diff --git a/components/producers/blackduck/BUILD b/components/producers/blackduck/BUILD
new file mode 100644
index 000000000..727cf95bd
--- /dev/null
+++ b/components/producers/blackduck/BUILD
@@ -0,0 +1,52 @@
+subinclude(
+ "//build/defs:buildkit",
+ "///k8s//build/defs:k8s",
+ "//build/defs:dracon",
+)
+
+go_binary(
+ name = "blackduck-parser",
+ srcs = [
+ "main.go",
+ ],
+ deps = [
+ "//api/proto/v1",
+ "//components/producers",
+ "//pkg/context",
+ "//third_party/go/github.com/package-url/packageurl-go",
+ ],
+)
+
+go_test(
+ name = "blackduck_test",
+ srcs = [
+ "main.go",
+ "main_test.go",
+ ],
+ deps = [
+ "//api/proto/v1",
+ "//components/producers",
+ "//pkg/context",
+ "//pkg/testutil",
+ "//third_party/go/github.com/package-url/packageurl-go",
+ "//third_party/go/github.com/stretchr/testify",
+ ],
+)
+
+buildkit_distroless_image(
+ name = "image",
+ srcs = [":blackduck-parser"],
+ visibility = [
+ "//examples/...",
+ ],
+)
+
+dracon_component(
+ name = "blackduck",
+ images = [
+ ":image",
+ "//third_party/docker/securego/gosec",
+ ],
+ task = "task.yaml",
+ visibility = ["//examples/pipelines/..."],
+)
diff --git a/components/producers/blackduck/data.json b/components/producers/blackduck/data.json
new file mode 100644
index 000000000..7c2e14755
--- /dev/null
+++ b/components/producers/blackduck/data.json
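Review bot: The `dracon_component` rule at the end of the hunk lists `//third_party/docker/securego/gosec` under `images`, yet the component is a Black Duck results parser whose only binary is `:blackduck-parser`, so this entry looks carried over from the gosec producer's BUILD. Unless `task.yaml` actually runs gosec, reduce it to `images = [":image"],` so the component does not bundle a third-party scanner image that then has to be tracked and patched for no benefit. The `go_test` target declares `main.go` and `main_test.go` but no `data` attribute; if `main_test.go` reads the `data.json` fixture added in the following hunk at test time, the sandboxed test will need `data = ["data.json"],` to find it. That fixture also appears to carry a real internal hostname, project/version UUIDs and account names straight from a scanner export, which is worth scrubbing or replacing with constructed values before it lands in a public repository.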
@@ -0,0 +1,3103 @@ +{ + "hubUILink": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components", + "hubAPILink": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components", + "versionId": "0e7a2872-230f-4eee-a9f0-b18e1c50c2d3", + "totalComponentsFound": 30, + "matchedFlag": true, + "headers": [ + "ComponentName", + "ComponentVersion", + "Critical", + "High", + "Medium", + "Low", + "Operational Risk", + "License Risk", + "License" + ], + "summary": { + "securityRisksSeverityCritical": 1, + "securityRisksSeverityHigh": 9, + "securityRisksSeverityMedium": 1, + "securityRisksSeverityLow": 0, + "licenseRisksSeverityHigh": 0, + "licenseRisksSeverityMedium": 4, + "licenseRisksSeverityLow": 0, + "operationRisksSeverityHigh": 4, + "operationRisksSeverityMedium": 3, + "operationRisksSeverityLow": 22, + "quarantineEligibleFlag": true, + "scanStartTime": "2024-01-18T17:07:01.596Z", + "scanCompleteTime": "2024-01-18T17:07:13.284Z" + }, + "scanId": "ed8590ff-1d07-4a91-8453-d0a8abd792a3", + "appid": "171845", + "appname": "dtliveupdateconsumer", + "releaseid": "LatestProductionDeployedScan", + "projectId": "eec0e9a7-d2e5-41e7-97b2-f91c46df9685", + "data": [ + { + "componentName": "Apache Kafka", + "componentVersion": "3.1.2", + "releasedOn": "2022-09-09T20:08:36.000Z", + "critical": 0, + "high": 1, + "medium": 0, + "low": 0, + "operationalRisk": "LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa", + "versionid": "b54827b4-ee6f-4204-9f13-f3504e064efa", + "ctcid": "", + "checksum": "", + "componentid": "05248305-719c-4b7d-a693-0b1a7992b4ec", + "matchedFiles": { + "totalCount": 1, + "items": [ + { + "filePath": 
{ + "path": "/BOOT-INF/lib/kafka-clients-3.1.2.jar", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "compositePathContext": "/BOOT-INF/lib/kafka-clients-3.1.2.jar#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "fileName": "kafka-clients-3.1.2.jar" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + } + ], + "appliedFilters": [], + "_meta": {} + }, + "vulnerabilities": { + "totalCount": 1, + "items": [ + { + "id": "BDSA-2023-0235", + "summary": "Apache Kafka is vulnerable to remote code execution (RCE) due to insecure handling of untrusted serialized data sent using the Kafka REST API. This could allow an attacker to supply crafted data to execute Java deserialization gadget chains on the Kafka connect server.", + "publishedDate": "2023-02-09T12:35:59.049Z", + "lastModified": "2023-02-09T12:35:59.037Z", + "source": "BDSA", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-502" + ], + "cvss2": { + "baseScore": 6.5, + "impactSubscore": 6.4, + "exploitabilitySubscore": 8.0, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authentication": "SINGLE", + "confidentialityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "temporalMetrics": { + "exploitability": "PROOF_OF_CONCEPT", + "remediationLevel": "OFFICIAL_FIX", + "reportConfidence": 
"CONFIRMED", + "score": 5.1 + }, + "source": "BDSA", + "severity": "MEDIUM", + "integrityImpact": "PARTIAL", + "vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C)", + "overallScore": 5.1 + }, + "cvss3": { + "baseScore": 8.8, + "impactSubscore": 5.9, + "exploitabilitySubscore": 2.8, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "BDSA", + "severity": "HIGH", + "temporalMetrics": { + "exploitCodeMaturity": "PROOF_OF_CONCEPT", + "remediationLevel": "OFFICIAL_FIX", + "reportConfidence": "CONFIRMED", + "score": 7.9 + }, + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "overallScore": 7.9 + }, + "useCvss3": true, + "overallScore": 7.9, + "solutionAvailable": true, + "workaroundAvailable": false, + "exploitAvailable": true, + "bdsaTags": [ + "RCE" + ], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-0235" + }, + { + "rel": "unmatched-related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-25194", + "label": "CVE-2023-25194" + }, + { + "rel": "vulnerability-with-remediation", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerabilities/BDSA-2023-0235/remediation" + } + ] + }, + "name": "BDSA-2023-0235", + "description": "Apache Kafka is vulnerable to remote code execution (RCE) due to insecure handling of untrusted serialized data sent using the Kafka REST API. This could allow an attacker to supply crafted data to execute Java deserialization gadget chains on the Kafka connect server." + } + ], + "appliedFilters": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerabilities", + "links": [ + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=exploitAvailable", + "name": "exploitAvailable", + "label": "Exploit" + }, + { + "rel": "range-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=securityRiskScore", + "name": "securityRiskScore", + "label": "Overall Score" + }, + { + "rel": "quick-filter", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=reachable", + "name": "reachable", + "label": "Reachable" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=remediationType", + "name": "remediationType", + "label": "Remediation Status" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=solutionAvailable", + "name": "solutionAvailable", + "label": "Solution" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=workaroundAvailable", + "name": "workaroundAvailable", + "label": "Workaround" + } + ] + } + }, + "policyviolations": {}, + "origins": { + "name": "3.1.2", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2", + "externalNamespace": "maven", + "externalId": 
"org.apache.kafka:kafka-clients:3.1.2", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.apache.kafka:kafka-clients:3.1.2" + } + }, + { + "componentName": "Apache Log4j", + "componentVersion": "2.17.2", + "releasedOn": "2022-02-27T18:35:56.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140", + "versionid": "86f3974b-d17a-4bc7-8592-61a618a0e140", + "ctcid": "", + "checksum": "", + "componentid": "7460c937-f013-4c3a-bdf3-ace04cfd0304", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.17.2", + "origin": 
"https://citiopensourcehub31.citigroup.net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b", + "externalNamespace": "maven", + "externalId": "org.apache.logging.log4j:log4j-core:2.17.2", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.apache.logging.log4j:log4j-core:2.17.2" + } + }, + { + "componentName": "Apache Log4J API", + "componentVersion": "2.17.2", + "releasedOn": "2022-02-23T20:28:37.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/44d8c92a-f682-4904-b571-c83f83ae1a91/versions/36b26205-cef2-4a93-98d4-14658e23f108", + "versionid": 
"36b26205-cef2-4a93-98d4-14658e23f108", + "ctcid": "", + "checksum": "", + "componentid": "44d8c92a-f682-4904-b571-c83f83ae1a91", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.17.2", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/44d8c92a-f682-4904-b571-c83f83ae1a91/versions/36b26205-cef2-4a93-98d4-14658e23f108/origins/e312622f-cfbd-4e45-8337-eb7f5cde784a", + "externalNamespace": "maven", + "externalId": "org.apache.logging.log4j:log4j-api:2.17.2", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/44d8c92a-f682-4904-b571-c83f83ae1a91/versions/36b26205-cef2-4a93-98d4-14658e23f108/origins/e312622f-cfbd-4e45-8337-eb7f5cde784a" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/44d8c92a-f682-4904-b571-c83f83ae1a91/versions/36b26205-cef2-4a93-98d4-14658e23f108/origins/e312622f-cfbd-4e45-8337-eb7f5cde784a/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/44d8c92a-f682-4904-b571-c83f83ae1a91/versions/36b26205-cef2-4a93-98d4-14658e23f108/origins/e312622f-cfbd-4e45-8337-eb7f5cde784a/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/44d8c92a-f682-4904-b571-c83f83ae1a91/versions/36b26205-cef2-4a93-98d4-14658e23f108/origins/e312622f-cfbd-4e45-8337-eb7f5cde784a/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.apache.logging.log4j:log4j-api:2.17.2" + } + }, + { + "componentName": "Apache Log4j to SLF4J Adapter", + "componentVersion": "2.17.2", + "releasedOn": "2022-02-23T20:30:28.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": 
"LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/80b231bf-8524-4db8-a134-41f6359bc101/versions/cebbbf67-2ce8-4b9d-bcfb-8963555103b8", + "versionid": "cebbbf67-2ce8-4b9d-bcfb-8963555103b8", + "ctcid": "", + "checksum": "", + "componentid": "80b231bf-8524-4db8-a134-41f6359bc101", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.17.2", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/80b231bf-8524-4db8-a134-41f6359bc101/versions/cebbbf67-2ce8-4b9d-bcfb-8963555103b8/origins/d274e94b-935f-4313-8880-ed7312a9bfaa", + "externalNamespace": "maven", + "externalId": "org.apache.logging.log4j:log4j-to-slf4j:2.17.2", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/80b231bf-8524-4db8-a134-41f6359bc101/versions/cebbbf67-2ce8-4b9d-bcfb-8963555103b8/origins/d274e94b-935f-4313-8880-ed7312a9bfaa" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/80b231bf-8524-4db8-a134-41f6359bc101/versions/cebbbf67-2ce8-4b9d-bcfb-8963555103b8/origins/d274e94b-935f-4313-8880-ed7312a9bfaa/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/80b231bf-8524-4db8-a134-41f6359bc101/versions/cebbbf67-2ce8-4b9d-bcfb-8963555103b8/origins/d274e94b-935f-4313-8880-ed7312a9bfaa/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/80b231bf-8524-4db8-a134-41f6359bc101/versions/cebbbf67-2ce8-4b9d-bcfb-8963555103b8/origins/d274e94b-935f-4313-8880-ed7312a9bfaa/copyrights" + } + ] + }, + "originName": "maven", + "originId": 
"org.apache.logging.log4j:log4j-to-slf4j:2.17.2" + } + }, + { + "componentName": "Apache Tomcat", + "componentVersion": "9.0.83", + "releasedOn": "2023-11-10T01:47:29.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/5e9f2637-8280-42f4-b12c-7544cc49e6a4", + "versionid": "5e9f2637-8280-42f4-b12c-7544cc49e6a4", + "ctcid": "", + "checksum": "", + "componentid": "5a7e1c49-9a98-4393-b4e0-8011122bbe2f", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "9.0.83", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/5e9f2637-8280-42f4-b12c-7544cc49e6a4/origins/86974050-447c-4988-b671-2cd026108280", + "externalNamespace": "maven", + "externalId": "org.apache.tomcat.embed:tomcat-embed-core:9.0.83", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/5e9f2637-8280-42f4-b12c-7544cc49e6a4/origins/86974050-447c-4988-b671-2cd026108280" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/5e9f2637-8280-42f4-b12c-7544cc49e6a4/origins/86974050-447c-4988-b671-2cd026108280/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/5e9f2637-8280-42f4-b12c-7544cc49e6a4/origins/86974050-447c-4988-b671-2cd026108280/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + 
"href": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/5e9f2637-8280-42f4-b12c-7544cc49e6a4/origins/86974050-447c-4988-b671-2cd026108280/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.apache.tomcat.embed:tomcat-embed-core:9.0.83" + } + }, + { + "componentName": "Apache Tomcat", + "componentVersion": "9.0.81", + "releasedOn": "2023-10-10T01:10:06.000Z", + "critical": 0, + "high": 1, + "medium": 0, + "low": 0, + "operationalRisk": "LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945", + "versionid": "fcaa4dea-eaed-48f0-85af-feb369a58945", + "ctcid": "", + "checksum": "", + "componentid": "5a7e1c49-9a98-4393-b4e0-8011122bbe2f", + "matchedFiles": { + "totalCount": 1, + "items": [ + { + "filePath": { + "path": "/javax/", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/jakarta.annotation-api-1.3.5.jar!/", + "compositePathContext": "/javax/#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/jakarta.annotation-api-1.3.5.jar!/", + "fileName": "javax" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + } + ], + "appliedFilters": [], + "_meta": {} + }, + "vulnerabilities": { + "totalCount": 1, + "items": [ + { + "id": "CVE-2023-46589", + "summary": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11\u00a0onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\n\n", + "publishedDate": "2023-11-28T16:15:06.943Z", + "lastModified": "2024-01-05T11:15:09.847Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-444" + ], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + "vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 7.5, + "impactSubscore": 3.6, + "exploitabilitySubscore": 3.9, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "HIGH", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "overallScore": 7.5 + }, + "useCvss3": true, + "overallScore": 7.5, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + 
"bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-46589" + }, + { + "rel": "related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-3298", + "label": "BDSA-2023-3298" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerabilities/CVE-2023-46589/remediation" + } + ] + }, + "name": "CVE-2023-46589", + "description": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11\u00a0onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\n\n" + } + ], + "appliedFilters": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerabilities", + "links": [ + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=exploitAvailable", + "name": "exploitAvailable", + "label": "Exploit" + }, + { + "rel": "range-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=securityRiskScore", + "name": "securityRiskScore", + "label": "Overall Score" + }, + { + "rel": "quick-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=reachable", + "name": "reachable", + "label": 
"Reachable" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=remediationType", + "name": "remediationType", + "label": "Remediation Status" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=solutionAvailable", + "name": "solutionAvailable", + "label": "Solution" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=workaroundAvailable", + "name": "workaroundAvailable", + "label": "Workaround" + } + ] + } + }, + "policyviolations": {}, + "origins": { + "name": "9.0.81", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d", + "externalNamespace": "maven", + "externalId": "org.apache.tomcat:tomcat-annotations-api:9.0.81", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d" + }, + { + 
"rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.apache.tomcat:tomcat-annotations-api:9.0.81" + } + }, + { + "componentName": "Camel Quarkus :: Support :: Spring :: Beans", + "componentVersion": "2.13.1", + "releasedOn": "2022-11-04T07:41:02.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/8d0410f1-351a-4286-adb8-e4f5a9da3eac/versions/88899415-f98c-4eb1-94b4-36d14145ac98", + "versionid": "88899415-f98c-4eb1-94b4-36d14145ac98", + "ctcid": "", + "checksum": "", + "componentid": "8d0410f1-351a-4286-adb8-e4f5a9da3eac", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.13.1", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/8d0410f1-351a-4286-adb8-e4f5a9da3eac/versions/88899415-f98c-4eb1-94b4-36d14145ac98/origins/f7b53069-6328-481f-9443-c0b2f5ea4dfd", + "externalNamespace": "maven", + "externalId": "org.apache.camel.quarkus:camel-quarkus-support-spring-beans:2.13.1", + 
"externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/8d0410f1-351a-4286-adb8-e4f5a9da3eac/versions/88899415-f98c-4eb1-94b4-36d14145ac98/origins/f7b53069-6328-481f-9443-c0b2f5ea4dfd" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/8d0410f1-351a-4286-adb8-e4f5a9da3eac/versions/88899415-f98c-4eb1-94b4-36d14145ac98/origins/f7b53069-6328-481f-9443-c0b2f5ea4dfd/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/8d0410f1-351a-4286-adb8-e4f5a9da3eac/versions/88899415-f98c-4eb1-94b4-36d14145ac98/origins/f7b53069-6328-481f-9443-c0b2f5ea4dfd/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/8d0410f1-351a-4286-adb8-e4f5a9da3eac/versions/88899415-f98c-4eb1-94b4-36d14145ac98/origins/f7b53069-6328-481f-9443-c0b2f5ea4dfd/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.apache.camel.quarkus:camel-quarkus-support-spring-beans:2.13.1" + } + }, + { + "componentName": "FindBugs jsr305", + "componentVersion": "3.0.2", + "releasedOn": "2017-03-31T04:55:50.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/1dd30afc-69b6-450f-b52f-f7c757fef842/versions/56ab9f83-8fed-48fd-a1a4-e0450d871a7a", + "versionid": "56ab9f83-8fed-48fd-a1a4-e0450d871a7a", + "ctcid": "", + "checksum": "", + "componentid": "1dd30afc-69b6-450f-b52f-f7c757fef842", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "3.0.2", + "origin": 
"https://citiopensourcehub31.citigroup.net/api/components/1dd30afc-69b6-450f-b52f-f7c757fef842/versions/56ab9f83-8fed-48fd-a1a4-e0450d871a7a/origins/fc4dfa4d-2a32-4b28-8acd-68d61925fef9", + "externalNamespace": "maven", + "externalId": "com.google.code.findbugs:jsr305:3.0.2", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/1dd30afc-69b6-450f-b52f-f7c757fef842/versions/56ab9f83-8fed-48fd-a1a4-e0450d871a7a/origins/fc4dfa4d-2a32-4b28-8acd-68d61925fef9" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/1dd30afc-69b6-450f-b52f-f7c757fef842/versions/56ab9f83-8fed-48fd-a1a4-e0450d871a7a/origins/fc4dfa4d-2a32-4b28-8acd-68d61925fef9/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/1dd30afc-69b6-450f-b52f-f7c757fef842/versions/56ab9f83-8fed-48fd-a1a4-e0450d871a7a/origins/fc4dfa4d-2a32-4b28-8acd-68d61925fef9/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/1dd30afc-69b6-450f-b52f-f7c757fef842/versions/56ab9f83-8fed-48fd-a1a4-e0450d871a7a/origins/fc4dfa4d-2a32-4b28-8acd-68d61925fef9/copyrights" + } + ] + }, + "originName": "maven", + "originId": "com.google.code.findbugs:jsr305:3.0.2" + } + }, + { + "componentName": "GridGain", + "componentVersion": "8.8.25.1", + "releasedOn": "2023-02-09T12:11:38.467Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Basic Proprietary Commercial License", + "ownership": "NON_OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/f74ebe1b-8011-41ef-90b1-2093b0c77230/versions/32852154-7d44-4c51-9301-3e76a9259c85", + 
"versionid": "32852154-7d44-4c51-9301-3e76a9259c85", + "ctcid": "", + "checksum": "", + "componentid": "f74ebe1b-8011-41ef-90b1-2093b0c77230", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "8.8.25.1", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/f74ebe1b-8011-41ef-90b1-2093b0c77230/versions/32852154-7d44-4c51-9301-3e76a9259c85/origins/f5df4062-ba57-4491-8d00-44f7cdec98dc", + "externalNamespace": "nuget", + "externalId": "GridGain/8.8.25.1", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/f74ebe1b-8011-41ef-90b1-2093b0c77230/versions/32852154-7d44-4c51-9301-3e76a9259c85/origins/f5df4062-ba57-4491-8d00-44f7cdec98dc" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/f74ebe1b-8011-41ef-90b1-2093b0c77230/versions/32852154-7d44-4c51-9301-3e76a9259c85/origins/f5df4062-ba57-4491-8d00-44f7cdec98dc/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/f74ebe1b-8011-41ef-90b1-2093b0c77230/versions/32852154-7d44-4c51-9301-3e76a9259c85/origins/f5df4062-ba57-4491-8d00-44f7cdec98dc/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/f74ebe1b-8011-41ef-90b1-2093b0c77230/versions/32852154-7d44-4c51-9301-3e76a9259c85/origins/f5df4062-ba57-4491-8d00-44f7cdec98dc/copyrights" + } + ] + }, + "originName": "nuget", + "originId": "GridGain/8.8.25.1" + } + }, + { + "componentName": "jackson-annotations", + "componentVersion": "2.13.5", + "releasedOn": "2023-01-23T00:04:13.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + 
"license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/d5b90213-52f8-4429-b3c7-ed582af929d2/versions/24de707e-76f8-49ad-8920-8f4bde57f5c3", + "versionid": "24de707e-76f8-49ad-8920-8f4bde57f5c3", + "ctcid": "", + "checksum": "", + "componentid": "d5b90213-52f8-4429-b3c7-ed582af929d2", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.13.5", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/d5b90213-52f8-4429-b3c7-ed582af929d2/versions/24de707e-76f8-49ad-8920-8f4bde57f5c3/origins/299b0828-2d7c-4fa6-994d-723d5e627502", + "externalNamespace": "maven", + "externalId": "com.fasterxml.jackson.core:jackson-annotations:2.13.5", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/d5b90213-52f8-4429-b3c7-ed582af929d2/versions/24de707e-76f8-49ad-8920-8f4bde57f5c3/origins/299b0828-2d7c-4fa6-994d-723d5e627502" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/d5b90213-52f8-4429-b3c7-ed582af929d2/versions/24de707e-76f8-49ad-8920-8f4bde57f5c3/origins/299b0828-2d7c-4fa6-994d-723d5e627502/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/d5b90213-52f8-4429-b3c7-ed582af929d2/versions/24de707e-76f8-49ad-8920-8f4bde57f5c3/origins/299b0828-2d7c-4fa6-994d-723d5e627502/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/d5b90213-52f8-4429-b3c7-ed582af929d2/versions/24de707e-76f8-49ad-8920-8f4bde57f5c3/origins/299b0828-2d7c-4fa6-994d-723d5e627502/copyrights" + } + ] + }, + "originName": "maven", + "originId": 
"com.fasterxml.jackson.core:jackson-annotations:2.13.5" + } + }, + { + "componentName": "jackson-core", + "componentVersion": "2.13.5", + "releasedOn": "2023-01-23T00:24:37.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/4c08d575-40e5-4778-acd6-b76230f3a895/versions/385b8c33-4174-4d19-9c78-732e6d7308c7", + "versionid": "385b8c33-4174-4d19-9c78-732e6d7308c7", + "ctcid": "", + "checksum": "", + "componentid": "4c08d575-40e5-4778-acd6-b76230f3a895", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.13.5", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/4c08d575-40e5-4778-acd6-b76230f3a895/versions/385b8c33-4174-4d19-9c78-732e6d7308c7/origins/961b3f37-f3a6-4b71-87bb-97555dbb4d92", + "externalNamespace": "maven", + "externalId": "com.fasterxml.jackson.core:jackson-core:2.13.5", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/4c08d575-40e5-4778-acd6-b76230f3a895/versions/385b8c33-4174-4d19-9c78-732e6d7308c7/origins/961b3f37-f3a6-4b71-87bb-97555dbb4d92" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/4c08d575-40e5-4778-acd6-b76230f3a895/versions/385b8c33-4174-4d19-9c78-732e6d7308c7/origins/961b3f37-f3a6-4b71-87bb-97555dbb4d92/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/4c08d575-40e5-4778-acd6-b76230f3a895/versions/385b8c33-4174-4d19-9c78-732e6d7308c7/origins/961b3f37-f3a6-4b71-87bb-97555dbb4d92/upgrade-guidance" + }, + { + "rel": 
"component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/4c08d575-40e5-4778-acd6-b76230f3a895/versions/385b8c33-4174-4d19-9c78-732e6d7308c7/origins/961b3f37-f3a6-4b71-87bb-97555dbb4d92/copyrights" + } + ] + }, + "originName": "maven", + "originId": "com.fasterxml.jackson.core:jackson-core:2.13.5" + } + }, + { + "componentName": "jackson-databind", + "componentVersion": "2.13.5", + "releasedOn": "2023-01-23T00:48:17.000Z", + "critical": 0, + "high": 0, + "medium": 1, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a", + "versionid": "fc32b0fb-db44-46af-950b-7d3d4be2c53a", + "ctcid": "", + "checksum": "", + "componentid": "ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47", + "matchedFiles": { + "totalCount": 1, + "items": [ + { + "filePath": { + "path": "/BOOT-INF/lib/jackson-databind-2.13.5.jar", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "compositePathContext": "/BOOT-INF/lib/jackson-databind-2.13.5.jar#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "fileName": "jackson-databind-2.13.5.jar" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + } + ], + "appliedFilters": [], + "_meta": {} + }, + "vulnerabilities": { + "totalCount": 1, + "items": [ + { + "id": "CVE-2023-35116", + "summary": "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. 
NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.", + "publishedDate": "2023-06-14T14:15:10.960Z", + "lastModified": "2023-12-07T12:13:13.217Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2023-06-21T10:04:11.877Z", + "updatedAt": "2023-06-29T00:02:40.350Z", + "createdBy": { + "userName": "blackduck_system", + "firstName": "System", + "lastName": "User", + "user": "https://citiopensourcehub31.citigroup.net/api/users/00000000-0000-0000-0004-000000000011" + }, + "updatedBy": { + "userName": "blackduck_system", + "firstName": "System", + "lastName": "User", + "user": "https://citiopensourcehub31.citigroup.net/api/users/00000000-0000-0000-0004-000000000011" + }, + "cweIds": [ + "CWE-770" + ], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + "vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 4.7, + "impactSubscore": 3.6, + "exploitabilitySubscore": 1.0, + "attackVector": "LOCAL", + "attackComplexity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "MEDIUM", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "overallScore": 4.7 + }, + "useCvss3": true, + "overallScore": 4.7, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + "bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-35116" + }, + { + "rel": "related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-1491", + "label": "BDSA-2023-1491" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/vulnerabilities/CVE-2023-35116/remediation" + } + ] + }, + "name": "CVE-2023-35116", + "description": "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker." 
+ } + ], + "appliedFilters": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/vulnerabilities", + "links": [ + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/vulnerability-filters?filterKey=exploitAvailable", + "name": "exploitAvailable", + "label": "Exploit" + }, + { + "rel": "range-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/vulnerability-filters?filterKey=securityRiskScore", + "name": "securityRiskScore", + "label": "Overall Score" + }, + { + "rel": "quick-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/vulnerability-filters?filterKey=reachable", + "name": "reachable", + "label": "Reachable" + }, + { + "rel": "static-filter", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/vulnerability-filters?filterKey=remediationType", + "name": "remediationType", + "label": "Remediation Status" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/vulnerability-filters?filterKey=solutionAvailable", + "name": "solutionAvailable", + "label": "Solution" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/vulnerability-filters?filterKey=workaroundAvailable", + "name": "workaroundAvailable", + "label": "Workaround" + } + ] + } + }, + "policyviolations": {}, + "origins": { + "name": "2.13.5", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4", + "externalNamespace": "maven", + "externalId": "com.fasterxml.jackson.core:jackson-databind:2.13.5", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4" + }, + { + "rel": "matched-files", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ce7ad18a-6e02-4565-a51c-4fc2c5bc7c47/versions/fc32b0fb-db44-46af-950b-7d3d4be2c53a/origins/a0a82925-66da-44ad-b3b9-eea705d423a4/copyrights" + } + ] + }, + "originName": "maven", + "originId": "com.fasterxml.jackson.core:jackson-databind:2.13.5" + } + }, + { + "componentName": "Jackson-datatype-jdk8", + "componentVersion": "2.13.5", + "releasedOn": "2023-01-23T01:26:56.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/93477a6b-05b7-4f6f-a576-818aba23378f/versions/39a4439c-4074-40b2-a941-ffc9aa9d09bd", + "versionid": "39a4439c-4074-40b2-a941-ffc9aa9d09bd", + "ctcid": "", + "checksum": "", + "componentid": "93477a6b-05b7-4f6f-a576-818aba23378f", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.13.5", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/93477a6b-05b7-4f6f-a576-818aba23378f/versions/39a4439c-4074-40b2-a941-ffc9aa9d09bd/origins/f033816c-1b27-4a3c-8db8-56faa7407c7b", + "externalNamespace": "maven", + "externalId": "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.5", + "externalNamespaceDistribution": false, + "_meta": { + 
"allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/93477a6b-05b7-4f6f-a576-818aba23378f/versions/39a4439c-4074-40b2-a941-ffc9aa9d09bd/origins/f033816c-1b27-4a3c-8db8-56faa7407c7b" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/93477a6b-05b7-4f6f-a576-818aba23378f/versions/39a4439c-4074-40b2-a941-ffc9aa9d09bd/origins/f033816c-1b27-4a3c-8db8-56faa7407c7b/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/93477a6b-05b7-4f6f-a576-818aba23378f/versions/39a4439c-4074-40b2-a941-ffc9aa9d09bd/origins/f033816c-1b27-4a3c-8db8-56faa7407c7b/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/93477a6b-05b7-4f6f-a576-818aba23378f/versions/39a4439c-4074-40b2-a941-ffc9aa9d09bd/origins/f033816c-1b27-4a3c-8db8-56faa7407c7b/copyrights" + } + ] + }, + "originName": "maven", + "originId": "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.5" + } + }, + { + "componentName": "Jackson-Datatype-JSR310", + "componentVersion": "2.13.5", + "releasedOn": "2023-01-23T01:26:50.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/69a1f40e-2423-412c-98e3-869fa0919e37/versions/3562c104-7883-4b15-8be4-aa1e1f4c63d3", + "versionid": "3562c104-7883-4b15-8be4-aa1e1f4c63d3", + "ctcid": "", + "checksum": "", + "componentid": "69a1f40e-2423-412c-98e3-869fa0919e37", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.13.5", + "origin": 
"https://citiopensourcehub31.citigroup.net/api/components/69a1f40e-2423-412c-98e3-869fa0919e37/versions/3562c104-7883-4b15-8be4-aa1e1f4c63d3/origins/2c85027e-d1f4-48bc-ae3d-b2fdf95c4204", + "externalNamespace": "maven", + "externalId": "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.5", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/69a1f40e-2423-412c-98e3-869fa0919e37/versions/3562c104-7883-4b15-8be4-aa1e1f4c63d3/origins/2c85027e-d1f4-48bc-ae3d-b2fdf95c4204" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/69a1f40e-2423-412c-98e3-869fa0919e37/versions/3562c104-7883-4b15-8be4-aa1e1f4c63d3/origins/2c85027e-d1f4-48bc-ae3d-b2fdf95c4204/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/69a1f40e-2423-412c-98e3-869fa0919e37/versions/3562c104-7883-4b15-8be4-aa1e1f4c63d3/origins/2c85027e-d1f4-48bc-ae3d-b2fdf95c4204/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/69a1f40e-2423-412c-98e3-869fa0919e37/versions/3562c104-7883-4b15-8be4-aa1e1f4c63d3/origins/2c85027e-d1f4-48bc-ae3d-b2fdf95c4204/copyrights" + } + ] + }, + "originName": "maven", + "originId": "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.5" + } + }, + { + "componentName": "Jackson-module-parameter-names", + "componentVersion": "2.13.5", + "releasedOn": "2023-01-23T01:26:57.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": 
"https://citiopensourcehub31.citigroup.net/api/components/d70e298c-686c-4c33-8605-e8c55124ffe2/versions/ef8cb30e-7b53-41cc-b7be-5ad8fe5fd8a1", + "versionid": "ef8cb30e-7b53-41cc-b7be-5ad8fe5fd8a1", + "ctcid": "", + "checksum": "", + "componentid": "d70e298c-686c-4c33-8605-e8c55124ffe2", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.13.5", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/d70e298c-686c-4c33-8605-e8c55124ffe2/versions/ef8cb30e-7b53-41cc-b7be-5ad8fe5fd8a1/origins/4eba7831-3c74-411e-bbb4-bec4255865d9", + "externalNamespace": "maven", + "externalId": "com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.5", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/d70e298c-686c-4c33-8605-e8c55124ffe2/versions/ef8cb30e-7b53-41cc-b7be-5ad8fe5fd8a1/origins/4eba7831-3c74-411e-bbb4-bec4255865d9" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/d70e298c-686c-4c33-8605-e8c55124ffe2/versions/ef8cb30e-7b53-41cc-b7be-5ad8fe5fd8a1/origins/4eba7831-3c74-411e-bbb4-bec4255865d9/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/d70e298c-686c-4c33-8605-e8c55124ffe2/versions/ef8cb30e-7b53-41cc-b7be-5ad8fe5fd8a1/origins/4eba7831-3c74-411e-bbb4-bec4255865d9/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/d70e298c-686c-4c33-8605-e8c55124ffe2/versions/ef8cb30e-7b53-41cc-b7be-5ad8fe5fd8a1/origins/4eba7831-3c74-411e-bbb4-bec4255865d9/copyrights" + } + ] + }, + "originName": "maven", + "originId": "com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.5" + } + }, + { + 
"componentName": "Jakarta Annotations API", + "componentVersion": "1.3.5", + "releasedOn": "2019-08-02T11:09:25.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "(GNU General Public License v2.0 w/Classpath exception OR Eclipse Public License 2.0)", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/4aaf6ea9-170f-4bd1-aba9-54febcb0544e/versions/9b279da0-d8ef-4b03-af41-b63306f4e21f", + "versionid": "9b279da0-d8ef-4b03-af41-b63306f4e21f", + "ctcid": "", + "checksum": "", + "componentid": "4aaf6ea9-170f-4bd1-aba9-54febcb0544e", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "1.3.5", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/4aaf6ea9-170f-4bd1-aba9-54febcb0544e/versions/9b279da0-d8ef-4b03-af41-b63306f4e21f/origins/885added-9bd9-4b49-927e-423a224498c1", + "externalNamespace": "maven", + "externalId": "jakarta.annotation:jakarta.annotation-api:1.3.5", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/4aaf6ea9-170f-4bd1-aba9-54febcb0544e/versions/9b279da0-d8ef-4b03-af41-b63306f4e21f/origins/885added-9bd9-4b49-927e-423a224498c1" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/4aaf6ea9-170f-4bd1-aba9-54febcb0544e/versions/9b279da0-d8ef-4b03-af41-b63306f4e21f/origins/885added-9bd9-4b49-927e-423a224498c1/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/4aaf6ea9-170f-4bd1-aba9-54febcb0544e/versions/9b279da0-d8ef-4b03-af41-b63306f4e21f/origins/885added-9bd9-4b49-927e-423a224498c1/upgrade-guidance" + }, + { + "rel": 
"component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/4aaf6ea9-170f-4bd1-aba9-54febcb0544e/versions/9b279da0-d8ef-4b03-af41-b63306f4e21f/origins/885added-9bd9-4b49-927e-423a224498c1/copyrights" + } + ] + }, + "originName": "maven", + "originId": "jakarta.annotation:jakarta.annotation-api:1.3.5" + } + }, + { + "componentName": "JMS API", + "componentVersion": "2.0.1", + "releasedOn": "2015-03-11T18:43:36.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "(Common Development and Distribution License 1.1 OR Sun GPL With Classpath Exception v2.0)", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/5c309a7f-f4dd-414b-9f3a-a44d131151d3/versions/48620340-79f5-4de6-8f26-9c4496d25001", + "versionid": "48620340-79f5-4de6-8f26-9c4496d25001", + "ctcid": "", + "checksum": "", + "componentid": "5c309a7f-f4dd-414b-9f3a-a44d131151d3", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.0.1", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/5c309a7f-f4dd-414b-9f3a-a44d131151d3/versions/48620340-79f5-4de6-8f26-9c4496d25001/origins/d3d58a1a-5486-46ad-809b-1b2a861678e5", + "externalNamespace": "maven", + "externalId": "javax.jms:javax.jms-api:2.0.1", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/5c309a7f-f4dd-414b-9f3a-a44d131151d3/versions/48620340-79f5-4de6-8f26-9c4496d25001/origins/d3d58a1a-5486-46ad-809b-1b2a861678e5" + }, + { + "rel": "matched-files", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5c309a7f-f4dd-414b-9f3a-a44d131151d3/versions/48620340-79f5-4de6-8f26-9c4496d25001/origins/d3d58a1a-5486-46ad-809b-1b2a861678e5/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/5c309a7f-f4dd-414b-9f3a-a44d131151d3/versions/48620340-79f5-4de6-8f26-9c4496d25001/origins/d3d58a1a-5486-46ad-809b-1b2a861678e5/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/5c309a7f-f4dd-414b-9f3a-a44d131151d3/versions/48620340-79f5-4de6-8f26-9c4496d25001/origins/d3d58a1a-5486-46ad-809b-1b2a861678e5/copyrights" + } + ] + }, + "originName": "maven", + "originId": "javax.jms:javax.jms-api:2.0.1" + } + }, + { + "componentName": "JUL to SLF4J bridge", + "componentVersion": "1.7.36", + "releasedOn": "2022-02-08T13:35:41.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "MIT License", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/55eb330c-b748-48aa-af59-9b965fcfb02c/versions/ae394e15-a743-4475-a7cf-42ac0dec2711", + "versionid": "ae394e15-a743-4475-a7cf-42ac0dec2711", + "ctcid": "", + "checksum": "", + "componentid": "55eb330c-b748-48aa-af59-9b965fcfb02c", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "1.7.36", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/55eb330c-b748-48aa-af59-9b965fcfb02c/versions/ae394e15-a743-4475-a7cf-42ac0dec2711/origins/ae090417-d546-422c-b78e-436c92c25389", + "externalNamespace": "maven", + "externalId": "org.slf4j:jul-to-slf4j:1.7.36", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": 
"https://citiopensourcehub31.citigroup.net/api/components/55eb330c-b748-48aa-af59-9b965fcfb02c/versions/ae394e15-a743-4475-a7cf-42ac0dec2711/origins/ae090417-d546-422c-b78e-436c92c25389" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/55eb330c-b748-48aa-af59-9b965fcfb02c/versions/ae394e15-a743-4475-a7cf-42ac0dec2711/origins/ae090417-d546-422c-b78e-436c92c25389/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/55eb330c-b748-48aa-af59-9b965fcfb02c/versions/ae394e15-a743-4475-a7cf-42ac0dec2711/origins/ae090417-d546-422c-b78e-436c92c25389/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/55eb330c-b748-48aa-af59-9b965fcfb02c/versions/ae394e15-a743-4475-a7cf-42ac0dec2711/origins/ae090417-d546-422c-b78e-436c92c25389/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.slf4j:jul-to-slf4j:1.7.36" + } + }, + { + "componentName": "Logback", + "componentVersion": "1.2.12", + "releasedOn": "2023-03-24T01:09:40.000Z", + "critical": 0, + "high": 2, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "(GNU Lesser General Public License v2.1 only OR Eclipse Public License 1.0)", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906", + "versionid": "d2b58809-7248-46e7-b64f-606d0a98c906", + "ctcid": "", + "checksum": "", + "componentid": "6ca9663c-41d4-44c0-8d1e-b1b12745bdc5", + "matchedFiles": { + "totalCount": 1, + "items": [ + { + "filePath": { + "path": "/BOOT-INF/lib/logback-classic-1.2.12.jar", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + 
"compositePathContext": "/BOOT-INF/lib/logback-classic-1.2.12.jar#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "fileName": "logback-classic-1.2.12.jar" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + } + ], + "appliedFilters": [], + "_meta": {} + }, + "vulnerabilities": { + "totalCount": 2, + "items": [ + { + "id": "CVE-2023-6481", + "summary": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.13,\u00a01.3.13 and\u00a01.2.12 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n", + "publishedDate": "2023-12-04T09:15:37.250Z", + "lastModified": "2023-12-07T19:57:46.020Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2023-12-04T15:32:16.553Z", + "updatedAt": "2023-12-07T20:30:29.826Z", + "createdBy": { + "userName": "blackduck_system", + "firstName": "System", + "lastName": "User", + "user": "https://citiopensourcehub31.citigroup.net/api/users/00000000-0000-0000-0004-000000000011" + }, + "updatedBy": { + "userName": "blackduck_system", + "firstName": "System", + "lastName": "User", + "user": "https://citiopensourcehub31.citigroup.net/api/users/00000000-0000-0000-0004-000000000011" + }, + "cweIds": [], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + "vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 7.5, + "impactSubscore": 3.6, + "exploitabilitySubscore": 3.9, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "NONE", + 
"integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "HIGH", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "overallScore": 7.5 + }, + "useCvss3": true, + "overallScore": 7.5, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + "bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-6481" + }, + { + "rel": "related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-3341", + "label": "BDSA-2023-3341" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerabilities/CVE-2023-6481/remediation" + } + ] + }, + "name": "CVE-2023-6481", + "description": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.13,\u00a01.3.13 and\u00a01.2.12 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n" + }, + { + "id": "CVE-2023-6378", + "summary": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n", + "publishedDate": "2023-11-29T12:15:07.543Z", + 
"lastModified": "2023-12-05T21:00:10.557Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2023-12-04T15:32:16.553Z", + "updatedAt": "2023-12-05T00:32:54.303Z", + "createdBy": { + "userName": "blackduck_system", + "firstName": "System", + "lastName": "User", + "user": "https://citiopensourcehub31.citigroup.net/api/users/00000000-0000-0000-0004-000000000011" + }, + "updatedBy": { + "userName": "blackduck_system", + "firstName": "System", + "lastName": "User", + "user": "https://citiopensourcehub31.citigroup.net/api/users/00000000-0000-0000-0004-000000000011" + }, + "cweIds": [ + "CWE-502" + ], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + "vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 7.5, + "impactSubscore": 3.6, + "exploitabilitySubscore": 3.9, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "HIGH", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "overallScore": 7.5 + }, + "useCvss3": true, + "overallScore": 7.5, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + "bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerabilities", + "links": [ + { + "rel": 
"vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-6378" + }, + { + "rel": "related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-3307", + "label": "BDSA-2023-3307" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerabilities/CVE-2023-6378/remediation" + } + ] + }, + "name": "CVE-2023-6378", + "description": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n" + } + ], + "appliedFilters": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerabilities", + "links": [ + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerability-filters?filterKey=exploitAvailable", + "name": "exploitAvailable", + "label": "Exploit" + }, + { + "rel": "range-filter", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerability-filters?filterKey=securityRiskScore", + "name": "securityRiskScore", + "label": "Overall Score" + }, + { + "rel": "quick-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerability-filters?filterKey=reachable", + "name": "reachable", + "label": "Reachable" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerability-filters?filterKey=remediationType", + "name": "remediationType", + "label": "Remediation Status" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerability-filters?filterKey=solutionAvailable", + "name": "solutionAvailable", + "label": "Solution" + }, + { + "rel": "static-filter", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/vulnerability-filters?filterKey=workaroundAvailable", + "name": "workaroundAvailable", + "label": "Workaround" + } + ] + } + }, + "policyviolations": {}, + "origins": { + "name": "1.2.12", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c", + "externalNamespace": "maven", + "externalId": "ch.qos.logback:logback-core:1.2.12", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/6ca9663c-41d4-44c0-8d1e-b1b12745bdc5/versions/d2b58809-7248-46e7-b64f-606d0a98c906/origins/2b9777cc-b853-46d0-8771-90f240e0cf1c/copyrights" + } + ] + }, + "originName": "maven", + "originId": "ch.qos.logback:logback-core:1.2.12" + } + 
}, + { + "componentName": "LZ4 Java", + "componentVersion": "1.8.0", + "releasedOn": "2021-06-11T02:50:41.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/dbcb5534-4689-4242-b513-284030f9e4aa/versions/37a888ee-c411-4cd0-be68-97471f7e9ce2", + "versionid": "37a888ee-c411-4cd0-be68-97471f7e9ce2", + "ctcid": "", + "checksum": "", + "componentid": "dbcb5534-4689-4242-b513-284030f9e4aa", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "1.8.0", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/dbcb5534-4689-4242-b513-284030f9e4aa/versions/37a888ee-c411-4cd0-be68-97471f7e9ce2/origins/2c49ac9b-8b4b-43d9-b094-ee1c64c13ff5", + "externalNamespace": "maven", + "externalId": "org.lz4:lz4-java:1.8.0", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/dbcb5534-4689-4242-b513-284030f9e4aa/versions/37a888ee-c411-4cd0-be68-97471f7e9ce2/origins/2c49ac9b-8b4b-43d9-b094-ee1c64c13ff5" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/dbcb5534-4689-4242-b513-284030f9e4aa/versions/37a888ee-c411-4cd0-be68-97471f7e9ce2/origins/2c49ac9b-8b4b-43d9-b094-ee1c64c13ff5/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/dbcb5534-4689-4242-b513-284030f9e4aa/versions/37a888ee-c411-4cd0-be68-97471f7e9ce2/origins/2c49ac9b-8b4b-43d9-b094-ee1c64c13ff5/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": 
"https://citiopensourcehub31.citigroup.net/api/components/dbcb5534-4689-4242-b513-284030f9e4aa/versions/37a888ee-c411-4cd0-be68-97471f7e9ce2/origins/2c49ac9b-8b4b-43d9-b094-ee1c64c13ff5/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.lz4:lz4-java:1.8.0" + } + }, + { + "componentName": "Piranha Servlet - API", + "componentVersion": "20.12.0", + "releasedOn": "2020-12-13T14:24:14.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "MIT License", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/c752a431-314a-44a6-9c04-59b105b73ac0/versions/c618e3f3-cfd7-478a-a65c-ce7b4a46e871", + "versionid": "c618e3f3-cfd7-478a-a65c-ce7b4a46e871", + "ctcid": "", + "checksum": "", + "componentid": "c752a431-314a-44a6-9c04-59b105b73ac0", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "20.12.0", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/c752a431-314a-44a6-9c04-59b105b73ac0/versions/c618e3f3-cfd7-478a-a65c-ce7b4a46e871/origins/3d01cee6-157b-4960-93b1-954dcc2cfc79", + "externalNamespace": "maven", + "externalId": "cloud.piranha.servlet:piranha-servlet-api:20.12.0", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/c752a431-314a-44a6-9c04-59b105b73ac0/versions/c618e3f3-cfd7-478a-a65c-ce7b4a46e871/origins/3d01cee6-157b-4960-93b1-954dcc2cfc79" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/c752a431-314a-44a6-9c04-59b105b73ac0/versions/c618e3f3-cfd7-478a-a65c-ce7b4a46e871/origins/3d01cee6-157b-4960-93b1-954dcc2cfc79/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": 
"https://citiopensourcehub31.citigroup.net/api/components/c752a431-314a-44a6-9c04-59b105b73ac0/versions/c618e3f3-cfd7-478a-a65c-ce7b4a46e871/origins/3d01cee6-157b-4960-93b1-954dcc2cfc79/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/c752a431-314a-44a6-9c04-59b105b73ac0/versions/c618e3f3-cfd7-478a-a65c-ce7b4a46e871/origins/3d01cee6-157b-4960-93b1-954dcc2cfc79/copyrights" + } + ] + }, + "originName": "maven", + "originId": "cloud.piranha.servlet:piranha-servlet-api:20.12.0" + } + }, + { + "componentName": "Pure-java LZ4 and xxHash", + "componentVersion": "1.8.0", + "releasedOn": "2021-06-19T06:45:06.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/51b6b7f9-8b25-49be-bda6-b938f90086d7/versions/50a879cf-63a4-4b66-aeae-4157af251c9e", + "versionid": "50a879cf-63a4-4b66-aeae-4157af251c9e", + "ctcid": "", + "checksum": "", + "componentid": "51b6b7f9-8b25-49be-bda6-b938f90086d7", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "1.8.0", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/51b6b7f9-8b25-49be-bda6-b938f90086d7/versions/50a879cf-63a4-4b66-aeae-4157af251c9e/origins/fb43b3fb-b852-4032-b28a-11a869ca7688", + "externalNamespace": "maven", + "externalId": "org.lz4:lz4-pure-java:1.8.0", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/51b6b7f9-8b25-49be-bda6-b938f90086d7/versions/50a879cf-63a4-4b66-aeae-4157af251c9e/origins/fb43b3fb-b852-4032-b28a-11a869ca7688" + }, + { + "rel": "matched-files", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/51b6b7f9-8b25-49be-bda6-b938f90086d7/versions/50a879cf-63a4-4b66-aeae-4157af251c9e/origins/fb43b3fb-b852-4032-b28a-11a869ca7688/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/51b6b7f9-8b25-49be-bda6-b938f90086d7/versions/50a879cf-63a4-4b66-aeae-4157af251c9e/origins/fb43b3fb-b852-4032-b28a-11a869ca7688/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/51b6b7f9-8b25-49be-bda6-b938f90086d7/versions/50a879cf-63a4-4b66-aeae-4157af251c9e/origins/fb43b3fb-b852-4032-b28a-11a869ca7688/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.lz4:lz4-pure-java:1.8.0" + } + }, + { + "componentName": "SLF4J API Module", + "componentVersion": "1.7.36", + "releasedOn": "2022-02-08T13:33:55.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "MIT License", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/ca782761-ef54-4eb6-b7f0-b9fbb15a0698/versions/1587e123-4c0d-4f25-aa89-32dc78ff0202", + "versionid": "1587e123-4c0d-4f25-aa89-32dc78ff0202", + "ctcid": "", + "checksum": "", + "componentid": "ca782761-ef54-4eb6-b7f0-b9fbb15a0698", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "1.7.36", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/ca782761-ef54-4eb6-b7f0-b9fbb15a0698/versions/1587e123-4c0d-4f25-aa89-32dc78ff0202/origins/970f2b32-2e9b-4be7-9a13-ce7728583bed", + "externalNamespace": "maven", + "externalId": "org.slf4j:slf4j-api:1.7.36", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": 
"https://citiopensourcehub31.citigroup.net/api/components/ca782761-ef54-4eb6-b7f0-b9fbb15a0698/versions/1587e123-4c0d-4f25-aa89-32dc78ff0202/origins/970f2b32-2e9b-4be7-9a13-ce7728583bed" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ca782761-ef54-4eb6-b7f0-b9fbb15a0698/versions/1587e123-4c0d-4f25-aa89-32dc78ff0202/origins/970f2b32-2e9b-4be7-9a13-ce7728583bed/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ca782761-ef54-4eb6-b7f0-b9fbb15a0698/versions/1587e123-4c0d-4f25-aa89-32dc78ff0202/origins/970f2b32-2e9b-4be7-9a13-ce7728583bed/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ca782761-ef54-4eb6-b7f0-b9fbb15a0698/versions/1587e123-4c0d-4f25-aa89-32dc78ff0202/origins/970f2b32-2e9b-4be7-9a13-ce7728583bed/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.slf4j:slf4j-api:1.7.36" + } + }, + { + "componentName": "snappy-java", + "componentVersion": "1.1.8.4", + "releasedOn": "2021-01-25T20:25:24.000Z", + "critical": 0, + "high": 4, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5", + "versionid": "ddb25abd-e395-4a37-84e0-4d57b9a5efd5", + "ctcid": "", + "checksum": "", + "componentid": "2a30e2d4-f015-41ea-a99d-cc9bf22ef435", + "matchedFiles": { + "totalCount": 4, + "items": [ + { + "filePath": { + "path": "/BOOT-INF/lib/snappy-java-1.1.8.4.jar", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "compositePathContext": 
"/BOOT-INF/lib/snappy-java-1.1.8.4.jar#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "fileName": "snappy-java-1.1.8.4.jar" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + }, + { + "filePath": { + "path": "/org/xerial/snappy/native/SunOS/sparc/libsnappyjava.so", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/snappy-java-1.1.8.4.jar!/", + "compositePathContext": "/org/xerial/snappy/native/SunOS/sparc/libsnappyjava.so#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/snappy-java-1.1.8.4.jar!/", + "fileName": "libsnappyjava.so" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + }, + { + "filePath": { + "path": "/org/xerial/snappy/native/SunOS/x86_64/libsnappyjava.so", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/snappy-java-1.1.8.4.jar!/", + "compositePathContext": "/org/xerial/snappy/native/SunOS/x86_64/libsnappyjava.so#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/snappy-java-1.1.8.4.jar!/", + "fileName": "libsnappyjava.so" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + }, + { + "filePath": { + "path": "/org/xerial/snappy/native/SunOS/x86/libsnappyjava.so", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/snappy-java-1.1.8.4.jar!/", + "compositePathContext": 
"/org/xerial/snappy/native/SunOS/x86/libsnappyjava.so#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/snappy-java-1.1.8.4.jar!/", + "fileName": "libsnappyjava.so" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + } + ], + "appliedFilters": [], + "_meta": {} + }, + "vulnerabilities": { + "totalCount": 4, + "items": [ + { + "id": "CVE-2023-43642", + "summary": "snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. 
Users unable to upgrade should only accept compressed data from trusted sources.", + "publishedDate": "2023-09-25T20:15:11.723Z", + "lastModified": "2023-09-26T15:46:35.600Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-770" + ], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + "vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 7.5, + "impactSubscore": 3.6, + "exploitabilitySubscore": 3.9, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "HIGH", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "overallScore": 7.5 + }, + "useCvss3": true, + "overallScore": 7.5, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + "bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-43642" + }, + { + "rel": "unmatched-related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-2536", + "label": "BDSA-2023-2536" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerabilities/CVE-2023-43642/remediation" + } + ] + }, + "name": "CVE-2023-43642", + "description": "snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources." + }, + { + "id": "CVE-2023-34455", + "summary": "snappy-java is a fast compressor/decompressor for Java. 
Due to use of an unchecked chunk length, an unrecoverable fatal error can occur in versions prior to 1.1.10.1.\n\nThe code in the function hasNextChunk in the fileSnappyInputStream.java checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn\u2019t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk.\n\nIn the case that the `compressed` variable is null, a byte array is allocated with the size given by the input data. Since the code doesn\u2019t test the legality of the `chunkSize` variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a `java.lang.NegativeArraySizeException` exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal `java.lang.OutOfMemoryError` error.\n\nVersion 1.1.10.1 contains a patch for this issue.", + "publishedDate": "2023-06-15T18:15:09.347Z", + "lastModified": "2023-08-18T14:15:23.960Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-770" + ], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + 
"vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 7.5, + "impactSubscore": 3.6, + "exploitabilitySubscore": 3.9, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "HIGH", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "overallScore": 7.5 + }, + "useCvss3": true, + "overallScore": 7.5, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + "bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-34455" + }, + { + "rel": "related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-2110", + "label": "BDSA-2023-2110" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerabilities/CVE-2023-34455/remediation" + } + ] + }, + "name": "CVE-2023-34455", + "description": "snappy-java is a fast compressor/decompressor for Java. 
Due to use of an unchecked chunk length, an unrecoverable fatal error can occur in versions prior to 1.1.10.1.\n\nThe code in the function hasNextChunk in the fileSnappyInputStream.java checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn\u2019t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk.\n\nIn the case that the `compressed` variable is null, a byte array is allocated with the size given by the input data. Since the code doesn\u2019t test the legality of the `chunkSize` variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a `java.lang.NegativeArraySizeException` exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal `java.lang.OutOfMemoryError` error.\n\nVersion 1.1.10.1 contains a patch for this issue." + }, + { + "id": "CVE-2023-34454", + "summary": "snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing an unrecoverable fatal error.\n\nThe function `compress(char[] input)` in the file `Snappy.java` receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the rawCompress` function.\n\nSince the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array.\n\nSince the maxCompressedLength function treats the length as an unsigned integer, it doesn\u2019t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. 
If the result is negative, a `java.lang.NegativeArraySizeException` exception will be raised while trying to allocate the array `buf`. On the other side, if the result is positive, the `buf` array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error.\n\nThe same issue exists also when using the `compress` functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won\u2019t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place.\n\nVersion 1.1.10.1 contains a patch for this issue.", + "publishedDate": "2023-06-15T17:15:09.873Z", + "lastModified": "2023-06-27T16:04:04.517Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-190" + ], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + "vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 7.5, + "impactSubscore": 3.6, + "exploitabilitySubscore": 3.9, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": 
"NONE", + "availabilityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "HIGH", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "overallScore": 7.5 + }, + "useCvss3": true, + "overallScore": 7.5, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + "bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-34454" + }, + { + "rel": "related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-2113", + "label": "BDSA-2023-2113" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerabilities/CVE-2023-34454/remediation" + } + ] + }, + "name": "CVE-2023-34454", + "description": "snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing an unrecoverable fatal error.\n\nThe function `compress(char[] input)` in the file `Snappy.java` receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the rawCompress` function.\n\nSince the length is not tested, the multiplication by two can cause an integer overflow and become negative. 
The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array.\n\nSince the maxCompressedLength function treats the length as an unsigned integer, it doesn\u2019t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a `java.lang.NegativeArraySizeException` exception will be raised while trying to allocate the array `buf`. On the other side, if the result is positive, the `buf` array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error.\n\nThe same issue exists also when using the `compress` functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won\u2019t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place.\n\nVersion 1.1.10.1 contains a patch for this issue." + }, + { + "id": "CVE-2023-34453", + "summary": "snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing a fatal error.\n\nThe function `shuffle(int[] input)` in the file `BitShuffle.java` receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function. Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a `java.lang.NegativeArraySizeException` exception will raise, which can crash the program. 
In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as `java.lang.ArrayIndexOutOfBoundsException`.\n\nThe same issue exists also when using the `shuffle` functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.\n\nVersion 1.1.10.1 contains a patch for this vulnerability.", + "publishedDate": "2023-06-15T17:15:09.790Z", + "lastModified": "2023-06-27T15:59:58.483Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-190" + ], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + "vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 7.5, + "impactSubscore": 3.6, + "exploitabilitySubscore": 3.9, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "HIGH", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "overallScore": 7.5 + }, + "useCvss3": true, + 
"overallScore": 7.5, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + "bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-34453" + }, + { + "rel": "related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-2111", + "label": "BDSA-2023-2111" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerabilities/CVE-2023-34453/remediation" + } + ] + }, + "name": "CVE-2023-34453", + "description": "snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing a fatal error.\n\nThe function `shuffle(int[] input)` in the file `BitShuffle.java` receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function. Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a `java.lang.NegativeArraySizeException` exception will raise, which can crash the program. 
In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as `java.lang.ArrayIndexOutOfBoundsException`.\n\nThe same issue exists also when using the `shuffle` functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.\n\nVersion 1.1.10.1 contains a patch for this vulnerability." + } + ], + "appliedFilters": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerabilities", + "links": [ + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerability-filters?filterKey=exploitAvailable", + "name": "exploitAvailable", + "label": "Exploit" + }, + { + "rel": "range-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerability-filters?filterKey=securityRiskScore", + "name": "securityRiskScore", + "label": "Overall Score" + }, + { + "rel": "quick-filter", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerability-filters?filterKey=reachable", + "name": "reachable", + "label": "Reachable" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerability-filters?filterKey=remediationType", + "name": "remediationType", + "label": "Remediation Status" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerability-filters?filterKey=solutionAvailable", + "name": "solutionAvailable", + "label": "Solution" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/vulnerability-filters?filterKey=workaroundAvailable", + "name": "workaroundAvailable", + "label": "Workaround" + } + ] + } + }, + "policyviolations": {}, + "origins": { + "name": "1.1.8.4", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3", + "externalNamespace": "maven", + "externalId": 
"org.xerial.snappy:snappy-java:1.1.8.4", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/2a30e2d4-f015-41ea-a99d-cc9bf22ef435/versions/ddb25abd-e395-4a37-84e0-4d57b9a5efd5/origins/d3ea4efd-bd80-4fe3-bd2b-73cb2f349eb3/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.xerial.snappy:snappy-java:1.1.8.4" + } + }, + { + "componentName": "Spring Boot", + "componentVersion": "2.7.18", + "releasedOn": "2023-11-23T08:05:22.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/ee1b331d-05e0-4bd1-b6ef-727c3b98e324/versions/a88a774b-ea36-4063-9d39-22728e86ff2c", + "versionid": "a88a774b-ea36-4063-9d39-22728e86ff2c", + "ctcid": "", + "checksum": "", + "componentid": "ee1b331d-05e0-4bd1-b6ef-727c3b98e324", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.7.18", + 
"origin": "https://citiopensourcehub31.citigroup.net/api/components/ee1b331d-05e0-4bd1-b6ef-727c3b98e324/versions/a88a774b-ea36-4063-9d39-22728e86ff2c/origins/df96b918-7d4a-4371-9382-be7f3272dbbb", + "externalNamespace": "maven", + "externalId": "org.springframework.boot:spring-boot-jarmode-layertools:2.7.18", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ee1b331d-05e0-4bd1-b6ef-727c3b98e324/versions/a88a774b-ea36-4063-9d39-22728e86ff2c/origins/df96b918-7d4a-4371-9382-be7f3272dbbb" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ee1b331d-05e0-4bd1-b6ef-727c3b98e324/versions/a88a774b-ea36-4063-9d39-22728e86ff2c/origins/df96b918-7d4a-4371-9382-be7f3272dbbb/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ee1b331d-05e0-4bd1-b6ef-727c3b98e324/versions/a88a774b-ea36-4063-9d39-22728e86ff2c/origins/df96b918-7d4a-4371-9382-be7f3272dbbb/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ee1b331d-05e0-4bd1-b6ef-727c3b98e324/versions/a88a774b-ea36-4063-9d39-22728e86ff2c/origins/df96b918-7d4a-4371-9382-be7f3272dbbb/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.springframework.boot:spring-boot-jarmode-layertools:2.7.18" + } + }, + { + "componentName": "Spring Commons Logging Bridge", + "componentVersion": "5.3.31", + "releasedOn": "2023-11-16T08:38:29.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": 
"https://citiopensourcehub31.citigroup.net/api/components/ecf27560-a36d-4183-bc5d-4f7566a5de6e/versions/baf8c17a-9364-4b41-be5a-e99cc1b739d9", + "versionid": "baf8c17a-9364-4b41-be5a-e99cc1b739d9", + "ctcid": "", + "checksum": "", + "componentid": "ecf27560-a36d-4183-bc5d-4f7566a5de6e", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "5.3.31", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/ecf27560-a36d-4183-bc5d-4f7566a5de6e/versions/baf8c17a-9364-4b41-be5a-e99cc1b739d9/origins/c7955e0b-26a8-402d-8d79-5806e961c6c2", + "externalNamespace": "maven", + "externalId": "org.springframework:spring-jcl:5.3.31", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ecf27560-a36d-4183-bc5d-4f7566a5de6e/versions/baf8c17a-9364-4b41-be5a-e99cc1b739d9/origins/c7955e0b-26a8-402d-8d79-5806e961c6c2" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/ecf27560-a36d-4183-bc5d-4f7566a5de6e/versions/baf8c17a-9364-4b41-be5a-e99cc1b739d9/origins/c7955e0b-26a8-402d-8d79-5806e961c6c2/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ecf27560-a36d-4183-bc5d-4f7566a5de6e/versions/baf8c17a-9364-4b41-be5a-e99cc1b739d9/origins/c7955e0b-26a8-402d-8d79-5806e961c6c2/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/ecf27560-a36d-4183-bc5d-4f7566a5de6e/versions/baf8c17a-9364-4b41-be5a-e99cc1b739d9/origins/c7955e0b-26a8-402d-8d79-5806e961c6c2/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.springframework:spring-jcl:5.3.31" + } + }, + { + "componentName": "Spring Framework", + 
"componentVersion": "5.3.31", + "releasedOn": "2023-11-16T08:38:41.000Z", + "critical": 1, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7", + "versionid": "7c281058-0549-4cac-b1d7-1118c0c903e7", + "ctcid": "", + "checksum": "", + "componentid": "09f17d81-b282-43ec-9f2b-36c8021d3ca7", + "matchedFiles": { + "totalCount": 1, + "items": [ + { + "filePath": { + "path": "/BOOT-INF/lib/spring-core-5.3.31.jar", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "compositePathContext": "/BOOT-INF/lib/spring-core-5.3.31.jar#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "fileName": "spring-core-5.3.31.jar" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + } + ], + "appliedFilters": [], + "_meta": {} + }, + "vulnerabilities": { + "totalCount": 1, + "items": [ + { + "id": "CVE-2016-1000027", + "summary": "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. 
The product's behavior will not be changed because some users rely on deserialization of trusted data.", + "publishedDate": "2020-01-02T23:15:11.857Z", + "lastModified": "2023-04-20T09:15:07.047Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-502" + ], + "cvss2": { + "baseScore": 7.5, + "impactSubscore": 6.4, + "exploitabilitySubscore": 10.0, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authentication": "NONE", + "confidentialityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "source": "NVD", + "severity": "HIGH", + "integrityImpact": "PARTIAL", + "vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)", + "overallScore": 7.5 + }, + "cvss3": { + "baseScore": 9.8, + "impactSubscore": 5.9, + "exploitabilitySubscore": 3.9, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "CRITICAL", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "overallScore": 9.8 + }, + "useCvss3": true, + "overallScore": 9.8, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + "bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2016-1000027" + }, + { + "rel": "unmatched-related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2016-1700", + "label": "BDSA-2016-1700" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/vulnerabilities/CVE-2016-1000027/remediation" + } + ] + }, + "name": "CVE-2016-1000027", + "description": "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data." 
+ } + ], + "appliedFilters": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/vulnerabilities", + "links": [ + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/vulnerability-filters?filterKey=exploitAvailable", + "name": "exploitAvailable", + "label": "Exploit" + }, + { + "rel": "range-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/vulnerability-filters?filterKey=securityRiskScore", + "name": "securityRiskScore", + "label": "Overall Score" + }, + { + "rel": "quick-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/vulnerability-filters?filterKey=reachable", + "name": "reachable", + "label": "Reachable" + }, + { + "rel": "static-filter", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/vulnerability-filters?filterKey=remediationType", + "name": "remediationType", + "label": "Remediation Status" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/vulnerability-filters?filterKey=solutionAvailable", + "name": "solutionAvailable", + "label": "Solution" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/vulnerability-filters?filterKey=workaroundAvailable", + "name": "workaroundAvailable", + "label": "Workaround" + } + ] + } + }, + "policyviolations": {}, + "origins": { + "name": "5.3.31", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806", + "externalNamespace": "maven", + "externalId": "org.springframework:spring-beans:5.3.31", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806" + }, + { + "rel": "matched-files", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/09f17d81-b282-43ec-9f2b-36c8021d3ca7/versions/7c281058-0549-4cac-b1d7-1118c0c903e7/origins/9a9183f9-356f-4761-9491-641e563fd806/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.springframework:spring-beans:5.3.31" + } + }, + { + "componentName": "Spring Kafka", + "componentVersion": "2.8.11", + "releasedOn": "2022-11-21T16:54:36.000Z", + "critical": 0, + "high": 1, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3", + "versionid": "757b2269-01ee-41c8-a6d6-d975506b8ce3", + "ctcid": "", + "checksum": "", + "componentid": "224ed982-2a2f-4e9f-aa76-563b8bbdb3e7", + "matchedFiles": { + "totalCount": 1, + "items": [ + { + "filePath": { + "path": "/BOOT-INF/lib/spring-kafka-2.8.11.jar", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "compositePathContext": "/BOOT-INF/lib/spring-kafka-2.8.11.jar#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "fileName": "spring-kafka-2.8.11.jar" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": 
"https://citiopensourcehub31.citigroup.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + } + ], + "appliedFilters": [], + "_meta": {} + }, + "vulnerabilities": { + "totalCount": 1, + "items": [ + { + "id": "CVE-2023-34040", + "summary": "In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * The user does not\u00a0configure an ErrorHandlingDeserializer for the key and/or value of the record\n * The user explicitly sets container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull container properties to true.\n * The user allows untrusted sources to publish to a Kafka topic\n\n\nBy default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. 
The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.\n\n\n", + "publishedDate": "2023-08-24T13:15:07.453Z", + "lastModified": "2023-10-18T17:56:38.093Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://citiopensourcehub31.citigroup.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-502" + ], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + "vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 7.8, + "impactSubscore": 5.9, + "exploitabilitySubscore": 1.8, + "attackVector": "LOCAL", + "attackComplexity": "LOW", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "HIGH", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "overallScore": 7.8 + }, + "useCvss3": true, + "overallScore": 7.8, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + "bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/CVE-2023-34040" + }, + { + "rel": "related-vulnerability", + "href": "https://citiopensourcehub31.citigroup.net/api/vulnerabilities/BDSA-2023-2569", + "label": "BDSA-2023-2569" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/vulnerabilities/CVE-2023-34040/remediation" + } + ] + }, + "name": "CVE-2023-34040", + "description": "In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * The user does not\u00a0configure an ErrorHandlingDeserializer for the key and/or value of the record\n * The user explicitly sets container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull container properties to true.\n * The user allows untrusted sources to publish to a Kafka topic\n\n\nBy default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. 
The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.\n\n\n" + } + ], + "appliedFilters": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/vulnerabilities", + "links": [ + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/vulnerability-filters?filterKey=exploitAvailable", + "name": "exploitAvailable", + "label": "Exploit" + }, + { + "rel": "range-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/vulnerability-filters?filterKey=securityRiskScore", + "name": "securityRiskScore", + "label": "Overall Score" + }, + { + "rel": "quick-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/vulnerability-filters?filterKey=reachable", + "name": "reachable", + "label": "Reachable" + }, + { + "rel": "static-filter", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/vulnerability-filters?filterKey=remediationType", + "name": "remediationType", + "label": "Remediation Status" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/vulnerability-filters?filterKey=solutionAvailable", + "name": "solutionAvailable", + "label": "Solution" + }, + { + "rel": "static-filter", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/vulnerability-filters?filterKey=workaroundAvailable", + "name": "workaroundAvailable", + "label": "Workaround" + } + ] + } + }, + "policyviolations": {}, + "origins": { + "name": "2.8.11", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e", + "externalNamespace": "maven", + "externalId": "org.springframework.kafka:spring-kafka:2.8.11", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e" + }, + { + "rel": "matched-files", + "href": 
"https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/224ed982-2a2f-4e9f-aa76-563b8bbdb3e7/versions/757b2269-01ee-41c8-a6d6-d975506b8ce3/origins/b359b614-cc07-4868-b0a6-2edaffd42a3e/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.springframework.kafka:spring-kafka:2.8.11" + } + }, + { + "componentName": "spring-retry", + "componentVersion": "1.3.4", + "releasedOn": "2022-10-14T07:47:09.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/a25e4d6f-d9c7-4f21-a8da-9f1382772e42/versions/3a5296e6-4e11-460f-be4f-794994f05151", + "versionid": "3a5296e6-4e11-460f-be4f-794994f05151", + "ctcid": "", + "checksum": "", + "componentid": "a25e4d6f-d9c7-4f21-a8da-9f1382772e42", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "1.3.4", + "origin": "https://citiopensourcehub31.citigroup.net/api/components/a25e4d6f-d9c7-4f21-a8da-9f1382772e42/versions/3a5296e6-4e11-460f-be4f-794994f05151/origins/fb591807-3a61-4a96-b80a-87f8b832a283", + "externalNamespace": "maven", + "externalId": "org.springframework.retry:spring-retry:1.3.4", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + 
"rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/a25e4d6f-d9c7-4f21-a8da-9f1382772e42/versions/3a5296e6-4e11-460f-be4f-794994f05151/origins/fb591807-3a61-4a96-b80a-87f8b832a283" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/a25e4d6f-d9c7-4f21-a8da-9f1382772e42/versions/3a5296e6-4e11-460f-be4f-794994f05151/origins/fb591807-3a61-4a96-b80a-87f8b832a283/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/a25e4d6f-d9c7-4f21-a8da-9f1382772e42/versions/3a5296e6-4e11-460f-be4f-794994f05151/origins/fb591807-3a61-4a96-b80a-87f8b832a283/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/a25e4d6f-d9c7-4f21-a8da-9f1382772e42/versions/3a5296e6-4e11-460f-be4f-794994f05151/origins/fb591807-3a61-4a96-b80a-87f8b832a283/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.springframework.retry:spring-retry:1.3.4" + } + }, + { + "componentName": "zstd-jni", + "componentVersion": "1.5.0-4", + "releasedOn": "2021-07-21T11:42:54.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "HIGH", + "licenseRisk": "MEDIUM", + "license": "BSD 2-clause \"Simplified\" License", + "ownership": "OPEN_SOURCE", + "kburl": "https://citiopensourcehub31.citigroup.net/api/components/c519291b-7070-4246-83c4-19b1eabeb343/versions/b0fa52aa-92f8-4d8c-b8dd-58912e29a4cb", + "versionid": "b0fa52aa-92f8-4d8c-b8dd-58912e29a4cb", + "ctcid": "", + "checksum": "", + "componentid": "c519291b-7070-4246-83c4-19b1eabeb343", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "1.5.0-4", + "origin": 
"https://citiopensourcehub31.citigroup.net/api/components/c519291b-7070-4246-83c4-19b1eabeb343/versions/b0fa52aa-92f8-4d8c-b8dd-58912e29a4cb/origins/26af957b-38d9-476f-b215-d5b933af0ef5", + "externalNamespace": "maven", + "externalId": "com.github.luben:zstd-jni:1.5.0-4", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://citiopensourcehub31.citigroup.net/api/components/c519291b-7070-4246-83c4-19b1eabeb343/versions/b0fa52aa-92f8-4d8c-b8dd-58912e29a4cb/origins/26af957b-38d9-476f-b215-d5b933af0ef5" + }, + { + "rel": "matched-files", + "href": "https://citiopensourcehub31.citigroup.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/c519291b-7070-4246-83c4-19b1eabeb343/versions/b0fa52aa-92f8-4d8c-b8dd-58912e29a4cb/origins/26af957b-38d9-476f-b215-d5b933af0ef5/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://citiopensourcehub31.citigroup.net/api/components/c519291b-7070-4246-83c4-19b1eabeb343/versions/b0fa52aa-92f8-4d8c-b8dd-58912e29a4cb/origins/26af957b-38d9-476f-b215-d5b933af0ef5/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://citiopensourcehub31.citigroup.net/api/components/c519291b-7070-4246-83c4-19b1eabeb343/versions/b0fa52aa-92f8-4d8c-b8dd-58912e29a4cb/origins/26af957b-38d9-476f-b215-d5b933af0ef5/copyrights" + } + ] + }, + "originName": "maven", + "originId": "com.github.luben:zstd-jni:1.5.0-4" + } + } + ] +} \ No newline at end of file diff --git a/components/producers/blackduck/kustomization.yaml b/components/producers/blackduck/kustomization.yaml new file mode 100644 index 000000000..ccaa796fa --- /dev/null +++ b/components/producers/blackduck/kustomization.yaml 
@@ -0,0 +1,144 @@ +# DO NOT EDIT. Code generated by: +# github.com/ocurity/dracon//build/tools/kustomize-component-generator. + +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - task.yaml +patches: + # Add the Task to the Tekton Pipeline. + - patch: | + apiVersion: tekton.dev/v1beta1 + kind: Pipeline + metadata: + name: unused + spec: + workspaces: + - name: source-code-ws + tasks: + - name: producer-golang-gosec + taskRef: + name: producer-golang-gosec + workspaces: + - name: source-code-ws + workspace: source-code-ws + params: + - name: producer-golang-gosec-flags + value: + - $(params.producer-golang-gosec-flags) + params: + - name: producer-golang-gosec-flags + type: array + default: + - -r + - -quiet + - -sort + - -nosec + target: + kind: Pipeline + # Add anchors to Task. + - patch: | + apiVersion: tekton.dev/v1beta1 + kind: Task + metadata: + name: producer-golang-gosec + labels: + v1.dracon.ocurity.com/component: producer + spec: + params: + - name: anchors + type: array + description: A list of tasks that this task depends on using their anchors. + default: [] + results: + - name: anchor + description: An anchor to allow other tasks to depend on this task. + steps: + - name: anchor + image: docker.io/busybox:1.35.0 + script: echo "$(context.task.name)" > "$(results.anchor.path)" + target: + kind: Task + name: producer-golang-gosec + # If we have a `source` task in the pipeline (added by a `source` component), + # depend on the completion of that source by referencing its anchor. 
+ - patch: | + apiVersion: tekton.dev/v1beta1 + kind: Pipeline + metadata: + name: unused + spec: + tasks: + - name: producer-golang-gosec + params: + - name: anchors + value: + - $(tasks.source.results.anchor) + target: + kind: Pipeline + annotationSelector: v1.dracon.ocurity.com/has-source=true + # If we have a producer-aggregator task in the pipeline (added by the + # producer-aggregator component), make it depend on the completion of this + # producer. + - patch: | + apiVersion: tekton.dev/v1beta1 + kind: Pipeline + metadata: + name: unused + spec: + tasks: + - name: producer-aggregator + params: + - name: anchors + value: + - $(tasks.producer-golang-gosec.results.anchor) + target: + kind: Pipeline + annotationSelector: v1.dracon.ocurity.com/has-producer-aggregator=true + # Add scan information to Task. + - patch: | + apiVersion: tekton.dev/v1beta1 + kind: Task + metadata: + name: producer-golang-gosec + labels: + v1.dracon.ocurity.com/component: producer + spec: + params: + - name: dracon_scan_id + type: string + - name: dracon_scan_start_time + type: string + steps: + - name: run-gosec + image: docker.io/securego/gosec:2.15.0 + env: + - name: DRACON_SCAN_TIME + value: $(params.dracon_scan_start_time) + - name: DRACON_SCAN_ID + value: $(params.dracon_scan_id) + - name: produce-issues + image: ghcr.io/ocurity/dracon/components/producers/golang-gosec/image:latest + env: + - name: DRACON_SCAN_TIME + value: $(params.dracon_scan_start_time) + - name: DRACON_SCAN_ID + value: $(params.dracon_scan_id) + target: + kind: Task + name: producer-golang-gosec + - patch: | + apiVersion: tekton.dev/v1beta1 + kind: Pipeline + metadata: + name: unused + spec: + tasks: + - name: producer-golang-gosec + params: + - name: dracon_scan_id + value: $(tasks.base.results.dracon-scan-id) + - name: dracon_scan_start_time + value: $(tasks.base.results.dracon-scan-start-time) + target: + kind: Pipeline 
diff --git a/components/producers/blackduck/main.go
new file mode 100644
index 000000000..ddcb1e40e
--- /dev/null
+++ b/components/producers/blackduck/main.go
@@ -0,0 +1,204 @@
+package main
+
+import (
+ "fmt"
+ "log"
+ "strconv"
+ "strings"
+ "time"
+
+ v1 "github.com/ocurity/dracon/api/proto/v1"
+
+ "github.com/ocurity/dracon/components/producers"
+ packageurl "github.com/package-url/packageurl-go"
+)
+
+func main() {
+ if err := producers.ParseFlags(); err != nil {
+ log.Fatal(err)
+ }
+
+ inFile, err := producers.ReadInFile()
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ var results BlackduckOut
+ if err := producers.ParseJSON(inFile, &results); err != nil {
+ log.Fatal(err)
+ }
+
+ issues, err := parseIssues(&results)
+ if err != nil {
+ log.Fatal(err)
+ }
+ if err := producers.WriteDraconOut(
+ "gosec",
+ issues,
+ ); err != nil {
+ log.Fatal(err)
+ }
+}
+
+func cweIdsToInt(ids []string) []int32 {
+ res := []int32{}
+ for _, id := range ids {
+ newID := strings.ReplaceAll(id, "CWE-", "")
+ newIntID, err := strconv.Atoi(newID)
+ if err != nil {
+ log.Println(err)
+ continue
+ }
+ res = append(res, int32(newIntID))
+ }
+ return res
+}
+
+func BDTargetToPurl(originName, originID string) string {
+ splitOrigin := strings.Split(originID, ":")
+ return packageurl.NewPackageURL(originName, splitOrigin[0], splitOrigin[1], splitOrigin[2], packageurl.Qualifiers{}, "").ToString()
+}
+
+func parseIssues(out *BlackduckOut) ([]*v1.Issue, error) {
+ issues := []*v1.Issue{}
+ for _, r := range out.Data {
+ for _, vuln := range r.Vulnerabilities.Items {
+ cwe := cweIdsToInt(vuln.CweIds)
+ severity := v1.Severity_SEVERITY_UNSPECIFIED
+ if vuln.UseCvss3 {
+ switch vuln.Cvss3.Severity {
+ case "CRITICAL":
+ severity = v1.Severity_SEVERITY_CRITICAL
+ case "HIGH":
+ severity = v1.Severity_SEVERITY_HIGH
+ case "MEDIUM":
+ severity = v1.Severity_SEVERITY_MEDIUM
+ case "LOW":
+ severity = v1.Severity_SEVERITY_LOW
+ case "INFO":
+ severity = v1.Severity_SEVERITY_INFO
+ case "UNASSIGNED":
+ severity = v1.Severity_SEVERITY_UNSPECIFIED
+ }
+ }
+ cve := ""
+ if !strings.HasPrefix(vuln.Name, "CVE") {
+ for _, metaLink := range vuln.Meta.Links {
+ if strings.HasPrefix(metaLink.Label, "CVE") {
+ cve = metaLink.Label
+ }
+ }
+ } else {
+ cve = vuln.Name
+ }
+ description := fmt.Sprintf("%s\nSolution Available: %t\nWorkaround Available: %t\nExploit Available: %t\nOriginal Description: %s", vuln.Summary, vuln.SolutionAvailable, vuln.WorkaroundAvailable, vuln.ExploitAvailable, vuln.Description)
+ iss := &v1.Issue{
+ Cvss: vuln.Cvss3.OverallScore,
+ Cwe: cwe,
+ Cve: cve,
+ Target: BDTargetToPurl(r.Origins.OriginName, r.Origins.OriginID),
+ Type: vuln.ID,
+ Title: vuln.Summary,
+ Severity: severity,
+ Confidence: v1.Confidence_CONFIDENCE_UNSPECIFIED,
+ Description: description,
+ }
+ issues = append(issues, iss)
+
+ }
+ }
+
+ return issues, nil
+}
+
+// BlackduckOut models the output of a blackduck scan
+type BlackduckOut struct {
+ TotalComponentsFound int `json:"totalComponentsFound,omitempty"`
+ MatchedFlag bool `json:"matchedFlag,omitempty"`
+ Headers []string `json:"headers,omitempty"`
+ Appid string `json:"appid,omitempty"`
+ Appname string `json:"appname,omitempty"`
+ Releaseid string `json:"releaseid,omitempty"`
+ ProjectID string `json:"projectId,omitempty"`
+ Data []struct {
+ ComponentName string `json:"componentName,omitempty"`
+ ComponentVersion string `json:"componentVersion,omitempty"`
+ Componentid string `json:"componentid,omitempty"`
+ MatchedFiles struct {
+ Items []struct {
+ FilePath struct {
+ Path string `json:"path,omitempty"`
+ ArchiveContext string `json:"archiveContext,omitempty"`
+ CompositePathContext string `json:"compositePathContext,omitempty"`
+ FileName string `json:"fileName,omitempty"`
+ } `json:"filePath,omitempty"`
+ Usages []string `json:"usages,omitempty"`
+ } `json:"items,omitempty"`
+ } `json:"matchedFiles,omitempty"`
+ Vulnerabilities struct {
+ Items []struct {
+ ID string `json:"id,omitempty"`
+ Summary string `json:"summary,omitempty"`
+ PublishedDate time.Time `json:"publishedDate,omitempty"`
+ LastModified time.Time `json:"lastModified,omitempty"`
+ Source string `json:"source,omitempty"`
+ RemediationStatus string `json:"remediationStatus,omitempty"`
+ CreatedAt time.Time `json:"createdAt,omitempty"`
+ UpdatedAt time.Time `json:"updatedAt,omitempty"`
+ CreatedBy struct {
+ UserName string `json:"userName,omitempty"`
+ FirstName string `json:"firstName,omitempty"`
+ LastName string `json:"lastName,omitempty"`
+ User string `json:"user,omitempty"`
+ } `json:"createdBy,omitempty"`
+ UpdatedBy struct {
+ UserName string `json:"userName,omitempty"`
+ FirstName string `json:"firstName,omitempty"`
+ LastName string `json:"lastName,omitempty"`
+ User string `json:"user,omitempty"`
+ } `json:"updatedBy,omitempty"`
+ CweIds []string `json:"cweIds,omitempty"`
+ Cvss3 struct {
+ Severity string `json:"severity,omitempty"`
+ Vector string `json:"vector,omitempty"`
+ OverallScore float64 `json:"overallScore,omitempty"`
+ } `json:"cvss3,omitempty"`
+ UseCvss3 bool `json:"useCvss3,omitempty"`
+ OverallScore float64 `json:"overallScore,omitempty"`
+ SolutionAvailable bool `json:"solutionAvailable,omitempty"`
+ WorkaroundAvailable bool `json:"workaroundAvailable,omitempty"`
+ ExploitAvailable bool `json:"exploitAvailable,omitempty"`
+ BdsaTags []string `json:"bdsaTags,omitempty"`
+ Meta struct {
+ Allow []string `json:"allow,omitempty"`
+ Href string `json:"href,omitempty"`
+ Links []struct {
+ Rel string `json:"rel,omitempty"`
+ Href string `json:"href,omitempty"`
+ Label string `json:"label,omitempty"`
+ } `json:"links,omitempty"`
+ } `json:"_meta,omitempty"`
+ Name string `json:"name,omitempty"`
+ Description string `json:"description,omitempty"`
+ } `json:"items,omitempty"`
+ AppliedFilters []any `json:"appliedFilters,omitempty"`
+ } `json:"vulnerabilities,omitempty"`
+ Policyviolations struct{} `json:"policyviolations,omitempty"`
+ Origins struct {
+ Name string `json:"name,omitempty"`
+ Origin string `json:"origin,omitempty"`
+ ExternalNamespace string `json:"externalNamespace,omitempty"`
+ ExternalID string `json:"externalId,omitempty"`
+ ExternalNamespaceDistribution bool `json:"externalNamespaceDistribution,omitempty"`
+ Meta struct {
+ Allow []any `json:"allow,omitempty"`
+ Links []struct {
+ Rel string `json:"rel,omitempty"`
+ Href string `json:"href,omitempty"`
+ } `json:"links,omitempty"`
+ } `json:"_meta,omitempty"`
+ OriginName string `json:"originName,omitempty"`
+ OriginID string `json:"originId,omitempty"`
+ } `json:"origins,omitempty"`
+ } `json:"data,omitempty"`
+}
diff --git a/components/producers/blackduck/main_test.go
new file mode 100644
index 000000000..817fd8dc9
--- /dev/null
+++ b/components/producers/blackduck/main_test.go
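Review bot: `BDTargetToPurl` reads `splitOrigin[0]`, `[1]` and `[2]` without checking that `strings.Split` produced three parts, so an `originId` that is empty (a component with no `origins` entry yields `[""]`) or not shaped `group:artifact:version` panics the whole producer with an index-out-of-range; the scan output is external input and one odd component should not abort the run. I would guard the split and fall back to the raw id as shown below; note also that `originName` is passed through verbatim as the purl type, which is right for `maven` but should be checked against the purl type names for other Black Duck namespaces before trusting it. Separately, `producers.WriteDraconOut("gosec", issues)` in `main` stamps every Black Duck finding with the gosec tool name, which mislabels them for anything downstream keyed on tool — it should be `"blackduck"` (the kustomization in this same commit likewise registers `producer-golang-gosec` and the gosec image, so this looks like a copy-paste from the gosec producer). A smaller point: `Cvss: vuln.Cvss3.OverallScore` is zero whenever `useCvss3` is false, while the parsed top-level `vuln.OverallScore` carries the score Black Duck reports in either case and would be the safer source.

```go
// BDTargetToPurl converts a Black Duck origin into a package URL. A malformed
// originId is returned as-is so one odd component cannot abort the producer.
func BDTargetToPurl(originName, originID string) string {
	parts := strings.Split(originID, ":")
	if len(parts) != 3 {
		log.Printf("unexpected originId %q for namespace %q, using it verbatim", originID, originName)
		return originID
	}
	return packageurl.NewPackageURL(originName, parts[0], parts[1], parts[2], packageurl.Qualifiers{}, "").ToString()
}
```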
@@ -0,0 +1,571 @@ +package main + +import ( + "encoding/json" + "testing" + + v1 "github.com/ocurity/dracon/api/proto/v1" + + "github.com/stretchr/testify/assert" +) + +func TestParseIssues(t *testing.T) { + var results BlackduckOut + err := json.Unmarshal([]byte(BDOut), &results) + assert.Nil(t, err) + + issues, err := parseIssues(&results) + assert.Nil(t, err) + // cwe0 := []int32{400} + // cwe1 := []int32{601, 918} + expectedIssue := []*v1.Issue{ + { + Target: "pkg:maven/org.apache.tomcat/tomcat-annotations-api@9.0.81", + Type: "CVE-2023-46589", + Title: "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11\u00a0onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\n\n", + Severity: 4, + Cvss: 7.5, + Description: "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11\u00a0onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\n\n\nSolution Available: false\nWorkaround Available: false\nExploit Available: false\nOriginal Description: Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11\u00a0onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\n\n", + Cve: "CVE-2023-46589", + Cwe: []int32{444}, + }, + { + Target: "pkg:maven/org.apache.kafka/kafka-clients@3.1.2", + Type: "BDSA-2023-0235", + Title: "Apache Kafka is vulnerable to remote code execution (RCE) due to insecure handling of untrusted serialized data sent using the Kafka REST API. This could allow an attacker to supply crafted data to execute Java deserialization gadget chains on the Kafka connect server.", + Severity: 4, + Cvss: 7.9, + Description: "Apache Kafka is vulnerable to remote code execution (RCE) due to insecure handling of untrusted serialized data sent using the Kafka REST API. 
This could allow an attacker to supply crafted data to execute Java deserialization gadget chains on the Kafka connect server.\nSolution Available: true\nWorkaround Available: false\nExploit Available: true\nOriginal Description: Apache Kafka is vulnerable to remote code execution (RCE) due to insecure handling of untrusted serialized data sent using the Kafka REST API. This could allow an attacker to supply crafted data to execute Java deserialization gadget chains on the Kafka connect server.", + Cve: "CVE-2023-25194", + Cwe: []int32{502}, + }, + } + assert.Equal(t, expectedIssue, issues) +} + +var BDOut = `{ + "hubUILink": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components", + "hubAPILink": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components", + "versionId": "0e7a2872-230f-4eee-a9f0-b18e1c50c2d3", + "totalComponentsFound": 30, + "matchedFlag": true, + "headers": [ + "ComponentName", + "ComponentVersion", + "Critical", + "High", + "Medium", + "Low", + "Operational Risk", + "License Risk", + "License" + ], + "summary": { + "securityRisksSeverityCritical": 1, + "securityRisksSeverityHigh": 9, + "securityRisksSeverityMedium": 1, + "securityRisksSeverityLow": 0, + "licenseRisksSeverityHigh": 0, + "licenseRisksSeverityMedium": 4, + "licenseRisksSeverityLow": 0, + "operationRisksSeverityHigh": 4, + "operationRisksSeverityMedium": 3, + "operationRisksSeverityLow": 22, + "quarantineEligibleFlag": true, + "scanStartTime": "2024-01-18T17:07:01.596Z", + "scanCompleteTime": "2024-01-18T17:07:13.284Z" + }, + "scanId": "ed8590ff-1d07-4a91-8453-d0a8abd792a3", + "appid": "171845", + "appname": "dtliveupdateconsumer", + "releaseid": "LatestProductionDeployedScan", + "projectId": "eec0e9a7-d2e5-41e7-97b2-f91c46df9685", + "data": [ + { + "componentName": "Apache Tomcat", + "componentVersion": 
"9.0.81", + "releasedOn": "2023-10-10T01:10:06.000Z", + "critical": 0, + "high": 1, + "medium": 0, + "low": 0, + "operationalRisk": "LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://foo.opensourcehub31.blah.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945", + "versionid": "fcaa4dea-eaed-48f0-85af-feb369a58945", + "ctcid": "", + "checksum": "", + "componentid": "5a7e1c49-9a98-4393-b4e0-8011122bbe2f", + "matchedFiles": { + "totalCount": 1, + "items": [ + { + "filePath": { + "path": "/javax/", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/jakarta.annotation-api-1.3.5.jar!/", + "compositePathContext": "/javax/#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/BOOT-INF/lib/jakarta.annotation-api-1.3.5.jar!/", + "fileName": "javax" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": "https://foo.opensourcehub31.blah.net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + } + ], + "appliedFilters": [], + "_meta": {} + }, + "vulnerabilities": { + "totalCount": 1, + "items": [ + { + "id": "CVE-2023-46589", + "summary": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11\u00a0onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\n\n", + "publishedDate": "2023-11-28T16:15:06.943Z", + "lastModified": "2024-01-05T11:15:09.847Z", + "source": "NVD", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://foo.opensourcehub31.blah.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://foo.opensourcehub31.blah.net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-444" + ], + "cvss2": { + "baseScore": 0.0, + "impactSubscore": 0.0, + "exploitabilitySubscore": 1.2, + "accessVector": "LOCAL", + "accessComplexity": "HIGH", + "authentication": "MULTIPLE", + "confidentialityImpact": "NONE", + "availabilityImpact": "NONE", + "source": "NVD", + "severity": "LOW", + "integrityImpact": "NONE", + "vector": "(AV:L/AC:H/Au:M/C:N/I:N/A:N)", + "overallScore": 0.0 + }, + "cvss3": { + "baseScore": 7.5, + "impactSubscore": 3.6, + "exploitabilitySubscore": 3.9, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "NVD", + "severity": "HIGH", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "overallScore": 7.5 + }, + "useCvss3": true, + "overallScore": 7.5, + "solutionAvailable": false, + "workaroundAvailable": false, + "exploitAvailable": false, + 
"bdsaTags": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://foo.opensourcehub31.blah.net/api/vulnerabilities/CVE-2023-46589" + }, + { + "rel": "related-vulnerability", + "href": "https://foo.opensourcehub31.blah.net/api/vulnerabilities/BDSA-2023-3298", + "label": "BDSA-2023-3298" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerabilities/CVE-2023-46589/remediation" + } + ] + }, + "name": "CVE-2023-46589", + "description": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11\u00a0onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\n\n" + } + ], + "appliedFilters": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerabilities", + "links": [ + { + "rel": "static-filter", + "href": "https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=exploitAvailable", + "name": "exploitAvailable", + "label": "Exploit" + }, + { + "rel": "range-filter", + "href": "https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=securityRiskScore", + "name": "securityRiskScore", + "label": "Overall Score" + }, + { + "rel": "quick-filter", + "href": "https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=reachable", + "name": "reachable", + "label": "Reachable" + }, + { + 
"rel": "static-filter", + "href": "https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=remediationType", + "name": "remediationType", + "label": "Remediation Status" + }, + { + "rel": "static-filter", + "href": "https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=solutionAvailable", + "name": "solutionAvailable", + "label": "Solution" + }, + { + "rel": "static-filter", + "href": "https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/vulnerability-filters?filterKey=workaroundAvailable", + "name": "workaroundAvailable", + "label": "Workaround" + } + ] + } + }, + "policyviolations": {}, + "origins": { + "name": "9.0.81", + "origin": "https://foo.opensourcehub31.blah.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d", + "externalNamespace": "maven", + "externalId": "org.apache.tomcat:tomcat-annotations-api:9.0.81", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://foo.opensourcehub31.blah.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d" + }, + { + "rel": "matched-files", + "href": 
"https://foo.opensourcehub31.blah.net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://foo.opensourcehub31.blah.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://foo.opensourcehub31.blah.net/api/components/5a7e1c49-9a98-4393-b4e0-8011122bbe2f/versions/fcaa4dea-eaed-48f0-85af-feb369a58945/origins/82f84e5d-1ac9-4812-9159-701a9fb07c3d/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.apache.tomcat:tomcat-annotations-api:9.0.81" + } + },{ + "componentName": "Apache Kafka", + "componentVersion": "3.1.2", + "releasedOn": "2022-09-09T20:08:36.000Z", + "critical": 0, + "high": 1, + "medium": 0, + "low": 0, + "operationalRisk": "LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://foo.opensourcehub31.foo..net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa", + "versionid": "b54827b4-ee6f-4204-9f13-f3504e064efa", + "ctcid": "", + "checksum": "", + "componentid": "05248305-719c-4b7d-a693-0b1a7992b4ec", + "matchedFiles": { + "totalCount": 1, + "items": [ + { + "filePath": { + "path": "/BOOT-INF/lib/kafka-clients-3.1.2.jar", + "archiveContext": "extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "compositePathContext": "/BOOT-INF/lib/kafka-clients-3.1.2.jar#extractedContent/dtwebhook/webhook/dtliveupdateconsumer.jar!/", + "fileName": "kafka-clients-3.1.2.jar" + }, + "usages": [ + "DYNAMICALLY_LINKED" + ], + "_meta": { + "links": [ + { + "rel": "codelocations", + "href": 
"https://foo.opensourcehub31.foo..net/api/codelocations/c10e650e-5257-44f2-a0e7-ad5694c5dcf8" + } + ] + } + } + ], + "appliedFilters": [], + "_meta": {} + }, + "vulnerabilities": { + "totalCount": 1, + "items": [ + { + "id": "BDSA-2023-0235", + "summary": "Apache Kafka is vulnerable to remote code execution (RCE) due to insecure handling of untrusted serialized data sent using the Kafka REST API. This could allow an attacker to supply crafted data to execute Java deserialization gadget chains on the Kafka connect server.", + "publishedDate": "2023-02-09T12:35:59.049Z", + "lastModified": "2023-02-09T12:35:59.037Z", + "source": "BDSA", + "remediationStatus": "NEW", + "createdAt": "2024-01-18T17:07:20.083Z", + "updatedAt": "2024-01-18T17:07:20.083Z", + "createdBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://foo.opensourcehub31.foo..net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "updatedBy": { + "userName": "eb_bd_fid", + "firstName": "eb_bd_fid", + "lastName": "eb_bd_fid", + "user": "https://foo.opensourcehub31.foo..net/api/users/c5c8c47c-32c6-424e-b199-f9c154bf26fa" + }, + "cweIds": [ + "CWE-502" + ], + "cvss2": { + "baseScore": 6.5, + "impactSubscore": 6.4, + "exploitabilitySubscore": 8.0, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authentication": "SINGLE", + "confidentialityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "temporalMetrics": { + "exploitability": "PROOF_OF_CONCEPT", + "remediationLevel": "OFFICIAL_FIX", + "reportConfidence": "CONFIRMED", + "score": 5.1 + }, + "source": "BDSA", + "severity": "MEDIUM", + "integrityImpact": "PARTIAL", + "vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C)", + "overallScore": 5.1 + }, + "cvss3": { + "baseScore": 8.8, + "impactSubscore": 5.9, + "exploitabilitySubscore": 2.8, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": 
"HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "source": "BDSA", + "severity": "HIGH", + "temporalMetrics": { + "exploitCodeMaturity": "PROOF_OF_CONCEPT", + "remediationLevel": "OFFICIAL_FIX", + "reportConfidence": "CONFIRMED", + "score": 7.9 + }, + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "overallScore": 7.9 + }, + "useCvss3": true, + "overallScore": 7.9, + "solutionAvailable": true, + "workaroundAvailable": false, + "exploitAvailable": true, + "bdsaTags": [ + "RCE" + ], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerabilities", + "links": [ + { + "rel": "vulnerability", + "href": "https://foo.opensourcehub31.foo..net/api/vulnerabilities/BDSA-2023-0235" + }, + { + "rel": "unmatched-related-vulnerability", + "href": "https://foo.opensourcehub31.foo..net/api/vulnerabilities/CVE-2023-25194", + "label": "CVE-2023-25194" + }, + { + "rel": "vulnerability-with-remediation", + "href": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerabilities/BDSA-2023-0235/remediation" + } + ] + }, + "name": "BDSA-2023-0235", + "description": "Apache Kafka is vulnerable to remote code execution (RCE) due to insecure handling of untrusted serialized data sent using the Kafka REST API. This could allow an attacker to supply crafted data to execute Java deserialization gadget chains on the Kafka connect server." 
+ } + ], + "appliedFilters": [], + "_meta": { + "allow": [ + "GET" + ], + "href": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerabilities", + "links": [ + { + "rel": "static-filter", + "href": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=exploitAvailable", + "name": "exploitAvailable", + "label": "Exploit" + }, + { + "rel": "range-filter", + "href": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=securityRiskScore", + "name": "securityRiskScore", + "label": "Overall Score" + }, + { + "rel": "quick-filter", + "href": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=reachable", + "name": "reachable", + "label": "Reachable" + }, + { + "rel": "static-filter", + "href": 
"https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=remediationType", + "name": "remediationType", + "label": "Remediation Status" + }, + { + "rel": "static-filter", + "href": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=solutionAvailable", + "name": "solutionAvailable", + "label": "Solution" + }, + { + "rel": "static-filter", + "href": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/vulnerability-filters?filterKey=workaroundAvailable", + "name": "workaroundAvailable", + "label": "Workaround" + } + ] + } + }, + "policyviolations": {}, + "origins": { + "name": "3.1.2", + "origin": "https://foo.opensourcehub31.foo..net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2", + "externalNamespace": "maven", + "externalId": "org.apache.kafka:kafka-clients:3.1.2", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": "https://foo.opensourcehub31.foo..net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2" + }, + { + "rel": "matched-files", + "href": 
"https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://foo.opensourcehub31.foo..net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://foo.opensourcehub31.foo..net/api/components/05248305-719c-4b7d-a693-0b1a7992b4ec/versions/b54827b4-ee6f-4204-9f13-f3504e064efa/origins/abc9553b-a18b-4709-8914-fc6b8e7ba6c2/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.apache.kafka:kafka-clients:3.1.2" + } + }, + { + "componentName": "Apache Log4j", + "componentVersion": "2.17.2", + "releasedOn": "2022-02-27T18:35:56.000Z", + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "operationalRisk": "LOW", + "licenseRisk": "", + "license": "Apache License 2.0", + "ownership": "OPEN_SOURCE", + "kburl": "https://foo.opensourcehub31.foo..net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140", + "versionid": "86f3974b-d17a-4bc7-8592-61a618a0e140", + "ctcid": "", + "checksum": "", + "componentid": "7460c937-f013-4c3a-bdf3-ace04cfd0304", + "matchedFiles": {}, + "vulnerabilities": {}, + "policyviolations": {}, + "origins": { + "name": "2.17.2", + "origin": "https://foo.opensourcehub31.foo..net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b", + "externalNamespace": "maven", + "externalId": "org.apache.logging.log4j:log4j-core:2.17.2", + "externalNamespaceDistribution": false, + "_meta": { + "allow": [], + "links": [ + { + "rel": "origin", + "href": 
"https://foo.opensourcehub31.foo..net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b" + }, + { + "rel": "matched-files", + "href": "https://foo.opensourcehub31.foo..net/api/projects/eec0e9a7-d2e5-41e7-97b2-f91c46df9685/versions/0e7a2872-230f-4eee-a9f0-b18e1c50c2d3/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b/matched-files" + }, + { + "rel": "upgrade-guidance", + "href": "https://foo.opensourcehub31.foo..net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b/upgrade-guidance" + }, + { + "rel": "component-origin-copyrights", + "href": "https://foo.opensourcehub31.foo..net/api/components/7460c937-f013-4c3a-bdf3-ace04cfd0304/versions/86f3974b-d17a-4bc7-8592-61a618a0e140/origins/f6b76814-4d31-459b-9eb8-56802c29a16b/copyrights" + } + ] + }, + "originName": "maven", + "originId": "org.apache.logging.log4j:log4j-core:2.17.2" + } + } + ] +}` diff --git a/components/producers/blackduck/task.yaml b/components/producers/blackduck/task.yaml new file mode 100644 index 000000000..ef50caf80 --- /dev/null +++ b/components/producers/blackduck/task.yaml 
@@ -0,0 +1,26 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: producer-blackduck
+  labels:
+    v1.dracon.ocurity.com/component: producer
+spec:
+  volumes:
+    - name: scratch
+      emptyDir: {}
+  workspaces:
+    - name: source-code-ws
+      description: The workspace containing the source-code to scan.
+  steps:
+
+    - name: produce-issues
+      imagePullPolicy: IfNotPresent
+      image: ghcr.io/ocurity/dracon/components/producers/blackduck/image:latest
+      command: ["app/components/producers/blackduck/blackduck-parser"]
+      args:
+        - "-in=/scratch/out.json"
+        - "-out=$(workspaces.source-code-ws.path)/.dracon/producers/blackduck.pb"
+      volumeMounts:
+        - mountPath: /scratch
+          name: scratch
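Review bot: The only step reads `-in=/scratch/out.json` from the `scratch` emptyDir volume, but nothing in this task writes that file — an emptyDir starts empty, so the parser will run against a missing input unless a preceding step (or a parameter pointing at the Black Duck report inside the workspace) is added; the blank line left after `steps:` looks like the spot where such a step was meant to go. The image is also pulled by the mutable `:latest` tag with `imagePullPolicy: IfNotPresent`, so which parser binary processes the scanner output depends on whatever the node happens to have cached; pin it by digest, `image: ghcr.io/ocurity/dracon/components/producers/blackduck/image@sha256:<DIGEST>`, or at least by a release tag, so the step is reproducible and auditable. Dropping the stray empty line after `steps:` would also keep the manifest consistent with the rest of the file.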