gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 07:40:48 -08:00
Code Issues Packages Projects Releases Wiki Activity

refactor(vuln): don't remove VendorSeverity in JSON report (#5761)

Browse Source
This commit is contained in:
DmitriyLewen
2023-12-12 18:33:41 +06:00
committed by GitHub
parent be5a550491
commit 9b4bcedf0e
58 changed files with 751 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
integration/testdata/almalinux-8.json.golden vendored
View File

@@ -76,6 +76,18 @@
"CweIDs": [
"CWE-125"
],
"VendorSeverity": {
"alma": 2,
"amazon": 2,
"arch-linux": 3,
"cbl-mariner": 3,
"nvd": 3,
"oracle-oval": 2,
"photon": 3,
"redhat": 2,
"rocky": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",

32
integration/testdata/alpine-310-registry.json.golden vendored
View File

@@ -84,6 +84,14 @@
"CweIDs": [
"CWE-330"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -145,6 +153,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -216,6 +232,14 @@
"CweIDs": [
"CWE-330"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -277,6 +301,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",

32
integration/testdata/alpine-310.json.golden vendored
View File

@@ -78,6 +78,14 @@
"CweIDs": [
"CWE-330"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -139,6 +147,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -210,6 +226,14 @@
"CweIDs": [
"CWE-330"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -271,6 +295,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",

6
integration/testdata/alpine-39-high-critical.json.golden vendored
View File

@@ -77,6 +77,9 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"nvd": 4
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -116,6 +119,9 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"nvd": 4
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",

16
integration/testdata/alpine-39-ignore-cveids.json.golden vendored
View File

@@ -78,6 +78,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -149,6 +157,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",

38
integration/testdata/alpine-39.json.golden vendored
View File

@@ -78,6 +78,14 @@
"CweIDs": [
"CWE-330"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -139,6 +147,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -210,6 +226,14 @@
"CweIDs": [
"CWE-330"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -271,6 +295,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -341,6 +373,9 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"nvd": 4
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -380,6 +415,9 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"nvd": 4
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",

3
integration/testdata/alpine-distroless.json.golden vendored
View File

@@ -67,6 +67,9 @@
"CweIDs": [
"CWE-427"
],
"VendorSeverity": {
"ubuntu": 2
},
"References": [
"http://www.openwall.com/lists/oss-security/2022/04/12/7",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765",

9
integration/testdata/amazon-1.json.golden vendored
View File

@@ -77,6 +77,15 @@
"CweIDs": [
"CWE-415"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 2,
"nvd": 4,
"oracle-oval": 2,
"photon": 4,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",

18
integration/testdata/amazon-2.json.golden vendored
View File

@@ -77,6 +77,15 @@
"CweIDs": [
"CWE-415"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 2,
"nvd": 4,
"oracle-oval": 2,
"photon": 4,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -136,6 +145,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 1,
"arch-linux": 3,
"nvd": 3,
"oracle-oval": 2,
"photon": 3,
"redhat": 1,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",

6
integration/testdata/amazonlinux2-gp2-x86-vm.json.golden vendored
View File

@@ -43,6 +43,12 @@
"Title": "bind: memory leak in ECDSA DNSSEC verification code",
"Description": "By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.",
"Severity": "MEDIUM",
"VendorSeverity": {
"arch-linux": 2,
"nvd": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",

6
integration/testdata/busybox-with-lockfile.json.golden vendored
View File

@@ -76,6 +76,9 @@
"CweIDs": [
"CWE-674"
],
"VendorSeverity": {
"nvd": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
@@ -115,6 +118,9 @@
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"nvd": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",

16
integration/testdata/centos-6.json.golden vendored
View File

@@ -93,6 +93,14 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 2,
"nvd": 3,
"oracle-oval": 2,
"photon": 3,
"redhat": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
@@ -139,6 +147,14 @@
"CweIDs": [
"CWE-203"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",

18
integration/testdata/centos-7-ignore-unfixed.json.golden vendored
View File

@@ -87,6 +87,14 @@
"CweIDs": [
"CWE-203"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
@@ -169,6 +177,16 @@
"CweIDs": [
"CWE-327"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 1,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",

8
integration/testdata/centos-7-medium.json.golden vendored
View File

@@ -87,6 +87,14 @@
"CweIDs": [
"CWE-203"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",

26
integration/testdata/centos-7.json.golden vendored
View File

@@ -83,6 +83,14 @@
"CweIDs": [
"CWE-273"
],
"VendorSeverity": {
"cbl-mariner": 3,
"nvd": 3,
"oracle-oval": 1,
"photon": 3,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -133,6 +141,14 @@
"CweIDs": [
"CWE-203"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
@@ -215,6 +231,16 @@
"CweIDs": [
"CWE-327"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 1,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",

3
integration/testdata/cocoapods.json.golden vendored
View File

@@ -41,6 +41,9 @@
"Title": "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
"Description": "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack...",
"Severity": "MEDIUM",
"VendorSeverity": {
"ghsa": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",

3
integration/testdata/composer.lock.json.golden vendored
View File

@@ -78,6 +78,9 @@
"CweIDs": [
"CWE-20"
],
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",

42
integration/testdata/conda-spdx.json.golden vendored
View File

@@ -74,17 +74,6 @@
}
],
"files": [
{
"fileName": "miniconda3/envs/testenv/conda-meta/openssl-1.1.1q-h7f8727e_0.json",
"SPDXID": "SPDXRef-File-600e5e0110a84891",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "237db0da53131e4548cb1181337fa0f420299e1f"
}
],
"copyrightText": ""
},
{
"fileName": "miniconda3/envs/testenv/conda-meta/pip-22.2.2-py38h06a4308_0.json",
"SPDXID": "SPDXRef-File-7eb62e2a3edddc0a",
@@ -95,6 +84,17 @@
}
],
"copyrightText": ""
},
{
"fileName": "miniconda3/envs/testenv/conda-meta/openssl-1.1.1q-h7f8727e_0.json",
"SPDXID": "SPDXRef-File-600e5e0110a84891",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "237db0da53131e4548cb1181337fa0f420299e1f"
}
],
"copyrightText": ""
}
],
"relationships": [
@@ -108,16 +108,6 @@
"relatedSpdxElement": "SPDXRef-Application-ee5ef1aa4ac89125",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-c75d9dc75200186f",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Package-c75d9dc75200186f",
"relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-195557cddf18e4a9",
@@ -127,6 +117,16 @@
"spdxElementId": "SPDXRef-Package-195557cddf18e4a9",
"relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-c75d9dc75200186f",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Package-c75d9dc75200186f",
"relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
"relationshipType": "CONTAINS"
}
]
}

6
integration/testdata/debian-buster-ignore-unfixed.json.golden vendored
View File

@@ -80,6 +80,12 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 4,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",

15
integration/testdata/debian-buster.json.golden vendored
View File

@@ -76,6 +76,15 @@
"CweIDs": [
"CWE-273"
],
"VendorSeverity": {
"cbl-mariner": 3,
"debian": 1,
"nvd": 3,
"oracle-oval": 1,
"photon": 3,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -131,6 +140,12 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 4,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",

45
integration/testdata/debian-stretch.json.golden vendored
View File

@@ -77,6 +77,15 @@
"CweIDs": [
"CWE-273"
],
"VendorSeverity": {
"cbl-mariner": 3,
"debian": 1,
"nvd": 3,
"oracle-oval": 1,
"photon": 3,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -132,6 +141,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -193,6 +211,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -254,6 +281,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -315,6 +351,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",

32
integration/testdata/distroless-base.json.golden vendored
View File

@@ -75,6 +75,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -150,6 +158,14 @@
"CWE-327",
"CWE-203"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 1,
"oracle-oval": 2,
"photon": 1,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
@@ -227,6 +243,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -302,6 +326,14 @@
"CWE-327",
"CWE-203"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 1,
"oracle-oval": 2,
"photon": 1,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",

32
integration/testdata/distroless-python27.json.golden vendored
View File

@@ -92,6 +92,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -167,6 +175,14 @@
"CWE-327",
"CWE-203"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 1,
"oracle-oval": 2,
"photon": 1,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
@@ -244,6 +260,14 @@
"CweIDs": [
"CWE-200"
],
"VendorSeverity": {
"amazon": 1,
"nvd": 2,
"oracle-oval": 1,
"photon": 2,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -319,6 +343,14 @@
"CWE-327",
"CWE-203"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 1,
"oracle-oval": 2,
"photon": 1,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",

3
integration/testdata/dotnet.json.golden vendored
View File

@@ -54,6 +54,9 @@
"CweIDs": [
"CWE-755"
],
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",

11
integration/testdata/fluentd-gems.json.golden vendored
View File

@@ -133,6 +133,12 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 4,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -195,6 +201,11 @@
"CweIDs": [
"CWE-502"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 4,
"redhat": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",

20
integration/testdata/fluentd-multiple-lockfiles.json.golden vendored
View File

@@ -45,6 +45,15 @@
"CweIDs": [
"CWE-273"
],
"VendorSeverity": {
"cbl-mariner": 3,
"debian": 1,
"nvd": 3,
"oracle-oval": 1,
"photon": 3,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -97,6 +106,12 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"nvd": 4,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -157,6 +172,11 @@
"CweIDs": [
"CWE-502"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 4,
"redhat": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",

3
integration/testdata/gomod-skip.json.golden vendored
View File

@@ -65,6 +65,9 @@
"CweIDs": [
"CWE-682"
],
"VendorSeverity": {
"nvd": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",

3
integration/testdata/gomod.json.golden vendored
View File

@@ -65,6 +65,9 @@
"CweIDs": [
"CWE-682"
],
"VendorSeverity": {
"nvd": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",

10
integration/testdata/gradle.json.golden vendored
View File

@@ -41,6 +41,11 @@
"CweIDs": [
"CWE-502"
],
"VendorSeverity": {
"ghsa": 4,
"nvd": 4,
"redhat": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
@@ -97,6 +102,11 @@
"CweIDs": [
"CWE-502"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C",

8
integration/testdata/mariner-1.0.json.golden vendored
View File

@@ -60,6 +60,9 @@
"CweIDs": [
"CWE-122"
],
"VendorSeverity": {
"cbl-mariner": 3
},
"References": [
"https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc",
"https://huntr.dev/bounties/fa795954-8775-4f23-98c6-d4d4d3fe8a82",
@@ -91,6 +94,11 @@
"CweIDs": [
"CWE-122"
],
"VendorSeverity": {
"cbl-mariner": 1,
"nvd": 1,
"redhat": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",

3
integration/testdata/minikube-kbom.json.golden vendored
View File

@@ -48,6 +48,9 @@
"Title": "Bypass of seccomp profile enforcement ",
"Description": "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement...",
"Severity": "LOW",
"VendorSeverity": {
"k8s": 1
},
"CVSS": {
"k8s": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",

3
integration/testdata/mix.lock.json.golden vendored
View File

@@ -161,6 +161,9 @@
"Title": "Phoenix before 1.6.14 mishandles check_origin wildcarding",
"Description": "socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.",
"Severity": "HIGH",
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",

12
integration/testdata/npm-with-dev.json.golden vendored
View File

@@ -257,6 +257,18 @@
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"alma": 2,
"amazon": 2,
"arch-linux": 2,
"ghsa": 2,
"nodejs-security-wg": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ruby-advisory-db": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",

12
integration/testdata/npm.json.golden vendored
View File

@@ -240,6 +240,18 @@
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"alma": 2,
"amazon": 2,
"arch-linux": 2,
"ghsa": 2,
"nodejs-security-wg": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ruby-advisory-db": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",

3
integration/testdata/nuget.json.golden vendored
View File

@@ -71,6 +71,9 @@
"CweIDs": [
"CWE-755"
],
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",

6
integration/testdata/opensuse-leap-151.json.golden vendored
View File

@@ -82,6 +82,9 @@
"Title": "Security update for openssl-1_1",
"Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"VendorSeverity": {
"suse-cvrf": 2
},
"References": [
"https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"https://www.suse.com/support/security/rating/"
@@ -108,6 +111,9 @@
"Title": "Security update for openssl-1_1",
"Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"VendorSeverity": {
"suse-cvrf": 2
},
"References": [
"https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"https://www.suse.com/support/security/rating/"

18
integration/testdata/oraclelinux-8.json.golden vendored
View File

@@ -86,6 +86,15 @@
"CweIDs": [
"CWE-125"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 3,
"nvd": 3,
"oracle-oval": 2,
"photon": 3,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
@@ -144,6 +153,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 1,
"arch-linux": 3,
"nvd": 3,
"oracle-oval": 2,
"photon": 3,
"redhat": 1,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",

3
integration/testdata/packagesprops.json.golden vendored
View File

@@ -50,6 +50,9 @@
"CweIDs": [
"CWE-755"
],
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",

26
integration/testdata/photon-30.json.golden vendored
View File

@@ -87,6 +87,14 @@
"CweIDs": [
"CWE-273"
],
"VendorSeverity": {
"cbl-mariner": 3,
"nvd": 3,
"oracle-oval": 1,
"photon": 3,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -139,6 +147,15 @@
"CweIDs": [
"CWE-415"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 2,
"nvd": 4,
"oracle-oval": 2,
"photon": 4,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -198,6 +215,15 @@
"CweIDs": [
"CWE-415"
],
"VendorSeverity": {
"amazon": 2,
"arch-linux": 2,
"nvd": 4,
"oracle-oval": 2,
"photon": 4,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",

12
integration/testdata/pip.json.golden vendored
View File

@@ -78,6 +78,12 @@
"CweIDs": [
"CWE-331"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -125,6 +131,12 @@
"CweIDs": [
"CWE-601"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N",

12
integration/testdata/pipenv.json.golden vendored
View File

@@ -54,6 +54,12 @@
"CweIDs": [
"CWE-331"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -101,6 +107,12 @@
"CweIDs": [
"CWE-601"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N",

17
integration/testdata/pnpm.json.golden vendored
View File

@@ -42,6 +42,18 @@
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"alma": 2,
"amazon": 2,
"arch-linux": 2,
"ghsa": 2,
"nodejs-security-wg": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ruby-advisory-db": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
@@ -156,6 +168,11 @@
"Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
"Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
"Severity": "CRITICAL",
"VendorSeverity": {
"ghsa": 4,
"nvd": 4,
"redhat": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P",

6
integration/testdata/poetry.json.golden vendored
View File

@@ -66,6 +66,12 @@
"CweIDs": [
"CWE-331"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",

10
integration/testdata/pom.json.golden vendored
View File

@@ -42,6 +42,11 @@
"CweIDs": [
"CWE-502"
],
"VendorSeverity": {
"ghsa": 4,
"nvd": 4,
"redhat": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
@@ -99,6 +104,11 @@
"CweIDs": [
"CWE-502"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C",

3
integration/testdata/pubspec.lock.json.golden vendored
View File

@@ -57,6 +57,9 @@
"CweIDs": [
"CWE-74"
],
"VendorSeverity": {
"ghsa": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",

12
integration/testdata/rockylinux-8.json.golden vendored
View File

@@ -76,6 +76,18 @@
"CweIDs": [
"CWE-125"
],
"VendorSeverity": {
"alma": 2,
"amazon": 2,
"arch-linux": 3,
"cbl-mariner": 3,
"nvd": 3,
"oracle-oval": 2,
"photon": 3,
"redhat": 2,
"rocky": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",

5
integration/testdata/spring4shell-jre11.json.golden vendored
View File

@@ -218,6 +218,11 @@
"CweIDs": [
"CWE-94"
],
"VendorSeverity": {
"ghsa": 4,
"nvd": 4,
"redhat": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",

5
integration/testdata/spring4shell-jre8.json.golden vendored
View File

@@ -218,6 +218,11 @@
"CweIDs": [
"CWE-94"
],
"VendorSeverity": {
"ghsa": 4,
"nvd": 4,
"redhat": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",

3
integration/testdata/swift.json.golden vendored
View File

@@ -59,6 +59,9 @@
"Title": "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
"Description": "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack...",
"Severity": "MEDIUM",
"VendorSeverity": {
"ghsa": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",

6
integration/testdata/test-repo.json.golden vendored
View File

@@ -41,6 +41,9 @@
"CweIDs": [
"CWE-674"
],
"VendorSeverity": {
"nvd": 3
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
@@ -77,6 +80,9 @@
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"nvd": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",

8
integration/testdata/ubi-7.json.golden vendored
View File

@@ -94,6 +94,14 @@
"CweIDs": [
"CWE-273"
],
"VendorSeverity": {
"cbl-mariner": 3,
"nvd": 3,
"oracle-oval": 1,
"photon": 3,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",

36
integration/testdata/ubuntu-1804-ignore-unfixed.json.golden vendored
View File

@@ -96,6 +96,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -154,6 +163,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -212,6 +230,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -270,6 +297,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",

44
integration/testdata/ubuntu-1804.json.golden vendored
View File

@@ -95,6 +95,14 @@
"CweIDs": [
"CWE-273"
],
"VendorSeverity": {
"cbl-mariner": 3,
"nvd": 3,
"oracle-oval": 1,
"photon": 3,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -147,6 +155,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -205,6 +222,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -263,6 +289,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -321,6 +356,15 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",

7
integration/testdata/ubuntu-gp2-x86-vm.json.golden vendored
View File

@@ -40,6 +40,13 @@
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"cbl-mariner": 3,
"nvd": 3,
"photon": 3,
"redhat": 1,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",

12
integration/testdata/yarn.json.golden vendored
View File

@@ -59,6 +59,18 @@
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"alma": 2,
"amazon": 2,
"arch-linux": 2,
"ghsa": 2,
"nodejs-security-wg": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ruby-advisory-db": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",

3
pkg/report/json_test.go
View File

@@ -55,6 +55,9 @@ func TestReportWriter_JSON(t *testing.T) {
Title: "foobar",
Description: "baz",
Severity: "HIGH",
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
vulnerability.NVD: dbTypes.SeverityHigh,
},
},
},
},

3
pkg/report/predicate/vuln_test.go
View File

@@ -64,6 +64,9 @@ func TestWriter_Write(t *testing.T) {
Title: "foobar",
Description: "baz",
Severity: "HIGH",
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
vulnerability.NVD: dbTypes.SeverityHigh,
},
},
},
},

17
pkg/types/report.go
View File

@@ -1,7 +1,6 @@
package types
import (
"encoding/json"
"time"
v1 "github.com/google/go-containerregistry/pkg/v1" // nolint: goimports
@@ -114,22 +113,6 @@ type Result struct {
CustomResources []ftypes.CustomResource `json:"CustomResources,omitempty"`
}
func (r *Result) MarshalJSON() ([]byte, error) {
// VendorSeverity includes all vendor severities.
// It would be noisy to users, so it should be removed from the JSON output.
for i := range r.Vulnerabilities {
r.Vulnerabilities[i].VendorSeverity = nil
}
// Notice the Alias struct prevents MarshalJSON being called infinitely
type ResultAlias Result
return json.Marshal(&struct {
*ResultAlias
}{
ResultAlias: (*ResultAlias)(r),
})
}
func (r *Result) IsEmpty() bool {
return len(r.Packages) == 0 && len(r.Vulnerabilities) == 0 && len(r.Misconfigurations) == 0 &&
len(r.Secrets) == 0 && len(r.Licenses) == 0 && len(r.CustomResources) == 0