gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-21 14:50:53 -08:00
Code Issues Packages Projects Releases Wiki Activity

BREAKING(report): migrate to new json schema (#1265)

Browse Source
This commit is contained in:
Teppei Fukuda
2021-10-04 16:22:24 +09:00
committed by GitHub
parent da905108b4
commit b37f682ee2
51 changed files with 131927 additions and 130069 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/release.yaml vendored
View File

@@ -4,7 +4,7 @@ on:
tags: tags:
- "v*" - "v*"
env: env:
GO_VERSION: "1.16" GO_VERSION: "1.17"
GH_USER: "aqua-bot" GH_USER: "aqua-bot"
jobs: jobs:
release: release:

2
.github/workflows/test.yaml vendored
View File

@@ -10,7 +10,7 @@ on:
- 'LICENSE' - 'LICENSE'
pull_request: pull_request:
env: env:
GO_VERSION: "1.16" GO_VERSION: "1.17"
jobs: jobs:
test: test:
name: Test name: Test

2
go.mod
View File

@@ -7,7 +7,7 @@ require (
github.com/Masterminds/sprig v2.22.0+incompatible github.com/Masterminds/sprig v2.22.0+incompatible
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/fanal v0.0.0-20211001165956-9cea0606a6f1 github.com/aquasecurity/fanal v0.0.0-20211003152019-761279c3f9c6
github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305 github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798

4
go.sum
View File

@@ -202,8 +202,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/fanal v0.0.0-20211001165956-9cea0606a6f1 h1:WBmDGVe27yNPxqHuciYOG3D6Mwe16lgs9jmCo+gRGL4= github.com/aquasecurity/fanal v0.0.0-20211003152019-761279c3f9c6 h1:RKgiEqKpv22QY3+p46EEoKmkpoS4toH1CNV0A6aKPro=
github.com/aquasecurity/fanal v0.0.0-20211001165956-9cea0606a6f1/go.mod h1:FyKpqN6I6emeoEFdU3BKHyTpr47g2gwzIdJQDbm/Z+0= github.com/aquasecurity/fanal v0.0.0-20211003152019-761279c3f9c6/go.mod h1:FyKpqN6I6emeoEFdU3BKHyTpr47g2gwzIdJQDbm/Z+0=
github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305 h1:xsniAD6IrP+stY8tkytxE2tk8czkzSN3XaUvzoi1hCk= github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305 h1:xsniAD6IrP+stY8tkytxE2tk8czkzSN3XaUvzoi1hCk=
github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU= github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM= github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

329
integration/client_server_test.go
View File

@@ -23,10 +23,9 @@ import (
"github.com/aquasecurity/trivy/pkg/report" "github.com/aquasecurity/trivy/pkg/report"
) )
type args struct { type csArgs struct {
Format string Format string
TemplatePath string TemplatePath string
Version string
IgnoreUnfixed bool IgnoreUnfixed bool
Severity []string Severity []string
IgnoreIDs []string IgnoreIDs []string
@@ -36,24 +35,22 @@ type args struct {
} }
func TestClientServer(t *testing.T) { func TestClientServer(t *testing.T) {
cases := []struct { tests := []struct {
name string name string
testArgs args args csArgs
golden string golden string
wantErr string wantErr string
}{ }{
{ {
name: "alpine 3.10 integration", name: "alpine 3.10 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/alpine-310.tar.gz",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
golden: "testdata/alpine-310.json.golden", golden: "testdata/alpine-310.json.golden",
}, },
{ {
name: "alpine 3.10 integration with --ignore-unfixed option", name: "alpine 3.10 integration with --ignore-unfixed option",
testArgs: args{ args: csArgs{
Version: "dev",
IgnoreUnfixed: true, IgnoreUnfixed: true,
Input: "testdata/fixtures/images/alpine-310.tar.gz", Input: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
@@ -61,8 +58,7 @@ func TestClientServer(t *testing.T) {
}, },
{ {
name: "alpine 3.10 integration with medium and high severity", name: "alpine 3.10 integration with medium and high severity",
testArgs: args{ args: csArgs{
Version: "dev",
IgnoreUnfixed: true, IgnoreUnfixed: true,
Severity: []string{"MEDIUM", "HIGH"}, Severity: []string{"MEDIUM", "HIGH"},
Input: "testdata/fixtures/images/alpine-310.tar.gz", Input: "testdata/fixtures/images/alpine-310.tar.gz",
@@ -71,64 +67,30 @@ func TestClientServer(t *testing.T) {
}, },
{ {
name: "alpine 3.10 integration with .trivyignore", name: "alpine 3.10 integration with .trivyignore",
testArgs: args{ args: csArgs{
Version: "dev",
IgnoreUnfixed: false, IgnoreUnfixed: false,
IgnoreIDs: []string{"CVE-2019-1549", "CVE-2019-1563"}, IgnoreIDs: []string{"CVE-2019-1549", "CVE-2019-1563"},
Input: "testdata/fixtures/images/alpine-310.tar.gz", Input: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
golden: "testdata/alpine-310-ignore-cveids.json.golden", golden: "testdata/alpine-310-ignore-cveids.json.golden",
}, },
{
name: "alpine 3.10 integration with gitlab template",
testArgs: args{
Format: "template",
TemplatePath: "@../contrib/gitlab.tpl",
Version: "dev",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.gitlab.golden",
},
{
name: "alpine 3.10 integration with gitlab-codequality template",
testArgs: args{
Format: "template",
TemplatePath: "@../contrib/gitlab-codequality.tpl",
Version: "dev",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.gitlab-codequality.golden",
},
{
name: "alpine 3.10 integration with sarif template",
testArgs: args{
Format: "template",
TemplatePath: "@../contrib/sarif.tpl",
Version: "dev",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.sarif.golden",
},
{ {
name: "alpine 3.9 integration", name: "alpine 3.9 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/alpine-39.tar.gz",
Input: "testdata/fixtures/images/alpine-39.tar.gz",
}, },
golden: "testdata/alpine-39.json.golden", golden: "testdata/alpine-39.json.golden",
}, },
{ {
name: "debian buster integration", name: "debian buster integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/debian-buster.tar.gz",
Input: "testdata/fixtures/images/debian-buster.tar.gz",
}, },
golden: "testdata/debian-buster.json.golden", golden: "testdata/debian-buster.json.golden",
}, },
{ {
name: "debian buster integration with --ignore-unfixed option", name: "debian buster integration with --ignore-unfixed option",
testArgs: args{ args: csArgs{
Version: "dev",
IgnoreUnfixed: true, IgnoreUnfixed: true,
Input: "testdata/fixtures/images/debian-buster.tar.gz", Input: "testdata/fixtures/images/debian-buster.tar.gz",
}, },
@@ -136,24 +98,21 @@ func TestClientServer(t *testing.T) {
}, },
{ {
name: "debian stretch integration", name: "debian stretch integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/debian-stretch.tar.gz",
Input: "testdata/fixtures/images/debian-stretch.tar.gz",
}, },
golden: "testdata/debian-stretch.json.golden", golden: "testdata/debian-stretch.json.golden",
}, },
{ {
name: "ubuntu 18.04 integration", name: "ubuntu 18.04 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
}, },
golden: "testdata/ubuntu-1804.json.golden", golden: "testdata/ubuntu-1804.json.golden",
}, },
{ {
name: "ubuntu 18.04 integration with --ignore-unfixed option", name: "ubuntu 18.04 integration with --ignore-unfixed option",
testArgs: args{ args: csArgs{
Version: "dev",
IgnoreUnfixed: true, IgnoreUnfixed: true,
Input: "testdata/fixtures/images/ubuntu-1804.tar.gz", Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
}, },
@@ -161,24 +120,21 @@ func TestClientServer(t *testing.T) {
}, },
{ {
name: "ubuntu 16.04 integration", name: "ubuntu 16.04 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/ubuntu-1604.tar.gz",
Input: "testdata/fixtures/images/ubuntu-1604.tar.gz",
}, },
golden: "testdata/ubuntu-1604.json.golden", golden: "testdata/ubuntu-1604.json.golden",
}, },
{ {
name: "centos 7 integration", name: "centos 7 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/centos-7.tar.gz",
Input: "testdata/fixtures/images/centos-7.tar.gz",
}, },
golden: "testdata/centos-7.json.golden", golden: "testdata/centos-7.json.golden",
}, },
{ {
name: "centos 7 integration with --ignore-unfixed option", name: "centos 7 integration with --ignore-unfixed option",
testArgs: args{ args: csArgs{
Version: "dev",
IgnoreUnfixed: true, IgnoreUnfixed: true,
Input: "testdata/fixtures/images/centos-7.tar.gz", Input: "testdata/fixtures/images/centos-7.tar.gz",
}, },
@@ -186,8 +142,7 @@ func TestClientServer(t *testing.T) {
}, },
{ {
name: "centos 7 integration with low and high severity", name: "centos 7 integration with low and high severity",
testArgs: args{ args: csArgs{
Version: "dev",
IgnoreUnfixed: true, IgnoreUnfixed: true,
Severity: []string{"LOW", "HIGH"}, Severity: []string{"LOW", "HIGH"},
Input: "testdata/fixtures/images/centos-7.tar.gz", Input: "testdata/fixtures/images/centos-7.tar.gz",
@@ -196,32 +151,28 @@ func TestClientServer(t *testing.T) {
}, },
{ {
name: "centos 6 integration", name: "centos 6 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/centos-6.tar.gz",
Input: "testdata/fixtures/images/centos-6.tar.gz",
}, },
golden: "testdata/centos-6.json.golden", golden: "testdata/centos-6.json.golden",
}, },
{ {
name: "ubi 7 integration", name: "ubi 7 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/ubi-7.tar.gz",
Input: "testdata/fixtures/images/ubi-7.tar.gz",
}, },
golden: "testdata/ubi-7.json.golden", golden: "testdata/ubi-7.json.golden",
}, },
{ {
name: "distroless base integration", name: "distroless base integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/distroless-base.tar.gz",
Input: "testdata/fixtures/images/distroless-base.tar.gz",
}, },
golden: "testdata/distroless-base.json.golden", golden: "testdata/distroless-base.json.golden",
}, },
{ {
name: "distroless base integration with --ignore-unfixed option", name: "distroless base integration with --ignore-unfixed option",
testArgs: args{ args: csArgs{
Version: "dev",
IgnoreUnfixed: true, IgnoreUnfixed: true,
Input: "testdata/fixtures/images/distroless-base.tar.gz", Input: "testdata/fixtures/images/distroless-base.tar.gz",
}, },
@@ -229,116 +180,152 @@ func TestClientServer(t *testing.T) {
}, },
{ {
name: "distroless python27 integration", name: "distroless python27 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/distroless-python27.tar.gz",
Input: "testdata/fixtures/images/distroless-python27.tar.gz",
}, },
golden: "testdata/distroless-python27.json.golden", golden: "testdata/distroless-python27.json.golden",
}, },
{ {
name: "amazon 1 integration", name: "amazon 1 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/amazon-1.tar.gz",
Input: "testdata/fixtures/images/amazon-1.tar.gz",
}, },
golden: "testdata/amazon-1.json.golden", golden: "testdata/amazon-1.json.golden",
}, },
{ {
name: "amazon 2 integration", name: "amazon 2 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/amazon-2.tar.gz",
Input: "testdata/fixtures/images/amazon-2.tar.gz",
}, },
golden: "testdata/amazon-2.json.golden", golden: "testdata/amazon-2.json.golden",
}, },
{ {
name: "oracle 6 integration", name: "oracle 6 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
Input: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
}, },
golden: "testdata/oraclelinux-6-slim.json.golden", golden: "testdata/oraclelinux-6-slim.json.golden",
}, },
{ {
name: "oracle 7 integration", name: "oracle 7 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
Input: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
}, },
golden: "testdata/oraclelinux-7-slim.json.golden", golden: "testdata/oraclelinux-7-slim.json.golden",
}, },
{ {
name: "oracle 8 integration", name: "oracle 8 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
}, },
golden: "testdata/oraclelinux-8-slim.json.golden", golden: "testdata/oraclelinux-8-slim.json.golden",
}, },
{ {
name: "opensuse leap 15.1 integration", name: "opensuse leap 15.1 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
}, },
golden: "testdata/opensuse-leap-151.json.golden", golden: "testdata/opensuse-leap-151.json.golden",
}, },
{ {
name: "opensuse leap 42.3 integration", name: "opensuse leap 42.3 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
Input: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
}, },
golden: "testdata/opensuse-leap-423.json.golden", golden: "testdata/opensuse-leap-423.json.golden",
}, },
{ {
name: "photon 1.0 integration", name: "photon 1.0 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/photon-10.tar.gz",
Input: "testdata/fixtures/images/photon-10.tar.gz",
}, },
golden: "testdata/photon-10.json.golden", golden: "testdata/photon-10.json.golden",
}, },
{ {
name: "photon 2.0 integration", name: "photon 2.0 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/photon-20.tar.gz",
Input: "testdata/fixtures/images/photon-20.tar.gz",
}, },
golden: "testdata/photon-20.json.golden", golden: "testdata/photon-20.json.golden",
}, },
{ {
name: "photon 3.0 integration", name: "photon 3.0 integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/photon-30.tar.gz",
Input: "testdata/fixtures/images/photon-30.tar.gz",
}, },
golden: "testdata/photon-30.json.golden", golden: "testdata/photon-30.json.golden",
}, },
{ {
name: "buxybox with Cargo.lock integration", name: "buxybox with Cargo.lock integration",
testArgs: args{ args: csArgs{
Version: "dev", Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
}, },
golden: "testdata/busybox-with-lockfile.json.golden", golden: "testdata/busybox-with-lockfile.json.golden",
}, },
}
app, addr, cacheDir := setup(t, setupOptions{})
for _, c := range tests {
t.Run(c.name, func(t *testing.T) {
osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
// Run Trivy client
err := app.Run(osArgs)
require.NoError(t, err)
compareReports(t, c.golden, outputFile)
})
}
}
func TestClientServerWithTemplate(t *testing.T) {
tests := []struct {
name string
args csArgs
golden string
}{
{
name: "alpine 3.10 integration with gitlab template",
args: csArgs{
Format: "template",
TemplatePath: "@../contrib/gitlab.tpl",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.gitlab.golden",
},
{
name: "alpine 3.10 integration with gitlab-codequality template",
args: csArgs{
Format: "template",
TemplatePath: "@../contrib/gitlab-codequality.tpl",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.gitlab-codequality.golden",
},
{
name: "alpine 3.10 integration with sarif template",
args: csArgs{
Format: "template",
TemplatePath: "@../contrib/sarif.tpl",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.sarif.golden",
},
{ {
name: "alpine 3.10 integration with ASFF template", name: "alpine 3.10 integration with ASFF template",
testArgs: args{ args: csArgs{
Format: "template", Format: "template",
TemplatePath: "@../contrib/asff.tpl", TemplatePath: "@../contrib/asff.tpl",
Version: "dev",
Input: "testdata/fixtures/images/alpine-310.tar.gz", Input: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
golden: "testdata/alpine-310.asff.golden", golden: "testdata/alpine-310.asff.golden",
}, },
{ {
name: "alpine 3.10 integration with html template", name: "alpine 3.10 integration with html template",
testArgs: args{ args: csArgs{
Format: "template", Format: "template",
TemplatePath: "@../contrib/html.tpl", TemplatePath: "@../contrib/html.tpl",
Version: "dev",
Input: "testdata/fixtures/images/alpine-310.tar.gz", Input: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
golden: "testdata/alpine-310.html.golden", golden: "testdata/alpine-310.html.golden",
@@ -347,36 +334,40 @@ func TestClientServer(t *testing.T) {
app, addr, cacheDir := setup(t, setupOptions{}) app, addr, cacheDir := setup(t, setupOptions{})
for _, c := range cases { for _, tt := range tests {
t.Run(c.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
report.Now = func() time.Time { report.Now = func() time.Time {
return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC) return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
} }
os.Setenv("AWS_REGION", "test-region") t.Setenv("AWS_REGION", "test-region")
os.Setenv("AWS_ACCOUNT_ID", "123456789012") t.Setenv("AWS_ACCOUNT_ID", "123456789012")
osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden) osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
defer cleanup()
// Run Trivy client // Run Trivy client
err := app.Run(osArgs) err := app.Run(osArgs)
require.NoError(t, err) require.NoError(t, err)
compare(t, c.golden, outputFile) want, err := os.ReadFile(tt.golden)
require.NoError(t, err)
got, err := os.ReadFile(outputFile)
require.NoError(t, err)
assert.EqualValues(t, string(want), string(got))
}) })
} }
} }
func TestClientServerWithToken(t *testing.T) { func TestClientServerWithToken(t *testing.T) {
cases := []struct { cases := []struct {
name string name string
testArgs args args csArgs
golden string golden string
wantErr string wantErr string
}{ }{
{ {
name: "alpine 3.10 integration with token", name: "alpine 3.10 integration with token",
testArgs: args{ args: csArgs{
Version: "dev",
Input: "testdata/fixtures/images/alpine-310.tar.gz", Input: "testdata/fixtures/images/alpine-310.tar.gz",
ClientToken: "token", ClientToken: "token",
ClientTokenHeader: "Trivy-Token", ClientTokenHeader: "Trivy-Token",
@@ -385,8 +376,7 @@ func TestClientServerWithToken(t *testing.T) {
}, },
{ {
name: "invalid token", name: "invalid token",
testArgs: args{ args: csArgs{
Version: "dev",
Input: "testdata/fixtures/images/distroless-base.tar.gz", Input: "testdata/fixtures/images/distroless-base.tar.gz",
ClientToken: "invalidtoken", ClientToken: "invalidtoken",
ClientTokenHeader: "Trivy-Token", ClientTokenHeader: "Trivy-Token",
@@ -395,8 +385,7 @@ func TestClientServerWithToken(t *testing.T) {
}, },
{ {
name: "invalid token header", name: "invalid token header",
testArgs: args{ args: csArgs{
Version: "dev",
Input: "testdata/fixtures/images/distroless-base.tar.gz", Input: "testdata/fixtures/images/distroless-base.tar.gz",
ClientToken: "valid-token", ClientToken: "valid-token",
ClientTokenHeader: "Trivy-Token", ClientTokenHeader: "Trivy-Token",
@@ -411,12 +400,10 @@ func TestClientServerWithToken(t *testing.T) {
token: serverToken, token: serverToken,
tokenHeader: serverTokenHeader, tokenHeader: serverTokenHeader,
}) })
defer os.RemoveAll(cacheDir)
for _, c := range cases { for _, c := range cases {
t.Run(c.name, func(t *testing.T) { t.Run(c.name, func(t *testing.T) {
osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden) osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
defer cleanup()
// Run Trivy client // Run Trivy client
err := app.Run(osArgs) err := app.Run(osArgs)
@@ -429,7 +416,7 @@ func TestClientServerWithToken(t *testing.T) {
assert.NoError(t, err, c.name) assert.NoError(t, err, c.name)
} }
compare(t, c.golden, outputFile) compareReports(t, c.golden, outputFile)
}) })
} }
} }
@@ -444,29 +431,26 @@ func TestClientServerWithRedis(t *testing.T) {
defer os.RemoveAll(cacheDir) defer os.RemoveAll(cacheDir)
// Test parameters // Test parameters
testArgs := args{ testArgs := csArgs{
Version: "dev", Input: "testdata/fixtures/images/centos-7.tar.gz",
Input: "testdata/fixtures/images/centos-7.tar.gz",
} }
golden := "testdata/centos-7.json.golden" golden := "testdata/centos-7.json.golden"
t.Run("centos 7", func(t *testing.T) { t.Run("centos 7", func(t *testing.T) {
osArgs, outputFile, cleanup := setupClient(t, testArgs, addr, cacheDir, golden) osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)
defer cleanup()
// Run Trivy client // Run Trivy client
err := app.Run(osArgs) err := app.Run(osArgs)
require.NoError(t, err) require.NoError(t, err)
compare(t, golden, outputFile) compareReports(t, golden, outputFile)
}) })
// Terminate the Redis container // Terminate the Redis container
require.NoError(t, redisC.Terminate(ctx)) require.NoError(t, redisC.Terminate(ctx))
t.Run("sad path", func(t *testing.T) { t.Run("sad path", func(t *testing.T) {
osArgs, _, cleanup := setupClient(t, testArgs, addr, cacheDir, golden) osArgs, _ := setupClient(t, testArgs, addr, cacheDir, golden)
defer cleanup()
// Run Trivy client // Run Trivy client
err := app.Run(osArgs) err := app.Run(osArgs)
@@ -524,7 +508,7 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
return osArgs return osArgs
} }
func setupClient(t *testing.T, c args, addr string, cacheDir string, golden string) ([]string, string, func()) { func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) ([]string, string) {
t.Helper() t.Helper()
osArgs := []string{"trivy", "--cache-dir", cacheDir, "client", "--remote", "http://" + addr} osArgs := []string{"trivy", "--cache-dir", cacheDir, "client", "--remote", "http://" + addr}
@@ -546,13 +530,9 @@ func setupClient(t *testing.T, c args, addr string, cacheDir string, golden stri
) )
} }
var err error
var ignoreTmpDir string
if len(c.IgnoreIDs) != 0 { if len(c.IgnoreIDs) != 0 {
ignoreTmpDir, err = os.MkdirTemp("", "ignore") trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
require.NoError(t, err, "failed to create a temp dir") err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
trivyIgnore := filepath.Join(ignoreTmpDir, ".trivyignore")
err = os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
require.NoError(t, err, "failed to write .trivyignore") require.NoError(t, err, "failed to write .trivyignore")
osArgs = append(osArgs, []string{"--ignorefile", trivyIgnore}...) osArgs = append(osArgs, []string{"--ignorefile", trivyIgnore}...)
} }
@@ -564,24 +544,14 @@ func setupClient(t *testing.T, c args, addr string, cacheDir string, golden stri
} }
// Setup the output file // Setup the output file
var outputFile string outputFile := filepath.Join(t.TempDir(), "output.json")
if *update { if *update {
outputFile = golden outputFile = golden
} else {
output, _ := os.CreateTemp("", "integration")
assert.Nil(t, output.Close())
outputFile = output.Name()
}
cleanup := func() {
_ = os.Remove(ignoreTmpDir)
if !*update {
_ = os.Remove(outputFile)
}
} }
osArgs = append(osArgs, []string{"--output", outputFile}...) osArgs = append(osArgs, []string{"--output", outputFile}...)
return osArgs, outputFile, cleanup
return osArgs, outputFile
} }
func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, string) { func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, string) {
@@ -611,18 +581,3 @@ func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, st
addr := fmt.Sprintf("redis://%s:%s", ip, p.Port()) addr := fmt.Sprintf("redis://%s:%s", ip, p.Port())
return redis, addr return redis, addr
} }
func compare(t *testing.T, wantFile, gotFile string) {
t.Helper()
// Compare want and got
want, err := os.ReadFile(wantFile)
assert.NoError(t, err)
got, err := os.ReadFile(gotFile)
assert.NoError(t, err)
if strings.HasSuffix(wantFile, ".json.golden") {
assert.JSONEq(t, string(want), string(got))
} else {
assert.EqualValues(t, string(want), string(got))
}
}

302
integration/docker_engine_test.go
View File

@@ -7,6 +7,7 @@ import (
"context" "context"
"io" "io"
"os" "os"
"path/filepath"
"strings" "strings"
"testing" "testing"
@@ -28,220 +29,220 @@ func TestRun_WithDockerEngine(t *testing.T) {
severity []string severity []string
ignoreIDs []string ignoreIDs []string
testfile string testfile string
expectedOutputFile string wantOutputFile string
expectedError string wantError string
}{ }{
// All of these cases should pass for either // All of these cases should pass for either
// $ trivy <args> // $ trivy <args>
// $ trivy image <args> // $ trivy image <args>
{ {
name: "happy path, valid image path, alpine:3.10", name: "happy path, valid image path, alpine:3.10",
imageTag: "alpine:3.10", imageTag: "alpine:3.10",
expectedOutputFile: "testdata/alpine-310.json.golden", wantOutputFile: "testdata/alpine-310.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz", testfile: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
{ {
name: "happy path, valid image path, with image subcommand, alpine:3.10", name: "happy path, valid image path, with image subcommand, alpine:3.10",
withImageSubcommand: true, withImageSubcommand: true,
imageTag: "alpine:3.10", imageTag: "alpine:3.10",
expectedOutputFile: "testdata/alpine-310.json.golden", wantOutputFile: "testdata/alpine-310.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz", testfile: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
{ {
name: "happy path, valid image path, alpine:3.10, ignore unfixed", name: "happy path, valid image path, alpine:3.10, ignore unfixed",
ignoreUnfixed: true, ignoreUnfixed: true,
imageTag: "alpine:3.10", imageTag: "alpine:3.10",
expectedOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden", wantOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz", testfile: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
{ {
name: "happy path, valid image path, alpine:3.10, ignore unfixed, with medium and high severity", name: "happy path, valid image path, alpine:3.10, ignore unfixed, with medium and high severity",
ignoreUnfixed: true, ignoreUnfixed: true,
severity: []string{"MEDIUM", "HIGH"}, severity: []string{"MEDIUM", "HIGH"},
imageTag: "alpine:3.10", imageTag: "alpine:3.10",
expectedOutputFile: "testdata/alpine-310-medium-high.json.golden", wantOutputFile: "testdata/alpine-310-medium-high.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz", testfile: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
{ {
name: "happy path, valid image path, alpine:3.10, with .trivyignore", name: "happy path, valid image path, alpine:3.10, with .trivyignore",
imageTag: "alpine:3.10", imageTag: "alpine:3.10",
ignoreIDs: []string{"CVE-2019-1549", "CVE-2019-1563"}, ignoreIDs: []string{"CVE-2019-1549", "CVE-2019-1563"},
expectedOutputFile: "testdata/alpine-310-ignore-cveids.json.golden", wantOutputFile: "testdata/alpine-310-ignore-cveids.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz", testfile: "testdata/fixtures/images/alpine-310.tar.gz",
}, },
{ {
name: "happy path, valid image path, alpine:3.9", name: "happy path, valid image path, alpine:3.9",
imageTag: "alpine:3.9", imageTag: "alpine:3.9",
expectedOutputFile: "testdata/alpine-39.json.golden", wantOutputFile: "testdata/alpine-39.json.golden",
testfile: "testdata/fixtures/images/alpine-39.tar.gz", testfile: "testdata/fixtures/images/alpine-39.tar.gz",
}, },
{ {
name: "happy path, valid image path, amazonlinux:1", name: "happy path, valid image path, amazonlinux:1",
imageTag: "amazonlinux:1", imageTag: "amazonlinux:1",
expectedOutputFile: "testdata/amazon-1.json.golden", wantOutputFile: "testdata/amazon-1.json.golden",
testfile: "testdata/fixtures/images/amazon-1.tar.gz", testfile: "testdata/fixtures/images/amazon-1.tar.gz",
}, },
{ {
name: "happy path, valid image path, amazonlinux:2", name: "happy path, valid image path, amazonlinux:2",
imageTag: "amazonlinux:2", imageTag: "amazonlinux:2",
expectedOutputFile: "testdata/amazon-2.json.golden", wantOutputFile: "testdata/amazon-2.json.golden",
testfile: "testdata/fixtures/images/amazon-2.tar.gz", testfile: "testdata/fixtures/images/amazon-2.tar.gz",
}, },
{ {
name: "happy path, valid image path, centos:6", name: "happy path, valid image path, centos:6",
imageTag: "centos:6", imageTag: "centos:6",
expectedOutputFile: "testdata/centos-6.json.golden", wantOutputFile: "testdata/centos-6.json.golden",
testfile: "testdata/fixtures/images/centos-6.tar.gz", testfile: "testdata/fixtures/images/centos-6.tar.gz",
}, },
{ {
name: "happy path, valid image path, centos:7", name: "happy path, valid image path, centos:7",
imageTag: "centos:7", imageTag: "centos:7",
expectedOutputFile: "testdata/centos-7.json.golden", wantOutputFile: "testdata/centos-7.json.golden",
testfile: "testdata/fixtures/images/centos-7.tar.gz", testfile: "testdata/fixtures/images/centos-7.tar.gz",
}, },
{ {
name: "happy path, valid image path, centos:7, with --ignore-unfixed option", name: "happy path, valid image path, centos:7, with --ignore-unfixed option",
imageTag: "centos:7", imageTag: "centos:7",
ignoreUnfixed: true, ignoreUnfixed: true,
expectedOutputFile: "testdata/centos-7-ignore-unfixed.json.golden", wantOutputFile: "testdata/centos-7-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/centos-7.tar.gz", testfile: "testdata/fixtures/images/centos-7.tar.gz",
}, },
{ {
name: "happy path, valid image path, centos:7, with --ignore-unfixed option, with low and high severity", name: "happy path, valid image path, centos:7, with --ignore-unfixed option, with low and high severity",
imageTag: "centos:7", imageTag: "centos:7",
ignoreUnfixed: true, ignoreUnfixed: true,
severity: []string{"LOW", "HIGH"}, severity: []string{"LOW", "HIGH"},
expectedOutputFile: "testdata/centos-7-low-high.json.golden", wantOutputFile: "testdata/centos-7-low-high.json.golden",
testfile: "testdata/fixtures/images/centos-7.tar.gz", testfile: "testdata/fixtures/images/centos-7.tar.gz",
}, },
{ {
name: "happy path, valid image path, debian:buster", name: "happy path, valid image path, debian:buster",
imageTag: "debian:buster", imageTag: "debian:buster",
expectedOutputFile: "testdata/debian-buster.json.golden", wantOutputFile: "testdata/debian-buster.json.golden",
testfile: "testdata/fixtures/images/debian-buster.tar.gz", testfile: "testdata/fixtures/images/debian-buster.tar.gz",
}, },
{ {
name: "happy path, valid image path, debian:buster, with --ignore-unfixed option", name: "happy path, valid image path, debian:buster, with --ignore-unfixed option",
ignoreUnfixed: true, ignoreUnfixed: true,
imageTag: "debian:buster", imageTag: "debian:buster",
expectedOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden", wantOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/debian-buster.tar.gz", testfile: "testdata/fixtures/images/debian-buster.tar.gz",
}, },
{ {
name: "happy path, valid image path, debian:stretch", name: "happy path, valid image path, debian:stretch",
imageTag: "debian:stretch", imageTag: "debian:stretch",
expectedOutputFile: "testdata/debian-stretch.json.golden", wantOutputFile: "testdata/debian-stretch.json.golden",
testfile: "testdata/fixtures/images/debian-stretch.tar.gz", testfile: "testdata/fixtures/images/debian-stretch.tar.gz",
}, },
{ {
name: "happy path, valid image path, distroless:base", name: "happy path, valid image path, distroless:base",
imageTag: "gcr.io/distroless/base:latest", imageTag: "gcr.io/distroless/base:latest",
expectedOutputFile: "testdata/distroless-base.json.golden", wantOutputFile: "testdata/distroless-base.json.golden",
testfile: "testdata/fixtures/images/distroless-base.tar.gz", testfile: "testdata/fixtures/images/distroless-base.tar.gz",
}, },
{ {
name: "happy path, valid image path, distroless:base", name: "happy path, valid image path, distroless:base",
imageTag: "gcr.io/distroless/base:latest", imageTag: "gcr.io/distroless/base:latest",
expectedOutputFile: "testdata/distroless-base.json.golden", wantOutputFile: "testdata/distroless-base.json.golden",
testfile: "testdata/fixtures/images/distroless-base.tar.gz", testfile: "testdata/fixtures/images/distroless-base.tar.gz",
}, },
{ {
name: "happy path, valid image path, distroless:base, with --ignore-unfixed option", name: "happy path, valid image path, distroless:base, with --ignore-unfixed option",
imageTag: "gcr.io/distroless/base:latest", imageTag: "gcr.io/distroless/base:latest",
ignoreUnfixed: true, ignoreUnfixed: true,
expectedOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden", wantOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/distroless-base.tar.gz", testfile: "testdata/fixtures/images/distroless-base.tar.gz",
}, },
{ {
name: "happy path, valid image path, distroless:python2.7", name: "happy path, valid image path, distroless:python2.7",
imageTag: "gcr.io/distroless/python2.7:latest", imageTag: "gcr.io/distroless/python2.7:latest",
expectedOutputFile: "testdata/distroless-python27.json.golden", wantOutputFile: "testdata/distroless-python27.json.golden",
testfile: "testdata/fixtures/images/distroless-python27.tar.gz", testfile: "testdata/fixtures/images/distroless-python27.tar.gz",
}, },
{ {
name: "happy path, valid image path, oraclelinux:6-slim", name: "happy path, valid image path, oraclelinux:6-slim",
imageTag: "oraclelinux:6-slim", imageTag: "oraclelinux:6-slim",
expectedOutputFile: "testdata/oraclelinux-6-slim.json.golden", wantOutputFile: "testdata/oraclelinux-6-slim.json.golden",
testfile: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz", testfile: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
}, },
{ {
name: "happy path, valid image path, oraclelinux:7-slim", name: "happy path, valid image path, oraclelinux:7-slim",
imageTag: "oraclelinux:7-slim", imageTag: "oraclelinux:7-slim",
expectedOutputFile: "testdata/oraclelinux-7-slim.json.golden", wantOutputFile: "testdata/oraclelinux-7-slim.json.golden",
testfile: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz", testfile: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
}, },
{ {
name: "happy path, valid image path, oraclelinux:8-slim", name: "happy path, valid image path, oraclelinux:8-slim",
imageTag: "oraclelinux:8-slim", imageTag: "oraclelinux:8-slim",
expectedOutputFile: "testdata/oraclelinux-8-slim.json.golden", wantOutputFile: "testdata/oraclelinux-8-slim.json.golden",
testfile: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz", testfile: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
}, },
{ {
name: "happy path, valid image path, ubuntu:16.04", name: "happy path, valid image path, ubuntu:16.04",
imageTag: "ubuntu:16.04", imageTag: "ubuntu:16.04",
expectedOutputFile: "testdata/ubuntu-1604.json.golden", wantOutputFile: "testdata/ubuntu-1604.json.golden",
testfile: "testdata/fixtures/images/ubuntu-1604.tar.gz", testfile: "testdata/fixtures/images/ubuntu-1604.tar.gz",
}, },
{ {
name: "happy path, valid image path, ubuntu:18.04", name: "happy path, valid image path, ubuntu:18.04",
imageTag: "ubuntu:18.04", imageTag: "ubuntu:18.04",
expectedOutputFile: "testdata/ubuntu-1804.json.golden", wantOutputFile: "testdata/ubuntu-1804.json.golden",
testfile: "testdata/fixtures/images/ubuntu-1804.tar.gz", testfile: "testdata/fixtures/images/ubuntu-1804.tar.gz",
}, },
{ {
name: "happy path, valid image path, ubuntu:18.04, with --ignore-unfixed option", name: "happy path, valid image path, ubuntu:18.04, with --ignore-unfixed option",
imageTag: "ubuntu:18.04", imageTag: "ubuntu:18.04",
ignoreUnfixed: true, ignoreUnfixed: true,
expectedOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden", wantOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/ubuntu-1804.tar.gz", testfile: "testdata/fixtures/images/ubuntu-1804.tar.gz",
}, },
{ {
name: "happy path, valid image path, registry.redhat.io/ubi7", name: "happy path, valid image path, registry.redhat.io/ubi7",
imageTag: "registry.redhat.io/ubi7", imageTag: "registry.redhat.io/ubi7",
expectedOutputFile: "testdata/ubi-7.json.golden", wantOutputFile: "testdata/ubi-7.json.golden",
testfile: "testdata/fixtures/images/ubi-7.tar.gz", testfile: "testdata/fixtures/images/ubi-7.tar.gz",
}, },
{ {
name: "happy path, valid image path, opensuse leap 15.1", name: "happy path, valid image path, opensuse leap 15.1",
imageTag: "opensuse/leap:latest", imageTag: "opensuse/leap:latest",
expectedOutputFile: "testdata/opensuse-leap-151.json.golden", wantOutputFile: "testdata/opensuse-leap-151.json.golden",
testfile: "testdata/fixtures/images/opensuse-leap-151.tar.gz", testfile: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
}, },
{ {
name: "happy path, valid image path, opensuse leap 42.3", name: "happy path, valid image path, opensuse leap 42.3",
imageTag: "opensuse/leap:42.3", imageTag: "opensuse/leap:42.3",
expectedOutputFile: "testdata/opensuse-leap-423.json.golden", wantOutputFile: "testdata/opensuse-leap-423.json.golden",
testfile: "testdata/fixtures/images/opensuse-leap-423.tar.gz", testfile: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
}, },
{ {
name: "happy path, valid image path, photon 1.0", name: "happy path, valid image path, photon 1.0",
imageTag: "photon:1.0-20190823", imageTag: "photon:1.0-20190823",
expectedOutputFile: "testdata/photon-10.json.golden", wantOutputFile: "testdata/photon-10.json.golden",
testfile: "testdata/fixtures/images/photon-10.tar.gz", testfile: "testdata/fixtures/images/photon-10.tar.gz",
}, },
{ {
name: "happy path, valid image path, photon 2.0", name: "happy path, valid image path, photon 2.0",
imageTag: "photon:2.0-20190726", imageTag: "photon:2.0-20190726",
expectedOutputFile: "testdata/photon-20.json.golden", wantOutputFile: "testdata/photon-20.json.golden",
testfile: "testdata/fixtures/images/photon-20.tar.gz", testfile: "testdata/fixtures/images/photon-20.tar.gz",
}, },
{ {
name: "happy path, valid image path, photon 3.0", name: "happy path, valid image path, photon 3.0",
imageTag: "photon:3.0-20190823", imageTag: "photon:3.0-20190823",
expectedOutputFile: "testdata/photon-30.json.golden", wantOutputFile: "testdata/photon-30.json.golden",
testfile: "testdata/fixtures/images/photon-30.tar.gz", testfile: "testdata/fixtures/images/photon-30.tar.gz",
}, },
{ {
name: "buxybox with Cargo.lock integration", name: "buxybox with Cargo.lock integration",
imageTag: "busy-cargo:latest", imageTag: "busy-cargo:latest",
expectedOutputFile: "testdata/busybox-with-lockfile.json.golden", wantOutputFile: "testdata/busybox-with-lockfile.json.golden",
testfile: "testdata/fixtures/images/busybox-with-lockfile.tar.gz", testfile: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
}, },
{ {
name: "sad path, invalid image", name: "sad path, invalid image",
invalidImage: true, invalidImage: true,
testfile: "badimage:latest", testfile: "badimage:latest",
expectedError: "unable to inspect the image (index.docker.io/library/badimage:latest)", wantError: "unable to inspect the image (index.docker.io/library/badimage:latest)",
}, },
} }
@@ -276,9 +277,8 @@ func TestRun_WithDockerEngine(t *testing.T) {
require.NoError(t, err, tc.name) require.NoError(t, err, tc.name)
} }
of, err := os.CreateTemp("", "integration-docker-engine-output-file-*") tmpDir := t.TempDir()
require.NoError(t, err, tc.name) output := filepath.Join(tmpDir, "result.json")
defer os.Remove(of.Name())
// run trivy // run trivy
app := commands.NewApp("dev") app := commands.NewApp("dev")
@@ -288,7 +288,7 @@ func TestRun_WithDockerEngine(t *testing.T) {
trivyArgs = append(trivyArgs, "image") trivyArgs = append(trivyArgs, "image")
} }
trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", of.Name()}...) trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", output}...)
if tc.ignoreUnfixed { if tc.ignoreUnfixed {
trivyArgs = append(trivyArgs, "--ignore-unfixed") trivyArgs = append(trivyArgs, "--ignore-unfixed")
@@ -308,20 +308,18 @@ func TestRun_WithDockerEngine(t *testing.T) {
err = app.Run(trivyArgs) err = app.Run(trivyArgs)
switch { switch {
case tc.expectedError != "": case tc.wantError != "":
require.NotNil(t, err) require.NotNil(t, err)
assert.Contains(t, err.Error(), tc.expectedError, tc.name) assert.Contains(t, err.Error(), tc.wantError, tc.name)
return return
default: default:
assert.NoError(t, err, tc.name) assert.NoError(t, err, tc.name)
} }
// check for vulnerability output info // check for vulnerability output info
got, err := io.ReadAll(of) got := readReport(t, output)
assert.NoError(t, err, tc.name) want := readReport(t, tc.wantOutputFile)
want, err := os.ReadFile(tc.expectedOutputFile) assert.Equal(t, want, got)
assert.NoError(t, err, tc.name)
assert.JSONEq(t, string(want), string(got), tc.name)
// cleanup // cleanup
_, err = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{ _, err = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{

18
integration/fs_test.go
View File

@@ -6,11 +6,11 @@ package integration
import ( import (
"io" "io"
"os" "os"
"path/filepath"
"strings" "strings"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/commands" "github.com/aquasecurity/trivy/pkg/commands"
) )
@@ -118,15 +118,9 @@ func TestFilesystem(t *testing.T) {
} }
// Setup the output file // Setup the output file
var outputFile string outputFile := filepath.Join(t.TempDir(), "output.json")
if *update { if *update {
outputFile = tt.golden outputFile = tt.golden
} else {
output, err := os.CreateTemp("", "integration")
require.NoError(t, err)
assert.Nil(t, output.Close())
defer os.Remove(output.Name())
outputFile = output.Name()
} }
osArgs = append(osArgs, "--output", outputFile) osArgs = append(osArgs, "--output", outputFile)
@@ -140,12 +134,10 @@ func TestFilesystem(t *testing.T) {
assert.Nil(t, app.Run(osArgs)) assert.Nil(t, app.Run(osArgs))
// Compare want and got // Compare want and got
want, err := os.ReadFile(tt.golden) want := readReport(t, tt.golden)
assert.NoError(t, err) got := readReport(t, outputFile)
got, err := os.ReadFile(outputFile)
assert.NoError(t, err)
assert.JSONEq(t, string(want), string(got)) assert.Equal(t, want, got)
}) })
} }
} }

28
integration/integration_test.go
View File

@@ -15,9 +15,11 @@ import (
"testing" "testing"
"time" "time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy-db/pkg/db" "github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy/pkg/report"
) )
var update = flag.Bool("update", false, "update golden files") var update = flag.Bool("update", false, "update golden files")
@@ -85,3 +87,29 @@ func waitPort(ctx context.Context, addr string) error {
} }
} }
} }
func readReport(t *testing.T, filePath string) report.Report {
t.Helper()
f, err := os.Open(filePath)
require.NoError(t, err, filePath)
defer f.Close()
var res report.Report
err = json.NewDecoder(f).Decode(&res)
require.NoError(t, err, filePath)
// We don't compare history because the nano-seconds in "created" don't match
res.Metadata.ImageConfig.History = nil
// We don't compare repo tags because the archive doesn't support it
res.Metadata.RepoTags = nil
return res
}
func compareReports(t *testing.T, wantFile, gotFile string) {
want := readReport(t, wantFile)
got := readReport(t, gotFile)
assert.Equal(t, want, got)
}

88
integration/registry_test.go
View File

@@ -26,7 +26,6 @@ import (
_ "github.com/aquasecurity/fanal/analyzer" _ "github.com/aquasecurity/fanal/analyzer"
testdocker "github.com/aquasecurity/trivy/integration/docker" testdocker "github.com/aquasecurity/trivy/integration/docker"
"github.com/aquasecurity/trivy/pkg/commands" "github.com/aquasecurity/trivy/pkg/commands"
"github.com/aquasecurity/trivy/pkg/report"
) )
const ( const (
@@ -193,7 +192,7 @@ func TestRegistry(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
// 2. Scan it // 2. Scan it
resultFile, cleanup, err := scan(t, imageRef, baseDir, tc.golden, tc.option) resultFile, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
if tc.wantErr != "" { if tc.wantErr != "" {
require.NotNil(t, err) require.NotNil(t, err)
@@ -202,57 +201,40 @@ func TestRegistry(t *testing.T) {
} else { } else {
require.NoError(t, err) require.NoError(t, err)
} }
defer cleanup()
// 3. Compare want and got // 3. Read want and got
golden, err := os.Open(tc.golden) want := readReport(t, tc.golden)
assert.NoError(t, err) got := readReport(t, resultFile)
var want report.Results // 4 Update some dynamic fields
err = json.NewDecoder(golden).Decode(&want) want.ArtifactName = s
require.NoError(t, err) for i := range want.Results {
want.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", s)
}
want.Metadata.RepoDigests = []string{
fmt.Sprintf("%s/alpine@sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f", registryURL.Host),
}
result, err := os.Open(resultFile) // 5. Compare want and got
assert.NoError(t, err) assert.Equal(t, want, got)
var got report.Results
err = json.NewDecoder(result).Decode(&got)
require.NoError(t, err)
assert.Equal(t, want[0].Vulnerabilities, got[0].Vulnerabilities)
assert.Equal(t, want[0].Vulnerabilities, got[0].Vulnerabilities)
}) })
} }
} }
func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, func(), error) { func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, error) {
cleanup := func() {}
// Set up testing DB // Set up testing DB
cacheDir := gunzipDB(t) cacheDir := gunzipDB(t)
// Setup the output file // Setup the output file
var outputFile string outputFile := filepath.Join(t.TempDir(), "output.json")
if *update && goldenFile != "" { if *update {
outputFile = goldenFile outputFile = goldenFile
} else {
output, err := os.CreateTemp("", "integration")
if err != nil {
return "", cleanup, err
}
defer output.Close()
outputFile = output.Name()
cleanup = func() {
os.Remove(outputFile)
}
} }
// Setup env // Setup env
if err := setupEnv(imageRef, baseDir, opt); err != nil { if err := setupEnv(t, imageRef, baseDir, opt); err != nil {
return "", cleanup, err return "", err
} }
defer unsetEnv()
// Setup CLI App // Setup CLI App
app := commands.NewApp("dev") app := commands.NewApp("dev")
@@ -262,15 +244,13 @@ func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt
// Run Trivy // Run Trivy
if err := app.Run(osArgs); err != nil { if err := app.Run(osArgs); err != nil {
return "", cleanup, err return "", err
} }
return outputFile, cleanup, nil return outputFile, nil
} }
func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error { func setupEnv(t *testing.T, imageRef name.Reference, baseDir string, opt registryOption) error {
if err := os.Setenv("TRIVY_INSECURE", "true"); err != nil { t.Setenv("TRIVY_INSECURE", "true")
return err
}
if opt.Username != "" && opt.Password != "" { if opt.Username != "" && opt.Password != "" {
if opt.RegistryToken { if opt.RegistryToken {
@@ -279,26 +259,10 @@ func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error
if err != nil { if err != nil {
return err return err
} }
if err := os.Setenv("TRIVY_REGISTRY_TOKEN", token); err != nil { t.Setenv("TRIVY_REGISTRY_TOKEN", token)
return err
}
} else { } else {
if err := os.Setenv("TRIVY_USERNAME", opt.Username); err != nil { t.Setenv("TRIVY_USERNAME", opt.Username)
return err t.Setenv("TRIVY_PASSWORD", opt.Password)
}
if err := os.Setenv("TRIVY_PASSWORD", opt.Password); err != nil {
return err
}
}
}
return nil
}
func unsetEnv() error {
envs := []string{"TRIVY_INSECURE", "TRIVY_USERNAME", "TRIVY_PASSWORD", "TRIVY_REGISTRY_TOKEN"}
for _, e := range envs {
if err := os.Unsetenv(e); err != nil {
return err
} }
} }
return nil return nil

16
integration/standalone_tar_test.go
View File

@@ -6,6 +6,7 @@ package integration
import ( import (
"io" "io"
"os" "os"
"path/filepath"
"strings" "strings"
"testing" "testing"
@@ -381,7 +382,6 @@ func TestRun_WithTar(t *testing.T) {
for _, c := range cases { for _, c := range cases {
t.Run(c.name, func(t *testing.T) { t.Run(c.name, func(t *testing.T) {
osArgs := []string{"trivy"} osArgs := []string{"trivy"}
osArgs = append(osArgs, "--cache-dir", cacheDir) osArgs = append(osArgs, "--cache-dir", cacheDir)
if c.testArgs.WithImageSubcommand { if c.testArgs.WithImageSubcommand {
@@ -423,14 +423,9 @@ func TestRun_WithTar(t *testing.T) {
} }
// Setup the output file // Setup the output file
var outputFile string outputFile := filepath.Join(t.TempDir(), "output.json")
if *update { if *update {
outputFile = c.golden outputFile = c.golden
} else {
output, _ := os.CreateTemp("", "integration")
assert.Nil(t, output.Close())
defer os.Remove(output.Name())
outputFile = output.Name()
} }
osArgs = append(osArgs, []string{"--output", outputFile}...) osArgs = append(osArgs, []string{"--output", outputFile}...)
@@ -439,12 +434,7 @@ func TestRun_WithTar(t *testing.T) {
assert.Nil(t, app.Run(osArgs)) assert.Nil(t, app.Run(osArgs))
// Compare want and got // Compare want and got
want, err := os.ReadFile(c.golden) compareReports(t, c.golden, outputFile)
assert.NoError(t, err)
got, err := os.ReadFile(outputFile)
assert.NoError(t, err)
assert.JSONEq(t, string(want), string(got))
}) })
} }
} }

386
integration/testdata/alpine-310-ignore-cveids.json.golden vendored
View File

@@ -1,173 +1,223 @@
[ {
{ "SchemaVersion": 2,
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)", "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "alpine", "Metadata": {
"Vulnerabilities": [ "OS": {
{ "Family": "alpine",
"VulnerabilityID": "CVE-2019-1551", "Name": "3.10.2",
"PkgName": "libcrypto1.1", "EOSL": true
"InstalledVersion": "1.1.1c-r0", },
"FixedVersion": "1.1.1d-r2", "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
"Layer": { "DiffIDs": [
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
],
"ImageConfig": {
"architecture": "amd64",
"container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
"created": "2019-08-20T20:19:55.211423266Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-08-20T20:19:55.062606894Z",
"created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551", "created": "2019-08-20T20:19:55.211423266Z",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).", "empty_layer": true
"Severity": "MEDIUM", }
"CweIDs": [ ],
"CWE-200" "os": "linux",
], "rootfs": {
"CVSS": { "type": "layers",
"nvd": { "diff_ids": [
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
"V2Score": 5 ]
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
}, },
{ "config": {
"VulnerabilityID": "CVE-2019-1547", "Cmd": [
"PkgName": "libcrypto1.1", "/bin/sh"
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
], ],
"CVSS": { "Env": [
"nvd": { "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
], ],
"PublishedDate": "2019-09-10T17:15:00Z", "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
"LastModifiedDate": "2019-09-12T16:15:00Z" "ArgsEscaped": true
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
} }
] }
} },
] "Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}
]
}

690
integration/testdata/alpine-310-ignore-unfixed.json.golden vendored
View File

@@ -1,325 +1,375 @@
[ {
{ "SchemaVersion": 2,
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)", "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "alpine", "Metadata": {
"Vulnerabilities": [ "OS": {
{ "Family": "alpine",
"VulnerabilityID": "CVE-2019-1549", "Name": "3.10.2",
"PkgName": "libcrypto1.1", "EOSL": true
"InstalledVersion": "1.1.1c-r0", },
"FixedVersion": "1.1.1d-r0", "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
"Layer": { "DiffIDs": [
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
],
"ImageConfig": {
"architecture": "amd64",
"container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
"created": "2019-08-20T20:19:55.211423266Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-08-20T20:19:55.062606894Z",
"created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549", "created": "2019-08-20T20:19:55.211423266Z",
"Title": "openssl: information disclosure in fork()", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "empty_layer": true
"Severity": "MEDIUM", }
"CweIDs": [ ],
"CWE-330" "os": "linux",
], "rootfs": {
"CVSS": { "type": "layers",
"nvd": { "diff_ids": [
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
"V2Score": 5 ]
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
}, },
{ "config": {
"VulnerabilityID": "CVE-2019-1551", "Cmd": [
"PkgName": "libcrypto1.1", "/bin/sh"
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
], ],
"CVSS": { "Env": [
"nvd": { "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
], ],
"PublishedDate": "2019-12-06T18:15:00Z", "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
"LastModifiedDate": "2019-12-25T11:15:00Z" "ArgsEscaped": true
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
} }
] }
} },
] "Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}
]
}

530
integration/testdata/alpine-310-medium-high.json.golden vendored
View File

@@ -1,245 +1,295 @@
[ {
{ "SchemaVersion": 2,
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)", "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "alpine", "Metadata": {
"Vulnerabilities": [ "OS": {
{ "Family": "alpine",
"VulnerabilityID": "CVE-2019-1549", "Name": "3.10.2",
"PkgName": "libcrypto1.1", "EOSL": true
"InstalledVersion": "1.1.1c-r0", },
"FixedVersion": "1.1.1d-r0", "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
"Layer": { "DiffIDs": [
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
],
"ImageConfig": {
"architecture": "amd64",
"container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
"created": "2019-08-20T20:19:55.211423266Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-08-20T20:19:55.062606894Z",
"created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549", "created": "2019-08-20T20:19:55.211423266Z",
"Title": "openssl: information disclosure in fork()", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "empty_layer": true
"Severity": "MEDIUM", }
"CweIDs": [ ],
"CWE-330" "os": "linux",
], "rootfs": {
"CVSS": { "type": "layers",
"nvd": { "diff_ids": [
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
"V2Score": 5 ]
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
}, },
{ "config": {
"VulnerabilityID": "CVE-2019-1551", "Cmd": [
"PkgName": "libcrypto1.1", "/bin/sh"
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
], ],
"CVSS": { "Env": [
"nvd": { "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
], ],
"PublishedDate": "2019-12-06T18:15:00Z", "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
"LastModifiedDate": "2019-12-25T11:15:00Z" "ArgsEscaped": true
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
} }
] }
} },
] "Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
}
]
}
]
}

706
integration/testdata/alpine-310-registry.json.golden vendored
View File

@@ -1,333 +1,383 @@
[ {
{ "SchemaVersion": 2,
"Target": "localhost:32779/alpine:3.10 (alpine 3.10.2)", "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "alpine", "Metadata": {
"Vulnerabilities": [ "OS": {
{ "Family": "alpine",
"VulnerabilityID": "CVE-2019-1549", "Name": "3.10.2",
"PkgName": "libcrypto1.1", "EOSL": true
"InstalledVersion": "1.1.1c-r0", },
"FixedVersion": "1.1.1d-r0", "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
"Layer": { "DiffIDs": [
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609", "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" ],
"ImageConfig": {
"architecture": "amd64",
"container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
"created": "2019-08-20T20:19:55.211423266Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-08-20T20:19:55.062606894Z",
"created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549", "created": "2019-08-20T20:19:55.211423266Z",
"Title": "openssl: information disclosure in fork()", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "empty_layer": true
"Severity": "MEDIUM", }
"CweIDs": [ ],
"CWE-330" "os": "linux",
], "rootfs": {
"CVSS": { "type": "layers",
"nvd": { "diff_ids": [
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
"V2Score": 5 ]
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
}, },
{ "config": {
"VulnerabilityID": "CVE-2019-1551", "Cmd": [
"PkgName": "libcrypto1.1", "/bin/sh"
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
], ],
"CVSS": { "Env": [
"nvd": { "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
], ],
"PublishedDate": "2019-12-06T18:15:00Z", "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
"LastModifiedDate": "2019-12-25T11:15:00Z" "ArgsEscaped": true
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
} }
] }
} },
] "Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}
]
}

690
integration/testdata/alpine-310.json.golden vendored
View File

@@ -1,325 +1,375 @@
[ {
{ "SchemaVersion": 2,
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)", "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "alpine", "Metadata": {
"Vulnerabilities": [ "OS": {
{ "Family": "alpine",
"VulnerabilityID": "CVE-2019-1549", "Name": "3.10.2",
"PkgName": "libcrypto1.1", "EOSL": true
"InstalledVersion": "1.1.1c-r0", },
"FixedVersion": "1.1.1d-r0", "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
"Layer": { "DiffIDs": [
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
],
"ImageConfig": {
"architecture": "amd64",
"container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
"created": "2019-08-20T20:19:55.211423266Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-08-20T20:19:55.062606894Z",
"created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549", "created": "2019-08-20T20:19:55.211423266Z",
"Title": "openssl: information disclosure in fork()", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "empty_layer": true
"Severity": "MEDIUM", }
"CweIDs": [ ],
"CWE-330" "os": "linux",
], "rootfs": {
"CVSS": { "type": "layers",
"nvd": { "diff_ids": [
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
"V2Score": 5 ]
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
}, },
{ "config": {
"VulnerabilityID": "CVE-2019-1551", "Cmd": [
"PkgName": "libcrypto1.1", "/bin/sh"
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
], ],
"CVSS": { "Env": [
"nvd": { "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
], ],
"PublishedDate": "2019-12-06T18:15:00Z", "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
"LastModifiedDate": "2019-12-25T11:15:00Z" "ArgsEscaped": true
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
} }
] }
} },
] "Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}
]
}

810
integration/testdata/alpine-39.json.golden vendored
View File

@@ -1,385 +1,435 @@
[ {
{ "SchemaVersion": 2,
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)", "ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "alpine", "Metadata": {
"Vulnerabilities": [ "OS": {
{ "Family": "alpine",
"VulnerabilityID": "CVE-2019-1549", "Name": "3.9.4",
"PkgName": "libcrypto1.1", "EOSL": true
"InstalledVersion": "1.1.1b-r1", },
"FixedVersion": "1.1.1d-r0", "ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
"Layer": { "DiffIDs": [
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81" "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
],
"ImageConfig": {
"architecture": "amd64",
"container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
"created": "2019-05-11T00:07:03.510395965Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-05-11T00:07:03.358250803Z",
"created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549", "created": "2019-05-11T00:07:03.510395965Z",
"Title": "openssl: information disclosure in fork()", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "empty_layer": true
"Severity": "MEDIUM", }
"CweIDs": [ ],
"CWE-330" "os": "linux",
], "rootfs": {
"CVSS": { "type": "layers",
"nvd": { "diff_ids": [
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
"V2Score": 5 ]
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
}, },
{ "config": {
"VulnerabilityID": "CVE-2019-1551", "Cmd": [
"PkgName": "libcrypto1.1", "/bin/sh"
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
], ],
"CVSS": { "Env": [
"nvd": { "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
], ],
"PublishedDate": "2019-12-06T18:15:00Z", "Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
"LastModifiedDate": "2019-12-25T11:15:00Z" "ArgsEscaped": true
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2019-08-14T17:28:00Z"
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl-utils",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2019-08-14T17:28:00Z"
} }
] }
} },
] "Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2019-08-14T17:28:00Z"
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl-utils",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2019-08-14T17:28:00Z"
}
]
}
]
}

1379
integration/testdata/amazon-1.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

7065
integration/testdata/amazon-2.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

314
integration/testdata/busybox-with-lockfile.json.golden vendored
View File

@@ -1,136 +1,186 @@
[ {
{ "SchemaVersion": 2,
"Target": "Cargo.lock", "ArtifactName": "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
"Class": "lang-pkgs", "ArtifactType": "container_image",
"Type": "cargo", "Metadata": {
"Vulnerabilities": [ "ImageID": "sha256:17c82adee8b5ffec7d6e30dba333bb37986add86afeb4a07754407bb049faedb",
{ "DiffIDs": [
"VulnerabilityID": "RUSTSEC-2019-0001", "sha256:a6d503001157aedc826853f9b67f26d35966221b158bff03849868ae4a821116",
"PkgName": "ammonia", "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
"InstalledVersion": "1.9.0", ],
"FixedVersion": "\u003e= 2.1.0", "ImageConfig": {
"Layer": { "architecture": "amd64",
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" "created": "2020-04-26T16:23:28.996276377Z",
"docker_version": "19.03.8",
"history": [
{
"created": "2020-03-10T00:19:32.83969331Z",
"created_by": "/bin/sh -c #(nop) ADD file:450bea8cddb743ed282cb1ade3d1614033172b93ef531c69a4e49fda3016cef0 in / "
}, },
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0001", {
"Title": "Uncontrolled recursion leads to abort in HTML serialization", "created": "2020-03-10T00:19:33.019716493Z",
"Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.", "created_by": "/bin/sh -c #(nop) CMD [\"sh\"]",
"Severity": "UNKNOWN", "empty_layer": true
"References": [ },
"https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210" {
"created": "2020-04-26T16:23:28.996276377Z",
"created_by": "/bin/sh -c #(nop) ADD 343df0159abcc51b06b4e56bfd4c06d2003b88947ed93b0cec6214ae5985669e in . "
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:a6d503001157aedc826853f9b67f26d35966221b158bff03849868ae4a821116",
"sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
] ]
}, },
{ "config": {
"VulnerabilityID": "RUSTSEC-2016-0001", "Cmd": [
"PkgName": "openssl", "sh"
"InstalledVersion": "0.8.3", ],
"FixedVersion": "\u003e= 0.9.0", "Env": [
"Layer": { "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" ],
}, "Image": "sha256:83aa35aa1c79e4b6957e018da6e322bfca92bf3b4696a211b42502543c242d6f",
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2016-0001", "ArgsEscaped": true
"Title": "SSL/TLS MitM vulnerability due to insecure defaults",
"Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).",
"Severity": "UNKNOWN",
"References": [
"https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0035",
"PkgName": "rand_core",
"InstalledVersion": "0.3.1",
"FixedVersion": "\u003e= 0.4.2",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
"Title": "Unaligned memory access",
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0035",
"PkgName": "rand_core",
"InstalledVersion": "0.4.0",
"FixedVersion": "\u003e= 0.4.2",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
"Title": "Unaligned memory access",
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0018",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.13",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0018",
"Title": "smallvec creates uninitialized value of any type",
"Description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/126"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0009",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.10",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0009",
"Title": "Double-free and use-after-free in SmallVec::grow()",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/148"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0012",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.10",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0012",
"Title": "Memory corruption in SmallVec::grow()",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/149"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0017",
"PkgName": "tempdir",
"InstalledVersion": "0.3.7",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0017",
"Title": "`tempdir` crate has been deprecated; use `tempfile` instead",
"Description": "The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated\nand the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-lang-deprecated/tempdir/pull/46"
]
} }
] }
} },
] "Results": [
{
"Target": "Cargo.lock",
"Class": "lang-pkgs",
"Type": "cargo",
"Vulnerabilities": [
{
"VulnerabilityID": "RUSTSEC-2019-0001",
"PkgName": "ammonia",
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 2.1.0",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0001",
"Title": "Uncontrolled recursion leads to abort in HTML serialization",
"Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
]
},
{
"VulnerabilityID": "RUSTSEC-2016-0001",
"PkgName": "openssl",
"InstalledVersion": "0.8.3",
"FixedVersion": "\u003e= 0.9.0",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2016-0001",
"Title": "SSL/TLS MitM vulnerability due to insecure defaults",
"Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).",
"Severity": "UNKNOWN",
"References": [
"https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0035",
"PkgName": "rand_core",
"InstalledVersion": "0.3.1",
"FixedVersion": "\u003e= 0.4.2",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
"Title": "Unaligned memory access",
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0035",
"PkgName": "rand_core",
"InstalledVersion": "0.4.0",
"FixedVersion": "\u003e= 0.4.2",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
"Title": "Unaligned memory access",
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0018",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.13",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0018",
"Title": "smallvec creates uninitialized value of any type",
"Description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/126"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0009",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.10",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0009",
"Title": "Double-free and use-after-free in SmallVec::grow()",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/148"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0012",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.10",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0012",
"Title": "Memory corruption in SmallVec::grow()",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/149"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0017",
"PkgName": "tempdir",
"InstalledVersion": "0.3.7",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0017",
"Title": "`tempdir` crate has been deprecated; use `tempfile` instead",
"Description": "The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated\nand the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-lang-deprecated/tempdir/pull/46"
]
}
]
}
]
}

54570
integration/testdata/centos-6.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

9397
integration/testdata/centos-7-ignore-unfixed.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

5107
integration/testdata/centos-7-low-high.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

58729
integration/testdata/centos-7.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

1495
integration/testdata/debian-buster-ignore-unfixed.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

6557
integration/testdata/debian-buster.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

11587
integration/testdata/debian-stretch.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

215
integration/testdata/distroless-base-ignore-unfixed.json.golden vendored
View File

@@ -1,87 +1,134 @@
[ {
{ "SchemaVersion": 2,
"Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)", "ArtifactName": "testdata/fixtures/images/distroless-base.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "debian", "Metadata": {
"Vulnerabilities": [ "OS": {
{ "Family": "debian",
"VulnerabilityID": "CVE-2019-1563", "Name": "9.9"
"PkgName": "libssl1.1", },
"InstalledVersion": "1.1.0k-1~deb9u1", "ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
"FixedVersion": "1.1.0l-1~deb9u1", "DiffIDs": [
"Layer": { "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
"DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
],
"ImageConfig": {
"architecture": "amd64",
"author": "Bazel",
"created": "1970-01-01T00:00:00Z",
"history": [
{
"author": "Bazel",
"created": "1970-01-01T00:00:00Z",
"created_by": "bazel build ..."
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563", "author": "Bazel",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "created": "1970-01-01T00:00:00Z",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "created_by": "bazel build ..."
"Severity": "MEDIUM", }
"CweIDs": [ ],
"CWE-311" "os": "linux",
], "rootfs": {
"CVSS": { "type": "layers",
"nvd": { "diff_ids": [
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
"V2Score": 4.3 "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
}, ]
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
}, },
{ "config": {
"VulnerabilityID": "CVE-2019-1563", "Env": [
"PkgName": "openssl", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"InstalledVersion": "1.1.0k-1~deb9u1", "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
"FixedVersion": "1.1.0l-1~deb9u1", ]
"Layer": {
"DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
} }
] }
} },
] "Results": [
{
"Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
"Layer": {
"DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "openssl",
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
"Layer": {
"DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
}
]
}
]
}

2239
integration/testdata/distroless-base.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

8110
integration/testdata/distroless-python27.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

93
integration/testdata/dockerfile-custom-policies.json.golden vendored
View File

@@ -1,40 +1,57 @@
[ {
{ "SchemaVersion": 2,
"Target": "Dockerfile", "ArtifactName": "testdata/fixtures/fs/custom-policy",
"Class": "config", "ArtifactType": "filesystem",
"Type": "dockerfile", "Metadata": {
"MisconfSummary": { "ImageConfig": {
"Successes": 0, "architecture": "",
"Failures": 2, "created": "0001-01-01T00:00:00Z",
"Exceptions": 0 "os": "",
}, "rootfs": {
"Misconfigurations": [ "type": "",
{ "diff_ids": null
"Type": "N/A",
"ID": "N/A",
"Title": "N/A",
"Message": "something bad: bar",
"Namespace": "user.bar",
"Query": "data.user.bar.deny",
"Severity": "UNKNOWN",
"Status": "FAIL",
"Layer": {
"DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
}
}, },
{ "config": {}
"Type": "N/A", }
"ID": "N/A", },
"Title": "N/A", "Results": [
"Message": "something bad: foo", {
"Namespace": "user.foo", "Target": "Dockerfile",
"Query": "data.user.foo.deny", "Class": "config",
"Severity": "UNKNOWN", "Type": "dockerfile",
"Status": "FAIL", "MisconfSummary": {
"Layer": { "Successes": 0,
"DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc" "Failures": 2,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "N/A",
"ID": "N/A",
"Title": "N/A",
"Message": "something bad: bar",
"Namespace": "user.bar",
"Query": "data.user.bar.deny",
"Severity": "UNKNOWN",
"Status": "FAIL",
"Layer": {
"DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
}
},
{
"Type": "N/A",
"ID": "N/A",
"Title": "N/A",
"Message": "something bad: foo",
"Namespace": "user.foo",
"Query": "data.user.foo.deny",
"Severity": "UNKNOWN",
"Status": "FAIL",
"Layer": {
"DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
}
} }
} ]
] }
} ]
] }

39
integration/testdata/dockerfile-namespace-exception.json.golden vendored
View File

@@ -1,12 +1,29 @@
[ {
{ "SchemaVersion": 2,
"Target": "Dockerfile", "ArtifactName": "testdata/fixtures/fs/namespace-exception",
"Class": "config", "ArtifactType": "filesystem",
"Type": "dockerfile", "Metadata": {
"MisconfSummary": { "ImageConfig": {
"Successes": 0, "architecture": "",
"Failures": 0, "created": "0001-01-01T00:00:00Z",
"Exceptions": 1 "os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
} }
} },
] "Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 0,
"Failures": 0,
"Exceptions": 1
}
}
]
}

39
integration/testdata/dockerfile-rule-exception.json.golden vendored
View File

@@ -1,12 +1,29 @@
[ {
{ "SchemaVersion": 2,
"Target": "Dockerfile", "ArtifactName": "testdata/fixtures/fs/rule-exception",
"Class": "config", "ArtifactType": "filesystem",
"Type": "dockerfile", "Metadata": {
"MisconfSummary": { "ImageConfig": {
"Successes": 0, "architecture": "",
"Failures": 0, "created": "0001-01-01T00:00:00Z",
"Exceptions": 1 "os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
} }
} },
] "Results": [
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 0,
"Failures": 0,
"Exceptions": 1
}
}
]
}

83
integration/testdata/dockerfile.json.golden vendored
View File

@@ -1,34 +1,51 @@
[ {
{ "SchemaVersion": 2,
"Target": "Dockerfile", "ArtifactName": "testdata/fixtures/fs/dockerfile",
"Class": "config", "ArtifactType": "filesystem",
"Type": "dockerfile", "Metadata": {
"MisconfSummary": { "ImageConfig": {
"Successes": 0, "architecture": "",
"Failures": 1, "created": "0001-01-01T00:00:00Z",
"Exceptions": 0 "os": "",
}, "rootfs": {
"Misconfigurations": [ "type": "",
{ "diff_ids": null
"Type": "Dockerfile Security Check", },
"ID": "DS002", "config": {}
"Title": "Image user should not be 'root'", }
"Description": "It is a good practice to run the container as a non-root user.", },
"Message": "Specify at least 1 USER command in Dockerfile", "Results": [
"Namespace": "appshield.dockerfile.DS002", {
"Query": "data.appshield.dockerfile.DS002.deny", "Target": "Dockerfile",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", "Class": "config",
"Severity": "HIGH", "Type": "dockerfile",
"PrimaryURL": "https://avd.aquasec.com/appshield/ds002", "MisconfSummary": {
"References": [ "Successes": 0,
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "Failures": 1,
"https://avd.aquasec.com/appshield/ds002" "Exceptions": 0
], },
"Status": "FAIL", "Misconfigurations": [
"Layer": { {
"DiffID": "sha256:2f8334a38883ba260fc9cab989110b8eea18721ee15c319b83fa3eba8d5981ca" "Type": "Dockerfile Security Check",
"ID": "DS002",
"Title": "Image user should not be 'root'",
"Description": "It is a good practice to run the container as a non-root user.",
"Message": "Specify at least 1 USER command in Dockerfile",
"Namespace": "appshield.dockerfile.DS002",
"Query": "data.appshield.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/appshield/ds002"
],
"Status": "FAIL",
"Layer": {
"DiffID": "sha256:2f8334a38883ba260fc9cab989110b8eea18721ee15c319b83fa3eba8d5981ca"
}
} }
} ]
] }
} ]
] }

526
integration/testdata/fluentd-multiple-lockfiles.json.golden vendored
View File

@@ -1,224 +1,326 @@
[ {
{ "SchemaVersion": 2,
"Target": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz (debian 10.2)", "ArtifactName": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "debian", "Metadata": {
"Vulnerabilities": [ "OS": {
{ "Family": "debian",
"VulnerabilityID": "CVE-2019-5188", "Name": "10.2"
"PkgName": "e2fsprogs", },
"InstalledVersion": "1.44.5-1+deb10u2", "ImageID": "sha256:5a992077baba51b97f27591a10d54d2f2723dc9c81a3fe419e261023f2554933",
"FixedVersion": "1.44.5-1+deb10u3", "DiffIDs": [
"Layer": { "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f",
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f" "sha256:02874b2b269dea8dde0f7edb4c9906904dfe38a09de1a214f20c650cfb15c60e",
"sha256:3752e1f6fd759c795c13aff2c93c081529366e27635ba6621e849b0f9cfc77f0",
"sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9",
"sha256:788c00e2cfc8f2a018ae4344ccf0b2c226ebd756d7effd1ce50eea1a4252cd89",
"sha256:25165eb51d15842f870f97873e0a58409d5e860e6108e3dd829bd10e484c0065"
],
"ImageConfig": {
"architecture": "amd64",
"container": "232f3fc7ddffd71dc3ff52c6c0c3a5feea2f51acffd9b53850a8fc6f1a15319a",
"created": "2020-03-04T13:59:39.161374106Z",
"docker_version": "19.03.4",
"history": [
{
"created": "2019-11-22T14:55:09.912242636Z",
"created_by": "/bin/sh -c #(nop) ADD file:bc8179c87c8dbb3d962bed1801f99e7c860ff03797cde6ad19b107d43b973ada in / "
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188", "created": "2019-11-22T14:55:10.253859615Z",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", "created_by": "/bin/sh -c #(nop) CMD [\"bash\"]",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "empty_layer": true
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
}, },
"References": [ {
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", "created": "2020-03-04T13:58:17.973854594Z",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", "created_by": "/bin/sh -c #(nop) ARG DEBIAN_FRONTEND=noninteractive",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", "empty_layer": true
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libcom-err2",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188", "created": "2020-03-04T13:58:18.12120844Z",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", "created_by": "/bin/sh -c #(nop) COPY file:4e7fdb1bc31a0f689d88f6af28d4f0352e89a2ac598c523e9637da3de75bfada in /tmp/install.sh "
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
}, },
"References": [ {
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", "created": "2020-03-04T13:58:18.26894021Z",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", "created_by": "/bin/sh -c #(nop) COPY file:c03560fcb4f0aff4cecd93039c348ba4992564740c77e3d6049a44fe79ca44ab in /Gemfile "
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libext2fs2",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188", "created": "2020-03-04T13:59:37.96119583Z",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", "created_by": "|1 DEBIAN_FRONTEND=noninteractive /bin/sh -c chmod +x /tmp/install.sh \u0026\u0026 /bin/bash -l -c /tmp/install.sh \u0026\u0026 rm /tmp/*"
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
}, },
"References": [ {
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", "created": "2020-03-04T13:59:38.583719926Z",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", "created_by": "/bin/sh -c #(nop) COPY file:f742fdea941d5baccbf9a9c45ccc9cd943377f3c3e07da787a8d8d9f92a8b3d3 in /etc/fluent/fluent.conf "
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-18224",
"PkgName": "libidn2-0",
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224", "created": "2020-03-04T13:59:38.72131564Z",
"Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c", "created_by": "/bin/sh -c #(nop) COPY file:a9ce963551c165ec55bb4d982d96336caa97e8c70011eb4ca58927956bd08e2a in /run.sh "
"Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"Severity": "HIGH",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
}, },
"References": [ {
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420", "created": "2020-03-04T13:59:38.844116271Z",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224", "created_by": "/bin/sh -c #(nop) EXPOSE 80",
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c", "empty_layer": true
"https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
"https://usn.ubuntu.com/4168-1/",
"https://usn.ubuntu.com/usn/usn-4168-1"
],
"PublishedDate": "2019-10-21T17:15:00Z",
"LastModifiedDate": "2019-10-29T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libss2",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
}, },
"SeveritySource": "nvd", {
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188", "created": "2020-03-04T13:59:38.99446051Z",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", "created_by": "/bin/sh -c #(nop) ENV LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "empty_layer": true
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
}, },
"References": [ {
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", "created": "2020-03-04T13:59:39.161374106Z",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", "created_by": "/bin/sh -c #(nop) CMD [\"/run.sh\"]",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", "empty_layer": true
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", }
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", ],
"https://usn.ubuntu.com/4249-1/", "os": "linux",
"https://usn.ubuntu.com/usn/usn-4249-1" "rootfs": {
], "type": "layers",
"PublishedDate": "2020-01-08T16:15:00Z", "diff_ids": [
"LastModifiedDate": "2020-01-28T06:15:00Z" "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f",
} "sha256:02874b2b269dea8dde0f7edb4c9906904dfe38a09de1a214f20c650cfb15c60e",
] "sha256:3752e1f6fd759c795c13aff2c93c081529366e27635ba6621e849b0f9cfc77f0",
}, "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9",
{ "sha256:788c00e2cfc8f2a018ae4344ccf0b2c226ebd756d7effd1ce50eea1a4252cd89",
"Target": "Ruby", "sha256:25165eb51d15842f870f97873e0a58409d5e860e6108e3dd829bd10e484c0065"
"Class": "lang-pkgs",
"Type": "gemspec",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2020-8165",
"PkgName": "activesupport",
"PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
"InstalledVersion": "6.0.2.1",
"FixedVersion": "~\u003e 5.2.4.3, \u003e= 6.0.3.1",
"Layer": {
"DiffID": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
"Title": "Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore",
"Description": "There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when\nuntrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result\nfrom the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:\n\n```\ndata = cache.fetch(\"demo\", raw: true) { untrusted_string }\n```\n\nVersions Affected: rails \u003c 5.2.5, rails \u003c 6.0.4\nNot affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.\nFixed Versions: rails \u003e= 5.2.4.3, rails \u003e= 6.0.3.1\n\nImpact\n------\n\nUnmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,\nthis vulnerability allows an attacker to inject untrusted Ruby objects into a web application.\n\nIn addition to upgrading to the latest versions of Rails, developers should ensure that whenever\nthey are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both\nreading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,\ndetect if data was serialized using the raw option upon deserialization.\n\nWorkarounds\n-----------\n\nIt is recommended that application developers apply the suggested patch or upgrade to the latest release as\nsoon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using\nthe `raw` argument should be double-checked to ensure that they conform to the expected format.\n",
"Severity": "UNKNOWN",
"References": [
"https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c"
] ]
},
"config": {
"Cmd": [
"/run.sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
],
"Image": "sha256:2a538358cddc4824e9eff1531e0c63ae5e3cda85d2984c647df9b1c816b9b86b",
"ExposedPorts": {
"80/tcp": {}
}
} }
] }
} },
] "Results": [
{
"Target": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "e2fsprogs",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libcom-err2",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libext2fs2",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-18224",
"PkgName": "libidn2-0",
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
"Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
"Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"Severity": "HIGH",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
},
"References": [
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
"https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
"https://usn.ubuntu.com/4168-1/",
"https://usn.ubuntu.com/usn/usn-4168-1"
],
"PublishedDate": "2019-10-21T17:15:00Z",
"LastModifiedDate": "2019-10-29T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libss2",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
}
]
},
{
"Target": "Ruby",
"Class": "lang-pkgs",
"Type": "gemspec",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2020-8165",
"PkgName": "activesupport",
"PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
"InstalledVersion": "6.0.2.1",
"FixedVersion": "~\u003e 5.2.4.3, \u003e= 6.0.3.1",
"Layer": {
"DiffID": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
"Title": "Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore",
"Description": "There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when\nuntrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result\nfrom the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:\n\n```\ndata = cache.fetch(\"demo\", raw: true) { untrusted_string }\n```\n\nVersions Affected: rails \u003c 5.2.5, rails \u003c 6.0.4\nNot affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.\nFixed Versions: rails \u003e= 5.2.4.3, rails \u003e= 6.0.3.1\n\nImpact\n------\n\nUnmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,\nthis vulnerability allows an attacker to inject untrusted Ruby objects into a web application.\n\nIn addition to upgrading to the latest versions of Rails, developers should ensure that whenever\nthey are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both\nreading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,\ndetect if data was serialized using the raw option upon deserialization.\n\nWorkarounds\n-----------\n\nIt is recommended that application developers apply the suggested patch or upgrade to the latest release as\nsoon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using\nthe `raw` argument should be double-checked to ensure that they conform to the expected format.\n",
"Severity": "UNKNOWN",
"References": [
"https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c"
]
}
]
}
]
}

459
integration/testdata/nodejs.json.golden vendored
View File

@@ -1,227 +1,244 @@
[ {
{ "SchemaVersion": 2,
"Target": "package-lock.json", "ArtifactName": "testdata/fixtures/fs/nodejs",
"Class": "lang-pkgs", "ArtifactType": "filesystem",
"Type": "npm", "Metadata": {
"Vulnerabilities": [ "ImageConfig": {
{ "architecture": "",
"VulnerabilityID": "CVE-2019-11358", "created": "0001-01-01T00:00:00Z",
"PkgName": "jquery", "os": "",
"InstalledVersion": "3.3.9", "rootfs": {
"FixedVersion": "3.4.0", "type": "",
"Layer": { "diff_ids": null
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nodejs-security-wg",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
"Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
"Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 4.3,
"V3Score": 6.1
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
},
"References": [
"http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html",
"http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html",
"http://seclists.org/fulldisclosure/2019/May/10",
"http://seclists.org/fulldisclosure/2019/May/11",
"http://seclists.org/fulldisclosure/2019/May/13",
"http://www.openwall.com/lists/oss-security/2019/06/03/2",
"http://www.securityfocus.com/bid/108023",
"https://access.redhat.com/errata/RHSA-2019:1456",
"https://backdropcms.org/security/backdrop-sa-core-2019-009",
"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
"https://github.com/DanielRuf/snyk-js-jquery-174006?files=1",
"https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
"https://github.com/jquery/jquery/pull/4333",
"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434",
"https://hackerone.com/reports/454365",
"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html",
"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"https://seclists.org/bugtraq/2019/Apr/32",
"https://seclists.org/bugtraq/2019/Jun/12",
"https://seclists.org/bugtraq/2019/May/18",
"https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
"https://www.debian.org/security/2019/dsa-4434",
"https://www.debian.org/security/2019/dsa-4460",
"https://www.drupal.org/sa-core-2019-006"
],
"PublishedDate": "2019-04-20T00:29:00Z",
"LastModifiedDate": "2019-06-12T17:29:00Z"
}, },
{ "config": {}
"VulnerabilityID": "CVE-2019-10744", }
"PkgName": "lodash", },
"InstalledVersion": "4.17.4", "Results": [
"FixedVersion": "4.17.12", {
"Layer": { "Target": "package-lock.json",
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c" "Class": "lang-pkgs",
}, "Type": "npm",
"SeveritySource": "nvd", "Vulnerabilities": [
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", {
"Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", "VulnerabilityID": "CVE-2019-11358",
"Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", "PkgName": "jquery",
"Severity": "CRITICAL", "InstalledVersion": "3.3.9",
"CweIDs": [ "FixedVersion": "3.4.0",
"CWE-20" "Layer": {
], "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}, },
"redhat": { "SeveritySource": "nodejs-security-wg",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
"V3Score": 9.1 "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
} "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
}, "Severity": "MEDIUM",
"References": [ "CweIDs": [
"https://access.redhat.com/errata/RHSA-2019:3024", "CWE-79"
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744", ],
"https://github.com/lodash/lodash/issues/4348", "CVSS": {
"https://github.com/lodash/lodash/pull/4336", "nvd": {
"https://nvd.nist.gov/vuln/detail/CVE-2019-10744", "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"https://security.netapp.com/advisory/ntap-20191004-0005/", "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"https://snyk.io/vuln/SNYK-JS-LODASH-450202" "V2Score": 4.3,
], "V3Score": 6.1
"PublishedDate": "2019-07-26T00:15:00Z", },
"LastModifiedDate": "2019-10-04T09:15:00Z" "redhat": {
}, "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
{ "V3Score": 5.6
"VulnerabilityID": "CVE-2018-16487", }
"PkgName": "lodash",
"InstalledVersion": "4.17.4",
"FixedVersion": "4.17.11",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nodejs-security-wg",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
"Title": "lodash: Prototype pollution in utilities function",
"Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
"Severity": "HIGH",
"CweIDs": [
"CWE-254"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}, },
"redhat": { "References": [
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html",
"V3Score": 5.6 "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html",
} "http://seclists.org/fulldisclosure/2019/May/10",
"http://seclists.org/fulldisclosure/2019/May/11",
"http://seclists.org/fulldisclosure/2019/May/13",
"http://www.openwall.com/lists/oss-security/2019/06/03/2",
"http://www.securityfocus.com/bid/108023",
"https://access.redhat.com/errata/RHSA-2019:1456",
"https://backdropcms.org/security/backdrop-sa-core-2019-009",
"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
"https://github.com/DanielRuf/snyk-js-jquery-174006?files=1",
"https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
"https://github.com/jquery/jquery/pull/4333",
"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434",
"https://hackerone.com/reports/454365",
"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html",
"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"https://seclists.org/bugtraq/2019/Apr/32",
"https://seclists.org/bugtraq/2019/Jun/12",
"https://seclists.org/bugtraq/2019/May/18",
"https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
"https://www.debian.org/security/2019/dsa-4434",
"https://www.debian.org/security/2019/dsa-4460",
"https://www.drupal.org/sa-core-2019-006"
],
"PublishedDate": "2019-04-20T00:29:00Z",
"LastModifiedDate": "2019-06-12T17:29:00Z"
}, },
"References": [ {
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487", "VulnerabilityID": "CVE-2019-10744",
"https://hackerone.com/reports/380873", "PkgName": "lodash",
"https://nvd.nist.gov/vuln/detail/CVE-2018-16487", "InstalledVersion": "4.17.4",
"https://security.netapp.com/advisory/ntap-20190919-0004/", "FixedVersion": "4.17.12",
"https://www.npmjs.com/advisories/782" "Layer": {
], "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
"PublishedDate": "2019-02-01T18:29:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1010266",
"PkgName": "lodash",
"InstalledVersion": "4.17.4",
"FixedVersion": "4.17.11",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266",
"Title": "Moderate severity vulnerability that affects lodash",
"Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-400"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 4,
"V3Score": 6.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266",
"https://github.com/lodash/lodash/issues/3359",
"https://github.com/lodash/lodash/wiki/Changelog",
"https://nvd.nist.gov/vuln/detail/CVE-2019-1010266",
"https://security.netapp.com/advisory/ntap-20190919-0004/",
"https://snyk.io/vuln/SNYK-JS-LODASH-73639"
],
"PublishedDate": "2019-07-17T21:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2018-3721",
"PkgName": "lodash",
"InstalledVersion": "4.17.4",
"FixedVersion": "4.17.5",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nodejs-security-wg",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
"Title": "lodash: Prototype pollution in utilities function",
"Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
"Severity": "LOW",
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"V2Score": 4,
"V3Score": 6.5
}, },
"redhat": { "SeveritySource": "nvd",
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
"V3Score": 2.9 "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
} "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"V3Score": 9.1
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2019:3024",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744",
"https://github.com/lodash/lodash/issues/4348",
"https://github.com/lodash/lodash/pull/4336",
"https://nvd.nist.gov/vuln/detail/CVE-2019-10744",
"https://security.netapp.com/advisory/ntap-20191004-0005/",
"https://snyk.io/vuln/SNYK-JS-LODASH-450202"
],
"PublishedDate": "2019-07-26T00:15:00Z",
"LastModifiedDate": "2019-10-04T09:15:00Z"
}, },
"References": [ {
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721", "VulnerabilityID": "CVE-2018-16487",
"https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", "PkgName": "lodash",
"https://hackerone.com/reports/310443", "InstalledVersion": "4.17.4",
"https://nvd.nist.gov/vuln/detail/CVE-2018-3721", "FixedVersion": "4.17.11",
"https://security.netapp.com/advisory/ntap-20190919-0004/" "Layer": {
], "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
"PublishedDate": "2018-06-07T02:29:00Z", },
"LastModifiedDate": "2019-10-03T00:03:00Z" "SeveritySource": "nodejs-security-wg",
} "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
] "Title": "lodash: Prototype pollution in utilities function",
} "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
] "Severity": "HIGH",
"CweIDs": [
"CWE-254"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
"https://hackerone.com/reports/380873",
"https://nvd.nist.gov/vuln/detail/CVE-2018-16487",
"https://security.netapp.com/advisory/ntap-20190919-0004/",
"https://www.npmjs.com/advisories/782"
],
"PublishedDate": "2019-02-01T18:29:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1010266",
"PkgName": "lodash",
"InstalledVersion": "4.17.4",
"FixedVersion": "4.17.11",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266",
"Title": "Moderate severity vulnerability that affects lodash",
"Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-400"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 4,
"V3Score": 6.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266",
"https://github.com/lodash/lodash/issues/3359",
"https://github.com/lodash/lodash/wiki/Changelog",
"https://nvd.nist.gov/vuln/detail/CVE-2019-1010266",
"https://security.netapp.com/advisory/ntap-20190919-0004/",
"https://snyk.io/vuln/SNYK-JS-LODASH-73639"
],
"PublishedDate": "2019-07-17T21:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2018-3721",
"PkgName": "lodash",
"InstalledVersion": "4.17.4",
"FixedVersion": "4.17.5",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nodejs-security-wg",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
"Title": "lodash: Prototype pollution in utilities function",
"Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
"Severity": "LOW",
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"V2Score": 4,
"V3Score": 6.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 2.9
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721",
"https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a",
"https://hackerone.com/reports/310443",
"https://nvd.nist.gov/vuln/detail/CVE-2018-3721",
"https://security.netapp.com/advisory/ntap-20190919-0004/"
],
"PublishedDate": "2018-06-07T02:29:00Z",
"LastModifiedDate": "2019-10-03T00:03:00Z"
}
]
}
]
}

645
integration/testdata/opensuse-leap-151.json.golden vendored
View File

@@ -1,297 +1,354 @@
[ {
{ "SchemaVersion": 2,
"Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)", "ArtifactName": "testdata/fixtures/images/opensuse-leap-151.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "opensuse.leap", "Metadata": {
"Vulnerabilities": [ "OS": {
{ "Family": "opensuse.leap",
"VulnerabilityID": "openSUSE-SU-2019:2596-1", "Name": "15.1",
"PkgName": "cpio", "EOSL": true
"InstalledVersion": "2.12-lp151.2.68", },
"FixedVersion": "2.12-lp151.3.3.1", "ImageID": "sha256:fef5ad254f6378f08071cfa2daaf05a1ce9857141c944b67a40742e63e65cecc",
"Layer": { "DiffIDs": [
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
}, ],
"Title": "Security update for cpio", "ImageConfig": {
"Description": "This update for cpio fixes the following issues:\n\n- CVE-2019-14866: Fixed an improper validation of the values written \n in the header of a TAR file through the to_oct() function which could \n have led to unexpected TAR generation (bsc#1155199).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "architecture": "amd64",
"Severity": "MEDIUM", "author": "Fabian Vogt \u003cfvogt@suse.com\u003e",
"References": [ "created": "2019-11-05T15:54:41Z",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00076.html", "history": [
"https://www.suse.com/support/security/rating/" {
"created": "2019-11-05T15:54:41Z",
"created_by": "KIWI 9.17.16"
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
] ]
}, },
{ "config": {
"VulnerabilityID": "openSUSE-SU-2020:0166-1", "Cmd": [
"PkgName": "libcom_err2", "/bin/bash"
"InstalledVersion": "1.43.8-lp151.5.6.1", ],
"FixedVersion": "1.43.8-lp151.5.12.1", "Labels": {
"Layer": { "org.openbuildservice.disturl": "obs://build.opensuse.org/openSUSE:Leap:15.1:Images/images/740264e3294afe7ca32a3ea9deb863d2-opensuse-leap-image:docker",
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" "org.opencontainers.image.created": "2019-11-05T15:54:10.571514200Z",
}, "org.opencontainers.image.description": "Image containing a minimal environment for containers based on openSUSE Leap 15.1.",
"Title": "Security update for e2fsprogs", "org.opencontainers.image.title": "openSUSE Leap 15.1 Base Container",
"Description": "This update for e2fsprogs fixes the following issues:\n\n- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "org.opencontainers.image.url": "https://www.opensuse.org/",
"Severity": "MEDIUM", "org.opencontainers.image.vendor": "openSUSE Project",
"References": [ "org.opencontainers.image.version": "15.1.3.67",
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", "org.opensuse.base.created": "2019-11-05T15:54:10.571514200Z",
"https://www.suse.com/support/security/rating/" "org.opensuse.base.description": "Image containing a minimal environment for containers based on openSUSE Leap 15.1.",
] "org.opensuse.base.disturl": "obs://build.opensuse.org/openSUSE:Leap:15.1:Images/images/740264e3294afe7ca32a3ea9deb863d2-opensuse-leap-image:docker",
}, "org.opensuse.base.reference": "registry.opensuse.org/opensuse/leap:15.1.3.67",
{ "org.opensuse.base.title": "openSUSE Leap 15.1 Base Container",
"VulnerabilityID": "openSUSE-SU-2020:0022-1", "org.opensuse.base.url": "https://www.opensuse.org/",
"PkgName": "libgcrypt20", "org.opensuse.base.vendor": "openSUSE Project",
"InstalledVersion": "1.8.2-lp151.9.4.1", "org.opensuse.base.version": "15.1.3.67",
"FixedVersion": "1.8.2-lp151.9.7.1", "org.opensuse.reference": "registry.opensuse.org/opensuse/leap:15.1.3.67"
"Layer": { }
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libgcrypt",
"Description": "This update for libgcrypt fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).\n\nBug fixes:\n\n- Added CMAC AES self test (bsc#1155339).\n- Added CMAC TDES self test missing (bsc#1155338).\n- Fix test dsa-rfc6979 in FIPS mode.\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00018.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2611-1",
"PkgName": "libidn2-0",
"InstalledVersion": "2.0.4-lp151.2.3",
"FixedVersion": "2.2.0-lp151.3.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libidn2",
"Description": "This update for libidn2 to version 2.2.0 fixes the following issues:\n\n- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).\n- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2551-1",
"PkgName": "libncurses6",
"InstalledVersion": "6.1-lp151.5.41",
"FixedVersion": "6.1-lp151.6.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for ncurses",
"Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0062-1",
"PkgName": "libopenssl1_1",
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for openssl-1_1",
"Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0255-1",
"PkgName": "libsolv-tools",
"InstalledVersion": "0.7.6-lp151.2.3.2",
"FixedVersion": "0.7.10-lp151.2.10.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libsolv, libzypp, zypper",
"Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2689-1",
"PkgName": "libssh4",
"InstalledVersion": "0.8.7-lp151.2.3.1",
"FixedVersion": "0.8.7-lp151.2.6.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libssh",
"Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0102-1",
"PkgName": "libssh4",
"InstalledVersion": "0.8.7-lp151.2.3.1",
"FixedVersion": "0.8.7-lp151.2.9.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libssh",
"Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0208-1",
"PkgName": "libsystemd0",
"InstalledVersion": "234-lp151.26.4.1",
"FixedVersion": "234-lp151.26.7.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for systemd",
"Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n Fix a heap use-after-free vulnerability, when asynchronous\n Polkit queries were performed while handling Dbus messages. A local\n unprivileged attacker could have abused this flaw to crash systemd services or\n potentially execute code and elevate their privileges, by sending specially\n crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n * shell-completion: systemctl: do not list template units in {re,}start\n * shell-completion: systemctl: pass current word to all list_unit*\n * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n * bash-completion: systemctl: use systemctl --no-pager\n * bash-completion: also suggest template unit files\n * bash-completion: systemctl: add missing options and verbs\n * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n (bsc#1092920)\n \nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0208-1",
"PkgName": "libudev1",
"InstalledVersion": "234-lp151.26.4.1",
"FixedVersion": "234-lp151.26.7.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for systemd",
"Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n Fix a heap use-after-free vulnerability, when asynchronous\n Polkit queries were performed while handling Dbus messages. A local\n unprivileged attacker could have abused this flaw to crash systemd services or\n potentially execute code and elevate their privileges, by sending specially\n crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n * shell-completion: systemctl: do not list template units in {re,}start\n * shell-completion: systemctl: pass current word to all list_unit*\n * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n * bash-completion: systemctl: use systemctl --no-pager\n * bash-completion: also suggest template unit files\n * bash-completion: systemctl: add missing options and verbs\n * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n (bsc#1092920)\n \nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2612-1",
"PkgName": "libxml2-2",
"InstalledVersion": "2.9.7-lp151.5.3.1",
"FixedVersion": "2.9.7-lp151.5.6.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libxml2",
"Description": "This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect\nall CVEs that have been fixed over the past.\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "UNKNOWN",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00010.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0255-1",
"PkgName": "libzypp",
"InstalledVersion": "17.15.0-lp151.2.3.2",
"FixedVersion": "17.19.0-lp151.2.10.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libsolv, libzypp, zypper",
"Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2551-1",
"PkgName": "ncurses-utils",
"InstalledVersion": "6.1-lp151.5.41",
"FixedVersion": "6.1-lp151.6.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for ncurses",
"Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0062-1",
"PkgName": "openssl-1_1",
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for openssl-1_1",
"Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2672-1",
"PkgName": "permissions",
"InstalledVersion": "20181116-lp151.4.6.1",
"FixedVersion": "20181116-lp151.4.9.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for permissions",
"Description": "This update for permissions fixes the following issues:\n\n- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid\n which could have allowed a squid user to gain persistence by changing the \n binary (bsc#1093414).\n- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic \n links (bsc#1150734).\n- Fixed a regression which caused sagmentation fault (bsc#1157198).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00024.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2551-1",
"PkgName": "terminfo-base",
"InstalledVersion": "6.1-lp151.5.41",
"FixedVersion": "6.1-lp151.6.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for ncurses",
"Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0255-1",
"PkgName": "zypper",
"InstalledVersion": "1.14.30-lp151.2.3.1",
"FixedVersion": "1.14.33-lp151.2.10.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libsolv, libzypp, zypper",
"Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
"https://www.suse.com/support/security/rating/"
]
} }
] }
} },
] "Results": [
{
"Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
"Class": "os-pkgs",
"Type": "opensuse.leap",
"Vulnerabilities": [
{
"VulnerabilityID": "openSUSE-SU-2019:2596-1",
"PkgName": "cpio",
"InstalledVersion": "2.12-lp151.2.68",
"FixedVersion": "2.12-lp151.3.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for cpio",
"Description": "This update for cpio fixes the following issues:\n\n- CVE-2019-14866: Fixed an improper validation of the values written \n in the header of a TAR file through the to_oct() function which could \n have led to unexpected TAR generation (bsc#1155199).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00076.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0166-1",
"PkgName": "libcom_err2",
"InstalledVersion": "1.43.8-lp151.5.6.1",
"FixedVersion": "1.43.8-lp151.5.12.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for e2fsprogs",
"Description": "This update for e2fsprogs fixes the following issues:\n\n- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0022-1",
"PkgName": "libgcrypt20",
"InstalledVersion": "1.8.2-lp151.9.4.1",
"FixedVersion": "1.8.2-lp151.9.7.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libgcrypt",
"Description": "This update for libgcrypt fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).\n\nBug fixes:\n\n- Added CMAC AES self test (bsc#1155339).\n- Added CMAC TDES self test missing (bsc#1155338).\n- Fix test dsa-rfc6979 in FIPS mode.\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00018.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2611-1",
"PkgName": "libidn2-0",
"InstalledVersion": "2.0.4-lp151.2.3",
"FixedVersion": "2.2.0-lp151.3.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libidn2",
"Description": "This update for libidn2 to version 2.2.0 fixes the following issues:\n\n- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).\n- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2551-1",
"PkgName": "libncurses6",
"InstalledVersion": "6.1-lp151.5.41",
"FixedVersion": "6.1-lp151.6.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for ncurses",
"Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0062-1",
"PkgName": "libopenssl1_1",
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for openssl-1_1",
"Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0255-1",
"PkgName": "libsolv-tools",
"InstalledVersion": "0.7.6-lp151.2.3.2",
"FixedVersion": "0.7.10-lp151.2.10.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libsolv, libzypp, zypper",
"Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2689-1",
"PkgName": "libssh4",
"InstalledVersion": "0.8.7-lp151.2.3.1",
"FixedVersion": "0.8.7-lp151.2.6.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libssh",
"Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0102-1",
"PkgName": "libssh4",
"InstalledVersion": "0.8.7-lp151.2.3.1",
"FixedVersion": "0.8.7-lp151.2.9.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libssh",
"Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0208-1",
"PkgName": "libsystemd0",
"InstalledVersion": "234-lp151.26.4.1",
"FixedVersion": "234-lp151.26.7.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for systemd",
"Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n Fix a heap use-after-free vulnerability, when asynchronous\n Polkit queries were performed while handling Dbus messages. A local\n unprivileged attacker could have abused this flaw to crash systemd services or\n potentially execute code and elevate their privileges, by sending specially\n crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n * shell-completion: systemctl: do not list template units in {re,}start\n * shell-completion: systemctl: pass current word to all list_unit*\n * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n * bash-completion: systemctl: use systemctl --no-pager\n * bash-completion: also suggest template unit files\n * bash-completion: systemctl: add missing options and verbs\n * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n (bsc#1092920)\n \nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0208-1",
"PkgName": "libudev1",
"InstalledVersion": "234-lp151.26.4.1",
"FixedVersion": "234-lp151.26.7.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for systemd",
"Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n Fix a heap use-after-free vulnerability, when asynchronous\n Polkit queries were performed while handling Dbus messages. A local\n unprivileged attacker could have abused this flaw to crash systemd services or\n potentially execute code and elevate their privileges, by sending specially\n crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n * shell-completion: systemctl: do not list template units in {re,}start\n * shell-completion: systemctl: pass current word to all list_unit*\n * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n * bash-completion: systemctl: use systemctl --no-pager\n * bash-completion: also suggest template unit files\n * bash-completion: systemctl: add missing options and verbs\n * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n (bsc#1092920)\n \nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2612-1",
"PkgName": "libxml2-2",
"InstalledVersion": "2.9.7-lp151.5.3.1",
"FixedVersion": "2.9.7-lp151.5.6.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libxml2",
"Description": "This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect\nall CVEs that have been fixed over the past.\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "UNKNOWN",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00010.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0255-1",
"PkgName": "libzypp",
"InstalledVersion": "17.15.0-lp151.2.3.2",
"FixedVersion": "17.19.0-lp151.2.10.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libsolv, libzypp, zypper",
"Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2551-1",
"PkgName": "ncurses-utils",
"InstalledVersion": "6.1-lp151.5.41",
"FixedVersion": "6.1-lp151.6.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for ncurses",
"Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0062-1",
"PkgName": "openssl-1_1",
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for openssl-1_1",
"Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2672-1",
"PkgName": "permissions",
"InstalledVersion": "20181116-lp151.4.6.1",
"FixedVersion": "20181116-lp151.4.9.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for permissions",
"Description": "This update for permissions fixes the following issues:\n\n- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid\n which could have allowed a squid user to gain persistence by changing the \n binary (bsc#1093414).\n- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic \n links (bsc#1150734).\n- Fixed a regression which caused sagmentation fault (bsc#1157198).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00024.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2551-1",
"PkgName": "terminfo-base",
"InstalledVersion": "6.1-lp151.5.41",
"FixedVersion": "6.1-lp151.6.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for ncurses",
"Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0255-1",
"PkgName": "zypper",
"InstalledVersion": "1.14.30-lp151.2.3.1",
"FixedVersion": "1.14.33-lp151.2.10.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for libsolv, libzypp, zypper",
"Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
"https://www.suse.com/support/security/rating/"
]
}
]
}
]
}

62
integration/testdata/opensuse-leap-423.json.golden vendored
View File

@@ -1,7 +1,55 @@
[ {
{ "SchemaVersion": 2,
"Target": "testdata/fixtures/images/opensuse-leap-423.tar.gz (opensuse.leap 42.3)", "ArtifactName": "testdata/fixtures/images/opensuse-leap-423.tar.gz",
"Class": "os-pkgs", "ArtifactType": "container_image",
"Type": "opensuse.leap" "Metadata": {
} "OS": {
] "Family": "opensuse.leap",
"Name": "42.3",
"EOSL": true
},
"ImageID": "sha256:8e098189cc8dcb9cf52438dded1403b802a5822acb22e44db027705a146fef7a",
"DiffIDs": [
"sha256:55e4cf12579297bd6b98a41e0f22e56241508b5f697dcc43ab9a3d7c546acb3c"
],
"ImageConfig": {
"architecture": "amd64",
"author": "SUSE Containers Team \u003ccontainers@suse.com\u003e",
"created": "2019-08-13T08:49:10Z",
"history": [
{
"created": "2019-08-13T08:48:40.372298552Z",
"created_by": "umoci config"
},
{
"author": "SUSE Containers Team \u003ccontainers@suse.com\u003e",
"created": "2019-08-13T08:49:10.375196393Z",
"created_by": "umoci config",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:55e4cf12579297bd6b98a41e0f22e56241508b5f697dcc43ab9a3d7c546acb3c"
]
},
"config": {
"Cmd": [
"/bin/bash"
],
"Labels": {
"org.openbuildservice.disturl": "'obs://build.opensuse.org/Virtualization:containers:images:openSUSE-Leap-42.3/containers/e855437d458198eb2a8cf9d551fc66c3-openSUSE-Leap-42.3-container-image:docker'"
}
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/opensuse-leap-423.tar.gz (opensuse.leap 42.3)",
"Class": "os-pkgs",
"Type": "opensuse.leap"
}
]
}

1055
integration/testdata/oraclelinux-6-slim.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

5472
integration/testdata/oraclelinux-7-slim.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

3500
integration/testdata/oraclelinux-8-slim.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

1579
integration/testdata/photon-10.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

2237
integration/testdata/photon-20.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

1343
integration/testdata/photon-30.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

247
integration/testdata/pip.json.golden vendored
View File

@@ -1,121 +1,138 @@
[ {
{ "SchemaVersion": 2,
"Target": "requirements.txt", "ArtifactName": "testdata/fixtures/fs/pip",
"Class": "lang-pkgs", "ArtifactType": "filesystem",
"Type": "pip", "Metadata": {
"Vulnerabilities": [ "ImageConfig": {
{ "architecture": "",
"VulnerabilityID": "CVE-2019-14806", "created": "0001-01-01T00:00:00Z",
"PkgName": "Werkzeug", "os": "",
"InstalledVersion": "0.11", "rootfs": {
"FixedVersion": "0.15.3", "type": "",
"Layer": { "diff_ids": null
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19" },
}, "config": {}
"SeveritySource": "nvd", }
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806", },
"Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability", "Results": [
"Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.", {
"Severity": "HIGH", "Target": "requirements.txt",
"CweIDs": [ "Class": "lang-pkgs",
"CWE-331" "Type": "pip",
], "Vulnerabilities": [
"CVSS": { {
"nvd": { "VulnerabilityID": "CVE-2019-14806",
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "PkgName": "Werkzeug",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "InstalledVersion": "0.11",
"V2Score": 5, "FixedVersion": "0.15.3",
"V3Score": 7.5 "Layer": {
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
}, },
"redhat": { "SeveritySource": "nvd",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
"V3Score": 7.5 "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
} "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
}, "Severity": "HIGH",
"References": [ "CweIDs": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html", "CWE-331"
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html", ],
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806", "CVSS": {
"https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168", "nvd": {
"https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246", "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"https://nvd.nist.gov/vuln/detail/CVE-2019-14806", "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"https://palletsprojects.com/blog/werkzeug-0-15-3-released/" "V2Score": 5,
], "V3Score": 7.5
"PublishedDate": "2019-08-09T15:15:00Z", },
"LastModifiedDate": "2019-09-11T00:15:00Z" "redhat": {
}, "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
{ "V3Score": 7.5
"VulnerabilityID": "CVE-2016-10516", }
"PkgName": "Werkzeug",
"InstalledVersion": "0.11",
"FixedVersion": "0.11.11",
"Layer": {
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10516",
"Title": "python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py",
"Description": "Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 4.3,
"V3Score": 6.1
}, },
"redhat": { "References": [
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html",
"V3Score": 7.1 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html",
} "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806",
"https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168",
"https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246",
"https://nvd.nist.gov/vuln/detail/CVE-2019-14806",
"https://palletsprojects.com/blog/werkzeug-0-15-3-released/"
],
"PublishedDate": "2019-08-09T15:15:00Z",
"LastModifiedDate": "2019-09-11T00:15:00Z"
}, },
"References": [ {
"http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/", "VulnerabilityID": "CVE-2016-10516",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516", "PkgName": "Werkzeug",
"https://github.com/pallets/werkzeug/pull/1001", "InstalledVersion": "0.11",
"https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html", "FixedVersion": "0.11.11",
"https://usn.ubuntu.com/usn/usn-3463-1" "Layer": {
], "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
"PublishedDate": "2017-10-23T16:29:00Z", },
"LastModifiedDate": "2018-02-04T02:29:00Z" "SeveritySource": "nvd",
}, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10516",
{ "Title": "python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py",
"VulnerabilityID": "CVE-2020-28724", "Description": "Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.",
"PkgName": "Werkzeug", "Severity": "MEDIUM",
"InstalledVersion": "0.11", "CweIDs": [
"FixedVersion": "0.11.6", "CWE-79"
"Layer": { ],
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19" "CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 4.3,
"V3Score": 6.1
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"V3Score": 7.1
}
},
"References": [
"http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516",
"https://github.com/pallets/werkzeug/pull/1001",
"https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html",
"https://usn.ubuntu.com/usn/usn-3463-1"
],
"PublishedDate": "2017-10-23T16:29:00Z",
"LastModifiedDate": "2018-02-04T02:29:00Z"
}, },
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724", {
"Title": "Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724.", "VulnerabilityID": "CVE-2020-28724",
"Severity": "UNKNOWN" "PkgName": "Werkzeug",
}, "InstalledVersion": "0.11",
{ "FixedVersion": "0.11.6",
"VulnerabilityID": "pyup.io-26435", "Layer": {
"PkgName": "Werkzeug", "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
"InstalledVersion": "0.11", },
"FixedVersion": "0.12", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
"Layer": { "Title": "Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724.",
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19" "Severity": "UNKNOWN"
}, },
"Title": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.", {
"Severity": "UNKNOWN" "VulnerabilityID": "pyup.io-26435",
}, "PkgName": "Werkzeug",
{ "InstalledVersion": "0.11",
"VulnerabilityID": "pyup.io-36967", "FixedVersion": "0.12",
"PkgName": "Werkzeug", "Layer": {
"InstalledVersion": "0.11", "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
"FixedVersion": "0.15.0", },
"Layer": { "Title": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.",
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19" "Severity": "UNKNOWN"
}, },
"Title": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.", {
"Severity": "UNKNOWN" "VulnerabilityID": "pyup.io-36967",
} "PkgName": "Werkzeug",
] "InstalledVersion": "0.11",
} "FixedVersion": "0.15.0",
] "Layer": {
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
},
"Title": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.",
"Severity": "UNKNOWN"
}
]
}
]
}

51280
integration/testdata/ubi-7.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

13899
integration/testdata/ubuntu-1604.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

1711
integration/testdata/ubuntu-1804-ignore-unfixed.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

6291
integration/testdata/ubuntu-1804.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

13
pkg/report/json.go
View File

@@ -4,11 +4,8 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"io" "io"
"os"
"golang.org/x/xerrors" "golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/log"
) )
// JSONWriter implements result Writer // JSONWriter implements result Writer
@@ -18,15 +15,7 @@ type JSONWriter struct {
// Write writes the results in JSON format // Write writes the results in JSON format
func (jw JSONWriter) Write(report Report) error { func (jw JSONWriter) Write(report Report) error {
var v interface{} = report output, err := json.MarshalIndent(report, "", " ")
if os.Getenv("TRIVY_NEW_JSON_SCHEMA") == "" {
// After migrating to the new JSON schema, TRIVY_NEW_JSON_SCHEMA will be removed.
log.Logger.Warnf("DEPRECATED: the current JSON schema is deprecated, check %s for more information.",
"https://github.com/aquasecurity/trivy/discussions/1050")
v = report.Results
}
output, err := json.MarshalIndent(v, "", " ")
if err != nil { if err != nil {
return xerrors.Errorf("failed to marshal json: %w", err) return xerrors.Errorf("failed to marshal json: %w", err)
} }

44
pkg/report/json_test.go
View File

@@ -16,7 +16,7 @@ func TestReportWriter_JSON(t *testing.T) {
testCases := []struct { testCases := []struct {
name string name string
detectedVulns []types.DetectedVulnerability detectedVulns []types.DetectedVulnerability
expectedJSON report.Results want report.Report
}{ }{
{ {
name: "happy path", name: "happy path",
@@ -34,20 +34,24 @@ func TestReportWriter_JSON(t *testing.T) {
}, },
}, },
}, },
expectedJSON: report.Results{ want: report.Report{
report.Result{ SchemaVersion: 2,
Target: "foojson", ArtifactName: "alpine:3.14",
Vulnerabilities: []types.DetectedVulnerability{ Results: report.Results{
{ report.Result{
VulnerabilityID: "CVE-2020-0001", Target: "foojson",
PkgName: "foo", Vulnerabilities: []types.DetectedVulnerability{
InstalledVersion: "1.2.3", {
FixedVersion: "3.4.5", VulnerabilityID: "CVE-2020-0001",
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2020-0001", PkgName: "foo",
Vulnerability: dbTypes.Vulnerability{ InstalledVersion: "1.2.3",
Title: "foobar", FixedVersion: "3.4.5",
Description: "baz", PrimaryURL: "https://avd.aquasec.com/nvd/cve-2020-0001",
Severity: "HIGH", Vulnerability: dbTypes.Vulnerability{
Title: "foobar",
Description: "baz",
Severity: "HIGH",
},
}, },
}, },
}, },
@@ -63,6 +67,8 @@ func TestReportWriter_JSON(t *testing.T) {
jw.Output = &jsonWritten jw.Output = &jsonWritten
inputResults := report.Report{ inputResults := report.Report{
SchemaVersion: 2,
ArtifactName: "alpine:3.14",
Results: report.Results{ Results: report.Results{
{ {
Target: "foojson", Target: "foojson",
@@ -77,11 +83,11 @@ func TestReportWriter_JSON(t *testing.T) {
}) })
assert.NoError(t, err) assert.NoError(t, err)
writtenResults := report.Results{} var got report.Report
err = json.Unmarshal([]byte(jsonWritten.String()), &writtenResults) err = json.Unmarshal(jsonWritten.Bytes(), &got)
assert.NoError(t, err, "invalid json written", tc.name) assert.NoError(t, err, "invalid json written")
assert.Equal(t, tc.expectedJSON, writtenResults, tc.name) assert.Equal(t, tc.want, got, tc.name)
}) })
} }
} }

12
pkg/rpc/convert.go
View File

@@ -372,6 +372,7 @@ func ConvertToRPCOS(fos *ftypes.OS) *common.OS {
return &common.OS{ return &common.OS{
Family: fos.Family, Family: fos.Family,
Name: fos.Name, Name: fos.Name,
Eosl: fos.Eosl,
} }
} }
@@ -476,14 +477,7 @@ func ConvertToMissingBlobsRequest(imageID string, layerIDs []string) *cache.Miss
} }
// ConvertToRPCScanResponse converts report.Result to ScanResponse // ConvertToRPCScanResponse converts report.Result to ScanResponse
func ConvertToRPCScanResponse(results report.Results, os *ftypes.OS) *scanner.ScanResponse { func ConvertToRPCScanResponse(results report.Results, fos *ftypes.OS) *scanner.ScanResponse {
rpcOS := &common.OS{}
if os != nil {
rpcOS.Family = os.Family
rpcOS.Name = os.Name
rpcOS.Eosl = os.Eosl
}
var rpcResults []*scanner.Result var rpcResults []*scanner.Result
for _, result := range results { for _, result := range results {
rpcResults = append(rpcResults, &scanner.Result{ rpcResults = append(rpcResults, &scanner.Result{
@@ -497,7 +491,7 @@ func ConvertToRPCScanResponse(results report.Results, os *ftypes.OS) *scanner.Sc
} }
return &scanner.ScanResponse{ return &scanner.ScanResponse{
Os: rpcOS, Os: ConvertToRPCOS(fos),
Results: rpcResults, Results: rpcResults,
} }
} }