gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-08 05:40:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.21.1
Branches Tags
gitea-mirror:main gitea-mirror:dependabot/go_modules/common-ba920034f2 gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/aws-180b2af62a gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
...
compare: gitea-mirror:v0.24.1
Branches Tags
gitea-mirror:dependabot/go_modules/common-ba920034f2 gitea-mirror:main gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/aws-180b2af62a gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

113 Commits
v0.21.1 ... v0.24.1

Author SHA1 Message Date
afdesk
a423b99312 fix(python): correct handling pip package names with a hyphen (#1771) 2022-02-27 17:47:53 +02:00
benterris
a069ad7818 doc(docker): fix command to run trivy with docker on linux (#1761) 2022-02-25 10:56:47 +02:00
Edvin N
015055e1f5 feat(helm): Add support for custom labels (#1767) 
Solves #1766
 2022-02-25 09:07:25 +02:00
Edvin N
cbaa363990 chore(helm): bump chart to trivy 0.24.0 (#1762) 
Signed-off-by: Edvin Norling <edvin.norling@xenit.se>
 2022-02-25 09:06:56 +02:00
Owen Rumney
bec02f098d docs: remove erroneous command (#1763) 2022-02-24 14:21:10 +02:00
dependabot[bot]
d7f8b92a27 chore(deps): bump github.com/spf13/afero from 1.6.0 to 1.8.1 (#1708) 2022-02-22 22:49:01 +02:00
Teppei Fukuda
59ea0d5781 fix(option): warn list-all-pkgs only with the table format (#1755) 2022-02-22 22:48:39 +02:00
DmitriyLewen
c788676f87 feat(option): warn "--list-all-pkgs" with "--format table" (#1632) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-02-22 18:41:25 +02:00
Masahiro331
58ade462b4 feat(report): add support for CycloneDX (#1081) 
Co-authored-by: tspearconquest <81998567+tspearconquest@users.noreply.github.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-02-22 18:01:15 +02:00
Owen Rumney
77cab6e0b9 chore(deps): update the defsec and tfsec versions (#1747) 2022-02-22 16:42:24 +02:00
AndreyLevchenko
2ede15d358 fix(scanner): fix skip of language-specific files when scanning rootf… (#1751) 2022-02-22 08:48:25 +02:00
dependabot[bot]
d266c74941 chore(deps): bump github.com/google/wire from 0.4.0 to 0.5.0 (#1712) 2022-02-21 18:46:55 +02:00
Guy Ben-Aharon
4423396bcc feat(report): considering App.Writer when printing results (#1722) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-02-21 16:47:42 +02:00
afdesk
356ae30c7e chore(deps): replace satori version and skipping examples folder (#1745) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-02-21 15:58:45 +02:00
skuethe
477dc7d5f9 build: add s390x container images (#1726) 
Signed-off-by: skuethe <56306041+skuethe@users.noreply.github.com>
 2022-02-21 11:31:07 +02:00
Oran Moshai
89b8d7ff30 feat(template) Add misconfigurations to junit report (#1724) 
Co-authored-by: oranmoshai <oran.moshai@aquasec.com>
 2022-02-20 11:54:24 +02:00
dependabot[bot]
219b71b4fd chore(deps): bump github.com/twitchtv/twirp (#1709) 2022-02-14 10:25:28 +02:00
Christian Zunker
aa6e1eb6f9 feat(client): configure TLS InsecureSkipVerify for server connection (#1287) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-02-13 11:34:34 +02:00
Ankush K
de6c3cbb6c fix(rpc): Supports RPC calls for new identifier CustomResource (#1605) 2022-02-13 11:20:51 +02:00
dependabot[bot]
b7d4d1ead4 chore(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 (#1705) 2022-02-13 11:18:07 +02:00
dependabot[bot]
e6c029d08a chore(deps): bump github.com/caarlos0/env/v6 from 6.0.0 to 6.9.1 (#1707) 2022-02-13 10:13:06 +02:00
Will Dowling
ec6cb1a642 feat(helm): Parameterise ServiceAccount annotations (#1677) 2022-02-13 09:48:01 +02:00
dependabot[bot]
7dfc16cf21 chore(deps): bump github.com/hashicorp/go-getter from 1.5.2 to 1.5.11 (#1710) 2022-02-13 09:47:11 +02:00
dependabot[bot]
42d8fd6638 chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.3 to 3.0.8 (#1704) 2022-02-11 20:09:23 +02:00
dependabot[bot]
c3ef2035b5 chore(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.37.2 (#1711) 2022-02-11 18:04:44 +02:00
Teppei Fukuda
274103e883 chore(dependabot): enable gomod monthly (#1699) 2022-02-11 14:24:25 +02:00
Konstantinos Koukopoulos
e618d83dae fix(gitlab tpl): escape double quote (#1635) 2022-02-10 17:29:10 +02:00
Yuval Goldberg
3b0b2ed4ce build: Make make protoc be consistent (#1682) 
Signed-off-by: Yuval Goldberg <yuvigoldi@gmail.com>
 2022-02-10 11:07:30 +02:00
Masahiro331
5c8d098324 feat(purl): add generate purl package utilities (#1574) 2022-02-09 20:35:36 +02:00
Teppei Fukuda
11f4f81123 refactor: move result structs under types (#1696) 2022-02-09 19:31:12 +02:00
Teppei Fukuda
6db2092c72 feat(mariner): add support for CBL-Mariner 2.0 (#1694) 2022-02-09 14:45:39 +02:00
Sven Haardiek
8898bb0937 docs(gitlab-ci): fix Script in GitLab CI Example #1688 
This patch changes the command line order to still work with the latest version
of trivy.

Signed-off-by: Sven Haardiek <sven.haardiek@uni-muenster.de>
 2022-02-08 13:31:10 +02:00
Carol Valencia
33d0833717 chore: Upgrade helm chart version (#1683) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-02-08 12:45:11 +02:00
tspearconquest
13874d866c chore(mod): update Go dependencies (#1681) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-02-07 14:12:45 +02:00
Greg Myers
f26a06b980 docs: fix typos in markdown docs (#1674) 2022-02-04 22:05:30 +02:00
Rory McCune
e2821a4fba docs: update documentation for image scanning of tar files to use a tag present on Docker Hub (#1671) 2022-02-04 22:04:53 +02:00
Teppei Fukuda
ef8a1afcdb fix(repo): --no-progress suppresses git output (#1669) 2022-02-03 09:02:39 +02:00
Teppei Fukuda
449add24af docs: add ACR navigator (#1651) 2022-01-31 16:19:19 +02:00
John A Stevenson
cb9afc8441 fix: update example Rego files and docs (#1628) 2022-01-31 16:18:24 +02:00
Teppei Fukuda
78b2b899a0 feat(option): show a link to GitHub Discussions for --light deprecation (#1650) 2022-01-31 15:26:43 +02:00
afdesk
52fd3c2e0a fix(sarif): fix the warning message (#1647) 2022-01-31 10:11:27 +02:00
Teppei Fukuda
8d5882be03 refactor: migrate to prefixed buckets (#1644) 2022-01-31 10:05:38 +02:00
Masahiro331
84dd33f7e9 feat(mariner): add support for CBL-Mariner (#1640) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-01-29 22:53:07 +02:00
Teppei Fukuda
9e903a1d88 docs: commercial use available (#1641) 2022-01-29 21:26:16 +02:00
Christian Groschupp
f4c746a2d2 feat: support azure acr (#1611) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-01-28 22:50:28 +02:00
afdesk
420f8ab13e feat(os-pkg): add data sources (#1636) 2022-01-28 20:41:40 +02:00
Teppei Fukuda
d2827cba06 feat(redhat): support build info in RHEL (#807) 2022-01-28 18:35:00 +02:00
DmitriyLewen
ce703ce4a5 fix: change links in pull_request_template to static URLs (#1634) 2022-01-27 15:47:37 +02:00
Teppei Fukuda
50bb938a21 feat(lang-pkg): add data sources (#1625) 2022-01-27 14:22:06 +02:00
Teppei Fukuda
a31ddbe971 feat(detector): support custom detector (#1615) 2022-01-25 09:06:28 +02:00
AndreyLevchenko
3a4e18ac82 docs(contribution): change role who should resolve comments (#1618) 2022-01-24 15:11:03 +02:00
DmitriyLewen
8ba68361bd docs: add PR template (#1602) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-01-23 10:36:03 +02:00
MaineK00n
f5c5573936 feat(rocky): support Rocky Linux (#1570) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-01-20 11:43:43 +02:00
MarkusTeufelberger
eab2b425db Add the ability to set dockerhub credentials in the helm chart (#1569) 2022-01-20 07:51:07 +02:00
Taufik Mulyana
cabd18daae feat(cache): redis TLS support (#1297) 2022-01-18 15:16:00 +02:00
DmitriyLewen
02c3c3659d feat(java): add support for PAR files (#1599) 2022-01-18 13:26:46 +02:00
DmitriyLewen
4f7b768369 refactor(rust): move rust-advisory-db to OSV (#1591) 2022-01-17 15:38:35 +02:00
rethab
d754cb8c6f feat: log ignored vulnerabilities on debug (#1378) 
* feat: log ignored vulnerabilities

* feat: show IDs in an ignore file

Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-01-17 08:38:08 +02:00
AndreyLevchenko
a936e675c9 chore(mod): hcl2json deps update (#1585) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-01-16 21:09:04 +02:00
DmitriyLewen
af116d3c9e fix(rpm): do not ignore installed files via third-party rpm (#1594) 2022-01-16 20:34:19 +02:00
jerbob92
b507360075 feat(fs): allow scanning a single file (#1578) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-01-16 16:32:31 +02:00
Teppei Fukuda
7fcbf44bb8 refactor(python): drop Safety DB (#1580) 2022-01-16 15:23:49 +02:00
DmitriyLewen
478d279919 feat: added insecure tls skip to scan git repo (#1528) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-01-14 11:25:45 +02:00
Yuval Goldberg
33bd41b40f Supress git clone output (#1590) 2022-01-14 08:59:49 +02:00
MaineK00n
39a10089fc fix(alma): skip modular package because MODULARITYLABEL is not set (#1588) 2022-01-13 17:30:20 +02:00
DmitriyLewen
37abd612aa feat(photon os): added EOL dates check (#1587) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2022-01-13 16:20:32 +02:00
DmitriyLewen
78de33e8ea docs: update supported os (#1586) 2022-01-13 13:53:13 +02:00
Teppei Fukuda
22054626f3 BREAKING: remove root command (#1579) 2022-01-12 16:13:13 +02:00
MaineK00n
28ddcf1ae8 docs: add Rust to Language-specific Packages Table (#1577) 2022-01-12 15:42:48 +02:00
rizwan-kh
df134c73f8 docs: update int doc for gitlab ci (#1575) 2022-01-12 11:17:29 +02:00
afdesk
8da20c8c92 BREAKING: migrate the sarif template to Go code (#1437) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-01-12 08:49:47 +02:00
Teppei Fukuda
714b5ca246 refactor: remove unused field (#1567) 2022-01-11 19:47:52 +02:00
dependabot[bot]
51e152b01c chore(deps): bump helm/chart-testing-action from 2.1.0 to 2.2.0 (#1554) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com
 2022-01-11 14:58:23 +02:00
Stan0304
884daff429 docs: gitlab integration (#1381) 2022-01-10 15:38:32 +02:00
MaineK00n
2a8336b9aa feat(alma): support AlmaLinux (#1238) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2022-01-06 22:26:09 +02:00
Sourabh Gupta
1e171af165 docs: added note about default template path when Trivy installed using rpm (#1551) 2022-01-06 20:36:39 +02:00
Teppei Fukuda
e65274e0ef BREAKING: Trivy DB from GHCR (#1539) 2022-01-06 20:08:40 +02:00
Liam Galvin
db35450bbb feat(cli): Do not set default commands when a plugin is being run (#1549) 2022-01-06 19:10:16 +02:00
Maria Kotlyarevskaya
24254d19f6 fix: add fingerprint field to codequality template (#1541) 
Signed-off-by: Jasstkn <mariia.kotliarevskaia@gmail.com>
 2022-01-06 15:12:24 +02:00
afdesk
2ee074568c fix(image): correct handling of uncompressed layers (#1544) 
Fixes #1527
 2022-01-05 20:38:08 +02:00
Carol Valencia
0aef82c58e chore: helm chart app version 0.22.0 (#1535) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-01-04 22:24:39 +02:00
Teppei Fukuda
8b2a799721 test(integration): use fixtures (#1532) 2021-12-30 20:53:03 +02:00
Teppei Fukuda
42f795fa34 fix(java/pom): ignore unsupported requirements (#1514) 2021-12-24 23:37:28 +02:00
Teppei Fukuda
8f737cc6eb feat(cli): warning for root command (#1516) 2021-12-24 23:02:19 +02:00
Teppei Fukuda
76249bdcf0 BREAKING: disable JAR detection in fs/repo scanning (#1512) 
Co-authored-by: Andrey Levchenko <levchenko.andrey@gmail.com>
 2021-12-24 16:14:50 +02:00
Teppei Fukuda
59957d4c6b feat(scan): support --offline-scan option (#1511) 2021-12-24 12:20:21 +02:00
Teppei Fukuda
da8b72d2e7 fix: improve memory usage (#1509) 2021-12-24 08:33:43 +02:00
Teppei Fukuda
b713ad0fd3 feat(java): support pom.xml (#1501) 2021-12-23 16:45:38 +02:00
yuriShafet
56115e9d4f docs: fixing rust link to security advisory (#1504) 2021-12-22 17:52:35 +02:00
Owen Rumney
7f859afacb Add missing IacMetdata (#1505) 
- Provider and Service added to IacMetadata on misconfiguration
 2021-12-22 17:06:25 +02:00
Teppei Fukuda
628a7964d5 feat(jar): add file path (#1498) 2021-12-21 08:52:33 +02:00
Teppei Fukuda
82fba77141 feat(rpm): support NDB (#1497) 2021-12-21 07:57:06 +02:00
DmitriyLewen
d5269da5ee feat: added misconfiguration field for html.tpl (#1444) 
* feat: added misconfiguration field for html.tpl

* feat: added message field for html.tpl

* fix: fixed integration test error
 2021-12-20 17:14:00 +02:00
Chetan Goti
8e57dee86b fix(docs): typo (#1488) 2021-12-19 11:24:22 +02:00
Owen Rumney
8bfbc84a41 feat(plugin): Add option to update plugin (#1462) 
* Add option to update plugin

- add plugin update [pluginName] to update
- add supporting test

* refactor: wrap errors
 2021-12-16 13:30:19 +02:00
DmitriyLewen
1e811de263 fix: fixed skipFiles/skipDirs flags for relative path (#1482) 2021-12-16 13:21:22 +02:00
Owen Rumney
8b5796f770 feat (plugin): add list and info command for plugin (#1452) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2021-12-15 22:36:08 +02:00
afdesk
a2199bb417 fix: set up a vulnerability severity (#1458) 2021-12-15 21:28:29 +02:00
geyingqi
279e76f704 chore: add arm64 deb package (#1480) 2021-12-15 20:08:05 +02:00
Tomas Fernandez
5262590831 Link to trivy tutorial on Semaphore (#1449) 
* Link to trivy tutorial on Semaphore

* Move tutorial to Advanced > Community > Tools
 2021-12-12 05:33:00 +02:00
abdennour
c275a841fd refactor(helm): externalize env vars to configMap (#1345) 
\#1343

Signed-off-by: abdennour <mail@abdennoor.com>
 2021-12-08 08:37:05 +02:00
nobletrout
7beed30170 docs: provide more information on scanning Google's GCR (#1426) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2021-12-07 03:28:46 +02:00
DmitriyLewen
f50e1f42a1 docs(misconfiguration): added instruction for misconfiguration detection (#1428) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2021-12-06 13:56:41 +02:00
Guilherme Macedo
3ae4de5869 Update git-repository.md (#1430) 
Update instructions on how to scan private git repositories, as according to https://github.com/aquasecurity/fanal/pull/253 .
 2021-12-06 13:04:03 +02:00
AndreyLevchenko
6e35b8f53c fix(hooks): exclude unrelated lib types from system files filtering (#1431) 2021-12-06 10:53:34 +02:00
afdesk
beb60b05f3 chore: run go fmt (#1429) 2021-12-02 17:52:57 +09:00
afdesk
582e7fd1ba fix(sarif): change help field in the sarif template. (#1423) 2021-12-02 14:23:26 +09:00
Owen Rumney
11bc290111 Update fanal with cfsec version update (#1425) 
- new version of cfsec brought in with latest fanal
  - fixes issue where cfsec treats files as CloudFormation when they
    arent
  - fixes issuee where invalid content errors are surfaced to Trivy
- Gets addition of service and provider on the IaC results - this is not
  visible to others
 2021-12-01 04:15:26 +02:00
Nilushan Costa
392f68926c Replace deprecated option in goreleaser (#1406) 
* Replace deprecated docker.use_buildx with docker.use

* Bump goreleaser GitHub action to v0.183.0
 2021-11-29 05:31:16 +02:00
Huang Huang
101d576025 feat(alpine): support 3.15 (#1422) 2021-11-29 05:30:44 +02:00
Carol Valencia
bd3ba68cce chore: test the helm chart in the PR and used the commit hash (#1414) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2021-11-29 05:29:01 +02:00
dependabot[bot]
3860d6e4e9 chore(deps): bump alpine from 3.14 to 3.15.0 (#1417) 
Bumps alpine from 3.14 to 3.15.0.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-11-28 09:48:31 +02:00
afdesk
4f82673a61 chore(release): add ubuntu older versions to deploy script (#1416) 
* chore(release): add ubuntu older versions to deploy script

`ubuntu-distro-info --supported` returns only versions: `bionic`, `focal`, `hirsute`, `impish` and `jammy`.

`ubuntu-distro-info --supported-esm` returns another versions: `trusty`, `xenial`, `bionic`, `focal` and `jammy`.

for the release script we should use the union of these sets.

Fixes #1194

* change `uniq` command to `-u` parameter
 2021-11-28 09:43:07 +02:00
332 changed files with 13439 additions and 134641 deletions
Expand all files Collapse all files

21
.github/dependabot.yml vendored
View File

@@ -1,10 +1,15 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily
- package-ecosystem: docker
directory: /
schedule:
interval: daily
- package-ecosystem: github-actions
directory: /
schedule:
interval: monthly
- package-ecosystem: docker
directory: /
schedule:
interval: monthly
- package-ecosystem: gomod
open-pull-requests-limit: 10
directory: /
schedule:
interval: monthly

18
.github/pull_request_template.md vendored Normal file
View File

@@ -0,0 +1,18 @@
## Description
## Related issues
- Close #XXX
## Related PRs
- [ ] #XXX
- [ ] #YYY
Remove this section if you don't have related PRs.
## Checklist
- [ ] I've read the [guidelines for contributing](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md) to this repository.
- [ ] I've followed the [conventions](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md#title) in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

51
.github/workflows/publish-chart.yaml vendored
View File

@@ -1,67 +1,82 @@
name: Publish Chart Helm
name: Publish Helm chart
on:
workflow_dispatch:
pull_request:
branches:
- main
paths:
- 'helm/trivy/**'
push:
branches: [main]
paths:
- 'helm/trivy/**'
workflow_dispatch:
env:
HELM_REP: helm-charts
GH_OWNER: aquasecurity
CHART_DIR: helm/trivy
KIND_VERSION: "v0.11.1"
KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
jobs:
release:
test-chart:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@v1
uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
with:
version: v3.5.0
- name: Set up python
uses: actions/setup-python@v2
uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
with:
python-version: 3.7
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@v2.1.0
uses: helm/chart-testing-action@6b64532d456fa490a3da177fbd181ac4c8192b58 #v2.1.0
- name: Setup Kubernetes cluster (KIND)
uses: engineerd/setup-kind@v0.5.0
uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
- name: Run chart-testing (w/Ingress)
- name: Run chart-testing
run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
- name: Run chart-testing (Ingress)
- name: Run chart-testing (Ingress enabled)
run: |
sed -i -e '97s,false,'true',g' ./helm/trivy/values.yaml
sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
ct lint-and-install --validate-maintainers=false --charts helm/trivy
publish-chart:
if: github.event_name == 'push'
needs:
- test-chart
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
with:
fetch-depth: 0
- name: Install chart-releaser
run: |
wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37 chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
- name: Package helm chart
run: |
./cr package ${{ env.CHART_DIR }}
- name: Upload helm chart
# Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
continue-on-error: true
## Upload the tar in the Releases repository
run: |
./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
- name: Index helm chart
run: |
./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
- name: Push index file
uses: dmnemec/copy_file_to_another_repo_action@v1.1.1
uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
env:
API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
with:

4
.github/workflows/scan.yaml vendored
View File

@@ -14,7 +14,7 @@ jobs:
scan-type: 'fs'
exit-code: '1'
severity: 'CRITICAL'
skip-dirs: integration
skip-dirs: integration,examples
- name: Run Trivy vulnerability scanner to scan for Medium and High Vulnerabilities
uses: aquasecurity/trivy-action@master
@@ -22,4 +22,4 @@ jobs:
scan-type: 'fs'
exit-code: '0'
severity: 'HIGH,MEDIUM'
skip-dirs: integration
skip-dirs: integration,examples

2
.github/workflows/test.yaml vendored
View File

@@ -75,7 +75,7 @@ jobs:
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v2
with:
version: v0.164.0
version: v0.183.0
args: release --snapshot --rm-dist --skip-publish
build-documents:

3
.gitignore vendored
View File

@@ -27,3 +27,6 @@ integration/testdata/fixtures/images
# SBOMs generated during CI
/bom.json
# goreleaser output
dist

9
.golangci.yaml
View File

@@ -9,7 +9,7 @@ linters-settings:
revive:
ignore-generated-header: true
gocyclo:
min-complexity: 10
min-complexity: 20
dupl:
threshold: 100
goconst:
@@ -19,6 +19,10 @@ linters-settings:
locale: US
goimports:
local-prefixes: github.com/aquasecurity
gosec:
excludes:
- G204
- G402
linters:
disable-all: true
@@ -53,9 +57,6 @@ issues:
- linters:
- gosec
text: "Deferring unsafe method"
- linters:
- gosec
text: "G204: Subprocess launched with variable"
- linters:
- errcheck
text: "Close` is not checked"

92
CONTRIBUTING.md
View File

@@ -9,14 +9,89 @@ Thank you for taking interest in contributing to Trivy!
## Pull Requests
1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
1. Your PR is more likely to be accepted if it focuses on just one change.
1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
1. Please add the associated Issue in the PR description.
1. There's no need to add or tag reviewers.
1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
1. Please include a comment with the results before and after your change.
1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
4. Please add the associated Issue link in the PR description.
2. Your PR is more likely to be accepted if it focuses on just one change.
5. There's no need to add or tag reviewers.
6. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
7. Please include a comment with the results before and after your change.
8. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
9. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
### Title
It is not that strict, but we use the title conventions in this repository.
Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
#### Format of the title
```
<type>(<scope>): <subject>
```
The `type` and `scope` should always be lowercase as shown below.
**Allowed `<type>` values:**
- **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
- **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
- **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
- **docs** for changes to the documentation.
- **style** for formatting changes, missing semicolons, etc.
- **refactor** for refactoring production code, e.g. renaming a variable.
- **test** for adding missing tests, refactoring tests; no production code change.
- **build** for updating build configuration, development tools or other changes irrelevant to the user.
- **chore** for updates that do not apply to the above, such as dependency updates.
**Example `<scope>` values:**
- alpine
- redhat
- ruby
- python
- terraform
- report
- etc.
The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
#### Example titles
```
feat(alma): add support for AlmaLinux
```
```
fix(oracle): handle advisories with ksplice versions
```
```
docs(misconf): add comparison with Conftest and TFsec
```
```
chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
```
**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
### Unit tests
Your PR must pass all the unit tests. You can test it as below.
```
$ make test
```
### Integration tests
Your PR must pass all the integration tests. You can test it as below.
```
$ make test-integration
```
### Documentation
You can build the documents as below and view it at http://localhost:8000.
```
$ make mkdocs-serve
```
## Understand where your pull request belongs
@@ -25,4 +100,5 @@ Trivy is composed of several different repositories that work together:
- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.

2
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM alpine:3.14
FROM alpine:3.15.0
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/*.tpl contrib/

12
Dockerfile.protoc Normal file
View File

@@ -0,0 +1,12 @@
FROM golang:1.17
# Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
RUN apt-get update && apt-get install -y unzip
RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
&& unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
&& unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \
&& rm -f $PROTOC_ZIP
RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1

6
Makefile
View File

@@ -54,7 +54,11 @@ build:
.PHONY: protoc
protoc:
find ./rpc/ -name "*.proto" -type f -exec protoc --proto_path=$(GOSRC):. --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative {} \;
docker build -t trivy-protoc - < Dockerfile.protoc
docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
_protoc:
find ./rpc/ -name "*.proto" -type f -exec protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative {} \;
.PHONY: install
install:

4
README.md
View File

@@ -165,7 +165,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
# Features
- Comprehensive vulnerability detection
- OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Misconfiguration detection (IaC scanning)
- A wide variety of built-in policies are provided **out of the box**
@@ -185,6 +185,8 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
- **Suitable for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
- Support multiple targets
- container image, local filesystem and remote git repository
- Supply chain security (SBOM support)
- Support CycloneDX
# Integrations
- [GitHub Actions][action]

4
ci/deploy-deb.sh
View File

@@ -1,7 +1,7 @@
#!/bin/bash
DEBIAN_RELEASES=$(debian-distro-info --supported)
UBUNTU_RELEASES=$(ubuntu-distro-info --supported-esm)
UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
cd trivy-repo/deb
@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
echo "Removing deb package of $release"
reprepro -A i386 remove $release trivy
reprepro -A amd64 remove $release trivy
reprepro -A arm64 remove $release trivy
done
for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
echo "Adding deb package to $release"
reprepro includedeb $release ../../dist/*Linux-64bit.deb
reprepro includedeb $release ../../dist/*Linux-32bit.deb
reprepro includedeb $release ../../dist/*Linux-ARM64.deb
done
git add .

18
contrib/asff.tpl
View File

@@ -19,12 +19,12 @@
{
"SchemaVersion": "2018-10-08",
"Id": "{{ $target }}/{{ .VulnerabilityID }}",
"ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
"AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "{{ getCurrentTime }}",
"UpdatedAt": "{{ getCurrentTime }}",
"CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"Severity": {
"Label": "{{ $severity }}"
},
@@ -42,7 +42,7 @@
"Type": "Container",
"Id": "{{ $target }}",
"Partition": "aws",
"Region": "{{ getEnv "AWS_REGION" }}",
"Region": "{{ env "AWS_REGION" }}",
"Details": {
"Container": { "ImageName": "{{ $target }}" },
"Other": {
@@ -51,10 +51,10 @@
"PkgName": "{{ .PkgName }}",
"Installed Package": "{{ .InstalledVersion }}",
"Patched Package": "{{ .FixedVersion }}",
"NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
"NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
"NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
"NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
"NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
"NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
"NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
"NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
}
}
}

36
contrib/example_policy/advanced.rego
View File

@@ -5,30 +5,42 @@ import data.lib.trivy
default ignore = false
nvd_v3_vector = v {
v := input.CVSS.nvd.v3
v := input.CVSS.nvd.V3Vector
}
redhat_v3_vector = v {
v := input.CVSS.redhat.V3Vector
}
# Ignore a vulnerability which requires high privilege
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.PrivilegesRequired == "High"
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.PrivilegesRequired == "High"
# Check against RedHat scores as well as NVD
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.PrivilegesRequired == "High"
}
# Ignore a vulnerability which requires user interaction
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.UserInteraction == "Required"
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.UserInteraction == "Required"
# Check against RedHat scores as well as NVD
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.UserInteraction == "Required"
}
ignore {
input.PkgName == "openssl"
# Split CVSSv3 vector
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate Attack Vector
ignore_attack_vectors := {"Physical", "Local"}
cvss_vector.AttackVector == ignore_attack_vectors[_]
nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
}
ignore {
@@ -50,11 +62,11 @@ ignore {
input.PkgName == "bash"
# Split CVSSv3 vector
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate Attack Vector
ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
cvss_vector.AttackVector == ignore_attack_vectors[_]
nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
# Evaluate severity
input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
@@ -64,11 +76,11 @@ ignore {
input.PkgName == "django"
# Split CVSSv3 vector
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate Attack Vector
ignore_attack_vectors := {"Physical", "Local"}
cvss_vector.AttackVector == ignore_attack_vectors[_]
nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
# Evaluate severity
input.Severity == {"LOW", "MEDIUM"}[_]
@@ -86,7 +98,7 @@ ignore {
input.PkgName == "jquery"
# Split CVSSv3 vector
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate CWE-ID
deny_cwe_ids := {"CWE-79"} # XSS

27
contrib/example_policy/basic.rego
View File

@@ -9,7 +9,11 @@ ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
ignore_severities := {"LOW", "MEDIUM"}
nvd_v3_vector = v {
v := input.CVSS.nvd.v3
v := input.CVSS.nvd.V3Vector
}
redhat_v3_vector = v {
v := input.CVSS.redhat.V3Vector
}
ignore {
@@ -22,20 +26,29 @@ ignore {
# Ignore a vulnerability which is not remotely exploitable
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.AttackVector != "Network"
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.AttackVector != "Network"
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.AttackVector != "Network"
}
# Ignore a vulnerability which requires high privilege
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.PrivilegesRequired == "High"
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.PrivilegesRequired == "High"
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.PrivilegesRequired == "High"
}
# Ignore a vulnerability which requires user interaction
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.UserInteraction == "Required"
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.UserInteraction == "Required"
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.UserInteraction == "Required"
}
# Ignore CSRF

5
contrib/gitlab-codequality.tpl
View File

@@ -13,7 +13,8 @@
"type": "issue",
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": "{{ .VulnerabilityID }}: {{ .Title }}",
"description": {{ list .VulnerabilityID .Title | join ": " | printf "%q" }},
"fingerprint": "{{ .VulnerabilityID | sha1sum }}",
"content": {{ .Description | printf "%q" }},
"severity": {{ if eq .Severity "LOW" -}}
"info"
@@ -35,4 +36,4 @@
}
{{- end -}}
{{- end }}
]
]

29
contrib/html.tpl
View File

@@ -52,7 +52,7 @@
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
<title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,7 +82,7 @@
</script>
</head>
<body>
<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
<table>
{{- range . }}
<tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
@@ -112,6 +112,31 @@
</tr>
{{- end }}
{{- end }}
{{- if (eq (len .Misconfigurations ) 0) }}
<tr><th colspan="6">No Misconfigurations found</th></tr>
{{- else }}
<tr class="sub-header">
<th>Type</th>
<th>Misconf ID</th>
<th>Check</th>
<th>Severity</th>
<th>Message</th>
</tr>
{{- range .Misconfigurations }}
<tr class="severity-{{ escapeXML .Severity }}">
<td class="misconf-type">{{ escapeXML .Type }}</td>
<td>{{ escapeXML .ID }}</td>
<td class="misconf-check">{{ escapeXML .Title }}</td>
<td class="severity">{{ escapeXML .Severity }}</td>
<td class="link" data-more-links="off" style="white-space:normal;"">
{{ escapeXML .Message }}
<br>
<a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
</br>
</td>
</tr>
{{- end }}
{{- end }}
{{- end }}
</table>
{{- else }}

13
contrib/junit.tpl
View File

@@ -14,5 +14,18 @@
</testcase>
{{- end }}
</testsuite>
{{- $failures := len .Misconfigurations }}
<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
{{- if not (eq .Type "") }}
<properties>
<property name="type" value="{{ .Type }}"></property>
</properties>
{{- end -}}
{{ range .Misconfigurations }}
<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
</testcase>
{{- end }}
</testsuite>
{{- end }}
</testsuites>

96
contrib/sarif.tpl
View File

@@ -1,96 +0,0 @@
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
{{- $rules := makeRuleMap }}
"runs": [
{
"tool": {
"driver": {
"name": "Trivy",
"informationUri": "https://github.com/aquasecurity/trivy",
"fullName": "Trivy Vulnerability Scanner",
"version": "0.15.0",
"rules": [
{{- $t_first := true }}
{{- range $result := . }}
{{- $vulnerabilityType := .Type }}
{{- range .Vulnerabilities -}}
{{- if indexRule $rules .VulnerabilityID -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{ else -}}
,
{{- end }}
{
"id": {{ .VulnerabilityID | toJson }},
"name": "{{ toSarifRuleName $vulnerabilityType }}",
"shortDescription": {
"text": {{ .VulnerabilityID | toJson }}
},
"fullDescription": {
"text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
},
"defaultConfiguration": {
"level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
}
{{- with $help_uri := .PrimaryURL -}}
,
{{ $help_uri | printf "\"helpUri\": %q," -}}
{{- else -}}
,
{{- end }}
"properties": {
"tags": [
"vulnerability",
"{{ .Vulnerability.Severity }}"
],
"precision": "very-high"
}
}
{{- end -}}
{{- end -}}
{{- end -}}
]
}
},
"results": [
{{- $t_first := true }}
{{- range $result := . }}
{{- $filePath := .Target }}
{{- range $index, $vulnerability := .Vulnerabilities -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{ else -}}
,
{{- end }}
{
"ruleId": {{ .VulnerabilityID | toJson }},
"ruleIndex": {{ index $rules .VulnerabilityID }},
"level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
"message": {
"text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "{{ toPathUri $filePath }}",
"uriBaseId": "ROOTPATH"
},
"region" : {
"startLine": 1
}
}
}]
}
{{- end -}}
{{- end -}}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///"
}
}
}
]
}

96
docs/advanced/air-gap.md
View File

@@ -1,24 +1,27 @@
# Air-Gapped Environment
Trivy can be used in air-gapped environments.
Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
## Download the vulnerability database
## Air-Gapped Environment for vulnerabilities
### Download the vulnerability database
At first, you need to download the vulnerability database for use in air-gapped environments.
Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
Please follow [oras installation instruction][oras].
Download `db.tar.gz`:
```
$ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
```
## Transfer the DB file into the air-gapped environment
### Transfer the DB file into the air-gapped environment
The way of transfer depends on the environment.
```
$ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
```
## Put the DB file in Trivy's cache directory
### Put the DB file in Trivy's cache directory
You have to know where to put the DB file. The following command shows the default cache directory.
```
@@ -32,26 +35,79 @@ Put the DB file in the cache directory + `/db`.
```
$ mkdir -p /home/myuser/.cache/trivy/db
$ cd /home/myuser/.cache/trivy/db
$ mv /path/to/trivy-offline.db.tgz .
```
Then, decompress it.
`trivy-offline.db.tgz` file includes two files, `trivy.db` and `metadata.json`.
```
$ tar xvf trivy-offline.db.tgz
$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
x trivy.db
x metadata.json
$ rm trivy-offline.db.tgz
$ rm /path/to/db.tar.gz
```
In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities.
## Run Trivy with --skip-update option
### Run Trivy with --skip-update and --offline-scan option
In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
```
$ trivy image --skip-update alpine:3.12
$ trivy image --skip-update --offline-scan alpine:3.12
```
[trivy-db]: https://github.com/aquasecurity/trivy-db/releases
## Air-Gapped Environment for misconfigurations
### Download misconfiguration policies
At first, you need to download misconfiguration policies for use in air-gapped environments.
Please follow [oras installation instruction][oras].
Download `bundle.tar.gz`:
```
$ oras pull ghcr.io/aquasecurity/appshield:latest -a
```
### Transfer misconfiguration policies into the air-gapped environment
The way of transfer depends on the environment.
```
$ rsync -av -e ssh /path/to/bundle.tar.gz [user]@[host]:dst
```
### Put the misconfiguration policies in Trivy's cache directory
You have to know where to put the misconfiguration policies file. The following command shows the default cache directory.
```
$ ssh user@host
$ trivy -h | grep cache
--cache-dir value cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
```
Put the misconfiguration policies file in the cache directory + `/policy/content`.
```
$ mkdir -p /home/myuser/.cache/trivy/policy/content
$ cd /home/myuser/.cache/trivy/policy/content
$ mv /path/to/bundle.tar.gz .
```
Then, decompress it.
`bundle.tar.gz ` file includes two folders: `docker`, `kubernetes` and file: `.manifest`.
```
$ tar xvf bundle.tar.gz
x ./docker/
...
x ./kubernetes/
...
x ./.manifest
$ rm bundle.tar.gz
```
In an air-gapped environment it is your responsibility to update policies on a regular basis, so that the scanner can detect recently-identified misconfigurations.
### Run Trivy with --skip-policy-update option
In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
```
$ trivy conf --skip-policy-update /path/to/conf
```
[allowlist]: ../getting-started/troubleshooting.md
[oras]: https://oras.land/cli/

10
docs/advanced/community/tools.md
View File

@@ -10,6 +10,13 @@ Have you created a tool thats not listed? Add the name and description of you
| [gitrivy][gitrivy] | GitHub Issue + Trivy |
| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
## Semaphore
| Name | Description |
| -------------------------------------------------------| ----------------------------------------- |
| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
## CircleCI
| Orb | Description |
@@ -26,4 +33,5 @@ Have you created a tool thats not listed? Add the name and description of you
[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
[gitrivy]: https://github.com/marketplace/actions/trivy-action
[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy

2
docs/advanced/container/unpacked-filesystem.md
View File

@@ -1,6 +1,6 @@
# Unpacked Filesystem
Scan aan unpacked container image filesystem.
Scan an unpacked container image filesystem.
In this case, Trivy works the same way when scanning containers

2
docs/advanced/integrations/circleci.md
View File

@@ -19,7 +19,7 @@ jobs:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- run:
name: Scan the local image with trivy
command: trivy --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
command: trivy image --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
workflows:
version: 2
release:

18
docs/advanced/integrations/gitlab-ci.md
View File

@@ -32,11 +32,11 @@ trivy:
# Build image
- docker build -t $IMAGE .
# Build report
- ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
- ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
# Print report
- ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH $IMAGE
- ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --severity HIGH $IMAGE
# Fail on severe vulnerabilities
- ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress $IMAGE
- ./trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress $IMAGE
cache:
paths:
- .trivycache/
@@ -77,14 +77,14 @@ container_scanning:
# cache cleanup is needed when scanning images with the same tags, it does not remove the database
- time trivy image --clear-cache
# update vulnerabilities db
- time trivy --download-db-only --no-progress --cache-dir .trivycache/
- time trivy --cache-dir .trivycache/ image --download-db-only --no-progress
# Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
- time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"
- time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@/contrib/gitlab.tpl"
--output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
# Prints full report
- time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
- time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress "$FULL_IMAGE_NAME"
# Fail on critical vulnerabilities
- time trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
- time trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
cache:
paths:
- .trivycache/
@@ -135,14 +135,14 @@ trivy:
# Build image
- docker build -t $IMAGE .
# Build report
- ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab-codeclimate.tpl" -o gl-codeclimate.json $IMAGE
- ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate.json $IMAGE
cache:
paths:
- .trivycache/
# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
artifacts:
paths:
gl-codeclimate.json
- gl-codeclimate.json
reports:
codequality: gl-codeclimate.json
```

2
docs/advanced/integrations/index.md
View File

@@ -1,4 +1,2 @@
# Integrations
Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0`.
Since in automated scenarios such as CI/CD you are only interested in the end result, and not the full report, use the `--light` flag to optimize for this scenario and get fast results.

4
docs/advanced/integrations/travis-ci.md
View File

@@ -15,8 +15,8 @@ before_install:
- wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
- tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
script:
- ./trivy --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
- ./trivy --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
- ./trivy image --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
- ./trivy image --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
cache:
directories:
- $HOME/.cache/trivy

27
docs/advanced/private-registries/acr.md Normal file
View File

@@ -0,0 +1,27 @@
# Requirements
None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
# Privileges
Service principal must have the `AcrPull` permissions.
## Creation of a service principal
```bash
export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")
```
# Usage
```bash
# must set TRIVY_USERNAME empty char
export AZURE_CLIENT_ID$(echo $SP_DATA | jq -r .appId)
export AZURE_CLIENT_SECRET$(echo $SP_DATA | jq -r .password)
export AZURE_TENANT_ID$(echo $SP_DATA | jq -r .tenant)
```
# Testing
You can test credentials in the following manner.
```bash
docker run -it --rm -v /tmp:/tmp\
-e AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
-e AZURE_TENANT_ID=${AZURE_TENANT_ID} aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
```

37
docs/advanced/private-registries/gcr.md
View File

@@ -1,7 +1,40 @@
Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
# Requirements
None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
# Privileges
Credential file must have the `roles/storage.objectViewer` permissions.
More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
## JSON File Format
The JSON file specified should have the following format provided by google's service account mechanisms:
```json
{
"type": "service_account",
"project_id": "your_special_project",
"private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
"private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
"client_email": "somedude@your_special_project.iam.gserviceaccount.com",
"client_id": "1234567890",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
}
```
# Usage
If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
```bash
# must set TRIVY_USERNAME empty char
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
```
# Testing
You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
```bash
docker run -it --rm -v /tmp:/tmp\
-e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
```

175
docs/advanced/sbom/cyclonedx.md Normal file
View File

@@ -0,0 +1,175 @@
# CycloneDX
Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
Note that XML format is not supported at the moment.
You can specify `cyclonedx` with the `--format` option.
```
$ trivy image --format cyclonedx --output result.json alpine:3.15
```
<details>
<summary>Result</summary>
```
$ cat result.json | jq .
{
"bomFormat": "CycloneDX",
"specVersion": "1.3",
"serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace",
"version": 1,
"metadata": {
"timestamp": "2022-02-22T15:11:40.270597Z",
"tools": [
{
"vendor": "aquasecurity",
"name": "trivy",
"version": "dev"
}
],
"component": {
"bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
"type": "container",
"name": "alpine:3.15",
"version": "",
"purl": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",
"value": "2"
},
{
"name": "aquasecurity:trivy:ImageID",
"value": "sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18"
},
{
"name": "aquasecurity:trivy:RepoDigest",
"value": "alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300"
},
{
"name": "aquasecurity:trivy:DiffID",
"value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
},
{
"name": "aquasecurity:trivy:RepoTag",
"value": "alpine:3.15"
}
]
}
},
"components": [
{
"bom-ref": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
"type": "library",
"name": "alpine-baselayout",
"version": "3.2.0-r18",
"licenses": [
{
"expression": "GPL-2.0-only"
}
],
"purl": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
"properties": [
{
"name": "aquasecurity:trivy:SrcName",
"value": "alpine-baselayout"
},
{
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.2.0-r18"
},
{
"name": "aquasecurity:trivy:LayerDigest",
"value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
},
{
"name": "aquasecurity:trivy:LayerDiffID",
"value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
}
]
},
...(snip)...
{
"bom-ref": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
"type": "library",
"name": "zlib",
"version": "1.2.11-r3",
"licenses": [
{
"expression": "Zlib"
}
],
"purl": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
"properties": [
{
"name": "aquasecurity:trivy:SrcName",
"value": "zlib"
},
{
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.2.11-r3"
},
{
"name": "aquasecurity:trivy:LayerDigest",
"value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
},
{
"name": "aquasecurity:trivy:LayerDiffID",
"value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
}
]
},
{
"bom-ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
"type": "operating-system",
"name": "alpine",
"version": "3.15.0",
"properties": [
{
"name": "aquasecurity:trivy:Type",
"value": "alpine"
},
{
"name": "aquasecurity:trivy:Class",
"value": "os-pkgs"
}
]
}
],
"dependencies": [
{
"ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
"dependsOn": [
"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
"pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0",
"pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0",
"pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0",
"pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0",
"pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0",
"pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0",
"pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0",
"pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0",
"pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0",
"pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0",
"pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0",
"pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0",
"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0"
]
},
{
"ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
"dependsOn": [
"3da6a469-964d-4b4e-b67d-e94ec7c88d37"
]
}
]
}
```
</details>
!!! caution
It doesn't support vulnerabilities yet, but installed packages.
[cyclonedx]: https://cyclonedx.org/

3
docs/getting-started/cli/client.md
View File

@@ -9,7 +9,7 @@ USAGE:
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
@@ -22,6 +22,7 @@ OPTIONS:
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--token value for authentication [$TRIVY_TOKEN]
--token-header value specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
--remote value server address (default: "http://localhost:4954") [$TRIVY_REMOTE]

2
docs/getting-started/cli/config.md
View File

@@ -9,7 +9,7 @@ USAGE:
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]

3
docs/getting-started/cli/fs.md
View File

@@ -9,7 +9,7 @@ USAGE:
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
@@ -25,6 +25,7 @@ OPTIONS:
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
--config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]

4
docs/getting-started/cli/image.md
View File

@@ -9,7 +9,7 @@ USAGE:
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
@@ -24,9 +24,9 @@ OPTIONS:
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--light light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--skip-files value specify the file path to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]

4
docs/getting-started/cli/repo.md
View File

@@ -9,7 +9,7 @@ USAGE:
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
@@ -23,8 +23,10 @@ OPTIONS:
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--quiet, -q suppress progress bar and log output (default: false) [$TRIVY_QUIET]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--skip-files value specify the file path to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
--help, -h show help (default: false)

3
docs/getting-started/cli/rootfs.md
View File

@@ -9,7 +9,7 @@ USAGE:
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
@@ -25,6 +25,7 @@ OPTIONS:
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
--config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]

3
docs/getting-started/installation.md
View File

@@ -118,13 +118,12 @@ Example:
=== "Linux"
``` bash
docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} [YOUR_IMAGE_NAME]
docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME]
```
=== "macOS"
``` bash
yay -Sy trivy-bin
docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} python:3.4-alpine
```

9
docs/getting-started/overview.md
View File

@@ -22,7 +22,7 @@ See [Integrations][integrations] for details.
## Features
- Comprehensive vulnerability detection
- [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Detect IaC misconfigurations
- A wide variety of [built-in policies][builtin] are provided **out of the box**:
@@ -55,12 +55,11 @@ See [Integrations][integrations] for details.
- An image directory compliant with [OCI Image Format][oci]
- local filesystem and rootfs
- remote git repository
- SBOM (Software Bill of Materials) support
- CycloneDX
Please see [LICENSE][license] for Trivy licensing information.
!!! note
Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
[vuln]: ../vulnerability/scanning/index.md
[misconf]: ../misconfiguration/index.md
[container]: ../vulnerability/scanning/image.md
@@ -80,4 +79,4 @@ Please see [LICENSE][license] for Trivy licensing information.
[podman]: ../advanced/container/podman.md
[oci]: https://github.com/opencontainers/image-spec
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE

32
docs/getting-started/troubleshooting.md
View File

@@ -39,6 +39,22 @@ https://developer.github.com/v3/#rate-limiting
$ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
```
### Maven rate limiting
!!! error
``` bash
$ trivy image ...
...
status 403 Forbidden from http://search.maven.org/solrsearch/select
```
Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
If it happens frequently, try the `--offline-scan` option to stop Trivy from making API requests.
This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.
### Running in parallel takes same time as series run
When running trivy on multiple images simultaneously, it will take same time as running trivy in series.
This is because of a limitation of boltdb.
@@ -53,11 +69,17 @@ Reference : [boltdb: Opening a database][boltdb].
!!! error
FATAL failed to download vulnerability DB
If trivy is running behind corporate firewall try to whitelist urls below:
If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
- api.github.com
- github.com
- github-releases.githubusercontent.com
- ghcr.io
- pkg-containers.githubusercontent.com
### Old DB schema
!!! error
--skip-update cannot be specified with the old DB schema.
Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
## Homebrew
### Scope error
@@ -107,3 +129,5 @@ Try again with `--reset` option:
```
$ trivy image --reset
```
[air-gapped]: ../advanced/air-gap.md

2
docs/misconfiguration/iac.md
View File

@@ -111,7 +111,7 @@ Failures: 9 (HIGH: 6, CRITICAL: 1)
+ + + + +--------------------------------------------------------+
| | | | | Resource |
| | | | | 'aws_api_gateway_domain_name.missing_security_policy' |
| | | | | should include security_policy (defauls to outdated |
| | | | | should include security_policy (defaults to outdated |
| | | | | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/ |
+ + + + +--------------------------------------------------------+
| | | | | Resource |

2
docs/misconfiguration/options/filter.md
View File

@@ -72,7 +72,7 @@ Failures: 8 (HIGH: 6, CRITICAL: 1)
+ + + + +--------------------------------------------------------+
| | | | | Resource |
| | | | | 'aws_api_gateway_domain_name.missing_security_policy' |
| | | | | should include security_policy (defauls to outdated |
| | | | | should include security_policy (defaults to outdated |
| | | | | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/ |
+ + + + +--------------------------------------------------------+
| | | | | Resource |

2
docs/misconfiguration/options/report.md
View File

@@ -3,4 +3,4 @@
See [Reports Formats](../../vulnerability/examples/report.md) in Vulnerability section.
!!! caution
Misconfiguration scanning doesn't support default templates such as XML and SARIF for now.
Misconfiguration scanning doesn't support default templates such as XML for now.

43
docs/vulnerability/detection/data-source.md
View File

@@ -11,28 +11,31 @@
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] |
| | [Security Data][rhel-api] |
| AlmaLinux | [AlmaLinux Product Errata][alma] |
| Rocky Linux | [Rocky Linux UpdateInfo][rocky] |
| Oracle Linux | [OVAL][oracle] |
| CBL-Mariner | [OVAL][mariner] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |
# Programming Language
| Language | Source | Commercial Use | Delay[^1]|
| ---------------------------- | -------------------------------------------------|:---------------:|:--------:|
| PHP | [PHP Security Advisories Database][php] | ✅ | - |
| | [GitHub Advisory Database (Composer)][php-ghsa] | ✅ | - |
| Python | [Safety DB][python] | ❌ | 1 month |
| | [GitHub Advisory Database (pip)][python-ghsa] | ✅ | - |
| Ruby | [Ruby Advisory Database][ruby] | ✅ | - |
| | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅ | - |
| Node.js | [Ecosystem Security Working Group][nodejs] | ✅ | - |
| | [GitHub Advisory Database (npm)][nodejs-ghsa] | ✅ | - |
| Java | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [GitHub Advisory Database (Maven)][java-ghsa] | ✅ | - |
| Go | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [The Go Vulnerability Database][go] | ✅ | - |
| Rust | [RustSec Advisory Database][rust] | ✅ | - |
| .NET | [GitHub Advisory Database (NuGet)][dotnet-ghsa] | ✅ | - |
| Language | Source | Commercial Use | Delay[^1]|
| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
| PHP | [PHP Security Advisories Database][php] | ✅ | - |
| | [GitHub Advisory Database (Composer)][php-ghsa] | ✅ | - |
| Python | [GitHub Advisory Database (pip)][python-ghsa] | ✅ | - |
| | [Open Source Vulnerabilities (PyPI)][python-osv] | ✅ | - |
| Ruby | [Ruby Advisory Database][ruby] | ✅ | - |
| | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅ | - |
| Node.js | [Ecosystem Security Working Group][nodejs] | ✅ | - |
| | [GitHub Advisory Database (npm)][nodejs-ghsa] | ✅ | - |
| Java | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [GitHub Advisory Database (Maven)][java-ghsa] | ✅ | - |
| Go | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [The Go Vulnerability Database][go] | ✅ | - |
| Rust | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅ | - |
| .NET | [GitHub Advisory Database (NuGet)][dotnet-ghsa] | ✅ | - |
[^1]: Intentional delay between vulnerability disclosure and registration in the DB
@@ -51,9 +54,12 @@
[ubuntu]: https://ubuntu.com/security/cve
[rhel-oval]: https://www.redhat.com/security/data/oval/v2/
[rhel-api]: https://www.redhat.com/security/data/metrics/
[alma]: https://errata.almalinux.org/
[rocky]: https://download.rockylinux.org/pub/rocky/
[oracle]: https://linux.oracle.com/security/oval/
[suse]: http://ftp.suse.com/pub/projects/security/cvrf/
[photon]: https://packages.vmware.com/photon/photon_cve_metadata/
[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
[python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
@@ -63,11 +69,12 @@
[dotnet-ghsa]: https://github.com/advisories?query=ecosystem%3Anuget
[php]: https://github.com/FriendsOfPHP/security-advisories
[python]: https://github.com/pyupio/safety-db
[ruby]: https://github.com/rubysec/ruby-advisory-db
[nodejs]: https://github.com/nodejs/security-wg
[gitlab]: https://gitlab.com/gitlab-org/advisories-community
[go]: https://github.com/golang/vulndb
[rust]: (https://github.com/RustSec/advisory-db)
[python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
[rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
[nvd]: https://nvd.nist.gov/

51
docs/vulnerability/detection/language.md
View File

@@ -2,23 +2,25 @@
`Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
| Language | File | Image[^6] | Rootfs[^7] | Filesystem[^8] | Repository[^9] |Dev dependencies |
|----------|--------------------------|:---------:|:----------:|:--------------:|:---------------:|-----------------|
| Ruby | Gemfile.lock | - | - | | | included |
| | gemspec | ✅ | ✅ | - | - | included |
| Python | Pipfile.lock | - | - | | | excluded |
| | poetry.lock | - | - | | | included |
| | requirements.txt | - | - | | | included |
| | egg package[^1] | ✅ | ✅ | - | - | excluded |
| | wheel package[^2] | ✅ | ✅ | - | - | excluded |
| PHP | composer.lock | ✅ | ✅ | | | excluded |
| Node.js | package-lock.json | - | - | | | excluded |
| | yarn.lock | - | - | | | included |
| | package.json | ✅ | ✅ | - | - | excluded |
| .NET | packages.lock.json | ✅ | ✅ | | | included |
| Java | JAR/WAR/EAR[^3][^4] | ✅ | ✅ | | | included |
| Go | Binaries built by Go[^5] | ✅ | | - | - | excluded |
| | go.sum | - | - | ✅ | | included |
| Language | File | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] |Dev dependencies |
|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
| Ruby | Gemfile.lock | - | - | | | included |
| | gemspec | ✅ | ✅ | - | - | included |
| Python | Pipfile.lock | - | - | | | excluded |
| | poetry.lock | - | - | | | included |
| | requirements.txt | - | - | | | included |
| | egg package[^1] | ✅ | ✅ | - | - | excluded |
| | wheel package[^2] | ✅ | ✅ | - | - | excluded |
| PHP | composer.lock | ✅ | ✅ | | | excluded |
| Node.js | package-lock.json | - | - | | | excluded |
| | yarn.lock | - | - | | | included |
| | package.json | ✅ | ✅ | - | - | excluded |
| .NET | packages.lock.json | ✅ | ✅ | | | included |
| Java | JAR/WAR/PAR/EAR[^3][^4] | ✅ | ✅ | - | - | included |
| | pom.xml[^5] | - | - | | | excluded |
| Go | Binaries built by Go[^6] | ✅ | | - | - | excluded |
| | go.sum | - | - | ✅ | ✅ | included |
| Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ | included |
The path of these files does not matter.
@@ -26,10 +28,11 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
[^2]: `.dist-info/META-DATA`
[^3]: `*.jar`, `*.war`, and `*.ear`
[^4]: It requires the Internet access
[^5]: UPX-compressed binaries don't work
[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^7]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^9]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
[^4]: It requires Internet access
[^5]: It requires Internet access when the POM doesn't exist in your local repository
[^6]: UPX-compressed binaries don't work
[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning

11
docs/vulnerability/detection/os.md
View File

@@ -4,16 +4,19 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
| OS | Supported Versions | Target Packages | Detection of unfixed vulnerabilities |
| -------------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
| Alpine Linux | 2.2 - 2.7, 3.0 - 3.13 | Installed by apk | NO |
| Alpine Linux | 2.2 - 2.7, 3.0 - 3.15 | Installed by apk | NO |
| Red Hat Universal Base Image[^1] | 7, 8 | Installed by yum/rpm | YES |
| Red Hat Enterprise Linux | 6, 7, 8 | Installed by yum/rpm | YES |
| CentOS | 6, 7 | Installed by yum/rpm | YES |
| CentOS | 6, 7, 8 | Installed by yum/rpm | YES |
| AlmaLinux | 8 | Installed by yum/rpm | NO |
| Rocky Linux | 8 | Installed by yum/rpm | NO |
| Oracle Linux | 5, 6, 7, 8 | Installed by yum/rpm | NO |
| CBL-Mariner | 1.0, 2.0 | Installed by yum/rpm | YES |
| Amazon Linux | 1, 2 | Installed by yum/rpm | NO |
| openSUSE Leap | 42, 15 | Installed by zypper/rpm | NO |
| SUSE Enterprise Linux | 11, 12, 15 | Installed by zypper/rpm | NO |
| Photon OS | 1.0, 2.0, 3.0 | Installed by tdnf/yum/rpm | NO |
| Debian GNU/Linux | wheezy, jessie, stretch, buster | Installed by apt/apt-get/dpkg | YES |
| Photon OS | 1.0, 2.0, 3.0, 4.0 | Installed by tdnf/yum/rpm | NO |
| Debian GNU/Linux | wheezy, jessie, stretch, buster, bullseye| Installed by apt/apt-get/dpkg | YES |
| Ubuntu | All versions supported by Canonical | Installed by apt/apt-get/dpkg | YES |
| Distroless[^2] | Any | Installed by apt/apt-get/dpkg | YES |

11
docs/vulnerability/examples/cache.md
View File

@@ -41,3 +41,14 @@ Two options:
```
$ trivy server --cache-backend redis://localhost:6379
```
Trivy also support for connecting to Redis using TLS, you only need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` option.
```
$ trivy server --cache-backend redis://localhost:6379 \
--redis-ca /path/to/ca-cert.pem \
--redis-cert /path/to/cert.pem \
--redis-key /path/to/key.pem
```
TLS option for redis is hidden from Trivy command-line flag, but you still can use it.

36
docs/vulnerability/examples/db.md
View File

@@ -36,39 +36,3 @@ This is useful to initialize workers in Continuous Integration systems.
```
$ trivy image --download-db-only
```
## Lightweight DB
The lightweight DB doesn't contain vulnerability detail such as descriptions and references. Because of that, the size of the DB is smaller and the download is faster.
This option is useful when you don't need vulnerability details and is suitable for CI/CD.
To find the additional information, you can search vulnerability details on the NVD website.
https://nvd.nist.gov/vuln/search
```
$ trivy image --light alpine:3.10
```
`--light` option doesn't display titles like the following example.
<details>
<summary>Result</summary>
```
2019-11-14T10:21:01.553+0200 INFO Reopening vulnerability DB
2019-11-14T10:21:02.574+0200 INFO Detecting Alpine vulnerabilities...
alpine:3.10 (alpine 3.10.2)
===========================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+---------+------------------+----------+-------------------+---------------+
| openssl | CVE-2019-1549 | MEDIUM | 1.1.1c-r0 | 1.1.1d-r0 |
+ +------------------+ + + +
| | CVE-2019-1563 | | | |
+ +------------------+----------+ + +
| | CVE-2019-1547 | LOW | | |
+---------+------------------+----------+-------------------+---------------+
```
</details>

57
docs/vulnerability/examples/filter.md
View File

@@ -294,25 +294,60 @@ There is a built-in Rego library with helper functions that you can import into
To get started, see the [example policy][policy].
```bash
$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7
$ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
```
<details>
<summary>Result</summary>
```bash
centos:7 (centos 7.8.2003)
centos:7 (centos 7.9.2009)
==========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 5)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| glib2 | CVE-2016-3191 | HIGH | 2.56.1-5.el7 | | pcre: workspace overflow |
| | | | | | for (*ACCEPT) with deeply |
| | | | | | nested parentheses (8.39/13, |
| | | | | | 10.22/12) |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
| glib2 | CVE-2015-8385 | HIGH | 2.56.1-7.el7 | | pcre: buffer overflow caused |
| | | | | | by named forward reference |
| | | | | | to duplicate group number... |
| | | | | | -->avd.aquasec.com/nvd/cve-2015-8385 |
+ +------------------+ + +-------------------+-----------------------------------------+
| | CVE-2016-3191 | | | | pcre: workspace overflow for |
| | | | | | (*ACCEPT) with deeply nested |
| | | | | | parentheses (8.39/13, 10.22/12) |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-3191 |
+ +------------------+ + +-------------------+-----------------------------------------+
| | CVE-2021-27219 | | | 2.56.1-9.el7_9 | glib: integer overflow in |
| | | | | | g_bytes_new function on |
| | | | | | 64-bit platforms due to an... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-27219 |
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
| glibc | CVE-2019-1010022 | CRITICAL | 2.17-317.el7 | | glibc: stack guard protection bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+--------------+ + + +-------------------+ +
| glibc-common | | | | | |
| | | | | | |
+--------------+------------------+ +-------------------+-------------------+-----------------------------------------+
| nss | CVE-2021-43527 | | 3.53.1-3.el7_9 | 3.67.0-4.el7_9 | nss: Memory corruption in |
| | | | | | decodeECorDsaSignature with |
| | | | | | DSA signatures (and RSA-PSS) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-43527 |
+--------------+ + + + + +
| nss-sysinit | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+--------------+ + + + + +
| nss-tools | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
| openssl-libs | CVE-2020-1971 | HIGH | 1:1.0.2k-19.el7 | 1:1.0.2k-21.el7_9 | openssl: EDIPARTYNAME |
| | | | | | NULL pointer de-reference |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 |
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
```
</details>

27
docs/vulnerability/examples/report.md
View File

@@ -136,6 +136,15 @@ $ trivy image -f json -o results.json golang:1.12-alpine
`VulnerabilityID`, `PkgName`, `InstalledVersion`, and `Severity` in `Vulnerabilities` are always filled with values, but other fields might be empty.
## SARIF
[Sarif][sarif] can be generated with the `--format sarif` option.
```
$ trivy image --format sarif -o report.sarif golang:1.12-alpine
```
This SARIF file can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
## Template
### Custom Template
@@ -183,19 +192,16 @@ $ trivy image --format template --template "@/path/to/template" golang:1.12-alpi
```
### Default Templates
If Trivy is installed using rpm then default templates can be found at `/usr/local/share/trivy/templates`.
#### XML
In the following example using the template `junit.tpl` XML can be generated.
```
$ trivy image --format template --template "@contrib/junit.tpl" -o junit-report.xml golang:1.12-alpine
```
#### SARIF
In the following example using the template `sarif.tpl` [Sarif][sarif] can be generated.
```
$ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif golang:1.12-alpine
```
This SARIF format can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
#### ASFF
Trivy also supports an [ASFF template for reporting findings to AWS Security Hub][asff]
#### HTML
@@ -204,6 +210,13 @@ Trivy also supports an [ASFF template for reporting findings to AWS Security Hub
$ trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine
```
The following example shows use of default HTML template when Trivy is installed using rpm.
```
$ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
```
[new-json]: https://github.com/aquasecurity/trivy/discussions/1050
[action]: https://github.com/aquasecurity/trivy-action
[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/integrations/aws-security-hub.md

7
docs/vulnerability/scanning/filesystem.md
View File

@@ -47,3 +47,10 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
```
</details>
### Single file
It's also possible to scan a single file.
```
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
```

19
docs/vulnerability/scanning/git-repository.md
View File

@@ -6,8 +6,6 @@ Scan your remote git repository
$ trivy repo https://github.com/knqyf263/trivy-ci-test
```
Only public repositories are supported.
<details>
<summary>Result</summary>
@@ -148,3 +146,20 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
```
</details>
## Scanning Private Repositories
In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
For example:
```
$ export GITHUB_TOKEN="your_private_github_token"
$ trivy repo <your private GitHub repo URL>
$
$ # or
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>
```

73
docs/vulnerability/scanning/image.md
View File

@@ -38,49 +38,52 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
## Tar Files
```
$ docker save ruby:2.3.0-alpine3.9 -o ruby-2.3.0.tar
$ trivy image --input ruby-2.3.0.tar
$ docker pull ruby:3.1-alpine3.15
$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
$ trivy image --input ruby-3.1.tar
```
<details>
<summary>Result</summary>
```
2019-05-16T12:45:57.332+0900 INFO Updating vulnerability database...
2019-05-16T12:45:59.119+0900 INFO Detecting Debian vulnerabilities...
2022-02-03T10:08:19.127Z INFO Detected OS: alpine
2022-02-03T10:08:19.127Z WARN This OS version is not on the EOL list: alpine 3.15
2022-02-03T10:08:19.127Z INFO Detecting Alpine vulnerabilities...
2022-02-03T10:08:19.127Z INFO Number of language-specific files: 2
2022-02-03T10:08:19.127Z INFO Detecting gemspec vulnerabilities...
2022-02-03T10:08:19.128Z INFO Detecting node-pkg vulnerabilities...
2022-02-03T10:08:19.128Z WARN This OS version is no longer supported by the distribution: alpine 3.15.0
2022-02-03T10:08:19.128Z WARN The vulnerability detection may be insufficient because security updates are not provided
ruby-2.3.0.tar (debian 8.4)
===========================
Total: 7447 (UNKNOWN: 5, LOW: 326, MEDIUM: 5695, HIGH: 1316, CRITICAL: 105)
ruby-3.1.tar (alpine 3.15.0)
============================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)
+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| apt | CVE-2019-3462 | CRITICAL | 1.0.9.8.3 | 1.0.9.8.5 | Incorrect sanitation of the |
| | | | | | 302 redirect field in HTTP |
| | | | | | transport method of... |
+ +---------------------+----------+ +----------------------------------+-----------------------------------------------------+
| | CVE-2016-1252 | MEDIUM | | 1.0.9.8.4 | The apt package in Debian |
| | | | | | jessie before 1.0.9.8.4, in |
| | | | | | Debian unstable before... |
+ +---------------------+----------+ +----------------------------------+-----------------------------------------------------+
| | CVE-2011-3374 | LOW | | | |
+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| bash | CVE-2016-7543 | HIGH | 4.3-11 | 4.3-11+deb8u1 | bash: Specially crafted |
| | | | | | SHELLOPTS+PS4 variables allows |
| | | | | | command substitution |
+ +---------------------+ + +----------------------------------+-----------------------------------------------------+
| | CVE-2019-9924 | | | 4.3-11+deb8u2 | bash: BASH_CMD is writable in |
| | | | | | restricted bash shells |
+ +---------------------+----------+ +----------------------------------+-----------------------------------------------------+
| | CVE-2016-0634 | MEDIUM | | 4.3-11+deb8u1 | bash: Arbitrary code execution |
| | | | | | via malicious hostname |
+ +---------------------+----------+ +----------------------------------+-----------------------------------------------------+
| | CVE-2016-9401 | LOW | | 4.3-11+deb8u2 | bash: popd controlled free |
+ +---------------------+ + +----------------------------------+-----------------------------------------------------+
| | TEMP-0841856-B18BAF | | | | |
+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------
...
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| gmp | CVE-2021-43618 | HIGH | 6.2.1-r0 | 6.2.1-r1 | gmp: Integer overflow and resultant |
| | | | | | buffer overflow via crafted input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 |
+----------+ + + + + +
| gmp-dev | | | | | |
| | | | | | |
| | | | | | |
+----------+ + + + + +
| libgmpxx | | | | | |
| | | | | | |
| | | | | | |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Node.js (node-pkg)
==================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Ruby (gemspec)
==============
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
</details>

2
examples/misconf/custom-policy/hcl/policy/full_open.rego
View File

@@ -11,6 +11,6 @@ __rego_input__ := {"selector": [{"type": "hcl"}]}
deny[msg] {
input.environment == "dev"
contains(input.service.http[name].listen_addr, "0.0.0.0")
contains(input.service.http[name][_].listen_addr, "0.0.0.0")
msg = sprintf("'%s' listens on 0.0.0.0 in dev environment", [name])
}

58
examples/misconf/custom-policy/hcl/policy/full_open_test.rego
View File

@@ -1,39 +1,43 @@
package user.hcl.ID004
test_denied {
msg := "'web_proxy' listens on 0.0.0.0 in dev environment"
deny[msg] with input as {
"environment": "dev",
"service": {
"http": {
"web_proxy": {
"listen_addr": "0.0.0.0:8080",
"process": {
"main": {
"command": ["/usr/local/bin/awesome-app", "server"],
},
},
},
},
},
"environment": "dev",
"service": {"http": {"web_proxy": [{
"listen_addr": "0.0.0.0:8080",
"process": {
"main": [{"command": [
"/usr/local/bin/awesome-app",
"server",
]}],
"mgmt": [{"command": [
"/usr/local/bin/awesome-app",
"mgmt",
]}],
},
}]}},
}
msg == "'web_proxy' listens on 0.0.0.0 in dev environment"
}
test_allowed {
r := deny with input as {
"environment": "dev",
"service": {
"http": {
"web_proxy": {
"listen_addr": "127.0.0.1:8080",
"process": {
"main": {
"command": ["/usr/local/bin/awesome-app", "server"],
},
},
},
},
},
"environment": "dev",
"service": {"http": {"web_proxy": [{
"listen_addr": "127.0.0.1:8080",
"process": {
"main": [{"command": [
"/usr/local/bin/awesome-app",
"server",
]}],
"mgmt": [{"command": [
"/usr/local/bin/awesome-app",
"mgmt",
]}],
},
}]}},
}
count(r) == 0
}

2
examples/misconf/mixed/README.md
View File

@@ -67,7 +67,7 @@ Failures: 8 (HIGH: 6, CRITICAL: 1)
+ + + + +--------------------------------------------------------+
| | | | | Resource |
| | | | | 'aws_api_gateway_domain_name.missing_security_policy' |
| | | | | should include security_policy (defauls to outdated |
| | | | | should include security_policy (defaults to outdated |
| | | | | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/ |
+ + + + +--------------------------------------------------------+
| | | | | Resource |

49
go.mod
View File

@@ -3,51 +3,64 @@ module github.com/aquasecurity/trivy
go 1.16
require (
github.com/CycloneDX/cyclonedx-go v0.4.0
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/sprig v2.22.0+incompatible
github.com/Microsoft/hcsshim v0.9.2 // indirect
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/fanal v0.0.0-20211111090223-628ff1de3ee1
github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
github.com/aquasecurity/fanal v0.0.0-20220225095822-ef150f781751
github.com/aquasecurity/go-dep-parser v0.0.0-20220224134419-e4f58c60089e
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b
github.com/caarlos0/env/v6 v6.0.0
github.com/aquasecurity/trivy-db v0.0.0-20220130223604-df65ebde46f4
github.com/caarlos0/env/v6 v6.9.1
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.0.3
github.com/containerd/containerd v1.5.7 // indirect
github.com/docker/cli v20.10.9+incompatible // indirect
github.com/docker/docker v20.10.10+incompatible
github.com/cheggaaa/pb/v3 v3.0.8
github.com/containerd/cgroups v1.0.3 // indirect
github.com/containerd/containerd v1.5.9 // indirect
github.com/containerd/continuity v0.2.2 // indirect
github.com/docker/docker v20.10.12+incompatible
github.com/docker/go-connections v0.4.0
github.com/fatih/color v1.10.0
github.com/fatih/color v1.13.0
github.com/go-redis/redis/v8 v8.11.4
github.com/goccy/go-yaml v1.8.2 // indirect
github.com/golang/protobuf v1.5.2
github.com/google/go-containerregistry v0.6.0
github.com/google/go-github/v33 v33.0.0
github.com/google/wire v0.4.0
github.com/hashicorp/go-getter v1.5.2
github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
github.com/google/uuid v1.3.0
github.com/google/wire v0.5.0
github.com/hashicorp/go-getter v1.5.11
github.com/huandu/xstrings v1.3.2 // indirect
github.com/klauspost/compress v1.14.2 // indirect
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
github.com/mitchellh/copystructure v1.1.1 // indirect
github.com/moby/sys/mountinfo v0.6.0 // indirect
github.com/olekukonko/tablewriter v0.0.5
github.com/open-policy-agent/opa v0.34.0
github.com/spf13/afero v1.6.0
github.com/open-policy-agent/opa v0.37.2
github.com/opencontainers/runc v1.1.0 // indirect
github.com/owenrumney/go-sarif/v2 v2.0.17
github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
github.com/spf13/afero v1.8.1
github.com/stretchr/objx v0.3.0 // indirect
github.com/stretchr/testify v1.7.0
github.com/testcontainers/testcontainers-go v0.11.1
github.com/twitchtv/twirp v8.1.0+incompatible
github.com/twitchtv/twirp v8.1.1+incompatible
github.com/urfave/cli/v2 v2.3.0
go.uber.org/zap v1.19.1
golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
go.uber.org/zap v1.21.0
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
golang.org/x/sys v0.0.0-20220204135822-1c1b9b1eba6a // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
google.golang.org/genproto v0.0.0-20220204002441-d6cc3cc0770e // indirect
google.golang.org/protobuf v1.27.1
gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
k8s.io/utils v0.0.0-20201110183641-67b214c5f920
)
// To resolve CVE-2021-3538. Note that it is used only for testing.
replace github.com/satori/go.uuid v1.2.0 => github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102

777
go.sum
View File

File diff suppressed because it is too large Load Diff

41
goreleaser.yml
View File

@@ -13,19 +13,22 @@ builds:
- darwin
- linux
- freebsd
- openbsd
goarch:
- amd64
- 386
- arm
- arm64
- ppc64le
- s390x
goarm:
- 7
ignore:
- goos: darwin
goarch: 386
# modernc.org/sqlite doesn't support the following pairs
- goos: freebsd
goarch: arm
- goos: freebsd
goarch: arm64
release:
extra_files:
@@ -99,7 +102,7 @@ dockers:
- "ghcr.io/aquasecurity/trivy:latest-amd64"
- "public.ecr.aws/aquasecurity/trivy:latest-amd64"
- "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64"
use_buildx: true
use: buildx
goos: linux
goarch: amd64
ids:
@@ -123,7 +126,7 @@ dockers:
- "ghcr.io/aquasecurity/trivy:latest-arm64"
- "public.ecr.aws/aquasecurity/trivy:latest-arm64"
- "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64"
use_buildx: true
use: buildx
goos: linux
goarch: arm64
ids:
@@ -140,29 +143,59 @@ dockers:
- "--platform=linux/arm64"
extra_files:
- contrib/
- image_templates:
- "docker.io/aquasec/trivy:{{ .Version }}-s390x"
- "docker.io/aquasec/trivy:latest-s390x"
- "ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x"
- "ghcr.io/aquasecurity/trivy:latest-s390x"
- "public.ecr.aws/aquasecurity/trivy:latest-s390x"
- "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x"
use: buildx
goos: linux
goarch: s390x
ids:
- trivy
build_flag_templates:
- "--label=org.label-schema.schema-version=1.0"
- "--label=org.label-schema.name={{ .ProjectName }}"
- "--label=org.label-schema.description=A Fast Vulnerability Scanner for Containers"
- "--label=org.label-schema.vendor=Aqua Security"
- "--label=org.label-schema.version={{ .Version }}"
- "--label=org.label-schema.build-date={{ .Date }}"
- "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
- "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
- "--platform=linux/s390x"
extra_files:
- contrib/
docker_manifests:
- name_template: 'aquasec/trivy:{{ .Version }}'
image_templates:
- 'aquasec/trivy:{{ .Version }}-amd64'
- 'aquasec/trivy:{{ .Version }}-arm64'
- 'aquasec/trivy:{{ .Version }}-s390x'
- name_template: 'ghcr.io/aquasecurity/trivy:{{ .Version }}'
image_templates:
- 'ghcr.io/aquasecurity/trivy:{{ .Version }}-amd64'
- 'ghcr.io/aquasecurity/trivy:{{ .Version }}-arm64'
- 'ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x'
- name_template: 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}'
image_templates:
- 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64'
- 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64'
- 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
- name_template: 'aquasec/trivy:latest'
image_templates:
- 'aquasec/trivy:{{ .Version }}-amd64'
- 'aquasec/trivy:{{ .Version }}-arm64'
- 'aquasec/trivy:{{ .Version }}-s390x'
- name_template: 'ghcr.io/aquasecurity/trivy:latest'
image_templates:
- 'ghcr.io/aquasecurity/trivy:{{ .Version }}-amd64'
- 'ghcr.io/aquasecurity/trivy:{{ .Version }}-arm64'
- 'ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x'
- name_template: 'public.ecr.aws/aquasecurity/trivy:latest'
image_templates:
- 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64'
- 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64'
- 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'

4
helm/trivy/Chart.yaml
View File

@@ -1,7 +1,7 @@
apiVersion: v2
name: trivy
version: 0.4.7
appVersion: "0.21.0"
version: 0.4.11
appVersion: 0.24.0
description: Trivy helm chart
keywords:
- scanner

4
helm/trivy/README.md
View File

@@ -64,6 +64,10 @@ The following table lists the configurable parameters of the Trivy chart and the
| `replicaCount` | Number of Trivy Pods to run | `1` |
| `trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set. | |
| `trivy.serviceAccount.annotations` | Additional annotations to add to the Kubernetes service account resource | |
| `trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` |
| `trivy.cache.redis.enabled` | Enable Redis as caching backend | `false` |
| `trivy.cache.redis.url` | Specify redis connection url, e.g. redis://redis.redis.svc:6379 | `` |

2
helm/trivy/templates/_helpers.tpl
View File

@@ -50,6 +50,6 @@ Return the proper imageRef as used by the container template spec.
{{- define "trivy.imageRef" -}}
{{- $registryName := .Values.image.registry -}}
{{- $repositoryName := .Values.image.repository -}}
{{- $tag := .Values.image.tag | toString -}}
{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}

23
helm/trivy/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
data:
TRIVY_LISTEN: "0.0.0.0:{{ .Values.service.port }}"
TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
{{- if .Values.trivy.cache.redis.enabled }}
TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
{{- end }}
TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
{{- if .Values.httpProxy }}
HTTP_PROXY: {{ .Values.httpProxy | quote }}
{{- end }}
{{- if .Values.httpsProxy }}
HTTPS_PROXY: {{ .Values.httpsProxy | quote }}
{{- end }}
{{- if .Values.noProxy }}
NO_PROXY: {{ .Values.noProxy | quote }}
{{- end }}

6
helm/trivy/templates/secret.yaml
View File

@@ -6,4 +6,8 @@ metadata:
{{ include "trivy.labels" . | indent 4 }}
type: Opaque
data:
gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
GITHUB_TOKEN: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
{{- if not .Values.trivy.registryCredentialsExistingSecret }}
TRIVY_USERNAME: {{ .Values.trivy.registryUsername | default "" | b64enc | quote }}
TRIVY_PASSWORD: {{ .Values.trivy.registryPassword | default "" | b64enc | quote }}
{{- end -}}

4
helm/trivy/templates/serviceaccount.yaml
View File

@@ -4,4 +4,8 @@ metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
{{- if (.Values.trivy.serviceAccount).annotations }}
annotations:
{{ toYaml .Values.trivy.serviceAccount.annotations | indent 8 }}
{{- end }}
namespace: {{ .Release.Namespace }}

42
helm/trivy/templates/statefulset.yaml
View File

@@ -4,6 +4,9 @@ metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
{{- with .Values.trivy.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
podManagementPolicy: "Parallel"
serviceName: {{ include "trivy.fullname" . }}
@@ -29,6 +32,9 @@ spec:
labels:
app.kubernetes.io/name: {{ include "trivy.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.trivy.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "trivy.fullname" . }}
automountServiceAccountToken: false
@@ -62,30 +68,24 @@ spec:
{{- end }}
args:
- server
{{- if .Values.trivy.registryCredentialsExistingSecret }}
env:
- name: "TRIVY_LISTEN"
value: "0.0.0.0:{{ .Values.service.port | default 4954 }}"
- name: "TRIVY_CACHE_DIR"
value: "/home/scanner/.cache/trivy"
{{- if .Values.trivy.cache.redis.enabled }}
- name: "TRIVY_CACHE_BACKEND"
value: {{ .Values.trivy.cache.redis.url | quote }}
{{- end }}
- name: "TRIVY_DEBUG"
value: {{ .Values.trivy.debugMode | default false | quote }}
- name: "TRIVY_SKIP_UPDATE"
value: {{ .Values.trivy.skipUpdate | default false | quote }}
- name: "GITHUB_TOKEN"
- name: TRIVY_USERNAME
valueFrom:
secretKeyRef:
name: {{ include "trivy.fullname" . }}
key: gitHubToken
- name: "HTTP_PROXY"
value: {{ .Values.httpProxy | quote }}
- name: "HTTPS_PROXY"
value: {{ .Values.httpsProxy | quote }}
- name: "NO_PROXY"
value: {{ .Values.noProxy | quote }}
name: {{ .Values.trivy.registryCredentialsExistingSecret }}
key: TRIVY_USERNAME
- name: TRIVY_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.trivy.registryCredentialsExistingSecret }}
key: TRIVY_PASSWORD
{{- end }}
envFrom:
- configMapRef:
name: {{ include "trivy.fullname" . }}
- secretRef:
name: {{ include "trivy.fullname" . }}
ports:
- name: trivy-http
containerPort: {{ .Values.service.port }}

27
helm/trivy/values.yaml
View File

@@ -4,7 +4,9 @@ fullnameOverride: ""
image:
registry: docker.io
repository: aquasec/trivy
tag: 0.21.0
# tag is an override of the image tag, which is by default set by the
# appVersion field in Chart.yaml.
tag: ""
pullPolicy: IfNotPresent
pullSecret: ""
@@ -68,6 +70,24 @@ trivy:
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
gitHubToken: ""
# Docker registry credentials
# See also: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/
#
# Either
# Directly in this file
#
# TRIVY_USERNAME
registryUsername: ""
# TRIVY_PASSWORD
registryPassword: ""
#
# Or
# From an existing secret
#
# The secret must be Opaque and just contain "TRIVY_USERNAME: your_user" and "TRIVY_PASSWORD: your_password" as k/v pairs.
# NOTE: When this is set the previous parameters are ignored.
#
# registryCredentialsExistingSecret: name-of-existing-secret
# skipUpdate the flag to enable or disable Trivy DB downloads from GitHub
#
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
@@ -86,6 +106,11 @@ trivy:
redis:
enabled: false
url: "" # e.g. redis://redis.redis.svc:6379
serviceAccount:
annotations: {}
# eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
# If you want to add custom labels to your statefulset and podTemplate
labels: {}
service:
# type Kubernetes service type

292
integration/client_server_test.go
View File

@@ -5,6 +5,7 @@ package integration
import (
"context"
"encoding/json"
"fmt"
"io"
"os"
@@ -13,6 +14,7 @@ import (
"testing"
"time"
cdx "github.com/CycloneDX/cyclonedx-go"
"github.com/docker/go-connections/nat"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -32,6 +34,7 @@ type csArgs struct {
Input string
ClientToken string
ClientTokenHeader string
ListAllPackages bool
}
func TestClientServer(t *testing.T) {
@@ -42,54 +45,46 @@ func TestClientServer(t *testing.T) {
wantErr string
}{
{
name: "alpine 3.10 integration",
args: csArgs{
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.json.golden",
},
{
name: "alpine 3.10 integration with --ignore-unfixed option",
args: csArgs{
IgnoreUnfixed: true,
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310-ignore-unfixed.json.golden",
},
{
name: "alpine 3.10 integration with medium and high severity",
args: csArgs{
IgnoreUnfixed: true,
Severity: []string{"MEDIUM", "HIGH"},
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310-medium-high.json.golden",
},
{
name: "alpine 3.10 integration with .trivyignore",
args: csArgs{
IgnoreUnfixed: false,
IgnoreIDs: []string{"CVE-2019-1549", "CVE-2019-1563"},
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310-ignore-cveids.json.golden",
},
{
name: "alpine 3.9 integration",
name: "alpine 3.9",
args: csArgs{
Input: "testdata/fixtures/images/alpine-39.tar.gz",
},
golden: "testdata/alpine-39.json.golden",
},
{
name: "debian buster integration",
name: "alpine 3.9 with high and critical severity",
args: csArgs{
IgnoreUnfixed: true,
Severity: []string{"HIGH", "CRITICAL"},
Input: "testdata/fixtures/images/alpine-39.tar.gz",
},
golden: "testdata/alpine-39-high-critical.json.golden",
},
{
name: "alpine 3.9 with .trivyignore",
args: csArgs{
IgnoreUnfixed: false,
IgnoreIDs: []string{"CVE-2019-1549", "CVE-2019-14697"},
Input: "testdata/fixtures/images/alpine-39.tar.gz",
},
golden: "testdata/alpine-39-ignore-cveids.json.golden",
},
{
name: "alpine 3.10",
args: csArgs{
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.json.golden",
},
{
name: "debian buster/10",
args: csArgs{
Input: "testdata/fixtures/images/debian-buster.tar.gz",
},
golden: "testdata/debian-buster.json.golden",
},
{
name: "debian buster integration with --ignore-unfixed option",
name: "debian buster/10 with --ignore-unfixed option",
args: csArgs{
IgnoreUnfixed: true,
Input: "testdata/fixtures/images/debian-buster.tar.gz",
@@ -97,43 +92,28 @@ func TestClientServer(t *testing.T) {
golden: "testdata/debian-buster-ignore-unfixed.json.golden",
},
{
name: "debian stretch integration",
name: "debian stretch/9",
args: csArgs{
Input: "testdata/fixtures/images/debian-stretch.tar.gz",
},
golden: "testdata/debian-stretch.json.golden",
},
{
name: "ubuntu 18.04 integration",
name: "ubuntu 18.04",
args: csArgs{
Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
},
golden: "testdata/ubuntu-1804.json.golden",
},
{
name: "ubuntu 18.04 integration with --ignore-unfixed option",
args: csArgs{
IgnoreUnfixed: true,
Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
},
golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
},
{
name: "ubuntu 16.04 integration",
args: csArgs{
Input: "testdata/fixtures/images/ubuntu-1604.tar.gz",
},
golden: "testdata/ubuntu-1604.json.golden",
},
{
name: "centos 7 integration",
name: "centos 7",
args: csArgs{
Input: "testdata/fixtures/images/centos-7.tar.gz",
},
golden: "testdata/centos-7.json.golden",
},
{
name: "centos 7 integration with --ignore-unfixed option",
name: "centos 7 with --ignore-unfixed option",
args: csArgs{
IgnoreUnfixed: true,
Input: "testdata/fixtures/images/centos-7.tar.gz",
@@ -141,122 +121,100 @@ func TestClientServer(t *testing.T) {
golden: "testdata/centos-7-ignore-unfixed.json.golden",
},
{
name: "centos 7 integration with low and high severity",
name: "centos 7 with medium severity",
args: csArgs{
IgnoreUnfixed: true,
Severity: []string{"LOW", "HIGH"},
Severity: []string{"MEDIUM"},
Input: "testdata/fixtures/images/centos-7.tar.gz",
},
golden: "testdata/centos-7-low-high.json.golden",
golden: "testdata/centos-7-medium.json.golden",
},
{
name: "centos 6 integration",
name: "centos 6",
args: csArgs{
Input: "testdata/fixtures/images/centos-6.tar.gz",
},
golden: "testdata/centos-6.json.golden",
},
{
name: "ubi 7 integration",
name: "ubi 7",
args: csArgs{
Input: "testdata/fixtures/images/ubi-7.tar.gz",
},
golden: "testdata/ubi-7.json.golden",
},
{
name: "distroless base integration",
name: "almalinux 8",
args: csArgs{
Input: "testdata/fixtures/images/almalinux-8.tar.gz",
},
golden: "testdata/almalinux-8.json.golden",
},
{
name: "rocky linux 8",
args: csArgs{
Input: "testdata/fixtures/images/rockylinux-8.tar.gz",
},
golden: "testdata/rockylinux-8.json.golden",
},
{
name: "distroless base",
args: csArgs{
Input: "testdata/fixtures/images/distroless-base.tar.gz",
},
golden: "testdata/distroless-base.json.golden",
},
{
name: "distroless base integration with --ignore-unfixed option",
args: csArgs{
IgnoreUnfixed: true,
Input: "testdata/fixtures/images/distroless-base.tar.gz",
},
golden: "testdata/distroless-base-ignore-unfixed.json.golden",
},
{
name: "distroless python27 integration",
name: "distroless python27",
args: csArgs{
Input: "testdata/fixtures/images/distroless-python27.tar.gz",
},
golden: "testdata/distroless-python27.json.golden",
},
{
name: "amazon 1 integration",
name: "amazon 1",
args: csArgs{
Input: "testdata/fixtures/images/amazon-1.tar.gz",
},
golden: "testdata/amazon-1.json.golden",
},
{
name: "amazon 2 integration",
name: "amazon 2",
args: csArgs{
Input: "testdata/fixtures/images/amazon-2.tar.gz",
},
golden: "testdata/amazon-2.json.golden",
},
{
name: "oracle 6 integration",
args: csArgs{
Input: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
},
golden: "testdata/oraclelinux-6-slim.json.golden",
},
{
name: "oracle 7 integration",
args: csArgs{
Input: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
},
golden: "testdata/oraclelinux-7-slim.json.golden",
},
{
name: "oracle 8 integration",
name: "oracle 8",
args: csArgs{
Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
},
golden: "testdata/oraclelinux-8-slim.json.golden",
},
{
name: "opensuse leap 15.1 integration",
name: "opensuse leap 15.1",
args: csArgs{
Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
},
golden: "testdata/opensuse-leap-151.json.golden",
},
{
name: "opensuse leap 42.3 integration",
args: csArgs{
Input: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
},
golden: "testdata/opensuse-leap-423.json.golden",
},
{
name: "photon 1.0 integration",
args: csArgs{
Input: "testdata/fixtures/images/photon-10.tar.gz",
},
golden: "testdata/photon-10.json.golden",
},
{
name: "photon 2.0 integration",
args: csArgs{
Input: "testdata/fixtures/images/photon-20.tar.gz",
},
golden: "testdata/photon-20.json.golden",
},
{
name: "photon 3.0 integration",
name: "photon 3.0",
args: csArgs{
Input: "testdata/fixtures/images/photon-30.tar.gz",
},
golden: "testdata/photon-30.json.golden",
},
{
name: "buxybox with Cargo.lock integration",
name: "CBL-Mariner 1.0",
args: csArgs{
Input: "testdata/fixtures/images/mariner-1.0.tar.gz",
},
golden: "testdata/mariner-1.0.json.golden",
},
{
name: "buxybox with Cargo.lock",
args: csArgs{
Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
},
@@ -286,7 +244,7 @@ func TestClientServerWithTemplate(t *testing.T) {
golden string
}{
{
name: "alpine 3.10 integration with gitlab template",
name: "alpine 3.10 with gitlab template",
args: csArgs{
Format: "template",
TemplatePath: "@../contrib/gitlab.tpl",
@@ -295,7 +253,7 @@ func TestClientServerWithTemplate(t *testing.T) {
golden: "testdata/alpine-310.gitlab.golden",
},
{
name: "alpine 3.10 integration with gitlab-codequality template",
name: "alpine 3.10 with gitlab-codequality template",
args: csArgs{
Format: "template",
TemplatePath: "@../contrib/gitlab-codequality.tpl",
@@ -304,16 +262,15 @@ func TestClientServerWithTemplate(t *testing.T) {
golden: "testdata/alpine-310.gitlab-codequality.golden",
},
{
name: "alpine 3.10 integration with sarif template",
name: "alpine 3.10 with sarif format",
args: csArgs{
Format: "template",
TemplatePath: "@../contrib/sarif.tpl",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
Format: "sarif",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.sarif.golden",
},
{
name: "alpine 3.10 integration with ASFF template",
name: "alpine 3.10 with ASFF template",
args: csArgs{
Format: "template",
TemplatePath: "@../contrib/asff.tpl",
@@ -322,7 +279,7 @@ func TestClientServerWithTemplate(t *testing.T) {
golden: "testdata/alpine-310.asff.golden",
},
{
name: "alpine 3.10 integration with html template",
name: "alpine 3.10 with html template",
args: csArgs{
Format: "template",
TemplatePath: "@../contrib/html.tpl",
@@ -332,13 +289,23 @@ func TestClientServerWithTemplate(t *testing.T) {
},
}
report.CustomTemplateFuncMap = map[string]interface{}{
"now": func() time.Time {
return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
},
"date": func(format string, t time.Time) string {
return t.Format(format)
},
}
t.Cleanup(func() {
report.CustomTemplateFuncMap = map[string]interface{}{}
})
app, addr, cacheDir := setup(t, setupOptions{})
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
report.Now = func() time.Time {
return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
}
t.Setenv("AWS_REGION", "test-region")
t.Setenv("AWS_ACCOUNT_ID", "123456789012")
osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
@@ -358,6 +325,55 @@ func TestClientServerWithTemplate(t *testing.T) {
}
}
func TestClientServerWithCycloneDX(t *testing.T) {
tests := []struct {
name string
args csArgs
wantComponentsCount int
wantDependenciesCount int
wantDependsOnCount []int
}{
{
name: "fluentd with RubyGems with CycloneDX format",
args: csArgs{
Format: "cyclonedx",
Input: "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
},
wantComponentsCount: 161,
wantDependenciesCount: 2,
wantDependsOnCount: []int{
105,
56,
},
},
}
app, addr, cacheDir := setup(t, setupOptions{})
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, "")
// Run Trivy client
err := app.Run(osArgs)
require.NoError(t, err)
f, err := os.Open(outputFile)
require.NoError(t, err)
defer f.Close()
var got cdx.BOM
err = json.NewDecoder(f).Decode(&got)
require.NoError(t, err)
assert.EqualValues(t, tt.wantComponentsCount, len(*got.Components))
assert.EqualValues(t, tt.wantDependenciesCount, len(*got.Dependencies))
for i, dep := range *got.Dependencies {
assert.EqualValues(t, tt.wantDependsOnCount[i], len(*dep.Dependencies))
}
})
}
}
func TestClientServerWithToken(t *testing.T) {
cases := []struct {
name string
@@ -366,13 +382,13 @@ func TestClientServerWithToken(t *testing.T) {
wantErr string
}{
{
name: "alpine 3.10 integration with token",
name: "alpine 3.9 with token",
args: csArgs{
Input: "testdata/fixtures/images/alpine-310.tar.gz",
Input: "testdata/fixtures/images/alpine-39.tar.gz",
ClientToken: "token",
ClientTokenHeader: "Trivy-Token",
},
golden: "testdata/alpine-310.json.golden",
golden: "testdata/alpine-39.json.golden",
},
{
name: "invalid token",
@@ -387,8 +403,8 @@ func TestClientServerWithToken(t *testing.T) {
name: "invalid token header",
args: csArgs{
Input: "testdata/fixtures/images/distroless-base.tar.gz",
ClientToken: "valid-token",
ClientTokenHeader: "Trivy-Token",
ClientToken: "token",
ClientTokenHeader: "Unknown-Header",
},
wantErr: "twirp error unauthenticated: invalid token",
},
@@ -428,15 +444,15 @@ func TestClientServerWithRedis(t *testing.T) {
// Set up Trivy server
app, addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
defer os.RemoveAll(cacheDir)
t.Cleanup(func() { os.RemoveAll(cacheDir) })
// Test parameters
testArgs := csArgs{
Input: "testdata/fixtures/images/centos-7.tar.gz",
Input: "testdata/fixtures/images/alpine-39.tar.gz",
}
golden := "testdata/centos-7.json.golden"
golden := "testdata/alpine-39.json.golden"
t.Run("centos 7", func(t *testing.T) {
t.Run("alpine 3.9", func(t *testing.T) {
osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)
// Run Trivy client
@@ -470,7 +486,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
version := "dev"
// Set up testing DB
cacheDir := gunzipDB(t)
cacheDir := initDB(t)
port, err := getFreePort()
assert.NoError(t, err)
@@ -526,7 +542,7 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
}
if len(c.Severity) != 0 {
osArgs = append(osArgs,
[]string{"--severity", strings.Join(c.Severity, ",")}...,
"--severity", strings.Join(c.Severity, ","),
)
}
@@ -534,22 +550,22 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
require.NoError(t, err, "failed to write .trivyignore")
osArgs = append(osArgs, []string{"--ignorefile", trivyIgnore}...)
osArgs = append(osArgs, "--ignorefile", trivyIgnore)
}
if c.ClientToken != "" {
osArgs = append(osArgs, []string{"--token", c.ClientToken, "--token-header", c.ClientTokenHeader}...)
osArgs = append(osArgs, "--token", c.ClientToken, "--token-header", c.ClientTokenHeader)
}
if c.Input != "" {
osArgs = append(osArgs, []string{"--input", c.Input}...)
osArgs = append(osArgs, "--input", c.Input)
}
// Setup the output file
// Set up the output file
outputFile := filepath.Join(t.TempDir(), "output.json")
if *update {
outputFile = golden
}
osArgs = append(osArgs, []string{"--output", outputFile}...)
osArgs = append(osArgs, "--output", outputFile)
return osArgs, outputFile
}

116
integration/docker/docker.go
View File

@@ -1,116 +0,0 @@
package docker
import (
"context"
"encoding/base64"
"encoding/json"
"fmt"
"io"
"net/url"
"os"
"github.com/docker/docker/client"
"github.com/docker/docker/api/types"
)
// RegistryConfig holds the config for docker registry
type RegistryConfig struct {
URL *url.URL
Username string
Password string
}
// GetAuthConfig returns the docker registry authConfig
func (c RegistryConfig) GetAuthConfig() types.AuthConfig {
return types.AuthConfig{
Username: c.Username,
Password: c.Password,
ServerAddress: c.URL.Host,
}
}
// GetRegistryAuth returns the json encoded docker registry auth
func (c RegistryConfig) GetRegistryAuth() (string, error) {
authConfig := types.AuthConfig{
Username: c.Username,
Password: c.Password,
}
encodedJSON, err := json.Marshal(authConfig)
if err != nil {
return "", err
}
return base64.URLEncoding.EncodeToString(encodedJSON), nil
}
// Docker returns docker client
type Docker struct {
cli *client.Client
}
// New is the factory method to return docker client
func New() (Docker, error) {
cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
if err != nil {
return Docker{}, err
}
return Docker{
cli: cli,
}, nil
}
// ReplicateImage tags the given imagePath and pushes it to the given dest registry.
func (d Docker) ReplicateImage(ctx context.Context, imageRef, imagePath string, dest RegistryConfig) error {
// remove existing Image if any
_, _ = d.cli.ImageRemove(ctx, imageRef, types.ImageRemoveOptions{
Force: true,
PruneChildren: true,
})
testfile, err := os.Open(imagePath)
if err != nil {
return err
}
// load image into docker engine
resp, err := d.cli.ImageLoad(ctx, testfile, true)
if err != nil {
return err
}
if _, err = io.Copy(io.Discard, resp.Body); err != nil {
return err
}
defer resp.Body.Close()
targetImageRef := fmt.Sprintf("%s/%s", dest.URL.Host, imageRef)
if err = d.cli.ImageTag(ctx, imageRef, targetImageRef); err != nil {
return err
}
defer func() {
_, _ = d.cli.ImageRemove(ctx, imageRef, types.ImageRemoveOptions{
Force: true,
PruneChildren: true,
})
_, _ = d.cli.ImageRemove(ctx, targetImageRef, types.ImageRemoveOptions{
Force: true,
PruneChildren: true,
})
}()
auth, err := dest.GetRegistryAuth()
if err != nil {
return err
}
pushOut, err := d.cli.ImagePush(ctx, targetImageRef, types.ImagePushOptions{RegistryAuth: auth})
if err != nil {
return err
}
defer pushOut.Close()
if _, err = io.Copy(io.Discard, pushOut); err != nil {
return err
}
return nil
}

350
integration/docker_engine_test.go
View File

@@ -19,235 +19,185 @@ import (
"github.com/aquasecurity/trivy/pkg/commands"
)
func TestRun_WithDockerEngine(t *testing.T) {
testCases := []struct {
name string
withImageSubcommand bool
imageTag string
invalidImage bool
ignoreUnfixed bool
severity []string
ignoreIDs []string
testfile string
wantOutputFile string
wantError string
func TestDockerEngine(t *testing.T) {
tests := []struct {
name string
imageTag string
invalidImage bool
ignoreUnfixed bool
severity []string
ignoreIDs []string
input string
golden string
wantErr string
}{
// All of these cases should pass for either
// $ trivy <args>
// $ trivy image <args>
{
name: "happy path, valid image path, alpine:3.10",
imageTag: "alpine:3.10",
wantOutputFile: "testdata/alpine-310.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz",
name: "alpine:3.9",
imageTag: "alpine:3.9",
input: "testdata/fixtures/images/alpine-39.tar.gz",
golden: "testdata/alpine-39.json.golden",
},
{
name: "happy path, valid image path, with image subcommand, alpine:3.10",
withImageSubcommand: true,
imageTag: "alpine:3.10",
wantOutputFile: "testdata/alpine-310.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz",
name: "alpine:3.9, with high and critical severity",
severity: []string{"HIGH", "CRITICAL"},
imageTag: "alpine:3.9",
input: "testdata/fixtures/images/alpine-39.tar.gz",
golden: "testdata/alpine-39-high-critical.json.golden",
},
{
name: "happy path, valid image path, alpine:3.10, ignore unfixed",
ignoreUnfixed: true,
imageTag: "alpine:3.10",
wantOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz",
name: "alpine:3.9, with .trivyignore",
imageTag: "alpine:3.9",
ignoreIDs: []string{"CVE-2019-1549", "CVE-2019-14697"},
input: "testdata/fixtures/images/alpine-39.tar.gz",
golden: "testdata/alpine-39-ignore-cveids.json.golden",
},
{
name: "happy path, valid image path, alpine:3.10, ignore unfixed, with medium and high severity",
ignoreUnfixed: true,
severity: []string{"MEDIUM", "HIGH"},
imageTag: "alpine:3.10",
wantOutputFile: "testdata/alpine-310-medium-high.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz",
name: "alpine:3.10",
imageTag: "alpine:3.10",
input: "testdata/fixtures/images/alpine-310.tar.gz",
golden: "testdata/alpine-310.json.golden",
},
{
name: "happy path, valid image path, alpine:3.10, with .trivyignore",
imageTag: "alpine:3.10",
ignoreIDs: []string{"CVE-2019-1549", "CVE-2019-1563"},
wantOutputFile: "testdata/alpine-310-ignore-cveids.json.golden",
testfile: "testdata/fixtures/images/alpine-310.tar.gz",
name: "amazonlinux:1",
imageTag: "amazonlinux:1",
input: "testdata/fixtures/images/amazon-1.tar.gz",
golden: "testdata/amazon-1.json.golden",
},
{
name: "happy path, valid image path, alpine:3.9",
imageTag: "alpine:3.9",
wantOutputFile: "testdata/alpine-39.json.golden",
testfile: "testdata/fixtures/images/alpine-39.tar.gz",
name: "amazonlinux:2",
imageTag: "amazonlinux:2",
input: "testdata/fixtures/images/amazon-2.tar.gz",
golden: "testdata/amazon-2.json.golden",
},
{
name: "happy path, valid image path, amazonlinux:1",
imageTag: "amazonlinux:1",
wantOutputFile: "testdata/amazon-1.json.golden",
testfile: "testdata/fixtures/images/amazon-1.tar.gz",
name: "almalinux 8",
imageTag: "almalinux:8",
input: "testdata/fixtures/images/almalinux-8.tar.gz",
golden: "testdata/almalinux-8.json.golden",
},
{
name: "happy path, valid image path, amazonlinux:2",
imageTag: "amazonlinux:2",
wantOutputFile: "testdata/amazon-2.json.golden",
testfile: "testdata/fixtures/images/amazon-2.tar.gz",
name: "rocky linux 8",
imageTag: "rockylinux:8",
input: "testdata/fixtures/images/rockylinux-8.tar.gz",
golden: "testdata/rockylinux-8.json.golden",
},
{
name: "happy path, valid image path, centos:6",
imageTag: "centos:6",
wantOutputFile: "testdata/centos-6.json.golden",
testfile: "testdata/fixtures/images/centos-6.tar.gz",
name: "centos 6",
imageTag: "centos:6",
input: "testdata/fixtures/images/centos-6.tar.gz",
golden: "testdata/centos-6.json.golden",
},
{
name: "happy path, valid image path, centos:7",
imageTag: "centos:7",
wantOutputFile: "testdata/centos-7.json.golden",
testfile: "testdata/fixtures/images/centos-7.tar.gz",
name: "centos 7",
imageTag: "centos:7",
input: "testdata/fixtures/images/centos-7.tar.gz",
golden: "testdata/centos-7.json.golden",
},
{
name: "happy path, valid image path, centos:7, with --ignore-unfixed option",
imageTag: "centos:7",
ignoreUnfixed: true,
wantOutputFile: "testdata/centos-7-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/centos-7.tar.gz",
name: "centos 7, with --ignore-unfixed option",
imageTag: "centos:7",
ignoreUnfixed: true,
input: "testdata/fixtures/images/centos-7.tar.gz",
golden: "testdata/centos-7-ignore-unfixed.json.golden",
},
{
name: "happy path, valid image path, centos:7, with --ignore-unfixed option, with low and high severity",
imageTag: "centos:7",
ignoreUnfixed: true,
severity: []string{"LOW", "HIGH"},
wantOutputFile: "testdata/centos-7-low-high.json.golden",
testfile: "testdata/fixtures/images/centos-7.tar.gz",
name: "centos 7, with --ignore-unfixed option, with medium severity",
imageTag: "centos:7",
ignoreUnfixed: true,
severity: []string{"MEDIUM"},
input: "testdata/fixtures/images/centos-7.tar.gz",
golden: "testdata/centos-7-medium.json.golden",
},
{
name: "happy path, valid image path, debian:buster",
imageTag: "debian:buster",
wantOutputFile: "testdata/debian-buster.json.golden",
testfile: "testdata/fixtures/images/debian-buster.tar.gz",
name: "registry.redhat.io/ubi7",
imageTag: "registry.redhat.io/ubi7",
input: "testdata/fixtures/images/ubi-7.tar.gz",
golden: "testdata/ubi-7.json.golden",
},
{
name: "happy path, valid image path, debian:buster, with --ignore-unfixed option",
ignoreUnfixed: true,
imageTag: "debian:buster",
wantOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/debian-buster.tar.gz",
name: "debian buster/10",
imageTag: "debian:buster",
input: "testdata/fixtures/images/debian-buster.tar.gz",
golden: "testdata/debian-buster.json.golden",
},
{
name: "happy path, valid image path, debian:stretch",
imageTag: "debian:stretch",
wantOutputFile: "testdata/debian-stretch.json.golden",
testfile: "testdata/fixtures/images/debian-stretch.tar.gz",
name: "debian buster/10, with --ignore-unfixed option",
ignoreUnfixed: true,
imageTag: "debian:buster",
input: "testdata/fixtures/images/debian-buster.tar.gz",
golden: "testdata/debian-buster-ignore-unfixed.json.golden",
},
{
name: "happy path, valid image path, distroless:base",
imageTag: "gcr.io/distroless/base:latest",
wantOutputFile: "testdata/distroless-base.json.golden",
testfile: "testdata/fixtures/images/distroless-base.tar.gz",
name: "debian stretch/9",
imageTag: "debian:stretch",
input: "testdata/fixtures/images/debian-stretch.tar.gz",
golden: "testdata/debian-stretch.json.golden",
},
{
name: "happy path, valid image path, distroless:base",
imageTag: "gcr.io/distroless/base:latest",
wantOutputFile: "testdata/distroless-base.json.golden",
testfile: "testdata/fixtures/images/distroless-base.tar.gz",
name: "distroless base",
imageTag: "gcr.io/distroless/base:latest",
input: "testdata/fixtures/images/distroless-base.tar.gz",
golden: "testdata/distroless-base.json.golden",
},
{
name: "happy path, valid image path, distroless:base, with --ignore-unfixed option",
imageTag: "gcr.io/distroless/base:latest",
ignoreUnfixed: true,
wantOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/distroless-base.tar.gz",
name: "distroless python2.7",
imageTag: "gcr.io/distroless/python2.7:latest",
input: "testdata/fixtures/images/distroless-python27.tar.gz",
golden: "testdata/distroless-python27.json.golden",
},
{
name: "happy path, valid image path, distroless:python2.7",
imageTag: "gcr.io/distroless/python2.7:latest",
wantOutputFile: "testdata/distroless-python27.json.golden",
testfile: "testdata/fixtures/images/distroless-python27.tar.gz",
name: "oracle linux 8",
imageTag: "oraclelinux:8-slim",
input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
golden: "testdata/oraclelinux-8-slim.json.golden",
},
{
name: "happy path, valid image path, oraclelinux:6-slim",
imageTag: "oraclelinux:6-slim",
wantOutputFile: "testdata/oraclelinux-6-slim.json.golden",
testfile: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
name: "ubuntu 18.04",
imageTag: "ubuntu:18.04",
input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
golden: "testdata/ubuntu-1804.json.golden",
},
{
name: "happy path, valid image path, oraclelinux:7-slim",
imageTag: "oraclelinux:7-slim",
wantOutputFile: "testdata/oraclelinux-7-slim.json.golden",
testfile: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
name: "ubuntu 18.04, with --ignore-unfixed option",
imageTag: "ubuntu:18.04",
ignoreUnfixed: true,
input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
},
{
name: "happy path, valid image path, oraclelinux:8-slim",
imageTag: "oraclelinux:8-slim",
wantOutputFile: "testdata/oraclelinux-8-slim.json.golden",
testfile: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
name: "opensuse leap 15.1",
imageTag: "opensuse/leap:latest",
input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
golden: "testdata/opensuse-leap-151.json.golden",
},
{
name: "happy path, valid image path, ubuntu:16.04",
imageTag: "ubuntu:16.04",
wantOutputFile: "testdata/ubuntu-1604.json.golden",
testfile: "testdata/fixtures/images/ubuntu-1604.tar.gz",
name: "photon 3.0",
imageTag: "photon:3.0-20190823",
input: "testdata/fixtures/images/photon-30.tar.gz",
golden: "testdata/photon-30.json.golden",
},
{
name: "happy path, valid image path, ubuntu:18.04",
imageTag: "ubuntu:18.04",
wantOutputFile: "testdata/ubuntu-1804.json.golden",
testfile: "testdata/fixtures/images/ubuntu-1804.tar.gz",
name: "CBL-Mariner 1.0",
imageTag: "cblmariner.azurecr.io/base/core:1.0",
input: "testdata/fixtures/images/mariner-1.0.tar.gz",
golden: "testdata/mariner-1.0.json.golden",
},
{
name: "happy path, valid image path, ubuntu:18.04, with --ignore-unfixed option",
imageTag: "ubuntu:18.04",
ignoreUnfixed: true,
wantOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
testfile: "testdata/fixtures/images/ubuntu-1804.tar.gz",
},
{
name: "happy path, valid image path, registry.redhat.io/ubi7",
imageTag: "registry.redhat.io/ubi7",
wantOutputFile: "testdata/ubi-7.json.golden",
testfile: "testdata/fixtures/images/ubi-7.tar.gz",
},
{
name: "happy path, valid image path, opensuse leap 15.1",
imageTag: "opensuse/leap:latest",
wantOutputFile: "testdata/opensuse-leap-151.json.golden",
testfile: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
},
{
name: "happy path, valid image path, opensuse leap 42.3",
imageTag: "opensuse/leap:42.3",
wantOutputFile: "testdata/opensuse-leap-423.json.golden",
testfile: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
},
{
name: "happy path, valid image path, photon 1.0",
imageTag: "photon:1.0-20190823",
wantOutputFile: "testdata/photon-10.json.golden",
testfile: "testdata/fixtures/images/photon-10.tar.gz",
},
{
name: "happy path, valid image path, photon 2.0",
imageTag: "photon:2.0-20190726",
wantOutputFile: "testdata/photon-20.json.golden",
testfile: "testdata/fixtures/images/photon-20.tar.gz",
},
{
name: "happy path, valid image path, photon 3.0",
imageTag: "photon:3.0-20190823",
wantOutputFile: "testdata/photon-30.json.golden",
testfile: "testdata/fixtures/images/photon-30.tar.gz",
},
{
name: "buxybox with Cargo.lock integration",
imageTag: "busy-cargo:latest",
wantOutputFile: "testdata/busybox-with-lockfile.json.golden",
testfile: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
name: "busybox with Cargo.lock",
imageTag: "busy-cargo:latest",
input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
golden: "testdata/busybox-with-lockfile.json.golden",
},
{
name: "sad path, invalid image",
invalidImage: true,
testfile: "badimage:latest",
wantError: "unable to inspect the image (index.docker.io/library/badimage:latest)",
input: "badimage:latest",
wantErr: "unable to inspect the image (index.docker.io/library/badimage:latest)",
},
}
// Set up testing DB
cacheDir := gunzipDB(t)
cacheDir := initDB(t)
ctx := context.Background()
defer ctx.Done()
@@ -255,26 +205,26 @@ func TestRun_WithDockerEngine(t *testing.T) {
cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
require.NoError(t, err)
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
if !tc.invalidImage {
testfile, err := os.Open(tc.testfile)
require.NoError(t, err, tc.name)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if !tt.invalidImage {
testfile, err := os.Open(tt.input)
require.NoError(t, err, tt.name)
// ensure image doesnt already exists
_, _ = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
_, _ = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
Force: true,
PruneChildren: true,
})
// load image into docker engine
res, err := cli.ImageLoad(ctx, testfile, true)
require.NoError(t, err, tc.name)
require.NoError(t, err, tt.name)
io.Copy(io.Discard, res.Body)
// tag our image to something unique
err = cli.ImageTag(ctx, tc.imageTag, tc.testfile)
require.NoError(t, err, tc.name)
err = cli.ImageTag(ctx, tt.imageTag, tt.input)
require.NoError(t, err, tt.name)
}
tmpDir := t.TempDir()
@@ -282,55 +232,47 @@ func TestRun_WithDockerEngine(t *testing.T) {
// run trivy
app := commands.NewApp("dev")
trivyArgs := []string{"trivy"}
trivyArgs = append(trivyArgs, "--cache-dir", cacheDir)
if tc.withImageSubcommand {
trivyArgs = append(trivyArgs, "image")
}
trivyArgs := []string{"trivy", "--cache-dir", cacheDir, "image",
"--skip-update", "--format=json", "--output", output}
trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", output}...)
if tc.ignoreUnfixed {
if tt.ignoreUnfixed {
trivyArgs = append(trivyArgs, "--ignore-unfixed")
}
if len(tc.severity) != 0 {
if len(tt.severity) != 0 {
trivyArgs = append(trivyArgs,
[]string{"--severity", strings.Join(tc.severity, ",")}...,
[]string{"--severity", strings.Join(tt.severity, ",")}...,
)
}
if len(tc.ignoreIDs) != 0 {
if len(tt.ignoreIDs) != 0 {
trivyIgnore := ".trivyignore"
err := os.WriteFile(trivyIgnore, []byte(strings.Join(tc.ignoreIDs, "\n")), 0444)
err = os.WriteFile(trivyIgnore, []byte(strings.Join(tt.ignoreIDs, "\n")), 0444)
assert.NoError(t, err, "failed to write .trivyignore")
defer os.Remove(trivyIgnore)
}
trivyArgs = append(trivyArgs, tc.testfile)
trivyArgs = append(trivyArgs, tt.input)
err = app.Run(trivyArgs)
switch {
case tc.wantError != "":
if tt.wantErr != "" {
require.NotNil(t, err)
assert.Contains(t, err.Error(), tc.wantError, tc.name)
assert.Contains(t, err.Error(), tt.wantErr, tt.name)
return
default:
assert.NoError(t, err, tc.name)
}
assert.NoError(t, err, tt.name)
// check for vulnerability output info
got := readReport(t, output)
want := readReport(t, tc.wantOutputFile)
assert.Equal(t, want, got)
compareReports(t, tt.golden, output)
// cleanup
_, err = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
_, err = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
Force: true,
PruneChildren: true,
})
_, err = cli.ImageRemove(ctx, tc.imageTag, types.ImageRemoveOptions{
_, err = cli.ImageRemove(ctx, tt.imageTag, types.ImageRemoveOptions{
Force: true,
PruneChildren: true,
})
assert.NoError(t, err, tc.name)
assert.NoError(t, err, tt.name)
})
}
}

27
integration/fs_test.go
View File

@@ -22,6 +22,7 @@ func TestFilesystem(t *testing.T) {
ignoreIDs []string
policyPaths []string
namespaces []string
listAllPkgs bool
input string
}
tests := []struct {
@@ -41,10 +42,19 @@ func TestFilesystem(t *testing.T) {
name: "pip",
args: args{
securityChecks: "vuln",
listAllPkgs: true,
input: "testdata/fixtures/fs/pip",
},
golden: "testdata/pip.json.golden",
},
{
name: "pom",
args: args{
securityChecks: "vuln",
input: "testdata/fixtures/fs/pom",
},
golden: "testdata/pom.json.golden",
},
{
name: "dockerfile",
args: args{
@@ -85,12 +95,12 @@ func TestFilesystem(t *testing.T) {
}
// Set up testing DB
cacheDir := gunzipDB(t)
cacheDir := initDB(t)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
osArgs := []string{"trivy", "--cache-dir", cacheDir, "fs", "--skip-db-update", "--skip-policy-update",
"--format", "json", "--security-checks", tt.args.securityChecks}
"--format", "json", "--offline-scan", "--security-checks", tt.args.securityChecks}
if len(tt.args.policyPaths) != 0 {
for _, policyPath := range tt.args.policyPaths {
@@ -105,9 +115,7 @@ func TestFilesystem(t *testing.T) {
}
if len(tt.args.severity) != 0 {
osArgs = append(osArgs,
[]string{"--severity", strings.Join(tt.args.severity, ",")}...,
)
osArgs = append(osArgs, "--severity", strings.Join(tt.args.severity, ","))
}
if len(tt.args.ignoreIDs) != 0 {
@@ -123,6 +131,10 @@ func TestFilesystem(t *testing.T) {
outputFile = tt.golden
}
if tt.args.listAllPkgs {
osArgs = append(osArgs, "--list-all-pkgs")
}
osArgs = append(osArgs, "--output", outputFile)
osArgs = append(osArgs, tt.args.input)
@@ -134,10 +146,7 @@ func TestFilesystem(t *testing.T) {
assert.Nil(t, app.Run(osArgs))
// Compare want and got
want := readReport(t, tt.golden)
got := readReport(t, outputFile)
assert.Equal(t, want, got)
compareReports(t, tt.golden, outputFile)
})
}
}

57
integration/integration_test.go
View File

@@ -4,11 +4,9 @@
package integration
import (
"compress/gzip"
"context"
"encoding/json"
"flag"
"io"
"net"
"os"
"path/filepath"
@@ -19,44 +17,43 @@ import (
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy-db/pkg/metadata"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/types"
)
var update = flag.Bool("update", false, "update golden files")
func gunzipDB(t *testing.T) string {
gz, err := os.Open("testdata/trivy.db.gz")
func initDB(t *testing.T) string {
fixtureDir := filepath.Join("testdata", "fixtures", "db")
entries, err := os.ReadDir(fixtureDir)
require.NoError(t, err)
zr, err := gzip.NewReader(gz)
require.NoError(t, err)
var fixtures []string
for _, entry := range entries {
if entry.IsDir() {
continue
}
fixtures = append(fixtures, filepath.Join(fixtureDir, entry.Name()))
}
tmpDir := t.TempDir()
dbPath := db.Path(tmpDir)
dbDir := filepath.Dir(dbPath)
err = os.MkdirAll(dbDir, 0700)
require.NoError(t, err)
cacheDir := dbtest.InitDB(t, fixtures)
defer db.Close()
file, err := os.Create(dbPath)
require.NoError(t, err)
defer file.Close()
_, err = io.Copy(file, zr)
require.NoError(t, err)
dbDir := filepath.Dir(db.Path(cacheDir))
metadataFile := filepath.Join(dbDir, "metadata.json")
b, err := json.Marshal(db.Metadata{
Version: 1,
Type: 1,
NextUpdate: time.Time{},
UpdatedAt: time.Time{},
f, err := os.Create(metadataFile)
require.NoError(t, err)
err = json.NewEncoder(f).Encode(metadata.Metadata{
Version: db.SchemaVersion,
NextUpdate: time.Now().Add(24 * time.Hour),
UpdatedAt: time.Now(),
})
require.NoError(t, err)
err = os.WriteFile(metadataFile, b, 0600)
require.NoError(t, err)
return tmpDir
return cacheDir
}
func getFreePort() (int, error) {
@@ -88,14 +85,14 @@ func waitPort(ctx context.Context, addr string) error {
}
}
func readReport(t *testing.T, filePath string) report.Report {
func readReport(t *testing.T, filePath string) types.Report {
t.Helper()
f, err := os.Open(filePath)
require.NoError(t, err, filePath)
defer f.Close()
var res report.Report
var res types.Report
err = json.NewDecoder(f).Decode(&res)
require.NoError(t, err, filePath)
@@ -105,6 +102,8 @@ func readReport(t *testing.T, filePath string) report.Report {
// We don't compare repo tags because the archive doesn't support it
res.Metadata.RepoTags = nil
res.Metadata.RepoDigests = nil
return res
}

64
integration/registry_test.go
View File

@@ -4,6 +4,8 @@
package integration
import (
"bytes"
"compress/gzip"
"context"
"crypto/tls"
"crypto/x509"
@@ -17,19 +19,20 @@ import (
"testing"
"github.com/docker/go-connections/nat"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/google/go-containerregistry/pkg/v1/tarball"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
testcontainers "github.com/testcontainers/testcontainers-go"
"github.com/testcontainers/testcontainers-go/wait"
_ "github.com/aquasecurity/fanal/analyzer"
testdocker "github.com/aquasecurity/trivy/integration/docker"
"github.com/aquasecurity/trivy/pkg/commands"
)
const (
registryImage = "registry:2"
registryImage = "registry:2.7.0"
registryPort = "5443/tcp"
authImage = "cesanta/docker_auth:1"
@@ -52,6 +55,7 @@ func setupRegistry(ctx context.Context, baseDir string, authURL *url.URL) (testc
"REGISTRY_AUTH_TOKEN_SERVICE": "registry.docker.io",
"REGISTRY_AUTH_TOKEN_ISSUER": "Trivy auth server",
"REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE": "/certs/cert.pem",
"REGISTRY_AUTH_TOKEN_AUTOREDIRECT": "false",
},
BindMounts: map[string]string{
filepath.Join(baseDir, "data", "certs"): "/certs",
@@ -133,13 +137,12 @@ func TestRegistry(t *testing.T) {
registryURL, err := getURL(ctx, registryC, registryPort)
require.NoError(t, err)
config := testdocker.RegistryConfig{
URL: registryURL,
auth := &authn.Basic{
Username: authUsername,
Password: authPassword,
}
testCases := []struct {
tests := []struct {
name string
imageName string
imageFile string
@@ -178,29 +181,25 @@ func TestRegistry(t *testing.T) {
},
}
for _, tc := range testCases {
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
d, err := testdocker.New()
require.NoError(t, err)
s := fmt.Sprintf("%s/%s", registryURL.Host, tc.imageName)
imageRef, err := name.ParseReference(s)
require.NoError(t, err)
// 1. Load a test image from the tar file, tag it and push to the test registry.
err = d.ReplicateImage(ctx, tc.imageName, tc.imageFile, config)
err = replicateImage(imageRef, tc.imageFile, auth)
require.NoError(t, err)
// 2. Scan it
resultFile, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
if tc.wantErr != "" {
require.NotNil(t, err)
require.Error(t, err)
require.Contains(t, err.Error(), tc.wantErr, err)
return
} else {
require.NoError(t, err)
}
require.NoError(t, err)
// 3. Read want and got
want := readReport(t, tc.golden)
@@ -211,9 +210,6 @@ func TestRegistry(t *testing.T) {
for i := range want.Results {
want.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", s)
}
want.Metadata.RepoDigests = []string{
fmt.Sprintf("%s/alpine@sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f", registryURL.Host),
}
// 5. Compare want and got
assert.Equal(t, want, got)
@@ -223,7 +219,7 @@ func TestRegistry(t *testing.T) {
func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, error) {
// Set up testing DB
cacheDir := gunzipDB(t)
cacheDir := initDB(t)
// Setup the output file
outputFile := filepath.Join(t.TempDir(), "output.json")
@@ -240,7 +236,8 @@ func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt
app := commands.NewApp("dev")
app.Writer = io.Discard
osArgs := []string{"trivy", "--cache-dir", cacheDir, "--format", "json", "--skip-update", "--output", outputFile, imageRef.Name()}
osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", "json", "--skip-update",
"--output", outputFile, imageRef.Name()}
// Run Trivy
if err := app.Run(osArgs); err != nil {
@@ -316,3 +313,32 @@ func requestRegistryToken(imageRef name.Reference, baseDir string, opt registryO
return r.AccessToken, nil
}
// ReplicateImage tags the given imagePath and pushes it to the given dest registry.
func replicateImage(imageRef name.Reference, imagePath string, auth authn.Authenticator) error {
img, err := tarball.Image(func() (io.ReadCloser, error) {
b, err := os.ReadFile(imagePath)
if err != nil {
return nil, err
}
gr, err := gzip.NewReader(bytes.NewReader(b))
if err != nil {
return nil, err
}
return io.NopCloser(gr), nil
}, nil)
if err != nil {
return err
}
t := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
err = remote.Write(imageRef, img, remote.WithAuth(auth), remote.WithTransport(t))
if err != nil {
return err
}
return nil
}

416
integration/standalone_tar_test.go
View File

@@ -15,105 +15,84 @@ import (
"github.com/aquasecurity/trivy/pkg/commands"
)
func TestRun_WithTar(t *testing.T) {
func TestTar(t *testing.T) {
type args struct {
Version string
WithImageSubcommand bool
SkipUpdate bool
IgnoreUnfixed bool
Severity []string
IgnoreIDs []string
Format string
Input string
SkipDirs []string
SkipFiles []string
IgnoreUnfixed bool
Severity []string
IgnoreIDs []string
Format string
Input string
SkipDirs []string
SkipFiles []string
}
cases := []struct {
tests := []struct {
name string
testArgs args
golden string
}{
{
name: "alpine 3.10 integration",
name: "alpine 3.9",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.json.golden",
},
{
name: "alpine 3.10 integration with image subcommand",
testArgs: args{
Version: "dev",
WithImageSubcommand: true,
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.json.golden",
},
{
name: "alpine 3.10 integration with --ignore-unfixed option",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: true,
Format: "json",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310-ignore-unfixed.json.golden",
},
{
name: "alpine 3.10 integration with medium and high severity",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: true,
Severity: []string{"MEDIUM", "HIGH"},
Format: "json",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310-medium-high.json.golden",
},
{
name: "alpine 3.10 integration with .trivyignore",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: false,
IgnoreIDs: []string{"CVE-2019-1549", "CVE-2019-1563"},
Format: "json",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310-ignore-cveids.json.golden",
},
{
name: "alpine 3.9 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/alpine-39.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/alpine-39.tar.gz",
},
golden: "testdata/alpine-39.json.golden",
},
{
name: "debian buster integration",
name: "alpine 3.9 with high and critical severity",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/debian-buster.tar.gz",
IgnoreUnfixed: true,
Severity: []string{"HIGH", "CRITICAL"},
Format: "json",
Input: "testdata/fixtures/images/alpine-39.tar.gz",
},
golden: "testdata/alpine-39-high-critical.json.golden",
},
{
name: "alpine 3.9 with .trivyignore",
testArgs: args{
IgnoreUnfixed: false,
IgnoreIDs: []string{"CVE-2019-1549", "CVE-2019-14697"},
Format: "json",
Input: "testdata/fixtures/images/alpine-39.tar.gz",
},
golden: "testdata/alpine-39-ignore-cveids.json.golden",
},
{
name: "alpine 3.10",
testArgs: args{
Format: "json",
Input: "testdata/fixtures/images/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.json.golden",
},
{
name: "amazon linux 1",
testArgs: args{
Format: "json",
Input: "testdata/fixtures/images/amazon-1.tar.gz",
},
golden: "testdata/amazon-1.json.golden",
},
{
name: "amazon linux 2",
testArgs: args{
Format: "json",
Input: "testdata/fixtures/images/amazon-2.tar.gz",
},
golden: "testdata/amazon-2.json.golden",
},
{
name: "debian buster/10",
testArgs: args{
Format: "json",
Input: "testdata/fixtures/images/debian-buster.tar.gz",
},
golden: "testdata/debian-buster.json.golden",
},
{
name: "debian buster integration with --ignore-unfixed option",
name: "debian buster/10 with --ignore-unfixed option",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: true,
Format: "json",
Input: "testdata/fixtures/images/debian-buster.tar.gz",
@@ -121,30 +100,24 @@ func TestRun_WithTar(t *testing.T) {
golden: "testdata/debian-buster-ignore-unfixed.json.golden",
},
{
name: "debian stretch integration",
name: "debian stretch/9",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/debian-stretch.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/debian-stretch.tar.gz",
},
golden: "testdata/debian-stretch.json.golden",
},
{
name: "ubuntu 18.04 integration",
name: "ubuntu 18.04",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
},
golden: "testdata/ubuntu-1804.json.golden",
},
{
name: "ubuntu 18.04 integration with --ignore-unfixed option",
name: "ubuntu 18.04 with --ignore-unfixed option",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: true,
Format: "json",
Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
@@ -152,30 +125,16 @@ func TestRun_WithTar(t *testing.T) {
golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
},
{
name: "ubuntu 16.04 integration",
name: "centos 7",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/ubuntu-1604.tar.gz",
},
golden: "testdata/ubuntu-1604.json.golden",
},
{
name: "centos 7 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/centos-7.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/centos-7.tar.gz",
},
golden: "testdata/centos-7.json.golden",
},
{
name: "centos 7 integration with --ignore-unfixed option",
name: "centos 7with --ignore-unfixed option",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: true,
Format: "json",
Input: "testdata/fixtures/images/centos-7.tar.gz",
@@ -183,249 +142,158 @@ func TestRun_WithTar(t *testing.T) {
golden: "testdata/centos-7-ignore-unfixed.json.golden",
},
{
name: "centos 7 integration with low and high severity",
name: "centos 7 with medium severity",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: true,
Severity: []string{"LOW", "HIGH"},
Severity: []string{"MEDIUM"},
Format: "json",
Input: "testdata/fixtures/images/centos-7.tar.gz",
},
golden: "testdata/centos-7-low-high.json.golden",
golden: "testdata/centos-7-medium.json.golden",
},
{
name: "centos 6 integration",
name: "centos 6",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/centos-6.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/centos-6.tar.gz",
},
golden: "testdata/centos-6.json.golden",
},
{
name: "ubi 7 integration",
name: "ubi 7",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/ubi-7.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/ubi-7.tar.gz",
},
golden: "testdata/ubi-7.json.golden",
},
{
name: "distroless base integration",
name: "almalinux 8",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/distroless-base.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/almalinux-8.tar.gz",
},
golden: "testdata/almalinux-8.json.golden",
},
{
name: "rocky linux 8",
testArgs: args{
Format: "json",
Input: "testdata/fixtures/images/rockylinux-8.tar.gz",
},
golden: "testdata/rockylinux-8.json.golden",
},
{
name: "distroless base",
testArgs: args{
Format: "json",
Input: "testdata/fixtures/images/distroless-base.tar.gz",
},
golden: "testdata/distroless-base.json.golden",
},
{
name: "distroless base integration with --ignore-unfixed option",
name: "distroless python27",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: true,
Format: "json",
Input: "testdata/fixtures/images/distroless-base.tar.gz",
},
golden: "testdata/distroless-base-ignore-unfixed.json.golden",
},
{
name: "distroless python27 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/distroless-python27.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/distroless-python27.tar.gz",
},
golden: "testdata/distroless-python27.json.golden",
},
{
name: "amazon 1 integration",
name: "oracle linux 8",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/amazon-1.tar.gz",
},
golden: "testdata/amazon-1.json.golden",
},
{
name: "amazon 2 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/amazon-2.tar.gz",
},
golden: "testdata/amazon-2.json.golden",
},
{
name: "oracle 6 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
},
golden: "testdata/oraclelinux-6-slim.json.golden",
},
{
name: "oracle 7 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
},
golden: "testdata/oraclelinux-7-slim.json.golden",
},
{
name: "oracle 8 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
},
golden: "testdata/oraclelinux-8-slim.json.golden",
},
{
name: "opensuse leap 15.1 integration",
name: "opensuse leap 15.1",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
},
golden: "testdata/opensuse-leap-151.json.golden",
},
{
name: "opensuse leap 42.3 integration",
name: "photon 3.0",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
},
golden: "testdata/opensuse-leap-423.json.golden",
},
{
name: "photon 1.0 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/photon-10.tar.gz",
},
golden: "testdata/photon-10.json.golden",
},
{
name: "photon 2.0 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/photon-20.tar.gz",
},
golden: "testdata/photon-20.json.golden",
},
{
name: "photon 3.0 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/photon-30.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/photon-30.tar.gz",
},
golden: "testdata/photon-30.json.golden",
},
{
name: "CBL-Mariner 1.0",
testArgs: args{
Format: "json",
Input: "testdata/fixtures/images/mariner-1.0.tar.gz",
},
golden: "testdata/mariner-1.0.json.golden",
},
{
name: "buxybox with Cargo.lock integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
Format: "json",
Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
},
golden: "testdata/busybox-with-lockfile.json.golden",
},
{
name: "fluentd with multiple lock files",
name: "fluentd with RubyGems",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: true,
Format: "json",
Input: "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
SkipFiles: []string{"/Gemfile.lock"},
SkipDirs: []string{
"/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0",
"/var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13",
},
},
golden: "testdata/fluentd-multiple-lockfiles.json.golden",
golden: "testdata/fluentd-gems.json.golden",
},
}
// Set up testing DB
cacheDir := gunzipDB(t)
cacheDir := initDB(t)
// Setup CLI App
app := commands.NewApp("dev")
app.Writer = io.Discard
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
osArgs := []string{"trivy"}
osArgs = append(osArgs, "--cache-dir", cacheDir)
if c.testArgs.WithImageSubcommand {
osArgs = append(osArgs, "image")
}
osArgs = append(osArgs, "--format", c.testArgs.Format)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", tt.testArgs.Format, "--skip-update"}
if c.testArgs.SkipUpdate {
osArgs = append(osArgs, "--skip-update")
}
if c.testArgs.IgnoreUnfixed {
if tt.testArgs.IgnoreUnfixed {
osArgs = append(osArgs, "--ignore-unfixed")
}
if len(c.testArgs.Severity) != 0 {
osArgs = append(osArgs,
[]string{"--severity", strings.Join(c.testArgs.Severity, ",")}...,
)
if len(tt.testArgs.Severity) != 0 {
osArgs = append(osArgs, "--severity", strings.Join(tt.testArgs.Severity, ","))
}
if len(c.testArgs.IgnoreIDs) != 0 {
if len(tt.testArgs.IgnoreIDs) != 0 {
trivyIgnore := ".trivyignore"
err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.testArgs.IgnoreIDs, "\n")), 0444)
err := os.WriteFile(trivyIgnore, []byte(strings.Join(tt.testArgs.IgnoreIDs, "\n")), 0444)
assert.NoError(t, err, "failed to write .trivyignore")
defer os.Remove(trivyIgnore)
}
if c.testArgs.Input != "" {
osArgs = append(osArgs, "--input", c.testArgs.Input)
if tt.testArgs.Input != "" {
osArgs = append(osArgs, "--input", tt.testArgs.Input)
}
if len(c.testArgs.SkipFiles) != 0 {
for _, skipFile := range c.testArgs.SkipFiles {
// TODO: test skip files/dirs
if len(tt.testArgs.SkipFiles) != 0 {
for _, skipFile := range tt.testArgs.SkipFiles {
osArgs = append(osArgs, "--skip-files", skipFile)
}
}
if len(c.testArgs.SkipDirs) != 0 {
for _, skipDir := range c.testArgs.SkipDirs {
if len(tt.testArgs.SkipDirs) != 0 {
for _, skipDir := range tt.testArgs.SkipDirs {
osArgs = append(osArgs, "--skip-dirs", skipDir)
}
}
// Setup the output file
// Set up the output file
outputFile := filepath.Join(t.TempDir(), "output.json")
if *update {
outputFile = c.golden
outputFile = tt.golden
}
osArgs = append(osArgs, []string{"--output", outputFile}...)
@@ -434,7 +302,7 @@ func TestRun_WithTar(t *testing.T) {
assert.Nil(t, app.Run(osArgs))
// Compare want and got
compareReports(t, c.golden, outputFile)
compareReports(t, tt.golden, outputFile)
})
}
}

122
integration/testdata/almalinux-8.json.golden vendored Normal file
View File

@@ -0,0 +1,122 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/almalinux-8.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alma",
"Name": "8.5"
},
"ImageID": "sha256:4ca63ce1d8a90da2ed4f2d5e93e8e9db2f32d0fabf0718a2edebbe0e70826622",
"DiffIDs": [
"sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
],
"ImageConfig": {
"architecture": "amd64",
"container": "a467f67a48d469e1975b7414f33f2cf87121d4cc59d2ee029ea58e6b81774769",
"created": "2021-11-13T12:10:27.09871973Z",
"docker_version": "20.10.7",
"history": [
{
"created": "2021-11-13T12:10:26.29818864Z",
"created_by": "/bin/sh -c #(nop) ADD file:2e002305ccb9d8a4dcef52509c4c50b9a15e76c9c49ca6abda3e0d7091c63fa7 in / "
},
{
"created": "2021-11-13T12:10:27.09871973Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
]
},
"config": {
"Cmd": [
"/bin/bash"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:d38d2eac03bc19e080df596d6148863a0f8293f3a277a7524f378da79a1feb0f"
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/almalinux-8.tar.gz (alma 8.5)",
"Class": "os-pkgs",
"Type": "alma",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2021-3712",
"PkgName": "openssl-libs",
"InstalledVersion": "1:1.1.1k-4.el8",
"FixedVersion": "1:1.1.1k-5.el8_5",
"Layer": {
"DiffID": "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
},
"SeveritySource": "alma",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712",
"DataSource": {
"ID": "alma",
"Name": "AlmaLinux Product Errata",
"URL": "https://errata.almalinux.org/"
},
"Title": "openssl: Read buffer overruns processing ASN.1 strings",
"Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V2Score": 5.8,
"V3Score": 7.4
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V3Score": 7.4
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2021/08/26/2",
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json",
"https://access.redhat.com/security/cve/CVE-2021-3712",
"https://crates.io/crates/openssl-src",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
"https://linux.oracle.com/cve/CVE-2021-3712.html",
"https://linux.oracle.com/errata/ELSA-2022-9023.html",
"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
"https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
"https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
"https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
"https://rustsec.org/advisories/RUSTSEC-2021-0098.html",
"https://security.netapp.com/advisory/ntap-20210827-0010/",
"https://ubuntu.com/security/notices/USN-5051-1",
"https://ubuntu.com/security/notices/USN-5051-2",
"https://ubuntu.com/security/notices/USN-5051-3",
"https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)",
"https://ubuntu.com/security/notices/USN-5088-1",
"https://www.debian.org/security/2021/dsa-4963",
"https://www.openssl.org/news/secadv/20210824.txt",
"https://www.oracle.com/security-alerts/cpuoct2021.html",
"https://www.tenable.com/security/tns-2021-16",
"https://www.tenable.com/security/tns-2022-02"
],
"PublishedDate": "2021-08-24T15:15:00Z",
"LastModifiedDate": "2022-01-06T09:15:00Z"
}
]
}
]
}

223
integration/testdata/alpine-310-ignore-cveids.json.golden vendored
View File

@@ -1,223 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.10.2",
"EOSL": true
},
"ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
"DiffIDs": [
"sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
],
"ImageConfig": {
"architecture": "amd64",
"container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
"created": "2019-08-20T20:19:55.211423266Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-08-20T20:19:55.062606894Z",
"created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
},
{
"created": "2019-08-20T20:19:55.211423266Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
]
},
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
"ArgsEscaped": true
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}
]
}

375
integration/testdata/alpine-310-ignore-unfixed.json.golden vendored
View File

@@ -1,375 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.10.2",
"EOSL": true
},
"ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
"DiffIDs": [
"sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
],
"ImageConfig": {
"architecture": "amd64",
"container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
"created": "2019-08-20T20:19:55.211423266Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-08-20T20:19:55.062606894Z",
"created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
},
{
"created": "2019-08-20T20:19:55.211423266Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
]
},
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
"ArgsEscaped": true
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}
]
}

295
integration/testdata/alpine-310-medium-high.json.golden vendored
View File

@@ -1,295 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.10.2",
"EOSL": true
},
"ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
"DiffIDs": [
"sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
],
"ImageConfig": {
"architecture": "amd64",
"container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
"created": "2019-08-20T20:19:55.211423266Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-08-20T20:19:55.062606894Z",
"created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
},
{
"created": "2019-08-20T20:19:55.211423266Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
]
},
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
"ArgsEscaped": true
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
}
]
}
]
}

306
integration/testdata/alpine-310-registry.json.golden vendored
View File

@@ -1,6 +1,6 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
"ArtifactName": "localhost:63577/alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
@@ -12,6 +12,12 @@
"DiffIDs": [
"sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
],
"RepoTags": [
"localhost:63577/alpine:3.10"
],
"RepoDigests": [
"localhost:63577/alpine@sha256:d9b1a0d4fab413443a22e550cb8720de487295cebca3f9b2fcbf8882192a9bf9"
],
"ImageConfig": {
"architecture": "amd64",
"container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
@@ -49,7 +55,7 @@
},
"Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Target": "localhost:63577/alpine:3.10 (alpine 3.10.2)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
@@ -59,11 +65,16 @@
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
@@ -73,7 +84,9 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -81,15 +94,29 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
"https://linux.oracle.com/errata/ELSA-2020-1840.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
"https://seclists.org/bugtraq/2019/Oct/1",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
"https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://usn.ubuntu.com/4376-1/",
"https://www.debian.org/security/2019/dsa-4539",
"https://www.openssl.org/news/secadv/20190910.txt",
"https://www.oracle.com/security-alerts/cpuapr2020.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
"LastModifiedDate": "2020-10-20T22:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
@@ -97,13 +124,18 @@
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
@@ -111,109 +143,49 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://linux.oracle.com/cve/CVE-2019-1551.html",
"https://linux.oracle.com/errata/ELSA-2020-4514.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.gentoo.org/glsa/202004-10",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://ubuntu.com/security/notices/USN-4504-1",
"https://usn.ubuntu.com/4376-1/",
"https://usn.ubuntu.com/4504-1/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.debian.org/security/2021/dsa-4855",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.tenable.com/security/tns-2019-09",
"https://www.tenable.com/security/tns-2020-03",
"https://www.tenable.com/security/tns-2020-11",
"https://www.tenable.com/security/tns-2021-10"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
"LastModifiedDate": "2021-07-21T11:39:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
@@ -221,11 +193,16 @@
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
@@ -235,7 +212,9 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -243,15 +222,29 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
"https://linux.oracle.com/errata/ELSA-2020-1840.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
"https://seclists.org/bugtraq/2019/Oct/1",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
"https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://usn.ubuntu.com/4376-1/",
"https://www.debian.org/security/2019/dsa-4539",
"https://www.openssl.org/news/secadv/20190910.txt",
"https://www.oracle.com/security-alerts/cpuapr2020.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
"LastModifiedDate": "2020-10-20T22:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
@@ -259,13 +252,18 @@
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
@@ -273,109 +271,49 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://linux.oracle.com/cve/CVE-2019-1551.html",
"https://linux.oracle.com/errata/ELSA-2020-4514.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.gentoo.org/glsa/202004-10",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://ubuntu.com/security/notices/USN-4504-1",
"https://usn.ubuntu.com/4376-1/",
"https://usn.ubuntu.com/4504-1/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.debian.org/security/2021/dsa-4855",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.tenable.com/security/tns-2019-09",
"https://www.tenable.com/security/tns-2020-03",
"https://www.tenable.com/security/tns-2020-11",
"https://www.tenable.com/security/tns-2021-10"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
"LastModifiedDate": "2021-07-21T11:39:00Z"
}
]
}

200
integration/testdata/alpine-310.asff.golden vendored
View File

@@ -34,8 +34,8 @@
"PkgName": "libcrypto1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV3": "5.3",
"NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"NvdCvssScoreV2": "5",
"NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
}
@@ -57,7 +57,7 @@
"Label": "MEDIUM"
},
"Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
@@ -79,8 +79,8 @@
"PkgName": "libcrypto1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r2",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV3": "5.3",
"NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"NvdCvssScoreV2": "5",
"NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
}
@@ -89,96 +89,6 @@
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Label": "MEDIUM"
},
"Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1563",
"CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"PkgName": "libcrypto1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "4.3",
"NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Label": "LOW"
},
"Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1547",
"CVE Title": "openssl: side-channel weak encryption vulnerability",
"PkgName": "libcrypto1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "1.9",
"NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
@@ -214,8 +124,8 @@
"PkgName": "libssl1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV3": "5.3",
"NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"NvdCvssScoreV2": "5",
"NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
}
@@ -237,7 +147,7 @@
"Label": "MEDIUM"
},
"Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
@@ -259,8 +169,8 @@
"PkgName": "libssl1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r2",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV3": "5.3",
"NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"NvdCvssScoreV2": "5",
"NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
}
@@ -268,95 +178,5 @@
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Label": "MEDIUM"
},
"Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1563",
"CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"PkgName": "libssl1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "4.3",
"NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Label": "LOW"
},
"Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1547",
"CVE Title": "openssl: side-channel weak encryption vulnerability",
"PkgName": "libssl1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "1.9",
"NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
}
]

66
integration/testdata/alpine-310.gitlab-codequality.golden vendored
View File

@@ -4,6 +4,7 @@
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": "CVE-2019-1549: openssl: information disclosure in fork()",
"fingerprint": "4fd5aebc601a7127e0a012b91569675cd8566e15",
"content": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"severity": "minor",
"location": {
@@ -18,7 +19,8 @@
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": "CVE-2019-1551: openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"fingerprint": "7a6f161c388588da3cca874c3aba98a296a1ebf4",
"content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"severity": "minor",
"location": {
"path": "libcrypto1.1-1.1.1c-r0",
@@ -27,39 +29,12 @@
}
}
},
{
"type": "issue",
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": "CVE-2019-1563: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"content": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"severity": "minor",
"location": {
"path": "libcrypto1.1-1.1.1c-r0",
"lines": {
"begin": 1
}
}
},
{
"type": "issue",
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": "CVE-2019-1547: openssl: side-channel weak encryption vulnerability",
"content": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"severity": "info",
"location": {
"path": "libcrypto1.1-1.1.1c-r0",
"lines": {
"begin": 1
}
}
},
{
"type": "issue",
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": "CVE-2019-1549: openssl: information disclosure in fork()",
"fingerprint": "4fd5aebc601a7127e0a012b91569675cd8566e15",
"content": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"severity": "minor",
"location": {
@@ -74,7 +49,8 @@
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": "CVE-2019-1551: openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"fingerprint": "7a6f161c388588da3cca874c3aba98a296a1ebf4",
"content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"severity": "minor",
"location": {
"path": "libssl1.1-1.1.1c-r0",
@@ -82,33 +58,5 @@
"begin": 1
}
}
},
{
"type": "issue",
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": "CVE-2019-1563: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"content": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"severity": "minor",
"location": {
"path": "libssl1.1-1.1.1c-r0",
"lines": {
"begin": 1
}
}
},
{
"type": "issue",
"check_name": "container_scanning",
"categories": [ "Security" ],
"description": "CVE-2019-1547: openssl: side-channel weak encryption vulnerability",
"content": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"severity": "info",
"location": {
"path": "libssl1.1-1.1.1c-r0",
"lines": {
"begin": 1
}
}
}
]
]

328
integration/testdata/alpine-310.gitlab.golden vendored
View File

@@ -33,17 +33,45 @@
}
],
"links": [{
"url": "https://access.redhat.com/security/cve/CVE-2019-1549"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
},{
"url": "https://linux.oracle.com/cve/CVE-2019-1549.html"
},{
"url": "https://linux.oracle.com/errata/ELSA-2020-1840.html"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
},{
"url": "https://seclists.org/bugtraq/2019/Oct/1"
},{
"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
},{
"url": "https://support.f5.com/csp/article/K44070243"
},{
"url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;utm_medium=RSS"
},{
"url": "https://ubuntu.com/security/notices/USN-4376-1"
},{
"url": "https://usn.ubuntu.com/4376-1/"
},{
"url": "https://www.debian.org/security/2019/dsa-4539"
},{
"url": "https://www.openssl.org/news/secadv/20190910.txt"
},{
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},{
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},{
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},{
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},{
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
}
]
},
@@ -51,7 +79,7 @@
"id": "CVE-2019-1551",
"category": "container_scanning",
"message": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"cve": "CVE-2019-1551",
"severity": "Medium",
"confidence": "Unknown",
@@ -79,7 +107,11 @@
}
],
"links": [{
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
},{
"url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://access.redhat.com/security/cve/CVE-2019-1551"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
},{
@@ -88,120 +120,52 @@
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98"
},{
"url": "https://github.com/openssl/openssl/pull/10575"
},{
"url": "https://linux.oracle.com/cve/CVE-2019-1551.html"
},{
"url": "https://linux.oracle.com/errata/ELSA-2020-4514.html"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"
},{
"url": "https://seclists.org/bugtraq/2019/Dec/39"
},{
"url": "https://seclists.org/bugtraq/2019/Dec/46"
},{
"url": "https://security.gentoo.org/glsa/202004-10"
},{
"url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
},{
"url": "https://ubuntu.com/security/notices/USN-4376-1"
},{
"url": "https://ubuntu.com/security/notices/USN-4504-1"
},{
"url": "https://usn.ubuntu.com/4376-1/"
},{
"url": "https://usn.ubuntu.com/4504-1/"
},{
"url": "https://www.debian.org/security/2019/dsa-4594"
},{
"url": "https://www.debian.org/security/2021/dsa-4855"
},{
"url": "https://www.openssl.org/news/secadv/20191206.txt"
},{
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},{
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},{
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},{
"url": "https://www.tenable.com/security/tns-2019-09"
}
]
},
{
"id": "CVE-2019-1563",
"category": "container_scanning",
"message": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"cve": "CVE-2019-1563",
"severity": "Medium",
"confidence": "Unknown",
"solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "libcrypto1.1"
},
"version": "1.1.1c-r0"
},
"operating_system": "Unknown",
"image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-1563",
"value": "CVE-2019-1563",
"url": "https://avd.aquasec.com/nvd/cve-2019-1563"
}
],
"links": [{
"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563"
"url": "https://www.tenable.com/security/tns-2020-03"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64"
"url": "https://www.tenable.com/security/tns-2020-11"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"
},{
"url": "https://seclists.org/bugtraq/2019/Sep/25"
},{
"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
},{
"url": "https://www.openssl.org/news/secadv/20190910.txt"
}
]
},
{
"id": "CVE-2019-1547",
"category": "container_scanning",
"message": "openssl: side-channel weak encryption vulnerability",
"description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"cve": "CVE-2019-1547",
"severity": "Low",
"confidence": "Unknown",
"solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "libcrypto1.1"
},
"version": "1.1.1c-r0"
},
"operating_system": "Unknown",
"image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-1547",
"value": "CVE-2019-1547",
"url": "https://avd.aquasec.com/nvd/cve-2019-1547"
}
],
"links": [{
"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://arxiv.org/abs/1909.01785"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
},{
"url": "https://seclists.org/bugtraq/2019/Sep/25"
},{
"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
},{
"url": "https://www.openssl.org/news/secadv/20190910.txt"
"url": "https://www.tenable.com/security/tns-2021-10"
}
]
},
@@ -237,17 +201,45 @@
}
],
"links": [{
"url": "https://access.redhat.com/security/cve/CVE-2019-1549"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
},{
"url": "https://linux.oracle.com/cve/CVE-2019-1549.html"
},{
"url": "https://linux.oracle.com/errata/ELSA-2020-1840.html"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
},{
"url": "https://seclists.org/bugtraq/2019/Oct/1"
},{
"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
},{
"url": "https://support.f5.com/csp/article/K44070243"
},{
"url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;utm_medium=RSS"
},{
"url": "https://ubuntu.com/security/notices/USN-4376-1"
},{
"url": "https://usn.ubuntu.com/4376-1/"
},{
"url": "https://www.debian.org/security/2019/dsa-4539"
},{
"url": "https://www.openssl.org/news/secadv/20190910.txt"
},{
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},{
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},{
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},{
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},{
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
}
]
},
@@ -255,7 +247,7 @@
"id": "CVE-2019-1551",
"category": "container_scanning",
"message": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"cve": "CVE-2019-1551",
"severity": "Medium",
"confidence": "Unknown",
@@ -283,7 +275,11 @@
}
],
"links": [{
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
},{
"url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://access.redhat.com/security/cve/CVE-2019-1551"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
},{
@@ -292,120 +288,52 @@
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98"
},{
"url": "https://github.com/openssl/openssl/pull/10575"
},{
"url": "https://linux.oracle.com/cve/CVE-2019-1551.html"
},{
"url": "https://linux.oracle.com/errata/ELSA-2020-4514.html"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"
},{
"url": "https://seclists.org/bugtraq/2019/Dec/39"
},{
"url": "https://seclists.org/bugtraq/2019/Dec/46"
},{
"url": "https://security.gentoo.org/glsa/202004-10"
},{
"url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
},{
"url": "https://ubuntu.com/security/notices/USN-4376-1"
},{
"url": "https://ubuntu.com/security/notices/USN-4504-1"
},{
"url": "https://usn.ubuntu.com/4376-1/"
},{
"url": "https://usn.ubuntu.com/4504-1/"
},{
"url": "https://www.debian.org/security/2019/dsa-4594"
},{
"url": "https://www.debian.org/security/2021/dsa-4855"
},{
"url": "https://www.openssl.org/news/secadv/20191206.txt"
},{
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},{
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},{
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},{
"url": "https://www.tenable.com/security/tns-2019-09"
}
]
},
{
"id": "CVE-2019-1563",
"category": "container_scanning",
"message": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"cve": "CVE-2019-1563",
"severity": "Medium",
"confidence": "Unknown",
"solution": "Upgrade libssl1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "libssl1.1"
},
"version": "1.1.1c-r0"
},
"operating_system": "Unknown",
"image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-1563",
"value": "CVE-2019-1563",
"url": "https://avd.aquasec.com/nvd/cve-2019-1563"
}
],
"links": [{
"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563"
"url": "https://www.tenable.com/security/tns-2020-03"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64"
"url": "https://www.tenable.com/security/tns-2020-11"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"
},{
"url": "https://seclists.org/bugtraq/2019/Sep/25"
},{
"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
},{
"url": "https://www.openssl.org/news/secadv/20190910.txt"
}
]
},
{
"id": "CVE-2019-1547",
"category": "container_scanning",
"message": "openssl: side-channel weak encryption vulnerability",
"description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"cve": "CVE-2019-1547",
"severity": "Low",
"confidence": "Unknown",
"solution": "Upgrade libssl1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "libssl1.1"
},
"version": "1.1.1c-r0"
},
"operating_system": "Unknown",
"image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-1547",
"value": "CVE-2019-1547",
"url": "https://avd.aquasec.com/nvd/cve-2019-1547"
}
],
"links": [{
"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://arxiv.org/abs/1909.01785"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
},{
"url": "https://seclists.org/bugtraq/2019/Sep/25"
},{
"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
},{
"url": "https://www.openssl.org/news/secadv/20190910.txt"
"url": "https://www.tenable.com/security/tns-2021-10"
}
]
}

141
integration/testdata/alpine-310.html.golden vendored
View File

@@ -51,7 +51,7 @@
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</title>
<title>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10 07:28:17.000958601 +0000 UTC </title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -81,7 +81,7 @@
</script>
</head>
<body>
<h1>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</h1>
<h1>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10 07:28:17.000958601 +0000 UTC</h1>
<table>
<tr class="group-header"><th colspan="6">alpine</th></tr>
<tr class="sub-header">
@@ -99,12 +99,26 @@
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
<a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
<a href="https://linux.oracle.com/errata/ELSA-2020-1840.html">https://linux.oracle.com/errata/ELSA-2020-1840.html</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/</a>
<a href="https://seclists.org/bugtraq/2019/Oct/1">https://seclists.org/bugtraq/2019/Oct/1</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://support.f5.com/csp/article/K44070243">https://support.f5.com/csp/article/K44070243</a>
<a href="https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS">https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS</a>
<a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
<a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
<a href="https://www.debian.org/security/2019/dsa-4539">https://www.debian.org/security/2019/dsa-4539</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
<a href="https://www.oracle.com/security-alerts/cpuapr2020.html">https://www.oracle.com/security-alerts/cpuapr2020.html</a>
<a href="https://www.oracle.com/security-alerts/cpujan2020.html">https://www.oracle.com/security-alerts/cpujan2020.html</a>
<a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
<a href="https://www.oracle.com/security-alerts/cpuoct2020.html">https://www.oracle.com/security-alerts/cpuoct2020.html</a>
<a href="https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html">https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</a>
</td>
</tr>
<tr class="severity-MEDIUM">
@@ -114,52 +128,36 @@
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r2</td>
<td class="links" data-more-links="off">
<a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
<a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
<a href="https://github.com/openssl/openssl/pull/10575">https://github.com/openssl/openssl/pull/10575</a>
<a href="https://linux.oracle.com/cve/CVE-2019-1551.html">https://linux.oracle.com/cve/CVE-2019-1551.html</a>
<a href="https://linux.oracle.com/errata/ELSA-2020-4514.html">https://linux.oracle.com/errata/ELSA-2020-4514.html</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/</a>
<a href="https://seclists.org/bugtraq/2019/Dec/39">https://seclists.org/bugtraq/2019/Dec/39</a>
<a href="https://seclists.org/bugtraq/2019/Dec/46">https://seclists.org/bugtraq/2019/Dec/46</a>
<a href="https://security.gentoo.org/glsa/202004-10">https://security.gentoo.org/glsa/202004-10</a>
<a href="https://security.netapp.com/advisory/ntap-20191210-0001/">https://security.netapp.com/advisory/ntap-20191210-0001/</a>
<a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
<a href="https://ubuntu.com/security/notices/USN-4504-1">https://ubuntu.com/security/notices/USN-4504-1</a>
<a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
<a href="https://usn.ubuntu.com/4504-1/">https://usn.ubuntu.com/4504-1/</a>
<a href="https://www.debian.org/security/2019/dsa-4594">https://www.debian.org/security/2019/dsa-4594</a>
<a href="https://www.debian.org/security/2021/dsa-4855">https://www.debian.org/security/2021/dsa-4855</a>
<a href="https://www.openssl.org/news/secadv/20191206.txt">https://www.openssl.org/news/secadv/20191206.txt</a>
<a href="https://www.oracle.com/security-alerts/cpuApr2021.html">https://www.oracle.com/security-alerts/cpuApr2021.html</a>
<a href="https://www.oracle.com/security-alerts/cpujan2021.html">https://www.oracle.com/security-alerts/cpujan2021.html</a>
<a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
<a href="https://www.tenable.com/security/tns-2019-09">https://www.tenable.com/security/tns-2019-09</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libcrypto1.1</td>
<td>CVE-2019-1563</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f</a>
<a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
</td>
</tr>
<tr class="severity-LOW">
<td class="pkg-name">libcrypto1.1</td>
<td>CVE-2019-1547</td>
<td class="severity">LOW</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://arxiv.org/abs/1909.01785">https://arxiv.org/abs/1909.01785</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a</a>
<a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
<a href="https://www.tenable.com/security/tns-2020-03">https://www.tenable.com/security/tns-2020-03</a>
<a href="https://www.tenable.com/security/tns-2020-11">https://www.tenable.com/security/tns-2020-11</a>
<a href="https://www.tenable.com/security/tns-2021-10">https://www.tenable.com/security/tns-2021-10</a>
</td>
</tr>
<tr class="severity-MEDIUM">
@@ -169,12 +167,26 @@
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
<a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
<a href="https://linux.oracle.com/errata/ELSA-2020-1840.html">https://linux.oracle.com/errata/ELSA-2020-1840.html</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/</a>
<a href="https://seclists.org/bugtraq/2019/Oct/1">https://seclists.org/bugtraq/2019/Oct/1</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://support.f5.com/csp/article/K44070243">https://support.f5.com/csp/article/K44070243</a>
<a href="https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS">https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS</a>
<a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
<a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
<a href="https://www.debian.org/security/2019/dsa-4539">https://www.debian.org/security/2019/dsa-4539</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
<a href="https://www.oracle.com/security-alerts/cpuapr2020.html">https://www.oracle.com/security-alerts/cpuapr2020.html</a>
<a href="https://www.oracle.com/security-alerts/cpujan2020.html">https://www.oracle.com/security-alerts/cpujan2020.html</a>
<a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
<a href="https://www.oracle.com/security-alerts/cpuoct2020.html">https://www.oracle.com/security-alerts/cpuoct2020.html</a>
<a href="https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html">https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</a>
</td>
</tr>
<tr class="severity-MEDIUM">
@@ -184,54 +196,39 @@
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r2</td>
<td class="links" data-more-links="off">
<a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
<a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
<a href="https://github.com/openssl/openssl/pull/10575">https://github.com/openssl/openssl/pull/10575</a>
<a href="https://linux.oracle.com/cve/CVE-2019-1551.html">https://linux.oracle.com/cve/CVE-2019-1551.html</a>
<a href="https://linux.oracle.com/errata/ELSA-2020-4514.html">https://linux.oracle.com/errata/ELSA-2020-4514.html</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/</a>
<a href="https://seclists.org/bugtraq/2019/Dec/39">https://seclists.org/bugtraq/2019/Dec/39</a>
<a href="https://seclists.org/bugtraq/2019/Dec/46">https://seclists.org/bugtraq/2019/Dec/46</a>
<a href="https://security.gentoo.org/glsa/202004-10">https://security.gentoo.org/glsa/202004-10</a>
<a href="https://security.netapp.com/advisory/ntap-20191210-0001/">https://security.netapp.com/advisory/ntap-20191210-0001/</a>
<a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
<a href="https://ubuntu.com/security/notices/USN-4504-1">https://ubuntu.com/security/notices/USN-4504-1</a>
<a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
<a href="https://usn.ubuntu.com/4504-1/">https://usn.ubuntu.com/4504-1/</a>
<a href="https://www.debian.org/security/2019/dsa-4594">https://www.debian.org/security/2019/dsa-4594</a>
<a href="https://www.debian.org/security/2021/dsa-4855">https://www.debian.org/security/2021/dsa-4855</a>
<a href="https://www.openssl.org/news/secadv/20191206.txt">https://www.openssl.org/news/secadv/20191206.txt</a>
<a href="https://www.oracle.com/security-alerts/cpuApr2021.html">https://www.oracle.com/security-alerts/cpuApr2021.html</a>
<a href="https://www.oracle.com/security-alerts/cpujan2021.html">https://www.oracle.com/security-alerts/cpujan2021.html</a>
<a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
<a href="https://www.tenable.com/security/tns-2019-09">https://www.tenable.com/security/tns-2019-09</a>
<a href="https://www.tenable.com/security/tns-2020-03">https://www.tenable.com/security/tns-2020-03</a>
<a href="https://www.tenable.com/security/tns-2020-11">https://www.tenable.com/security/tns-2020-11</a>
<a href="https://www.tenable.com/security/tns-2021-10">https://www.tenable.com/security/tns-2021-10</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libssl1.1</td>
<td>CVE-2019-1563</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f</a>
<a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
</td>
</tr>
<tr class="severity-LOW">
<td class="pkg-name">libssl1.1</td>
<td>CVE-2019-1547</td>
<td class="severity">LOW</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://arxiv.org/abs/1909.01785">https://arxiv.org/abs/1909.01785</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a</a>
<a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
</td>
</tr>
<tr><th colspan="6">No Misconfigurations found</th></tr>
</table>
</body>
</html>

284
integration/testdata/alpine-310.json.golden vendored
View File

@@ -63,6 +63,11 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
@@ -72,7 +77,9 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -80,15 +87,29 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
"https://linux.oracle.com/errata/ELSA-2020-1840.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
"https://seclists.org/bugtraq/2019/Oct/1",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
"https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://usn.ubuntu.com/4376-1/",
"https://www.debian.org/security/2019/dsa-4539",
"https://www.openssl.org/news/secadv/20190910.txt",
"https://www.oracle.com/security-alerts/cpuapr2020.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
"LastModifiedDate": "2020-10-20T22:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
@@ -100,8 +121,13 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
@@ -109,107 +135,49 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://linux.oracle.com/cve/CVE-2019-1551.html",
"https://linux.oracle.com/errata/ELSA-2020-4514.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.gentoo.org/glsa/202004-10",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://ubuntu.com/security/notices/USN-4504-1",
"https://usn.ubuntu.com/4376-1/",
"https://usn.ubuntu.com/4504-1/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.debian.org/security/2021/dsa-4855",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.tenable.com/security/tns-2019-09",
"https://www.tenable.com/security/tns-2020-03",
"https://www.tenable.com/security/tns-2020-11",
"https://www.tenable.com/security/tns-2021-10"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
"LastModifiedDate": "2021-07-21T11:39:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
@@ -221,6 +189,11 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
@@ -230,7 +203,9 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -238,15 +213,29 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
"https://linux.oracle.com/errata/ELSA-2020-1840.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
"https://seclists.org/bugtraq/2019/Oct/1",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
"https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://usn.ubuntu.com/4376-1/",
"https://www.debian.org/security/2019/dsa-4539",
"https://www.openssl.org/news/secadv/20190910.txt",
"https://www.oracle.com/security-alerts/cpuapr2020.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
"LastModifiedDate": "2020-10-20T22:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
@@ -258,8 +247,13 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
@@ -267,107 +261,49 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://linux.oracle.com/cve/CVE-2019-1551.html",
"https://linux.oracle.com/errata/ELSA-2020-4514.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.gentoo.org/glsa/202004-10",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://ubuntu.com/security/notices/USN-4504-1",
"https://usn.ubuntu.com/4376-1/",
"https://usn.ubuntu.com/4504-1/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.debian.org/security/2021/dsa-4855",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.tenable.com/security/tns-2019-09",
"https://www.tenable.com/security/tns-2020-03",
"https://www.tenable.com/security/tns-2020-11",
"https://www.tenable.com/security/tns-2021-10"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
"LastModifiedDate": "2021-07-21T11:39:00Z"
}
]
}

314
integration/testdata/alpine-310.sarif.golden vendored
View File

@@ -1,99 +1,70 @@
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
"runs": [
{
"tool": {
"driver": {
"name": "Trivy",
"informationUri": "https://github.com/aquasecurity/trivy",
"fullName": "Trivy Vulnerability Scanner",
"version": "0.15.0",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "CVE-2019-1549",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-1549"
},
"fullDescription": {
"text": "openssl: information disclosure in fork()."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "CVE-2019-1551",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-1551"
},
"fullDescription": {
"text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "CVE-2019-1563",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-1563"
},
"fullDescription": {
"text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "CVE-2019-1547",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-1547"
},
"fullDescription": {
"text": "openssl: side-channel weak encryption vulnerability."
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
"properties": {
"tags": [
"vulnerability",
"LOW"
],
"precision": "very-high"
}
}]
{
"id": "CVE-2019-1549",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-1549"
},
"fullDescription": {
"text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
"help": {
"text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
},
"properties": {
"precision": "very-high",
"security-severity": "5.3",
"tags": [
"vulnerability",
"security",
"MEDIUM"
]
}
},
{
"id": "CVE-2019-1551",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-1551"
},
"fullDescription": {
"text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
"help": {
"text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
},
"properties": {
"precision": "very-high",
"security-severity": "5.3",
"tags": [
"vulnerability",
"security",
"MEDIUM"
]
}
}
],
"version": "dev"
}
},
"results": [
@@ -102,153 +73,86 @@
"ruleIndex": 0,
"level": "warning",
"message": {
"text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
"text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region" : {
"startLine": 1
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
}]
]
},
{
"ruleId": "CVE-2019-1551",
"ruleIndex": 1,
"level": "warning",
"message": {
"text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
"text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region" : {
"startLine": 1
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
}]
},
{
"ruleId": "CVE-2019-1563",
"ruleIndex": 2,
"level": "warning",
"message": {
"text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region" : {
"startLine": 1
}
}
}]
},
{
"ruleId": "CVE-2019-1547",
"ruleIndex": 3,
"level": "note",
"message": {
"text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region" : {
"startLine": 1
}
}
}]
]
},
{
"ruleId": "CVE-2019-1549",
"ruleIndex": 0,
"level": "warning",
"message": {
"text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
"text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region" : {
"startLine": 1
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
}]
]
},
{
"ruleId": "CVE-2019-1551",
"ruleIndex": 1,
"level": "warning",
"message": {
"text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
"text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region" : {
"startLine": 1
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
}]
},
{
"ruleId": "CVE-2019-1563",
"ruleIndex": 2,
"level": "warning",
"message": {
"text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region" : {
"startLine": 1
}
}
}]
},
{
"ruleId": "CVE-2019-1547",
"ruleIndex": 3,
"level": "note",
"message": {
"text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "testdata/fixtures/images/alpine-310.tar.gz",
"uriBaseId": "ROOTPATH"
},
"region" : {
"startLine": 1
}
}
}]
}],
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {

131
integration/testdata/alpine-39-high-critical.json.golden vendored Normal file
View File

@@ -0,0 +1,131 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.9.4",
"EOSL": true
},
"ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
"DiffIDs": [
"sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
],
"ImageConfig": {
"architecture": "amd64",
"container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
"created": "2019-05-11T00:07:03.510395965Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-05-11T00:07:03.358250803Z",
"created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
},
{
"created": "2019-05-11T00:07:03.510395965Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
]
},
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
"ArgsEscaped": true
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://security.gentoo.org/glsa/202003-13",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2020-03-14T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl-utils",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://security.gentoo.org/glsa/202003-13",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2020-03-14T19:15:00Z"
}
]
}
]
}

195
integration/testdata/alpine-39-ignore-cveids.json.golden vendored Normal file
View File

@@ -0,0 +1,195 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.9.4",
"EOSL": true
},
"ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
"DiffIDs": [
"sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
],
"ImageConfig": {
"architecture": "amd64",
"container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
"created": "2019-05-11T00:07:03.510395965Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-05-11T00:07:03.358250803Z",
"created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
},
{
"created": "2019-05-11T00:07:03.510395965Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
]
},
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
"ArgsEscaped": true
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://linux.oracle.com/cve/CVE-2019-1551.html",
"https://linux.oracle.com/errata/ELSA-2020-4514.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.gentoo.org/glsa/202004-10",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://ubuntu.com/security/notices/USN-4504-1",
"https://usn.ubuntu.com/4376-1/",
"https://usn.ubuntu.com/4504-1/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.debian.org/security/2021/dsa-4855",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.tenable.com/security/tns-2019-09",
"https://www.tenable.com/security/tns-2020-03",
"https://www.tenable.com/security/tns-2020-11",
"https://www.tenable.com/security/tns-2021-10"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2021-07-21T11:39:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://linux.oracle.com/cve/CVE-2019-1551.html",
"https://linux.oracle.com/errata/ELSA-2020-4514.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.gentoo.org/glsa/202004-10",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://ubuntu.com/security/notices/USN-4504-1",
"https://usn.ubuntu.com/4376-1/",
"https://usn.ubuntu.com/4504-1/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.debian.org/security/2021/dsa-4855",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.tenable.com/security/tns-2019-09",
"https://www.tenable.com/security/tns-2020-03",
"https://www.tenable.com/security/tns-2020-11",
"https://www.tenable.com/security/tns-2021-10"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2021-07-21T11:39:00Z"
}
]
}
]
}

300
integration/testdata/alpine-39.json.golden vendored
View File

@@ -63,6 +63,11 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
@@ -72,7 +77,9 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -80,15 +87,29 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
"https://linux.oracle.com/errata/ELSA-2020-1840.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
"https://seclists.org/bugtraq/2019/Oct/1",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
"https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://usn.ubuntu.com/4376-1/",
"https://www.debian.org/security/2019/dsa-4539",
"https://www.openssl.org/news/secadv/20190910.txt",
"https://www.oracle.com/security-alerts/cpuapr2020.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
"LastModifiedDate": "2020-10-20T22:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
@@ -100,8 +121,13 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
@@ -109,107 +135,49 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://linux.oracle.com/cve/CVE-2019-1551.html",
"https://linux.oracle.com/errata/ELSA-2020-4514.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.gentoo.org/glsa/202004-10",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://ubuntu.com/security/notices/USN-4504-1",
"https://usn.ubuntu.com/4376-1/",
"https://usn.ubuntu.com/4504-1/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.debian.org/security/2021/dsa-4855",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.tenable.com/security/tns-2019-09",
"https://www.tenable.com/security/tns-2020-03",
"https://www.tenable.com/security/tns-2020-11",
"https://www.tenable.com/security/tns-2021-10"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
"LastModifiedDate": "2021-07-21T11:39:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
@@ -221,6 +189,11 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
@@ -230,7 +203,9 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -238,15 +213,29 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
"https://linux.oracle.com/errata/ELSA-2020-1840.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
"https://seclists.org/bugtraq/2019/Oct/1",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
"https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://usn.ubuntu.com/4376-1/",
"https://www.debian.org/security/2019/dsa-4539",
"https://www.openssl.org/news/secadv/20190910.txt",
"https://www.oracle.com/security-alerts/cpuapr2020.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
"LastModifiedDate": "2020-10-20T22:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
@@ -258,8 +247,13 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
@@ -267,107 +261,49 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://linux.oracle.com/cve/CVE-2019-1551.html",
"https://linux.oracle.com/errata/ELSA-2020-4514.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.gentoo.org/glsa/202004-10",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://ubuntu.com/security/notices/USN-4376-1",
"https://ubuntu.com/security/notices/USN-4504-1",
"https://usn.ubuntu.com/4376-1/",
"https://usn.ubuntu.com/4504-1/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.debian.org/security/2021/dsa-4855",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.tenable.com/security/tns-2019-09",
"https://www.tenable.com/security/tns-2020-03",
"https://www.tenable.com/security/tns-2020-11",
"https://www.tenable.com/security/tns-2021-10"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
"LastModifiedDate": "2021-07-21T11:39:00Z"
},
{
"VulnerabilityID": "CVE-2019-14697",
@@ -379,6 +315,11 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
@@ -394,10 +335,11 @@
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://security.gentoo.org/glsa/202003-13",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2019-08-14T17:28:00Z"
"LastModifiedDate": "2020-03-14T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-14697",
@@ -409,6 +351,11 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
@@ -424,10 +371,11 @@
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://security.gentoo.org/glsa/202003-13",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2019-08-14T17:28:00Z"
"LastModifiedDate": "2020-03-14T19:15:00Z"
}
]
}

647
integration/testdata/amazon-1.json.golden vendored
View File

@@ -62,6 +62,11 @@
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"DataSource": {
"ID": "amazon",
"Name": "Amazon Linux Security Center",
"URL": "https://alas.aws.amazon.com/"
},
"Title": "curl: double free due to subsequent call of realloc()",
"Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"Severity": "MEDIUM",
@@ -71,7 +76,9 @@
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
@@ -81,637 +88,25 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://access.redhat.com/security/cve/CVE-2019-5481",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://linux.oracle.com/cve/CVE-2019-5481.html",
"https://linux.oracle.com/errata/ELSA-2020-1792.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CI4QQ2RSZX4VCFM76SIWGKY6BY7UWIC/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1"
"https://seclists.org/bugtraq/2020/Feb/36",
"https://security.gentoo.org/glsa/202003-29",
"https://security.netapp.com/advisory/ntap-20191004-0003/",
"https://ubuntu.com/security/notices/USN-4129-1",
"https://www.debian.org/security/2020/dsa-4633",
"https://www.oracle.com/security-alerts/cpuapr2020.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5482",
"PkgName": "curl",
"InstalledVersion": "7.61.1-11.91.amzn1",
"FixedVersion": "7.61.1-12.93.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-120"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 6.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5482.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1",
"https://usn.ubuntu.com/usn/usn-4129-2"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-18218",
"PkgName": "file-libs",
"InstalledVersion": "5.34-3.37.amzn1",
"FixedVersion": "5.37-8.48.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18218",
"Title": "file: heap-based buffer overflow in cdf_read_property_info in cdf.c",
"Description": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.8
}
},
"References": [
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218",
"https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84",
"https://lists.debian.org/debian-lts-announce/2019/10/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV6PFCEYHYALMTT45QE2U5C5TEJZQPXJ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VBK6XOJR6OVWT2FUEBO7V7KCOSSLAP52/",
"https://usn.ubuntu.com/4172-1/",
"https://usn.ubuntu.com/4172-2/",
"https://usn.ubuntu.com/usn/usn-4172-1",
"https://usn.ubuntu.com/usn/usn-4172-2",
"https://www.debian.org/security/2019/dsa-4550"
],
"PublishedDate": "2019-10-21T05:15:00Z",
"LastModifiedDate": "2019-10-26T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2016-10739",
"PkgName": "glibc",
"InstalledVersion": "2.17-260.175.amzn1",
"FixedVersion": "2.17-292.178.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10739",
"Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
"Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V2Score": 4.6,
"V3Score": 5.3
},
"redhat": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2016-10739.html",
"http://linux.oracle.com/errata/ELSA-2019-3513.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
"http://www.securityfocus.com/bid/106672",
"https://access.redhat.com/errata/RHSA-2019:2118",
"https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
"https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
],
"PublishedDate": "2019-01-21T19:29:00Z",
"LastModifiedDate": "2019-08-06T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2016-10739",
"PkgName": "glibc-common",
"InstalledVersion": "2.17-260.175.amzn1",
"FixedVersion": "2.17-292.178.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10739",
"Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
"Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V2Score": 4.6,
"V3Score": 5.3
},
"redhat": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2016-10739.html",
"http://linux.oracle.com/errata/ELSA-2019-3513.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
"http://www.securityfocus.com/bid/106672",
"https://access.redhat.com/errata/RHSA-2019:2118",
"https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
"https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
],
"PublishedDate": "2019-01-21T19:29:00Z",
"LastModifiedDate": "2019-08-06T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5481",
"PkgName": "libcurl",
"InstalledVersion": "7.61.1-11.91.amzn1",
"FixedVersion": "7.61.1-12.93.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"Title": "curl: double free due to subsequent call of realloc()",
"Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-415"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"V3Score": 5.7
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5482",
"PkgName": "libcurl",
"InstalledVersion": "7.61.1-11.91.amzn1",
"FixedVersion": "7.61.1-12.93.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-120"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 6.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5482.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1",
"https://usn.ubuntu.com/usn/usn-4129-2"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-12290",
"PkgName": "libidn2",
"InstalledVersion": "0.16-1.2.amzn1",
"FixedVersion": "2.3.0-1.4.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-12290",
"Description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"V2Score": 5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290",
"https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5",
"https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de",
"https://gitlab.com/libidn/libidn2/merge_requests/71",
"https://usn.ubuntu.com/4168-1/",
"https://usn.ubuntu.com/usn/usn-4168-1"
],
"PublishedDate": "2019-10-22T16:15:00Z",
"LastModifiedDate": "2019-10-29T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-18224",
"PkgName": "libidn2",
"InstalledVersion": "0.16-1.2.amzn1",
"FixedVersion": "2.3.0-1.4.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
"Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
"Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
},
"References": [
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
"https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
"https://usn.ubuntu.com/4168-1/",
"https://usn.ubuntu.com/usn/usn-4168-1"
],
"PublishedDate": "2019-10-21T17:15:00Z",
"LastModifiedDate": "2019-10-29T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-9511",
"PkgName": "libnghttp2",
"InstalledVersion": "1.21.1-1.4.amzn1",
"FixedVersion": "1.31.1-2.5.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9511",
"Title": "HTTP/2: large amount of data requests leads to denial of service",
"Description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
"Severity": "HIGH",
"CweIDs": [
"CWE-400"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 7.8,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 6.5
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-9511.html",
"http://linux.oracle.com/errata/ELSA-2019-2925.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511",
"https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
"https://kb.cert.org/vuls/id/605641/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/",
"https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
"https://seclists.org/bugtraq/2019/Aug/40",
"https://security.netapp.com/advisory/ntap-20190823-0002/",
"https://security.netapp.com/advisory/ntap-20190823-0005/",
"https://support.f5.com/csp/article/K02591030",
"https://usn.ubuntu.com/4099-1/",
"https://usn.ubuntu.com/usn/usn-4099-1",
"https://www.debian.org/security/2019/dsa-4505",
"https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
"https://www.synology.com/security/advisory/Synology_SA_19_33"
],
"PublishedDate": "2019-08-13T21:15:00Z",
"LastModifiedDate": "2019-08-23T21:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-9513",
"PkgName": "libnghttp2",
"InstalledVersion": "1.21.1-1.4.amzn1",
"FixedVersion": "1.31.1-2.5.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9513",
"Title": "HTTP/2: flood using PRIORITY frames results in excessive resource consumption",
"Description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.",
"Severity": "HIGH",
"CweIDs": [
"CWE-400"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 7.8,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-9513.html",
"http://linux.oracle.com/errata/ELSA-2019-2925.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513",
"https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
"https://kb.cert.org/vuls/id/605641/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
"https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/",
"https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
"https://seclists.org/bugtraq/2019/Aug/40",
"https://security.netapp.com/advisory/ntap-20190823-0002/",
"https://security.netapp.com/advisory/ntap-20190823-0005/",
"https://support.f5.com/csp/article/K02591030",
"https://usn.ubuntu.com/4099-1/",
"https://usn.ubuntu.com/usn/usn-4099-1",
"https://www.debian.org/security/2019/dsa-4505",
"https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
"https://www.synology.com/security/advisory/Synology_SA_19_33"
],
"PublishedDate": "2019-08-13T21:15:00Z",
"LastModifiedDate": "2019-08-23T21:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "openssl",
"InstalledVersion": "1:1.0.2k-16.150.amzn1",
"FixedVersion": "1:1.0.2k-16.151.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-16056",
"PkgName": "python27",
"InstalledVersion": "2.7.16-1.129.amzn1",
"FixedVersion": "2.7.16-1.130.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16056",
"Title": "python: email.utils.parseaddr wrongly parses email addresses",
"Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 7.3
}
},
"References": [
"https://bugs.python.org/issue34155",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056",
"https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/",
"https://usn.ubuntu.com/usn/usn-4151-1",
"https://usn.ubuntu.com/usn/usn-4151-2"
],
"PublishedDate": "2019-09-06T18:15:00Z",
"LastModifiedDate": "2019-09-11T05:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-16935",
"PkgName": "python27",
"InstalledVersion": "2.7.16-1.129.amzn1",
"FixedVersion": "2.7.16-1.131.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16935",
"Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field",
"Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V3Score": 6.1
}
},
"References": [
"https://bugs.python.org/issue38243",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935",
"https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897",
"https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213",
"https://github.com/python/cpython/pull/16373",
"https://security.netapp.com/advisory/ntap-20191017-0004/",
"https://usn.ubuntu.com/4151-1/",
"https://usn.ubuntu.com/4151-2/",
"https://usn.ubuntu.com/usn/usn-4151-1",
"https://usn.ubuntu.com/usn/usn-4151-2"
],
"PublishedDate": "2019-09-28T02:15:00Z",
"LastModifiedDate": "2019-10-09T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-16056",
"PkgName": "python27-libs",
"InstalledVersion": "2.7.16-1.129.amzn1",
"FixedVersion": "2.7.16-1.130.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16056",
"Title": "python: email.utils.parseaddr wrongly parses email addresses",
"Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 7.3
}
},
"References": [
"https://bugs.python.org/issue34155",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056",
"https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/",
"https://usn.ubuntu.com/usn/usn-4151-1",
"https://usn.ubuntu.com/usn/usn-4151-2"
],
"PublishedDate": "2019-09-06T18:15:00Z",
"LastModifiedDate": "2019-09-11T05:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-16935",
"PkgName": "python27-libs",
"InstalledVersion": "2.7.16-1.129.amzn1",
"FixedVersion": "2.7.16-1.131.amzn1",
"Layer": {
"DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
},
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16935",
"Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field",
"Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V3Score": 6.1
}
},
"References": [
"https://bugs.python.org/issue38243",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935",
"https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897",
"https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213",
"https://github.com/python/cpython/pull/16373",
"https://security.netapp.com/advisory/ntap-20191017-0004/",
"https://usn.ubuntu.com/4151-1/",
"https://usn.ubuntu.com/4151-2/",
"https://usn.ubuntu.com/usn/usn-4151-1",
"https://usn.ubuntu.com/usn/usn-4151-2"
],
"PublishedDate": "2019-09-28T02:15:00Z",
"LastModifiedDate": "2019-10-09T16:15:00Z"
"LastModifiedDate": "2020-10-20T22:15:00Z"
}
]
}

3476
integration/testdata/amazon-2.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

164
integration/testdata/busybox-with-lockfile.json.golden vendored
View File

@@ -54,131 +54,77 @@
"Type": "cargo",
"Vulnerabilities": [
{
"VulnerabilityID": "RUSTSEC-2019-0001",
"VulnerabilityID": "CVE-2019-15542",
"PkgName": "ammonia",
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 2.1.0",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0001",
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15542",
"DataSource": {
"Name": "RustSec Advisory Database",
"URL": "https://github.com/RustSec/advisory-db"
},
"Title": "Uncontrolled recursion leads to abort in HTML serialization",
"Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
"Severity": "UNKNOWN",
"Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
"Severity": "HIGH",
"CweIDs": [
"CWE-674"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 5,
"V3Score": 7.5
}
},
"References": [
"https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
]
"https://crates.io/crates/ammonia",
"https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210",
"https://rustsec.org/advisories/RUSTSEC-2019-0001.html"
],
"PublishedDate": "2019-08-26T18:15:00Z",
"LastModifiedDate": "2020-08-24T17:37:00Z"
},
{
"VulnerabilityID": "RUSTSEC-2016-0001",
"PkgName": "openssl",
"InstalledVersion": "0.8.3",
"FixedVersion": "\u003e= 0.9.0",
"VulnerabilityID": "CVE-2021-38193",
"PkgName": "ammonia",
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2016-0001",
"Title": "SSL/TLS MitM vulnerability due to insecure defaults",
"Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).",
"Severity": "UNKNOWN",
"References": [
"https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0035",
"PkgName": "rand_core",
"InstalledVersion": "0.3.1",
"FixedVersion": "\u003e= 0.4.2",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-38193",
"DataSource": {
"Name": "RustSec Advisory Database",
"URL": "https://github.com/RustSec/advisory-db"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
"Title": "Unaligned memory access",
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0035",
"PkgName": "rand_core",
"InstalledVersion": "0.4.0",
"FixedVersion": "\u003e= 0.4.2",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
"Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS",
"Description": "An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 4.3,
"V3Score": 6.1
}
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
"Title": "Unaligned memory access",
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0018",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.13",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0018",
"Title": "smallvec creates uninitialized value of any type",
"Description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/126"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0009",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.10",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0009",
"Title": "Double-free and use-after-free in SmallVec::grow()",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/148"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0012",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.10",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0012",
"Title": "Memory corruption in SmallVec::grow()",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/149"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0017",
"PkgName": "tempdir",
"InstalledVersion": "0.3.7",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0017",
"Title": "`tempdir` crate has been deprecated; use `tempfile` instead",
"Description": "The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated\nand the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-lang-deprecated/tempdir/pull/46"
]
"https://crates.io/crates/ammonia",
"https://github.com/rust-ammonia/ammonia/pull/142",
"https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/ammonia/RUSTSEC-2021-0074.md",
"https://rustsec.org/advisories/RUSTSEC-2021-0074.html"
],
"PublishedDate": "2021-08-08T06:15:00Z",
"LastModifiedDate": "2021-08-16T16:37:00Z"
}
]
}

27215
integration/testdata/centos-6.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

4610
integration/testdata/centos-7-ignore-unfixed.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

2588
integration/testdata/centos-7-low-high.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

149
integration/testdata/centos-7-medium.json.golden vendored Normal file
View File

@@ -0,0 +1,149 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/centos-7.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "centos",
"Name": "7.6.1810"
},
"ImageID": "sha256:9f38484d220fa527b1fb19747638497179500a1bed8bf0498eb788229229e6e1",
"DiffIDs": [
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
],
"ImageConfig": {
"architecture": "amd64",
"container": "958baf5225f586da9c70a21e911a0a875402dd22d83133d78b3b3aa6130e7892",
"created": "2019-03-14T21:19:53.361167852Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-03-14T21:19:52.66982152Z",
"created_by": "/bin/sh -c #(nop) ADD file:074f2c974463ab38cf3532134e8ba2c91c9e346457713f2e8b8e2ac0ee9fd83d in / "
},
{
"created": "2019-03-14T21:19:53.099141434Z",
"created_by": "/bin/sh -c #(nop) LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20190305",
"empty_layer": true
},
{
"created": "2019-03-14T21:19:53.361167852Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
]
},
"config": {
"Cmd": [
"/bin/bash"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:294e8d8145287e70f07328cc09d840fad8980b801223321b983442f097aff0d8",
"Labels": {
"org.label-schema.build-date": "20190305",
"org.label-schema.license": "GPLv2",
"org.label-schema.name": "CentOS Base Image",
"org.label-schema.schema-version": "1.0",
"org.label-schema.vendor": "CentOS"
},
"ArgsEscaped": true
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1559",
"VendorIDs": [
"RHSA-2019:2304"
],
"PkgName": "openssl-libs",
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
"Layer": {
"DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
},
"SeveritySource": "redhat",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1559",
"Title": "openssl: 0-byte record padding oracle",
"Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-203"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V2Score": 4.3,
"V3Score": 5.9
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.9
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html",
"http://www.securityfocus.com/bid/107174",
"https://access.redhat.com/errata/RHSA-2019:2304",
"https://access.redhat.com/errata/RHSA-2019:2437",
"https://access.redhat.com/errata/RHSA-2019:2439",
"https://access.redhat.com/errata/RHSA-2019:2471",
"https://access.redhat.com/errata/RHSA-2019:3929",
"https://access.redhat.com/errata/RHSA-2019:3931",
"https://access.redhat.com/security/cve/CVE-2019-1559",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
"https://github.com/RUB-NDS/TLS-Padding-Oracles",
"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282",
"https://linux.oracle.com/cve/CVE-2019-1559.html",
"https://linux.oracle.com/errata/ELSA-2019-2471.html",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
"https://security.gentoo.org/glsa/201903-10",
"https://security.netapp.com/advisory/ntap-20190301-0001/",
"https://security.netapp.com/advisory/ntap-20190301-0002/",
"https://security.netapp.com/advisory/ntap-20190423-0002/",
"https://support.f5.com/csp/article/K18549143",
"https://support.f5.com/csp/article/K18549143?utm_source=f5support\u0026amp;utm_medium=RSS",
"https://ubuntu.com/security/notices/USN-3899-1",
"https://ubuntu.com/security/notices/USN-4376-2",
"https://usn.ubuntu.com/3899-1/",
"https://usn.ubuntu.com/4376-2/",
"https://www.debian.org/security/2019/dsa-4400",
"https://www.openssl.org/news/secadv/20190226.txt",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"https://www.tenable.com/security/tns-2019-02",
"https://www.tenable.com/security/tns-2019-03"
],
"PublishedDate": "2019-02-27T23:29:00Z",
"LastModifiedDate": "2021-01-20T15:15:00Z"
}
]
}
]
}

29257
integration/testdata/centos-7.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

702
integration/testdata/debian-buster-ignore-unfixed.json.golden vendored
View File

@@ -52,239 +52,11 @@
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-5094",
"PkgName": "e2fsprogs",
"InstalledVersion": "1.44.5-1+deb10u1",
"FixedVersion": "1.44.5-1+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "e2fsprogs",
"InstalledVersion": "1.44.5-1+deb10u1",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
"PkgName": "libcom-err2",
"InstalledVersion": "1.44.5-1+deb10u1",
"FixedVersion": "1.44.5-1+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libcom-err2",
"InstalledVersion": "1.44.5-1+deb10u1",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
"PkgName": "libext2fs2",
"InstalledVersion": "1.44.5-1+deb10u1",
"FixedVersion": "1.44.5-1+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libext2fs2",
"InstalledVersion": "1.44.5-1+deb10u1",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-18224",
"VendorIDs": [
"DSA-4613-1"
],
"PkgName": "libidn2-0",
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
@@ -293,16 +65,23 @@
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
"Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
"Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"Severity": "HIGH",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
@@ -310,466 +89,23 @@
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
"https://access.redhat.com/security/cve/CVE-2019-18224",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
"https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
"https://seclists.org/bugtraq/2020/Feb/4",
"https://security.gentoo.org/glsa/202003-63",
"https://ubuntu.com/security/notices/USN-4168-1",
"https://usn.ubuntu.com/4168-1/",
"https://usn.ubuntu.com/usn/usn-4168-1"
"https://www.debian.org/security/2020/dsa-4613"
],
"PublishedDate": "2019-10-21T17:15:00Z",
"LastModifiedDate": "2019-10-29T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17594",
"PkgName": "libncursesw6",
"InstalledVersion": "6.1+20181013-2+deb10u1",
"FixedVersion": "6.1+20181013-2+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-26T15:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-17595",
"PkgName": "libncursesw6",
"InstalledVersion": "6.1+20181013-2+deb10u1",
"FixedVersion": "6.1+20181013-2+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"V3Score": 5.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-23T19:26:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
"PkgName": "libss2",
"InstalledVersion": "1.44.5-1+deb10u1",
"FixedVersion": "1.44.5-1+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libss2",
"InstalledVersion": "1.44.5-1+deb10u1",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-15718",
"PkgName": "libsystemd0",
"InstalledVersion": "241-7~deb10u1",
"FixedVersion": "241-7~deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15718",
"Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
"Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-284"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"V2Score": 2.1,
"V3Score": 5.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-15718.html",
"http://linux.oracle.com/errata/ELSA-2019-3592.html",
"http://www.openwall.com/lists/oss-security/2019/09/03/1",
"https://bugzilla.redhat.com/show_bug.cgi?id=1746057",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/",
"https://usn.ubuntu.com/usn/usn-4120-1"
],
"PublishedDate": "2019-09-04T12:15:00Z",
"LastModifiedDate": "2019-09-19T04:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17594",
"PkgName": "libtinfo6",
"InstalledVersion": "6.1+20181013-2+deb10u1",
"FixedVersion": "6.1+20181013-2+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-26T15:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-17595",
"PkgName": "libtinfo6",
"InstalledVersion": "6.1+20181013-2+deb10u1",
"FixedVersion": "6.1+20181013-2+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"V3Score": 5.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-23T19:26:00Z"
},
{
"VulnerabilityID": "CVE-2019-15718",
"PkgName": "libudev1",
"InstalledVersion": "241-7~deb10u1",
"FixedVersion": "241-7~deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15718",
"Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
"Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-284"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"V2Score": 2.1,
"V3Score": 5.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-15718.html",
"http://linux.oracle.com/errata/ELSA-2019-3592.html",
"http://www.openwall.com/lists/oss-security/2019/09/03/1",
"https://bugzilla.redhat.com/show_bug.cgi?id=1746057",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/",
"https://usn.ubuntu.com/usn/usn-4120-1"
],
"PublishedDate": "2019-09-04T12:15:00Z",
"LastModifiedDate": "2019-09-19T04:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17594",
"PkgName": "ncurses-base",
"InstalledVersion": "6.1+20181013-2+deb10u1",
"FixedVersion": "6.1+20181013-2+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-26T15:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-17595",
"PkgName": "ncurses-base",
"InstalledVersion": "6.1+20181013-2+deb10u1",
"FixedVersion": "6.1+20181013-2+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"V3Score": 5.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-23T19:26:00Z"
},
{
"VulnerabilityID": "CVE-2019-17594",
"PkgName": "ncurses-bin",
"InstalledVersion": "6.1+20181013-2+deb10u1",
"FixedVersion": "6.1+20181013-2+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-26T15:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-17595",
"PkgName": "ncurses-bin",
"InstalledVersion": "6.1+20181013-2+deb10u1",
"FixedVersion": "6.1+20181013-2+deb10u2",
"Layer": {
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"V3Score": 5.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-23T19:26:00Z"
}
]
}

3218
integration/testdata/debian-buster.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

5710
integration/testdata/debian-stretch.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

134
integration/testdata/distroless-base-ignore-unfixed.json.golden vendored
View File

@@ -1,134 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/distroless-base.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "debian",
"Name": "9.9"
},
"ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
"DiffIDs": [
"sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
"sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
],
"ImageConfig": {
"architecture": "amd64",
"author": "Bazel",
"created": "1970-01-01T00:00:00Z",
"history": [
{
"author": "Bazel",
"created": "1970-01-01T00:00:00Z",
"created_by": "bazel build ..."
},
{
"author": "Bazel",
"created": "1970-01-01T00:00:00Z",
"created_by": "bazel build ..."
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
"sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
]
},
"config": {
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
]
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
"Layer": {
"DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "openssl",
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
"Layer": {
"DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
}
]
}
]
}

1136
integration/testdata/distroless-base.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

Some files were not shown because too many files have changed in this diff Show More