEZ0Fcn`?b|;UOxm6-AzDf;ErpHr-{U&p3uD znmv>I2?d*jDXdKD^pvu@1azq{t10Tv8jESuE2}h$|GXI?y~mEEsHxq$wWh4O=IcTK zd?c)HP<-~o8dPh^h@%6$mDC4I)#j{!EvQsBhWN<_Ojz_*nR~VR_t)`)#ZUv^!ISlu zezi@2>4X7n%`poWeRG!Ya^JR|hEi6_?+(h3dqL`C5yWf7$IISzEfe~#&7L1cN5t!n zH5m7(zZ*DCCkC$`*i_<)+KWGrX8e4P-cBwRyLC^CrgIHy7@1gzjff zKbQOP@Z57N)w)HW3@4`D+`zOCNn12nOWmC(W94LXw(LBv{Zz}vQLw8ne4;KjfCr6J z(s7PF7%jUR|{bn@KQ zm>WliCdz^2`tHMe=S&}Xp9{A1!S(p;v*qX8z_Tggu$hF21lrNk6cnN_5)7(4h zmk#f^BZuFV8=`&pewk1ta^R)0OP~rS~;iBJ4>DqEQ7+JfvF%cP$-{3yj%bw_U 
zJum2g!AP=-O|)x#H>Cr=L1=$7bjc9~u|EfKs0ZPqpxxjA%TMc4!5`ATO3H~UqISif z(k@hr-{NY+2VuxxY8hq5Nj!!#H>LrSr385In53pP!qYmcruuzVImVZ5c%lGhx_B@pYKlP(tsLvRzVrzgk3hh z{txW1>s=AJHr!|SJw}l1*})9Xb+^mQJaQdQ(;d zfqS6f_U!>_7*MdKR+?t+et5AR#wc>$P$-gE!%sbX^;^30a5LwcF9=R|1HYs&`OHBH znAjQ7Zi9h_GLOaIwlBNA&|K)8Y0Ha{?7CZ-yi0Z{7n6+wPR@(wXgd3n+hggd{+5qyF%sp)6dwQPGr)>fEhYH=$^chf zrO&N*C?GmWCiF^0zBP$B_KZ$uhj5@nKQTQYb#XNxb8~G1E(DBKDKa*`>#uWsD}2^l z=0G|IEIV#F^jA!89$) zs0F$_DOJ*zyR~75y*Gp{4eX6Bk_YU%S)E_HzO9IDzHMus1Mw14PuRTZcMuCi^iD6} zCgjK#4!N0n_=F4KxqZRu3sqYwT(95wDCwd!x^W<&G_4mBbNuP}Nxg%GP8(?C){I@iDQ5pGmTj)r^vG80QW%Vtr zmKe!-*h3N*l6=nV*|d$83{kgK@vqfc%1$f8#;FEb4t&VUn7y<$6u>>->mu>%R*Yx?d8t6 z-nI685)D~%xmW>g?PoX$dj^*Q$h^1QdO(`lbv~jnr~Z1MHSGuhe2oJ>4Bd4ViL#l= zE3j~~GHRDdIy2LQfLP~i6hk4)$1e?cp-O4TH$>r_Q~UHj4;ux9PB!bSZ2 zs9s`Dhu_&vj7hc6lykX~BpJA@Ci6q@yJg5oby;$3&h|t%3@aq0HkRr*SU@0lC$weH z$xs*=@5s*0Q}g}%rv8~BW?=0((Y|GVpKJ(uY6gx_sqS~hkR>Q@a^j95$qijXP}?2o z#B-p#lv(zwVOVr9O6Z0yMN8Cu4y!B+3mw8)5odUW2$ZO!6wRxu|K?lnn1AAsN}<{s zkjp}a=MNKQ*(*nCS43n&Z%r?`9RZf00U(Shq;dqB^hnYc<0dg5>V0`>C zx`5b&*Cdr-j9xEAp=Mq15g8skMQwkHsnNj57zt0?a63XaN;jX!OS|u@2jc=FSu+~F zXIYEo^L^Z}@vO`l>TrHU+Lb0T(q~-%;MOc)%X~>Ms^@Pmq3QX%Auo2i)N{}kVpF7` z56;ih=V<!GiL zJ-w{4(~+rm(;L&xbdN?cL>5F`lo|y{J=soqH?yrWV2L$v0`ApS5?A{ACOWN@tB?iE zY*I&0#YYMyElhxn2x_zFyA(tLZd;t|qMKL7mI0_~XKqNvmCE%+{1rpCJnHGV5vm80 z!_l}8E!GgicFIEfe0B` zi<>DPDXF+)i44^z+v9Lc*=On=ZzWYOy4Lh%{ajoUQ?g(ku9C@T`Zi+F?&B8d^dJhR zFkq~=HugkXx5TTbu|3HmWs0^Qhe|D-H(1>E%gn*#C+@LTUGb$uN!D4jm)Nuw(~xGY ztY#msRFP|dL^d$L6@PrEYBEC3)LTX)$RUqMuloi;Erxi+wdos~1^Qylx!bK_p4|E> z>h)`Gs!j$ns_Km>mwnY@3PTw_OijAHd{+)HK_zmJQo(Wl(qplxMlF7ceG&jvI8)2A zZ@hB(sFlh-xCY21V5h!tcGX>UuKxtB}q z(E|#RrEfc&l@D}O<6@sZ<4SKiW*Hi1%@tOCF7YwT?guZN+Yxhwb}mHm98-8kh{|gx ziopIvvan1c_7JFFsch6hR0@f!n)y6(wfF$`LcJxbnzJhahb07rFCaiF<23s@shsJP zS^*a@p|P1kNs$M3?3fa zKKC+S>A^4VnV_u~PP=*j23)ab);RZvq=-B1k`-5CPI}_S13P%&@t2kk?}?Kn`YMY& zuHuL7x72cYqC+fQk>qTBxrlr>J$-B-&A}ie;pwTP_Z5dJAh8%TEl!n7b+!BL=J~#A 
z(iI;04ce)!23>Obh3gc>oqC}4B{mfMKo;5g{Il(viw3)f|2iE{j&g8(6+5%_R0K}m zH>VenCB$qnDtJ0Eq-Eg3sbmcvc0hN^e<*(U$p`(ClP|1aC^NOEgbhsHK5vR zb<%QZHtP4VeAdMY3pBd;<;(B^s(~eP*dnbxc0=>|O?d{;CESi9YYT_Ug!Hu11+@6t2-l2ZRm(AkR+{ zt{(h7)`qxbe4aLgQ*eAo5cdFb!jvsiOWi$~L{7#y`pGQ>U~##oL64#*kt7BGnmXY7 zie9scf{p|8K626P2#RM?{jHJs)yr7snsS9Tx{y<8n0FO?sPGHAN1M(ChFZwhdm%M>2uK>ZdwS8`({Y1BO5JTTIP zuPpLpEidZJAUGMs8K3l*^1HN>*v-z?(wcH)-{OtKv)f)hdnQN*?M*9I3tld&uOFNP z#m1-j0uhhpSXr;zNfmbhKln);O@#svAGda{rAtBcxWbK9(9^KuN*+bjP@1bZU)>j!*y_rdP@ZMa$2*qi$Qd-P zAPR#kj>#pUv0KV5mQcJ%d&0>W?$q=Z%wqcUH+ip#AEzvu=6!$I@M^%!Zya+LaX!h| z*-^&VA+FC-(yiNTDP2jH;V6w#-@!j`JJq zq^L4mTen2&j9lyM#r897p)xaUyfXd9_e0XLrR~c_=@sfDMy@Bjq`{0`jOqrH?7<7< zp~al&Jz^Wy9VH4}+wnHAm1R5jry&|iCXevhbcyl9n*u|;)SoJAdw3$u6I)z8TNQ*xivBsBeB(U4jD$fiPRX@%`DCo zwMcuIQ9}^!5<)`OjK+--N3l?csUKHU@9SvCVJy39-q(kZ8&91SpWZ&1tC4%*ry&CL zt=VpxAvL8qFPx9wyRv-4e;w~NB^1G8Ia2(V)x!n4ea^__pB2zhr2E;n>M|Iwyx1m| zXsIXF8N*M7qR}D9EQ$~-n4HlCgV`yWnqw6iZvKdX{Ta{eKO$A>;E+QJD_wbY&k@eI2W_3m zNVilJzw$Db%CmurcQO(uKRLf){=~PcP^F1;*hv45p|RNXRD0B{B^fnUZ!XiG(;xgf zo%1;2Ja{*N6Q>VTiYW8E4sa=TUJ(C8?oK!q4=WZ@*I$$6*=Cl+70IAVM+>!?b+yQB zI3hH;8FVb(VtsgVDgA~?ymzSd=Tr0w#lMSvTmHx_RWf2R5;2EIlvBzil-7EjQy?M~ zyH9D9BCXl2*k&O@O}Wr5d!~uPSK5N-ncvxMs6i+B&sa{`nz8n5=@2r*QH_ELXmw}S=x|{h!3Gd9=jf?_BZwcoc7I9J`V z3(tH4RvJU^ZABIgkzl(GEL`nHtvmuLAgPQ zH3A_nN-ydz5&}U;?DoL*ftxhS`C5sbuC7UovKF3d`a=-j%;1|CAqM_!(|(2H#Ye~R zI_E2$H5O6IE_K6S@?V}k!=irf>?Okf0ydpf11(+@9E;Wl+`a;%mJ^s~Kc*7UJ|(Sl zg|cH&Y7`kydB%`3sTJCs8L$KbT-iFW9xH)rK9Jz#8bzOYL{DSaW{rN))i(|rPvS4Z zo2fc25yjEmdxjydp!ZPb>g+|z8dBo9#I|V(TLy?c z(t5apOzk_W-<)4{b% z7@a&&dcTqhIh|`=rp@};I6fMaAu2<@N^QwarUg!8iP z$URFsuNPda3Ed@ax?)?vPDWU7I@DU??DX^7>YhHhSEn*^L!w!!l%Hj~^iXk5gJEcr zyb!XLE@~kcoVgVFD7~k~uk{&nx%o3Mv9KN(5HfIDtJag`pK$NT8lOy4di$ljq4^lQ z{yzoldn&_QJW7@u+o5-Ki&3%H@h9*b&4lWJbx|G`3nlDjptco!V1_Ll(ZQyuPlVPg z$(Gs|%_~HzWWffLVVj$wmbJ<)>&{3HRZXkG^i9SJ>F8J&wfi)8eD*t0wW`aA{y)h@n)@Qb(fbmEqD)=HSi)*Y1fn`|al?Y>MDYVadWd)DHq6M_fRieoV^ 
zT;vipSDBMLW%dc5e0nYa?#Ejc*Mohtl;CsmU`fCLPsy;n@}iLTc$5DPyty&q-!_ec5(VlN1Z#h^ zORBY0iMh6V59Pk9O-4^7NRBSqcOJ^qDCe|@K05F%JC;s#zbLoGC~)R}h#Aal0g3?{EubBy57`mWR}o0yK+VZLCZh~%NaRu(Edp*-XZ@XS$W?pN*}9|{bv?ruiB|V6Rj8m&kYR=y~+QH6GJl`zO?i&Uiatq z75ty^%(!ATU+n*V7~4+k|GHv(__s>)$4^XV*#9%{3wh!nAg@uWiTFRj6GK%|OQGhK HRoMRk?`xZC literal 0 HcmV?d00001 diff --git a/dojo/models.py b/dojo/models.py index 556479184db..8648e87e017 100755 --- a/dojo/models.py +++ b/dojo/models.py 
@@ -3027,26 +3027,125 @@ def get_file_path_with_link(self): link = self.get_file_path_with_raw_link() return create_bleached_link(link, self.file_path) + def get_scm_type(self): + # extract scm type from product custom field 'scm-type' + + if hasattr(self.test.engagement, 'product'): + dojo_meta = DojoMeta.objects.filter(product=self.test.engagement.product, name='scm-type').first() + if dojo_meta: + st = dojo_meta.value.strip() + if st: + return st.lower() + return 'github' + + def bitbucket_public_prepare_scm_base_link(self, uri): + # bitbucket public (https://bitbucket.org) url template for browse is: + # https://bitbucket.org// + # but when you get repo url for git, its template is: + # https://bitbucket.org//.git + # so to create browser url - git url should be recomposed like below: + + parts_uri = uri.split('.git') + return parts_uri[0] + + def bitbucket_public_prepare_scm_link(self, uri): + # if commit hash or branch/tag is set for engagement/test - + # hash or branch/tag should be appended to base browser link + + link = self.bitbucket_public_prepare_scm_base_link(uri) + if self.test.commit_hash: + link += '/src/' + self.test.commit_hash + '/' + self.file_path + elif self.test.engagement.commit_hash: + link += '/src/' + self.test.engagement.commit_hash + '/' + self.file_path + elif self.test.branch_tag: + link += '/src/' + self.test.branch_tag + '/' + self.file_path + elif self.test.engagement.branch_tag: + link += '/src/' + self.test.engagement.branch_tag + '/' + self.file_path + else: + link += '/src/master/' + self.file_path + + return link + + def bitbucket_standalone_prepare_scm_base_link(self, uri): + # bitbucket onpremise/standalone url template for browse is: + # https://bb.example.com/projects//repos/ + # but when you get repo url for git, its template is: + # https://bb.example.com/scm//.git + # or for user public repo^ + # https://bb.example.com/users//repos/ + # but when you get repo url for git, its template is: + # 
https://bb.example.com/scm//.git (username often could be prefixed with ~) + # so to create borwser url - git url should be recomposed like below: + + parts_uri = uri.split('.git') + parts_scm = parts_uri[0].split('/scm/') + parts_project = parts_scm[1].split('/') + project = parts_project[0] + if project.startswith('~'): + return parts_scm[0] + '/users/' + parts_project[0][1:] + '/repos/' + parts_project[1] + '/browse' + else: + return parts_scm[0] + '/projects/' + parts_project[0] + '/repos/' + parts_project[1] + '/browse' + + def bitbucket_standalone_prepare_scm_link(self, uri): + # if commit hash or branch/tag is set for engagement/test - + # hash or barnch/tag should be appended to base browser link + + link = self.bitbucket_standalone_prepare_scm_base_link(uri) + if self.test.commit_hash: + link += '/' + self.file_path + '?at=' + self.test.commit_hash + elif self.test.engagement.commit_hash: + link += '/' + self.file_path + '?at=' + self.test.engagement.commit_hash + elif self.test.branch_tag: + link += '/' + self.file_path + '?at=' + self.test.branch_tag + elif self.test.engagement.branch_tag: + link += '/' + self.file_path + '?at=' + self.test.engagement.branch_tag + else: + link += '/' + self.file_path + + return link + + def github_prepare_scm_link(self, uri): + link = uri + + if self.test.commit_hash: + link += '/blob/' + self.test.commit_hash + '/' + self.file_path + elif self.test.engagement.commit_hash: + link += '/blob/' + self.test.engagement.commit_hash + '/' + self.file_path + elif self.test.branch_tag: + link += '/blob/' + self.test.branch_tag + '/' + self.file_path + elif self.test.engagement.branch_tag: + link += '/blob/' + self.test.engagement.branch_tag + '/' + self.file_path + else: + link += '/' + self.file_path + + return link + def get_file_path_with_raw_link(self): if self.file_path is None: return None + link = self.test.engagement.source_code_management_uri - if (self.test.engagement.source_code_management_uri is not None - and 
"https://github.com/" in self.test.engagement.source_code_management_uri): - if self.test.commit_hash: - link += '/blob/' + self.test.commit_hash + '/' + self.file_path - elif self.test.engagement.commit_hash: - link += '/blob/' + self.test.engagement.commit_hash + '/' + self.file_path - elif self.test.branch_tag: - link += '/blob/' + self.test.branch_tag + '/' + self.file_path - elif self.test.engagement.branch_tag: - link += '/blob/' + self.test.engagement.branch_tag + '/' + self.file_path + scm_type = self.get_scm_type() + if (self.test.engagement.source_code_management_uri is not None): + if scm_type == 'github' or ("https://github.com/" in self.test.engagement.source_code_management_uri): + link = self.github_prepare_scm_link(link) + elif scm_type == 'bitbucket-standalone': + link = self.bitbucket_standalone_prepare_scm_link(link) + elif scm_type == 'bitbucket': + link = self.bitbucket_public_prepare_scm_link(link) else: link += '/' + self.file_path else: link += '/' + self.file_path + + # than - add line part to browser url if self.line: - link = link + '#L' + str(self.line) + if scm_type == 'github' or scm_type == 'gitlab': + link = link + '#L' + str(self.line) + elif scm_type == 'bitbucket-standalone': + link = link + '#' + str(self.line) + elif scm_type == 'bitbucket': + link = link + '#lines-' + str(self.line) return link def get_references_with_links(self): diff --git a/unittests/test_finding_model.py b/unittests/test_finding_model.py index d6efb450668..ca7494142e5 100644 --- a/unittests/test_finding_model.py +++ b/unittests/test_finding_model.py @@ -1,5 +1,5 @@ from .dojo_test_case import DojoTestCase -from dojo.models import Finding, Test, Engagement +from dojo.models import Finding, Test, Engagement, DojoMeta class TestFindingModel(DojoTestCase): 
@@ -50,6 +50,165 @@ def test_get_file_path_with_link_and_source_code_management_uri(self): engagement.source_code_management_uri = 'URL' self.assertEqual('FilePath', finding.get_file_path_with_link()) + def test_get_file_path_with_link_and_source_code_management_uri_github_no_scm_type_with_details_and_line(self): + # checks that for github.com in uri dojo makes correct url to browse on github + + test = Test() + engagement = Engagement() + test.engagement = engagement + engagement.commit_hash = "some-commit-hash" + engagement.branch_tag = "some-branch" + finding = Finding() + finding.test = test + finding.file_path = 'some-folder/some-file.ext' + finding.line = 5432 + engagement.source_code_management_uri = 'https://github.com/some-test-account/some-test-repo' + self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link()) + + def test_get_file_path_with_link_and_source_code_management_uri_github_with_scm_type_with_details_and_line(self): + # checks that for github in custom field dojo makes correct url to browse on github + + # create scm-type custom field with value "github" + product_type = self.create_product_type('test_product_type') + product = self.create_product(name='test_product', prod_type=product_type) + product_metadata = DojoMeta(product=product, name="scm-type", value="github") + product_metadata.save() + + # create finding with scm uri and commit hash, branch and line + test = Test() + engagement = Engagement() + engagement.product = product + test.engagement = engagement + engagement.commit_hash = "some-commit-hash" + engagement.branch_tag = "some-branch" + finding = Finding() + finding.test = test + finding.file_path = 'some-folder/some-file.ext' + finding.line = 5432 + + engagement.source_code_management_uri = 'https://github.com/some-test-account/some-test-repo' + self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link()) + + def 
test_get_file_path_with_link_and_source_code_management_uri_bitbucket_public_project_with_no_details_and_line(self): + # checks that for public bitbucket (bitbucket.org) in custom field + # dojo makes correct url to browse on public bitbucket (for project uri) + + # create scm-type custom field with value "bitbucket" + product_type = self.create_product_type('test_product_type') + product = self.create_product(name='test_product', prod_type=product_type) + product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket") + product_metadata.save() + + # create finding with scm uri line + test = Test() + engagement = Engagement() + engagement.product = product + test.engagement = engagement + finding = Finding() + finding.test = test + finding.file_path = 'some-folder/some-file.ext' + finding.line = 5432 + + engagement.source_code_management_uri = 'https://bb.example.com/some-test-user/some-test-repo.git' + self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link()) + + def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_public_project_with_commithash_and_line(self): + # checks that for public bitbucket (bitbucket.org) in custom field and existing commit hash in finding + # dojo makes correct url to browse on public bitbucket (for project uri) + + # create scm-type custom field with value "bitbucket" + product_type = self.create_product_type('test_product_type') + product = self.create_product(name='test_product', prod_type=product_type) + product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket") + product_metadata.save() + + # create finding with scm uri and commit hash, branch and line + test = Test() + engagement = Engagement() + engagement.product = product + test.engagement = engagement + engagement.commit_hash = "some-commit-hash" + finding = Finding() + finding.test = test + finding.file_path = 'some-folder/some-file.ext' + finding.line = 5432 + + 
engagement.source_code_management_uri = 'https://bb.example.com/some-test-user/some-test-repo.git' + self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link()) + + def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standalone_project_with_commithash_and_line(self): + # checks that for standalone bitbucket in custom field and existing commit hash in finding + # dojo makes correct url to browse on standalone/onpremise bitbucket (for project uri) + + # create scm-type custom field with value "bitbucket-standalone" + product_type = self.create_product_type('test_product_type') + product = self.create_product(name='test_product', prod_type=product_type) + product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket-standalone") + product_metadata.save() + + # create finding with scm uri and commit hash, branch and line + test = Test() + engagement = Engagement() + engagement.product = product + test.engagement = engagement + engagement.commit_hash = "some-commit-hash" + finding = Finding() + finding.test = test + finding.file_path = 'some-folder/some-file.ext' + finding.line = 5432 + + engagement.source_code_management_uri = 'https://bb.example.com/scm/some-test-project/some-test-repo.git' + self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link()) + + def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standalone_project_with_branchtag_and_line(self): + # checks that for standalone bitbucket in custom field and existing branch/tag in finding + # dojo makes correct url to browse on standalone/onpremise bitbucket (for project uri) + + # create scm-type custom field with value "bitbucket-standalone" + product_type = self.create_product_type('test_product_type') + product = self.create_product(name='test_product', prod_type=product_type) + product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket-standalone") + product_metadata.save() + + # 
create finding with scm uri and commit hash, branch and line + test = Test() + engagement = Engagement() + engagement.product = product + test.engagement = engagement + engagement.branch_tag = "some-branch" + finding = Finding() + finding.test = test + finding.file_path = 'some-folder/some-file.ext' + finding.line = 5432 + + engagement.source_code_management_uri = 'https://bb.example.com/scm/some-test-project/some-test-repo.git' + self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link()) + + def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standalone_user_with_branchtag_and_line(self): + # checks that for standalone bitbucket in custom field and existing branch/tag in finding + # dojo makes correct url to browse on standalone/onpremise bitbucket (for user uri) + + # create scm-type custom field with value "bitbucket-standalone" + product_type = self.create_product_type('test_product_type') + product = self.create_product(name='test_product', prod_type=product_type) + product_metadata = DojoMeta(product=product, name="scm-type", value="bitbucket-standalone") + product_metadata.save() + + # create finding with scm uri and commit hash, branch and line + test = Test() + engagement = Engagement() + engagement.product = product + test.engagement = engagement + engagement.branch_tag = "some-branch" + finding = Finding() + finding.test = test + finding.file_path = 'some-folder/some-file.ext' + finding.line = 5432 + + engagement.source_code_management_uri = 'https://bb.example.com/scm/~some-user/some-test-repo.git' + + self.assertEqual('some-folder/some-file.ext', finding.get_file_path_with_link()) + def test_get_file_path_with_xss_attack(self): test = Test() engagement = Engagement() From 920c13db88f4c666e1db0c54d87fdde16523731f Mon Sep 17 00:00:00 2001 
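Review bot: Every new test asserts `finding.get_file_path_with_link()` against the bare `file_path` it just set (`'some-folder/some-file.ext'`), which — judging by the pre-existing assertion at the top of the hunk, where uri `'URL'` yields `'FilePath'` — passes regardless of which URL was built, so the new branch logic (base-link recomposition, `/src/` vs `?at=` refs, `#lines-` anchors) is never actually checked. Assert on `get_file_path_with_raw_link()` with the full expected URL instead; for the GitHub case the code in this patch should give `self.assertEqual('https://github.com/some-test-account/some-test-repo/blob/some-commit-hash/some-folder/some-file.ext#L5432', finding.get_file_path_with_raw_link())`. The two "public bitbucket" tests use a `bb.example.com` URI while their comments describe bitbucket.org; the public code path ignores the host so they pass, but a `bitbucket.org` URI would document the intent better. The enclosing `TestFindingModel` class continues outside the hunk.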
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Wed, 10 Jan 2024 21:01:35 +0100 Subject: [PATCH 38/46] :bug: fix deduplication for trivy, #9290 (#9292) --- dojo/settings/settings.dist.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 31f8d4f8f9e..ec105309fbb 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1230,7 +1230,7 @@ def saml2_attrib_map_format(dict): 'Acunetix360 Scan': ['title', 'description'], 'Terrascan Scan': ['vuln_id_from_tool', 'title', 'severity', 'file_path', 'line', 'component_name'], 'Trivy Operator Scan': ['title', 'severity', 'vulnerability_ids'], - 'Trivy Scan': ['title', 'severity', 'vulnerability_ids', 'cwe'], + 'Trivy Scan': ['title', 'severity', 'vulnerability_ids', 'cwe', 'description'], 'TFSec Scan': ['severity', 'vuln_id_from_tool', 'file_path', 'line'], 'Snyk Scan': ['vuln_id_from_tool', 'file_path', 'component_name', 'component_version'], 'GitLab Dependency Scanning Report': ['title', 'vulnerability_ids', 'file_path', 'component_name', 'component_version'], From 4ba1c3ce0908fa21d8dfa43a72d3fa9e3c9192ae Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 10 Jan 2024 14:02:34 -0600 Subject: [PATCH 39/46] Update nginx/nginx-prometheus-exporter Docker tag from 1.0.0 to v1.1.0 (helm/defectdojo/values.yaml) (#9304) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- helm/defectdojo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 0f29fb23b33..99b648f6a8a 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml 
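Review bot: Adding `'description'` to the `'Trivy Scan'` hash-code field list changes the computed hash of every Trivy finding already stored, so existing findings will no longer match their re-imports until their hash codes are recomputed, and the commit adds no upgrade note about it. A sentence in the release's upgrade notes stating that Trivy hash-code fields changed and existing Trivy findings need rehashing would cover that. Description is also the most free-text field in the list, so if Trivy's description text varies between runs for the same vulnerability this will create duplicates rather than remove them — worth confirming on a sample report, since the referenced issue is not visible here.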
@@ -104,7 +104,7 @@ monitoring: # Add the nginx prometheus exporter sidecar prometheus: enabled: false - image: nginx/nginx-prometheus-exporter:1.0.0 + image: nginx/nginx-prometheus-exporter:1.1.0 imagePullPolicy: IfNotPresent annotations: {} From 29ba5d52cf2a95288a6678a6d49b4585bbe92160 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Wed, 10 Jan 2024 22:16:26 +0100 Subject: [PATCH 40/46] :bug: fix kiuwan (#9309) * :bug: fix kiuwan * :bug: fix #9307 * :bug: fix #9307, add vulnerability type --- dojo/tools/kiuwan/parser.py | 7 ++++++- unittests/scans/kiuwan/issue_9308.csv | 3 +++ unittests/tools/test_kiuwan_parser.py | 6 ++++++ 3 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 unittests/scans/kiuwan/issue_9308.csv diff --git a/dojo/tools/kiuwan/parser.py b/dojo/tools/kiuwan/parser.py index 00e06a9edb4..e1b7d540ec2 100644 --- a/dojo/tools/kiuwan/parser.py +++ b/dojo/tools/kiuwan/parser.py @@ -58,9 +58,12 @@ def get_findings(self, filename, test): findingdict["file"] = row["File"] findingdict["line_number"] = row["Line number"] findingdict["description"] = ( - "**Vulnerability type** : " + "**Software characteristic** : " + row["Software characteristic"] + "\n\n" + + "**Vulnerability type** : " + + row["Vulnerability type"] + + "\n\n" + "**CWE Scope** : " + row["CWE Scope"] + "\n\n" @@ -116,6 +119,8 @@ def get_findings(self, filename, test): + finding.title + "|" + finding.description + + "|" + + str(finding.cwe) ).encode("utf-8") ).hexdigest() diff --git a/unittests/scans/kiuwan/issue_9308.csv b/unittests/scans/kiuwan/issue_9308.csv new file mode 100644 index 00000000000..f4326fcd287 --- /dev/null +++ b/unittests/scans/kiuwan/issue_9308.csv 
@@ -0,0 +1,3 @@ +Rule code,Rule,Priority,CWE,Software characteristic,Vulnerability type,Language,Effort,File,Line number,Line text,Source file,Source line number,Source line text,Muted,Normative,Status,CWE Scope,Framework +OPT.JAVASCRIPT.ERRORCOMUN.UnusedLocalVar,Avoid unused local variable,High,101,Maintainability,Other,Typescript,03m,file.js,12,self = this,,,,No,"Agile Alliance:Concise-CDED,CWE:563",none,, +OPT.JAVASCRIPT.ERRORCOMUN.UnusedLocalVar,Avoid unused local variable,High,102,Maintainability,Other,Typescript,03m,another-file.js,12,self = this,,,,No,"Agile Alliance:Concise-CDED,CWE:563",none,, diff --git a/unittests/tools/test_kiuwan_parser.py b/unittests/tools/test_kiuwan_parser.py index 7e856ef9e68..340868c0181 100644 --- a/unittests/tools/test_kiuwan_parser.py +++ b/unittests/tools/test_kiuwan_parser.py @@ -23,3 +23,9 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self): parser = KiuwanParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(131, len(findings)) + + def test_parse_file_issue_9308(self): + testfile = open("unittests/scans/kiuwan/issue_9308.csv") + parser = KiuwanParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(2, len(findings)) From 159dca6baa4577e1728cd5d29ed2c9f0acb66671 Mon Sep 17 00:00:00 2001 From: kiblik Date: Wed, 10 Jan 2024 22:41:43 +0100 Subject: [PATCH 41/46] Fix 0195/0196 (#9312) --- ...ch_combined.py => 0196_notifications_sla_breach_combined.py} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename dojo/db_migrations/{0195_notifications_sla_breach_combined.py => 0196_notifications_sla_breach_combined.py} (92%) diff --git a/dojo/db_migrations/0195_notifications_sla_breach_combined.py b/dojo/db_migrations/0196_notifications_sla_breach_combined.py similarity index 92% rename from dojo/db_migrations/0195_notifications_sla_breach_combined.py rename to dojo/db_migrations/0196_notifications_sla_breach_combined.py index ea818bb5b34..f37cf6fda3f 100644 
--- a/dojo/db_migrations/0195_notifications_sla_breach_combined.py +++ b/dojo/db_migrations/0196_notifications_sla_breach_combined.py @@ -7,7 +7,7 @@ class Migration(migrations.Migration): dependencies = [ - ('dojo', '0194_alter_finding_component_name'), + ('dojo', '0195_alter_announcement_dismissable'), ] operations = [ From 42548de78f47e97068a1b33d896ce078fe8ea644 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Wed, 10 Jan 2024 22:50:30 +0100 Subject: [PATCH 42/46] advance snyk to support snykcode and snykcontainer #9270 (#9289) * advance snyk to support snykcode and snykcontainer #9270 * :construction: update * works, but information in findings is still missing * shorten unittestfile * finish --- dojo/tools/snyk/parser.py | 65 +- unittests/scans/snyk/snykcode_issue_9270.json | 10782 ++++++++++++++++ .../scans/snyk/snykcontainer_issue_9270.json | 4041 ++++++ unittests/tools/test_snyk_parser.py | 15 +- 4 files changed, 14890 insertions(+), 13 deletions(-) create mode 100644 unittests/scans/snyk/snykcode_issue_9270.json create mode 100644 unittests/scans/snyk/snykcontainer_issue_9270.json diff --git a/dojo/tools/snyk/parser.py b/dojo/tools/snyk/parser.py index 0918fc7f110..b5ee592cabe 100755 --- a/dojo/tools/snyk/parser.py +++ b/dojo/tools/snyk/parser.py 
@@ -42,23 +42,25 @@ def parse_json(self, json_output): def get_items(self, tree, test): items = {} - target_file = tree.get("displayTargetFile", None) - upgrades = tree.get("remediation", {}).get("upgrade", None) + iterator = 0 if "vulnerabilities" in tree: + target_file = tree.get("displayTargetFile", None) + upgrades = tree.get("remediation", {}).get("upgrade", None) vulnerabilityTree = tree["vulnerabilities"] - for node in vulnerabilityTree: item = self.get_item( node, test, target_file=target_file, upgrades=upgrades ) - unique_key = node["title"] + str( - node["packageName"] - + str(node["version"]) - + str(node["from"]) - + str(node["id"]) + items[iterator] = item + iterator += 1 + elif "runs" in tree and tree["runs"][0].get("results"): + results = tree["runs"][0]["results"] + for node in results: + item = self.get_code_item( + node, test ) - items[unique_key] = item - + items[iterator] = item + iterator += 1 return list(items.values()) def get_item(self, vulnerability, test, target_file=None, upgrades=None): 
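Review bot: `elif "runs" in tree and tree["runs"][0].get("results")` raises IndexError when `runs` is an empty list, which is valid SARIF; guard the index, e.g. `elif tree.get("runs") and tree["runs"][0].get("results"):`. The rewrite also replaces the `unique_key` built from title, package name, version, `from` and `id` with a running integer, so two vulnerability nodes that previously collapsed into one finding now yield two — a behaviour change the commit message does not mention. If dropping that deduplication is intended, a plain list with `append` says it more clearly than a dict keyed by `iterator`; if not, keep the key for the `vulnerabilities` branch and derive one (rule id plus location) for the code-results branch.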
@@ -211,5 +213,48 @@ def get_item(self, vulnerability, test, target_file=None, upgrades=None): current_pack_version, upgraded_pack ) finding.mitigation += "\n - ".join(tertiary_upgrade_list) + return finding + def get_code_item(self, vulnerability, test): + ruleId = vulnerability["ruleId"] + ruleIndex = vulnerability["ruleIndex"] + message = vulnerability["message"]["text"] + score = vulnerability["properties"]["priorityScore"] + locations_uri = vulnerability["locations"][0]["physicalLocation"]["artifactLocation"]["uri"] + locations_uriBaseId = vulnerability["locations"][0]["physicalLocation"]["artifactLocation"]["uriBaseId"] + locations_startLine = vulnerability["locations"][0]["physicalLocation"]["region"]["startLine"] + locations_endLine = vulnerability["locations"][0]["physicalLocation"]["region"]["endLine"] + locations_startColumn = vulnerability["locations"][0]["physicalLocation"]["region"]["startColumn"] + locations_endColumn = vulnerability["locations"][0]["physicalLocation"]["region"]["endColumn"] + isAutofixable = vulnerability["properties"]["isAutofixable"] + if score <= 399: + severity = "Low" + elif score <= 699: + severity = "Medium" + elif score <= 899: + severity = "High" + else: + severity = "Critical" + # create the finding object + finding = Finding( + title=ruleId + "_" + locations_uri, + test=test, + severity=severity, + description="**ruleId**: " + str(ruleId) + "\n" + + "**ruleIndex**: " + str(ruleIndex) + "\n" + + "**message**: " + str(message) + "\n" + + "**score**: " + str(score) + "\n" + + "**uri**: " + locations_uri + "\n" + + "**uriBaseId**: " + locations_uriBaseId + "\n" + + "**startLine**: " + str(locations_startLine) + "\n" + + "**endLine**: " + str(locations_endLine) + "\n" + + "**startColumn**: " + str(locations_startColumn) + "\n" + + "**endColumn**: " + str(locations_endColumn) + "\n" + + "**isAutofixable**: " + str(isAutofixable) + "\n", + false_p=False, + duplicate=False, + out_of_scope=False, + static_finding=True, + 
dynamic_finding=False, + ) return finding diff --git a/unittests/scans/snyk/snykcode_issue_9270.json b/unittests/scans/snyk/snykcode_issue_9270.json new file mode 100644 index 00000000000..b9a56f85c44 --- /dev/null +++ b/unittests/scans/snyk/snykcode_issue_9270.json 
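Review bot: `get_code_item` leaves `vuln_id_from_tool`, `file_path` and `line` unset on the new Finding, yet the Snyk hash-code fields shown in the settings.dist.py context earlier on this page (`'Snyk Scan': ['vuln_id_from_tool', 'file_path', 'component_name', 'component_version']`) are exactly those — so, as far as the visible configuration shows, every Snyk Code finding hashes identically and the importer will deduplicate them into one another. Set them from the values already extracted: `vuln_id_from_tool=ruleId,` `file_path=locations_uri,` `line=locations_startLine,`. In addition, `uriBaseId`, `endLine`, `startColumn`, `endColumn` and `properties.isAutofixable` are optional in SARIF but are read with hard `[]` indexing, so a result lacking any of them raises KeyError and aborts the whole import; reading them with `.get()` and a default would only degrade the description, which is display text and should not be fatal.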
@@ -0,0 +1,10782 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "SnykCode", + "semanticVersion": "1.0.0", + "version": "1.0.0", + "rules": [ + { + "id": "javascript/XSS", + "name": "XSS", + "shortDescription": { + "text": "Cross-site Scripting (XSS)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser's Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they've been correctly escaped in the application code and in this way the attempted attack is diverted.\n\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.\n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.|\n|**DOM-based**|Client|The attacker forces the user's browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## Best practices for prevention\nThis section describes the top best practices designed to specifically protect your code:\n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents.\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "XSS", + "Security", + "SourceNetworkRequest", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/mjackson/unpkg/commit/db69375e9c944a115e0d542485694e5529e1ddd7?diff=split#diff-59f9f1a3f7e9116d78e320b8b4f3739db8ceaddcff22dae7d19dbc2a5304024aL-1", + "lines": [ + { + "line": "res.status(404).send(`Cannot find main file \"${mainFilename}\" in package ${req.packageSpec}`)\n", + "lineNumber": 95, + "lineChange": "removed" + }, + { + "line": "res.status(404).type('text').send(`Cannot find main file \"${mainFilename}\" in package ${req.packageSpec}`)\n", + "lineNumber": 95, + "lineChange": "added" + } + ] + }, + { + "commitURL": 
"https://github.com/themeblvd/backroad/commit/08be2967098668a994d9d8bd034452c7b5b1ae6b?diff=split#diff-a73913970ad590fbf5ed8688eed6f7eda75939c6217a98c2d583e27709b7226fL-1", + "lines": [ + { + "line": "res.status(500).send(err);\n", + "lineNumber": 80, + "lineChange": "removed" + }, + { + "line": "res.status(404).send({ message: 'User not found.' });\n", + "lineNumber": 80, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/embark-framework/embark/commit/efbe71f5e25a3070088a3ea3a08e953e8e446a52?diff=split#diff-7c96a33de8e6615819fd2eccdb5d047d6fde50184a37faf63235fcf90319a606L-1", + "lines": [ + { + "line": "return res.send(\"-- couldn't profile \" + contractName + \" - it's not deployed or could be an interface\");\n", + "lineNumber": 82, + "lineChange": "removed" + }, + { + "line": "return res.send({error: \"-- couldn't profile \" + contractName + \" - it's not deployed or could be an interface\"});\n", + "lineNumber": 82, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 141, + "cwe": [ + "CWE-79" + ] + } + }, + { + "id": "javascript/NoRateLimitingForExpensiveWebOperation", + "name": "NoRateLimitingForExpensiveWebOperation", + "shortDescription": { + "text": "Allocation of Resources Without Limits or Throttling" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "\n## Details\n\nWithout unlimited resources, software operating in the real world is inherently limited in the resources it may consume; similarly, servers are limited by the number of simultaneous sessions they can handle. Therefore, it is important for developers to design software that considers these real-world physical (or virtual) limitations and limits user sessions accordingly, both in terms of the number of user sessions and in the quantity of resources each user may demand. 
Software with this weakness does not include such limitations and as a result, individual user sessions may consume too many resources, leading to unintended software behavior including, potentially, denial of service. This can be compared to a single restaurant customer emptying out the entire buffet, leaving no food for other customers--or an entire busload mobbing the buffet all at once, with a similar effect. This may happen inadvertently or as a result of an attack by a malicious user.\n\n## Best practices for prevention\n* Test extensively to obtain baseline values indicating how the software performs in the real world under various conditions (normal and peak); use these values to determine reasonable software limits.\n* Set clear limits for all flexible parameters such as maximum allocable memory, number of processes within a given timeframe, file descriptors, requests per client, number of records per request, etc. This is particularly true for any parameters within user control.\n* Release all resources when no longer in use, including incorporating timeouts for inactive users, processes, and resources.\n* Familiarize Dev, Ops, and IT teams with best practices for recognizing and preventing DoS attacks and out-of-control resource allocation to prevent catastrophic failures.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "NoRateLimitingForExpensiveWebOperation", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/ministryofjustice/apvs-external-web/commit/0c9c9b33869909092d7cb442f10e76a08e4acb60?diff=split#diff-322f0482bd28fc40f84fcb0aaf208fef7fb63082d462cf02d11f46e59c531c24L-1", + "lines": [ + { + "line": "// rate limiting\n", + "lineNumber": 43, + "lineChange": "added" + }, + { + "line": "if (config.RATE_LIMITING_ENABLED === 'true') {\n", + "lineNumber": 44, + "lineChange": "added" + }, + { + "line": " app.enable('trust proxy')\n", + "lineNumber": 45, + "lineChange": 
"added" + }, + { + "line": " var limiter = new RateLimit({\n", + "lineNumber": 46, + "lineChange": "added" + }, + { + "line": " windowMs: parseInt(config.RATE_LIMITING_WINDOW_MILLISECONDS),\n", + "lineNumber": 47, + "lineChange": "added" + }, + { + "line": " max: parseInt(config.RATE_LIMITING_REQUEST_LIMIT),\n", + "lineNumber": 48, + "lineChange": "added" + }, + { + "line": " delayMs: 0, // disable delaying - full speed until the max limit is reached\n", + "lineNumber": 49, + "lineChange": "added" + }, + { + "line": " skip: function (req) {\n", + "lineNumber": 50, + "lineChange": "added" + }, + { + "line": " return req.url.startsWith('/public') // skip public assets\n", + "lineNumber": 51, + "lineChange": "added" + }, + { + "line": " }\n", + "lineNumber": 52, + "lineChange": "added" + }, + { + "line": " })\n", + "lineNumber": 53, + "lineChange": "added" + }, + { + "line": " // apply to all requests\n", + "lineNumber": 54, + "lineChange": "added" + }, + { + "line": " app.use(limiter)\n", + "lineNumber": 55, + "lineChange": "added" + }, + { + "line": "}\n", + "lineNumber": 56, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 57, + "lineChange": "added" + }, + { + "line": "var packageJson = require('../package.json')\n", + "lineNumber": 58, + "lineChange": "none" + }, + { + "line": "var developmentMode = app.get('env') === 'development'\n", + "lineNumber": 59, + "lineChange": "none" + }, + { + "line": "var releaseVersion = packageJson.version\n", + "lineNumber": 60, + "lineChange": "none" + }, + { + "line": "var serviceName = 'Get help with prison visits'\n", + "lineNumber": 61, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 62, + "lineChange": "none" + }, + { + "line": "app.set('view engine', 'html')\n", + "lineNumber": 63, + "lineChange": "none" + }, + { + "line": "app.set('views', path.join(__dirname, 'views'))\n", + "lineNumber": 64, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 65, + "lineChange": "none" + }, + { 
+ "line": "nunjucks(app, {\n", + "lineNumber": 66, + "lineChange": "none" + }, + { + "line": " watch: developmentMode,\n", + "lineNumber": 67, + "lineChange": "none" + }, + { + "line": " noCache: developmentMode\n", + "lineNumber": 68, + "lineChange": "none" + }, + { + "line": "})\n", + "lineNumber": 69, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 70, + "lineChange": "none" + }, + { + "line": "app.use('/public', express.static(path.join(__dirname, 'public')))\n", + "lineNumber": 71, + "lineChange": "none" + }, + { + "line": "app.use('/public', express.static(path.join(__dirname, 'govuk_modules', 'govuk_template')))\n", + "lineNumber": 72, + "lineChange": "none" + }, + { + "line": "app.use('/public', express.static(path.join(__dirname, 'govuk_modules', 'govuk_frontend_toolkit')))\n", + "lineNumber": 73, + "lineChange": "none" + }, + { + "line": "app.use(favicon(path.join(__dirname, 'govuk_modules', 'govuk_template', 'images', 'favicon.ico')))\n", + "lineNumber": 74, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 75, + "lineChange": "none" + }, + { + "line": "// Basic auth\n", + "lineNumber": 76, + "lineChange": "none" + }, + { + "line": "if (config.BASIC_AUTH_ENABLED === 'true') {\n", + "lineNumber": 77, + "lineChange": "none" + }, + { + "line": " app.use(function (req, res, next) {\n", + "lineNumber": 78, + "lineChange": "none" + }, + { + "line": " var credentials = auth(req)\n", + "lineNumber": 79, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 80, + "lineChange": "none" + }, + { + "line": " if (req.url === '' || req.url === '/' || req.url === '/status') {\n", + "lineNumber": 81, + "lineChange": "none" + }, + { + "line": " next() // must leave root url free for Azure gateway\n", + "lineNumber": 82, + "lineChange": "none" + }, + { + "line": " } else {\n", + "lineNumber": 83, + "lineChange": "none" + }, + { + "line": " if (!credentials ||\n", + "lineNumber": 84, + "lineChange": "none" + }, + { + "line": " 
credentials.name !== config.BASIC_AUTH_USERNAME ||\n", + "lineNumber": 85, + "lineChange": "none" + }, + { + "line": " credentials.pass !== config.BASIC_AUTH_PASSWORD) {\n", + "lineNumber": 86, + "lineChange": "none" + }, + { + "line": " res.statusCode = 401\n", + "lineNumber": 87, + "lineChange": "none" + }, + { + "line": " res.setHeader('WWW-Authenticate', 'Basic realm=\"APVS External Web\"')\n", + "lineNumber": 88, + "lineChange": "none" + }, + { + "line": " res.end('Access denied')\n", + "lineNumber": 89, + "lineChange": "none" + }, + { + "line": " } else {\n", + "lineNumber": 90, + "lineChange": "none" + }, + { + "line": " next()\n", + "lineNumber": 91, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 92, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 93, + "lineChange": "none" + }, + { + "line": " })\n", + "lineNumber": 94, + "lineChange": "none" + }, + { + "line": "}\n", + "lineNumber": 95, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 96, + "lineChange": "none" + }, + { + "line": "app.use(bodyParser.json())\n", + "lineNumber": 97, + "lineChange": "none" + }, + { + "line": "app.use(bodyParser.urlencoded({ extended: false }))\n", + "lineNumber": 98, + "lineChange": "none" + }, + { + "line": "app.use(expressSanitized())\n", + "lineNumber": 99, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 100, + "lineChange": "none" + }, + { + "line": "// Send assetPath to all views.\n", + "lineNumber": 101, + "lineChange": "none" + }, + { + "line": "app.use(function (req, res, next) {\n", + "lineNumber": 102, + "lineChange": "none" + }, + { + "line": " res.locals.asset_path = '/public/'\n", + "lineNumber": 103, + "lineChange": "none" + }, + { + "line": " next()\n", + "lineNumber": 104, + "lineChange": "none" + }, + { + "line": "})\n", + "lineNumber": 105, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 106, + "lineChange": "none" + }, + { + "line": "// Add variables that are available in 
all views.\n", + "lineNumber": 107, + "lineChange": "none" + }, + { + "line": "app.use(function (req, res, next) {\n", + "lineNumber": 108, + "lineChange": "none" + }, + { + "line": " res.locals.serviceName = serviceName\n", + "lineNumber": 109, + "lineChange": "none" + }, + { + "line": " res.locals.releaseVersion = 'v' + releaseVersion\n", + "lineNumber": 110, + "lineChange": "none" + }, + { + "line": " next()\n", + "lineNumber": 111, + "lineChange": "none" + }, + { + "line": "})\n", + "lineNumber": 112, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 113, + "lineChange": "none" + }, + { + "line": "// Set locale for translations.\n", + "lineNumber": 114, + "lineChange": "none" + }, + { + "line": "i18n.configure({\n", + "lineNumber": 115, + "lineChange": "none" + }, + { + "line": " locales: ['en', 'cy'],\n", + "lineNumber": 116, + "lineChange": "none" + }, + { + "line": " directory: path.join(__dirname, '/locales'),\n", + "lineNumber": 117, + "lineChange": "none" + }, + { + "line": " updateFiles: config.I18N_UPDATEFILES || true\n", + "lineNumber": 118, + "lineChange": "none" + }, + { + "line": "})\n", + "lineNumber": 119, + "lineChange": "none" + }, + { + "line": "app.use(i18n.init)\n", + "lineNumber": 120, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 121, + "lineChange": "none" + }, + { + "line": "// Log each HTML request and it's response.\n", + "lineNumber": 122, + "lineChange": "none" + }, + { + "line": "app.use(function (req, res, next) {\n", + "lineNumber": 123, + "lineChange": "none" + }, + { + "line": " // Log response started.\n", + "lineNumber": 124, + "lineChange": "none" + }, + { + "line": " log.info({ request: req }, 'Route Started.')\n", + "lineNumber": 125, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 126, + "lineChange": "none" + }, + { + "line": " // Log response finished.\n", + "lineNumber": 127, + "lineChange": "none" + }, + { + "line": " onFinished(res, function () {\n", + "lineNumber": 128, 
+ "lineChange": "none" + }, + { + "line": " log.info({ response: res }, 'Route Complete.')\n", + "lineNumber": 129, + "lineChange": "none" + }, + { + "line": " })\n", + "lineNumber": 130, + "lineChange": "none" + }, + { + "line": " next()\n", + "lineNumber": 131, + "lineChange": "none" + }, + { + "line": "})\n", + "lineNumber": 132, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 133, + "lineChange": "none" + }, + { + "line": "// Use cookie parser middleware (required for csurf)\n", + "lineNumber": 134, + "lineChange": "none" + }, + { + "line": "app.use(cookieParser(config.EXT_APPLICATION_SECRET, { httpOnly: true, secure: config.EXT_SECURE_COOKIE === 'true' }))\n", + "lineNumber": 135, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 136, + "lineChange": "none" + }, + { + "line": "// Check for valid CSRF tokens on state-changing methods.\n", + "lineNumber": 137, + "lineChange": "none" + }, + { + "line": "var csrfProtection = csurf({ cookie: { httpOnly: true, secure: config.EXT_SECURE_COOKIE === 'true' } })\n", + "lineNumber": 138, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 139, + "lineChange": "none" + }, + { + "line": "app.use(function (req, res, next) {\n", + "lineNumber": 140, + "lineChange": "none" + }, + { + "line": " csrfExcludeRoutes.forEach(function (route) {\n", + "lineNumber": 141, + "lineChange": "none" + }, + { + "line": " if (req.originalUrl.includes(route) && req.method === 'POST') {\n", + "lineNumber": 142, + "lineChange": "none" + }, + { + "line": " next()\n", + "lineNumber": 143, + "lineChange": "none" + }, + { + "line": " } else {\n", + "lineNumber": 144, + "lineChange": "none" + }, + { + "line": " csrfProtection(req, res, next)\n", + "lineNumber": 145, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 146, + "lineChange": "none" + }, + { + "line": " })\n", + "lineNumber": 147, + "lineChange": "none" + }, + { + "line": "})\n", + "lineNumber": 148, + "lineChange": "none" + }, + { + 
"line": "\n", + "lineNumber": 149, + "lineChange": "none" + }, + { + "line": "// Generate CSRF tokens to be sent in POST requests\n", + "lineNumber": 150, + "lineChange": "none" + }, + { + "line": "app.use(function (req, res, next) {\n", + "lineNumber": 151, + "lineChange": "none" + }, + { + "line": " if (req.hasOwnProperty('csrfToken')) {\n", + "lineNumber": 152, + "lineChange": "none" + }, + { + "line": " res.locals.csrfToken = req.csrfToken()\n", + "lineNumber": 153, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 154, + "lineChange": "none" + }, + { + "line": " next()\n", + "lineNumber": 155, + "lineChange": "none" + }, + { + "line": "})\n", + "lineNumber": 156, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 157, + "lineChange": "none" + }, + { + "line": "// Build the router to route all HTTP requests and pass to the routes file for route configuration.\n", + "lineNumber": 158, + "lineChange": "none" + }, + { + "line": "var router = express.Router()\n", + "lineNumber": 159, + "lineChange": "none" + }, + { + "line": "routes(router)\n", + "lineNumber": 160, + "lineChange": "none" + }, + { + "line": "app.use('/', router)\n", + "lineNumber": 161, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 162, + "lineChange": "none" + }, + { + "line": "// catch 404 and forward to error handler.\n", + "lineNumber": 163, + "lineChange": "none" + }, + { + "line": "app.use(function (req, res, next) {\n", + "lineNumber": 164, + "lineChange": "none" + }, + { + "line": " var err = new Error('Not Found')\n", + "lineNumber": 165, + "lineChange": "none" + }, + { + "line": " err.status = 404\n", + "lineNumber": 166, + "lineChange": "none" + }, + { + "line": " res.status(404)\n", + "lineNumber": 167, + "lineChange": "none" + }, + { + "line": " next(err)\n", + "lineNumber": 168, + "lineChange": "none" + }, + { + "line": "})\n", + "lineNumber": 169, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 170, + "lineChange": "none" 
+ }, + { + "line": "// catch CSRF token errors\n", + "lineNumber": 171, + "lineChange": "none" + }, + { + "line": "app.use(function (err, req, res, next) {\n", + "lineNumber": 172, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/SOSML/SOSML/commit/7e27f8b78d458f8ca8a4313730af19de6dc948a2?diff=split#diff-4e0d36557976efd053a8a93638c538d9c6530933aceca263867cd67b5ed9e5baL-1", + "lines": [ + { + "line": "var callDockerLimiter = new RateLimit({\n", + "lineNumber": 24, + "lineChange": "added" + }, + { + "line": " windowMs: 10*60*1000, // 1 hour window\n", + "lineNumber": 25, + "lineChange": "added" + }, + { + "line": " delayAfter: 10, // begin slowing down responses after the first 10 requests\n", + "lineNumber": 26, + "lineChange": "added" + }, + { + "line": " delayMs: 100, // slow down subsequent responses by 100 milliseconds per request\n", + "lineNumber": 27, + "lineChange": "added" + }, + { + "line": " max: 50, // start blocking after 50 requests\n", + "lineNumber": 28, + "lineChange": "added" + }, + { + "line": " message: \"Too many requests made from this IP, please try again in a few minutes\"\n", + "lineNumber": 29, + "lineChange": "added" + }, + { + "line": "});\n", + "lineNumber": 30, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "function evalSMLCode(payload, response) {\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": " let dockerrunner = cmd.get(\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": " 'docker run --cpus=1 --memory=128m --rm -i --read-only derjesko/mosmlfallback',\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " function (err, data, stderr) {\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " var last_line = data.split(/\\r?\\n/).pop();\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": " var error_code = parseInt(last_line.substring(2));\n", + "lineNumber": 37, + 
"lineChange": "none" + }, + { + "line": " error_text = '';\n", + "lineNumber": 38, + "lineChange": "none" + }, + { + "line": " if (error_code > 0) {\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": " if (error_code == 124) {\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": " error_text = 'SML hit the time limit of 3 seconds.';\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " } else {\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " data = data.replace(last_line, 'SML exited with ' + error_code);\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 44, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 45, + "lineChange": "none" + }, + { + "line": " data = data.replace(last_line, error_text);\n", + "lineNumber": 46, + "lineChange": "none" + }, + { + "line": " response.set('Content-Type', 'text/plain');\n", + "lineNumber": 47, + "lineChange": "none" + }, + { + "line": " response.end(data);\n", + "lineNumber": 48, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 49, + "lineChange": "none" + }, + { + "line": " );\n", + "lineNumber": 50, + "lineChange": "none" + }, + { + "line": " dockerrunner.stdin.write(payload);\n", + "lineNumber": 51, + "lineChange": "none" + }, + { + "line": " dockerrunner.stdin.destroy();\n", + "lineNumber": 52, + "lineChange": "none" + }, + { + "line": "}\n", + "lineNumber": 53, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 54, + "lineChange": "none" + }, + { + "line": "function readFile(name, callback) {\n", + "lineNumber": 55, + "lineChange": "none" + }, + { + "line": " fs.readFile(name, 'utf8', function (err, data) {\n", + "lineNumber": 56, + "lineChange": "none" + }, + { + "line": " if (err) {\n", + "lineNumber": 57, + "lineChange": "none" + }, + { + "line": " return console.log(err);\n", + "lineNumber": 58, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 59, + 
"lineChange": "none" + }, + { + "line": " callback(data);\n", + "lineNumber": 60, + "lineChange": "none" + }, + { + "line": " });\n", + "lineNumber": 61, + "lineChange": "none" + }, + { + "line": "}\n", + "lineNumber": 62, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 63, + "lineChange": "none" + }, + { + "line": "function outputFile(name, response) {\n", + "lineNumber": 64, + "lineChange": "none" + }, + { + "line": " readFile(name, function (data) {\n", + "lineNumber": 65, + "lineChange": "none" + }, + { + "line": " response.set('Content-Type', 'text/plain');\n", + "lineNumber": 66, + "lineChange": "none" + }, + { + "line": " response.end(data);\n", + "lineNumber": 67, + "lineChange": "none" + }, + { + "line": " });\n", + "lineNumber": 68, + "lineChange": "none" + }, + { + "line": "}\n", + "lineNumber": 69, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 70, + "lineChange": "none" + }, + { + "line": "function listDir(name, response) {\n", + "lineNumber": 71, + "lineChange": "none" + }, + { + "line": " fs.readdir(name, function (err, items) {\n", + "lineNumber": 72, + "lineChange": "none" + }, + { + "line": " response.set('Content-Type', 'text/json');\n", + "lineNumber": 73, + "lineChange": "none" + }, + { + "line": " response.end(JSON.stringify({codes: items}));\n", + "lineNumber": 74, + "lineChange": "none" + }, + { + "line": " });\n", + "lineNumber": 75, + "lineChange": "none" + }, + { + "line": "}\n", + "lineNumber": 76, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 77, + "lineChange": "none" + }, + { + "line": "server.post('/api/fallback/',\n", + "lineNumber": 69, + "lineChange": "removed" + }, + { + "line": "server.post('/api/fallback/', callDockerLimiter,\n", + "lineNumber": 78, + "lineChange": "added" + }, + { + "line": " function (request, response) {\n", + "lineNumber": 79, + "lineChange": "none" + } + ] + }, + { + "commitURL": 
"https://github.com/SOSML/SOSML/commit/7e27f8b78d458f8ca8a4313730af19de6dc948a2?diff=split#diff-4e0d36557976efd053a8a93638c538d9c6530933aceca263867cd67b5ed9e5baL-1", + "lines": [ + { + "line": "var callDockerLimiter = new RateLimit({\n", + "lineNumber": 24, + "lineChange": "added" + }, + { + "line": " windowMs: 10*60*1000, // 1 hour window\n", + "lineNumber": 25, + "lineChange": "added" + }, + { + "line": " delayAfter: 10, // begin slowing down responses after the first 10 requests\n", + "lineNumber": 26, + "lineChange": "added" + }, + { + "line": " delayMs: 100, // slow down subsequent responses by 100 milliseconds per request\n", + "lineNumber": 27, + "lineChange": "added" + }, + { + "line": " max: 50, // start blocking after 50 requests\n", + "lineNumber": 28, + "lineChange": "added" + }, + { + "line": " message: \"Too many requests made from this IP, please try again in a few minutes\"\n", + "lineNumber": 29, + "lineChange": "added" + }, + { + "line": "});\n", + "lineNumber": 30, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "function evalSMLCode(payload, response) {\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": " let dockerrunner = cmd.get(\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": " 'docker run --cpus=1 --memory=128m --rm -i --read-only derjesko/mosmlfallback',\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " function (err, data, stderr) {\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " var last_line = data.split(/\\r?\\n/).pop();\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": " var error_code = parseInt(last_line.substring(2));\n", + "lineNumber": 37, + "lineChange": "none" + }, + { + "line": " error_text = '';\n", + "lineNumber": 38, + "lineChange": "none" + }, + { + "line": " if (error_code > 0) {\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": " if (error_code == 124) 
{\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": " error_text = 'SML hit the time limit of 3 seconds.';\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " } else {\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " data = data.replace(last_line, 'SML exited with ' + error_code);\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 44, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 45, + "lineChange": "none" + }, + { + "line": " data = data.replace(last_line, error_text);\n", + "lineNumber": 46, + "lineChange": "none" + }, + { + "line": " response.set('Content-Type', 'text/plain');\n", + "lineNumber": 47, + "lineChange": "none" + }, + { + "line": " response.end(data);\n", + "lineNumber": 48, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 49, + "lineChange": "none" + }, + { + "line": " );\n", + "lineNumber": 50, + "lineChange": "none" + }, + { + "line": " dockerrunner.stdin.write(payload);\n", + "lineNumber": 51, + "lineChange": "none" + }, + { + "line": " dockerrunner.stdin.destroy();\n", + "lineNumber": 52, + "lineChange": "none" + }, + { + "line": "}\n", + "lineNumber": 53, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 54, + "lineChange": "none" + }, + { + "line": "function readFile(name, callback) {\n", + "lineNumber": 55, + "lineChange": "none" + }, + { + "line": " fs.readFile(name, 'utf8', function (err, data) {\n", + "lineNumber": 56, + "lineChange": "none" + }, + { + "line": " if (err) {\n", + "lineNumber": 57, + "lineChange": "none" + }, + { + "line": " return console.log(err);\n", + "lineNumber": 58, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 59, + "lineChange": "none" + }, + { + "line": " callback(data);\n", + "lineNumber": 60, + "lineChange": "none" + }, + { + "line": " });\n", + "lineNumber": 61, + "lineChange": "none" + }, + { + "line": "}\n", + "lineNumber": 62, + "lineChange": "none" + 
}, + { + "line": "\n", + "lineNumber": 63, + "lineChange": "none" + }, + { + "line": "function outputFile(name, response) {\n", + "lineNumber": 64, + "lineChange": "none" + }, + { + "line": " readFile(name, function (data) {\n", + "lineNumber": 65, + "lineChange": "none" + }, + { + "line": " response.set('Content-Type', 'text/plain');\n", + "lineNumber": 66, + "lineChange": "none" + }, + { + "line": " response.end(data);\n", + "lineNumber": 67, + "lineChange": "none" + }, + { + "line": " });\n", + "lineNumber": 68, + "lineChange": "none" + }, + { + "line": "}\n", + "lineNumber": 69, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 70, + "lineChange": "none" + }, + { + "line": "function listDir(name, response) {\n", + "lineNumber": 71, + "lineChange": "none" + }, + { + "line": " fs.readdir(name, function (err, items) {\n", + "lineNumber": 72, + "lineChange": "none" + }, + { + "line": " response.set('Content-Type', 'text/json');\n", + "lineNumber": 73, + "lineChange": "none" + }, + { + "line": " response.end(JSON.stringify({codes: items}));\n", + "lineNumber": 74, + "lineChange": "none" + }, + { + "line": " });\n", + "lineNumber": 75, + "lineChange": "none" + }, + { + "line": "}\n", + "lineNumber": 76, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 77, + "lineChange": "none" + }, + { + "line": "server.post('/api/fallback/',\n", + "lineNumber": 69, + "lineChange": "none" + }, + { + "line": " function (request, response) {\n", + "lineNumber": 79, + "lineChange": "none" + }, + { + "line": " var payload = request.body.code;\n", + "lineNumber": 80, + "lineChange": "none" + }, + { + "line": " evalSMLCode(payload, response);\n", + "lineNumber": 81, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 82, + "lineChange": "none" + }, + { + "line": ");\n", + "lineNumber": 83, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 84, + "lineChange": "none" + }, + { + "line": "server.post('/api/validate/',\n", + 
"lineNumber": 76, + "lineChange": "removed" + }, + { + "line": "server.post('/api/validate/', callDockerLimiter,\n", + "lineNumber": 85, + "lineChange": "added" + }, + { + "line": " function (request, response) {\n", + "lineNumber": 86, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 27, + "cwe": [ + "CWE-770" + ] + } + }, + { + "id": "javascript/Ssrf", + "name": "Ssrf", + "shortDescription": { + "text": "Server-Side Request Forgery (SSRF)" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "markdown": "\n## Details\nIn a server-side request forgery attack, a malicious user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.\n\n## Best practices for prevention\n* Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.\n* Use authentication even within your own network to prevent exploitation of server-side requests.\n* Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.\n* Ideally, avoid sending server requests based on user-provided data altogether.\n* Ensure that you are not sending raw response bodies from the server directly to the client. 
Only deliver expected responses.\n* Disable suspect and exploitable URL schemas. Common culprits include obscure and little-used schemas such as `file://`, `dict://`, `ftp://`, and `gopher://`.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "Ssrf", + "Security", + "SourceHttpBody", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/brislink/specter/commit/2b9c8046b4b1670e76011dad9c23dc67884f310a?diff=split#diff-b82186eeba82312da558b62cb554e48a69ad2768b38736aed0640d42fa7230a1L-1", + "lines": [ + { + "line": "\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "\t\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "\trequest(headers,function(error,response,body){\t\t\n", + "lineNumber": 13, + "lineChange": "removed" + }, + { + "line": "\t\t\t\t\n", + "lineNumber": 14, + "lineChange": "removed" + }, + { + "line": "\t\t\n", + "lineNumber": 15, + "lineChange": "removed" + }, + { + "line": " var resultCount = paginationSize - 1;\n", + "lineNumber": 16, + "lineChange": "removed" + }, + { + "line": " var results = body.hits;\n", + "lineNumber": 17, + "lineChange": "removed" + }, + { + "line": "\n", + "lineNumber": 18, + "lineChange": "removed" + }, + { + "line": "\tif(results.hits.length===0) return res.send(404);\n", + "lineNumber": 19, + "lineChange": "removed" + }, + { + "line": "\t\tvar total = body.hits.hits.length;\n", + "lineNumber": 20, + "lineChange": "removed" + }, + { + "line": "\t\tvar common = {\n", + "lineNumber": 21, + "lineChange": "removed" + }, + { + "line": "\t\t\t\n", + "lineNumber": 22, + "lineChange": "removed" + }, + { + "line": "\t\t\tdata : results.hits.slice(0,resultCount),\n", + "lineNumber": 23, + "lineChange": "removed" + }, + { + "line": "\t\t\tpageNo : pageNo,\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": "\t\t\ttotal: total,\n", + "lineNumber": 25, + "lineChange": "removed" + }, + { + "line": 
"\t\t\tpreferences : preferences,\n", + "lineNumber": 26, + "lineChange": "removed" + }, + { + "line": "\t\t\tindex: preferences.tagIndex\n", + "lineNumber": 27, + "lineChange": "removed" + }, + { + "line": "\t\t};\n", + "lineNumber": 28, + "lineChange": "removed" + }, + { + "line": "\t\t\n", + "lineNumber": 29, + "lineChange": "removed" + }, + { + "line": " var dataToRender = helpers.buildResponse(common);\n", + "lineNumber": 30, + "lineChange": "removed" + }, + { + "line": "\t\tdataToRender.tag = tag;\n", + "lineNumber": 31, + "lineChange": "removed" + }, + { + "line": "\t\treturn res.render(constants.views.tagResults,dataToRender);\n", + "lineNumber": 32, + "lineChange": "removed" + }, + { + "line": " });\n", + "lineNumber": 33, + "lineChange": "removed" + } + ] + }, + { + "commitURL": "https://github.com/IoTKETI/Mobius/commit/df05de87c5d8c6f5f8625558c02e57b3260cf361?diff=split#diff-9c349b5d37e276e7b4ed18ad832fbe3772d2135fbca2d6dde6861d8cebb7a842L-1", + "lines": [ + { + "line": " else if(usesecure === 'enable') {\n", + "lineNumber": 230, + "lineChange": "none" + }, + { + "line": " options = {\n", + "lineNumber": 229, + "lineChange": "removed" + }, + { + "line": " hostname: usecoapcbhost,\n", + "lineNumber": 230, + "lineChange": "removed" + }, + { + "line": " port: usecsebaseport,\n", + "lineNumber": 231, + "lineChange": "removed" + }, + { + "line": " path: request.url,\n", + "lineNumber": 232, + "lineChange": "removed" + }, + { + "line": " method: request.method,\n", + "lineNumber": 233, + "lineChange": "removed" + }, + { + "line": " headers: headers,\n", + "lineNumber": 234, + "lineChange": "removed" + }, + { + "line": " ca: fs.readFileSync('ca-crt.pem')\n", + "lineNumber": 235, + "lineChange": "removed" + }, + { + "line": " };\n", + "lineNumber": 236, + "lineChange": "removed" + }, + { + "line": " options.ca = fs.readFileSync('ca-crt.pem');\n", + "lineNumber": 231, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 237, + "lineChange": "none" + } 
+ ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 2, + "cwe": [ + "CWE-918" + ] + } + }, + { + "id": "javascript/NoHardcodedPasswords", + "name": "NoHardcodedPasswords", + "shortDescription": { + "text": "Use of Hardcoded Credentials" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "\n## Details\n\nDevelopers may use hardcoded credentials for convenience when coding in order to simplify their workflow. While they are responsible for removing these before production, occasionally this task may fall through the cracks. This also becomes a maintenance challenge when credentials are re-used across multiple applications.\n\nOnce attackers gain access, they may take advantage of privilege level to remove or alter data, take down a site or app, or hold any of the above for ransom. The risk across multiple similar projects is even greater. If code containing the credentials is reused across multiple projects, they will all be compromised.\n\n## Best practices for prevention\n* Plan software architecture such that keys and passwords are always stored outside the code, wherever possible.\n* Plan encryption into software architecture for all credential information and ensure proper handling of keys, credentials, and passwords.\n* Prompt for a secure password on first login rather than hard-code a default password.\n* If a hardcoded password or credential must be used, limit its use, for example, to system console users rather than via the network.\n* Use strong hashes for inbound password authentication, ideally with randomly assigned salts to increase the difficulty level in case of brute-force attack.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "NoHardcodedPasswords", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": 
"https://github.com/MosheWorld/Teacher-Student-Backend/commit/8578b6d9666996ebbfeffc058b22ef076bb856ba?diff=split#diff-0d543c6db9caf085d6e9f704ed0a1ec6baf47092768cfcb746a3e42266d83672L-1", + "lines": [ + { + "line": "user: 'studyhubemail@gmail.com',\n", + "lineNumber": 23, + "lineChange": "removed" + }, + { + "line": "pass: 'nuaheuvhpv'\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": "user: process.env.EMAIL_USERNAME,\n", + "lineNumber": 23, + "lineChange": "added" + }, + { + "line": "pass: process.env.EMAIL_PASSWORD\n", + "lineNumber": 24, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/huluoyang/freecodecamp.cn/commit/277a09a3c3062263b61fb0bf02e17fd2be8ccb79?diff=split#diff-407d92ccd5a2b9275fe28f063fc49fbbedf9a87cfa6a1c3b8c72ce4b86858787L-1", + "lines": [ + { + "line": "user: 'huluoyang@gmail.com',\n", + "lineNumber": 12, + "lineChange": "removed" + }, + { + "line": "pass: 'nopainnogain'\n", + "lineNumber": 13, + "lineChange": "removed" + }, + { + "line": "user: process.env.MANDRILL_USER || false,\n", + "lineNumber": 13, + "lineChange": "added" + }, + { + "line": "pass: process.env.MANDRILL_PASSWORD\n", + "lineNumber": 14, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/tubackkhoa/tkframework/commit/0ac0f7964f71d71d3930e554cbaf928f39f4540f?diff=split#diff-ad73f37992e2c25b9ad0d945783289cbf65b92741918fabea31bfe5b9de96688L-1", + "lines": [ + { + "line": "password: \"abc123ABC\",\n", + "lineNumber": 15, + "lineChange": "removed" + }, + { + "line": "password: process.env.DB_PASS,\n", + "lineNumber": 15, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 44, + "cwe": [ + "CWE-798", + "CWE-259" + ] + } + }, + { + "id": "javascript/NoSqli", + "name": "NoSqli", + "shortDescription": { + "text": "NoSQL Injection" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "markdown": "## Details\n\nIn an NoSQL 
injection attack, the user can submit an NoSQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other systems within the network. This is one of the most commonly exploited categories of vulnerability, but can largely be avoided through good coding practices.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "NoSqli", + "Security", + "SourceServer", + "SourceHttpBody", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/txwkx/book-room/commit/07d49f6d24577b1cc1f7374cd8156aba894ab481?diff=split#diff-386f21d62bc9118d346e66a9ea781c22cb0570a51656f80313d829b3a47eaeefL-1", + "lines": [ + { + "line": "const mongoose = require('mongoose');\n", + "lineNumber": 1, + "lineChange": "removed" + }, + { + "line": "\n", + "lineNumber": 2, + "lineChange": "removed" + }, + { + "line": "//Model\n", + "lineNumber": 3, + "lineChange": "removed" + }, + { + "line": "const roomSchema = new mongoose.Schema({ name: String, title: String });\n", + "lineNumber": 4, + "lineChange": "removed" + }, + { + "line": "const Room = mongoose.model('Room', roomSchema);\n", + "lineNumber": 5, + "lineChange": "removed" + }, + { + "line": "const mongoose = require('mongoose'),\n", + "lineNumber": 1, + "lineChange": "added" + }, + { + "line": " ObjectId = mongoose.Types.ObjectId;\n", + "lineNumber": 2, + "lineChange": "added" + }, + { + "line": "const room = require('./models/roomModel');\n", + "lineNumber": 3, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "const roomRouter = express.Router();\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": "roomRouter.get('/', (req, res) => {\n", + 
"lineNumber": 9, + "lineChange": "none" + }, + { + "line": " let query = {};\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": " Room.find(query, (err, rooms) => {\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": " if(err) res.status(500).send(err);\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": " else res.json(rooms);\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": " });\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "});\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "roomRouter.get('/:id', (req, res) => {\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " Room.findById(req.params.id, (err, room) => {\n", + "lineNumber": 19, + "lineChange": "removed" + }, + { + "line": " const roomId = ObjectId(req.params.id);\n", + "lineNumber": 17, + "lineChange": "added" + }, + { + "line": " room.findById(roomId, (err, room) => {\n", + "lineNumber": 18, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/dnbard/brackets-extension-rating/commit/5005713d903d0f72e9166c852114ee2731b832b1?diff=split#diff-47f1ac8221ebff697d20f61a182c8c58ae0cfdb152ce1fa2f74e322f451d4ae6L-1", + "lines": [ + { + "line": " Extension.findOne({_id: id}, function(err, extension){\n", + "lineNumber": 21, + "lineChange": "removed" + }, + { + "line": " if (err){\n", + "lineNumber": 22, + "lineChange": "removed" + }, + { + "line": " res.status(500).send(err);\n", + "lineNumber": 23, + "lineChange": "removed" + }, + { + "line": " } else if (!extension){\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": " res.status(404).send(extension);\n", + "lineNumber": 25, + "lineChange": "removed" + }, + { + "line": " } else {\n", + "lineNumber": 26, + "lineChange": "removed" + }, + { + "line": " if (typeof id !== 
'string'){\n", + "lineNumber": 23, + "lineChange": "added" + }, + { + "line": " res.status(422).send();\n", + "lineNumber": 24, + "lineChange": "added" + }, + { + "line": " return;\n", + "lineNumber": 25, + "lineChange": "added" + }, + { + "line": " }\n", + "lineNumber": 26, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 27, + "lineChange": "added" + }, + { + "line": " if (!registry){\n", + "lineNumber": 28, + "lineChange": "added" + }, + { + "line": " res.status(500).send('Registry is not available');\n", + "lineNumber": 29, + "lineChange": "added" + }, + { + "line": " return;\n", + "lineNumber": 30, + "lineChange": "added" + }, + { + "line": " }\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 32, + "lineChange": "added" + }, + { + "line": " extension = _.filter(registry, function(el){\n", + "lineNumber": 33, + "lineChange": "added" + }, + { + "line": " return el._id === id;\n", + "lineNumber": 34, + "lineChange": "added" + }, + { + "line": " });\n", + "lineNumber": 35, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 36, + "lineChange": "added" + }, + { + "line": " if (extension){\n", + "lineNumber": 37, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/lydiahallie/CodeBuddy/commit/833bc261d0ea3d8bc879aef9e56819907523eef0?diff=split#diff-7b34d6d0aa663ac1e8442aee4f25c59ced93612f5b90c5fe6279ad48c7df1001L-1", + "lines": [ + { + "line": "const author = await User.findOne({ _id: currentUser._id });\n", + "lineNumber": 23, + "lineChange": "removed" + }, + { + "line": "const recipient = await User.findOne({ _id: user._id });\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": "const author = await User.findOne({ _id: req.user._id });\n", + "lineNumber": 25, + "lineChange": "added" + }, + { + "line": "const recipient = await User.findOne({ _id: id });\n", + "lineNumber": 26, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + 
"precision": "very-high", + "repoDatasetSize": 9, + "cwe": [ + "CWE-943" + ] + } + }, + { + "id": "javascript/HardcodedSecret/test", + "name": "HardcodedSecret/test", + "shortDescription": { + "text": "Hardcoded Secret" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "## Details\n\nWhen constants are hardcoded into applications, this information could easily be reverse-engineered and become known to attackers. For example, if a breached authentication token is hardcoded in multiple places in the application, it may lead to components of the application remaining vulnerable if not all instances are changed.\nAnother negative effect of hard-coding constants is potential unpredictability in the application's performance if the development team fails to update every single instance of the hardcoded constant throughout the code. For these reasons, hard-coding security-relevant constants is considered bad coding practice and should be remedied if present and avoided in future.\n\n## Best practices for prevention\n- Never hard code security-related constants; use symbolic names or configuration lookup files.\n- As hard coding is often done by coders working alone on a small scale, examine all legacy code components and test carefully when scaling.\n- Adopt a \"future-proof code\" mindset: While use of constants may save a little time now and make development simpler in the short term, it could cost time and money adapting to scale or other unforeseen circumstances (such as new hardware) in the future.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "HardcodedSecret", + "Security", + "InTest" + ], + "categories": [ + "Security", + "InTest" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/ridoy/Monk/commit/d702fedf42ebc197c9131a09918affb6adb396ad?diff=split#diff-d20e0c91f722f4a7eb0a8a7dfa4d7799aa292685d66aaeb37f3122ff3594fefdL-1", + "lines": [ + { + "line": "}, 'SECRET');\n", + "lineNumber": 41, + 
"lineChange": "removed" + }, + { + "line": "}, process.env.SECRET);\n", + "lineNumber": 41, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/xiaoshan5733/cms/commit/da6178e57541766a84406b42d526a18b72704180?diff=split#diff-a21b912911c328c339d5f819be1e95f0973d6fdf93c1e8f29ff9bb2fbe9933e4L-1", + "lines": [ + { + "line": "data = jwt.verify(token, 'cms')\n", + "lineNumber": 54, + "lineChange": "removed" + }, + { + "line": "data = jwt.verify(token, config.jwt.secret)\n", + "lineNumber": 54, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/sidewalklabs/commonspace/commit/32f2996ef0daad6eadab6ac8dacef8cd68048704?diff=split#diff-8a8ae07582c9d433ec8c2e5c4310ff8901e604f4965c5b90a49117ad46c47595L-1", + "lines": [ + { + "line": "const token = jwt.sign(user, 'secret');\n", + "lineNumber": 50, + "lineChange": "removed" + }, + { + "line": "return res.json({user, token});\n", + "lineNumber": 51, + "lineChange": "removed" + }, + { + "line": "const token = jwt.sign(user, process.env.jwt_secret);\n", + "lineNumber": 53, + "lineChange": "added" + }, + { + "line": "return res.json({token});\n", + "lineNumber": 54, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 60, + "cwe": [ + "CWE-547" + ] + } + }, + { + "id": "javascript/JwtDecodeMethod", + "name": "JwtDecodeMethod", + "shortDescription": { + "text": "Insecure JWT Verification Method" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nSome JSON Web Token (JWT) parse/decode methods do not enforce validation or integrity checks of the JWT. 
If an application relies on these methods to authenticate users, an attacker could create arbitrary JWTs that may be accepted by the application.\n\n### Best practices for prevention\n\n- Always enforce JWT signature verification by using safe verification methods to ensure the structure and integrity of the JWT is validated before processing.\n\n## Best practices for prevention\n* [JWT Validation](https://auth0.com/docs/secure/tokens/json-web-tokens/validate-json-web-tokens)", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "JwtDecodeMethod", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 0, + "cwe": [ + "CWE-347" + ] + } + }, + { + "id": "javascript/HardcodedNonCryptoSecret", + "name": "HardcodedNonCryptoSecret", + "shortDescription": { + "text": "Hardcoded Secret" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "markdown": "## Details\n\nWhen constants are hardcoded into applications, this information could easily be reverse-engineered and become known to attackers. For example, if a breached authentication token is hardcoded in multiple places in the application, it may lead to components of the application remaining vulnerable if not all instances are changed.\nAnother negative effect of hard-coding constants is potential unpredictability in the application's performance if the development team fails to update every single instance of the hardcoded constant throughout the code. 
For these reasons, hard-coding security-relevant constants is considered bad coding practice and should be remedied if present and avoided in future.\n\n## Best practices for prevention\n- Never hard code security-related constants; use symbolic names or configuration lookup files.\n- As hard coding is often done by coders working alone on a small scale, examine all legacy code components and test carefully when scaling.\n- Adopt a \"future-proof code\" mindset: While use of constants may save a little time now and make development simpler in the short term, it could cost time and money adapting to scale or other unforeseen circumstances (such as new hardware) in the future.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "HardcodedNonCryptoSecret", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/DanielMil/Authentication-Server/commit/310ce5500e9e751ee2fd9f3018bf772e9aae8364?diff=split#diff-dcdc3e0b3362edb8fec2a51d3fa51f8fb8af8f70247e06d9887fa934834c9122L-1", + "lines": [ + { + "line": "// Set environment variables\n", + "lineNumber": 14, + "lineChange": "added" + }, + { + "line": "const sessionSecret: any = process.env.SESSION_SECRET;\n", + "lineNumber": 15, + "lineChange": "added" + }, + { + "line": "const dbConnection: any = process.env.MONGO_URI; \n", + "lineNumber": 16, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 17, + "lineChange": "added" + }, + { + "line": "// Mongo config\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": "const DB_CONNECTION: any = process.env.MONGO_URI; \n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "mongoose.connect(DB_CONNECTION, { useNewUrlParser: true })\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": " .then(() => console.log(\"Succesfully connected to MongoDB.\"))\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " .catch((err: mongoose.Error) => 
console.error(err));\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "const MongoStore = mongoStore(session); \n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "const db: any = mongoose.connection;\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": " \n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "// Fix mongo deprecation warnings\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "mongoose.set('useNewUrlParser', true);\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "mongoose.set('useFindAndModify', false);\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "mongoose.set('useCreateIndex', true);\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "// Configure express session\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": "app.use(cookieParser());\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "app.use(session({\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": " secret: \"secret\",\n", + "lineNumber": 30, + "lineChange": "removed" + }, + { + "line": " secret: sessionSecret,\n", + "lineNumber": 33, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/virena-app/virena/commit/8058527e8ef71bfa81f0cb0fb35eb80d00e08fdb?diff=split#diff-186488e26aa960d29fec244ac086f15e024c5a84df47eeba233d9b8d2525de2dL-1", + "lines": [ + { + "line": "client_id: '8fcf3e5c2d3d5dd78188',\n", + "lineNumber": 36, + "lineChange": "removed" + }, + { + "line": "client_secret: '0e102c56021e1aa28005b469b3c83ef7cb7e5b0e'\n", + "lineNumber": 37, + "lineChange": "removed" + }, + { + "line": "client_id: process.env.GITINIT,\n", + "lineNumber": 36, + "lineChange": "added" + }, + { + "line": "client_secret: process.env.GITSEE\n", + "lineNumber": 37, + "lineChange": "added" + } + ] + }, + { + "commitURL": 
"https://github.com/nemtech/nem2-library-js/commit/dd101718759035849eeb9d4a388656acdb5bf6d9?diff=split#diff-59ccc41578f07869060f7aea9ceca193a407696cce3de9f7219f98187f65c5b7L-1", + "lines": [ + { + "line": "const hash = sha3_512.create();\n", + "lineNumber": 29, + "lineChange": "removed" + }, + { + "line": "hash.update('secret');\n", + "lineNumber": 30, + "lineChange": "removed" + }, + { + "line": "const hash = new Ripemd160().update(Buffer.from('Test Hash 160')).digest('Hex');\t\t\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "const secretLockTransaction = {\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": "\tdeadline: deadline(),\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": "\tmosaicId: [3646934825, 3576016193],\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": "\tmosaicAmount: uint64.fromUint(10000000),\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": "\tduration: uint64.fromUint(100),\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": "\thashAlgorithm: 0,\n", + "lineNumber": 36, + "lineChange": "removed" + }, + { + "line": "\tsecret: '225fe6d12b73a7d51f2992ce82951dbf8c173fa4',\n", + "lineNumber": 37, + "lineChange": "removed" + }, + { + "line": "\thashAlgorithm: HashAlgorithm.RIPEMD_160,\n", + "lineNumber": 37, + "lineChange": "added" + }, + { + "line": "\tsecret: hash,\n", + "lineNumber": 38, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 68, + "cwe": [ + "CWE-547" + ] + } + }, + { + "id": "javascript/HardcodedSecret", + "name": "HardcodedSecret", + "shortDescription": { + "text": "Hardcoded Secret" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "markdown": "## Details\n\nWhen constants are hardcoded into applications, this information could easily be reverse-engineered and become known to attackers. 
For example, if a breached authentication token is hardcoded in multiple places in the application, it may lead to components of the application remaining vulnerable if not all instances are changed.\nAnother negative effect of hard-coding constants is potential unpredictability in the application's performance if the development team fails to update every single instance of the hardcoded constant throughout the code. For these reasons, hard-coding security-relevant constants is considered bad coding practice and should be remedied if present and avoided in future.\n\n## Best practices for prevention\n- Never hard code security-related constants; use symbolic names or configuration lookup files.\n- As hard coding is often done by coders working alone on a small scale, examine all legacy code components and test carefully when scaling.\n- Adopt a \"future-proof code\" mindset: While use of constants may save a little time now and make development simpler in the short term, it could cost time and money adapting to scale or other unforeseen circumstances (such as new hardware) in the future.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "HardcodedSecret", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/ridoy/Monk/commit/d702fedf42ebc197c9131a09918affb6adb396ad?diff=split#diff-d20e0c91f722f4a7eb0a8a7dfa4d7799aa292685d66aaeb37f3122ff3594fefdL-1", + "lines": [ + { + "line": "}, 'SECRET');\n", + "lineNumber": 41, + "lineChange": "removed" + }, + { + "line": "}, process.env.SECRET);\n", + "lineNumber": 41, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/xiaoshan5733/cms/commit/da6178e57541766a84406b42d526a18b72704180?diff=split#diff-a21b912911c328c339d5f819be1e95f0973d6fdf93c1e8f29ff9bb2fbe9933e4L-1", + "lines": [ + { + "line": "data = jwt.verify(token, 'cms')\n", + "lineNumber": 54, + "lineChange": "removed" + }, + { + "line": "data = jwt.verify(token, 
config.jwt.secret)\n", + "lineNumber": 54, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/sidewalklabs/commonspace/commit/32f2996ef0daad6eadab6ac8dacef8cd68048704?diff=split#diff-8a8ae07582c9d433ec8c2e5c4310ff8901e604f4965c5b90a49117ad46c47595L-1", + "lines": [ + { + "line": "const token = jwt.sign(user, 'secret');\n", + "lineNumber": 50, + "lineChange": "removed" + }, + { + "line": "return res.json({user, token});\n", + "lineNumber": 51, + "lineChange": "removed" + }, + { + "line": "const token = jwt.sign(user, process.env.jwt_secret);\n", + "lineNumber": 53, + "lineChange": "added" + }, + { + "line": "return res.json({token});\n", + "lineNumber": 54, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 60, + "cwe": [ + "CWE-547" + ] + } + }, + { + "id": "javascript/HardcodedNonCryptoSecret/test", + "name": "HardcodedNonCryptoSecret/test", + "shortDescription": { + "text": "Hardcoded Secret" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "## Details\n\nWhen constants are hardcoded into applications, this information could easily be reverse-engineered and become known to attackers. For example, if a breached authentication token is hardcoded in multiple places in the application, it may lead to components of the application remaining vulnerable if not all instances are changed.\nAnother negative effect of hard-coding constants is potential unpredictability in the application's performance if the development team fails to update every single instance of the hardcoded constant throughout the code. 
For these reasons, hard-coding security-relevant constants is considered bad coding practice and should be remedied if present and avoided in future.\n\n## Best practices for prevention\n- Never hard code security-related constants; use symbolic names or configuration lookup files.\n- As hard coding is often done by coders working alone on a small scale, examine all legacy code components and test carefully when scaling.\n- Adopt a \"future-proof code\" mindset: While use of constants may save a little time now and make development simpler in the short term, it could cost time and money adapting to scale or other unforeseen circumstances (such as new hardware) in the future.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "HardcodedNonCryptoSecret", + "Security", + "InTest" + ], + "categories": [ + "Security", + "InTest" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/DanielMil/Authentication-Server/commit/310ce5500e9e751ee2fd9f3018bf772e9aae8364?diff=split#diff-dcdc3e0b3362edb8fec2a51d3fa51f8fb8af8f70247e06d9887fa934834c9122L-1", + "lines": [ + { + "line": "// Set environment variables\n", + "lineNumber": 14, + "lineChange": "added" + }, + { + "line": "const sessionSecret: any = process.env.SESSION_SECRET;\n", + "lineNumber": 15, + "lineChange": "added" + }, + { + "line": "const dbConnection: any = process.env.MONGO_URI; \n", + "lineNumber": 16, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 17, + "lineChange": "added" + }, + { + "line": "// Mongo config\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": "const DB_CONNECTION: any = process.env.MONGO_URI; \n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "mongoose.connect(DB_CONNECTION, { useNewUrlParser: true })\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": " .then(() => console.log(\"Succesfully connected to MongoDB.\"))\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " .catch((err: 
mongoose.Error) => console.error(err));\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "const MongoStore = mongoStore(session); \n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "const db: any = mongoose.connection;\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": " \n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "// Fix mongo deprecation warnings\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "mongoose.set('useNewUrlParser', true);\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "mongoose.set('useFindAndModify', false);\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "mongoose.set('useCreateIndex', true);\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "// Configure express session\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": "app.use(cookieParser());\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "app.use(session({\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": " secret: \"secret\",\n", + "lineNumber": 30, + "lineChange": "removed" + }, + { + "line": " secret: sessionSecret,\n", + "lineNumber": 33, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/virena-app/virena/commit/8058527e8ef71bfa81f0cb0fb35eb80d00e08fdb?diff=split#diff-186488e26aa960d29fec244ac086f15e024c5a84df47eeba233d9b8d2525de2dL-1", + "lines": [ + { + "line": "client_id: '8fcf3e5c2d3d5dd78188',\n", + "lineNumber": 36, + "lineChange": "removed" + }, + { + "line": "client_secret: '0e102c56021e1aa28005b469b3c83ef7cb7e5b0e'\n", + "lineNumber": 37, + "lineChange": "removed" + }, + { + "line": "client_id: process.env.GITINIT,\n", + "lineNumber": 36, + "lineChange": "added" + }, + { + "line": "client_secret: process.env.GITSEE\n", + "lineNumber": 37, + "lineChange": "added" + } + ] + }, + { + "commitURL": 
"https://github.com/nemtech/nem2-library-js/commit/dd101718759035849eeb9d4a388656acdb5bf6d9?diff=split#diff-59ccc41578f07869060f7aea9ceca193a407696cce3de9f7219f98187f65c5b7L-1", + "lines": [ + { + "line": "const hash = sha3_512.create();\n", + "lineNumber": 29, + "lineChange": "removed" + }, + { + "line": "hash.update('secret');\n", + "lineNumber": 30, + "lineChange": "removed" + }, + { + "line": "const hash = new Ripemd160().update(Buffer.from('Test Hash 160')).digest('Hex');\t\t\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "const secretLockTransaction = {\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": "\tdeadline: deadline(),\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": "\tmosaicId: [3646934825, 3576016193],\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": "\tmosaicAmount: uint64.fromUint(10000000),\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": "\tduration: uint64.fromUint(100),\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": "\thashAlgorithm: 0,\n", + "lineNumber": 36, + "lineChange": "removed" + }, + { + "line": "\tsecret: '225fe6d12b73a7d51f2992ce82951dbf8c173fa4',\n", + "lineNumber": 37, + "lineChange": "removed" + }, + { + "line": "\thashAlgorithm: HashAlgorithm.RIPEMD_160,\n", + "lineNumber": 37, + "lineChange": "added" + }, + { + "line": "\tsecret: hash,\n", + "lineNumber": 38, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 68, + "cwe": [ + "CWE-547" + ] + } + }, + { + "id": "javascript/NoHardcodedPasswords/test", + "name": "NoHardcodedPasswords/test", + "shortDescription": { + "text": "Use of Hardcoded Credentials" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "\n## Details\n\nDevelopers may use hardcoded credentials for convenience when coding in order to simplify their workflow. 
While they are responsible for removing these before production, occasionally this task may fall through the cracks. This also becomes a maintenance challenge when credentials are re-used across multiple applications.\n\nOnce attackers gain access, they may take advantage of privilege level to remove or alter data, take down a site or app, or hold any of the above for ransom. The risk across multiple similar projects is even greater. If code containing the credentials is reused across multiple projects, they will all be compromised.\n\n## Best practices for prevention\n* Plan software architecture such that keys and passwords are always stored outside the code, wherever possible.\n* Plan encryption into software architecture for all credential information and ensure proper handling of keys, credentials, and passwords.\n* Prompt for a secure password on first login rather than hard-code a default password.\n* If a hardcoded password or credential must be used, limit its use, for example, to system console users rather than via the network.\n* Use strong hashes for inbound password authentication, ideally with randomly assigned salts to increase the difficulty level in case of brute-force attack.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "NoHardcodedPasswords", + "Security", + "InTest" + ], + "categories": [ + "Security", + "InTest" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/MosheWorld/Teacher-Student-Backend/commit/8578b6d9666996ebbfeffc058b22ef076bb856ba?diff=split#diff-0d543c6db9caf085d6e9f704ed0a1ec6baf47092768cfcb746a3e42266d83672L-1", + "lines": [ + { + "line": "user: 'studyhubemail@gmail.com',\n", + "lineNumber": 23, + "lineChange": "removed" + }, + { + "line": "pass: 'nuaheuvhpv'\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": "user: process.env.EMAIL_USERNAME,\n", + "lineNumber": 23, + "lineChange": "added" + }, + { + "line": "pass: process.env.EMAIL_PASSWORD\n", + "lineNumber": 24, + 
"lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/huluoyang/freecodecamp.cn/commit/277a09a3c3062263b61fb0bf02e17fd2be8ccb79?diff=split#diff-407d92ccd5a2b9275fe28f063fc49fbbedf9a87cfa6a1c3b8c72ce4b86858787L-1", + "lines": [ + { + "line": "user: 'huluoyang@gmail.com',\n", + "lineNumber": 12, + "lineChange": "removed" + }, + { + "line": "pass: 'nopainnogain'\n", + "lineNumber": 13, + "lineChange": "removed" + }, + { + "line": "user: process.env.MANDRILL_USER || false,\n", + "lineNumber": 13, + "lineChange": "added" + }, + { + "line": "pass: process.env.MANDRILL_PASSWORD\n", + "lineNumber": 14, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/tubackkhoa/tkframework/commit/0ac0f7964f71d71d3930e554cbaf928f39f4540f?diff=split#diff-ad73f37992e2c25b9ad0d945783289cbf65b92741918fabea31bfe5b9de96688L-1", + "lines": [ + { + "line": "password: \"abc123ABC\",\n", + "lineNumber": 15, + "lineChange": "removed" + }, + { + "line": "password: process.env.DB_PASS,\n", + "lineNumber": 15, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 44, + "cwe": [ + "CWE-798", + "CWE-259" + ] + } + }, + { + "id": "javascript/HTTPSourceWithUncheckedType", + "name": "HTTPSourceWithUncheckedType", + "shortDescription": { + "text": "Improper Type Validation" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "\n## Details\n\nWhen an object is coming from `req.body` or `req.query`, coming from the express framework. The value of this property can be controlled by the user. This could be abused by an attacker to craft the properties of the object to crash the application or bypass its logic. 
As such, consider checking the type of the object.\n\nIf this weakness is present, illegitimate input provided from the user's end could lead to unpredictable results such as the program crashing, unauthorized access to secure resources or command execution at the server side. In addition, if the server is overwhelmed by these types of malfunctions, it may lead to denial of service to legitimate users and tasks.\n\nExample:\n\n```\nmodule.exports = function(req, res) {\n var data = req.query;\n // type of value isnt checked before being used\n data.ids = data.ids.split(',');\n doStuff(data.ids);\n\n };\n```\n\n\n\n## Best practices for prevention\n* Adopt a zero-trust model in which all input is considered potentially suspect.\n* Check the type of the object.\n\nExample:\n\n```\nmodule.exports = function(req, res) {\n var data = req.query;\n if (data.ids && typeof data.ids == 'string') {\n\n // type of value is checked\n data.ids = data.ids.split(',');\n doStuff(data.ids);\n } else {}\n };\n```\n\n## References\n\n* [CWE-1287: Improper Validation of Specified Type of Input](https://cwe.mitre.org/data/definitions/1287.html)\n* [JavaScript type confusion: Bypassed input validation (and how to remediate)](https://snyk.io/blog/remediate-javascript-type-confusion-bypassed-input-validation/)\n* [req.query Documentation](https://expressjs.com/en/4x/api.html#req.query)", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "HTTPSourceWithUncheckedType", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/alexolivero/Obscurify/commit/e4833d36d4aa981b050caca88919784147fc8d95?diff=split#diff-7b56e6433cf96918ac3b03d1d103fc0286e593ad610f9419dfe3f99309ec33acL-1", + "lines": [ + { + "line": "if( key < req.query.obscurifyScore.toString()){\r\n", + "lineNumber": 145, + "lineChange": "removed" + }, + { + "line": "if( parseInt(key) < parseInt(req.query.obscurifyScore)){\r\n", + "lineNumber": 144, + 
"lineChange": "added" + }, + { + "line": " usersBelow += value;\r\n", + "lineNumber": 146, + "lineChange": "none" + }, + { + "line": "}\r\n", + "lineNumber": 147, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/ansible-semaphore/semaphore/commit/dc2dac98ad166701ed94f346d99dc2ff44b8a721?diff=split#diff-223cdc8b17a7eed4b42bce8401320629190defc2ac7bc7950b8a1563eb66c10dL-1", + "lines": [ + { + "line": "if (req.body.identity && req.body.identity.length > 0) {\n", + "lineNumber": 51, + "lineChange": "removed" + }, + { + "line": "if (typeof req.body.identity == 'string' && req.body.identity.length > 0) {\n", + "lineNumber": 51, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Financial-Times/polyfill-service/commit/471ddf842dc4d672dbf3b09702d91b850d04e4b9?diff=split#diff-e4e457f4b65b990f84bd0649da30984786b38b197e0edcf3e01b168b682f5abeL-1", + "lines": [ + { + "line": "excludes: (req.query.excludes && req.query.excludes.split(',')) || [],\n", + "lineNumber": 58, + "lineChange": "removed" + }, + { + "line": "excludes: (typeof req.query.excludes === 'string' && req.query.excludes.split(',')) || [],\n", + "lineNumber": 58, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 39, + "cwe": [ + "CWE-1287" + ] + } + }, + { + "id": "python/UnsupportedLanguage/test", + "name": "UnsupportedLanguage/test", + "shortDescription": { + "text": "Python 2 source code" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "## Details\n\nThe Python 2 interpreter has been unsupported since January 2020 and does not receive security updates.\nThese source files appear to be in the Python 2 syntax, and therefore depend on unsupported 3rd party components for operation.\n\n## Best practices for prevention\n* If this code is still in use, port it to Python 3", + "text": "" + }, + "properties": { + "tags": [ + "python", + "UnsupportedLanguage", + 
"Security", + "InTest" + ], + "categories": [ + "Security", + "InTest" + ], + "exampleCommitFixes": [], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 0, + "cwe": [ + "CWE-1104" + ] + } + }, + { + "id": "javascript/Sqli", + "name": "Sqli", + "shortDescription": { + "text": "SQL Injection" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "markdown": "## Details\n\nIn an SQL injection attack, the user can submit an SQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other systems within the network. This is one of the most commonly exploited categories of vulnerability, but can largely be avoided through good coding practices.\n\n## Best practices for prevention\n* Avoid passing user-entered parameters directly to the SQL server.\n* Avoid using string concatenation to build SQL queries from user-entered parameters.\n* When coding, define SQL code first, then pass in parameters. Use prepared statements with parameterized queries. Examples include `SqlCommand()` in .NET and `bindParam()` in PHP.\n* Use strong typing for all parameters so unexpected user data will be rejected.\n* Where direct user input cannot be avoided for performance reasons, validate input against a very strict allowlist of permitted characters, avoiding special characters such as `? & / < > ; - ' \" \\` and spaces. 
Use a vendor-supplied escaping routine if possible.\n* Develop your application in an environment and/or using libraries that provide protection against SQL injection.\n* Harden your entire environment around a least-privilege model, ideally with isolated accounts with privileges only for particular tasks.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "Sqli", + "Security", + "SourceHttpParam", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/Urigo/WhatsApp-Clone-Server/commit/088088847265c4ea29791cdbdc98d21b4b7b3e7d?diff=split#diff-64fc2a1d7ebf96939c4047a39fc850f244454c0f3eff44c48d8249e29a6269e1L-1", + "lines": [ + { + "line": " const { rows } = await db.query(sql`\n", + "lineNumber": 134, + "lineChange": "removed" + }, + { + "line": " INSERT INTO messages(chat_id, sender_user_id, content)\n", + "lineNumber": 135, + "lineChange": "removed" + }, + { + "line": " VALUES(${chatId}, ${currentUser.id}, ${content})\n", + "lineNumber": 136, + "lineChange": "removed" + }, + { + "line": " RETURNING *\n", + "lineNumber": 137, + "lineChange": "removed" + }, + { + "line": " `);\n", + "lineNumber": 138, + "lineChange": "removed" + }, + { + "line": "\n", + "lineNumber": 139, + "lineChange": "removed" + }, + { + "line": " const messageAdded = rows[0];\n", + "lineNumber": 140, + "lineChange": "removed" + }, + { + "line": "\n", + "lineNumber": 141, + "lineChange": "removed" + }, + { + "line": " injector.get(PubSub).publish('messageAdded', {\n", + "lineNumber": 142, + "lineChange": "removed" + }, + { + "line": " messageAdded,\n", + "lineNumber": 143, + "lineChange": "removed" + }, + { + "line": " });\n", + "lineNumber": 144, + "lineChange": "removed" + }, + { + "line": "\n", + "lineNumber": 145, + "lineChange": "removed" + }, + { + "line": " return messageAdded;\n", + "lineNumber": 146, + "lineChange": "removed" + }, + { + "line": " return injector\n", + "lineNumber": 134, + "lineChange": "added" 
+ }, + { + "line": " .get(Chats)\n", + "lineNumber": 135, + "lineChange": "added" + }, + { + "line": " .addMessage({ chatId, content, userId: currentUser.id });\n", + "lineNumber": 136, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/vpdb/server/commit/25011eb029e72f51b0fc48259c8c0ea8b37b177d?diff=split#diff-dec1b2b754bba471fe0144e0960b50e5511aa6843c3fdd778a7e0e617938056bL-1", + "lines": [ + { + "line": "\t\t\t\tquery.or([\r\n", + "lineNumber": 124, + "lineChange": "removed" + }, + { + "line": "\t\t\t\tquery.push({ $or: [\r\n", + "lineNumber": 124, + "lineChange": "added" + }, + { + "line": "\t\t\t\t\t{ name: regex },\r\n", + "lineNumber": 125, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\t{ username: regex }\r\n", + "lineNumber": 126, + "lineChange": "none" + }, + { + "line": "\t\t\t\t]);\r\n", + "lineNumber": 127, + "lineChange": "removed" + }, + { + "line": "\t\t\t\t]});\r\n", + "lineNumber": 127, + "lineChange": "added" + }, + { + "line": "\t\t\t}\r\n", + "lineNumber": 128, + "lineChange": "none" + }, + { + "line": "\t\t}\r\n", + "lineNumber": 129, + "lineChange": "none" + }, + { + "line": "\t\tif (req.query.name) {\r\n", + "lineNumber": 130, + "lineChange": "none" + }, + { + "line": "\t\t\tquery.where('name').equals(req.query.name);\r\n", + "lineNumber": 131, + "lineChange": "removed" + }, + { + "line": "\t\t\tquery.push({ name: new RegExp('^' + _.escapeRegExp(req.query.name) + '$', 'i') });\r\n", + "lineNumber": 131, + "lineChange": "added" + }, + { + "line": "\t\t}\r\n", + "lineNumber": 132, + "lineChange": "none" + }, + { + "line": "\r\n", + "lineNumber": 133, + "lineChange": "none" + }, + { + "line": "\t\t// filter by role\r\n", + "lineNumber": 134, + "lineChange": "none" + }, + { + "line": "\t\tif (canList && req.query.roles) {\r\n", + "lineNumber": 135, + "lineChange": "none" + }, + { + "line": "\t\t\t// sanitze and split\r\n", + "lineNumber": 136, + "lineChange": "none" + }, + { + "line": "\t\t\tlet roles = 
req.query.roles.trim().replace(/[^a-z0-9,-]+/gi, '').split(',');\r\n", + "lineNumber": 137, + "lineChange": "none" + }, + { + "line": "\t\t\tquery.where('roles').in(roles);\r\n", + "lineNumber": 138, + "lineChange": "removed" + }, + { + "line": "\t\t\tquery.push( { roles: { $in: roles }});\r\n", + "lineNumber": 138, + "lineChange": "added" + }, + { + "line": "\t\t}\r\n", + "lineNumber": 139, + "lineChange": "none" + }, + { + "line": "\r\n", + "lineNumber": 140, + "lineChange": "none" + }, + { + "line": "\t\treturn query.exec();\r\n", + "lineNumber": 141, + "lineChange": "removed" + }, + { + "line": "\t\tconsole.log(api.searchQuery(query));\r\n", + "lineNumber": 141, + "lineChange": "added" + }, + { + "line": "\t\treturn User.find(api.searchQuery(query)).exec();\r\n", + "lineNumber": 142, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/RedstoneDaedalus/verifybot/commit/b7d59d6b87e5eb4b5c8732969baca49466338c3d?diff=split#diff-913d641a0712b4b17eb483f777442426ecfc90bb4062492e9833586e5cbdea4aL-1", + "lines": [ + { + "line": "const data = await client.query(`SELECT * FROM linked_accounts WHERE secret_key = '${req.query.key ? 
req.query.key.replace(/[^a-z\\d]/ig, \"\") : \"\"}';`);\n", + "lineNumber": 125, + "lineChange": "removed" + }, + { + "line": "const data = await client.query(\"SELECT * FROM linked_accounts WHERE secret_key = ?;\", [cient.connection.escape(req.query.key || \"\")]);\n", + "lineNumber": 125, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 42, + "cwe": [ + "CWE-89" + ] + } + }, + { + "id": "javascript/HttpToHttps/test", + "name": "HttpToHttps/test", + "shortDescription": { + "text": "Cleartext Transmission of Sensitive Information" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "\n## Details\nThis weakness occurs when software transmits sensitive information, such as passwords or credit card numbers, in unencrypted form. This information may then be intercepted by threat actors using sniffer tools or interception techniques such as man-in-the-middle (MITM) attacks (often involving social engineering). Attackers can then use information gleaned to perform a variety of actions, depending on the information type. Possible actions include gaining unauthorized access, impersonating a user, moving laterally within the organization's network, or retrieving and potentially modifying files. 
This weakness is almost completely avoidable through intelligent architecture and design.\n\n## Best practices for prevention\n* Build web applications around a security mindset and the awareness that sniffers may be present at any time.\n* Ensure that all sensitive data transmission uses reliable encryption.\n* Implement security measures so that sensitive results are never returned in plain text.\n* Implement multiple-factor authentication methods to validate remote instances.\n* Use SSL not only at logon but throughout communications.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "HttpToHttps", + "Security", + "InTest" + ], + "categories": [ + "Security", + "InTest" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/medic/couch2pg/commit/062eaa0f53d2cd2327232a695c60bf4c9fd589f6?diff=split#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346L-1", + "lines": [ + { + "line": "var httplib = require('http');\n", + "lineNumber": 1, + "lineChange": "removed" + }, + { + "line": "var httplib = require('https');\n", + "lineNumber": 1, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/dondi/GRNsight/commit/01e7d39d55ea9c18348a48aac5954183d825e834?diff=split#diff-65890f102baa526da3cc5d65e0528ea728fa9fa63659a7f2e1d523686240359cL-1", + "lines": [ + { + "line": "var https = require(\"http\");\n", + "lineNumber": 2, + "lineChange": "removed" + }, + { + "line": "var https = require(\"https\");\n", + "lineNumber": 2, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/watilde/npmbrew/commit/968a0cd04e732ede4552e60e86762ce77f7f0a5c?diff=split#diff-94469ba7812da76fe341041375403897426443f146321489331bb46bb45faf5bL-1", + "lines": [ + { + "line": "var http = require(\"http\")\n", + "lineNumber": 2, + "lineChange": "removed" + }, + { + "line": "var http = require(\"https\")\n", + "lineNumber": 2, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + 
"precision": "very-high", + "repoDatasetSize": 4, + "cwe": [ + "CWE-319" + ] + } + }, + { + "id": "javascript/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. 
This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "PT", + "Security", + "SourceHttpParam", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/NodeBB/NodeBB/commit/cacc732015c64bba55a6ab45510086febccfb1b2?diff=split#diff-300f765b568b38163933bfcd40c75fe91709a35e9a7522bca2f8c5fe4b19195aL-1", + "lines": [ + { + "line": "\t\t\t\t\tuploadUserPicture(req.user.uid, req.files.userPhoto.name, req.files.userPhoto.path, res);\n", + "lineNumber": 101, + "lineChange": "removed" + }, + { + "line": "\t\t\t\t\tuploadUserPicture(req.user.uid, path.extname(req.files.userPhoto.name), req.files.userPhoto.path, res);\n", + "lineNumber": 101, + "lineChange": "added" + }, + { + "line": "\t\t\t\t\treturn;\n", + "lineNumber": 102, + "lineChange": "none" + }, + { + "line": "\t\t\t\t}\n", + "lineNumber": 103, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\n", + "lineNumber": 104, + "lineChange": "none" + }, + { + "line": "\t\t\t\tvar absolutePath = path.join(global.configuration['ROOT_DIRECTORY'], global.nconf.get('upload_path'), 
path.basename(oldpicture));\n", + "lineNumber": 105, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\n", + "lineNumber": 106, + "lineChange": "none" + }, + { + "line": "\t\t\t\tfs.unlink(absolutePath, function(err) {\n", + "lineNumber": 107, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\tif(err) {\t\t\t\t\n", + "lineNumber": 108, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\t\tconsole.error('[%d] %s', Date.now(), + err);\n", + "lineNumber": 109, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\t}\n", + "lineNumber": 110, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\t\n", + "lineNumber": 111, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\tuploadUserPicture(req.user.uid, path.extname(req.files.userPhoto.name), req.files.userPhoto.path, res);\n", + "lineNumber": 112, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\t\n", + "lineNumber": 113, + "lineChange": "none" + }, + { + "line": "\t\t\t\t});\n", + "lineNumber": 114, + "lineChange": "none" + }, + { + "line": "\t\t\t});\n", + "lineNumber": 115, + "lineChange": "none" + }, + { + "line": "\t\t});\n", + "lineNumber": 116, + "lineChange": "none" + }, + { + "line": "\t\t\n", + "lineNumber": 117, + "lineChange": "none" + }, + { + "line": "\t\tfunction uploadUserPicture(uid, extension, tempPath, res) {\n", + "lineNumber": 118, + "lineChange": "none" + }, + { + "line": "\t\t\tif(!extension) {\n", + "lineNumber": 119, + "lineChange": "none" + }, + { + "line": "\t\t\t\tres.send({\n", + "lineNumber": 120, + "lineChange": "none" + }, + { + "line": "\t\t\t\t\terror: 'Error uploading file! 
Error : Invalid extension!'\n", + "lineNumber": 121, + "lineChange": "none" + }, + { + "line": "\t\t\t\t});\n", + "lineNumber": 122, + "lineChange": "none" + }, + { + "line": "\t\t\t\treturn;\n", + "lineNumber": 123, + "lineChange": "none" + }, + { + "line": "\t\t\t}\n", + "lineNumber": 124, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 125, + "lineChange": "none" + }, + { + "line": "\t\t\tvar filename = uid + '-profileimg' + extension;\n", + "lineNumber": 126, + "lineChange": "none" + }, + { + "line": "\t\t\tvar uploadPath = path.join(global.configuration['ROOT_DIRECTORY'], global.nconf.get('upload_path'), filename);\n", + "lineNumber": 127, + "lineChange": "none" + }, + { + "line": "\t\t\t\n", + "lineNumber": 128, + "lineChange": "none" + }, + { + "line": "\t\t\t// @todo move to proper logging code - this should only be temporary\n", + "lineNumber": 129, + "lineChange": "none" + }, + { + "line": "\t\t\tconsole.log('Info: Attempting upload to: '+ uploadPath);\n", + "lineNumber": 130, + "lineChange": "none" + }, + { + "line": "\t\t\t\n", + "lineNumber": 131, + "lineChange": "none" + }, + { + "line": "\t\t\tvar is = fs.createReadStream(tempPath);\n", + "lineNumber": 132, + "lineChange": "none" + }, + { + "line": "\t\t\tvar os = fs.createWriteStream(uploadPath);\n", + "lineNumber": 133, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/vilmosioo/magma/commit/b13ae22e9cc3646444f949279c92dfa54fa2e882?diff=split#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346L-1", + "lines": [ + { + "line": "\tres.render(req.params.path || 'home');\n", + "lineNumber": 41, + "lineChange": "removed" + }, + { + "line": "\tconsole.log(req.params.path);\n", + "lineNumber": 42, + "lineChange": "added" + }, + { + "line": "\tvar template = routes['/' + req.params.path] || routes['/'];\n", + "lineNumber": 43, + "lineChange": "added" + }, + { + "line": "\ttemplate = template.templateUrl;\n", + "lineNumber": 44, + "lineChange": 
"added" + }, + { + "line": "\n", + "lineNumber": 45, + "lineChange": "added" + }, + { + "line": "\tres.render(path.basename(template, path.extname(template)), {\n", + "lineNumber": 46, + "lineChange": "added" + }, + { + "line": "\t\tconstants: {\n", + "lineNumber": 47, + "lineChange": "added" + }, + { + "line": "\t\t\tROUTES: JSON.stringify(routes)\n", + "lineNumber": 48, + "lineChange": "added" + }, + { + "line": "\t\t}\n", + "lineNumber": 49, + "lineChange": "added" + }, + { + "line": "\t});\n", + "lineNumber": 50, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/cube-js/cube.js/commit/256be019d9393daff7d8776be2c39bceafc49ce2?diff=split#diff-e3f9f2305d99d77628204eb1da6a6fd4695a3b3235274d4e7d8a65a150f0941fL-1", + "lines": [ + { + "line": "await Promise.all(files.map(file => fs.writeFile(path.join(file.fileName), file.content)));\n", + "lineNumber": 143, + "lineChange": "removed" + }, + { + "line": "await Promise.all(\n", + "lineNumber": 144, + "lineChange": "added" + }, + { + "line": " files.map(file => path.join(...[dashboardAppPath].concat(file.fileName.split('/'))))\n", + "lineNumber": 145, + "lineChange": "added" + }, + { + "line": ");\n", + "lineNumber": 146, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 42, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "javascript/UseCsurfForExpress", + "name": "UseCsurfForExpress", + "shortDescription": { + "text": "Cross-Site Request Forgery (CSRF)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "\n## Details\nCross-site request forgery is an attack in which a malicious third party takes advantage of a user's authenticated credentials (such as a browser cookie) to impersonate that trusted user and perform unauthorized actions. The web application server cannot tell the difference between legitimate and malicious requests. 
This type of attack generally begins by tricking the user with a social engineering attack, such as a link or popup that the user inadvertently clicks, causing an unauthorized request to be sent to the web server. Consequences vary: At a standard user level, attackers can change passwords, transfer funds, make purchases, or connect with contacts; from an administrator account, attackers can then make changes to or even take down the app itself.\n\n## Best practices for prevention\n* Use development frameworks that defend against CSRF, using a nonce, hash, or some other security device to the URL and/or to forms.\n* Implement secure, unique, hidden tokens that are checked by the server each time to validate state-change requests.\n* Never assume that authentication tokens and session identifiers mean a request is legitimate.\n* Understand and implement other safe-cookie techniques, such as double submit cookies.\n* Terminate user sessions when not in use, including automatic timeout.\n* Ensure rigorous coding practices and defenses against other commonly exploited CWEs, since cross-site scripting (XSS), for example, can be used to bypass defenses against CSRF.\n\n## References\n\n* [Express Documentation - Implement CSRF Protection](https://expressjs.com/en/resources/middleware/csurf.html)\n* [Node Security Checklist - CSRF](https://blog.risingstack.com/node-js-security-checklist/#csrf)", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "UseCsurfForExpress", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/xiaoshan5733/cms/commit/cfa979899ffc5d7a1305571923ba6ae70548675b?diff=split#diff-e07d531ac040ce3f40e0ce632ac2a059d7cd60f20e61f78268ac3be015b3b28fL-1", + "lines": [ + { + "line": "var app = express();\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "//连接数据库\n", + "lineNumber": 23, + 
"lineChange": "none" + }, + { + "line": "mongoose.connect(config.mongodb.uri);\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "var db = mongoose.connection;\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "db.on('error', console.error.bind(console, 'connection error:'));\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "db.once('open', function callback () {\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": " console.log('连接mongodb成功');\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "});\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "//引入数据模型\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": "util.walk(appPath + '/server/models', null, function(path) {\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": " require(path);\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": "});\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": "// view engine setup\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": "app.set('views', path.join(__dirname, 'views'));\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": "app.set('view engine', 'jade');\n", + "lineNumber": 37, + "lineChange": "none" + }, + { + "line": "//定义全局字段\n", + "lineNumber": 38, + "lineChange": "none" + }, + { + "line": "app.locals = {\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": " title: 'CMS',\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": " pretty: true,\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " moment: moment,\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " _: underscore,\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " util: util,\n", + "lineNumber": 44, + "lineChange": "none" + }, + { + "line": " config: config,\n", + "lineNumber": 45, + 
"lineChange": "none" + }, + { + "line": " adminDir: config.admin.dir ? ('/' + config.admin.dir) : ''\n", + "lineNumber": 46, + "lineChange": "none" + }, + { + "line": "};\n", + "lineNumber": 47, + "lineChange": "none" + }, + { + "line": "app.set('config', config);\n", + "lineNumber": 48, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 49, + "lineChange": "none" + }, + { + "line": "app.use(favicon());\n", + "lineNumber": 50, + "lineChange": "none" + }, + { + "line": "app.use(logger('dev'));\n", + "lineNumber": 51, + "lineChange": "none" + }, + { + "line": "app.use(bodyParser.json());\n", + "lineNumber": 54, + "lineChange": "none" + }, + { + "line": "app.use(bodyParser.urlencoded());\n", + "lineNumber": 55, + "lineChange": "none" + }, + { + "line": "app.use(cookieParser());\n", + "lineNumber": 56, + "lineChange": "none" + }, + { + "line": "app.use(session({\n", + "lineNumber": 57, + "lineChange": "none" + }, + { + "line": " secret: 'ruoguan'/*,\n", + "lineNumber": 58, + "lineChange": "none" + }, + { + "line": " store: new RedisStore*/\n", + "lineNumber": 59, + "lineChange": "none" + }, + { + "line": "}));\n", + "lineNumber": 60, + "lineChange": "none" + }, + { + "line": "//app.use(csrf());\n", + "lineNumber": 58, + "lineChange": "removed" + }, + { + "line": "app.use(csrf());\n", + "lineNumber": 61, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Detry322/redisred/commit/57aeed9563c1020ca70093310634000d795ae3b4?diff=split#diff-e07d531ac040ce3f40e0ce632ac2a059d7cd60f20e61f78268ac3be015b3b28fL-1", + "lines": [ + { + "line": "var csrf = require('csurf');\n", + "lineNumber": 18, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "//Initialize auth\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "authentication(passport, adminUsername, adminPassword);\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 22, + 
"lineChange": "none" + }, + { + "line": "//Initialize the app\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "var app = express();\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "app.set('views', './views');\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "app.set('view engine', 'jade');\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "app.use(favicon('./public/assets/favicon.png'));\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "app.use(bodyParser.urlencoded({ extended: false }));\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "app.use(expressSession({ secret: sessionSecret, resave: true, saveUninitialized: true }));\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "app.use(passport.initialize());\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": "app.use(passport.session());\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "app.use(csrf());\n", + "lineNumber": 32, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/slidewiki/slidewiki-platform/commit/3e1fd3ff647826a1321f4272924da9bfbcc91383?diff=split#diff-a4c65ede64197e1a112899a68bf994485b889c4b143198bac4af53425b38406fL-1", + "lines": [ + { + "line": "import cookieParser from 'cookie-parser';\n", + "lineNumber": 10, + "lineChange": "added" + }, + { + "line": "import csrf from 'csurf';\n", + "lineNumber": 11, + "lineChange": "added" + }, + { + "line": "import compression from 'compression';\n", + "lineNumber": 12, + "lineChange": "added" + }, + { + "line": "import debugLib from 'debug';\n", + "lineNumber": 13, + "lineChange": "added" + }, + { + "line": "import path from 'path';\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "import serialize from 'serialize-javascript';\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "import {navigateAction} from 'fluxible-router';\n", + "lineNumber": 15, + 
"lineChange": "none" + }, + { + "line": "import debugLib from 'debug';\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "import React from 'react';\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "import ReactDOM from 'react-dom/server';\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "import app from './app';\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": "import HTMLComponent from './components/DefaultHTMLLayout';\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "import { createElementWithContext } from 'fluxible-addons-react';\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "import favicon from 'serve-favicon';\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": "const env = process.env.NODE_ENV;\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "const debug = debugLib('slidewiki-platform');\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "const server = express();\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "server.use(favicon(path.join(__dirname, '/favicon.ico')));\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "server.use('/public', express['static'](path.join(__dirname, '/build')));\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "server.use('/bower_components', express['static'](path.join(__dirname, '/bower_components')));\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "server.use('/custom_modules', express['static'](path.join(__dirname, '/custom_modules')));\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": "server.use('/assets', express['static'](path.join(__dirname, '/assets')));\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "server.use(compression());\n", 
+ "lineNumber": 32, + "lineChange": "none" + }, + { + "line": "server.use(bodyParser.json());\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": "server.use(csrf({cookie: true}));\n", + "lineNumber": 35, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 66, + "cwe": [ + "CWE-352" + ] + } + }, + { + "id": "javascript/PrototypePollution", + "name": "PrototypePollution", + "shortDescription": { + "text": "Prototype Pollution" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n\n- Property definition by path\n\n\n### Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n
\n\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n### Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of \"path\", they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n## Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n## Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n\n- Web server\n\n\n## Best practices for prevention\n\n1. Freeze the prototype - use `Object.freeze (Object.prototype)`.\n\n2. Require schema validation of JSON input.\n\n3. Avoid using unsafe recursive merge functions.\n\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n\n5. As a best practice use `Map` instead of `Object`.\n\n### For more information on this vulnerability type:\n\n[Arteau, Oliver. \"JavaScript prototype pollution attack in NodeJS application.\" GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "PrototypePollution", + "Security", + "SourceServer", + "SourceHttpParam", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/VincentLoy/tweetParser.js/commit/31ccbf365abbb6398fb78705074c11458421cec6?diff=split#diff-343e9403c50c367c18f841170513c764a80c01c26a0d9c2746a5fd632febe770L-1", + "lines": [ + { + "line": " for (var i in datas) {\n", + "lineNumber": 18, + "lineChange": "removed" + }, + { + "line": " var i;\n", + "lineNumber": 18, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 19, + "lineChange": "added" + }, + { + "line": " for (i = 0; i < datas.length; i += 1) {\n", + "lineNumber": 20, + "lineChange": "added" + }, + { + "line": " if (datas[i].contributions > 1) {\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": " datas[i].wording = \"contributions\";\n", + "lineNumber": 22, 
+ "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/wachunga/omega/commit/0ea594b103c957680b02e5b3d3e6763cf49d2c3a?diff=split#diff-a4c65ede64197e1a112899a68bf994485b889c4b143198bac4af53425b38406fL-1", + "lines": [ + { + "line": "issues[id].assignee = assignee; \n", + "lineNumber": 47, + "lineChange": "removed" + }, + { + "line": "issues[id-1].assignee = assignee; \n", + "lineNumber": 47, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/vampd/vampd/commit/edc7005b68e3e42f461249f8257ba16664983a79?diff=split#diff-8832eceed707e9acd023cc8a42587cb109d860d7272ff10950e3a01bb6f9be94L-1", + "lines": [ + { + "line": "site.override_attributes.drupal.sites[site_name].actions = actions;\n", + "lineNumber": 53, + "lineChange": "removed" + }, + { + "line": "site.override_attributes.drupal.sites[site_name].deploy.action = actions;\n", + "lineNumber": 54, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 8, + "cwe": [ + "CWE-1321" + ] + } + }, + { + "id": "javascript/DOMXSS", + "name": "DOMXSS", + "shortDescription": { + "text": "Cross-site Scripting (XSS)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser's Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they've been correctly escaped in the application code and in this way the attempted attack is diverted.\n\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.\n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.|\n|**DOM-based**|Client|The attacker forces the user's browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## Best practices for prevention\nThis section describes the top best practices designed to specifically protect your code:\n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents.\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "DOMXSS", + "Security", + "SourceResourceAccess", + "SourceNetworkRequest", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": 
"https://github.com/quilime/dynamic-site/commit/0e64e840355d79a879f7eeab00d3b0f1bc33b484?diff=split#diff-3803a4142e90f0f59977727226f37112d7b946ccfeca5b47455aee1ae6dee97bL-1", + "lines": [ + { + "line": "codePre.innerHTML = prettyPrintOne(code);\n", + "lineNumber": 108, + "lineChange": "removed" + }, + { + "line": "codePre.innerText = code;\n", + "lineNumber": 111, + "lineChange": "added" + }, + { + "line": "prettyPrint();\n", + "lineNumber": 112, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/10up/distributor/commit/059a661149ceadc49f1093631cb4099f3ba4f2ac?diff=split#diff-d2e585d5738b595b24a722e974f1933e4ff11ee961254e6334a654d8927d7103L-1", + "lines": [ + { + "line": "endpointResult.innerHTML = dt.limited_connection;\n", + "lineNumber": 95, + "lineChange": "removed" + }, + { + "line": "endpointResult.innerText = dt.limited_connection;\n", + "lineNumber": 101, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/minj/foxtrick/commit/ada03f2d4d5e4ae9f7b2f4cfeb2eceaa5b4322d6?diff=split#diff-6e9376b3e13b333f7778db725b2e2b6ec79943d3752cb5e7104c47969c4bbd63L-1", + "lines": [ + { + "line": "a.innerHTML = Foxtrickl10n.getString('foxtrick.LeagueAndMatchChat.CupChat');\n", + "lineNumber": 96, + "lineChange": "removed" + }, + { + "line": "a.textContent = Foxtrickl10n.getString('foxtrick.LeagueAndMatchChat.CupChat');\n", + "lineNumber": 92, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 116, + "cwe": [ + "CWE-79" + ] + } + }, + { + "id": "javascript/InsecureHash", + "name": "InsecureHash", + "shortDescription": { + "text": "Use of Password Hash With Insufficient Computational Effort" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "\n## Details\n\nSensitive information should never be stored in plain text, since this makes it very easy for unauthorized users, whether malicious insiders or outside attackers, to 
access. Hashing methods are used to make stored passwords and other sensitive data unreadable to users. For example, when a password is defined for the first time, it is hashed and then stored. The next time that user attempts to log on, the password they enter is hashed following the same procedure and compared with the stored value. In this way, the original password never needs to be stored in the system.\n\nHashing is a one-way scheme, meaning a hashed password cannot be reverse engineered. However, if an outdated or custom programmed hashing scheme is used, it becomes simple for an attacker with powerful modern computing power to gain access to the hashes used. This opens up access to all stored password information, leading to breached security. Therefore, it is essential for developers to understand modern, secure password hashing techniques.\n\n## Best practices for prevention\n* Use strong standard algorithms for hashing rather than simpler but outdated methods or DIY hashing schemes, which may have inherent weaknesses.\n* Use modular design for all code dealing with hashing so it can be swapped out as security standards change over time.\n* Use salting in combination with hashing (While this places more demands on resources, it is an essential step for tighter security.).\n* Implement zero-trust architecture to ensure that access to password data is granted only for legitimate business purposes.\n* Increase developer awareness of current standards in data security and cryptography.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "InsecureHash", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/emgram769/livechan-js/commit/99ecea722f7fc204ce3293ff2b0e315d0e61ccad?diff=split#diff-fdbfe737b6f8eaccddd46f57a79b5532942e1667c38ca880c32d89723af39857L-1", + "lines": [ + { + "line": "var hash_pass = crypto.createHash('sha1').update(password).digest('base64');\n", + 
"lineNumber": 88, + "lineChange": "removed" + }, + { + "line": "var hash_pass = crypto.createHash('sha512').update(config.admin_pw_salt, 'base64').update(password, 'utf8').digest('base64');\n", + "lineNumber": 88, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Synzvato/decentraleyes/commit/8855358381cff8156fe7a801d9201371034373a2?diff=split#diff-8e3adc8af301344e44c7efc3f4a24d375d02d285c617793db6d2eabe367b9d92L-1", + "lines": [ + { + "line": "hash = crypto.createHash('md5');\n", + "lineNumber": 139, + "lineChange": "removed" + }, + { + "line": "hash = crypto.createHash('sha512');\n", + "lineNumber": 139, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/openmrs/openmrs-contrib-id/commit/877c9a874b349a330b806414bfad82d03de39eb1?diff=split#diff-629444d01512e7f8fd688f67bf412d620053325ed416c34f940ffd52bb4420e2L-1", + "lines": [ + { + "line": "hash = crypto.createHash('md5');\n", + "lineNumber": 109, + "lineChange": "removed" + }, + { + "line": "hash = crypto.createHash('sha512');\n", + "lineNumber": 109, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 52, + "cwe": [ + "CWE-916" + ] + } + }, + { + "id": "javascript/ZipSlip", + "name": "ZipSlip", + "shortDescription": { + "text": "Arbitrary File Write via Archive Extraction (Zip Slip)" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "markdown": "## Details\n\nZip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. 
The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.\n\n## Example\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "ZipSlip", + "Security", + "SourceArchive", + "", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 0, + "cwe": [ + "CWE-22" + ] + } + }, + { + "id": "javascript/NoHardcodedCredentials/test", + "name": "NoHardcodedCredentials/test", + "shortDescription": { + "text": "Use of Hardcoded Credentials" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "\n## Details\n\nDevelopers may use hardcoded credentials for convenience when coding in order to simplify their workflow. While they are responsible for removing these before production, occasionally this task may fall through the cracks. This also becomes a maintenance challenge when credentials are re-used across multiple applications.\n\nOnce attackers gain access, they may take advantage of privilege level to remove or alter data, take down a site or app, or hold any of the above for ransom. The risk across multiple similar projects is even greater. 
If code containing the credentials is reused across multiple projects, they will all be compromised.\n\n## Best practices for prevention\n* Plan software architecture such that keys and passwords are always stored outside the code, wherever possible.\n* Plan encryption into software architecture for all credential information and ensure proper handling of keys, credentials, and passwords.\n* Prompt for a secure password on first login rather than hard-code a default password.\n* If a hardcoded password or credential must be used, limit its use, for example, to system console users rather than via the network.\n* Use strong hashes for inbound password authentication, ideally with randomly assigned salts to increase the difficulty level in case of brute-force attack.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "NoHardcodedCredentials", + "Security", + "InTest" + ], + "categories": [ + "Security", + "InTest" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/thallium205/BitcoinVisualizer/commit/3fd03f5ec7236a0602ea2960dc786b156601efc6?diff=split#diff-a0f6e6d9c44dcd75d4a33b841594a196ff2e74137919f62ac68935a991378528L-1", + "lines": [ + { + "line": "host : '10.0.0.1',\r\n", + "lineNumber": 2, + "lineChange": "removed" + }, + { + "line": "user : 'root',\r\n", + "lineNumber": 3, + "lineChange": "removed" + }, + { + "line": "password : 'webster',\r\n", + "lineNumber": 4, + "lineChange": "removed" + }, + { + "line": "database : 'blockviewer'\r\n", + "lineNumber": 5, + "lineChange": "removed" + }, + { + "line": "host : process.env.sqlhost,\r\n", + "lineNumber": 7, + "lineChange": "added" + }, + { + "line": "user : process.env.sqluser,\r\n", + "lineNumber": 8, + "lineChange": "added" + }, + { + "line": "password : process.env.sqlpass,\r\n", + "lineNumber": 9, + "lineChange": "added" + }, + { + "line": "database : process.env.sqldatabase\r\n", + "lineNumber": 10, + "lineChange": "added" + } + ] + }, + { + "commitURL": 
"https://github.com/azukiapp/azk/commit/f032902cd00ad2ed6dfb8d9f7d9f31e9db10b210?diff=split#diff-14c376258425dc4f37d3c24807f4b5ba8b060f4dd75d5e90f8d88396acacbf3bL-1", + "lines": [ + { + "line": "username: 'docker',\n", + "lineNumber": 298, + "lineChange": "removed" + }, + { + "line": "username: azk.cst.VM_USER,\n", + "lineNumber": 298, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/jedireza/aqua/commit/5c35c79f56ada04f4d2c565954ccf63f55b1f706?diff=split#diff-c85bcf94d1b915dac9d6da178bf7648fa1a910cbcdc14a82fef8a90cf9f62e21L-1", + "lines": [ + { + "line": "password : 'test',\n", + "lineNumber": 203, + "lineChange": "removed" + }, + { + "line": "email : 'test@test.com'\n", + "lineNumber": 204, + "lineChange": "removed" + }, + { + "line": "password : results.rootPassword,\n", + "lineNumber": 203, + "lineChange": "added" + }, + { + "line": "email : results.rootEmail\n", + "lineNumber": 204, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 30, + "cwe": [ + "CWE-798" + ] + } + } + ] + } + }, + "results": [ + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. 
This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[data from a remote resource](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16)", + "[bypassSecurityTrustHtml](17)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 216, + "endLine": 216, + "startColumn": 44, + "endColumn": 67 + } + } + } + ], + "fingerprints": { + "0": "041274fc0869f892f98d45c0bd6903f2cfad48bc93a806c69ccfdb2c86f32781", + "1": "7921a677.4773f344.607187b5.a517c54b.ef9f7d82.8020cfdf.df7e59ba.cde67692.72e8bf12.664e3b30.21371afe.dee12555.fbac9e17.787328db.83265159.de97a755" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/challenge.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/challenge.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/challenge.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 65, + "endColumn": 78 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/challenge.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 83, + "endColumn": 91 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + 
"artifactLocation": { + "uri": "frontend/src/app/Services/challenge.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 83, + "endColumn": 96 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/challenge.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 60, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/challenge.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 55, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/challenge.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 117, + "endLine": 117, + "startColumn": 29, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 117, + "endLine": 117, + "startColumn": 63, + "endColumn": 73 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 119, + "endLine": 119, + "startColumn": 29, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": 
"frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 120, + "endLine": 120, + "startColumn": 31, + "endColumn": 46 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 34, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 39, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 215, + "endLine": 215, + "startColumn": 25, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 216, + "endLine": 216, + "startColumn": 68, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 216, + "endLine": 216, + "startColumn": 68, + "endColumn": 99 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/score-board/score-board.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 216, + "endLine": 216, + "startColumn": 44, + "endColumn": 67 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 504, + 
"priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[data from a remote resource](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8)", + "[bypassSecurityTrustHtml](9)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/data-export/data-export.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 37, + "endColumn": 60 + } + } + } + ], + "fingerprints": { + "0": "1ea030f297935ab7db59fe215a71ce9c51aacfc72938e77d615d828f87adc0e0", + "1": "3df95e84.4773f344.607187b5.74eb2808.ef9f7d82.8020cfdf.83265159.428468b6.a6348f37.70b638aa.8b3a84e3.c559ebce.4463c21f.51429c53.83265159.7f547f77" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/image-captcha.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 20, + "endLine": 20, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/image-captcha.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 20, + "endLine": 20, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { 
+ "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/image-captcha.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 20, + "endLine": 20, + "startColumn": 12, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/image-captcha.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 20, + "endLine": 20, + "startColumn": 68, + "endColumn": 72 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/image-captcha.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 20, + "endLine": 20, + "startColumn": 12, + "endColumn": 72 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/data-export/data-export.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 44, + "endLine": 44, + "startColumn": 30, + "endColumn": 40 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/data-export/data-export.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 44, + "endLine": 44, + "startColumn": 54, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/data-export/data-export.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 61, + "endColumn": 65 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/data-export/data-export.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 61, + "endColumn": 71 + } + } + } + }, + { + "location": { + "id": 9, 
+ "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/data-export/data-export.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 37, + "endColumn": 60 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[data from a remote resource](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13)", + "[bypassSecurityTrustHtml](14)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 37, + "endColumn": 60 + } + } + } + ], + "fingerprints": { + "0": "145bb7c088f3191c1b0d55120ac56ba0cbb22ea4b26198b225aee2f2b777e4ba", + "1": "839b1d0f.4773f344.607187b5.824d2503.ef9f7d82.8020cfdf.0b4f0b50.ae94f388.46b7c801.6b0b4bb5.81f55990.72a8f743.4463c21f.7312b3d3.83265159.a83217da" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/user.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + 
"startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/user.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/user.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 104, + "endColumn": 117 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/user.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 30, + "endLine": 30, + "startColumn": 7, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/user.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 30, + "endLine": 30, + "startColumn": 7, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/user.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 99, + "endColumn": 102 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/user.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 94, + "endColumn": 98 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/user.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 12, + "endColumn": 98 + } + } + } + }, + { + "location": { + "id": 8, + 
"physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 22, + "endColumn": 26 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 40, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 18, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 77, + "endColumn": 81 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 119, + "endColumn": 123 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 61, + "endColumn": 138 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 37, + "endColumn": 60 + } + } + } + } + 
] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[data from a remote resource](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12)", + "[bypassSecurityTrustHtml](13)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 43, + "endColumn": 66 + } + } + } + ], + "fingerprints": { + "0": "0b74757bb31439faf25f1dcf6062dd282cc8090d43b9d1b69fc44ac6b0c8a0fd", + "1": "7921a677.4773f344.607187b5.d7919eeb.ef9f7d82.81760a8a.566b8f28.cde67692.a6348f37.70b638aa.8b18f948.4a954e56.4463c21f.7312b3d3.83265159.a83217da" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, 
+ "endLine": 21, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 18, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 36, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 13, + "endColumn": 16 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 8, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 23, + "startColumn": 12, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 26, + "endColumn": 30 + } + 
} + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 44, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 18, + "endColumn": 26 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 67, + "endColumn": 75 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 67, + "endColumn": 83 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/administration/administration.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 43, + "endColumn": 66 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. 
This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[data from a remote resource](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12)", + "[bypassSecurityTrustHtml](13)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/track-result/track-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 45, + "endColumn": 68 + } + } + } + ], + "fingerprints": { + "0": "33df10f2aa9f160fc2b96996c33d9012491b8540f9ca56f7fdf4557d9edd621d", + "1": "cf7733e4.4773f344.ed5da594.a517c54b.ef9f7d82.32f843a3.0b4f0b50.116a0c7b.cf7733e4.eb7d1438.0a3df746.c8688b2b.ab9128a4.32f843a3.83265159.116a0c7b" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/track-order.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/track-order.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/track-order.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 62, + "endColumn": 75 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/track-order.service.ts", + "uriBaseId": "%SRCROOT%" + }, + 
"region": { + "startLine": 22, + "endLine": 22, + "startColumn": 80, + "endColumn": 88 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/track-order.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 57, + "endColumn": 60 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/track-order.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 52, + "endColumn": 56 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/track-order.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 56 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/track-result/track-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 39, + "endLine": 39, + "startColumn": 28, + "endColumn": 32 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/track-result/track-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 39, + "endLine": 39, + "startColumn": 58, + "endColumn": 65 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/track-result/track-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 78, + "endColumn": 85 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/track-result/track-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + 
"startLine": 41, + "endLine": 41, + "startColumn": 78, + "endColumn": 90 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/track-result/track-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 78, + "endColumn": 93 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/track-result/track-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 69, + "endColumn": 110 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/track-result/track-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 45, + "endColumn": 68 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 504, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. 
This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[data from a remote resource](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16)", + "[bypassSecurityTrustHtml](17)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 84, + "endLine": 84, + "startColumn": 47, + "endColumn": 70 + } + } + } + ], + "fingerprints": { + "0": "abd4e0bd5997a9d87e6687d628a4a73eccda02a164cbb4bcc2dfc5d0fb62b2ea", + "1": "7921a677.4773f344.607187b5.a517c54b.ef9f7d82.81760a8a.566b8f28.cde67692.cf7733e4.3635f48a.d7512ab0.e6336d2f.4463c21f.7312b3d3.83265159.9b5cefb9" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 22, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 18, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + 
"uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 36, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 13, + "endColumn": 16 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 8, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/feedback.service.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 23, + "startColumn": 12, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 80, + "endLine": 80, + "startColumn": 26, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 80, + "endLine": 80, + "startColumn": 44, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 81, + "endLine": 81, + "startColumn": 27, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + 
"region": { + "startLine": 83, + "endLine": 83, + "startColumn": 76, + "endColumn": 85 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 83, + "endLine": 83, + "startColumn": 117, + "endColumn": 126 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 83, + "endLine": 83, + "startColumn": 9, + "endColumn": 18 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 84, + "endLine": 84, + "startColumn": 71, + "endColumn": 80 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 84, + "endLine": 84, + "startColumn": 71, + "endColumn": 83 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 84, + "endLine": 84, + "startColumn": 71, + "endColumn": 91 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/about/about.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 84, + "endLine": 84, + "startColumn": 47, + "endColumn": 70 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 504, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + 
"isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from browser storage flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[browser storage](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8)", + "[bypassSecurityTrustHtml](9)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 36, + "endLine": 36, + "startColumn": 43, + "endColumn": 66 + } + } + } + ], + "fingerprints": { + "0": "046e16ab4dbfb48a4781c00cff82e58e29672069dc0a150e72aed4b8da04427a", + "1": "cf7733e4.4773f344.607187b5.400fd3fd.90100e46.8020cfdf.0b4f0b50.66506c4e.46b7c801.706318d0.86aa5c73.400fd3fd.4463c21f.8020cfdf.cebf5fac.5691ba88" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 31, + "endLine": 31, + "startColumn": 32, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 31, + "endLine": 31, + "startColumn": 32, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + 
"startLine": 31, + "endLine": 31, + "startColumn": 11, + "endColumn": 16 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 32, + "endLine": 32, + "startColumn": 9, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 33, + "endLine": 33, + "startColumn": 27, + "endColumn": 32 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 33, + "endLine": 33, + "startColumn": 17, + "endColumn": 26 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 34, + "endLine": 34, + "startColumn": 11, + "endColumn": 18 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 34, + "endLine": 34, + "startColumn": 11, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 36, + "endLine": 36, + "startColumn": 67, + "endColumn": 111 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/last-login-ip/last-login-ip.component.ts", + "uriBaseId": "%SRCROOT%" + }, + 
"region": { + "startLine": 36, + "endLine": 36, + "startColumn": 43, + "endColumn": 66 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 504, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "error", + "message": { + "text": "Unsanitized input from cookies flows into send, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[cookies](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15)", + "[send](16)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 15, + "endColumn": 19 + } + } + } + ], + "fingerprints": { + "0": "00ca59a0355087ec9f0affdc8fd90a7dbbdf6f4a31f3c55a053e5028fc1fc577", + "1": "839b1d0f.4773f344.a32ed1a1.d7919eeb.ef9f7d82.8020cfdf.cd61fc56.2f05c567.dca15045.6b0b4bb5.81f55990.4ee3cf31.cca38dbc.34a4d81a.0334236c.2f05c567" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 24, + "endLine": 24, + "startColumn": 64, + "endColumn": 71 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 24, + "endLine": 24, + "startColumn": 64, + 
"endColumn": 71 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 24, + "endLine": 24, + "startColumn": 60, + "endColumn": 71 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 24, + "endLine": 24, + "startColumn": 56, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 24, + "endLine": 24, + "startColumn": 13, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 11, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 26, + "endLine": 26, + "startColumn": 28, + "endColumn": 40 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 26, + "endLine": 26, + "startColumn": 28, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 26, + "endLine": 26, + "startColumn": 19, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 26, + "endLine": 26, + 
"startColumn": 56, + "endColumn": 78 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 28, + "endLine": 28, + "startColumn": 26, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 47, + "endLine": 47, + "startColumn": 69, + "endColumn": 73 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 41, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 59, + "endLine": 59, + "startColumn": 82, + "endColumn": 86 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 23, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 20, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 15, + "endColumn": 19 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 804, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": 
"hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "error", + "message": { + "text": "Unsanitized input from an HTTP parameter flows into send, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[an HTTP parameter](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10)", + "[send](11)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 16, + "endColumn": 20 + } + } + } + ], + "fingerprints": { + "0": "ca83cad0f9e3992c2cdcd287969b4fe89bf3906a312dc6b114fcfaead4419687", + "1": "716f11c4.4773f344.cae2544c.289fcdd5.d3562abd.8020cfdf.83265159.2f05c567.9dc2a0d3.706318d0.cae2544c.289fcdd5.79a7d027.f8890b3c.0334236c.e6930396" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 14, + "endLine": 14, + "startColumn": 26, + "endColumn": 32 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 14, + "endLine": 14, + "startColumn": 26, + "endColumn": 32 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 14, + "endLine": 14, + "startColumn": 22, + "endColumn": 32 + } + } + } + }, + { + "location": { 
+ "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 14, + "endLine": 14, + "startColumn": 16, + "endColumn": 21 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 14, + "endLine": 14, + "startColumn": 7, + "endColumn": 9 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 10 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 16, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 12, + "endColumn": 19 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 45, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 27, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 21, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 11, + 
"physicalLocation": { + "artifactLocation": { + "uri": "routes/recycles.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 16, + "endColumn": 20 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 754, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 0, + "level": "error", + "message": { + "text": "Unsanitized input from an HTTP parameter flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[an HTTP parameter](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8)", + "[bypassSecurityTrustHtml](9)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 151, + "endLine": 151, + "startColumn": 41, + "endColumn": 64 + } + } + } + ], + "fingerprints": { + "0": "22e73eee0efe2f75ab91d1b6197fcb36ca60a94dd923daf4398205d4bd5ac2f4", + "1": "b7602041.4773f344.607187b5.c484ae4b.ef9f7d82.8020cfdf.ea235696.cde67692.1f17e802.b6e32c83.72aa1700.c484ae4b.4463c21f.33e93315.ca2eca62.5b5a306a" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 144, + "endLine": 144, + "startColumn": 62, + "endColumn": 63 + } + } + } + }, + { + 
"location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 144, + "endLine": 144, + "startColumn": 62, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 144, + "endLine": 144, + "startColumn": 9, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 145, + "endLine": 145, + "startColumn": 9, + "endColumn": 19 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 146, + "endLine": 146, + "startColumn": 20, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 146, + "endLine": 146, + "startColumn": 31, + "endColumn": 35 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 148, + "endLine": 148, + "startColumn": 58, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 32, + "endColumn": 42 + 
} + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 151, + "endLine": 151, + "startColumn": 65, + "endColumn": 75 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/search-result/search-result.component.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 151, + "endLine": 151, + "startColumn": 41, + "endColumn": 64 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 754, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. 
Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 73, + "startColumn": 10, + "endColumn": 4 + } + } + } + ], + "fingerprints": { + "0": "05062c87dc99cecece6ca2e0dcc2ca2534249be1f78e70af6121ef577079ec8c", + "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.c3f8dfad.b6e32c83.4937536e.4f83689a.fd1fa73f.cb9c4e89.83265159.b325124d" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 73, + "startColumn": 10, + "endColumn": 4 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/userProfile.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 8, + "endColumn": 16 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. 
It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/videoHandler.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 19, + "endLine": 47, + "startColumn": 10, + "endColumn": 4 + } + } + } + ], + "fingerprints": { + "0": "625211daf741757913e91df57456e491e76d32baae2aa31b7324a621e8720991", + "1": "4923bf76.9c6e2949.8b18f948.c559ebce.fd1fa73f.5eabb05b.83265159.be9bb487.1db69a21.b6e32c83.8b18f948.c559ebce.c2cde80a.2da1a176.83265159.041df0b3" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/videoHandler.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 19, + "endLine": 47, + "startColumn": 10, + "endColumn": 4 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/videoHandler.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 23, + "endColumn": 39 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. 
Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/videoHandler.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 51, + "endLine": 72, + "startColumn": 10, + "endColumn": 4 + } + } + } + ], + "fingerprints": { + "0": "9754d33d2c25b45e7b1d70df4c2aa0dac731bdf5e9908e2a58e5b5c245eb4d2d", + "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.c3f8dfad.b6e32c83.a32ed1a1.4f83689a.fd1fa73f.cb9c4e89.83265159.b325124d" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/videoHandler.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 51, + "endLine": 72, + "startColumn": 10, + "endColumn": 4 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/videoHandler.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 8, + "endColumn": 16 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. 
It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/easterEgg.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 16, + "startColumn": 10, + "endColumn": 4 + } + } + } + ], + "fingerprints": { + "0": "b2a03956040ab16ee56bbb15c3048b7527a6ed4334dec2935c6ecff64499a1d1", + "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.87ba341e.b6e32c83.4937536e.c559ebce.fd1fa73f.cb9c4e89.83265159.041df0b3" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/easterEgg.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 16, + "startColumn": 10, + "endColumn": 4 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/easterEgg.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 15, + "endLine": 15, + "startColumn": 9, + "endColumn": 17 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 504, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "This endpoint handler performs a file system operation and does not use a rate-limiting 
mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/dataErasure.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 45, + "startColumn": 17, + "endColumn": 2 + } + } + } + ], + "fingerprints": { + "0": "fa2757c8d403548a54f45a6bdca7867a0a28107f4bd2a9fcb9ecf18200f9053b", + "1": "92e26ef2.4773f344.8b18f948.c559ebce.fd1fa73f.5fce695c.83265159.89d75565.92e26ef2.b6e32c83.8b18f948.c559ebce.fd1fa73f.5fce695c.83265159.89d75565" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/dataErasure.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 45, + "startColumn": 17, + "endColumn": 2 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/dataErasure.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 9, + "endColumn": 15 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "This endpoint handler performs a file system operation and does not use a 
rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/dataErasure.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 54, + "endLine": 94, + "startColumn": 18, + "endColumn": 2 + } + } + } + ], + "fingerprints": { + "0": "d99bbb6f4fb9f46875c66e28d01504c628074d304504c645efae8ae129582793", + "1": "92e26ef2.4773f344.aa4dda5f.c559ebce.fd1fa73f.5fce695c.83265159.89d75565.92e26ef2.4773f344.782a8fc0.c559ebce.fd1fa73f.5fce695c.83265159.29e8dc3a" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/dataErasure.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 54, + "endLine": 94, + "startColumn": 18, + "endColumn": 2 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/dataErasure.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 87, + "endLine": 87, + "startColumn": 11, + "endColumn": 17 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "This endpoint handler performs a file system operation and does 
not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/privacyPolicyProof.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 16, + "startColumn": 10, + "endColumn": 4 + } + } + } + ], + "fingerprints": { + "0": "520b030a888a2b60aae83aed160b919d30cba715196707e27f44902cde0ce139", + "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.87ba341e.b6e32c83.4937536e.c559ebce.0cc54b27.cb9c4e89.83265159.041df0b3" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/privacyPolicyProof.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 16, + "startColumn": 10, + "endColumn": 4 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/privacyPolicyProof.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 15, + "endLine": 15, + "startColumn": 9, + "endColumn": 17 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 504, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "This endpoint handler performs a 
file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/languages.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 11, + "endLine": 73, + "startColumn": 10, + "endColumn": 4 + } + } + } + ], + "fingerprints": { + "0": "a915535c27c481c411594f05b4cc1789b3c7fd1aab9eb6ed7f5481f5f09819aa", + "1": "099c30d7.9c6e2949.8b18f948.c559ebce.fd1fa73f.5eabb05b.83265159.be9bb487.c3f8dfad.b6e32c83.eff3b32f.4f83689a.fd1fa73f.becd9ff1.83265159.b325124d" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/languages.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 11, + "endLine": 73, + "startColumn": 10, + "endColumn": 4 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/languages.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 8, + "endColumn": 16 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 504, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "This endpoint handler 
performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/vulnCodeSnippet.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 74, + "endLine": 120, + "startColumn": 32, + "endColumn": 2 + } + } + } + ], + "fingerprints": { + "0": "1ebeb3f1c81c0895045bb35313f554f9bb3a4e401174286d3cea92b114b61390", + "1": "e7d2421a.9c6e2949.8b18f948.c559ebce.fd1fa73f.8020cfdf.83265159.33454e9d.e7d2421a.b6e32c83.7b031cb3.c559ebce.474b452e.becd9ff1.7b7de394.33454e9d" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/vulnCodeSnippet.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 74, + "endLine": 120, + "startColumn": 32, + "endColumn": 2 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/vulnCodeSnippet.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 94, + "endLine": 94, + "startColumn": 47, + "endColumn": 59 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": 
"This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/vulnCodeFixes.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 69, + "endLine": 98, + "startColumn": 38, + "endColumn": 2 + } + } + } + ], + "fingerprints": { + "0": "3dd9cd9cc4132d9c049a111fb70a9078126d4563e444f1183c14c11e44b6457d", + "1": "a5aeea87.9c6e2949.8b18f948.c559ebce.fd1fa73f.5eabb05b.83265159.67311e43.a05cdd83.b6e32c83.7b031cb3.c559ebce.3a08f0d2.becd9ff1.7b7de394.6de01bb2" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/vulnCodeFixes.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 69, + "endLine": 98, + "startColumn": 38, + "endColumn": 2 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/vulnCodeFixes.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 80, + "endLine": 80, + "startColumn": 46, + "endColumn": 61 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 554, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoRateLimitingForExpensiveWebOperation", + "ruleIndex": 1, + "level": "warning", + 
"message": { + "text": "This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "markdown": "This {0} performs {1} and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.", + "arguments": [ + "[endpoint handler](0)", + "[a file system operation](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/premiumReward.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 16, + "startColumn": 10, + "endColumn": 4 + } + } + } + ], + "fingerprints": { + "0": "7c5bd04663f7f2d99a5b4a2306e5c5879f1dbb72ab7f55bd60d48380ef3b7d88", + "1": "4923bf76.4773f344.8b8d7a0c.c559ebce.fd1fa73f.5eabb05b.83265159.3cee0341.40bc0bae.b6e32c83.4937536e.c559ebce.fd1fa73f.cb9c4e89.83265159.041df0b3" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/premiumReward.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 16, + "startColumn": 10, + "endColumn": 4 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/premiumReward.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 15, + "endLine": 15, + "startColumn": 9, + "endColumn": 17 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 504, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/Ssrf", + "ruleIndex": 2, + "level": "error", + "message": { + 
"text": "Unsanitized input from the HTTP request body flows into request.get, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.", + "arguments": [ + "[the HTTP request body](0)", + "[flows](1),(2),(3),(4),(5)", + "[request.get](6)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/profileImageUrlUpload.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 23, + "startColumn": 30, + "endColumn": 15 + } + } + } + ], + "fingerprints": { + "0": "aac46065ef2da0fd582140907a91ceb700478885678eb2514bd6be88f423f1a6", + "1": "dca15045.70dd3b3b.568208f0.d7919eeb.79a7d027.98c7c24d.df7e59ba.377cd288.6849fe68.b6e32c83.568208f0.08906714.79a7d027.98c7c24d.83265159.a41fb358" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/profileImageUrlUpload.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 13, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/profileImageUrlUpload.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 13, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/profileImageUrlUpload.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/profileImageUrlUpload.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + 
"startLine": 18, + "endLine": 18, + "startColumn": 13, + "endColumn": 16 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/profileImageUrlUpload.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 19, + "endLine": 19, + "startColumn": 11, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/profileImageUrlUpload.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 16, + "endColumn": 19 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/profileImageUrlUpload.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 23, + "startColumn": 30, + "endColumn": 15 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 801, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoHardcodedPasswords", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Do not hardcode passwords in code. Found hardcoded password used in password.", + "markdown": "Do not hardcode passwords in code. 
Found hardcoded password used in {0}.", + "arguments": [ + "[password](0)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/oauth/oauth.component.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 85, + "endLine": 85, + "startColumn": 77, + "endColumn": 85 + } + } + } + ], + "fingerprints": { + "0": "16d5be7628d45f333c93c4c34719773cffc76c5cabb20bb1b6d24012894f7656", + "1": "12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.8030ba4b.12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.8030ba4b" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/oauth/oauth.component.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 85, + "endLine": 85, + "startColumn": 77, + "endColumn": 85 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 552, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoHardcodedPasswords", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Do not hardcode passwords in code. Found hardcoded password used in password.", + "markdown": "Do not hardcode passwords in code. 
Found hardcoded password used in {0}.", + "arguments": [ + "[password](0)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/oauth/oauth.component.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 92, + "endLine": 92, + "startColumn": 78, + "endColumn": 86 + } + } + } + ], + "fingerprints": { + "0": "b203dbff1fae69efd59c7816d07b9e61017893371f623e6d5194e53e6182022a", + "1": "12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.8030ba4b.12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.8030ba4b" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/oauth/oauth.component.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 92, + "endLine": 92, + "startColumn": 78, + "endColumn": 86 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 552, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoHardcodedPasswords", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Do not hardcode passwords in code. Found hardcoded password used in password.", + "markdown": "Do not hardcode passwords in code. 
Found hardcoded password used in {0}.", + "arguments": [ + "[password](0)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/two-factor-auth-service.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 42, + "endColumn": 50 + } + } + } + ], + "fingerprints": { + "0": "053124f7de915c72b62680448fa0dae1376075b94155babf06de21d09e516311", + "1": "12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.1a479e39.12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.1a479e39" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/two-factor-auth-service.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 42, + "endColumn": 50 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 552, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoHardcodedPasswords", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Do not hardcode passwords in code. Found hardcoded password used in password.", + "markdown": "Do not hardcode passwords in code. 
Found hardcoded password used in {0}.", + "arguments": [ + "[password](0)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/two-factor-auth-service.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 80, + "endLine": 80, + "startColumn": 42, + "endColumn": 50 + } + } + } + ], + "fingerprints": { + "0": "0ae497be512b556e109e19c0440dda3c97f83bc158078bfb8ffa858e573ce203", + "1": "12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.1a479e39.12567ef6.4773f344.bd65d204.e052b9a9.79a7d027.fcf3002d.ce4a9d89.1a479e39" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/Services/two-factor-auth-service.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 80, + "endLine": 80, + "startColumn": 42, + "endColumn": 50 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 552, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoHardcodedPasswords", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Do not hardcode passwords in code. Found hardcoded password used in passwordRepeat.", + "markdown": "Do not hardcode passwords in code. 
Found hardcoded password used in {0}.", + "arguments": [ + "[passwordRepeat](0)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/oauth/oauth.component.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 85, + "endLine": 85, + "startColumn": 111, + "endColumn": 125 + } + } + } + ], + "fingerprints": { + "0": "16d5be7628d45f333c93c4c34719773cffc76c5cabb20bb1b6d24012894f7656", + "1": "12567ef6.4773f344.607187b5.e052b9a9.79a7d027.fcf3002d.52789fac.8030ba4b.12567ef6.4773f344.607187b5.e052b9a9.79a7d027.fcf3002d.52789fac.8030ba4b" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "frontend/src/app/oauth/oauth.component.spec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 85, + "endLine": 85, + "startColumn": 111, + "endColumn": 125 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 552, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoSqli", + "ruleIndex": 4, + "level": "error", + "message": { + "text": "Unsanitized input from the HTTP request body flows into findOne, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. 
This may result in an NoSQL Injection vulnerability.", + "arguments": [ + "[the HTTP request body](0)", + "[flows](1),(2),(3),(4),(5),(6)", + "[findOne](7)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 16, + "endColumn": 23 + } + } + } + ], + "fingerprints": { + "0": "d3e6d95802bfa65cdee1cc840eda6a7b8422f24962e436dd01730e6116e317ec", + "1": "93652555.4773f344.07efaa4d.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.07efaa4d.08906714.79a7d027.34a4d81a.0334236c.2151aa9e" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 20, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 20, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 16, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 11, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 31, + "endColumn": 
33 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 26, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 24, + "endColumn": 35 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 16, + "endColumn": 23 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 802, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoSqli", + "ruleIndex": 4, + "level": "error", + "message": { + "text": "Unsanitized input from the HTTP request body flows into findOne, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. 
This may result in an NoSQL Injection vulnerability.", + "arguments": [ + "[the HTTP request body](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10)", + "[findOne](11)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 31, + "endLine": 31, + "startColumn": 28, + "endColumn": 35 + } + } + } + ], + "fingerprints": { + "0": "508ff7c452d0f0a821d3efbddf9c8ead6c964f813b9ead52ee2ebfe4882ee5f0", + "1": "93652555.4773f344.07efaa4d.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.07efaa4d.08906714.79a7d027.34a4d81a.0334236c.2151aa9e" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 20, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 20, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 16, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 11, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 
31, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 26, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 20, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 15, + "endColumn": 18 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 31, + "endLine": 31, + "startColumn": 43, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 31, + "endLine": 31, + "startColumn": 38, + "endColumn": 41 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 31, + "endLine": 31, + "startColumn": 36, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 31, + "endLine": 31, + "startColumn": 28, + "endColumn": 35 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 802, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + 
"label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoSqli", + "ruleIndex": 4, + "level": "error", + "message": { + "text": "Unsanitized input from the HTTP request body flows into update, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.", + "arguments": [ + "[the HTTP request body](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8)", + "[update](9)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 24, + "endLine": 24, + "startColumn": 22, + "endColumn": 28 + } + } + } + ], + "fingerprints": { + "0": "98c5e37129708b191ac56a1b1984e16a6f40c2e8df534ee7935629794fa5db85", + "1": "12567ef6.4773f344.607187b5.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.07efaa4d.08906714.79a7d027.34a4d81a.0334236c.2151aa9e" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 20, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 20, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 16, + "endColumn": 24 + } + } + } + }, + { + 
"location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 11, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 31, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 26, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 20, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 15, + "endColumn": 18 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 13, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 24, + "endLine": 24, + "startColumn": 22, + "endColumn": 28 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 802, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, 
+ { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoSqli", + "ruleIndex": 4, + "level": "error", + "message": { + "text": "Unsanitized input from the HTTP request body flows into update, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.", + "arguments": [ + "[the HTTP request body](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12)", + "[update](13)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 30, + "endColumn": 36 + } + } + } + ], + "fingerprints": { + "0": "cd257a65b7a12c252af31b0293deb39e45738a460da8fd9dbaba89db52b4a305", + "1": "12567ef6.4773f344.607187b5.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.07efaa4d.08906714.79a7d027.34a4d81a.0334236c.2151aa9e" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 20, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 20, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 16, + "endColumn": 24 + } + } + } + }, + { + "location": { + "id": 3, + 
"physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 16, + "endLine": 16, + "startColumn": 11, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 31, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 26, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 20, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 15, + "endColumn": 18 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 31, + "endLine": 31, + "startColumn": 43, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 31, + "endLine": 31, + "startColumn": 38, + "endColumn": 41 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 42, + "endLine": 42, + "startColumn": 28, + 
"endColumn": 30 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 42, + "endLine": 42, + "startColumn": 23, + "endColumn": 26 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 42, + "endLine": 42, + "startColumn": 21, + "endColumn": 32 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/likeProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 30, + "endColumn": 36 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 802, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoSqli", + "ruleIndex": 4, + "level": "error", + "message": { + "text": "Unsanitized input from the HTTP request body flows into update, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used in an NoSQL query. 
This may result in an NoSQL Injection vulnerability.", + "arguments": [ + "[the HTTP request body](0)", + "[flows](1),(2),(3),(4)", + "[update](5)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/updateProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 16, + "endColumn": 22 + } + } + } + ], + "fingerprints": { + "0": "403a9b0a3b2d6ed8a1f613645a03631613f8380c2f8e8a86d83422a2f70b66bf", + "1": "12567ef6.4773f344.607187b5.9163ada2.ef9f7d82.34a4d81a.df7e59ba.d66579bf.f759b1f9.b6e32c83.2d2c7aff.08906714.79a7d027.34a4d81a.0334236c.2151aa9e" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/updateProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 18, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/updateProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 18, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/updateProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 14, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/updateProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 9, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/updateProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 18, + "endLine": 18, + "startColumn": 7, + "endColumn": 
27 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/updateProductReviews.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 16, + "endColumn": 22 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 752, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/HardcodedSecret/test", + "ruleIndex": 5, + "level": "note", + "message": { + "text": "Hardcoded value is used as a cipher key (in jsonwebtoken.#default.sign). Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.", + "markdown": "Hardcoded {0} is used as a {1}. Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.", + "arguments": [ + "[value](0)", + "[cipher key (in jsonwebtoken.#default.sign)](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/api/2faSpec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 149, + "endLine": 149, + "startColumn": 8, + "endColumn": 39 + } + } + } + ], + "fingerprints": { + "0": "8927f4670c679414a5cdfb3bd6bff6b363ce47acae79bd92803aa7e46f9f21a7", + "1": "20326186.4773f344.8b18f948.d7919eeb.79a7d027.8020cfdf.df938d4d.45cbaa21.20326186.4773f344.8b18f948.d7919eeb.79a7d027.8020cfdf.df938d4d.45cbaa21" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "test/api/2faSpec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 149, + "endLine": 149, + "startColumn": 8, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + 
"artifactLocation": { + "uri": "test/api/2faSpec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 146, + "endLine": 146, + "startColumn": 35, + "endColumn": 39 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 401, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/JwtDecodeMethod", + "ruleIndex": 6, + "level": "warning", + "message": { + "text": "A JWT decode() method is used that decodes the token but does not check its validity or integrity. If the JWT has originated from an untrusted source, decoded data could be crafted by an attacker and should not be considered safe to use or process within the application. Always use JWT verification methods to validate the structure and integrity of a token.", + "markdown": "A JWT decode() method is used that decodes the token but does not check its validity or integrity. If the JWT has originated from an untrusted source, decoded data could be crafted by an attacker and should not be considered safe to use or process within the application. 
Always use JWT verification methods to validate the structure and integrity of a token.", + "arguments": [] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "routes/verify.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 41, + "endColumn": 51 + } + } + } + ], + "fingerprints": { + "0": "ba26f4ebc04a19051e00a5ec819e920845ad080a17d8b484b364ecce02b640bf", + "1": "46b7c801.4773f344.0f22609d.72a8f743.ef9f7d82.8020cfdf.ea4b1c47.ae94f388.46b7c801.4773f344.0f22609d.72a8f743.ef9f7d82.8020cfdf.ea4b1c47.ae94f388" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "routes/verify.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 41, + "endColumn": 51 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 301, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileCodeFlow" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/HardcodedNonCryptoSecret", + "ruleIndex": 7, + "level": "error", + "message": { + "text": "Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in here.", + "markdown": "Avoid hardcoding values that are meant to be secret. 
Found {0} used in {1}.", + "arguments": [ + "[a hardcoded string](0)", + "[here](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "lib/insecurity.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 54, + "endLine": 54, + "startColumn": 49, + "endColumn": 55 + } + } + } + ], + "fingerprints": { + "0": "ce76473d8a0de12d7deba29848fec2332cc17798cae52436f64242dd341b6ba2", + "1": "46b7c801.4773f344.607187b5.72a8f743.79a7d027.a47a18e2.dd02ad61.ae94f388.46b7c801.dd1130f5.8b18f948.61d81d8d.79a7d027.a47a18e2.468bb5d4.ae94f388" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "lib/insecurity.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 83, + "endColumn": 107 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "lib/insecurity.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 54, + "endLine": 54, + "startColumn": 49, + "endColumn": 55 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 801, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/HardcodedSecret", + "ruleIndex": 8, + "level": "error", + "message": { + "text": "Hardcoded value is used as a cipher key (in jsonwebtoken.#default.verify). Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.", + "markdown": "Hardcoded {0} is used as a {1}. 
Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.", + "arguments": [ + "[value](0)", + "[cipher key (in jsonwebtoken.#default.verify)](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "lib/insecurity.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 83, + "endColumn": 107 + } + } + } + ], + "fingerprints": { + "0": "bd0cbcaad32d2a689a2b613cc191c8bd05eed93dbb3584632c7192475e3b7c61", + "1": "fc3065be.4773f344.8b18f948.61d81d8d.ef9f7d82.a47a18e2.468bb5d4.ae94f388.46b7c801.4773f344.8b18f948.61d81d8d.4c40509c.f30cf624.468bb5d4.ae94f388" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "lib/insecurity.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 83, + "endColumn": 107 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "lib/insecurity.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 197, + "endLine": 197, + "startColumn": 9, + "endColumn": 15 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 802, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/HardcodedSecret", + "ruleIndex": 8, + "level": "error", + "message": { + "text": "Hardcoded value is used as a cipher key (in crypto.#default.createHmac). Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.", + "markdown": "Hardcoded {0} is used as a {1}. 
Generate the value with a cryptographically strong random number generator and do not hardcode it in source code.", + "arguments": [ + "[value](0)", + "[cipher key (in crypto.#default.createHmac)](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "lib/insecurity.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 20, + "endColumn": 902 + } + } + } + ], + "fingerprints": { + "0": "505b93a244fdf2552034cc5341be6bf71983ed87f9dc70780fe2589154471256", + "1": "ae77ea27.4773f344.8b18f948.d7919eeb.feee7bcb.5fce695c.c8cd882a.89d75565.839b1d0f.4773f344.191eaf2b.3b7658bb.ac82cb7b.5fce695c.c8cd882a.71520ffe" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "lib/insecurity.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 20, + "endColumn": 902 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "lib/insecurity.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + "startColumn": 23, + "endColumn": 33 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 802, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoHardcodedCredentials/test", + "ruleIndex": 21, + "level": "note", + "message": { + "text": "Do not hardcode credentials in code. Found hardcoded credential used in register.", + "markdown": "Do not hardcode credentials in code. 
Found hardcoded credential used in {0}.", + "arguments": [ + "[register](0)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/api/2faSpec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 396, + "endLine": 396, + "startColumn": 22, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "0": "0df952e0c180c52854d6919b014e50ddb8fb548cc6cc101fcee86385a5618e7b", + "1": "306348b3.4773f344.607187b5.d7919eeb.79a7d027.f7edcf51.d79c4c07.382555c6.6bb676bb.4773f344.c9330245.d7919eeb.ff08c1e7.5fce695c.d79c4c07.d85bc50f" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "test/api/2faSpec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 396, + "endLine": 396, + "startColumn": 11, + "endColumn": 19 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 417, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/NoHardcodedCredentials/test", + "ruleIndex": 21, + "level": "note", + "message": { + "text": "Do not hardcode credentials in code. Found hardcoded credential used in register.", + "markdown": "Do not hardcode credentials in code. 
Found hardcoded credential used in {0}.", + "arguments": [ + "[register](0)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/api/2faSpec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 433, + "endLine": 433, + "startColumn": 22, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "0": "406af9b904e9b91700eb515b87979a86e7495640b3957ab2b0782b44aa4fbc0e", + "1": "306348b3.4773f344.607187b5.d7919eeb.79a7d027.f7edcf51.d79c4c07.382555c6.6bb676bb.4773f344.c9330245.d7919eeb.ff08c1e7.5fce695c.d79c4c07.d85bc50f" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "test/api/2faSpec.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 433, + "endLine": 433, + "startColumn": 11, + "endColumn": 19 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 417, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + } + ], + "properties": { + "coverage": [ + { + "isSupported": true, + "lang": "JavaScript", + "files": 15, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "TypeScript", + "files": 536, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "XML", + "files": 5, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "HTML", + "files": 75, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "Python", + "files": 3, + "type": "SUPPORTED" + }, + { + "isSupported": false, + "lang": "TypeScript", + "files": 35, + "type": "FAILED_PARSING" + }, + { + "isSupported": false, + "lang": "XML", + "files": 2, + "type": "FAILED_PARSING" + } + ] + } + } + ] + } + \ No newline at end of file 
diff --git a/unittests/scans/snyk/snykcontainer_issue_9270.json b/unittests/scans/snyk/snykcontainer_issue_9270.json
new file mode 100644
index 00000000000..0cc8316fbab
--- /dev/null
+++ b/unittests/scans/snyk/snykcontainer_issue_9270.json
@@ -0,0 +1,4041 @@ +{ + "vulnerabilities": [ + { + "id": "SNYK-DEBIAN11-GCC10-5901313", + "cpes": [], + "title": "CVE-2023-4039", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 4.8, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-4039", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-4039" + }, + { + "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "title": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64" + }, + { + "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", + "title": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2023-09-20T11:09:16.812999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2023-09-15T01:10:52.576715Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2023-11-08T09:43:38.403520Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gcc-10` package and not the `gcc-10` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\n\n\nA 
failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\n\n\n\n\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `gcc-10`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4039)\n- [arm-security@arm.com](https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64)\n- [arm-security@arm.com](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf)\n", + "epssDetails": { + "percentile": "0.14414", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-4039" + ], + "CWE": [], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "gcc-10", + "creationTime": "2023-09-14T00:55:43.720861Z", + "disclosureTime": "2023-09-13T09:15:15.690000Z", + "packageManager": "debian:11", + "publicationTime": "2023-09-14T00:54:21.518198Z", + "modificationTime": "2023-11-08T09:43:38.403520Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "gcc-10/libgcc-s1@10.2.1-6" + ], + "upgradePath": [], + "isUpgradable": false, + 
"isPatchable": false, + "name": "gcc-10/libgcc-s1", + "version": "10.2.1-6" + }, + { + "id": "SNYK-DEBIAN11-GCC10-5901313", + "cpes": [], + "title": "CVE-2023-4039", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 4.8, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-4039", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-4039" + }, + { + "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "title": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64" + }, + { + "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", + "title": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2023-09-20T11:09:16.812999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2023-09-15T01:10:52.576715Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2023-11-08T09:43:38.403520Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gcc-10` package and not the `gcc-10` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed 
versions and status._\n\n\n\nA failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\n\n\n\n\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `gcc-10`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4039)\n- [arm-security@arm.com](https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64)\n- [arm-security@arm.com](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf)\n", + "epssDetails": { + "percentile": "0.14414", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-4039" + ], + "CWE": [], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "gcc-10", + "creationTime": "2023-09-14T00:55:43.720861Z", + "disclosureTime": "2023-09-13T09:15:15.690000Z", + "packageManager": "debian:11", + "publicationTime": "2023-09-14T00:54:21.518198Z", + "modificationTime": "2023-11-08T09:43:38.403520Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "gcc-10/libstdc++6@10.2.1-6", + "gcc-10/libgcc-s1@10.2.1-6" + 
], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "gcc-10/libgcc-s1", + "version": "10.2.1-6" + }, + { + "id": "SNYK-DEBIAN11-GCC10-5901313", + "cpes": [], + "title": "CVE-2023-4039", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 4.8, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-4039", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-4039" + }, + { + "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "title": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64" + }, + { + "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", + "title": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2023-09-20T11:09:16.812999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2023-09-15T01:10:52.576715Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2023-11-08T09:43:38.403520Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gcc-10` package and not the `gcc-10` package as distributed by 
`Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\n\n\nA failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\n\n\n\n\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `gcc-10`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4039)\n- [arm-security@arm.com](https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64)\n- [arm-security@arm.com](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf)\n", + "epssDetails": { + "percentile": "0.14414", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-4039" + ], + "CWE": [], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "gcc-10", + "creationTime": "2023-09-14T00:55:43.720861Z", + "disclosureTime": "2023-09-13T09:15:15.690000Z", + "packageManager": "debian:11", + "publicationTime": "2023-09-14T00:54:21.518198Z", + "modificationTime": "2023-11-08T09:43:38.403520Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + 
"gcc-10/libgomp1@10.2.1-6" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "gcc-10/libgomp1", + "version": "10.2.1-6" + }, + { + "id": "SNYK-DEBIAN11-GCC10-5901313", + "cpes": [], + "title": "CVE-2023-4039", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 4.8, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-4039", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-4039" + }, + { + "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "title": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64" + }, + { + "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", + "title": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2023-09-20T11:09:16.812999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2023-09-15T01:10:52.576715Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2023-11-08T09:43:38.403520Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gcc-10` package and not the `gcc-10` package as 
distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\n\n\nA failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\n\n\n\n\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `gcc-10`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4039)\n- [arm-security@arm.com](https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64)\n- [arm-security@arm.com](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf)\n", + "epssDetails": { + "percentile": "0.14414", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-4039" + ], + "CWE": [], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "gcc-10", + "creationTime": "2023-09-14T00:55:43.720861Z", + "disclosureTime": "2023-09-13T09:15:15.690000Z", + "packageManager": "debian:11", + "publicationTime": "2023-09-14T00:54:21.518198Z", + "modificationTime": "2023-11-08T09:43:38.403520Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + "severityWithCritical": "low", + "from": [ + 
"docker-image|sarim04/juiceshop@latest", + "gcc-10/libstdc++6@10.2.1-6" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "gcc-10/libstdc++6", + "version": "10.2.1-6" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-532215", + "cpes": [], + "title": "Resource Management Errors", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 4.3, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2010-4756", + "title": "https://security-tracker.debian.org/tracker/CVE-2010-4756" + }, + { + "url": "http://cxib.net/stuff/glob-0day.c", + "title": "http://cxib.net/stuff/glob-0day.c" + }, + { + "url": "http://securityreason.com/achievement_securityalert/89", + "title": "http://securityreason.com/achievement_securityalert/89" + }, + { + "url": "http://securityreason.com/exploitalert/9223", + "title": "http://securityreason.com/exploitalert/9223" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=681681", + "title": "https://bugzilla.redhat.com/show_bug.cgi?id=681681" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", + "title": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 4.3, + "modificationTime": "2023-02-09T11:23:31.120244Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T09:41:21.515733Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only 
to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-4756)\n- [http://cxib.net/stuff/glob-0day.c](http://cxib.net/stuff/glob-0day.c)\n- [http://securityreason.com/achievement_securityalert/89](http://securityreason.com/achievement_securityalert/89)\n- [http://securityreason.com/exploitalert/9223](http://securityreason.com/exploitalert/9223)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=681681)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756)\n", + "epssDetails": { + "percentile": "0.79904", + "probability": "0.00824", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2010-4756" + ], + "CWE": [ + "CWE-399" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "glibc", + "creationTime": "2020-08-19T09:32:45.970155Z", + "disclosureTime": "2011-03-02T20:00:00Z", + "packageManager": "debian:11", + "publicationTime": "2011-03-02T20:00:00Z", + "modificationTime": "2023-11-08T09:41:21.515733Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-5894105", + "cpes": [], + "title": "Use 
After Free", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.9, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-4806", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-4806" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4806", + "title": "https://access.redhat.com/security/cve/CVE-2023-4806" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237782", + "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2237782" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/4", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/4" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/5", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/5" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/6", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/6" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/8", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/8" + }, + { + "url": "https://security.gentoo.org/glsa/202310-03", + "title": "https://security.gentoo.org/glsa/202310-03" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/", + "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/", + "title": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/", + "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5453", + "title": "https://access.redhat.com/errata/RHSA-2023:5453" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5455", + "title": "https://access.redhat.com/errata/RHSA-2023:5455" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7409", + "title": "https://access.redhat.com/errata/RHSA-2023:7409" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-09-27T01:10:58.963846Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-11-08T09:44:04.286569Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nA flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. 
The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4806)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-4806)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2237782)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/4)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/5)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/6)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/8)\n- [secalert@redhat.com](https://security.gentoo.org/glsa/202310-03)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5453)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5455)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:7409)\n", + "epssDetails": { + "percentile": "0.40141", + "probability": "0.00097", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-4806" + ], + "CWE": [ + "CWE-416" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "glibc", + "creationTime": "2023-09-13T13:01:01.946655Z", + "disclosureTime": "2023-09-18T17:15:55.813000Z", + "packageManager": 
"debian:11", + "publicationTime": "2023-09-13T13:01:01.926030Z", + "modificationTime": "2023-11-08T09:44:04.286569Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-5894112", + "cpes": [], + "title": "Use After Free", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.9, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-4813", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-4813" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4813", + "title": "https://access.redhat.com/security/cve/CVE-2023-4813" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237798", + "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2237798" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/8", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/8" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5453", + "title": "https://access.redhat.com/errata/RHSA-2023:5453" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5455", + "title": "https://access.redhat.com/errata/RHSA-2023:5455" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231110-0003/", + "title": "https://security.netapp.com/advisory/ntap-20231110-0003/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7409", + "title": 
"https://access.redhat.com/errata/RHSA-2023:7409" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-09-21T01:10:58.024645Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-10-12T11:02:48.940818Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-11-08T09:44:04.286614Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nA flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. 
This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4813)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-4813)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2237798)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/8)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5453)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5455)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20231110-0003/)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:7409)\n", + "epssDetails": { + "percentile": "0.41335", + "probability": "0.00102", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-4813" + ], + "CWE": [ + "CWE-416" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "glibc", + "creationTime": "2023-09-13T13:01:46.841726Z", + "disclosureTime": "2023-09-12T22:15:08.277000Z", + "packageManager": "debian:11", + "publicationTime": "2023-09-13T13:01:32.099229Z", + "modificationTime": "2023-11-08T09:44:04.286614Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-521063", + "cpes": [], + "title": "Out-of-Bounds", + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + 
"patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 9.8, + "malicious": false, + "isDisputed": true, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", + "title": "https://security-tracker.debian.org/tracker/CVE-2019-1010022" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", + "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850%23c3", + "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850%23c3" + }, + { + "url": "https://ubuntu.com/security/CVE-2019-1010022", + "title": "https://ubuntu.com/security/CVE-2019-1010022" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-01-03T17:53:20.558676Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010022)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22850)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010022)\n", + "epssDetails": { + "percentile": "0.68021", + "probability": "0.00335", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-1010022" + ], + "CWE": [ + "CWE-119" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "critical", + "packageName": "glibc", + "creationTime": "2020-08-19T09:35:26.761208Z", + "disclosureTime": "2019-07-15T04:15:00Z", + "packageManager": "debian:11", + "publicationTime": "2019-07-24T09:33:32.251091Z", + "modificationTime": "2022-10-26T02:04:58.132579Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-521199", + "cpes": [], + "title": "Uncontrolled Recursion", + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 7.5, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2019-9192", + "title": "https://security-tracker.debian.org/tracker/CVE-2019-9192" + }, + { + "url": 
"https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" + }, + { + "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192", + "title": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192" + }, + { + "url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-01-03T18:01:31.673539Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-9192)\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24269)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192)\n- [cve@mitre.org](https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS)\n", + "epssDetails": { + "percentile": "0.43326", + "probability": "0.00108", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-9192" + ], + "CWE": [ + "CWE-674" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "high", + "packageName": "glibc", + "creationTime": "2020-08-19T09:34:51.325920Z", + "disclosureTime": "2019-02-26T18:29:00Z", + "packageManager": "debian:11", + "publicationTime": "2019-02-26T18:29:00Z", + "modificationTime": "2022-10-26T02:05:07.667771Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-522385", + "cpes": [], + "title": "Use of Insufficiently Random Values", + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.3, + "malicious": false, + "isDisputed": false, + "references": [ + { + 
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010025", + "title": "https://security-tracker.debian.org/tracker/CVE-2019-1010025" + }, + { + "url": "https://support.f5.com/csp/article/K06046097", + "title": "https://support.f5.com/csp/article/K06046097" + }, + { + "url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22853", + "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22853" + }, + { + "url": "https://ubuntu.com/security/CVE-2019-1010025", + "title": "https://ubuntu.com/security/CVE-2019-1010025" + }, + { + "url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2022-01-03T17:53:25.533412Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 2.9, + "modificationTime": "2023-11-08T09:41:53.285202Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. 
NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010025)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22853)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010025)\n- [josh@bress.net](https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS)\n", + "epssDetails": { + "percentile": "0.63157", + "probability": "0.00255", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-1010025" + ], + "CWE": [ + "CWE-330" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "glibc", + "creationTime": "2020-08-19T09:35:27.035439Z", + "disclosureTime": "2019-07-15T04:15:00Z", + "packageManager": "debian:11", + "publicationTime": "2019-07-24T09:33:59.230537Z", + "modificationTime": "2023-11-08T09:41:53.285202Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-529848", + "cpes": [], + "title": "Information Exposure", + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.3, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": 
"https://security-tracker.debian.org/tracker/CVE-2019-1010024", + "title": "https://security-tracker.debian.org/tracker/CVE-2019-1010024" + }, + { + "url": "https://support.f5.com/csp/article/K06046097", + "title": "https://support.f5.com/csp/article/K06046097" + }, + { + "url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", + "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22852" + }, + { + "url": "http://www.securityfocus.com/bid/109162", + "title": "http://www.securityfocus.com/bid/109162" + }, + { + "url": "https://ubuntu.com/security/CVE-2019-1010024", + "title": "https://ubuntu.com/security/CVE-2019-1010024" + }, + { + "url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2022-01-03T17:53:36.633029Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T09:41:53.283850Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. 
NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010024)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22852)\n- [Security Focus](http://www.securityfocus.com/bid/109162)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010024)\n- [josh@bress.net](https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS)\n", + "epssDetails": { + "percentile": "0.88369", + "probability": "0.02258", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-1010024" + ], + "CWE": [ + "CWE-200" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "glibc", + "creationTime": "2020-08-19T09:35:29.535158Z", + "disclosureTime": "2019-07-15T04:15:00Z", + "packageManager": "debian:11", + "publicationTime": "2019-07-24T09:44:44.882448Z", + "modificationTime": "2023-11-08T09:41:53.283850Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-531451", + "cpes": [], + "title": "CVE-2019-1010023", + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 8.8, + 
"malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010023", + "title": "https://security-tracker.debian.org/tracker/CVE-2019-1010023" + }, + { + "url": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "title": "https://sourceware.org/bugzilla/show_bug.cgi?id=22851" + }, + { + "url": "http://www.securityfocus.com/bid/109167", + "title": "http://www.securityfocus.com/bid/109167" + }, + { + "url": "https://ubuntu.com/security/CVE-2019-1010023", + "title": "https://ubuntu.com/security/CVE-2019-1010023" + }, + { + "url": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2022-01-03T17:53:36.820375Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.8, + "modificationTime": "2023-11-08T09:41:53.271238Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nGNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. 
NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010023)\n- [CONFIRM](https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22851)\n- [Security Focus](http://www.securityfocus.com/bid/109167)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010023)\n- [josh@bress.net](https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS)\n", + "epssDetails": { + "percentile": "0.82602", + "probability": "0.01081", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-1010023" + ], + "CWE": [], + "ALTERNATIVE": [] + }, + "nvdSeverity": "high", + "packageName": "glibc", + "creationTime": "2020-08-19T09:35:27.642271Z", + "disclosureTime": "2019-07-15T04:15:00Z", + "packageManager": "debian:11", + "publicationTime": "2019-07-24T09:36:38.241516Z", + "modificationTime": "2023-11-08T09:41:53.271238Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-531492", + "cpes": [], + "title": "Uncontrolled Recursion", + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 7.5, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": 
"https://security-tracker.debian.org/tracker/CVE-2018-20796", + "title": "https://security-tracker.debian.org/tracker/CVE-2018-20796" + }, + { + "url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS" + }, + { + "url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", + "title": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", + "title": "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20190315-0002/", + "title": "https://security.netapp.com/advisory/ntap-20190315-0002/" + }, + { + "url": "http://www.securityfocus.com/bid/107160", + "title": "http://www.securityfocus.com/bid/107160" + }, + { + "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796", + "title": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796" + }, + { + "url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS", + "title": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-01-03T16:26:27.939810Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T09:41:53.328123Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nIn the GNU C Library (aka glibc or 
libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2018-20796)\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141)\n- [MISC](https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Security Focus](http://www.securityfocus.com/bid/107160)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796)\n- [cve@mitre.org](https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS)\n", + "epssDetails": { + "percentile": "0.77618", + "probability": "0.00678", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-20796" + ], + "CWE": [ + "CWE-674" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "high", + "packageName": "glibc", + "creationTime": "2020-08-19T09:34:51.493703Z", + "disclosureTime": "2019-02-26T02:29:00Z", + "packageManager": "debian:11", + "publicationTime": "2019-02-26T02:29:00Z", + "modificationTime": "2023-11-08T09:41:53.328123Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-532215", + "cpes": [], + "title": "Resource Management Errors", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ 
+ "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 4.3, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2010-4756", + "title": "https://security-tracker.debian.org/tracker/CVE-2010-4756" + }, + { + "url": "http://cxib.net/stuff/glob-0day.c", + "title": "http://cxib.net/stuff/glob-0day.c" + }, + { + "url": "http://securityreason.com/achievement_securityalert/89", + "title": "http://securityreason.com/achievement_securityalert/89" + }, + { + "url": "http://securityreason.com/exploitalert/9223", + "title": "http://securityreason.com/exploitalert/9223" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=681681", + "title": "https://bugzilla.redhat.com/show_bug.cgi?id=681681" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", + "title": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 4.3, + "modificationTime": "2023-02-09T11:23:31.120244Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T09:41:21.515733Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions 
in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-4756)\n- [http://cxib.net/stuff/glob-0day.c](http://cxib.net/stuff/glob-0day.c)\n- [http://securityreason.com/achievement_securityalert/89](http://securityreason.com/achievement_securityalert/89)\n- [http://securityreason.com/exploitalert/9223](http://securityreason.com/exploitalert/9223)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=681681)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756)\n", + "epssDetails": { + "percentile": "0.79904", + "probability": "0.00824", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2010-4756" + ], + "CWE": [ + "CWE-399" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "glibc", + "creationTime": "2020-08-19T09:32:45.970155Z", + "disclosureTime": "2011-03-02T20:00:00Z", + "packageManager": "debian:11", + "publicationTime": "2011-03-02T20:00:00Z", + "modificationTime": "2023-11-08T09:41:21.515733Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-5894105", + "cpes": [], + "title": "Use After Free", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.9, + "malicious": false, + "isDisputed": false, + "references": [ + { + 
"url": "https://security-tracker.debian.org/tracker/CVE-2023-4806", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-4806" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4806", + "title": "https://access.redhat.com/security/cve/CVE-2023-4806" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237782", + "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2237782" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/4", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/4" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/5", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/5" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/6", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/6" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/8", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/8" + }, + { + "url": "https://security.gentoo.org/glsa/202310-03", + "title": "https://security.gentoo.org/glsa/202310-03" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/", + "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/", + "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/", + "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/" + 
}, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5453", + "title": "https://access.redhat.com/errata/RHSA-2023:5453" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5455", + "title": "https://access.redhat.com/errata/RHSA-2023:5455" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7409", + "title": "https://access.redhat.com/errata/RHSA-2023:7409" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-09-27T01:10:58.963846Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-11-08T09:44:04.286569Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nA flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. 
The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4806)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-4806)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2237782)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/4)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/5)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/6)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/8)\n- [secalert@redhat.com](https://security.gentoo.org/glsa/202310-03)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/)\n- [secalert@redhat.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5453)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5455)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:7409)\n", + "epssDetails": { + "percentile": "0.40141", + "probability": "0.00097", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-4806" + ], + "CWE": [ + "CWE-416" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "glibc", + "creationTime": "2023-09-13T13:01:01.946655Z", + "disclosureTime": "2023-09-18T17:15:55.813000Z", + "packageManager": 
"debian:11", + "publicationTime": "2023-09-13T13:01:01.926030Z", + "modificationTime": "2023-11-08T09:44:04.286569Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-GLIBC-5894112", + "cpes": [], + "title": "Use After Free", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.9, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-4813", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-4813" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4813", + "title": "https://access.redhat.com/security/cve/CVE-2023-4813" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237798", + "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2237798" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/03/8", + "title": "http://www.openwall.com/lists/oss-security/2023/10/03/8" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5453", + "title": "https://access.redhat.com/errata/RHSA-2023:5453" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5455", + "title": "https://access.redhat.com/errata/RHSA-2023:5455" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231110-0003/", + "title": "https://security.netapp.com/advisory/ntap-20231110-0003/" + }, + { + "url": 
"https://access.redhat.com/errata/RHSA-2023:7409", + "title": "https://access.redhat.com/errata/RHSA-2023:7409" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-09-21T01:10:58.024645Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-10-12T11:02:48.940818Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-11-08T09:44:04.286614Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nA flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. 
This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.\n## Remediation\nThere is no fixed version for `Debian:11` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-4813)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-4813)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2237798)\n- [secalert@redhat.com](http://www.openwall.com/lists/oss-security/2023/10/03/8)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5453)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:5455)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20231110-0003/)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:7409)\n", + "epssDetails": { + "percentile": "0.41335", + "probability": "0.00102", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-4813" + ], + "CWE": [ + "CWE-416" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "glibc", + "creationTime": "2023-09-13T13:01:46.841726Z", + "disclosureTime": "2023-09-12T22:15:08.277000Z", + "packageManager": "debian:11", + "publicationTime": "2023-09-13T13:01:32.099229Z", + "modificationTime": "2023-11-08T09:44:04.286614Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1", + "glibc/libc6@2.31-13+deb11u7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "glibc/libc6", + "version": "2.31-13+deb11u7" + }, + { + "id": "SNYK-DEBIAN11-OPENSSL-518334", + "cpes": [], + "title": "Cryptographic Issues", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, 
+ "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.4, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2007-6755", + "title": "https://security-tracker.debian.org/tracker/CVE-2007-6755" + }, + { + "url": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", + "title": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/" + }, + { + "url": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", + "title": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html" + }, + { + "url": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html", + "title": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html" + }, + { + "url": "http://rump2007.cr.yp.to/15-shumow.pdf", + "title": "http://rump2007.cr.yp.to/15-shumow.pdf" + }, + { + "url": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/", + "title": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/" + }, + { + "url": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html", + "title": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html" + }, + { + "url": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect", + "title": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect" + }, + { + "url": "http://www.securityfocus.com/bid/63657", + "title": "http://www.securityfocus.com/bid/63657" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 5.4, + "modificationTime": 
"2023-02-09T11:25:00.865086Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 5.4, + "modificationTime": "2023-11-08T09:41:50.005364Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- 
[http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n- [http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n", + "epssDetails": { + "percentile": "0.76307", + "probability": "0.00614", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2007-6755" + ], + "CWE": [ + "CWE-310" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "openssl", + "creationTime": "2020-08-19T09:23:31.735743Z", + "disclosureTime": "2013-10-11T22:55:00Z", + "packageManager": "debian:11", + "publicationTime": "2013-10-11T22:55:00Z", + "modificationTime": "2023-11-08T09:41:50.005364Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl/libssl1.1@1.1.1w-0+deb11u1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "openssl/libssl1.1", + "version": "1.1.1w-0+deb11u1" + }, + { + "id": "SNYK-DEBIAN11-OPENSSL-525332", + "cpes": [], + "title": "Cryptographic Issues", + "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.1, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2010-0928", + "title": "https://security-tracker.debian.org/tracker/CVE-2010-0928" + }, + { + "url": 
"http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", + "title": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/" + }, + { + "url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", + "title": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf" + }, + { + "url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html", + "title": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html" + }, + { + "url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/", + "title": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/" + }, + { + "url": "http://xforce.iss.net/xforce/xfdb/56750", + "title": "http://xforce.iss.net/xforce/xfdb/56750" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750", + "title": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750" + }, + { + "url": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf", + "title": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.1, + "modificationTime": "2023-02-09T11:22:59.868606Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply 
voltage for the microprocessor, related to a "fault-based attack."\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [cve@mitre.org](http://www.osvdb.org/62808)\n- [cve@mitre.org](http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf)\n", + "epssDetails": { + "percentile": "0.27307", + "probability": "0.00066", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2010-0928" + ], + "CWE": [ + "CWE-310" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "openssl", + "creationTime": "2020-08-19T09:30:53.411236Z", + "disclosureTime": "2010-03-05T19:30:00Z", + "packageManager": "debian:11", + "publicationTime": "2010-03-05T19:30:00Z", + "modificationTime": "2023-02-10T13:11:38.644692Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl/libssl1.1@1.1.1w-0+deb11u1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "openssl/libssl1.1", + "version": "1.1.1w-0+deb11u1" + }, 
+ { + "id": "SNYK-DEBIAN11-OPENSSL-6048819", + "cpes": [], + "title": "Improper Check for Unusual or Exceptional Conditions", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.3, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-5678", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-5678" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt", + "title": "https://www.openssl.org/news/secadv/20231106.txt" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2", + "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231130-0010/", + "title": 
"https://security.netapp.com/advisory/ntap-20231130-0010/" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T13:48:19.543999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-22T01:10:47.412869Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-22T11:02:51.571843Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. 
Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-5678)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231130-0010/)\n", + "epssDetails": { + "percentile": "0.33119", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5678" + ], + "CWE": [ + "CWE-754" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "openssl", + "creationTime": "2023-11-07T02:36:49.140701Z", + "disclosureTime": "2023-11-06T16:15:42.670000Z", + "packageManager": "debian:11", + "publicationTime": "2023-11-07T02:33:36.224937Z", + "modificationTime": "2023-11-22T11:02:51.571843Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + 
"severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl/libssl1.1@1.1.1w-0+deb11u1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "openssl/libssl1.1", + "version": "1.1.1w-0+deb11u1" + }, + { + "id": "SNYK-DEBIAN11-OPENSSL-518334", + "cpes": [], + "title": "Cryptographic Issues", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.4, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2007-6755", + "title": "https://security-tracker.debian.org/tracker/CVE-2007-6755" + }, + { + "url": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", + "title": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/" + }, + { + "url": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", + "title": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html" + }, + { + "url": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html", + "title": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html" + }, + { + "url": "http://rump2007.cr.yp.to/15-shumow.pdf", + "title": "http://rump2007.cr.yp.to/15-shumow.pdf" + }, + { + "url": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/", + "title": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/" + }, + { + "url": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html", + "title": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html" + }, + { + "url": 
"http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect", + "title": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect" + }, + { + "url": "http://www.securityfocus.com/bid/63657", + "title": "http://www.securityfocus.com/bid/63657" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 5.4, + "modificationTime": "2023-02-09T11:25:00.865086Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 5.4, + "modificationTime": "2023-11-08T09:41:50.005364Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. 
NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n- [http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n", + "epssDetails": { + "percentile": "0.76307", + "probability": "0.00614", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2007-6755" + ], + "CWE": [ + "CWE-310" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "openssl", + "creationTime": "2020-08-19T09:23:31.735743Z", + "disclosureTime": "2013-10-11T22:55:00Z", + "packageManager": "debian:11", + "publicationTime": "2013-10-11T22:55:00Z", + "modificationTime": 
"2023-11-08T09:41:50.005364Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "openssl/libssl1.1", + "version": "1.1.1w-0+deb11u1" + }, + { + "id": "SNYK-DEBIAN11-OPENSSL-525332", + "cpes": [], + "title": "Cryptographic Issues", + "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.1, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2010-0928", + "title": "https://security-tracker.debian.org/tracker/CVE-2010-0928" + }, + { + "url": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", + "title": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/" + }, + { + "url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", + "title": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf" + }, + { + "url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html", + "title": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html" + }, + { + "url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/", + "title": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/" + }, + { + "url": "http://xforce.iss.net/xforce/xfdb/56750", + "title": "http://xforce.iss.net/xforce/xfdb/56750" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750", + "title": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750" + 
}, + { + "url": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf", + "title": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.1, + "modificationTime": "2023-02-09T11:22:59.868606Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n- [X-force Vulnerability 
Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [cve@mitre.org](http://www.osvdb.org/62808)\n- [cve@mitre.org](http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf)\n", + "epssDetails": { + "percentile": "0.27307", + "probability": "0.00066", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2010-0928" + ], + "CWE": [ + "CWE-310" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "openssl", + "creationTime": "2020-08-19T09:30:53.411236Z", + "disclosureTime": "2010-03-05T19:30:00Z", + "packageManager": "debian:11", + "publicationTime": "2010-03-05T19:30:00Z", + "modificationTime": "2023-02-10T13:11:38.644692Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "openssl/libssl1.1", + "version": "1.1.1w-0+deb11u1" + }, + { + "id": "SNYK-DEBIAN11-OPENSSL-6048819", + "cpes": [], + "title": "Improper Check for Unusual or Exceptional Conditions", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.3, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-5678", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-5678" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": 
"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt", + "title": "https://www.openssl.org/news/secadv/20231106.txt" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2", + "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231130-0010/", + "title": "https://security.netapp.com/advisory/ntap-20231130-0010/" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T13:48:19.543999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-22T01:10:47.412869Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-22T11:02:51.571843Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for 
`Debian:11` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-5678)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231130-0010/)\n", + "epssDetails": { + "percentile": "0.33119", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5678" + ], + "CWE": [ + "CWE-754" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "openssl", + "creationTime": "2023-11-07T02:36:49.140701Z", + "disclosureTime": "2023-11-06T16:15:42.670000Z", + "packageManager": "debian:11", + "publicationTime": "2023-11-07T02:33:36.224937Z", + "modificationTime": "2023-11-22T11:02:51.571843Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + 
"severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1", + "openssl/libssl1.1@1.1.1w-0+deb11u1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "openssl/libssl1.1", + "version": "1.1.1w-0+deb11u1" + }, + { + "id": "SNYK-DEBIAN11-OPENSSL-518334", + "cpes": [], + "title": "Cryptographic Issues", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.4, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2007-6755", + "title": "https://security-tracker.debian.org/tracker/CVE-2007-6755" + }, + { + "url": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", + "title": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/" + }, + { + "url": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", + "title": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html" + }, + { + "url": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html", + "title": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html" + }, + { + "url": "http://rump2007.cr.yp.to/15-shumow.pdf", + "title": "http://rump2007.cr.yp.to/15-shumow.pdf" + }, + { + "url": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/", + "title": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/" + }, + { + "url": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html", + "title": 
"https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html" + }, + { + "url": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect", + "title": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect" + }, + { + "url": "http://www.securityfocus.com/bid/63657", + "title": "http://www.securityfocus.com/bid/63657" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 5.4, + "modificationTime": "2023-02-09T11:25:00.865086Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 5.4, + "modificationTime": "2023-11-08T09:41:50.005364Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. 
NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n- [http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n", + "epssDetails": { + "percentile": "0.76307", + "probability": "0.00614", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2007-6755" + ], + "CWE": [ + "CWE-310" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "openssl", + "creationTime": "2020-08-19T09:23:31.735743Z", + "disclosureTime": "2013-10-11T22:55:00Z", + "packageManager": "debian:11", + "publicationTime": "2013-10-11T22:55:00Z", + "modificationTime": 
"2023-11-08T09:41:50.005364Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "openssl", + "version": "1.1.1w-0+deb11u1" + }, + { + "id": "SNYK-DEBIAN11-OPENSSL-525332", + "cpes": [], + "title": "Cryptographic Issues", + "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.1, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2010-0928", + "title": "https://security-tracker.debian.org/tracker/CVE-2010-0928" + }, + { + "url": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", + "title": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/" + }, + { + "url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", + "title": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf" + }, + { + "url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html", + "title": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html" + }, + { + "url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/", + "title": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/" + }, + { + "url": "http://xforce.iss.net/xforce/xfdb/56750", + "title": "http://xforce.iss.net/xforce/xfdb/56750" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750", + "title": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750" + }, + { + "url": 
"http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf", + "title": "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.1, + "modificationTime": "2023-02-09T11:22:59.868606Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n- [X-force Vulnerability 
Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [cve@mitre.org](http://www.osvdb.org/62808)\n- [cve@mitre.org](http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf)\n", + "epssDetails": { + "percentile": "0.27307", + "probability": "0.00066", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2010-0928" + ], + "CWE": [ + "CWE-310" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "openssl", + "creationTime": "2020-08-19T09:30:53.411236Z", + "disclosureTime": "2010-03-05T19:30:00Z", + "packageManager": "debian:11", + "publicationTime": "2010-03-05T19:30:00Z", + "modificationTime": "2023-02-10T13:11:38.644692Z", + "socialTrendAlert": false, + "relativeImportance": "unimportant", + "severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "openssl", + "version": "1.1.1w-0+deb11u1" + }, + { + "id": "SNYK-DEBIAN11-OPENSSL-6048819", + "cpes": [], + "title": "Improper Check for Unusual or Exceptional Conditions", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "" + ], + "semver": { + "vulnerable": [ + "*" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "linux", + "severity": "low", + "cvssScore": 5.3, + "malicious": false, + "isDisputed": false, + "references": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-5678", + "title": "https://security-tracker.debian.org/tracker/CVE-2023-5678" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": 
"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "title": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt", + "title": "https://www.openssl.org/news/secadv/20231106.txt" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2", + "title": "http://www.openwall.com/lists/oss-security/2023/11/06/2" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231130-0010/", + "title": "https://security.netapp.com/advisory/ntap-20231130-0010/" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T13:48:19.543999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-22T01:10:47.412869Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-22T11:02:51.571843Z" + } + ], + "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian`._\n_See `How to fix?` for 
`Debian:11` relevant fixed versions and status._\n\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n"-pubcheck" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n\n## Remediation\nThere is no fixed version for `Debian:11` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-5678)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20231106.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/11/06/2)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20231130-0010/)\n", + "epssDetails": { + "percentile": "0.33119", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5678" + ], + "CWE": [ + "CWE-754" + ], + "ALTERNATIVE": [] + }, + "nvdSeverity": "medium", + "packageName": "openssl", + "creationTime": "2023-11-07T02:36:49.140701Z", + "disclosureTime": "2023-11-06T16:15:42.670000Z", + "packageManager": "debian:11", + "publicationTime": "2023-11-07T02:33:36.224937Z", + "modificationTime": "2023-11-22T11:02:51.571843Z", + "socialTrendAlert": false, + "relativeImportance": "minor issue", + 
"severityWithCritical": "low", + "from": [ + "docker-image|sarim04/juiceshop@latest", + "openssl@1.1.1w-0+deb11u1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "openssl", + "version": "1.1.1w-0+deb11u1" + } + ], + "ok": false, + "dependencyCount": 9, + "org": "sarim04", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", 
+ "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "deb", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "docker": { + "binariesVulns": { + "issuesData": {}, + "affectedPkgs": {} + } + }, + "summary": "67 vulnerable dependency paths", + "filesystemPolicy": false, + "filtered": { + "ignore": [], + "patch": [] + }, + "uniqueCount": 13, + "projectName": "docker-image|sarim04/juiceshop", + "platform": "linux/amd64", + "hasUnknownVersions": false, + "path": "sarim04/juiceshop:latest/juiceshop", + "applications": [ + { + "vulnerabilities": [ + { + "id": "SNYK-JS-EXPRESSJWT-575022", + "title": "Authorization Bypass", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "credit": [ + "IST Group" + ], + "semver": { + "vulnerable": [ + "<6.0.0" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "6.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "high", + "cvssScore": 7.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "express-jwt", + "references": [ + { + "url": "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 9.1, + "modificationTime": "2022-10-22T01:10:30.246806Z" + } + ], + "description": "## Overview\n[express-jwt](https://www.npmjs.com/package/express-jwt) is a JWT authentication middleware.\n\nAffected versions of this package are vulnerable to Authorization Bypass. The `algorithms` entry to be specified in the configuration is not being enforced. 
When `algorithms` is not specified in the configuration, with the combination of `jwks-rsa`, it may lead to authorization bypass.\n## Remediation\nUpgrade `express-jwt` to version 6.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef)\n", + "epssDetails": { + "percentile": "0.57214", + "probability": "0.00197", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-15084" + ], + "CWE": [ + "CWE-285" + ], + "GHSA": [ + "GHSA-6g6m-m6h5-w9gf" + ] + }, + "packageName": "express-jwt", + "proprietary": false, + "creationTime": "2020-07-01T09:33:11.790635Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-07-01T09:30:03Z", + "packageManager": "npm", + "publicationTime": "2020-07-01T15:32:36Z", + "modificationTime": "2022-10-22T01:10:30.246806Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "juice-shop@15.3.0", + "express-jwt@0.1.3" + ], + "upgradePath": [ + false, + "express-jwt@6.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "express-jwt", + "version": "0.1.3" + }, + { + "id": "SNYK-JS-JSONWEBTOKEN-3180022", + "title": "Improper Authentication", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "<9.0.0" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "9.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "medium", + "cvssScore": 6.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "jsonwebtoken", + "references": [ + { + "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": 
"high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "cvssV3BaseScore": 7.6, + "modificationTime": "2023-02-28T01:10:17.504751Z" + } + ], + "description": "## Overview\n[jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) is a JSON Web Token implementation (symmetric and asymmetric)\n\nAffected versions of this package are vulnerable to Improper Authentication such that the lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. \r\n\r\n## Exploitability\r\nUsers are affected only if all of the following conditions are true for the `jwt.verify()` function:\r\n\r\n1) A token with no signature is received.\r\n\r\n2) No algorithms are specified.\r\n\r\n3) A falsy (e.g., `null`, `false`, `undefined`) secret or key is passed.\n## Remediation\nUpgrade `jsonwebtoken` to version 9.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3)\n- [GitHub Release](https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0)\n", + "epssDetails": { + "percentile": "0.13102", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-23540" + ], + "CWE": [ + "CWE-287" + ], + "GHSA": [ + "GHSA-qwph-4952-7xr6" + ] + }, + "packageName": "jsonwebtoken", + "proprietary": false, + "creationTime": "2022-12-22T09:09:36.072853Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-12-22T03:32:59Z", + "packageManager": "npm", + "publicationTime": "2022-12-22T09:13:25.290846Z", + "modificationTime": "2023-02-28T01:10:17.504751Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "juice-shop@15.3.0", + "jsonwebtoken@0.4.0" + ], + "upgradePath": [ + false, + "jsonwebtoken@9.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "jsonwebtoken", + "version": 
"0.4.0" + }, + { + "id": "SNYK-JS-JSONWEBTOKEN-3180024", + "title": "Improper Restriction of Security Token Assignment", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "<9.0.0" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "9.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "jsonwebtoken", + "references": [ + { + "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 6.3, + "modificationTime": "2023-02-28T01:10:17.572355Z" + } + ], + "description": "## Overview\n[jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) is a JSON Web Token implementation (symmetric and asymmetric)\n\nAffected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the `secretOrPublicKey ` argument due to misconfigurations of the key retrieval function `jwt.verify()`. 
Exploiting this vulnerability might result in incorrect verification of forged tokens when tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm.\r\n\r\n**Note:**\r\nThis vulnerability affects your application if it supports the usage of both symmetric and asymmetric keys in `jwt.verify()` implementation with the same key retrieval function.\n## Remediation\nUpgrade `jsonwebtoken` to version 9.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3)\n- [GitHub Release](https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0)\n", + "epssDetails": { + "percentile": "0.19014", + "probability": "0.00053", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-23541" + ], + "CWE": [ + "CWE-1259" + ], + "GHSA": [ + "GHSA-hjrf-2m68-5959" + ] + }, + "packageName": "jsonwebtoken", + "proprietary": false, + "creationTime": "2022-12-22T09:14:27.155728Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-12-22T03:33:19Z", + "packageManager": "npm", + "publicationTime": "2022-12-22T09:16:03.621406Z", + "modificationTime": "2023-02-28T01:10:17.572355Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "juice-shop@15.3.0", + "jsonwebtoken@0.4.0" + ], + "upgradePath": [ + false, + "jsonwebtoken@9.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "jsonwebtoken", + "version": "0.4.0" + }, + { + "id": "SNYK-JS-JSONWEBTOKEN-3180026", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "<9.0.0" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "9.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "medium", + "cvssScore": 6.8, + "functions": [], + "malicious": false, + 
"isDisputed": false, + "moduleName": "jsonwebtoken", + "references": [ + { + "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 8.1, + "modificationTime": "2022-12-31T01:11:45.823807Z" + } + ], + "description": "## Overview\n[jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) is a JSON Web Token implementation (symmetric and asymmetric)\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm such that the library can be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm. \r\n\r\n## Exploitability\r\n\r\nUsers are affected when using an algorithm and a key type _other_ than the combinations mentioned below:\r\n\r\nEC: ES256, ES384, ES512\r\n \r\nRSA: RS256, RS384, RS512, PS256, PS384, PS512 \r\n\r\nRSA-PSS: PS256, PS384, PS512 \r\n\r\nAnd for Elliptic Curve algorithms:\r\n\r\nES256: prime256v1\r\n\r\nES384: secp384r1\r\n\r\nES512: secp521r1 \r\n\r\n## Workaround \r\n\r\nUsers who are unable to upgrade to the fixed version can use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility.\n## Remediation\nUpgrade `jsonwebtoken` to version 9.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3)\n- [GitHub Release](https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0)\n", + "epssDetails": { + "percentile": "0.17011", + "probability": "0.00050", + "modelVersion": 
"v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-23539" + ], + "CWE": [ + "CWE-327" + ], + "GHSA": [ + "GHSA-8cf7-32gw-wr33" + ] + }, + "packageName": "jsonwebtoken", + "proprietary": false, + "creationTime": "2022-12-22T09:19:03.430735Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-12-22T03:32:22Z", + "packageManager": "npm", + "publicationTime": "2022-12-22T10:32:50.173080Z", + "modificationTime": "2023-01-01T13:30:43.098324Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "juice-shop@15.3.0", + "jsonwebtoken@0.4.0" + ], + "upgradePath": [ + false, + "jsonwebtoken@9.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "jsonwebtoken", + "version": "0.4.0" + }, + { + "id": "npm:jsonwebtoken:20150331", + "title": "Authentication Bypass", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "Tim McLean" + ], + "semver": { + "vulnerable": [ + "<4.2.2" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "4.2.2" + ], + "patches": [ + { + "id": "patch:npm:jsonwebtoken:20150331:0", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/jsonwebtoken/20150331/jsonwebtoken_20150331_0_0_1bb584bc382295eeb7ee8c4452a673a77a68b687_snyk.patch" + ], + "version": "=4.0.0 || =4.1.0 || =4.2.1", + "comments": [], + "modificationTime": "2019-12-03T11:40:45.753281Z" + } + ], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "jsonwebtoken", + "references": [ + { + "url": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "title": "Auth0 Blog" + }, + { + "url": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/WinDyAlphA/CVE-2015-9235_JWT_key_confusion", + "title": "PoC" + }, + { + 
"url": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "title": "Tim McLean Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-01-03T17:48:53.018995Z" + } + ], + "description": "## Overview\r\n[`jsonwebtoken`](https://www.npmjs.com/package/jsonwebtoken) is a JSON Web token implementation for symmetric and asymmetric keys.\r\nAffected versions of this package are vulnerable to an Authentication Bypass attack, due to the \"algorithm\" not being enforced. Attackers are given the opportunity to choose the algorithm sent to the server and generate signatures with arbitrary contents. The server expects an asymmetric key (RSA) but is sent a symmetric key (HMAC-SHA) with RSA's public key, so instead of going through a key validation process, the server will think the public key is actually an HMAC private key.\r\n\r\n## Remediation\r\nUpgrade `jsonwebtoken` to version 4.2.2 or greater.\r\n\r\n## References\r\n- [GitHub Commit](https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687)\r\n- [Tim McLean Blog](https://www.timmclean.net/2015/02/25/jwt-alg-none.html)\r\n- [Auth0 Blog](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/)", + "epssDetails": { + "percentile": "0.75071", + "probability": "0.00559", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-9235" + ], + "CWE": [ + "CWE-592" + ], + "NSP": [ + "17" + ], + "GHSA": [ + "GHSA-c7hr-j4mj-j2w6" + ], + "ALTERNATIVE": [ + "SNYK-JS-JSONWEBTOKEN-10037" + ] + }, + "packageName": "jsonwebtoken", + "proprietary": false, + "creationTime": "2015-03-31T16:00:00Z", + "functions_new": [], + "alternativeIds": [ + "SNYK-JS-JSONWEBTOKEN-10037" + ], + "disclosureTime": "2015-03-31T16:00:00Z", + "packageManager": "npm", + "publicationTime": "2015-03-31T16:00:00Z", + 
"modificationTime": "2023-09-29T09:15:01.983455Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "juice-shop@15.3.0", + "jsonwebtoken@0.4.0" + ], + "upgradePath": [ + false, + "jsonwebtoken@5.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "jsonwebtoken", + "version": "0.4.0" + }, + { + "id": "SNYK-JS-SANITIZEHTML-1070780", + "title": "Validation Bypass", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P", + "credit": [ + "Ron Masas", + "Checkmarx" + ], + "semver": { + "vulnerable": [ + "<2.3.2" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "sanitize-html", + "references": [ + { + "url": "https://github.com/apostrophecms/sanitize-html/commit/6012524e7824a2c8f6782b2bc5f93b1261723403", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apostrophecms/sanitize-html/pull/460", + "title": "GitHub PR" + }, + { + "url": "https://advisory.checkmarx.net/advisory/CX-2021-4309", + "title": "POC: Potential Exploit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2022-01-03T16:36:59.234021Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T09:37:50.578095Z" + } + ], + "description": "## Overview\n[sanitize-html](https://github.com/punkave/sanitize-html) is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis\n\nAffected versions of this package are vulnerable to Validation Bypass. 
There is no proper validation of the hostnames set by the `allowedIframeHostnames` option when the `allowIframeRelativeUrls` is set to `true`. This allows attackers to bypass the hostname whitelist for the iframe element.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `sanitize-html` to version 2.3.2 or higher.\n## References\n- [GitHub Commit](https://github.com/apostrophecms/sanitize-html/commit/6012524e7824a2c8f6782b2bc5f93b1261723403)\n- [GitHub PR](https://github.com/apostrophecms/sanitize-html/pull/460)\n- [POC: Potential Exploit](https://advisory.checkmarx.net/advisory/CX-2021-4309)\n", + "epssDetails": { + "percentile": "0.48819", + "probability": "0.00137", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-26540" + ], + "CWE": [ + "CWE-20" + ], + "GHSA": [ + "GHSA-mjxr-4v3x-q3m4" + ] + }, + "packageName": "sanitize-html", + "proprietary": false, + "creationTime": "2021-02-09T08:21:52.232749Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-02-09T08:07:33Z", + 
"packageManager": "npm", + "publicationTime": "2021-02-09T16:34:45.881363Z", + "modificationTime": "2023-11-08T09:37:50.578095Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "juice-shop@15.3.0", + "sanitize-html@1.4.2" + ], + "upgradePath": [ + false, + "sanitize-html@2.3.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "sanitize-html", + "version": "1.4.2" + }, + { + "id": "SNYK-JS-SANITIZEHTML-1070786", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "Ron Masas", + "Checkmarx" + ], + "semver": { + "vulnerable": [ + "<2.3.1" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "sanitize-html", + "references": [ + { + "url": "https://github.com/apostrophecms/sanitize-html/pull/458", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2022-04-27T01:10:36.338203Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T09:37:50.738101Z" + } + ], + "description": "## Overview\n[sanitize-html](https://github.com/punkave/sanitize-html) is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. Internationalized domain name (IDN) is not properly handled. 
This allows attackers to bypass hostname whitelist validation set by the `allowedIframeHostnames` option.\n## Remediation\nUpgrade `sanitize-html` to version 2.3.1 or higher.\n## References\n- [GitHub PR](https://github.com/apostrophecms/sanitize-html/pull/458)\n", + "epssDetails": { + "percentile": "0.48819", + "probability": "0.00137", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-26539" + ], + "CWE": [ + "CWE-20" + ], + "GHSA": [ + "GHSA-rjqq-98f6-6j3r" + ] + }, + "packageName": "sanitize-html", + "proprietary": false, + "creationTime": "2021-02-09T08:37:16.368073Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-02-09T08:21:55Z", + "packageManager": "npm", + "publicationTime": "2021-02-09T16:34:49Z", + "modificationTime": "2023-11-08T09:37:50.738101Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "juice-shop@15.3.0", + "sanitize-html@1.4.2" + ], + "upgradePath": [ + false, + "sanitize-html@2.3.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "sanitize-html", + "version": "1.4.2" + }, + { + "id": "SNYK-JS-SANITIZEHTML-2957526", + "title": "Regular Expression Denial of Service (ReDoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Nariyoshi Chida of NTT Security Japan" + ], + "semver": { + "vulnerable": [ + "<2.7.1" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "sanitize-html", + "references": [ + { + "url": "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apostrophecms/sanitize-html/pull/557", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", 
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-09-02T01:11:51.670814Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T09:37:50.786715Z" + } + ], + "description": "## Overview\n[sanitize-html](https://github.com/punkave/sanitize-html) is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). 
The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `sanitize-html` to version 2.7.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c)\n- [GitHub PR](https://github.com/apostrophecms/sanitize-html/pull/557)\n", + "epssDetails": { + "percentile": "0.44428", + "probability": "0.00112", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-25887" + ], + "CWE": [ + "CWE-1333" + ] + }, + "packageName": "sanitize-html", + "proprietary": true, + "creationTime": "2022-07-21T08:00:56.827849Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-07-21T07:37:40Z", + "packageManager": "npm", + "publicationTime": "2022-08-29T13:28:12.439235Z", + "modificationTime": "2023-11-08T09:37:50.786715Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "juice-shop@15.3.0", + "sanitize-html@1.4.2" + ], + "upgradePath": [ + false, + "sanitize-html@2.7.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "sanitize-html", + "version": "1.4.2" + }, + { + "id": "SNYK-JS-SANITIZEHTML-585892", 
+ "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", + "credit": [ + "mikesamuel" + ], + "semver": { + "vulnerable": [ + "<2.0.0-beta" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.0.0-beta" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "critical", + "cvssScore": 9.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "sanitize-html", + "references": [ + { + "url": "https://github.com/apostrophecms/sanitize-html/pull/156", + "title": "GitHub PR" + } + ], + "cvssDetails": [], + "description": "## Overview\n[sanitize-html](https://github.com/punkave/sanitize-html) is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. Tag transformations which turn an attribute value into a text node using `transformTags` could be vulnerable to code execution.\n## Remediation\nUpgrade `sanitize-html` to version 2.0.0-beta or higher.\n## References\n- [GitHub PR](https://github.com/apostrophecms/sanitize-html/pull/156)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "sanitize-html", + "proprietary": false, + "creationTime": "2020-07-17T15:02:43.082824Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-09-07T09:46:18Z", + "packageManager": "npm", + "publicationTime": "2020-09-07T09:46:10Z", + "modificationTime": "2020-09-07T15:37:06.961614Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "juice-shop@15.3.0", + "sanitize-html@1.4.2" + ], + "upgradePath": [ + false, + "sanitize-html@2.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "sanitize-html", + "version": "1.4.2" + }, + { + "id": "npm:sanitize-html:20141024", + "title": "Cross-site Scripting 
(XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "<1.4.3" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.4.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "sanitize-html", + "references": [ + { + "url": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "title": "CVE" + }, + { + "url": "https://github.com/punkave/sanitize-html/issues/29", + "title": "GitHub Issue" + }, + { + "url": "https://nodesecurity.io/advisories/135", + "title": "Node Security Advisories" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2022-01-03T17:40:52.414772Z" + } + ], + "description": "## Overview\r\n\r\nSince the sanitize-html module trusts 'text' coming from htmlparser2, and outputs it without further escaping (because htmlparser2 does not decode entities in text before delivering it), this results in an XSS attack vector if sanitize-html ignores the img tag (according to user-configured filter rules) but passes the text intact, as it must do to keep any text in documents.\r\n\r\n\r\n## References\r\n- https://github.com/punkave/sanitize-html/issues/29", + "epssDetails": { + "percentile": "0.47924", + "probability": "0.00132", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-1000237" + ], + "CWE": [ + "CWE-79" + ], + "GHSA": [ + "GHSA-3j7m-hmh3-9jmp" + ], + "ALTERNATIVE": [ + "SNYK-JS-SANITIZEHTML-10048" + ] + }, + "packageName": "sanitize-html", + "proprietary": false, + "creationTime": "2015-11-06T02:09:36.180000Z", + "functions_new": [], + "alternativeIds": [ + "SNYK-JS-SANITIZEHTML-10048" + ], + 
"disclosureTime": "2015-11-06T02:09:36Z", + "packageManager": "npm", + "publicationTime": "2015-11-06T02:09:36Z", + "modificationTime": "2022-01-03T17:40:52.414772Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "juice-shop@15.3.0", + "sanitize-html@1.4.2" + ], + "upgradePath": [ + false, + "sanitize-html@1.4.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "sanitize-html", + "version": "1.4.2" + }, + { + "id": "npm:sanitize-html:20160801", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "credit": [ + "Björn Kimminich" + ], + "semver": { + "vulnerable": [ + "<=1.4.2" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "medium", + "cvssScore": 4.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "sanitize-html", + "references": [ + { + "url": "https://github.com/punkave/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/punkave/sanitize-html/issues/29", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "description": "## Overview\nSanitization of HTML strings is not applied recursively to input, allowing an attacker to potentially inject script and other markup.\n\nSource: _Node Security Project_\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## Remediation\nUpgrade `sanitize-html` to `1.4.3` or later\n\n## References\n- https://github.com/punkave/sanitize-html/issues/29\n- https://github.com/punkave/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf\n\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-79" + ], + "NSP": [ + "135" + ], + "ALTERNATIVE": [ + "SNYK-JS-SANITIZEHTML-10127" + ] + }, + "packageName": "sanitize-html", + "proprietary": false, + "creationTime": "2016-08-02T08:28:08.097000Z", + "functions_new": [], + "alternativeIds": [ + "SNYK-JS-SANITIZEHTML-10127" + ], + "disclosureTime": "2016-08-01T18:02:31Z", + "packageManager": "npm", + "publicationTime": "2016-08-01T18:02:31Z", + "modificationTime": "2020-12-14T14:41:17.951016Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "juice-shop@15.3.0", + "sanitize-html@1.4.2" + ], + "upgradePath": [ + false, + "sanitize-html@1.4.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "sanitize-html", + "version": "1.4.2" + }, + { + "id": "npm:sanitize-html:20161026", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C", + "credit": [ + "Andrew Krasichkov" + ], + "semver": { + "vulnerable": [ + "<1.11.4" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "1.11.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "js", + "severity": "medium", + "cvssScore": 5.4, + "functions": [], + "malicious": false, + 
"isDisputed": false, + "moduleName": "sanitize-html", + "references": [ + { + "url": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/punkave/sanitize-html/issues/100", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2022-01-03T16:21:19.197646Z" + } + ], + "description": "## Overview\n[`sanitize-html`](https://www.npmjs.com/package/sanitize-html) is a library for scrubbing html input of malicious values.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. If at least one `nonTextTags` tag is allowed, a malicious user may potentially conduct an XSS attack.\n\n**PoC:**\n```js\nvar sanitizeHtml = require('sanitize-html');\n\nvar dirty = '!!';\nvar clean = sanitizeHtml(dirty, {\n allowedTags: [ 'textarea' ]\n});\n\nconsole.log(clean);\n\n// !!\n```\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## Remediation\nUpgrade `sanitize-html` to version 1.11.4 or later.\n\n## References\n- [GitHub Issue](https://github.com/punkave/sanitize-html/issues/100)\n- [GitHub Commit](https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)\n", + "epssDetails": { + "percentile": "0.35000", + "probability": "0.00084", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-16016" + ], + "CWE": [ + "CWE-79" + ], + "NSP": [ + "154" + ], + "GHSA": [ + "GHSA-xc6g-ggrc-qq4r" + ], + "ALTERNATIVE": [ + "SNYK-JS-SANITIZEHTML-10461" + ] + }, + "packageName": "sanitize-html", + "proprietary": false, + "creationTime": "2017-04-12T10:49:58.283000Z", + "functions_new": [], + "alternativeIds": [ + "SNYK-JS-SANITIZEHTML-10461" + ], + "disclosureTime": "2016-03-26T23:49:58.283000Z", + "packageManager": "npm", + "publicationTime": "2017-04-12T11:00:58.283000Z", + "modificationTime": "2022-01-03T16:21:19.197646Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "juice-shop@15.3.0", + "sanitize-html@1.4.2" + ], + "upgradePath": [ + false, + "sanitize-html@1.11.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "sanitize-html", + "version": "1.4.2" + } + ], + "ok": false, + "dependencyCount": 71, + "org": "sarim04", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + 
"orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "npm", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "docker": {}, + "summary": "12 vulnerable dependency paths", + "remediation": { + "unresolved": [], + "upgrade": { + "express-jwt@0.1.3": { + "upgradeTo": "express-jwt@6.0.0", + "upgrades": [ + "express-jwt@0.1.3" + ], + "vulns": [ + "SNYK-JS-EXPRESSJWT-575022" + ] + }, + "jsonwebtoken@0.4.0": { + "upgradeTo": 
"jsonwebtoken@9.0.0", + "upgrades": [ + "jsonwebtoken@0.4.0", + "jsonwebtoken@0.4.0", + "jsonwebtoken@0.4.0", + "jsonwebtoken@0.4.0" + ], + "vulns": [ + "SNYK-JS-JSONWEBTOKEN-3180022", + "SNYK-JS-JSONWEBTOKEN-3180024", + "SNYK-JS-JSONWEBTOKEN-3180026", + "npm:jsonwebtoken:20150331" + ] + }, + "sanitize-html@1.4.2": { + "upgradeTo": "sanitize-html@2.7.1", + "upgrades": [ + "sanitize-html@1.4.2", + "sanitize-html@1.4.2", + "sanitize-html@1.4.2", + "sanitize-html@1.4.2", + "sanitize-html@1.4.2", + "sanitize-html@1.4.2", + "sanitize-html@1.4.2" + ], + "vulns": [ + "SNYK-JS-SANITIZEHTML-2957526", + "SNYK-JS-SANITIZEHTML-1070780", + "SNYK-JS-SANITIZEHTML-1070786", + "SNYK-JS-SANITIZEHTML-585892", + "npm:sanitize-html:20161026", + "npm:sanitize-html:20141024", + "npm:sanitize-html:20160801" + ] + } + }, + "patch": {}, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": false, + "filtered": { + "ignore": [], + "patch": [] + }, + "uniqueCount": 12, + "targetFile": "/juice-shop/package.json", + "projectName": "juice-shop", + "displayTargetFile": "/juice-shop/package.json", + "hasUnknownVersions": false, + "path": "sarim04/juiceshop:latest" + } + ] + } + \ No newline at end of file diff --git a/unittests/tools/test_snyk_parser.py b/unittests/tools/test_snyk_parser.py index 6eb9e04de89..18018c95582 100644 --- a/unittests/tools/test_snyk_parser.py +++ b/unittests/tools/test_snyk_parser.py 
@@ -163,13 +163,22 @@ def test_snykParser_update_libs_tag(self):
 with open("unittests/scans/snyk/single_project_upgrade_libs.json") as testfile:
 parser = SnykParser()
 findings = parser.get_findings(testfile, Test())
- for index in range(len(findings)):
- print(index, findings[index], findings[index].unsaved_tags)
 self.assertEqual(254, len(findings))
 # acme-review@1.0.0: Remote Code Execution (RCE)
 finding = findings[227]
- print(finding, finding.severity, finding.unsaved_tags)
 self.assertEqual("High", finding.severity)
 self.assertIn('target_file:package-lock.json', finding.unsaved_tags)
 self.assertIn('upgrade_to:react-scripts@5.0.0', finding.unsaved_tags)
 self.assertIn('shell-quote@1.7.2', finding.mitigation)
+
+ def test_snykcontainer_issue_9270(self):
+ with open("unittests/scans/snyk/snykcontainer_issue_9270.json") as testfile:
+ parser = SnykParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(25, len(findings))
+
+ def test_snykcode_issue_9270(self):
+ with open("unittests/scans/snyk/snykcode_issue_9270.json") as testfile:
+ parser = SnykParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(39, len(findings))
From 1b0f710f0baae0c5093227b9dcbaa43c860ebfb1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 13:53:33 -0600 Subject: [PATCH 43/46] Bump boto3 from 1.34.15 to 1.34.16 (#9319) Bumps [boto3](https://github.com/boto/boto3) from 1.34.15 to 1.34.16. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.34.15...1.34.16) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... 
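Review bot: The two new tests, `test_snykcontainer_issue_9270` and `test_snykcode_issue_9270`, assert only the number of findings, so a regression in how an individual entry is mapped (severity, CVE/CWE identifiers, mitigation, tags) would still pass as long as the count stays at 25 or 39. Each should pin at least one finding the fixture makes easy to identify, in the style of the `test_snykParser_update_libs_tag` checks just above: in the scan data added earlier in this patch (apparently the container fixture) the `sanitize-html@1.4.2` entry carrying `CVE-2017-16016` and `CWE-79` is a natural candidate for asserting severity and that its upgrade path reaches the mitigation text, though the exact field names depend on the parser, which is outside this hunk. That fixture also contains non-ASCII text (`Björn Kimminich` in a `credit` array), so `open()` without an explicit encoding makes the test depend on the runner's locale; use `with open("unittests/scans/snyk/snykcontainer_issue_9270.json", encoding="utf-8") as testfile:` and the same for the snykcode file. The enclosing `test_snykParser_update_libs_tag` method starts outside the hunk.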
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index fd0f5308626..0945023a51f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -79,7 +79,7 @@ django-ratelimit==4.1.0
 argon2-cffi==23.1.0
 blackduck==1.1.0
 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support
-boto3==1.34.15 # Required for Celery Broker AWS (SQS) support
+boto3==1.34.16 # Required for Celery Broker AWS (SQS) support
 netaddr==0.8.0
 vulners==2.1.1
 fontawesomefree==6.5.1
From ec3a2f5cd97bdecdf35627ed7bc2f176871d1797 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 13:53:52 -0600 Subject: [PATCH 44/46] Bump markdown from 3.5.1 to 3.5.2 (#9318) Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.5.1 to 3.5.2. - [Release notes](https://github.com/Python-Markdown/markdown/releases) - [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md) - [Commits](https://github.com/Python-Markdown/markdown/compare/3.5.1...3.5.2) --- updated-dependencies: - dependency-name: markdown dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 0945023a51f..6dafa098a1c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -32,7 +32,7 @@ humanize==4.9.0
 jira==3.6.0
 PyGithub==1.58.2
 lxml==5.1.0
-Markdown==3.5.1
+Markdown==3.5.2
 mysqlclient==2.1.1
 openpyxl==3.1.2
 xlrd==1.2.0
From e38d0fd56950f75b97351ccb5bfb1da0a6503cfb Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 13:54:18 -0600 Subject: [PATCH 45/46] Bump vulners from 2.1.1 to 2.1.2 (#9317) Bumps [vulners]() from 2.1.1 to 2.1.2. --- updated-dependencies: - dependency-name: vulners dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 6dafa098a1c..47bbe361b15 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -81,5 +81,5 @@ blackduck==1.1.0
 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support
 boto3==1.34.16 # Required for Celery Broker AWS (SQS) support
 netaddr==0.8.0
-vulners==2.1.1
+vulners==2.1.2
 fontawesomefree==6.5.1
From eb81636bb2dcf29ec1f76f5a42432f75bc73d657 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jan 2024 15:44:42 -0600 Subject: [PATCH 46/46] Bump boto3 from 1.34.16 to 1.34.17 (#9324) Bumps [boto3](https://github.com/boto/boto3) from 1.34.16 to 1.34.17. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.34.16...1.34.17) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 47bbe361b15..ab920a5d083 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -79,7 +79,7 @@ django-ratelimit==4.1.0
 argon2-cffi==23.1.0
 blackduck==1.1.0
 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support
-boto3==1.34.16 # Required for Celery Broker AWS (SQS) support
+boto3==1.34.17 # Required for Celery Broker AWS (SQS) support
 netaddr==0.8.0
 vulners==2.1.2
 fontawesomefree==6.5.1