feat(report): add fingerprint generation for vulnerabilities (#9794)

Signed-off-by: knqyf263 <knqyf263@gmail.com>

integration/client_server_test.go

@@ -333,7 +333,7 @@ func TestClientServer(t *testing.T) {
 			}
 
 			runTest(t, osArgs, tt.golden, types.FormatJSON, runOptions{
-				override: overrideFuncs(overrideUID, tt.override),
+				override: overrideFuncs(overrideUID, overrideFingerprint, tt.override),
 				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
 			})
 		})

integration/docker_engine_test.go

@@ -283,7 +283,7 @@ func TestDockerEngine(t *testing.T) {
 				wantErr:  tt.wantErr,
 				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
 				// Image config fields were removed
-				override: overrideFuncs(overrideUID, overrideDockerRemovedFields, func(t *testing.T, want, got *types.Report) {
+				override: overrideFuncs(overrideUID, overrideFingerprint, overrideDockerRemovedFields, func(t *testing.T, want, got *types.Report) {
 					// Override ArtifactName to match the archive file path
 					got.ArtifactName = tt.input
 

integration/integration_test.go

@@ -498,6 +498,25 @@ func overrideUID(t *testing.T, want, got *types.Report) {
 	}
 }
 
+// overrideFingerprint only checks for the presence of the fingerprint and clears it;
+// the fingerprint is calculated from artifactID, target, pkgID, and vulnerabilityID,
+// but may not match as the artifactID can vary depending on the scanning context.
+func overrideFingerprint(t *testing.T, want, got *types.Report) {
+	for i, result := range got.Results {
+		for j, vuln := range result.Vulnerabilities {
+			assert.NotEmptyf(t, vuln.Fingerprint, "Fingerprint is empty: %s", vuln.VulnerabilityID)
+			assert.Lenf(t, vuln.Fingerprint, 71, "Fingerprint should be 71 characters (sha256: + 64 hex chars): %s", vuln.VulnerabilityID)
+			// Do not compare Fingerprint as the artifactID varies between tests
+			got.Results[i].Vulnerabilities[j].Fingerprint = ""
+		}
+	}
+	for i, result := range want.Results {
+		for j := range result.Vulnerabilities {
+			want.Results[i].Vulnerabilities[j].Fingerprint = ""
+		}
+	}
+}
+
 // overrideDockerRemovedFields clears image config fields that were removed from Docker API
 // cf. https://github.com/moby/moby/blob/d0ad1357a141c795e1e0490e3fed00ddabcb91b9/docs/api/version-history.md
 func overrideDockerRemovedFields(_ *testing.T, want, got *types.Report) {

integration/registry_test.go

@@ -250,7 +250,7 @@ func TestRegistry(t *testing.T) {
 			runTest(t, osArgs, tt.golden, types.FormatJSON, runOptions{
 				wantErr:  tt.wantErr,
 				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
-				override: overrideFuncs(overrideUID, func(t *testing.T, want, got *types.Report) {
+				override: overrideFuncs(overrideUID, overrideFingerprint, func(t *testing.T, want, got *types.Report) {
 					// Exclude ArtifactID from comparison because registry tests use random ports
 					// (e.g., localhost:54321/alpine:3.10), which causes RepoTags and the calculated
 					// Artifact ID to vary on each test run.

integration/sbom_test.go

@@ -243,7 +243,7 @@ func TestSBOMEquivalence(t *testing.T) {
 
 			// Run "trivy sbom"
 			runTest(t, osArgs, tt.golden, types.Format(tt.args.format), runOptions{
-				override: overrideFuncs(overrideSBOMReport, overrideUID, tt.override),
+				override: overrideFuncs(overrideSBOMReport, overrideUID, overrideFingerprint, tt.override),
 				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
 			})
 		})

integration/standalone_tar_test.go

@@ -506,7 +506,7 @@ func TestTarWithOverride(t *testing.T) {
 			// Run Trivy
 			runTest(t, osArgs, tt.golden, types.FormatJSON, runOptions{
 				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
-				override: overrideFuncs(overrideUID, tt.override),
+				override: overrideFuncs(overrideUID, overrideFingerprint, tt.override),
 			})
 		})
 	}

integration/testdata/almalinux-8.json.golden

@@ -88,6 +88,7 @@
             "Name": "AlmaLinux Product Errata",
             "URL": "https://errata.almalinux.org/"
           },
+          "Fingerprint": "sha256:423564f47df066642faca6be8d949f2e201e2578173845e6ee2673ecf9229861",
           "Title": "openssl: Read buffer overruns processing ASN.1 strings",
           "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
           "Severity": "MEDIUM",

integration/testdata/alpine-310.json.golden

@@ -90,6 +90,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:6843bc8bcd09d2629416906fb83f17f31dde9a2702183571f9d447c3185814ca",
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -163,6 +164,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:692932c929e26ea1116ebcaf2ca427771924d31272883401dedb3381d825063a",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
@@ -246,6 +248,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:70c608adcc518d4c4bd9a183e0181da83ba22ba8b0d3a462573a72c8e6ad7362",
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -319,6 +322,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:7327b4ce6851d27db6528dfec9b6ea312143eb7e77e1f7ada4f567a64e567663",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",

integration/testdata/alpine-39-high-critical.json.golden

@@ -90,6 +90,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:294b2f8c416dd7b50971286b95e1f2685d7daf3c18957237fa7dc666178b6183",
           "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
           "Severity": "CRITICAL",
           "CweIDs": [
@@ -136,6 +137,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:fae2ab3e458f1237c8202860ac513a204cdc999c3283eba49665d0f1b3b79856",
           "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
           "Severity": "CRITICAL",
           "CweIDs": [

integration/testdata/alpine-39-ignore-cveids.json.golden

@@ -90,6 +90,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:3dee09788d3e7607e0f6e4be151b5588fd339556441786d03efe99d73f92ada3",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
@@ -173,6 +174,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:ddf71a0dc7fcaa5777046af6e5c12587fe24223e5ef5c6b020047b5e7297c041",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",

integration/testdata/alpine-39.json.golden

@@ -90,6 +90,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:04e4bf2b8440c9c264b01802ec2f574e5aa5d3a9494a8910b51f0e2ff332d0ed",
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -163,6 +164,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:3dee09788d3e7607e0f6e4be151b5588fd339556441786d03efe99d73f92ada3",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
@@ -246,6 +248,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:5f8a6a0ec0df8088bbbeb7b5e4e8d495a5801ee295223c3493cb06de2baaaf2e",
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -319,6 +322,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:ddf71a0dc7fcaa5777046af6e5c12587fe24223e5ef5c6b020047b5e7297c041",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
@@ -402,6 +406,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:294b2f8c416dd7b50971286b95e1f2685d7daf3c18957237fa7dc666178b6183",
           "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
           "Severity": "CRITICAL",
           "CweIDs": [
@@ -448,6 +453,7 @@
             "Name": "Alpine Secdb",
             "URL": "https://secdb.alpinelinux.org/"
           },
+          "Fingerprint": "sha256:fae2ab3e458f1237c8202860ac513a204cdc999c3283eba49665d0f1b3b79856",
           "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
           "Severity": "CRITICAL",
           "CweIDs": [

integration/testdata/alpine-distroless.json.golden

@@ -79,6 +79,7 @@
             "DiffID": "sha256:89da7cc836da4b53ab1ceb572576458c005e7e444b8bb79abda196668a2f0c92"
           },
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24765",
+          "Fingerprint": "sha256:07e9315f491c021347b65547ff629f3f2e8179f1b8ff646070390c4919e1a837",
           "Title": "Git for Windows is a fork of Git containing Windows-specific patches.  ...",
           "Description": "Git for Windows is a fork of Git containing Windows-specific patches.",
           "Severity": "MEDIUM",

integration/testdata/amazon-1.json.golden

@@ -89,6 +89,7 @@
             "Name": "Amazon Linux Security Center",
             "URL": "https://alas.aws.amazon.com/"
           },
+          "Fingerprint": "sha256:6d5df637f78490e5091381186a322db8c42a7018fb2cfae27aaa084906e65f02",
           "Title": "curl: double free due to subsequent call of realloc()",
           "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
           "Severity": "MEDIUM",

integration/testdata/amazon-2.json.golden

@@ -89,6 +89,7 @@
             "Name": "Amazon Linux Security Center",
             "URL": "https://alas.aws.amazon.com/"
           },
+          "Fingerprint": "sha256:4b87e2eef59ac046b40959211c0a4c52437e121ee2fedb34552c3bbf5ae51842",
           "Title": "curl: double free due to subsequent call of realloc()",
           "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
           "Severity": "MEDIUM",
@@ -161,6 +162,7 @@
             "Name": "Amazon Linux Security Center",
             "URL": "https://alas.aws.amazon.com/"
           },
+          "Fingerprint": "sha256:b489925a382f52a2f2e1a58e0e68b1c78ada14ccc2927003d2ac6de327d3aa31",
           "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
           "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
           "Severity": "LOW",

integration/testdata/bun.json.golden

@@ -62,6 +62,7 @@
             "Name": "GitHub Security Advisory Npm",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
           },
+          "Fingerprint": "sha256:b7d2e6c655945265efa1caa0b5aaab246390ffc7e2f64938c9e0a6c21d69b6b6",
           "Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
           "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
           "Severity": "MEDIUM",

integration/testdata/busybox-with-lockfile.json.golden

@@ -93,6 +93,7 @@
             "Name": "RustSec Advisory Database",
             "URL": "https://github.com/RustSec/advisory-db"
           },
+          "Fingerprint": "sha256:bfae72d3823b3bfdea9a6be46c5615a187df54835c8d0884e4e228be9ccea9df",
           "Title": "Uncontrolled recursion leads to abort in HTML serialization",
           "Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
           "Severity": "HIGH",
@@ -139,6 +140,7 @@
             "Name": "RustSec Advisory Database",
             "URL": "https://github.com/RustSec/advisory-db"
           },
+          "Fingerprint": "sha256:88b962523a98404a7807da75a3d208735778884a634ea21067683084a258c0bc",
           "Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS",
           "Description": "An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.",
           "Severity": "MEDIUM",

integration/testdata/centos-6.json.golden

@@ -105,6 +105,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-29573",
+          "Fingerprint": "sha256:62a496897de8943df9f21f55ef389d695bc52f72b4f61228527e732c6aeecf32",
           "Title": "glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern",
           "Description": "sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of \"Fixed for glibc 2.33\" in the 26649 reference.",
           "Severity": "MEDIUM",
@@ -163,6 +164,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1559",
+          "Fingerprint": "sha256:b78bc648b47d435c3e7a2edeb44addc0e2919d0607b86c4348291c6fc5eceb4e",
           "Title": "openssl: 0-byte record padding oracle",
           "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
           "Severity": "MEDIUM",

integration/testdata/centos-7-ignore-unfixed.json.golden

@@ -99,6 +99,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1559",
+          "Fingerprint": "sha256:638871deb7cddea2771313ab3cff2b012e60f6c4346567d35bd9ceee1d9226c3",
           "Title": "openssl: 0-byte record padding oracle",
           "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
           "Severity": "MEDIUM",
@@ -193,6 +194,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-0734",
+          "Fingerprint": "sha256:73f7b1753e4dcaa7edff2d6f81e8373c85c2be4c1e1c5b04e8f56d1811c0aa1c",
           "Title": "openssl: timing side channel attack in the DSA signature algorithm",
           "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
           "Severity": "LOW",

integration/testdata/centos-7-medium.json.golden

@@ -99,6 +99,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1559",
+          "Fingerprint": "sha256:638871deb7cddea2771313ab3cff2b012e60f6c4346567d35bd9ceee1d9226c3",
           "Title": "openssl: 0-byte record padding oracle",
           "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
           "Severity": "MEDIUM",

integration/testdata/centos-7.json.golden

@@ -95,6 +95,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
+          "Fingerprint": "sha256:df06395185e8c9e2e8c36ae96ab18505e0b22b76734cae6322207b8aebe57b7d",
           "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
           "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
           "Severity": "LOW",
@@ -157,6 +158,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1559",
+          "Fingerprint": "sha256:638871deb7cddea2771313ab3cff2b012e60f6c4346567d35bd9ceee1d9226c3",
           "Title": "openssl: 0-byte record padding oracle",
           "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
           "Severity": "MEDIUM",
@@ -251,6 +253,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-0734",
+          "Fingerprint": "sha256:73f7b1753e4dcaa7edff2d6f81e8373c85c2be4c1e1c5b04e8f56d1811c0aa1c",
           "Title": "openssl: timing side channel attack in the DSA signature algorithm",
           "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
           "Severity": "LOW",

integration/testdata/cocoapods.json.golden

@@ -33,6 +33,7 @@
           "FixedVersion": "2.29.1, 2.39.1, 2.42.0",
           "Status": "fixed",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3215",
+          "Fingerprint": "sha256:21aa7836213a6a8eb3937e503b3b0cba4c68648574a148349574f22c1fdd9c0a",
           "Title": "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
           "Description": "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack...",
           "Severity": "MEDIUM",

integration/testdata/composer.lock.json.golden

@@ -72,6 +72,7 @@
             "Name": "GitHub Security Advisory Composer",
             "URL": "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
           },
+          "Fingerprint": "sha256:59ce4eb8bdfe3bbdf3187ec7d5fd51beb0ce398c8377a3be0d811b002df8ec0b",
           "Title": "Improper Input Validation in guzzlehttp/psr7",
           "Description": "### Impact\nIn proper header parsing. An attacker could sneak in a new line character and pass untrusted values. \n\n### Patches\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\nThere are no known workarounds.\n",
           "Severity": "HIGH",

integration/testdata/composer.vendor.json.golden

@@ -88,6 +88,7 @@
             "Name": "GitHub Security Advisory Composer",
             "URL": "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
           },
+          "Fingerprint": "sha256:b6d44694486405fbbfd232d7722681bc06d79a81a79a2da11b5bc01364aa84fb",
           "Title": "Improper Input Validation in guzzlehttp/psr7",
           "Description": "### Impact\nIn proper header parsing. An attacker could sneak in a new line character and pass untrusted values. \n\n### Patches\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\nThere are no known workarounds.\n",
           "Severity": "HIGH",

integration/testdata/conan.json.golden

@@ -154,6 +154,7 @@
           "Status": "fixed",
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-14155",
+          "Fingerprint": "sha256:5169c33c7fbcb3f6d281b9c8d4b4ffe49a7d7b79c52e1810f35353d1bcc79f26",
           "Title": "pcre: Integer overflow when parsing callout numeric arguments",
           "Description": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.",
           "Severity": "MEDIUM",

integration/testdata/debian-buster-ignore-unfixed.json.golden

@@ -92,6 +92,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:96ec45ab3d0cc9ab034c0ce21ce0bf7692ea49979b4844ab9e97a7e5db629fd4",
           "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
           "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
           "Severity": "CRITICAL",

integration/testdata/debian-buster.json.golden

@@ -88,6 +88,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:cafe98610a3a511390be596c1d90dc529b57bb1159885872be88e33a85bb2a15",
           "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
           "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
           "Severity": "LOW",
@@ -156,6 +157,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:96ec45ab3d0cc9ab034c0ce21ce0bf7692ea49979b4844ab9e97a7e5db629fd4",
           "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
           "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
           "Severity": "CRITICAL",

integration/testdata/debian-stretch.json.golden

@@ -88,6 +88,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:9adeadcf67c2ffed3f4c77a699667e96cdd0f638621e4568a0b7f369542b7ac9",
           "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
           "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
           "Severity": "LOW",
@@ -156,6 +157,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:b04aa895da3f042ac6507dc4f0d156f9531360f187d074e96880eda78471c3af",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",
@@ -230,6 +232,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:477209bbac3b7f0ec8eea382a6778a9f14448185bf37500315bf47dfd1c2d619",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",
@@ -304,6 +307,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:4013e70d72539f72c0bb62e9d041adea27f65ba5e3a6740f9b2522cac9fa7c5a",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",
@@ -378,6 +382,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:cbb54b0273c282fd61899d8d6ed57065a8815e6856e1dc72f02362a4a985fc12",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",

integration/testdata/distroless-base.json.golden

@@ -91,6 +91,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:988273935622ab69d9fc3f6ec47784680e2c038a9f43c7256bc7ae9533fee128",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
@@ -177,6 +178,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:0fd47b00a9b5903c69e544845f4c525af5c9aad5fee07976949c8091607b3029",
           "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
           "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
           "Severity": "LOW",
@@ -267,6 +269,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:322d845429d01a4d5c814cf25fdc290de542001c5d71eb8aedd7056ba0c7a00c",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
@@ -353,6 +356,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:731634fea1bbf46b1bf7da40f0bfd9fae4c4ec2bebc48a32172a42c78ad0eb53",
           "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
           "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
           "Severity": "LOW",

integration/testdata/distroless-python27.json.golden

@@ -118,6 +118,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:621cf3bfcafb7e4e0e8a6d4e46b56e4ccf7e55c5383cb1a7eaaa179776acfbbc",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
@@ -204,6 +205,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:43cbe4454d144da8fe2039fe6c6eafb8348fe278401934232f989393107473a2",
           "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
           "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
           "Severity": "LOW",
@@ -294,6 +296,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:26e7213b994b38ec9b2b1208220057c5a93c2d0eef0f175f8c275d2fdbe7563b",
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
           "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
@@ -380,6 +383,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:d819fbc64a73608da70e6b6fa147954c1325f34448c10e7df60efef770dbcb08",
           "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
           "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
           "Severity": "LOW",

integration/testdata/dotnet.json.golden

@@ -61,6 +61,7 @@
             "Name": "GitHub Security Advisory Nuget",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget"
           },
+          "Fingerprint": "sha256:d64b86877361f584534af31e69d7974ef7da7fdebbc024fef7d2fcc8a0b90a1a",
           "Title": "Improper Handling of Exceptional Conditions in Newtonsoft.Json",
           "Description": "Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage.",
           "Severity": "HIGH",

integration/testdata/fluentd-gems.json.golden

@@ -170,6 +170,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:45d3cfb43101cb3984ae8671cc6104e42b47a8ec1fa9c320295df4c661c708cc",
           "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
           "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
           "Severity": "CRITICAL",
@@ -242,6 +243,7 @@
             "Name": "GitHub Security Advisory RubyGems",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Arubygems"
           },
+          "Fingerprint": "sha256:0bf18943adff42d16e0d020edb1c408ccf61081e1cea6476005dd1018102d24a",
           "Title": "rubygem-activesupport: potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore",
           "Description": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.",
           "Severity": "HIGH",

integration/testdata/fluentd-multiple-lockfiles.json.golden

@@ -47,6 +47,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:34e0d0620913b03c4e279d15e6afe937d836fbec36ae505ac3e32418cdcf32b3",
           "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
           "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
           "Severity": "LOW",
@@ -116,6 +117,7 @@
             "Name": "Debian Security Tracker",
             "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
           },
+          "Fingerprint": "sha256:be3b0333e02ee8f2a565ebd4dfe0f73e215072536d5791d989f98c511c5bd336",
           "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
           "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
           "Severity": "CRITICAL",
@@ -190,6 +192,7 @@
             "Name": "GitHub Security Advisory RubyGems",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Arubygems"
           },
+          "Fingerprint": "sha256:6af93df86a454ee80626db94b3fc0d8af052f5c9ca10406bf0fdc9515255df92",
           "Title": "rubygem-activesupport: potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore",
           "Description": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.",
           "Severity": "HIGH",

integration/testdata/gomod-skip.json.golden

@@ -26,6 +26,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:64b5011ff630ca20a45001519f1ab3614d52a70f8c635f5b443d8e7b559bf8e7",
           "Title": "OCI Manifest Type Confusion Issue",
           "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
           "Severity": "UNKNOWN",
@@ -54,6 +55,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:a654f7b9edfe2608ebc91a0f5eb3fd7053cd26e0a89941b89f4b6290492884b8",
           "Title": "Incorrect Calculation",
           "Description": "OPA is an open source, general-purpose policy engine. Under certain conditions, pretty-printing an abstract syntax tree (AST) that contains synthetic nodes could change the logic of some statements by reordering array literals. Example of policies impacted are those that parse and compare web paths. **All of these** three conditions have to be met to create an adverse effect: 1. An AST of Rego had to be **created programmatically** such that it ends up containing terms without a location (such as wildcard variables). 2. The AST had to be **pretty-printed** using the `github.com/open-policy-agent/opa/format` package. 3. The result of the pretty-printing had to be **parsed and evaluated again** via an OPA instance using the bundles, or the Golang packages. If any of these three conditions are not met, you are not affected. Notably, all three would be true if using **optimized bundles**, i.e. bundles created with `opa build -O=1` or higher. In that case, the optimizer would fulfil condition (1.), the result of that would be pretty-printed when writing the bundle to disk, fulfilling (2.). When the bundle was then used, we'd satisfy (3.). As a workaround users may disable optimization when creating bundles.",
           "Severity": "MEDIUM",
@@ -99,6 +101,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:a07e93bf36df24f3dabb58febefbf2977347f381a8ea8350457425f679943800",
           "Description": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
           "Severity": "UNKNOWN",
           "References": [
@@ -130,6 +133,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:0a441ad53c8c37db9775897e0a2fb656b45e52c36018df47cdc3c5ffecee5bd8",
           "Title": "OCI Manifest Type Confusion Issue",
           "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
           "Severity": "UNKNOWN",

integration/testdata/gomod-vex.json.golden

@@ -26,6 +26,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:64b5011ff630ca20a45001519f1ab3614d52a70f8c635f5b443d8e7b559bf8e7",
           "Title": "OCI Manifest Type Confusion Issue",
           "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
           "Severity": "UNKNOWN",
@@ -53,6 +54,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:a07e93bf36df24f3dabb58febefbf2977347f381a8ea8350457425f679943800",
           "Description": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
           "Severity": "UNKNOWN",
           "References": [
@@ -84,6 +86,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:0a441ad53c8c37db9775897e0a2fb656b45e52c36018df47cdc3c5ffecee5bd8",
           "Title": "OCI Manifest Type Confusion Issue",
           "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
           "Severity": "UNKNOWN",
@@ -117,6 +120,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:c7b56b9d670deeed8f902fefcfb8897991e363b00e41393fa1733e9d50d44900",
           "Title": "OCI Manifest Type Confusion Issue",
           "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
           "Severity": "UNKNOWN",

integration/testdata/gomod.json.golden

@@ -26,6 +26,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:64b5011ff630ca20a45001519f1ab3614d52a70f8c635f5b443d8e7b559bf8e7",
           "Title": "OCI Manifest Type Confusion Issue",
           "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
           "Severity": "UNKNOWN",
@@ -54,6 +55,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:a654f7b9edfe2608ebc91a0f5eb3fd7053cd26e0a89941b89f4b6290492884b8",
           "Title": "Incorrect Calculation",
           "Description": "OPA is an open source, general-purpose policy engine. Under certain conditions, pretty-printing an abstract syntax tree (AST) that contains synthetic nodes could change the logic of some statements by reordering array literals. Example of policies impacted are those that parse and compare web paths. **All of these** three conditions have to be met to create an adverse effect: 1. An AST of Rego had to be **created programmatically** such that it ends up containing terms without a location (such as wildcard variables). 2. The AST had to be **pretty-printed** using the `github.com/open-policy-agent/opa/format` package. 3. The result of the pretty-printing had to be **parsed and evaluated again** via an OPA instance using the bundles, or the Golang packages. If any of these three conditions are not met, you are not affected. Notably, all three would be true if using **optimized bundles**, i.e. bundles created with `opa build -O=1` or higher. In that case, the optimizer would fulfil condition (1.), the result of that would be pretty-printed when writing the bundle to disk, fulfilling (2.). When the bundle was then used, we'd satisfy (3.). As a workaround users may disable optimization when creating bundles.",
           "Severity": "MEDIUM",
@@ -99,6 +101,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:a07e93bf36df24f3dabb58febefbf2977347f381a8ea8350457425f679943800",
           "Description": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
           "Severity": "UNKNOWN",
           "References": [
@@ -130,6 +133,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:0a441ad53c8c37db9775897e0a2fb656b45e52c36018df47cdc3c5ffecee5bd8",
           "Title": "OCI Manifest Type Confusion Issue",
           "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
           "Severity": "UNKNOWN",
@@ -163,6 +167,7 @@
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
+          "Fingerprint": "sha256:c7b56b9d670deeed8f902fefcfb8897991e363b00e41393fa1733e9d50d44900",
           "Title": "OCI Manifest Type Confusion Issue",
           "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
           "Severity": "UNKNOWN",

integration/testdata/gradle.json.golden

@@ -28,6 +28,7 @@
             "Name": "GitHub Security Advisory Maven",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
           },
+          "Fingerprint": "sha256:cdb3d2e8310a150c61839c59650fbd98a5b07d4b1725cf7544b9f47e11dcca92",
           "Title": "jackson-databind: Serialization gadgets in anteros-core",
           "Description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
           "Severity": "CRITICAL",
@@ -93,6 +94,7 @@
             "Name": "GitLab Advisory Database Community",
             "URL": "https://gitlab.com/gitlab-org/advisories-community"
           },
+          "Fingerprint": "sha256:db114c2fd4b8fd2872a737aa11bb5347f570c90793aeb00940421a514cfca41a",
           "Title": "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing",
           "Description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
           "Severity": "HIGH",

integration/testdata/mariner-1.0.json.golden

@@ -72,6 +72,7 @@
             "Name": "CBL-Mariner Vulnerability Data",
             "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
           },
+          "Fingerprint": "sha256:734110094f55c15456105c9c03b2a591208a8675c5f37f89e1ee1ac67feb639f",
           "Title": "CVE-2022-0261 affecting package vim 8.2.4081",
           "Description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
           "Severity": "HIGH",
@@ -110,6 +111,7 @@
             "Name": "CBL-Mariner Vulnerability Data",
             "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
           },
+          "Fingerprint": "sha256:82a2bac425b237b1470e50583c70c71974812e56d734774897201c0a80256d82",
           "Title": "vim: heap-based read buffer overflow in compile_get_env()",
           "Description": "vim is vulnerable to Heap-based Buffer Overflow",
           "Severity": "LOW",

integration/testdata/minikube-kbom.json.golden

@@ -40,6 +40,7 @@
             "Name": "Official Kubernetes CVE Feed",
             "URL": "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"
           },
+          "Fingerprint": "sha256:65f2ed2ea3842a48189cbecd06b84ffa5b0eefc79e81032dcf99ce4e8d9fde46",
           "Title": "Bypass of seccomp profile enforcement ",
           "Description": "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement...",
           "Severity": "LOW",

integration/testdata/mix.lock.json.golden

@@ -180,6 +180,7 @@
             "Name": "GitHub Security Advisory Erlang",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Aerlang"
           },
+          "Fingerprint": "sha256:1bb1e08039e33e804cc2999cb56244081c7a90c486e8337344d4f0263f1c28dc",
           "Title": "Phoenix before 1.6.14 mishandles check_origin wildcarding",
           "Description": "socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.",
           "Severity": "HIGH",

integration/testdata/npm-ubuntu-severity.json.golden

@@ -28,6 +28,7 @@
             "Name": "GitHub Security Advisory Npm",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
           },
+          "Fingerprint": "sha256:3952ef90d8606b4067901c413142af693504f820972f5b017a6fdb627ba56af0",
           "Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
           "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
           "Severity": "LOW",

integration/testdata/npm-with-dev.json.golden

@@ -269,6 +269,7 @@
             "Name": "GitHub Security Advisory Npm",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
           },
+          "Fingerprint": "sha256:3952ef90d8606b4067901c413142af693504f820972f5b017a6fdb627ba56af0",
           "Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
           "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
           "Severity": "MEDIUM",

integration/testdata/npm.json.golden

@@ -250,6 +250,7 @@
             "Name": "GitHub Security Advisory Npm",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
           },
+          "Fingerprint": "sha256:3952ef90d8606b4067901c413142af693504f820972f5b017a6fdb627ba56af0",
           "Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
           "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
           "Severity": "MEDIUM",

integration/testdata/nuget.json.golden

@@ -65,6 +65,7 @@
             "Name": "GitHub Security Advisory Nuget",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget"
           },
+          "Fingerprint": "sha256:dbba4d559d9826c440ebd1085313e0499718066bb7ea694fcd20ff8d63c51310",
           "Title": "Improper Handling of Exceptional Conditions in Newtonsoft.Json",
           "Description": "Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage.",
           "Severity": "HIGH",

integration/testdata/opensuse-leap-151.json.golden

@@ -97,6 +97,7 @@
             "Name": "SUSE CVRF",
             "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
           },
+          "Fingerprint": "sha256:20fab639050347334f826ff7d076eb534ae2291198f36c46914e3291f2e60320",
           "Title": "Security update for openssl-1_1",
           "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
           "Severity": "MEDIUM",
@@ -130,6 +131,7 @@
             "Name": "SUSE CVRF",
             "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
           },
+          "Fingerprint": "sha256:af7aebe9d7dd2e4d00a9495e5417b647dba0aac27bb49fdf9bc86f76fab8273d",
           "Title": "Security update for openssl-1_1",
           "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
           "Severity": "MEDIUM",

integration/testdata/opensuse-tumbleweed.json.golden

@@ -93,6 +93,7 @@
             "Digest": "sha256:427d16a14c45614f51357aeebee0dfe209a1cebfc044b3b724b6ea35663b3111",
             "DiffID": "sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
           },
+          "Fingerprint": "sha256:a2b4e178fa87fb6e4f6f965e69b0b1134812d02f62acc2fc5bfc6cfaed68b9f7",
           "Title": "libopenssl-3-devel-3.1.1-3.1 on GA media",
           "Description": "These are all security issues fixed in the libopenssl-3-devel-3.1.1-3.1 package on the GA media of openSUSE Tumbleweed.",
           "Severity": "MEDIUM",

integration/testdata/oraclelinux-8.json.golden

@@ -98,6 +98,7 @@
             "Name": "Oracle Linux OVAL definitions",
             "URL": "https://linux.oracle.com/security/oval/"
           },
+          "Fingerprint": "sha256:6b218febe29fe60b77e69f6473825cf7d94ac09603d635af21b281a08b0dc1b0",
           "Title": "curl: SMTP end-of-response out-of-bounds read",
           "Description": "libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.",
           "Severity": "MEDIUM",
@@ -169,6 +170,7 @@
             "Name": "Oracle Linux OVAL definitions",
             "URL": "https://linux.oracle.com/security/oval/"
           },
+          "Fingerprint": "sha256:6a1430f0c4d3c46a331ce7517353e3c41b50c653176ab2a78f1d8a56f3f77c45",
           "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
           "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
           "Severity": "MEDIUM",

integration/testdata/packagesprops.json.golden

@@ -39,6 +39,7 @@
             "Name": "GitHub Security Advisory Nuget",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget"
           },
+          "Fingerprint": "sha256:e13b3b0cb6475415aa4e65e77e3ebb7b3455dc20f1e5e9b0544864f596c71e98",
           "Title": "Improper Handling of Exceptional Conditions in Newtonsoft.Json",
           "Description": "Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage.",
           "Severity": "HIGH",

integration/testdata/photon-30.json.golden

@@ -99,6 +99,7 @@
             "Name": "Photon OS CVE metadata",
             "URL": "https://packages.vmware.com/photon/photon_cve_metadata/"
           },
+          "Fingerprint": "sha256:4e81b35fc699744ea7b1f01c4d40f4be024599b0b89bc703b5d96118537d214b",
           "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
           "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
           "Severity": "HIGH",
@@ -163,6 +164,7 @@
             "Name": "Photon OS CVE metadata",
             "URL": "https://packages.vmware.com/photon/photon_cve_metadata/"
           },
+          "Fingerprint": "sha256:12a8a4ae7fd278f8aeb8001707801d38ca7ccea68430208692a2b7d40860f590",
           "Title": "curl: double free due to subsequent call of realloc()",
           "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
           "Severity": "CRITICAL",
@@ -235,6 +237,7 @@
             "Name": "Photon OS CVE metadata",
             "URL": "https://packages.vmware.com/photon/photon_cve_metadata/"
           },
+          "Fingerprint": "sha256:8625bdfcbb7eeaffcef1af0571c227ca2c742411ee81cb598749dbfdc4a40d8c",
           "Title": "curl: double free due to subsequent call of realloc()",
           "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
           "Severity": "CRITICAL",

integration/testdata/pip.json.golden

@@ -127,6 +127,7 @@
             "Name": "GitHub Security Advisory Pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
+          "Fingerprint": "sha256:9c1631587034d298dcb56b2f2a7d70c5111500ff661917a8b9e74c04163bf987",
           "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
           "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
           "Severity": "HIGH",
@@ -183,6 +184,7 @@
             "Name": "GitHub Security Advisory Pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
+          "Fingerprint": "sha256:300309b8c04811de9465c6d286bffac243e6ff8a73e44228301621b573bb0496",
           "Title": "python-werkzeug: open redirect via double slash in the URL",
           "Description": "Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.",
           "Severity": "MEDIUM",

integration/testdata/pipenv.json.golden

@@ -43,6 +43,7 @@
             "Name": "GitHub Security Advisory Pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
+          "Fingerprint": "sha256:2fd97e5070563e83de609aa96428cd65ae1c91b8a010d51684946273d361594c",
           "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
           "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
           "Severity": "HIGH",
@@ -99,6 +100,7 @@
             "Name": "GitHub Security Advisory Pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
+          "Fingerprint": "sha256:ac2fd70194b69ef5db6a0f32d726fc67aa5c0d0f71fe71f5dcb3f26bc573e048",
           "Title": "python-werkzeug: open redirect via double slash in the URL",
           "Description": "Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.",
           "Severity": "MEDIUM",

integration/testdata/pnpm.json.golden

@@ -56,6 +56,7 @@
             "Name": "GitHub Security Advisory Npm",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
           },
+          "Fingerprint": "sha256:b224983d08f6952e8e045d27f01129e92af0c21d1b26ca2e60dd7f5a5e20541c",
           "Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
           "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
           "Severity": "MEDIUM",
@@ -188,6 +189,7 @@
             "Name": "GitHub Security Advisory Npm",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
           },
+          "Fingerprint": "sha256:3621fc78d65c2c488364cb190536be9cc41896291bf1a3d8c1874a392a5c9e40",
           "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
           "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
           "Severity": "CRITICAL",

integration/testdata/poetry.json.golden

@@ -64,6 +64,7 @@
             "Name": "GitHub Security Advisory Pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
+          "Fingerprint": "sha256:384f3c3504a17ae835c015e5cab33befe675700289119a47182dd7102165eb2c",
           "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
           "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
           "Severity": "HIGH",

integration/testdata/pom.json.golden

@@ -28,6 +28,7 @@
             "Name": "GitHub Security Advisory Maven",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
           },
+          "Fingerprint": "sha256:68e4f9ccb3a897341f76048401e88a22f2d9251a88eef44abdf7b9c2af70f2e4",
           "Title": "jackson-databind: Serialization gadgets in anteros-core",
           "Description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
           "Severity": "CRITICAL",
@@ -93,6 +94,7 @@
             "Name": "GitLab Advisory Database Community",
             "URL": "https://gitlab.com/gitlab-org/advisories-community"
           },
+          "Fingerprint": "sha256:b7e077da6366be5eebc967119b377ac75bf9c1f0b0fb63f07ee1cfdec931506e",
           "Title": "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing",
           "Description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
           "Severity": "HIGH",

integration/testdata/pubspec.lock.json.golden

@@ -51,6 +51,7 @@
             "Name": "GitHub Security Advisory Pub",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apub"
           },
+          "Fingerprint": "sha256:0ec48cdcd118d8d131695d33df58c350289079a51fcfd6e9e53d48c3b5b623cc",
           "Title": "http before 0.13.3 vulnerable to header injection",
           "Description": "An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating request methods.",
           "Severity": "MEDIUM",

integration/testdata/rockylinux-8.json.golden

@@ -88,6 +88,7 @@
             "Name": "Rocky Linux updateinfo",
             "URL": "https://download.rockylinux.org/pub/rocky/"
           },
+          "Fingerprint": "sha256:ec40d326eb53ea2b209aeca6f61763f4d2f93f26821899c0642bd84aca475149",
           "Title": "openssl: Read buffer overruns processing ASN.1 strings",
           "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
           "Severity": "MEDIUM",

integration/testdata/sbt.json.golden

@@ -28,6 +28,7 @@
             "Name": "GitHub Security Advisory Maven",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
           },
+          "Fingerprint": "sha256:5041dfe19323df2a9efd7b1330da7e17d55b6a3e7677fb33f456cdba6fa1c130",
           "Title": "jackson-databind: Serialization gadgets in anteros-core",
           "Description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
           "Severity": "CRITICAL",
@@ -93,6 +94,7 @@
             "Name": "GitLab Advisory Database Community",
             "URL": "https://gitlab.com/gitlab-org/advisories-community"
           },
+          "Fingerprint": "sha256:bccb32c5dccac94eda00dcd6c75ef35b85bb9aa07503c4b717295f49f00146af",
           "Title": "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing",
           "Description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
           "Severity": "HIGH",

integration/testdata/spring4shell-jre11.json.golden

@@ -270,6 +270,7 @@
             "Name": "GitHub Security Advisory Maven",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
           },
+          "Fingerprint": "sha256:cf84a68b74dc2edf3ffe5f8c5bc3b401b54272268c332d9a041dde1d8c90e25b",
           "Title": "spring-framework: RCE via Data Binding on JDK 9+",
           "Description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.",
           "Severity": "CRITICAL",

integration/testdata/spring4shell-jre8.json.golden

@@ -270,6 +270,7 @@
             "Name": "GitHub Security Advisory Maven",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
           },
+          "Fingerprint": "sha256:8e22111721ea457f88428647e12e4eaf9eb1a9f37bfd809796390baf262685ff",
           "Title": "spring-framework: RCE via Data Binding on JDK 9+",
           "Description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.",
           "Severity": "LOW",

integration/testdata/swift.json.golden

@@ -54,6 +54,7 @@
           "FixedVersion": "2.29.1, 2.39.1, 2.42.0",
           "Status": "fixed",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3215",
+          "Fingerprint": "sha256:5e6d347d902170f39ce0bb9c580cadecc025cbd132fa3a99e171ec1fdaba6a91",
           "Title": "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
           "Description": "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack...",
           "Severity": "MEDIUM",

integration/testdata/test-repo.json.golden

@@ -36,6 +36,7 @@
             "Name": "RustSec Advisory Database",
             "URL": "https://github.com/RustSec/advisory-db"
           },
+          "Fingerprint": "sha256:f2b941fc60acd755d2c6a7e168e6b45422ea44a089d689f5c0a4971470acd837",
           "Title": "Uncontrolled recursion leads to abort in HTML serialization",
           "Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
           "Severity": "HIGH",
@@ -78,6 +79,7 @@
             "Name": "RustSec Advisory Database",
             "URL": "https://github.com/RustSec/advisory-db"
           },
+          "Fingerprint": "sha256:4b40d82614bc892f89dcd47e6ae81700c23b0bfb15a000ed2738451831bd1f72",
           "Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS",
           "Description": "An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.",
           "Severity": "MEDIUM",

integration/testdata/ubi-7-comprehensive.json.golden

@@ -111,6 +111,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
+          "Fingerprint": "sha256:d88ec8270470584c0d7d9b5355fb694ac6896c1249c5c27ec68aaac30733a95b",
           "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
           "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
           "Severity": "LOW",
@@ -182,6 +183,7 @@
             "Name": "GitHub Security Advisory Pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
+          "Fingerprint": "sha256:064ee0c0b2bd92abb75fe4a4462ba20b783dc75e4f59d2e2a5542df962456566",
           "Title": "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py",
           "Description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
           "Severity": "HIGH",

integration/testdata/ubi-7.json.golden

@@ -111,6 +111,7 @@
           },
           "SeveritySource": "redhat",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
+          "Fingerprint": "sha256:d88ec8270470584c0d7d9b5355fb694ac6896c1249c5c27ec68aaac30733a95b",
           "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
           "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
           "Severity": "LOW",

integration/testdata/ubuntu-1804-ignore-unfixed.json.golden

@@ -122,6 +122,7 @@
             "Name": "Ubuntu CVE Tracker",
             "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
           },
+          "Fingerprint": "sha256:3c6011602650271fbca4f60c65fa4d645ac120eda6d795daff77eb375b7906a5",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",
@@ -193,6 +194,7 @@
             "Name": "Ubuntu CVE Tracker",
             "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
           },
+          "Fingerprint": "sha256:80978831d19a7e127e628d949a2c1b4baf2056414c20dd9998ffe351950b75e4",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",
@@ -264,6 +266,7 @@
             "Name": "Ubuntu CVE Tracker",
             "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
           },
+          "Fingerprint": "sha256:e25514120e2898fc5f15127980590681a6fb0c456804ecaad641fed404a63fe3",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",
@@ -335,6 +338,7 @@
             "Name": "Ubuntu CVE Tracker",
             "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
           },
+          "Fingerprint": "sha256:5a234eae518954cb5f92cd1afbf9021e8e82874442d9188508907a913cd51183",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",

integration/testdata/ubuntu-1804.json.golden

@@ -121,6 +121,7 @@
             "Name": "Ubuntu CVE Tracker",
             "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
           },
+          "Fingerprint": "sha256:3eb059eaf0d15c3b12577858405b74958ba73745fe7b4ae1bc0eb0ae30dc7adf",
           "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
           "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
           "Severity": "LOW",
@@ -185,6 +186,7 @@
             "Name": "Ubuntu CVE Tracker",
             "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
           },
+          "Fingerprint": "sha256:3c6011602650271fbca4f60c65fa4d645ac120eda6d795daff77eb375b7906a5",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",
@@ -256,6 +258,7 @@
             "Name": "Ubuntu CVE Tracker",
             "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
           },
+          "Fingerprint": "sha256:80978831d19a7e127e628d949a2c1b4baf2056414c20dd9998ffe351950b75e4",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",
@@ -327,6 +330,7 @@
             "Name": "Ubuntu CVE Tracker",
             "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
           },
+          "Fingerprint": "sha256:e25514120e2898fc5f15127980590681a6fb0c456804ecaad641fed404a63fe3",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",
@@ -398,6 +402,7 @@
             "Name": "Ubuntu CVE Tracker",
             "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
           },
+          "Fingerprint": "sha256:5a234eae518954cb5f92cd1afbf9021e8e82874442d9188508907a913cd51183",
           "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
           "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
           "Severity": "MEDIUM",

integration/testdata/uv.json.golden

@@ -78,6 +78,7 @@
             "Name": "GitHub Security Advisory Pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
+          "Fingerprint": "sha256:aa64e889de7c75491704abe3a427c786acb12261fbffaaa93547c2e67d13c344",
           "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
           "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
           "Severity": "HIGH",
@@ -135,6 +136,7 @@
             "Name": "GitHub Security Advisory Pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
+          "Fingerprint": "sha256:18bbe0c4a1942e5d43645bba04a0067358adccbaa71922ba4d269c78100cd018",
           "Title": "python-werkzeug: open redirect via double slash in the URL",
           "Description": "Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.",
           "Severity": "MEDIUM",

integration/testdata/yarn.json.golden

@@ -65,6 +65,7 @@
             "Name": "GitHub Security Advisory Npm",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
           },
+          "Fingerprint": "sha256:23bbddd3e1db8191a5b07ecf31200cab4d339681264b902ac86b334501d10d8f",
           "Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
           "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
           "Severity": "MEDIUM",

integration/vm_test.go

@@ -99,7 +99,7 @@ func TestVM(t *testing.T) {
 
 			// Run "trivy vm"
 			runTest(t, osArgs, tt.golden, types.FormatJSON, runOptions{
-				override: overrideFuncs(overrideUID, func(t *testing.T, _, got *types.Report) {
+				override: overrideFuncs(overrideUID, overrideFingerprint, func(t *testing.T, _, got *types.Report) {
 					got.ArtifactName = "disk.img"
 					for i := range got.Results {
 						lastIndex := strings.LastIndex(got.Results[i].Target, "/")

pkg/digest/digest.go

@@ -3,6 +3,7 @@ package digest
 import (
 	"crypto/sha1" // nolint
 	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"hash"
 	"io"
@@ -70,7 +71,14 @@ func CalcSHA1(r io.ReadSeeker) (Digest, error) {
 	return NewDigest(SHA1, h), nil
 }
 
-func CalcSHA256(r io.ReadSeeker) (Digest, error) {
+// CalcSHA256 calculates the SHA256 hash of the given data
+func CalcSHA256(data []byte) Digest {
+	h := sha256.Sum256(data)
+	return NewDigestFromString(SHA256, hex.EncodeToString(h[:]))
+}
+
+// CalcSHA256FromReader calculates the SHA256 hash from a reader
+func CalcSHA256FromReader(r io.ReadSeeker) (Digest, error) {
 	defer r.Seek(0, io.SeekStart)
 
 	h := sha256.New()

pkg/fanal/analyzer/executable/executable.go

@@ -28,7 +28,7 @@ func (a executableAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisIn
 		return nil, nil
 	}
 
-	dig, err := digest.CalcSHA256(input.Content)
+	dig, err := digest.CalcSHA256FromReader(input.Content)
 	if err != nil {
 		return nil, xerrors.Errorf("sha256 error: %w", err)
 	}

pkg/fingerprint/fingerprint.go

@@ -0,0 +1,57 @@
+package fingerprint
+
+import (
+	"fmt"
+
+	"github.com/aquasecurity/trivy/pkg/digest"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+// Fill generates and fills fingerprints for all findings in the report
+func Fill(report *types.Report) {
+	artifactID := report.ArtifactID
+
+	for i := range report.Results {
+		result := &report.Results[i]
+		target := result.Target
+
+		// Fill vulnerability fingerprints
+		fillVulnerabilities(artifactID, target, result.Vulnerabilities)
+
+		// TODO: Future implementation
+		// fillMisconfigurations(artifactID, target, result.Misconfigurations)
+		// fillSecrets(artifactID, target, result.Secrets)
+		// fillLicenses(artifactID, target, result.Licenses)
+	}
+}
+
+// fillVulnerabilities generates and assigns fingerprints to all vulnerabilities in the slice.
+// Each vulnerability is processed in place to ensure the fingerprint is added to the original
+// vulnerability object in the report.
+func fillVulnerabilities(artifactID, target string, vulns []types.DetectedVulnerability) {
+	for i := range vulns {
+		vulns[i].Fingerprint = generateVulnFingerprint(artifactID, target, &vulns[i])
+	}
+}
+
+// generateVulnFingerprint creates a unique fingerprint for a vulnerability.
+// The fingerprint is a SHA256 hash of the concatenation of:
+//   - artifact ID: Unique identifier for the scanned artifact (e.g., image digest with registry/repository)
+//   - target: Scan target path (e.g., "app/package.json" or "alpine 3.18.0")
+//   - package ID: Package identifier with version (e.g., "lodash@4.17.0" or "libssl3@3.0.8-r0")
+//   - vulnerability ID: CVE or vulnerability identifier (e.g., "CVE-2021-1234")
+//
+// The fingerprint is deterministic - the same inputs always produce the same hash.
+// This allows external systems to track and deduplicate vulnerabilities across multiple scans.
+//
+// Example: For a vulnerability in lodash@4.17.0 found in app/package.json of sha256:abc123,
+// the fingerprint would be SHA256("sha256:abc123:app/package.json:lodash@4.17.0:CVE-2021-1234")
+// resulting in "sha256:..." format.
+func generateVulnFingerprint(artifactID, target string, vuln *types.DetectedVulnerability) string {
+	data := fmt.Sprintf("%s:%s:%s:%s",
+		artifactID,
+		target,
+		vuln.PkgID,
+		vuln.VulnerabilityID)
+	return digest.CalcSHA256([]byte(data)).String()
+}

pkg/fingerprint/fingerprint_test.go

@@ -0,0 +1,281 @@
+package fingerprint
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+func TestFill(t *testing.T) {
+	tests := []struct {
+		name       string
+		report     *types.Report
+		wantReport *types.Report
+	}{
+		{
+			name: "single vulnerability",
+			report: &types.Report{
+				ArtifactID: "sha256:abc123",
+				Results: []types.Result{
+					{
+						Target: "app/package.json",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{
+								PkgID:           "lodash@4.17.0",
+								VulnerabilityID: "CVE-2021-1234",
+							},
+						},
+					},
+				},
+			},
+			wantReport: &types.Report{
+				ArtifactID: "sha256:abc123",
+				Results: []types.Result{
+					{
+						Target: "app/package.json",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{
+								PkgID:           "lodash@4.17.0",
+								VulnerabilityID: "CVE-2021-1234",
+								Fingerprint:     "sha256:7bf63097f9e930e203cfcb74b3ae9cf51c52cc016fa81da297a4d695dadd728f", // hash(sha256:abc123:app/package.json:lodash@4.17.0:CVE-2021-1234)
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "multiple vulnerabilities in multiple results",
+			report: &types.Report{
+				ArtifactID: "sha256:def456",
+				Results: []types.Result{
+					{
+						Target: "app1/package.json",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{
+								PkgID:           "express@4.17.0",
+								VulnerabilityID: "CVE-2021-5678",
+							},
+							{
+								PkgID:           "lodash@4.17.0",
+								VulnerabilityID: "CVE-2021-1234",
+							},
+						},
+					},
+					{
+						Target: "app2/package.json",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{
+								PkgID:           "lodash@4.17.0",
+								VulnerabilityID: "CVE-2021-1234",
+							},
+						},
+					},
+				},
+			},
+			wantReport: &types.Report{
+				ArtifactID: "sha256:def456",
+				Results: []types.Result{
+					{
+						Target: "app1/package.json",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{
+								PkgID:           "express@4.17.0",
+								VulnerabilityID: "CVE-2021-5678",
+								Fingerprint:     "sha256:6666c513c31c1155541e73f806edccb717773e0839d2631e8758de34ed4bf9f7", // hash(sha256:def456:app1/package.json:express@4.17.0:CVE-2021-5678)
+							},
+							{
+								PkgID:           "lodash@4.17.0",
+								VulnerabilityID: "CVE-2021-1234",
+								Fingerprint:     "sha256:c4d943760ae3cd4b8782bff29a44f67823b7579bae83e2abce1fdd2f11516527", // hash(sha256:def456:app1/package.json:lodash@4.17.0:CVE-2021-1234)
+							},
+						},
+					},
+					{
+						Target: "app2/package.json",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{
+								PkgID:           "lodash@4.17.0",
+								VulnerabilityID: "CVE-2021-1234",
+								Fingerprint:     "sha256:1e0a807019aeeecabf004de2bb1bf22646752e7905be5a742377f4760d852520", // hash(sha256:def456:app2/package.json:lodash@4.17.0:CVE-2021-1234)
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "empty report",
+			report: &types.Report{
+				ArtifactID: "sha256:empty",
+				Results:    []types.Result{},
+			},
+			wantReport: &types.Report{
+				ArtifactID: "sha256:empty",
+				Results:    []types.Result{},
+			},
+		},
+		{
+			name: "result without vulnerabilities",
+			report: &types.Report{
+				ArtifactID: "sha256:novulns",
+				Results: []types.Result{
+					{
+						Target:          "app/package.json",
+						Vulnerabilities: []types.DetectedVulnerability{},
+					},
+				},
+			},
+			wantReport: &types.Report{
+				ArtifactID: "sha256:novulns",
+				Results: []types.Result{
+					{
+						Target:          "app/package.json",
+						Vulnerabilities: []types.DetectedVulnerability{},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			Fill(tt.report)
+
+			// Verify the entire report matches expected
+			assert.Equal(t, tt.wantReport, tt.report)
+		})
+	}
+}
+
+func Test_fillVulnerabilities(t *testing.T) {
+	tests := []struct {
+		name       string
+		artifactID string
+		target     string
+		vulns      []types.DetectedVulnerability
+		wantVulns  []types.DetectedVulnerability
+	}{
+		{
+			name:       "multiple vulnerabilities with unique fingerprints",
+			artifactID: "sha256:test123",
+			target:     "test-target",
+			vulns: []types.DetectedVulnerability{
+				{
+					PkgID:           "pkg1@1.0.0",
+					VulnerabilityID: "CVE-2021-0001",
+				},
+				{
+					PkgID:           "pkg2@2.0.0",
+					VulnerabilityID: "CVE-2021-0002",
+				},
+				{
+					PkgID:           "pkg3@3.0.0",
+					VulnerabilityID: "CVE-2021-0003",
+				},
+			},
+			wantVulns: []types.DetectedVulnerability{
+				{
+					PkgID:           "pkg1@1.0.0",
+					VulnerabilityID: "CVE-2021-0001",
+					Fingerprint:     "sha256:099e52439185c144012d07bff4d3e6a840b6d0366c175da12308fd7e82c49f4b", // hash(sha256:test123:test-target:pkg1@1.0.0:CVE-2021-0001)
+				},
+				{
+					PkgID:           "pkg2@2.0.0",
+					VulnerabilityID: "CVE-2021-0002",
+					Fingerprint:     "sha256:7afdba1b87fb21abfac82517a4fbaf6a472761af1c2376405580040da998e3b9", // hash(sha256:test123:test-target:pkg2@2.0.0:CVE-2021-0002)
+				},
+				{
+					PkgID:           "pkg3@3.0.0",
+					VulnerabilityID: "CVE-2021-0003",
+					Fingerprint:     "sha256:0eea75192d06f745c4a22e85159747984dd6f6014aeb5e341f4108b2bd12db18", // hash(sha256:test123:test-target:pkg3@3.0.0:CVE-2021-0003)
+				},
+			},
+		},
+		{
+			name:       "same vulnerability in different targets produces different fingerprints",
+			artifactID: "sha256:abc",
+			target:     "app1/package.json",
+			vulns: []types.DetectedVulnerability{
+				{
+					PkgID:           "lodash@4.17.0",
+					VulnerabilityID: "CVE-2021-1234",
+				},
+			},
+			wantVulns: []types.DetectedVulnerability{
+				{
+					PkgID:           "lodash@4.17.0",
+					VulnerabilityID: "CVE-2021-1234",
+					Fingerprint:     "sha256:f1616ffbc37b9762a217e36f926137a5dd1bcdfa203f5d8f8cd67b787dee969d", // hash(sha256:abc:app1/package.json:lodash@4.17.0:CVE-2021-1234)
+				},
+			},
+		},
+		{
+			name:       "same vulnerability different artifact produces different fingerprints",
+			artifactID: "sha256:xyz",
+			target:     "app1/package.json",
+			vulns: []types.DetectedVulnerability{
+				{
+					PkgID:           "lodash@4.17.0",
+					VulnerabilityID: "CVE-2021-1234",
+				},
+			},
+			wantVulns: []types.DetectedVulnerability{
+				{
+					PkgID:           "lodash@4.17.0",
+					VulnerabilityID: "CVE-2021-1234",
+					Fingerprint:     "sha256:2ec939f202e5187422d4bdfe2d9f5677d5caefab26713168e238f63d682700dd", // hash(sha256:xyz:app1/package.json:lodash@4.17.0:CVE-2021-1234)
+				},
+			},
+		},
+		{
+			name:       "same CVE different package version produces different fingerprints",
+			artifactID: "sha256:test",
+			target:     "app/package.json",
+			vulns: []types.DetectedVulnerability{
+				{
+					PkgID:           "lodash@4.17.0",
+					VulnerabilityID: "CVE-2021-1234",
+				},
+				{
+					PkgID:           "lodash@4.17.1",
+					VulnerabilityID: "CVE-2021-1234",
+				},
+			},
+			wantVulns: []types.DetectedVulnerability{
+				{
+					PkgID:           "lodash@4.17.0",
+					VulnerabilityID: "CVE-2021-1234",
+					Fingerprint:     "sha256:31a2f37866b537085b9f9bb341e943f079b0c1457a30fc4864d9355e9c84bc72", // hash(sha256:test:app/package.json:lodash@4.17.0:CVE-2021-1234)
+				},
+				{
+					PkgID:           "lodash@4.17.1",
+					VulnerabilityID: "CVE-2021-1234",
+					Fingerprint:     "sha256:b1efc0cce609f418597be82f5c9840c53ae8ae592ba1672c4f07297d86dbfe7b", // hash(sha256:test:app/package.json:lodash@4.17.1:CVE-2021-1234)
+				},
+			},
+		},
+		{
+			name:       "empty vulnerabilities",
+			artifactID: "sha256:empty",
+			target:     "target",
+			vulns:      []types.DetectedVulnerability{},
+			wantVulns:  []types.DetectedVulnerability{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fillVulnerabilities(tt.artifactID, tt.target, tt.vulns)
+
+			require.Len(t, tt.vulns, len(tt.wantVulns))
+			for i, vuln := range tt.vulns {
+				// Verify the entire vulnerability object matches expected
+				assert.Equal(t, tt.wantVulns[i], vuln, "vulnerability %d mismatch", i)
+			}
+		})
+	}
+}

pkg/scan/service.go

@@ -11,6 +11,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/clock"
 	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/fingerprint"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/report"
 	"github.com/aquasecurity/trivy/pkg/types"
@@ -82,7 +83,7 @@ func (s Service) ScanArtifact(ctx context.Context, options types.ScanOptions) (t
 		return types.Report{}, xerrors.Errorf("failed to generate ReportID: %w", err)
 	}
 
-	return types.Report{
+	r := types.Report{
 		SchemaVersion: report.SchemaVersion,
 		ReportID:      reportID.String(),
 		CreatedAt:     clock.Now(ctx),
@@ -113,7 +114,12 @@ func (s Service) ScanArtifact(ctx context.Context, options types.ScanOptions) (t
 		},
 		Results: scanResponse.Results,
 		BOM:     artifactInfo.BOM,
-	}, nil
+	}
+
+	// Fill fingerprints for all findings
+	fingerprint.Fill(&r)
+
+	return r, nil
 }
 
 // generateArtifactID generates a unique ID for the artifact based on its type

pkg/scan/service_test.go

@@ -130,7 +130,8 @@ func TestScanner_ScanArtifact(t *testing.T) {
 								Layer: ftypes.Layer{
 									DiffID: "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203",
 								},
-								PrimaryURL: "https://avd.aquasec.com/nvd/cve-2020-9999",
+								PrimaryURL:  "https://avd.aquasec.com/nvd/cve-2020-9999",
+								Fingerprint: "sha256:36d448cc18b4acd7ccc868fc1865f7dc97694d1e7e4fa55cfabec91990866926", // hash(sha256:574abdaf07824449b1277ec1e7e67659cc869bbf97fd95447812b55644350a21:../fanal/test/testdata/alpine-311.tar.gz (alpine 3.11.5):musl@1.1.24-r2:CVE-2020-9999)
 								PkgIdentifier: ftypes.PkgIdentifier{
 									UID: "dfd35f110ec8c525",
 									PURL: &packageurl.PackageURL{
@@ -166,7 +167,8 @@ func TestScanner_ScanArtifact(t *testing.T) {
 								Layer: ftypes.Layer{
 									DiffID: "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203",
 								},
-								PrimaryURL: "https://avd.aquasec.com/nvd/cve-2020-9999",
+								PrimaryURL:  "https://avd.aquasec.com/nvd/cve-2020-9999",
+								Fingerprint: "sha256:5b28a2608ccc60c031066a4809cdb5c4ed7eb331e1136b413883c562a7e7aa55", // hash(sha256:574abdaf07824449b1277ec1e7e67659cc869bbf97fd95447812b55644350a21:../fanal/test/testdata/alpine-311.tar.gz (alpine 3.11.5):musl-utils@1.1.24-r2:CVE-2020-9999)
 								PkgIdentifier: ftypes.PkgIdentifier{
 									UID: "989eac0ec741e708",
 									PURL: &packageurl.PackageURL{

pkg/types/vulnerability.go

@@ -23,6 +23,10 @@ type DetectedVulnerability struct {
 	// DataSource holds where the advisory comes from
 	DataSource *types.DataSource `json:",omitempty"`
 
+	// Fingerprint is a unique identifier for the vulnerability based on
+	// ArtifactID, Target, PkgID, and VulnerabilityID
+	Fingerprint string `json:",omitempty"`
+
 	// Custom is for extensibility and not supposed to be used in OSS
 	Custom any `json:",omitempty"`