Merge branch 'main' into adv-fix-scorecard-5.0.0-r4

wolfi-dev · Dec 22, 2024 · 4d42e94 · 4d42e94
2 parents 937a837 + 0be5b77
commit 4d42e94
Show file tree

Hide file tree

Showing 14 changed files with 94 additions and 0 deletions.
diff --git a/glow.advisories.yaml b/glow.advisories.yaml
@@ -65,6 +65,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/glow
             scanner: grype
+      - timestamp: 2024-12-22T13:38:48Z
+        type: fixed
+        data:
+          fixed-version: 2.0.0-r3
 
   - id: CGA-mxwc-74fh-p77h
     aliases:

diff --git a/hugo-extended.advisories.yaml b/hugo-extended.advisories.yaml
@@ -64,6 +64,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/hugo
             scanner: grype
+      - timestamp: 2024-12-21T18:18:04Z
+        type: fixed
+        data:
+          fixed-version: 0.140.0-r1
 
   - id: CGA-4r74-w9mc-9hvw
     aliases:

diff --git a/kubeadm-controlplane-controller.advisories.yaml b/kubeadm-controlplane-controller.advisories.yaml
@@ -61,6 +61,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/kubeadm-controlplane-controller
             scanner: grype
+      - timestamp: 2024-12-21T18:04:32Z
+        type: fixed
+        data:
+          fixed-version: 1.9.2-r1
 
   - id: CGA-7m4f-cm35-r6vq
     aliases:

diff --git a/neuvector-scanner.advisories.yaml b/neuvector-scanner.advisories.yaml
@@ -219,6 +219,18 @@ advisories:
         type: fixed
         data:
           fixed-version: 0_git20240528-r10
+      - timestamp: 2024-12-22T10:31:29Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: neuvector-scanner
+            componentID: bf92469ac1521c7c
+            componentName: golang.org/x/net
+            componentVersion: v0.23.0
+            componentType: go-module
+            componentLocation: /usr/local/bin/scanner
+            scanner: grype
 
   - id: CGA-p8xg-r44c-55h5
     aliases:

diff --git a/opa-envoy.advisories.yaml b/opa-envoy.advisories.yaml
@@ -25,3 +25,15 @@ advisories:
         type: fixed
         data:
           fixed-version: 0.70.0_rc1-r1
+      - timestamp: 2024-12-22T08:25:42Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: opa-envoy
+            componentID: 34345bdb2373cd87
+            componentName: golang.org/x/net
+            componentVersion: v0.30.0
+            componentType: go-module
+            componentLocation: /usr/bin/opa
+            scanner: grype
diff --git a/prometheus-alertmanager.advisories.yaml b/prometheus-alertmanager.advisories.yaml
@@ -166,6 +166,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/alertmanager
             scanner: grype
+      - timestamp: 2024-12-22T13:42:10Z
+        type: fixed
+        data:
+          fixed-version: 0.27.0-r13
 
   - id: CGA-hmfg-p87v-vwv4
     aliases:

diff --git a/secrets-store-csi-driver-provider-gcp.advisories.yaml b/secrets-store-csi-driver-provider-gcp.advisories.yaml
@@ -200,6 +200,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/secrets-store-csi-driver-provider-gcp
             scanner: grype
+      - timestamp: 2024-12-21T18:06:59Z
+        type: fixed
+        data:
+          fixed-version: 1.7.0-r1
 
   - id: CGA-q53p-fgj2-3j2m
     aliases:

diff --git a/slsa-verifier.advisories.yaml b/slsa-verifier.advisories.yaml
@@ -426,6 +426,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/slsa-verifier
             scanner: grype
+      - timestamp: 2024-12-21T17:42:47Z
+        type: fixed
+        data:
+          fixed-version: 2.6.0-r7
 
   - id: CGA-h3m2-ppgf-58hc
     aliases:

diff --git a/smarter-device-manager.advisories.yaml b/smarter-device-manager.advisories.yaml
@@ -231,6 +231,28 @@ advisories:
           type: vulnerable-code-not-included-in-package
           note: Only affects Windows
 
+  - id: CGA-wvj2-3chg-gqv6
+    aliases:
+      - CVE-2024-45338
+      - GHSA-w32m-9786-jp63
+    events:
+      - timestamp: 2024-12-22T09:10:41Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: smarter-device-manager
+            componentID: 40143f9b2943e893
+            componentName: golang.org/x/net
+            componentVersion: v0.29.0
+            componentType: go-module
+            componentLocation: /usr/bin/smarter-device-management
+            scanner: grype
+      - timestamp: 2024-12-22T13:17:39Z
+        type: fixed
+        data:
+          fixed-version: 1.20.11-r11
+
   - id: CGA-x944-qr2v-f5rw
     aliases:
       - CVE-2024-34156

diff --git a/sriov-network-device-plugin.advisories.yaml b/sriov-network-device-plugin.advisories.yaml
@@ -21,3 +21,7 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/sriovdp
             scanner: grype
+      - timestamp: 2024-12-21T18:02:00Z
+        type: fixed
+        data:
+          fixed-version: 3.8.0-r1
diff --git a/temporal.advisories.yaml b/temporal.advisories.yaml
@@ -172,6 +172,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/temporal
             scanner: grype
+      - timestamp: 2024-12-21T18:08:23Z
+        type: fixed
+        data:
+          fixed-version: 1.1.2-r2
 
   - id: CGA-87q2-mwvf-7f59
     aliases:

diff --git a/terraform-docs.advisories.yaml b/terraform-docs.advisories.yaml
@@ -74,6 +74,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/terraform-docs
             scanner: grype
+      - timestamp: 2024-12-21T17:39:19Z
+        type: fixed
+        data:
+          fixed-version: 0.19.0-r2
 
   - id: CGA-82g5-h23x-33p6
     aliases:

diff --git a/terraform-provider-aws.advisories.yaml b/terraform-provider-aws.advisories.yaml
@@ -21,6 +21,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/terraform-provider-aws
             scanner: grype
+      - timestamp: 2024-12-22T13:16:37Z
+        type: fixed
+        data:
+          fixed-version: 5.82.2-r0
 
   - id: CGA-43ch-mwp2-gv8j
     aliases:

diff --git a/vitess-20.0.advisories.yaml b/vitess-20.0.advisories.yaml
@@ -108,6 +108,10 @@ advisories:
             componentType: npm
             componentLocation: /vt/web/vtadmin/node_modules/nanoid/package.json
             scanner: grype
+      - timestamp: 2024-12-22T13:13:36Z
+        type: fixed
+        data:
+          fixed-version: 20.0.4-r3
 
   - id: CGA-qw57-j898-5h79
     aliases:
@@ -166,6 +170,10 @@ advisories:
         type: pending-upstream-fix
         data:
           note: It's not possible to bump 3 minor versions on this package, other dependencies still depend on this.
+      - timestamp: 2024-12-22T13:13:37Z
+        type: fixed
+        data:
+          fixed-version: 20.0.4-r3
 
   - id: CGA-wpr6-q8w2-pw5m
     aliases: