feat(mariner): add support for CBL-Mariner (#1640)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
This commit is contained in:
Masahiro331
2022-01-30 05:53:07 +09:00
committed by GitHub
parent 9e903a1d88
commit 84dd33f7e9
44 changed files with 581 additions and 51 deletions


@@ -165,7 +165,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
# Features
- Comprehensive vulnerability detection
- OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Misconfiguration detection (IaC scanning)
- A wide variety of built-in policies are provided **out of the box**


@@ -22,7 +22,7 @@ See [Integrations][integrations] for details.
## Features
- Comprehensive vulnerability detection
- [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Detect IaC misconfigurations
- A wide variety of [built-in policies][builtin] are provided **out of the box**:
@@ -77,4 +77,4 @@ Please see [LICENSE][license] for Trivy licensing information.
[podman]: ../advanced/container/podman.md
[oci]: https://github.com/opencontainers/image-spec
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE


@@ -14,6 +14,7 @@
| AlmaLinux | [AlmaLinux Product Errata][alma] |
| Rocky Linux | [Rocky Linux UpdateInfo][rocky] |
| Oracle Linux | [OVAL][oracle] |
| CBL-Mariner | [OVAL][mariner] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |
@@ -58,6 +59,7 @@
[oracle]: https://linux.oracle.com/security/oval/
[suse]: http://ftp.suse.com/pub/projects/security/cvrf/
[photon]: https://packages.vmware.com/photon/photon_cve_metadata/
[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
[python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip


@@ -11,6 +11,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
| AlmaLinux | 8 | Installed by yum/rpm | NO |
| Rocky Linux | 8 | Installed by yum/rpm | NO |
| Oracle Linux | 5, 6, 7, 8 | Installed by yum/rpm | NO |
| CBL-Mariner | 1.0, 2.0 | Installed by yum/rpm | YES |
| Amazon Linux | 1, 2 | Installed by yum/rpm | NO |
| openSUSE Leap | 42, 15 | Installed by zypper/rpm | NO |
| SUSE Enterprise Linux | 11, 12, 15 | Installed by zypper/rpm | NO |

4
go.mod

@@ -7,13 +7,13 @@ require (
github.com/Masterminds/sprig v2.22.0+incompatible
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/fanal v0.0.0-20220128133114-3519fe6e6c21
github.com/aquasecurity/fanal v0.0.0-20220129174924-b9e05fcccc57
github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
github.com/aquasecurity/trivy-db v0.0.0-20220128150422-5c53ef8a797d
github.com/aquasecurity/trivy-db v0.0.0-20220129175002-a5adda5ac069
github.com/caarlos0/env/v6 v6.0.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.0.3

8
go.sum

@@ -243,8 +243,8 @@ github.com/aquasecurity/cfsec v0.2.2 h1:hq6MZlg7XFZsrerCv297N4HRlnJM7K6LLd/l/xCz
github.com/aquasecurity/cfsec v0.2.2/go.mod h1:sUELRJqIPXTOZiHUx7TzyyFFzuk0W22IG6IWAoV8T6U=
github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA=
github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
github.com/aquasecurity/fanal v0.0.0-20220128133114-3519fe6e6c21 h1:7nx6j3boy7oawbPvkp2Vma9OvovZWIGvzJw80w1e71E=
github.com/aquasecurity/fanal v0.0.0-20220128133114-3519fe6e6c21/go.mod h1:aU+dKT2D+DLsTEmy/axt19XEIXayz0V9giXCwiypCgQ=
github.com/aquasecurity/fanal v0.0.0-20220129174924-b9e05fcccc57 h1:/xe+XRO1uQXebv6y1XIM9424XQXVnVZ1dr+V4clegHA=
github.com/aquasecurity/fanal v0.0.0-20220129174924-b9e05fcccc57/go.mod h1:aU+dKT2D+DLsTEmy/axt19XEIXayz0V9giXCwiypCgQ=
github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff h1:JCKEV3TgUNh9fn+8hXyIdsF9yErA0rUbCkgt2flRKt4=
github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff/go.mod h1:8fJ//Ob6/03lxbn4xa1F+G/giVtiVLxnZNpBp5xOxNk=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
@@ -260,8 +260,8 @@ github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbp
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
github.com/aquasecurity/tfsec v0.63.1 h1:KH63HTcUoab7d3PKtqFO6T8K5AY7bzLw7Kiu+EY9U64=
github.com/aquasecurity/tfsec v0.63.1/go.mod h1:g5ZWmsfqW1FsCaPb9ux8Pzjcyss/WUB2XuRd5slqvnc=
github.com/aquasecurity/trivy-db v0.0.0-20220128150422-5c53ef8a797d h1:vwK774PmorLkSsL/K4WUa9Y9Tn/5Ksmolv8UGHh0Wjc=
github.com/aquasecurity/trivy-db v0.0.0-20220128150422-5c53ef8a797d/go.mod h1:BOulYmf+l2bd+Bjo3tTsdnbWCsh5UsJn1MqdiZzmm/Q=
github.com/aquasecurity/trivy-db v0.0.0-20220129175002-a5adda5ac069 h1:TYG76ClrtBiunB43Hme+ahszJfm0E+og+JQsEEMrHbk=
github.com/aquasecurity/trivy-db v0.0.0-20220129175002-a5adda5ac069/go.mod h1:BOulYmf+l2bd+Bjo3tTsdnbWCsh5UsJn1MqdiZzmm/Q=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=


@@ -203,6 +203,13 @@ func TestClientServer(t *testing.T) {
},
golden: "testdata/photon-30.json.golden",
},
{
name: "CBL-Mariner 1.0",
args: csArgs{
Input: "testdata/fixtures/images/mariner-1.0.tar.gz",
},
golden: "testdata/mariner-1.0.json.golden",
},
{
name: "buxybox with Cargo.lock",
args: csArgs{
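Review bot: The new TestClientServer case only exercises a 1.0 image (`Input: "testdata/fixtures/images/mariner-1.0.tar.gz"`), while the support table added in this same commit lists CBL-Mariner 1.0 and 2.0 with unfixed vulnerabilities reported; nothing in the test suite checks that a 2.0 image is detected and matched, so a regression in 2.0 version handling would go unnoticed. Either add a 2.0 fixture and golden alongside this case, or add a comment on the entry explaining why 1.0 is considered representative, e.g. `// CBL-Mariner 2.0 shares the detection path; only 1.0 has a fixture so far`. The same gap applies to the CBL-Mariner entries added to the TestDockerEngine and TestTar tables. The enclosing test table and function continue outside the hunk.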


@@ -176,6 +176,12 @@ func TestDockerEngine(t *testing.T) {
input: "testdata/fixtures/images/photon-30.tar.gz",
golden: "testdata/photon-30.json.golden",
},
{
name: "CBL-Mariner 1.0",
imageTag: "cblmariner.azurecr.io/base/core:1.0",
input: "testdata/fixtures/images/mariner-1.0.tar.gz",
golden: "testdata/mariner-1.0.json.golden",
},
{
name: "busybox with Cargo.lock",
imageTag: "busy-cargo:latest",


@@ -216,13 +216,21 @@ func TestTar(t *testing.T) {
golden: "testdata/opensuse-leap-151.json.golden",
},
{
name: "photon 3.0 integration",
name: "photon 3.0",
testArgs: args{
Format: "json",
Input: "testdata/fixtures/images/photon-30.tar.gz",
},
golden: "testdata/photon-30.json.golden",
},
{
name: "CBL-Mariner 1.0",
testArgs: args{
Format: "json",
Input: "testdata/fixtures/images/mariner-1.0.tar.gz",
},
golden: "testdata/mariner-1.0.json.golden",
},
{
name: "buxybox with Cargo.lock integration",
testArgs: args{
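Review bot: The rename from `name: "photon 3.0 integration",` to `name: "photon 3.0",` is applied to one entry only, so the table now mixes bare names with "... integration" names — the very next entry, `buxybox with Cargo.lock integration`, keeps the suffix (and what looks like a pre-existing typo for "busybox"). If the intent is to align TestTar's case names with the other two test files, which use plain names like "CBL-Mariner 1.0", it would be cleaner to drop the suffix consistently across the table in this commit or leave the photon name untouched. The enclosing table and TestTar function continue outside the hunk.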


@@ -85,16 +85,21 @@
},
"References": [
"http://www.openwall.com/lists/oss-security/2021/08/26/2",
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json",
"https://access.redhat.com/security/cve/CVE-2021-3712",
"https://crates.io/crates/openssl-src",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
"https://linux.oracle.com/cve/CVE-2021-3712.html",
"https://linux.oracle.com/errata/ELSA-2021-9632.html",
"https://linux.oracle.com/errata/ELSA-2022-9023.html",
"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
"https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
"https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
"https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
"https://rustsec.org/advisories/RUSTSEC-2021-0098.html",
"https://security.netapp.com/advisory/ntap-20210827-0010/",
"https://ubuntu.com/security/notices/USN-5051-1",
"https://ubuntu.com/security/notices/USN-5051-2",
@@ -105,8 +110,7 @@
"https://www.openssl.org/news/secadv/20210824.txt",
"https://www.oracle.com/security-alerts/cpuoct2021.html",
"https://www.tenable.com/security/tns-2021-16",
"https://www.tenable.com/security/tns-2022-02",
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json"
"https://www.tenable.com/security/tns-2022-02"
],
"PublishedDate": "2021-08-24T15:15:00Z",
"LastModifiedDate": "2022-01-06T09:15:00Z"


@@ -93,6 +93,7 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -152,6 +153,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -217,6 +219,7 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -276,6 +279,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",


@@ -33,6 +33,8 @@
}
],
"links": [{
"url": "https://access.redhat.com/security/cve/CVE-2019-1549"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
@@ -108,6 +110,8 @@
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
},{
"url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://access.redhat.com/security/cve/CVE-2019-1551"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
},{
@@ -197,6 +201,8 @@
}
],
"links": [{
"url": "https://access.redhat.com/security/cve/CVE-2019-1549"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
@@ -272,6 +278,8 @@
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
},{
"url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://access.redhat.com/security/cve/CVE-2019-1551"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
},{


@@ -99,6 +99,7 @@
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
<a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
@@ -129,6 +130,7 @@
<td class="links" data-more-links="off">
<a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
<a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
@@ -165,6 +167,7 @@
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
<a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
@@ -195,6 +198,7 @@
<td class="links" data-more-links="off">
<a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
<a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>


@@ -86,6 +86,7 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -144,6 +145,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -208,6 +210,7 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -266,6 +269,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",


@@ -88,6 +88,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -154,6 +155,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",


@@ -86,6 +86,7 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -144,6 +145,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -208,6 +210,7 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-1549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -266,6 +269,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",


@@ -87,6 +87,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://access.redhat.com/security/cve/CVE-2019-5481",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://linux.oracle.com/cve/CVE-2019-5481.html",


@@ -87,6 +87,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://access.redhat.com/security/cve/CVE-2019-5481",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://linux.oracle.com/cve/CVE-2019-5481.html",
@@ -142,6 +143,7 @@
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html",
"http://www.openwall.com/lists/oss-security/2019/09/11/6",
"https://access.redhat.com/security/cve/CVE-2019-5436",
"https://curl.haxx.se/docs/CVE-2019-5436.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436",
"https://linux.oracle.com/cve/CVE-2019-5436.html",


@@ -61,17 +61,11 @@
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://osv.dev/vulnerability/RUSTSEC-2019-0001",
"DataSource": {
"Name": "RustSec Advisory Database",
"URL": "https://github.com/RustSec/advisory-db"
},
"Title": "Uncontrolled recursion leads to abort in HTML serialization",
"Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
]
"Severity": "UNKNOWN"
},
{
"VulnerabilityID": "RUSTSEC-2021-0074",
@@ -81,17 +75,11 @@
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://osv.dev/vulnerability/RUSTSEC-2021-0074",
"DataSource": {
"Name": "RustSec Advisory Database",
"URL": "https://github.com/RustSec/advisory-db"
},
"Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS",
"Description": "Affected versions of this crate did not account for namespace-related parsing\ndifferences between HTML, SVG, and MathML. Even if the `svg` and `math` elements\nare not allowed, the underlying HTML parser still treats them differently.\nRunning cleanup without accounting for these differing namespaces resulted in an \"impossible\"\nDOM, which appeared \"safe\" when examining the DOM tree, but when serialized and deserialized,\ncould be exploited to inject abitrary markup.\n\nTo exploit this, the application using this library must allow a tag that is parsed as raw text in HTML.\nThese [elements] are:\n\n* title\n* textarea\n* xmp\n* iframe\n* noembed\n* noframes\n* plaintext\n* noscript\n* style\n* script\n\nApplications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.\n\n[elements]: https://github.com/servo/html5ever/blob/57eb334c0ffccc6f88d563419f0fbeef6ff5741c/html5ever/src/tree_builder/rules.rs",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-ammonia/ammonia/pull/142"
]
"Severity": "UNKNOWN"
}
]
}
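Review bot: Both RUSTSEC entries in this golden lose their `PrimaryURL`, `DataSource` and `References` fields, with `"Severity": "UNKNOWN"` now closing each object; the commit message only concerns CBL-Mariner, so this appears to be a side effect of the trivy-db bump in go.mod rather than an intended change, though that cannot be confirmed from the diff alone. Advisory references and the data-source attribution are what a consumer uses to triage a finding, so accepting this golden bakes a loss of output into the expected result. It would be worth confirming whether the new database snapshot genuinely lacks this metadata for RustSec advisories or whether the regeneration was run against a stale database, and noting the outcome in the commit description.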


@@ -194,6 +194,7 @@
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
"https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"https://nvd.nist.gov/vuln/detail/CVE-2018-0734",
"https://security.netapp.com/advisory/ntap-20181105-0002/",
"https://security.netapp.com/advisory/ntap-20190118-0002/",
"https://security.netapp.com/advisory/ntap-20190423-0002/",


@@ -99,6 +99,7 @@
"https://linux.oracle.com/cve/CVE-2019-18276.html",
"https://linux.oracle.com/errata/ELSA-2021-1679.html",
"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
"https://security.gentoo.org/glsa/202105-34",
"https://security.netapp.com/advisory/ntap-20200430-0003/",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -236,6 +237,7 @@
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
"https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"https://nvd.nist.gov/vuln/detail/CVE-2018-0734",
"https://security.netapp.com/advisory/ntap-20181105-0002/",
"https://security.netapp.com/advisory/ntap-20190118-0002/",
"https://security.netapp.com/advisory/ntap-20190423-0002/",


@@ -90,6 +90,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
"https://access.redhat.com/security/cve/CVE-2019-18224",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",


@@ -91,6 +91,7 @@
"https://linux.oracle.com/cve/CVE-2019-18276.html",
"https://linux.oracle.com/errata/ELSA-2021-1679.html",
"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
"https://security.gentoo.org/glsa/202105-34",
"https://security.netapp.com/advisory/ntap-20200430-0003/",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -136,6 +137,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
"https://access.redhat.com/security/cve/CVE-2019-18224",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",


@@ -91,6 +91,7 @@
"https://linux.oracle.com/cve/CVE-2019-18276.html",
"https://linux.oracle.com/errata/ELSA-2021-1679.html",
"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
"https://security.gentoo.org/glsa/202105-34",
"https://security.netapp.com/advisory/ntap-20200430-0003/",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -134,12 +135,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -189,12 +192,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -244,12 +249,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -299,12 +306,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",


@@ -84,6 +84,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -157,6 +158,7 @@
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1563",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
@@ -226,6 +228,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -299,6 +302,7 @@
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1563",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",


@@ -101,6 +101,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -174,6 +175,7 @@
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1563",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
@@ -243,6 +245,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1551",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -316,6 +319,7 @@
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://access.redhat.com/security/cve/CVE-2019-1563",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",


@@ -0,0 +1,8 @@
- bucket: CBL-Mariner 1.0
pairs:
- bucket: vim
pairs:
- key: CVE-2022-0158
value:
FixedVersion: 0:8.2.4082-1.cm1
- key: CVE-2022-0261
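Review bot: The only fixed-version case in this fixture, `FixedVersion: 0:8.2.4082-1.cm1`, uses epoch 0 against an installed package that carries no epoch, so the test never exercises epoch precedence in the new detector's comparison. RPM ordering compares epoch before version, and a scanner that string-compares or silently strips the epoch would pass this fixture and still miss or misreport a finding where the epochs differ. I would add a second advisory entry with a non-zero epoch (for example `FixedVersion: 1:8.2.4081-1.cm1` for a package installed at `8.2.4081-1.cm1`) and pin the expected result in the golden. The `CVE-2022-0261` entry having no `value` presumably means "affected, no fix available"; a one-line comment such as `# no FixedVersion: affected with no fix yet` would make that intent explicit for the next person editing the fixture.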


@@ -24,6 +24,7 @@
- http://www.openwall.com/lists/oss-security/2016/11/17/9
- http://www.securityfocus.com/bid/94398
- https://access.redhat.com/errata/RHSA-2017:1931
- https://access.redhat.com/security/cve/CVE-2016-9401
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401
- https://linux.oracle.com/cve/CVE-2016-9401.html
- https://linux.oracle.com/errata/ELSA-2017-1931.html
@@ -75,6 +76,7 @@
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
- https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2018-0734
- https://security.netapp.com/advisory/ntap-20181105-0002/
- https://security.netapp.com/advisory/ntap-20190118-0002/
- https://security.netapp.com/advisory/ntap-20190423-0002/
@@ -95,6 +97,7 @@
VendorSeverity:
amazon: 2.0
arch-linux: 1.0
cbl-mariner: 2.0
nvd: 2.0
oracle-oval: 1.0
photon: 2.0
@@ -116,6 +119,7 @@
PublishedDate: 2019-07-26T00:15:00Z
References:
- https://access.redhat.com/errata/RHSA-2019:3024
- https://access.redhat.com/security/cve/CVE-2019-10744
- https://github.com/advisories/GHSA-jf85-cpcp-j695
- https://github.com/lodash/lodash/pull/4336
- https://nvd.nist.gov/vuln/detail/CVE-2019-10744
@@ -163,6 +167,7 @@
- https://access.redhat.com/errata/RHSA-2019:2587
- https://access.redhat.com/errata/RHSA-2019:3023
- https://access.redhat.com/errata/RHSA-2019:3024
- https://access.redhat.com/security/cve/CVE-2019-11358
- https://backdropcms.org/security/backdrop-sa-core-2019-009
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
@@ -278,6 +283,7 @@
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html
- https://access.redhat.com/security/cve/CVE-2019-14806
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806
- https://github.com/advisories/GHSA-gq9m-qvpx-68hc
- "https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168"
@@ -309,6 +315,7 @@
LastModifiedDate: 2020-10-20T22:15:00Z
PublishedDate: 2019-09-10T17:15:00Z
References:
- https://access.redhat.com/security/cve/CVE-2019-1549
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
- https://linux.oracle.com/cve/CVE-2019-1549.html
@@ -356,6 +363,7 @@
References:
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html
- http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html
- https://access.redhat.com/security/cve/CVE-2019-1551
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98
@@ -484,6 +492,7 @@
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
- http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
- https://access.redhat.com/security/cve/CVE-2019-1563
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97
@@ -543,6 +552,7 @@
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html
- https://access.redhat.com/security/cve/CVE-2019-18224
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224
- https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c
@@ -585,12 +595,14 @@
- https://linux.oracle.com/cve/CVE-2019-18276.html
- https://linux.oracle.com/errata/ELSA-2021-1679.html
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2019-18276
- https://security.gentoo.org/glsa/202105-34
- https://security.netapp.com/advisory/ntap-20200430-0003/
- https://www.youtube.com/watch?v=-wGtxJ8opa8
Severity: HIGH
Title: "bash: when effective UID is not equal to its real UID the saved UID is not dropped"
VendorSeverity:
cbl-mariner: 3.0
nvd: 3.0
oracle-oval: 1.0
photon: 3.0
@@ -615,6 +627,7 @@
References:
- http://www.securityfocus.com/bid/106950
- https://access.redhat.com/errata/RHSA-2019:3701
- https://access.redhat.com/security/cve/CVE-2019-3823
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823
- https://cert-portal.siemens.com/productcert/pdf/ssa-936080.pdf
- https://curl.haxx.se/docs/CVE-2019-3823.html
@@ -656,12 +669,14 @@
LastModifiedDate: 2021-01-11T19:21:00Z
PublishedDate: 2019-09-24T22:15:00Z
References:
- https://access.redhat.com/security/cve/CVE-2019-5094
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094
- https://linux.oracle.com/cve/CVE-2019-5094.html
- https://linux.oracle.com/errata/ELSA-2020-4011.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/
- https://nvd.nist.gov/vuln/detail/CVE-2019-5094
- https://seclists.org/bugtraq/2019/Sep/58
- https://security.gentoo.org/glsa/202003-05
- https://security.netapp.com/advisory/ntap-20200115-0002/
@@ -675,6 +690,7 @@
Title: "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write"
VendorSeverity:
amazon: 2.0
cbl-mariner: 2.0
nvd: 2.0
oracle-oval: 2.0
photon: 2.0
@@ -700,6 +716,7 @@
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html
- http://www.openwall.com/lists/oss-security/2019/09/11/6
- https://access.redhat.com/security/cve/CVE-2019-5436
- https://curl.haxx.se/docs/CVE-2019-5436.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436
- https://linux.oracle.com/cve/CVE-2019-5436.html
@@ -745,6 +762,7 @@
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html
- https://access.redhat.com/security/cve/CVE-2019-5481
- https://curl.haxx.se/docs/CVE-2019-5481.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481
- https://linux.oracle.com/cve/CVE-2019-5481.html
@@ -787,6 +805,7 @@
LastModifiedDate: 2020-12-01T16:05:00Z
PublishedDate: 2020-11-18T15:15:00Z
References:
- https://access.redhat.com/security/cve/CVE-2020-28724
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28724
- https://github.com/advisories/GHSA-3p3h-qghp-hvh2
- https://github.com/pallets/flask/issues/1639
@@ -828,6 +847,7 @@
Severity: HIGH
Title: "glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern"
VendorSeverity:
amazon: 2.0
arch-linux: 2.0
nvd: 3.0
oracle-oval: 2.0
@@ -852,6 +872,7 @@
References:
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
- https://access.redhat.com/security/cve/CVE-2020-8165
- https://github.com/advisories/GHSA-2p68-f74v-9wc6
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
- "https://groups.google.com/forum/#!msg/rubyonrails-security/bv6fW4S0Y1c/KnkEqM7AAQAJ"
@@ -887,16 +908,21 @@
PublishedDate: 2021-08-24T15:15:00Z
References:
- http://www.openwall.com/lists/oss-security/2021/08/26/2
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json
- https://access.redhat.com/security/cve/CVE-2021-3712
- https://crates.io/crates/openssl-src
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://linux.oracle.com/cve/CVE-2021-3712.html
- https://linux.oracle.com/errata/ELSA-2021-9632.html
- https://linux.oracle.com/errata/ELSA-2022-9023.html
- https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html
- https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-3712
- https://rustsec.org/advisories/RUSTSEC-2021-0098.html
- https://security.netapp.com/advisory/ntap-20210827-0010/
- https://ubuntu.com/security/notices/USN-5051-1
- https://ubuntu.com/security/notices/USN-5051-2
@@ -908,40 +934,64 @@
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2021-16
- https://www.tenable.com/security/tns-2022-02
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json
Severity: HIGH
Title: "openssl: Read buffer overruns processing ASN.1 strings"
VendorSeverity:
alma: 2.0
amazon: 2.0
arch-linux: 3.0
cbl-mariner: 3.0
nvd: 3.0
oracle-oval: 2.0
photon: 3.0
redhat: 2.0
rocky: 2.0
ubuntu: 2.0
- key: RUSTSEC-2019-0001
- key: CVE-2022-0158
value:
Description: |-
Affected versions of this crate did use recursion for serialization of HTML
DOM trees.
This allows an attacker to cause abort due to stack overflow by providing
a pathologically nested input.
The flaw was corrected by serializing the DOM tree iteratively instead.
CVSS:
nvd:
V2Score: 4.3
V2Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
V3Score: 3.3
V3Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
redhat:
V3Score: 3.3
V3Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CweIDs:
- CWE-122
Description: vim is vulnerable to Heap-based Buffer Overflow
LastModifiedDate: 2022-01-15T16:15:00Z
PublishedDate: 2022-01-10T16:15:00Z
References:
- "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
Severity: UNKNOWN
Title: Uncontrolled recursion leads to abort in HTML serialization
- key: RUSTSEC-2021-0074
- http://www.openwall.com/lists/oss-security/2022/01/15/1
- https://access.redhat.com/security/cve/CVE-2022-0158
- https://github.com/vim/vim/commit/5f25c3855071bd7e26255c68bf458b1b5cf92f39
- https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b
- https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HD5S2FC2HF22A7XQXK2XXIR46EARVWIM/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0158
Severity: LOW
Title: "vim: heap-based read buffer overflow in compile_get_env()"
VendorSeverity:
cbl-mariner: 1.0
nvd: 1.0
redhat: 1.0
- key: CVE-2022-0261
value:
Description: "Affected versions of this crate did not account for namespace-related parsing\ndifferences between HTML, SVG, and MathML. Even if the `svg` and `math` elements\nare not allowed, the underlying HTML parser still treats them differently.\nRunning cleanup without accounting for these differing namespaces resulted in an \"impossible\"\nDOM, which appeared \"safe\" when examining the DOM tree, but when serialized and deserialized,\ncould be exploited to inject abitrary markup.\n\nTo exploit this, the application using this library must allow a tag that is parsed as raw text in HTML.\nThese [elements] are:\n\n* title\n* textarea\n* xmp\n* iframe\n* noembed\n* noframes\n* plaintext\n* noscript\n* style\n* script\n\nApplications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.\n\n[elements]: https://github.com/servo/html5ever/blob/57eb334c0ffccc6f88d563419f0fbeef6ff5741c/html5ever/src/tree_builder/rules.rs"
CweIDs:
- CWE-122
Description: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
LastModifiedDate: 2022-01-18T16:15:00Z
PublishedDate: 2022-01-18T16:15:00Z
References:
- https://github.com/rust-ammonia/ammonia/pull/142
Severity: UNKNOWN
Title: Incorrect handling of embedded SVG and MathML leads to mutation XSS
- https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc
- https://huntr.dev/bounties/fa795954-8775-4f23-98c6-d4d4d3fe8a82
- https://nvd.nist.gov/vuln/detail/CVE-2022-0261
Severity: HIGH
Title: CVE-2022-0261 affecting package vim 8.2.4081
VendorSeverity:
cbl-mariner: 3.0
- key: openSUSE-SU-2020:0062-1
value:
Description: "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project."


@@ -143,6 +143,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
"https://access.redhat.com/security/cve/CVE-2019-18224",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
@@ -201,6 +202,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html",
"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html",
"https://access.redhat.com/security/cve/CVE-2020-8165",
"https://github.com/advisories/GHSA-2p68-f74v-9wc6",
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml",
"https://groups.google.com/forum/#!msg/rubyonrails-security/bv6fW4S0Y1c/KnkEqM7AAQAJ",


@@ -0,0 +1,105 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/images/mariner-1.0.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "cbl-mariner",
"Name": "1.0.20220122"
},
"ImageID": "sha256:8cdcbf18341ed8afa5322e7b0077f8ef3f46896882c921df5f97c51b369f6767",
"DiffIDs": [
"sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
],
"ImageConfig": {
"architecture": "amd64",
"created": "2022-01-27T01:19:38.526301656Z",
"docker_version": "20.10.12",
"history": [
{
"created": "2022-01-27T01:19:38.526301656Z",
"comment": "Imported from -"
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
]
},
"config": {}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)",
"Class": "os-pkgs",
"Type": "cbl-mariner",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-0261",
"PkgName": "vim",
"InstalledVersion": "8.2.4081-1.cm1",
"Layer": {
"DiffID": "sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0261",
"Title": "CVE-2022-0261 affecting package vim 8.2.4081",
"Description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"Severity": "HIGH",
"CweIDs": [
"CWE-122"
],
"References": [
"https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc",
"https://huntr.dev/bounties/fa795954-8775-4f23-98c6-d4d4d3fe8a82",
"https://nvd.nist.gov/vuln/detail/CVE-2022-0261"
],
"PublishedDate": "2022-01-18T16:15:00Z",
"LastModifiedDate": "2022-01-18T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2022-0158",
"PkgName": "vim",
"InstalledVersion": "8.2.4081-1.cm1",
"FixedVersion": "8.2.4082-1.cm1",
"Layer": {
"DiffID": "sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0158",
"Title": "vim: heap-based read buffer overflow in compile_get_env()",
"Description": "vim is vulnerable to Heap-based Buffer Overflow",
"Severity": "LOW",
"CweIDs": [
"CWE-122"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"V2Score": 4.3,
"V3Score": 3.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"V3Score": 3.3
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2022/01/15/1",
"https://access.redhat.com/security/cve/CVE-2022-0158",
"https://github.com/vim/vim/commit/5f25c3855071bd7e26255c68bf458b1b5cf92f39",
"https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b",
"https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HD5S2FC2HF22A7XQXK2XXIR46EARVWIM/",
"https://nvd.nist.gov/vuln/detail/CVE-2022-0158"
],
"PublishedDate": "2022-01-10T16:15:00Z",
"LastModifiedDate": "2022-01-15T16:15:00Z"
}
]
}
]
}
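Review bot: `SeveritySource` is set to `"nvd"` on the CVE-2022-0158 entry but is absent from the CVE-2022-0261 entry, even though the fixture's only vendor rating for that CVE is `cbl-mariner: 3.0` and the reported severity is HIGH. That pattern suggests the `cbl-mariner` vendor severity is not consulted when severity is filled in for this OS family and the HIGH is coming from the advisory's top-level `Severity` fallback; if so, a CVE where Mariner's rating and NVD's disagree would be reported under the wrong source and possibly at the wrong level. I would confirm that the severity-source precedence for the `cbl-mariner` family includes the new source and, either way, add a fixture case whose `cbl-mariner` and `nvd` ratings differ so this golden pins which one wins. Separately, `FixedVersion` is emitted here as `8.2.4082-1.cm1` while the advisory fixture carries `0:8.2.4082-1.cm1`, so the zero epoch is being dropped on output, presumably by RPM version normalization; that is harmless for epoch 0 but worth checking with a non-zero epoch so the remediation string users see matches the package they must install.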


@@ -66,6 +66,7 @@
"https://access.redhat.com/errata/RHSA-2019:2587",
"https://access.redhat.com/errata/RHSA-2019:3023",
"https://access.redhat.com/errata/RHSA-2019:3024",
"https://access.redhat.com/security/cve/CVE-2019-11358",
"https://backdropcms.org/security/backdrop-sa-core-2019-009",
"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
@@ -162,6 +163,7 @@
},
"References": [
"https://access.redhat.com/errata/RHSA-2019:3024",
"https://access.redhat.com/security/cve/CVE-2019-10744",
"https://github.com/advisories/GHSA-jf85-cpcp-j695",
"https://github.com/lodash/lodash/pull/4336",
"https://nvd.nist.gov/vuln/detail/CVE-2019-10744",


@@ -96,6 +96,7 @@
"References": [
"http://www.securityfocus.com/bid/106950",
"https://access.redhat.com/errata/RHSA-2019:3701",
"https://access.redhat.com/security/cve/CVE-2019-3823",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823",
"https://cert-portal.siemens.com/productcert/pdf/ssa-936080.pdf",
"https://curl.haxx.se/docs/CVE-2019-3823.html",
@@ -150,6 +151,7 @@
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html",
"http://www.openwall.com/lists/oss-security/2019/09/11/6",
"https://access.redhat.com/security/cve/CVE-2019-5436",
"https://curl.haxx.se/docs/CVE-2019-5436.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436",
"https://linux.oracle.com/cve/CVE-2019-5436.html",


@@ -102,6 +102,7 @@
"https://linux.oracle.com/cve/CVE-2019-18276.html",
"https://linux.oracle.com/errata/ELSA-2021-1679.html",
"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
"https://security.gentoo.org/glsa/202105-34",
"https://security.netapp.com/advisory/ntap-20200430-0003/",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -144,6 +145,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://access.redhat.com/security/cve/CVE-2019-5481",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://linux.oracle.com/cve/CVE-2019-5481.html",
@@ -198,6 +200,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://access.redhat.com/security/cve/CVE-2019-5481",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://linux.oracle.com/cve/CVE-2019-5481.html",


@@ -53,6 +53,7 @@
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html",
"https://access.redhat.com/security/cve/CVE-2019-14806",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806",
"https://github.com/advisories/GHSA-gq9m-qvpx-68hc",
"https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168",
@@ -95,6 +96,7 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-28724",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28724",
"https://github.com/advisories/GHSA-3p3h-qghp-hvh2",
"https://github.com/pallets/flask/issues/1639",


@@ -18,11 +18,11 @@
"docker_version": "20.10.7",
"history": [
{
"created": "2021-12-15T20:22:36Z",
"created": "2021-12-15T20:22:36.373826081Z",
"created_by": "/bin/sh -c #(nop) ADD file:790b4c6a174560d4701baf59e884e7d07f50f0e193e545d6d5ed1d7390979d1a in / "
},
{
"created": "2021-12-15T20:22:37Z",
"created": "2021-12-15T20:22:37.180885096Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]",
"empty_layer": true
}
@@ -85,16 +85,21 @@
},
"References": [
"http://www.openwall.com/lists/oss-security/2021/08/26/2",
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json",
"https://access.redhat.com/security/cve/CVE-2021-3712",
"https://crates.io/crates/openssl-src",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
"https://linux.oracle.com/cve/CVE-2021-3712.html",
"https://linux.oracle.com/errata/ELSA-2021-9632.html",
"https://linux.oracle.com/errata/ELSA-2022-9023.html",
"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
"https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
"https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
"https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
"https://rustsec.org/advisories/RUSTSEC-2021-0098.html",
"https://security.netapp.com/advisory/ntap-20210827-0010/",
"https://ubuntu.com/security/notices/USN-5051-1",
"https://ubuntu.com/security/notices/USN-5051-2",
@@ -105,8 +110,7 @@
"https://www.openssl.org/news/secadv/20210824.txt",
"https://www.oracle.com/security-alerts/cpuoct2021.html",
"https://www.tenable.com/security/tns-2021-16",
"https://www.tenable.com/security/tns-2022-02",
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json"
"https://www.tenable.com/security/tns-2022-02"
],
"PublishedDate": "2021-08-24T15:15:00Z",
"LastModifiedDate": "2022-01-06T09:15:00Z"


@@ -110,6 +110,7 @@
"https://linux.oracle.com/cve/CVE-2019-18276.html",
"https://linux.oracle.com/errata/ELSA-2021-1679.html",
"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
"https://security.gentoo.org/glsa/202105-34",
"https://security.netapp.com/advisory/ntap-20200430-0003/",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"


@@ -103,12 +103,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -155,12 +157,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -207,12 +211,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -259,12 +265,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",


@@ -109,6 +109,7 @@
"https://linux.oracle.com/cve/CVE-2019-18276.html",
"https://linux.oracle.com/errata/ELSA-2021-1679.html",
"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
"https://security.gentoo.org/glsa/202105-34",
"https://security.netapp.com/advisory/ntap-20200430-0003/",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -149,12 +150,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -201,12 +204,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -253,12 +258,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -305,12 +312,14 @@
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",


@@ -12,6 +12,7 @@ import (
"github.com/aquasecurity/trivy/pkg/detector/ospkg/alpine"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/debian"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/oracle"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/photon"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat"
@@ -36,6 +37,7 @@ var (
fos.Alpine: alpine.NewScanner(),
fos.Alma: alma.NewScanner(),
fos.Amazon: amazon.NewScanner(),
fos.CBLMariner: mariner.NewScanner(),
fos.Debian: debian.NewScanner(),
fos.Ubuntu: ubuntu.NewScanner(),
fos.RedHat: redhat.NewScanner(),


@@ -0,0 +1,82 @@
package mariner
import (
"strings"
version "github.com/knqyf263/go-rpm-version"
"golang.org/x/xerrors"
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
"github.com/aquasecurity/trivy/pkg/types"
)
// Scanner implements the CBL-Mariner scanner
type Scanner struct {
vs mariner.VulnSrc
}
// NewScanner is the factory method for Scanner
func NewScanner() *Scanner {
return &Scanner{
vs: mariner.NewVulnSrc(),
}
}
// Detect vulnerabilities in package using CBL-Mariner scanner
func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.Logger.Info("Detecting CBL-Mariner vulnerabilities...")
// e.g. 1.0.20210127
if strings.Count(osVer, ".") > 1 {
osVer = osVer[:strings.LastIndex(osVer, ".")]
}
log.Logger.Debugf("CBL-Mariner: os version: %s", osVer)
log.Logger.Debugf("CBL-Mariner: the number of packages: %d", len(pkgs))
var vulns []types.DetectedVulnerability
for _, pkg := range pkgs {
// CBL Mariner OVAL contains source package names only.
advisories, err := s.vs.Get(osVer, pkg.SrcName)
if err != nil {
return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
}
installed := utils.FormatSrcVersion(pkg)
installedVersion := version.NewVersion(installed)
for _, adv := range advisories {
vuln := types.DetectedVulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
Layer: pkg.Layer,
DataSource: adv.DataSource,
}
// Unpatched vulnerabilities
if adv.FixedVersion == "" {
vulns = append(vulns, vuln)
continue
}
// Patched vulnerabilities
fixedVersion := version.NewVersion(adv.FixedVersion)
if installedVersion.LessThan(fixedVersion) {
vuln.FixedVersion = fixedVersion.String()
vulns = append(vulns, vuln)
}
}
}
return vulns, nil
}
// IsSupportedVersion checks the OS version can be scanned using CBL-Mariner scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
// EOL is not in public at the moment.
return true
}
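Review bot: The version normalization at `if strings.Count(osVer, ".") > 1` strips only the last dot-separated component, so an osVer carrying more than one extra component (if such values ever occur) would still not reduce to the `major.minor` key the vulnerability source is bucketed by (the fixtures use `CBL-Mariner 1.0`). Taking the first two components explicitly is more robust and self-documenting: `if parts := strings.SplitN(osVer, ".", 3); len(parts) == 3 { osVer = parts[0] + "." + parts[1] }`. Separately, `IsSupportedVersion` ignores both parameters and always returns true, so images on any CBL-Mariner release, including ones past end-of-life, are scanned without any warning; the doc comment should say so, e.g. `// IsSupportedVersion always returns true: CBL-Mariner EOL dates are not published yet, so no version is rejected or warned about.`. Finally, when `pkg.SrcName` is empty the lookup `s.vs.Get(osVer, pkg.SrcName)` silently matches nothing; a debug log for that case would make the resulting false negative visible to operators.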


@@ -0,0 +1,145 @@
package mariner_test
import (
"testing"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner"
"github.com/aquasecurity/trivy/pkg/types"
)
func TestScanner_Detect(t *testing.T) {
type args struct {
osVer string
pkgs []ftypes.Package
}
tests := []struct {
name string
args args
fixtures []string
want []types.DetectedVulnerability
wantErr string
}{
{
name: "happy path 1.0 SrcName and Name are different",
fixtures: []string{
"testdata/fixtures/mariner.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "1.0",
pkgs: []ftypes.Package{
{
Name: "bind-utils",
Epoch: 0,
Version: "9.16.14",
Release: "1.cm1",
Arch: "aarch64",
SrcName: "bind",
SrcEpoch: 0,
SrcVersion: "9.16.14",
SrcRelease: "1.cm1",
License: "ISC",
Layer: ftypes.Layer{},
},
},
},
want: []types.DetectedVulnerability{
{
PkgName: "bind-utils",
VulnerabilityID: "CVE-2019-6470",
InstalledVersion: "9.16.14-1.cm1",
FixedVersion: "9.16.15-1.cm1",
Layer: ftypes.Layer{},
DataSource: &dbTypes.DataSource{
Name: "CBL-Mariner Vulnerability Data",
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData",
},
},
},
},
{
name: "happy path 2.0",
fixtures: []string{
"testdata/fixtures/mariner.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "2.0",
pkgs: []ftypes.Package{
{
Name: "vim",
Epoch: 0,
Version: "8.2.4081",
Release: "1.cm1",
Arch: "aarch64",
SrcName: "vim",
SrcEpoch: 0,
SrcVersion: "8.2.4081",
SrcRelease: "1.cm1",
License: "Vim",
Layer: ftypes.Layer{},
},
},
},
want: []types.DetectedVulnerability{
{
PkgName: "vim",
VulnerabilityID: "CVE-2022-0261",
InstalledVersion: "8.2.4081-1.cm1",
Layer: ftypes.Layer{},
DataSource: &dbTypes.DataSource{
Name: "CBL-Mariner Vulnerability Data",
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData",
},
},
},
},
{
name: "broken advisory",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
args: args{
osVer: "1.0",
pkgs: []ftypes.Package{
{
Name: "bind-utils",
Epoch: 0,
Version: "9.16.14",
Release: "1.cm1",
Arch: "aarch64",
SrcName: "bind",
SrcEpoch: 0,
SrcVersion: "9.16.14",
SrcRelease: "1.cm1",
License: "ISC",
Layer: ftypes.Layer{},
},
},
},
wantErr: "failed to get CBL-Mariner advisories",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_ = dbtest.InitDB(t, tt.fixtures)
defer db.Close()
s := mariner.NewScanner()
got, err := s.Detect(tt.args.osVer, tt.args.pkgs)
if tt.wantErr != "" {
require.Error(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
return
}
assert.NoError(t, err)
assert.Equal(t, tt.want, got)
})
}
}
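Review bot: None of the cases exercises the `osVer` normalization branch in `Detect` (the `strings.Count(osVer, ".") > 1` path): both happy paths pass a bare `1.0`/`2.0`, so a regression in the truncation that maps a value like `1.0.20210127` onto the `CBL-Mariner 1.0` bucket would go unnoticed. Adding a case identical to "happy path 1.0 SrcName and Name are different" but with `osVer: "1.0.20210127"` and the same `want` would pin it. `IsSupportedVersion` also has no test, which is cheap to add since it currently returns true for any input.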


@@ -0,0 +1,12 @@
- bucket: data-source
pairs:
- key: CBL-Mariner 1.0
value:
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- bucket: data-source
pairs:
- key: CBL-Mariner 2.0
value:
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"


@@ -0,0 +1,9 @@
- bucket: CBL-Mariner 1.0
pairs:
- bucket: bind
pairs:
- key: CVE-2021-25219
value:
FixedVersion:
- foo
- bar


@@ -0,0 +1,16 @@
- bucket: CBL-Mariner 1.0
pairs:
- bucket: bind
pairs:
- key: CVE-2020-8618
value:
FixedVersion: 0:9.16.3-2.cm1
- key: CVE-2019-6470
value:
FixedVersion: 0:9.16.15-1.cm1
- bucket: CBL-Mariner 2.0
pairs:
- bucket: vim
pairs:
- key: CVE-2022-0261