gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-19 02:32:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.10.2
Branches Tags
gitea-mirror:main gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/common-8f43369130 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.2 gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
..
compare: gitea-mirror:v0.15.0
Branches Tags
gitea-mirror:release-please--branches--main gitea-mirror:main gitea-mirror:gh-pages gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/common-8f43369130 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.2 gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

66 Commits
v0.10.2 ... v0.15.0

Author SHA1 Message Date
Johannes
08ca1b00b7 Feat: NuGet Scanner (#686) 
* Initial nuget advisory detector code.

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>

* Added nuget package to scan.go

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>

* Removed nuget advisory file and instead added csharp/nuget as a driver in driver.go.

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>

* Removed nuget package from driver. Added ghasnuget as a source in vulnerability.go

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>

* Updated nuget driver to use correct name and to initialize with the new generic scanner.

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>

* refactor: cut out to a separate method

* chore(mod): update trivy-db

* fix(driver): add a general driver

* test(ghsa): add nuget

* chore: update README

Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2020-12-21 10:17:15 +02:00
Teppei Fukuda
7b86f81e29 feat(cache): support Redis (#770) 
* feat(config): add --cache-backend

* feat(operation): embed cache.Cache into operation.Cache

* feat(cache): support redis://

* test(integration): add redis test

* chore(README): add --cache-backend

* chore(mod): update

* chore: add disclaimer
 2020-12-21 08:26:19 +02:00
Masahiro331
8cd4afeaf1 fix(redhat): skip module packages (#776) 
* remove cbinding

* skip modular packages

* add debug log

* Fix clomatic complexity 11

* Add comment

* Fix test release

* chore(mod): update

* refactor(redhat): rename a method

* test(redhat): refactor

Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2020-12-18 07:52:13 +02:00
Teppei Fukuda
b606b621e5 chore: migrate from master to main (#778) 2020-12-17 17:27:36 +02:00
Teppei Fukuda
5c2b14b910 chore(circleci): remove gofmt (#777) 2020-12-17 15:35:11 +02:00
Teppei Fukuda
a19a023f1f chore(README): remove experimental (#775) 2020-12-16 06:06:17 +02:00
Simarpreet Singh
e6cef75162 NVD: Add timestamps. (#761) 
* (feat): Add NVD published and modified dates

Signed-off-by: Simarpreet Singh <simar@linux.com>

* (test): Fix golden files.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* (test): Fix registry_test.go golden files.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* (test): Fix distroless-base-ignore-unfixed.json.golden with ignore-unfixed option.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* (test): Fix fluentd-multiple-lockfiles.json.golden.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* (test): Fix alpine-310.html.golden file.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* fix(convert): fix disparency between standalone and client/server

* test(integration): update trivy.db

* test(integration): update golden files

* (test): Add a check for non nil date types.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* (test): Add a unit test for ConvertFromRPCResults.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* (test): Add a nil date case for ConvertFromRPCResults.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* refactor: sort imports

Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2020-12-14 13:21:09 -08:00
Simarpreet Singh
1371f72cfb (fix): Make the table output less wide. (#763) 
* (fix): Make the table output less wide.

Currently the table outupt can be as long as 200 characters wide in some
images like nginx:1.16

This PR merges the Title and the URL columns to shorten it.

With this change the longest column has reduced from 200 -> 162 (-19%).

Signed-off-by: Simarpreet Singh <simar@linux.com>

* (fix): Remove Debian TEMP-* links.

These links are quite wide. Removing them makes it 200 -> 143 (-28.5%) shorter for table output.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* Revert "(fix): Remove Debian TEMP-* links."

This reverts commit 228540f7c3.
 2020-12-08 11:08:30 -08:00
Christian Zunker
8ecaa2f057 Add gitHubToken to prevent rate limit problems (#769) 
And remove unnecessary config parameters.

Fixes #768

Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
 2020-12-08 09:39:22 +02:00
Christian Zunker
8132174754 Add helm chart to install trivy in server mode. (#751) 
Fixes #688

Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
 2020-12-06 13:21:19 +02:00
Jack Kelly
bcc285095d chore(docs): add nix install (#762) 2020-12-04 14:45:31 -08:00
irrandon
cb369727cd HTML template (#567) 
* add html template

* test(integration): use JSONEq only for JSON folden files

Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2020-12-02 10:50:45 +02:00
Teppei Fukuda
9bdbeaba66 feat: remove rpm dependency (#753) 
* chore(docker): remove rpm

* chore(README): remove rpm

* fix(scanner): replace rpmcmd with rpm

* chore(goreleaser): remove rpm

* chore(mod): update fanal

* chore(mod): update fanal
 2020-12-02 07:24:43 +02:00
Teppei Fukuda
d85cb77123 fix(vulnerability): make an empty severity UNKNOWN (#759) 2020-12-02 07:24:02 +02:00
Teppei Fukuda
1bee83ccc4 chore(README): add TRIVY_INSECURE (#760) 
* chore(README): add TRIVY_INSECURE

* chore(README): replace server with registry
 2020-11-30 16:43:33 +02:00
Teppei Fukuda
4d1894327e feat(vulnerability): add primary URLs (#752) 
* refactor(vulnerability): rename a method

* feat(vulnerability): add primary url

* fix(templates): add primary links

* feat(writer): add url

* refactor(convert): remove an unnecessary function

* feat(rpc): add primary_url

* test(integration): update golden files
 2020-11-26 06:06:26 +02:00
Teppei Fukuda
1391b3bf47 fix(oracle): handle ksplice advisories (#745) 2020-11-18 20:14:01 +02:00
Teppei Fukuda
b6d5b82c48 fix: version comparison (#740) 
* feat: add comparer

* refactor: rename lang with ecosystem

* feat(bundler): add comparer

* feat(node): add comparer

* feat(bundler): integrate comparer

* feat(cargo): integrate comparer

* feat(composer): add comparer

* feat(ghsa): integrate comparer

* feat(node): integrate comparer

* feat(python): integrate comparer

* test(bundler): add tests

* test(cargo): add tests

* test(composer): add tests

* test(ghsa): add tests

* test(node): add tests

* test(python): add tests

* refactor(utils): remove unnecessary functions

* test(utils): add tests

* test: rename bucket prefixes

* fix(detect): use string

* chore: update dependencies

* docs: add comments

* fix(cargo): handle unpatched vulnerability

* test(db): update trivy-db for integration tests

* test(integration): update a golden file

* test(cargo): Add a case for missing patched version

Signed-off-by: Simarpreet Singh <simar@linux.com>

* refactor(advisory): update comments

* refactor(node/advisory): change the receiver

* chore(mod): update dependencies

* refactor(comparer): unexport MatchVersion

* refactor: fix maligned structs

* test(node): add empty value

* refactor

* refactor: sort imports

* chore(mod): update trivy-db

Co-authored-by: Simarpreet Singh <simar@linux.com>
 2020-11-17 11:38:58 +02:00
Gianni Carafa
9dfb0fe3a9 updated Readme.md (#737) 
removed unused env var TRIVY_AUTH_URL
 2020-11-12 21:16:42 -08:00
Dirk Mueller
455546975c Add suse sles 15.2 to the EOL list as well (#734) 
without that you get this arning:
  WARN	This OS version is not on the EOL list: suse linux enterprise server 15.2

which is actually misleading because 15.2 is the most current release,
we just don't know when it ends. we can however assume that it runs
for at least another year.

Signed-off-by: Dirk Mueller <dirk@dmllr.de>
Signed-off-by: Dirk Mueller <dmueller@suse.com>
 2020-10-30 16:42:48 -07:00
Sinith
c189aa6a0a Update README.md (#731) 2020-10-29 12:24:21 -07:00
Dax McDonald
8442528fa7 Warn when a user attempts to use trivy without a detectable lockfile (#729) 
* Warn when a user attempts to use trivy without a detectable lockfile

* Update pkg/scanner/local/scan.go

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2020-10-29 12:45:59 +02:00
Dax McDonald
d09787e150 Add back support for FreeBSD & OpenBSD (#728) 
Reverts 7fc94ad95c
 2020-10-29 07:21:49 +02:00
Carlos Eduardo
0285a89c7c Add support for ppc64le architecture (#724) 2020-10-26 17:08:14 -07:00
Evgeniy Kosov
7d7784fecb Skip packages from unsupported repository (remi) (#695) 
* Skip packages from unsupported repository (remi)

* Use HasSuffix instead of regexp match
 2020-10-26 13:14:46 +02:00
Huang Huang
ca6f196001 Skip downloading DB if a remote DB is not updated (#717) 
* Skip downloading DB if a remote DB is not updated

* Apply suggestions from code review

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

* update github.com/aquasecurity/trivy-db version

* fix lint

* Use UTC datetime

* display DownloadedAt info in debug log

* refactor(db): merge isLatestDB into isNewDB

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2020-10-26 09:07:30 +02:00
Huang Huang
e621cf2bc1 Sunsetting VendorVectors (#718) 2020-10-25 13:45:56 +02:00
Teppei Fukuda
906ab5483e Add GitHub Container Registry to README (#712) 2020-10-25 13:17:16 +02:00
Pascal Andy
1549c25709 update BUG_REPORT.md using H2 instead of bold formatting (#714) 2020-10-22 14:15:20 -07:00
Teppei Fukuda
fe1d07e58c fix(ci/deb): do not remove old packages for EOL versions (#706) 2020-10-22 06:52:42 +03:00
rahul2393
793a1aa3c8 Add linter check support (#679) 
* add linter supports

* add only minor version

* use latest version

* Fix println with format issue

* Fix test

* Fix tests

* For slice with unknown length, preallocating the array

* fix code-coverage

* Removed linter rules

* Reverting linter fixes, adding TODO for later

* Ignore linter error for import

* Remove another err var.

* Ignore shadow error

* Fixes

* Fix issue

* Add back goimports local-prefixes

* Update local prefixes

* Removed extra spaces and merge the imports

* more refactoring

* Update photon.go

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2020-10-20 15:20:04 +03:00
Jeff Rescignano
4a94477532 Optimize images (#696) 2020-10-20 08:13:33 +03:00
Teppei Fukuda
9bc2b1949c Update triage.md (#701) 2020-10-20 08:12:47 +03:00
Aron Moore
49691ba85e ci(circle): update remote docker version (#683) 2020-10-13 15:39:01 +03:00
Dirk Mueller
87ff0c1bbc suse: update end of life dates for SLES service packs (#676) 
All synced with https://www.suse.com/lifecycle/ as of today

Signed-off-by: Dirk Mueller <dirk@dmllr.de>
Signed-off-by: Dirk Mueller <dmueller@suse.com>
 2020-10-11 10:30:28 +03:00
Karan Thanvi
de30c3f8d6 update readme for parallel run issue (#660) 
* update readme for parallel run

* move to Q&A
 2020-10-11 10:24:19 +03:00
Neha Viswanathan
4c3bfb89a4 fix link for Clear images section in README (#659) 2020-10-05 13:59:01 -07:00
Neha Viswanathan
8b21cfe7eb add link to Gitlab CI pipeline in README (#658) 2020-10-05 13:47:49 -07:00
Teppei Fukuda
46700f7b74 test: add tests for mux (#645) 2020-09-30 09:10:33 +03:00
Teppei Fukuda
014be7e143 chore: bump up Go to 1.15 (#646) 
* chore: bump up Go to 1.15

* chore(goreleaser): ignore darwin/386
 2020-09-24 08:00:08 +03:00
Alexander Lauster
b3ff2c35ea Add contrib/ to the release chain for Docker (#638) 
* Add contrib/ to the release chain for Docker

Add the complete contrib/ folder to the release chain

* Include all template files to the tar.gz archives
 2020-09-23 10:49:22 +03:00
Huang Huang
9c786de8f9 Add health check endpoint to trivy server (#644) 2020-09-21 16:30:45 +03:00
Teppei Fukuda
188e108d7c fix(cli): show help for subcommands (#629) 2020-09-21 14:03:25 +03:00
Huang Huang
7d7842f2f3 Add --skip-update option to fs and repo subcommand (#641) 2020-09-18 14:49:47 -07:00
Manuel Rüger
901a3715cb goreleaser.yml: Add all templates to archive (#636) 
Fixes: https://github.com/aquasecurity/trivy/issues/631

Signed-off-by: Manuel Rüger <manuel@rueg.eu>
 2020-09-15 16:09:38 -07:00
Masahiro331
095b5ce97c fix(cli): show help when no argument is passed (#628) 
* Fix subcommands help

* refactor: call ShowAppHelpAndExit

* refactor: remove an unused error

* test: remove exit cases

Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2020-09-08 17:32:20 +03:00
Teppei Fukuda
1d3f70e07f chore(image): push the official image to GitHub Container Registry as well (#627) 2020-09-08 15:06:32 +03:00
Teppei Fukuda
5e308da81a feat(cli): add --skip-files option (#624) 
* feat(cli): add --skip-files

* test(integration): add --skip-files and --skip-dirs

* chore(docs): update README

* chore(docs): correct a grammar mistake
 2020-09-08 15:04:56 +03:00
Teppei Fukuda
2231e4068d chore(docs): update comparison table (#623) 
* chore(docs): update README

* use
2020-09-02 16:56:30 +03:00
Simarpreet Singh
b3680f0016 logo: Add new Trivy logo (#615) 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-09-02 12:41:11 +03:00
Carol Valencia
89527796f6 fix(Readme) - Results using a template (#622) 
Co-authored-by: Carol Valencia <krol3@users.noreply.github.com>
 2020-09-02 12:40:05 +03:00
Chris Aumann
165d593fdb Improve Gitlab CI installation step in README (#621) 
This improves the installation step in `.gitlab-ci.yml`. 

- Removes unnecessary installation and use of `curl` (replaces it with `wget`)
- Removes storing the intermediate file by using a pipe to `tar`
 2020-09-02 12:39:05 +03:00
Teppei Fukuda
d8b09628f0 feat(rpc): add CWE-ID (#614) 2020-09-02 07:42:32 +03:00
Alexander Lauster
d35e8ec351 Add all templates to the docker image (#619) 
Before this change, only a subset of templates were included in the docker image.
Now all templates which are part of the git repo will be included when the docker image will be build, a future commit for every new template is not needed anymore
 2020-08-31 11:16:22 +03:00
Teppei Fukuda
f50b0ce8af feat(library): support a custom data source (#613) 
* chore(mod): update trivy-db

* refactor(detector/library): use programming language instead of package
manager

* feat(library): add general advisory

* test(utils): add a util function initializing DB

* test(advisory): add tests

* chore: use aquasecurity/bolt-fixtures

* refactor: add comments

* chore(mod): revert fanal version

* chore(mod): update trivy-db

* refactor: update the comment
 2020-08-30 10:11:32 +03:00
Teppei Fukuda
ed8607b710 fix(alpine): use source package (#607) 
* chore(mod): update fanal

* fix(integration): support -update flag

* fix(alpine): use source package for vulnerability detection

* test(integration): update golden files

* chore(mod): update fanal
 2020-08-25 13:01:49 +03:00
Teppei Fukuda
ea28d3b6f3 test(vulnerability): fix usages of new trivy-db refactor changes (#611) 
* mod: Update trivy-db

Signed-off-by: Simarpreet Singh <simar@linux.com>

* vulnerability_test: Fix usages of new trivy-db refactor changes

Signed-off-by: Simarpreet Singh <simar@linux.com>

* chore(mod): update trivy-db

Co-authored-by: Simarpreet Singh <simar@linux.com>
 2020-08-25 12:21:15 +03:00
Teppei Fukuda
827cea3245 refactor(bundler): remove unnecessary code (#610) 2020-08-24 13:22:11 +03:00
Simarpreet Singh
b2a0d83518 codecov: Move into root directory (#608) 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-08-20 10:21:52 -07:00
rahul2393
85e0139f32 Fix: fullDescription field in SARIF output is not correctly escaped (#605) 
* Fixed sarif template fullDescription escape

* Added fix to other possible places

* Added test for escaping character
 2020-08-19 10:23:04 -07:00
Teppei Fukuda
80d5df0ceb chore(docs): add AWS Security Hub (#598) 
* chore(docs): add AWS Security Hub

* Update docs/integration/security-hub.md

Co-authored-by: Simarpreet Singh <simar@linux.com>

* Update README.md

Co-authored-by: Liz Rice <liz@lizrice.com>

Co-authored-by: Simarpreet Singh <simar@linux.com>
Co-authored-by: Liz Rice <liz@lizrice.com>
 2020-08-19 13:19:24 +03:00
Teppei Fukuda
3a54e5b644 refactor(writer): define the constructor for TemplateWriter (#597) 2020-08-17 09:06:50 +03:00
Simarpreet Singh
acc6a9bd01 circleci: Allow coverage changes without a failure (#599) 
Ref: https://github.com/testground/testground/pull/430

Signed-off-by: Simarpreet Singh <simar@linux.com>
 2020-08-13 10:13:49 +03:00
Teppei Fukuda
96af6dc499 feat: add --skip-directories option (#595) 
* feat: add --skip-directories option

* chore(README): update

* refactor: rename skip-directories to skip-dirs

* Update internal/app.go

Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com>

* refactor: add some context in the warning message

* chore(README): update

Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com>
 2020-08-12 14:03:12 +03:00
rahul2393
675e1b4118 Added test and support of ASFF template (#594) 
* Added test and support of ASFF template

* Improve test coverage

* Fixed/Improved tests

* Removed extra space

* Added NVD score/vectors, Added logic to trim description due to file size restriction

* Included quotations around AccountID
 2020-08-12 13:25:58 +03:00
Carol Valencia
8ca484f538 fix: remove error using no options (#539) 
* fix: remove error using no options

* chore: return error in Init

* chore: return custom error ErrNoTarget

* Update internal/config/artifact.go

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

* Update internal/config/artifact.go

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

* Update internal/artifact/image.go

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

* chore - remove error using no options

* fix(config): typo

* test(config): change the log level

* test(config): revert removed tests

Co-authored-by: Carol <krol3@users.noreply.github.com>
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2020-08-09 10:39:27 +03:00
191 changed files with 71056 additions and 8838 deletions
Expand all files Collapse all files

8
.circleci/codecov.yml
View File

@@ -1,8 +0,0 @@
coverage:
status:
project:
default:
informational: true
patch:
default:
informational: true

17
.circleci/config.yml
View File

@@ -13,16 +13,6 @@ jobs:
<<: *defaults
steps:
- checkout
- run:
name: Check if there's anything to fix with gofmt
command: |
if test -z "$(gofmt -l .)"; then
echo "Congrats! There is nothing to fix."
else
echo "The following lines should be fixed."
gofmt -s -d .
exit 1
fi
- run:
name: Test
command: make test
@@ -34,10 +24,13 @@ jobs:
steps:
- checkout
- setup_remote_docker:
version: 18.06.0-ce
version: 19.03.13
- run:
name: setup docker
name: login to Docker Hub
command: echo $DOCKER_PASS | docker login --username $DOCKER_USER --password-stdin
- run:
name: login to GitHub Container Registry
command: echo $GITHUB_TOKEN | docker login ghcr.io -u $GITHUB_USER --password-stdin
- run:
name: Release
command: goreleaser --rm-dist

12
.github/ISSUE_TEMPLATE/BUG_REPORT.md vendored
View File

@@ -4,28 +4,28 @@ labels: kind/bug
about: If something isn't working as expected.
---
**Description**
## Description
<!--
Briefly describe the problem you are having in a few paragraphs.
-->
**What did you expect to happen?**
## What did you expect to happen?
**What happened instead?**
## What happened instead?
**Output of run with `-debug`:**
## Output of run with `-debug`:
```
(paste your output here)
```
**Output of `trivy -v`:**
## Output of `trivy -v`:
```
(paste your output here)
```
**Additional details (base image name, container registry info...):**
## Additional details (base image name, container registry info...):

16
.github/workflows/test.yaml vendored
View File

@@ -1,6 +1,17 @@
name: Test
on: pull_request
jobs:
golangci:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: golangci-lint
uses: golangci/golangci-lint-action@v2
with:
version: v1.31
args: --deadline=30m
integration:
name: Integration Test
runs-on: ubuntu-latest
@@ -8,7 +19,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v1
with:
go-version: 1.14.x
go-version: 1.15.x
id: go
- name: Check out code into the Go module directory
@@ -27,10 +38,11 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v1
with:
go-version: 1.14.x
go-version: 1.15.x
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v1
with:
version: latest
args: release --snapshot --rm-dist --skip-publish

71
.golangci.yaml Normal file
View File

@@ -0,0 +1,71 @@
linters-settings:
errcheck:
check-type-assertions: true
check-blank: true
govet:
check-shadowing: false
gofmt:
simplify: false
golint:
min-confidence: 0
gocyclo:
min-complexity: 10
maligned:
suggest-new: true
dupl:
threshold: 100
goconst:
min-len: 3
min-occurrences: 3
misspell:
locale: US
goimports:
local-prefixes: github.com/aquasecurity
linters:
disable-all: true
enable:
- structcheck
- ineffassign
- typecheck
- govet
- errcheck
- varcheck
- deadcode
- golint
- gosec
- unconvert
- goconst
- gocyclo
- gofmt
- goimports
- maligned
- misspell
run:
skip-files:
- ".*._mock.go$"
- ".*._test.go$"
- "integration/*"
issues:
exclude-rules:
- linters:
- gosec
text: "G304: Potential file inclusion"
- linters:
- gosec
text: "Deferring unsafe method"
- linters:
- errcheck
text: "Close` is not checked"
- linters:
- errcheck
text: "os.*` is not checked"
- linters:
- golint
text: "a blank import should be only in a main or test package"
exclude:
- "should have a package comment, unless it's in another file for this package"
exclude-use-default: false
max-same-issues: 0

6
Dockerfile
View File

@@ -1,7 +1,5 @@
FROM alpine:3.12
RUN apk --no-cache add ca-certificates git rpm
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/gitlab.tpl contrib/gitlab.tpl
COPY contrib/junit.tpl contrib/junit.tpl
COPY contrib/sarif.tpl contrib/sarif.tpl
COPY contrib/*.tpl contrib/
ENTRYPOINT ["trivy"]

153
README.md
View File

@@ -4,9 +4,9 @@
[![GitHub release](https://img.shields.io/github/release/aquasecurity/trivy.svg)](https://github.com/aquasecurity/trivy/releases/latest)
[![CircleCI](https://circleci.com/gh/aquasecurity/trivy.svg?style=svg)](https://circleci.com/gh/aquasecurity/trivy)
[![Go Report Card](https://goreportcard.com/badge/github.com/aquasecurity/trivy)](https://goreportcard.com/report/github.com/aquasecurity/trivy)
[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/trivy/blob/master/LICENSE)
[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/trivy/blob/main/LICENSE)
[![Docker image](https://images.microbadger.com/badges/version/aquasec/trivy.svg)](https://microbadger.com/images/aquasec/trivy "Get your own version badge on microbadger.com")
[![codecov](https://codecov.io/gh/aquasecurity/trivy/branch/master/graph/badge.svg)](https://codecov.io/gh/aquasecurity/trivy)
[![codecov](https://codecov.io/gh/aquasecurity/trivy/branch/main/graph/badge.svg)](https://codecov.io/gh/aquasecurity/trivy)
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.
@@ -23,6 +23,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifa
* [Debian/Ubuntu](#debianubuntu)
* [Arch Linux](#arch-linux)
* [Homebrew](#homebrew)
* [Nix/NixOS](#nixnixos)
* [Install Script](#install-script)
* [Binary](#binary)
* [From source](#from-source)
@@ -46,12 +47,15 @@ A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifa
+ [Filter the vulnerabilities by severities](#filter-the-vulnerabilities-by-severities)
+ [Filter the vulnerabilities by type](#filter-the-vulnerabilities-by-type)
+ [Filter the vulnerabilities by Open Policy Agent](#filter-the-vulnerabilities-by-open-policy-agent-policy)
+ [Skip traversal of the specific files](#skip-traversal-of-the-specific-files)
+ [Skip traversal in the specific directory](#skip-traversal-in-the-specific-directory)
+ [Skip update of vulnerability DB](#skip-update-of-vulnerability-db)
+ [Only download vulnerability database](#only-download-vulnerability-database)
+ [Ignore unfixed vulnerabilities](#ignore-unfixed-vulnerabilities)
+ [Specify exit code](#specify-exit-code)
+ [Ignore the specified vulnerabilities](#ignore-the-specified-vulnerabilities)
+ [Specify cache directory](#specify-cache-directory)
+ [Specify cache backend](#specify-cache-backend)
+ [Clear caches](#clear-caches)
+ [Reset](#reset)
+ [Use lightweight DB](#use-lightweight-db)
@@ -66,6 +70,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifa
* [CircleCI](#circleci)
* [GitLab CI](#gitlab-ci)
* [AWS CodePipeline](#aws-codepipeline)
* [AWS Security Hub](#aws-security-hub)
* [Authorization for Private Docker Registry](#authorization-for-private-docker-registry)
- [Vulnerability Detection](#vulnerability-detection)
* [OS Packages](#os-packages)
@@ -97,16 +102,16 @@ See [here](#continuous-integration-ci) for details.
- Detect comprehensive vulnerabilities
- OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo)
- **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo and NuGet)
- Simple
- Specify only an image name or artifact name
- See [Quick Start](#quick-start) and [Examples](#examples)
- Fast
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain the a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
- Easy installation
- `apt-get install`, `yum install` and `brew install` is possible (See [Installation](#installation))
- **No pre-requisites** such as installation of DB, libraries, etc. (The exception is that you need `rpm` installed to scan images based on RHEL/CentOS. This is automatically included if you use our installers or the Trivy container image. See [Vulnerability Detection](#vulnerability-detection) for background information.)
- **No pre-requisites** such as installation of DB, libraries, etc.
- High accuracy
- **Especially Alpine Linux and RHEL/CentOS**
- Other OSes are also high
@@ -122,7 +127,7 @@ See [here](#continuous-integration-ci) for details.
- local filesystem
- remote git repository
Please see [LICENSE](https://github.com/aquasecurity/trivy/blob/master/LICENSE) for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
Please see [LICENSE](https://github.com/aquasecurity/trivy/blob/main/LICENSE) for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
# Installation
@@ -164,7 +169,6 @@ $ sudo apt-get install trivy
or
```
$ sudo apt-get install rpm
$ wget https://github.com/aquasecurity/trivy/releases/download/{TRIVY_VERSION}/trivy_{TRIVY_VERSION}_Linux-64bit.deb
$ sudo dpkg -i trivy_{TRIVY_VERSION}_Linux-64bit.deb
```
@@ -189,19 +193,30 @@ You can use homebrew on macOS and Linux.
$ brew install aquasecurity/trivy/trivy
```
## Nix/NixOS
You can use nix on Linux or macOS and on others unofficially.
Note that trivy is currently only in the unstable channels.
```
$ nix-env --install trivy
```
Or through your configuration on NixOS or with home-manager as usual
## Install Script
This script downloads Trivy binary based on your OS and architecture.
```
$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
```
## Binary
Get the latest version from [this page](https://github.com/aquasecurity/trivy/releases/latest), and download the archive file for your operating system/architecture. Unpack the archive, and put the binary somewhere in your `$PATH` (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.
You also need to install `rpm` command for scanning images based on RHEL/CentOS.
## From source
```sh
@@ -213,13 +228,11 @@ $ export GO111MODULE=on
$ go install
```
You also need to install `rpm` command for scanning images based on RHEL/CentOS.
# Quick Start
## Image
Simply specify an image name (and a tag). **The `latest` tag should be avoided as problems occur with the image cache.** See [Clear image caches](#clear-image-caches).
Simply specify an image name (and a tag). **The `latest` tag should be avoided as problems occur with the image cache.** See [Clear caches](#clear-caches).
### Basic
@@ -255,6 +268,7 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
</details>
### Docker
#### Docker Hub
Replace [YOUR_CACHE_DIR] with the cache directory on your machine.
@@ -298,6 +312,14 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
</details>
#### GitHub Container Registry
The same image is hosted on GitHub Container Registry as well.
https://github.com/orgs/aquasecurity/packages/container/package/trivy
```
$ docker pull ghcr.io/aquasecurity/trivy:latest
```
## Filesystem
Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
@@ -312,7 +334,7 @@ Scan your container from inside the container.
```
$ docker run --rm -it alpine:3.11
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /
```
@@ -324,7 +346,7 @@ $ cat Dockerfile
FROM alpine:3.7
RUN apk add curl \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& trivy filesystem --exit-code 1 --no-progress /
$ docker build -t vulnerable-image .
@@ -623,7 +645,7 @@ $ trivy image --input /path/to/alpine
```
$ docker run --rm -it alpine:3.10.2
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /
```
@@ -708,7 +730,7 @@ $ cat Dockerfile
FROM alpine:3.7
RUN apk add curl \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& trivy filesystem --exit-code 1 --no-progress /
$ docker build -t vulnerable-image .
@@ -721,7 +743,7 @@ $ docker build -t vulnerable-image .
Sending build context to Docker daemon 31.14MB
Step 1/2 : FROM alpine:3.7
---> 6d1ef012b567
Step 2/2 : RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin && trivy filesystem --exit-code 1 --no-progress /
Step 2/2 : RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin && trivy filesystem --exit-code 1 --no-progress /
---> Running in 27b004205da0
2020-06-01T14:10:41.261Z INFO Need to update DB
2020-06-01T14:10:41.262Z INFO Downloading DB...
@@ -878,6 +900,7 @@ $ trivy image --format template --template "{{ range . }} {{ .Target }} {{ end }
```
<details>
<summary>Result</summary>
```
2020-01-02T18:02:32.856+0100 INFO Detecting Alpine vulnerabilities...
golang:1.12-alpine (alpine 3.10.2)
@@ -899,7 +922,9 @@ In the following example using the template `sarif.tpl` [Sarif](https://docs.git
```
$ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif golang:1.12-alpine
```
This SARIF format can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action](https://github.com/aquasecurity/trivy-action) for automating this process.
Trivy also supports an [ASFF template for reporting findings to AWS Security Hub](docs/integration/security-hub.md)
### Filter the vulnerabilities by severities
```
@@ -1134,6 +1159,20 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
</details>
### Skip traversal of the specific files
Trivy traversals directories and looks for all lock files by default. If your image contains lock files which are not maintained by you, you can skip the file.
```
$ trivy image --skip-files "/Gemfile.lock,/app/Pipfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
### Skip traversal in the specific directory
Trivy traversals directories and look for all lock files by default. If your image contains lock files which are not maintained by you, you can skip traversal in the specific directory.
```
$ trivy image --skip-dirs "/usr/lib/ruby/gems,/etc" fluent/fluentd:edge
```
### Skip update of vulnerability DB
@@ -1293,6 +1332,21 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
$ trivy --cache-dir /tmp/trivy/ image python:3.4-alpine3.9
```
### Specify cache backend
[EXPERIMENTAL] This feature might change without preserving backwards compatibility.
Trivy supports local filesystem and Redis as the cache backend. This option is useful especially for client/server mode.
Two options:
- `fs`
- the cache path can be specified by `--cache-dir`
- `redis://`
- `redis://[HOST]:[PORT]`
```
$ trivy server --cache-backend redis://localhost:6379
```
### Clear caches
The `--clear-cache` option removes caches. This option is useful if the image which has the same tag is updated (such as when using `latest` tag).
@@ -1435,7 +1489,7 @@ Since in automated scenarios such as CI/CD you are only interested in the end re
## GitHub Actions
- Here is the [Trivy Github Action](https://github.com/aquasecurity/trivy-action) (currently Experimental)
- Here is the [Trivy Github Action](https://github.com/aquasecurity/trivy-action)
- The Microsoft Azure team have written a [container-scan action](https://github.com/Azure/container-scan) that uses Trivy and Dockle
- For full control over the options specified to Trivy, this [blog post](https://blog.aquasec.com/devsecops-with-trivy-github-actions) describes adding Trivy into your own GitHub action workflows
@@ -1464,6 +1518,7 @@ cache:
```
Example: https://travis-ci.org/aquasecurity/trivy-ci-test
Repository: https://github.com/aquasecurity/trivy-ci-test
## CircleCI
@@ -1483,7 +1538,7 @@ jobs:
- run:
name: Install trivy
command: |
apk add --update-cache --upgrade curl rpm
apk add --update-cache --upgrade curl
VERSION=$(
curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | \
grep '"tag_name":' | \
@@ -1504,6 +1559,7 @@ workflows:
```
Example: https://circleci.com/gh/aquasecurity/trivy-ci-test
Repository: https://github.com/aquasecurity/trivy-ci-test
## GitLab CI
@@ -1527,11 +1583,9 @@ trivy:
DOCKER_TLS_CERTDIR: ""
IMAGE: trivy-ci-test:$CI_COMMIT_SHA
before_script:
- apk add --no-cache curl
- export VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
- echo $VERSION
- wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
- tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
- export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
- echo $TRIVY_VERSION
- wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
allow_failure: true
script:
# Build image
@@ -1551,10 +1605,18 @@ trivy:
container_scanning: gl-container-scanning-report.json
```
Example: https://gitlab.com/aquasecurity/trivy-ci-test/pipelines
Repository: https://github.com/aquasecurity/trivy-ci-test
## AWS CodePipeline
See [this blog post](https://aws.amazon.com/blogs/containers/scanning-images-with-trivy-in-an-aws-codepipeline/) for an example of using Trivy within AWS CodePipeline.
## AWS Security Hub
See [here](docs/integration/security-hub.md)
## Authorization for Private Docker Registry
Trivy can download images from a private registry, without installing `Docker` or any other 3rd party tools.
@@ -1565,11 +1627,10 @@ But, I can't recommend using ENV vars in your local machine to you.
### Docker Hub
Docker Hub needs `TRIVY_AUTH_URL`, `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
You don't need to set ENV vars when download from public repository.
```bash
export TRIVY_AUTH_URL=https://registry.hub.docker.com
export TRIVY_USERNAME={DOCKERHUB_USERNAME}
export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}
```
@@ -1622,8 +1683,6 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
| Ubuntu | 12.04, 14.04, 16.04, 18.04, 18.10, 19.04 | Installed by apt/apt-get/dpkg | YES |
| Distroless | Any | Installed by apt/apt-get/dpkg | YES |
RHEL, CentOS, Oracle Linux, SUSE, Amazon Linux and Photon OS package information is stored in a binary format, and Trivy uses the `rpm` executable to parse this information when scanning an image based on RHEL or CentOS. The Trivy container image includes `rpm`, and the installers include it as a dependency. If you installed the `trivy` binary using `wget` or `curl`, or if you build it from source, you will also need to ensure that `rpm` is available.
Distroless: https://github.com/GoogleContainerTools/distroless
## Application Dependencies
@@ -1642,10 +1701,12 @@ Distroless: https://github.com/GoogleContainerTools/distroless
- yarn.lock
- Rust
- Cargo.lock
- .NET
- packages.lock.json
The path of these files does not matter.
Example: https://github.com/aquasecurity/trivy-ci-test/blob/master/Dockerfile
Example: https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile
## Image Tar format
Trivy scans a tar image with the following format.
@@ -1673,6 +1734,8 @@ Trivy scans a tar image with the following format.
- https://github.com/advisories?query=ecosystem%3Anpm
- Rust
- https://github.com/RustSec/advisory-db
- .NET
- https://github.com/advisories?query=ecosystem%3Anuget
# Usage
Trivy has several sub commands, image, fs, repo, client and server.
@@ -1733,6 +1796,8 @@ OPTIONS:
--timeout value docker timeout (default: 2m0s) [$TRIVY_TIMEOUT]
--light light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability [$TRIVY_LIST_ALL_PKGS]
--skip-files value specify the file path to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
--help, -h show help (default: false)
```
@@ -1793,13 +1858,12 @@ See [here](docs/air-gap.md)
| Scanner | OS<br>Packages | Application<br>Dependencies | Easy to use | Accuracy | Suitable<br>for CI |
| -------------- | :-------------: | :-------------------------: | :----------: | :---------: | :-----------------: |
| Trivy | OK | OK | OK | Best | OK |
| Clair | OK | Not present | Good | OK | Good |
| Anchore Engine | OK | Good | Good | OK | Good |
| Quay | OK | Not present | OK | OK | Not present |
| MicroScanner | OK | Not present | OK | OK | OK |
| Docker Hub | OK | Not present | OK | Not present | Not present |
| GCR | OK | Not present | OK | OK | Not present |
| Trivy | | ✅<br>(5 languages) | ⭐ ⭐ ⭐ | ⭐ ⭐ ⭐ | ⭐ ⭐ ⭐ |
| Clair | | × | | ⭐ ⭐ | ⭐ ⭐ |
| Anchore Engine | | ✅<br>(4 languages) | ⭐ ⭐ | ⭐ ⭐ | ⭐ ⭐ ⭐ |
| Quay | | × | ⭐ ⭐ ⭐ | ⭐ ⭐ | × |
| Docker Hub | | × | ⭐ ⭐ ⭐ | | × |
| GCR | | × | ⭐ ⭐ ⭐ | ⭐ ⭐ | × |
## Blogs
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy](https://boxboat.com/2020/04/24/image-scanning-tech-compared/)
@@ -1812,7 +1876,7 @@ However, the purpose of this database is to make it possible to know what packag
As README says, it is not a complete database of all security issues in Alpine.
`Trivy` collects vulnerability information in Alpine Linux from [Alpine Linux aports repository](https://gitlab.alpinelinux.org/alpine/aports).
Then, those vulnerabilities will be saved on [vuln-list](https://github.com/aquasecurity/vuln-list/tree/master/alpine).
Then, those vulnerabilities will be saved on [vuln-list](https://github.com/aquasecurity/vuln-list/tree/main/alpine).
`alpine-secdb` has 6959 vulnerabilities (as of 2019/05/12).
`vuln-list` has 11101 vulnerabilities related to Alpine Linux (as of 2019/05/12).
@@ -1937,6 +2001,19 @@ $ brew unlink trivy && brew uninstall trivy
$ brew install aquasecurity/trivy/trivy
```
### Error: x509: certificate signed by unknown authority
`TRIVY_INSECURE` can be used to allow insecure connections to a container registry when using SSL.
```
$ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
```
### Running in parallel takes same time as series run
When running trivy on multiple images simultaneously, it will take same time as running trivy in series.
This is because of a limitation of boltdb.
> Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
Reference : [boltdb: Opening a database](https://github.com/boltdb/bolt#opening-a-database).
## Others
### GitHub Rate limiting

2
ci/Dockerfile
View File

@@ -1,4 +1,4 @@
FROM circleci/golang:1.13-buster
FROM circleci/golang:1.15-buster
RUN sudo apt-get -y update \
&& sudo apt-get -y install rpm reprepro createrepo distro-info

4
ci/deploy-deb.sh
View File

@@ -5,7 +5,7 @@ UBUNTU_RELEASES=$(ubuntu-distro-info --supported)
cd trivy-repo/deb
for release in $(reprepro ls trivy | awk -F "|" '{print $3}' | sed 's/ //g'); do
for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
echo "Removing deb package of $release"
reprepro -A i386 remove $release trivy
reprepro -A amd64 remove $release trivy
@@ -19,4 +19,4 @@ done
git add .
git commit -m "Update deb packages"
git push origin master
git push origin main

2
ci/deploy-rpm.sh
View File

@@ -23,5 +23,5 @@ done
git add .
git commit -m "Update rpm packages"
git push origin master
git push origin main

12
codecov.yml Normal file
View File

@@ -0,0 +1,12 @@
coverage:
status:
project:
default:
informational: true
target: auto
threshold: 100%
patch:
default:
informational: true
target: auto
threshold: 100%

2
contrib/Trivy.gitlab-ci.yml
View File

@@ -13,7 +13,7 @@ Trivy_container_scanning:
- export TRIVY_VERSION=${TRIVY_VERSION:-v0.4.3}
- apk add --no-cache curl docker-cli
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
- curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
script:
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE

78
contrib/asff.tpl Normal file
View File

@@ -0,0 +1,78 @@
[
{{- $t_first := true -}}
{{- range . -}}
{{- $target := .Target -}}
{{- range .Vulnerabilities -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{- else -}}
,
{{- end -}}
{{- $trivyProductSev := 0 -}}
{{- $trivyNormalizedSev := 0 -}}
{{- if eq .Severity "LOW" -}}
{{- $trivyProductSev = 1 -}}
{{- $trivyNormalizedSev = 10 -}}
{{- else if eq .Severity "MEDIUM" -}}
{{- $trivyProductSev = 4 -}}
{{- $trivyNormalizedSev = 40 -}}
{{- else if eq .Severity "HIGH" -}}
{{- $trivyProductSev = 7 -}}
{{- $trivyNormalizedSev = 70 -}}
{{- else if eq .Severity "CRITICAL" -}}
{{- $trivyProductSev = 9 -}}
{{- $trivyNormalizedSev = 90 -}}
{{- end }}
{{- $description := .Description -}}
{{- if gt (len $description ) 1021 -}}
{{- $description = (slice $description 0 1021) | printf "%v .." -}}
{{- end}}
{
"SchemaVersion": "2018-10-08",
"Id": "{{ $target }}/{{ .VulnerabilityID }}",
"ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "{{ getCurrentTime }}",
"UpdatedAt": "{{ getCurrentTime }}",
"Severity": {
"Product": {{ $trivyProductSev }},
"Normalized": {{ $trivyNormalizedSev }}
},
"Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
"Description": {{ escapeString $description | printf "%q" }},
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "{{ .PrimaryURL }}"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "{{ $target }}",
"Partition": "aws",
"Region": "{{ getEnv "AWS_REGION" }}",
"Details": {
"Container": { "ImageName": "{{ $target }}" },
"Other": {
"CVE ID": "{{ .VulnerabilityID }}",
"CVE Title": {{ .Title | printf "%q" }},
"PkgName": "{{ .PkgName }}",
"Installed Package": "{{ .InstalledVersion }}",
"Patched Package": "{{ .FixedVersion }}",
"NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
"NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
"NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
"NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
}
}
}
],
"RecordState": "ACTIVE"
}
{{- end -}}
{{- end }}
]

2
contrib/gitlab.tpl
View File

@@ -59,7 +59,7 @@
"type": "cve",
"name": "{{ .VulnerabilityID }}",
"value": "{{ .VulnerabilityID }}",
"url": ""
"url": "{{ .PrimaryURL }}"
}
],
"links": [

123
contrib/html.tpl Normal file
View File

@@ -0,0 +1,123 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
{{- if . }}
<style>
* {
font-family: Arial, Helvetica, sans-serif;
}
h1 {
text-align: center;
}
.group-header th {
font-size: 200%;
}
.sub-header th {
font-size: 150%;
}
table, th, td {
border: 1px solid black;
border-collapse: collapse;
white-space: nowrap;
padding: .3em;
}
table {
margin: 0 auto;
}
.severity {
text-align: center;
font-weight: bold;
color: #fafafa;
}
.severity-LOW .severity { background-color: #5fbb31; }
.severity-MEDIUM .severity { background-color: #e9c600; }
.severity-HIGH .severity { background-color: #ff8800; }
.severity-CRITICAL .severity { background-color: #e40000; }
.severity-UNKNOWN .severity { background-color: #747474; }
.severity-LOW { background-color: #5fbb3160; }
.severity-MEDIUM { background-color: #e9c60060; }
.severity-HIGH { background-color: #ff880060; }
.severity-CRITICAL { background-color: #e4000060; }
.severity-UNKNOWN { background-color: #74747460; }
table tr td:first-of-type {
font-weight: bold;
}
.links a,
.links[data-more-links=on] a {
display: block;
}
.links[data-more-links=off] a:nth-of-type(1n+5) {
display: none;
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
var links = [].concat.apply([], linkCell.querySelectorAll('a'));
[].sort.apply(links, function(a, b) {
return a.href > b.href ? 1 : -1;
});
links.forEach(function(link, idx) {
if (links.length > 3 && 3 === idx) {
var toggleLink = document.createElement('a');
toggleLink.innerText = "Toggle more links";
toggleLink.href = "#toggleMore";
toggleLink.setAttribute("class", "toggle-more-links");
linkCell.appendChild(toggleLink);
}
linkCell.appendChild(link);
});
});
document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
toggleLink.onclick = function() {
var expanded = toggleLink.parentElement.getAttribute("data-more-links");
toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
return false;
};
});
};
</script>
</head>
<body>
<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
<table>
{{- range . }}
<tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
{{- if (eq (len .Vulnerabilities) 0) }}
<tr><th colspan="6">No Vulnerabilities found</th></tr>
{{- else }}
<tr class="sub-header">
<th>Package</th>
<th>Vulnerability ID</th>
<th>Severity</th>
<th>Installed Version</th>
<th>Fixed Version</th>
<th>Links</th>
</tr>
{{- range .Vulnerabilities }}
<tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
<td class="pkg-name">{{ escapeXML .PkgName }}</td>
<td>{{ escapeXML .VulnerabilityID }}</td>
<td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
<td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
<td>{{ escapeXML .FixedVersion }}</td>
<td class="links" data-more-links="off">
{{- range .Vulnerability.References }}
<a href={{ escapeXML . | printf "%q" }}>{{ escapeXML . }}</a>
{{- end }}
</td>
</tr>
{{- end }}
{{- end }}
{{- end }}
</table>
{{- else }}
</head>
<body>
<h1>Trivy Returned Empty Report</h1>
{{- end }}
</body>
</html>

4
contrib/install.sh
View File

@@ -72,6 +72,7 @@ get_binaries() {
freebsd/armv7) BINARIES="trivy" ;;
linux/386) BINARIES="trivy" ;;
linux/amd64) BINARIES="trivy" ;;
linux/ppc64le) BINARIES="trivy" ;;
linux/arm64) BINARIES="trivy" ;;
linux/armv7) BINARIES="trivy" ;;
openbsd/386) BINARIES="trivy" ;;
@@ -110,6 +111,7 @@ adjust_os() {
amd64) OS=64bit ;;
arm) OS=ARM ;;
arm64) OS=ARM64 ;;
ppc64le) OS=PPC64LE ;;
darwin) OS=macOS ;;
dragonfly) OS=DragonFlyBSD ;;
freebsd) OS=FreeBSD ;;
@@ -126,6 +128,7 @@ adjust_arch() {
amd64) ARCH=64bit ;;
arm) ARCH=ARM ;;
arm64) ARCH=ARM64 ;;
ppc64le) OS=PPC64LE ;;
darwin) ARCH=macOS ;;
dragonfly) ARCH=DragonFlyBSD ;;
freebsd) ARCH=FreeBSD ;;
@@ -209,6 +212,7 @@ uname_arch() {
x86) arch="386" ;;
i686) arch="386" ;;
i386) arch="386" ;;
ppc64le) arch="ppc64le" ;;
aarch64) arch="arm64" ;;
armv5*) arch="armv5" ;;
armv6*) arch="armv6" ;;

10
contrib/sarif.tpl
View File

@@ -20,20 +20,20 @@
"id": "[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}",
"name": "dockerfile_scan",
"shortDescription": {
"text": "{{ .VulnerabilityID }} Package: {{ .PkgName }}"
"text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
},
"fullDescription": {
"text": "{{ endWithPeriod (escapeString .Title) }}"
"text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
},
"help": {
"text": "Vulnerability {{ .VulnerabilityID }}\nSeverity: {{ .Vulnerability.Severity }}\nPackage: {{ .PkgName }}\nInstalled Version: {{ .InstalledVersion }}\nFixed Version: {{ .FixedVersion }}\nLink: [{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})",
"markdown": "**Vulnerability {{ .VulnerabilityID }}**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|{{ .Vulnerability.Severity }}|{{ .PkgName }}|{{ .InstalledVersion }}|{{ .FixedVersion }}|[{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})|\n"
"text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
"markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
},
"properties": {
"tags": [
"vulnerability",
"{{ .Vulnerability.Severity }}",
"{{ .PkgName }}"
{{ .PkgName | printf "%q" }}
],
"precision": "very-high"
}

4
docs/contrib/triage.md
View File

@@ -185,11 +185,11 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
to identify issues that have been specially groomed for new contributors.
We have specific [guidelines](/docs/help-wanted.md)
We have specific [guidelines](/docs/contrib/help-wanted.md)
for how to use these labels. If you see an issue that satisfies these
guidelines, you can add the `help wanted` label and the `good first issue` label.
Please note that adding the `good first issue` label must also
add the `help wanted` label.
If an issue has these labels but does not satisfy the guidelines, please
ask for more details to be added to the issue or remove the labels.
ask for more details to be added to the issue or remove the labels.

29
docs/integration/security-hub.md Normal file
View File

@@ -0,0 +1,29 @@
# AWS Security Hub
## Upload findings to Security Hub
In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
```
$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
```
ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
Then, you can upload it with AWS CLI.
```
$ aws securityhub batch-import-findings --findings file://report.asff
```
## Customize
You can customize [asff.tpl](../../contrib/asff.tpl).
```
$ export AWS_REGION=us-west-1
$ export AWS_ACCOUNT_ID=123456789012
$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
```
## Reference
https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/

26
go.mod
View File

@@ -1,18 +1,22 @@
module github.com/aquasecurity/trivy
go 1.13
go 1.15
require (
github.com/Masterminds/semver/v3 v3.1.0
github.com/aquasecurity/fanal v0.0.0-20200528202907-79693bf4a058
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
github.com/aquasecurity/trivy-db v0.0.0-20200715174849-fa5a3ca24b16
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/fanal v0.0.0-20201218050947-981a0510f9cb
github.com/aquasecurity/go-dep-parser v0.0.0-20201028043324-889d4a92b8e0
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-version v0.0.0-20201115065329-578079e4ab05
github.com/aquasecurity/trivy-db v0.0.0-20201221070121-47d2cc0d7b58
github.com/caarlos0/env/v6 v6.0.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.0.3
github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7
github.com/docker/go-connections v0.4.0
github.com/golang/protobuf v1.3.3
github.com/go-redis/redis/v8 v8.4.0
github.com/golang/protobuf v1.4.2
github.com/google/go-containerregistry v0.0.0-20200331213917-3d03ed9b1ca2
github.com/google/go-github/v28 v28.1.1
github.com/google/wire v0.3.0
@@ -20,18 +24,18 @@ require (
github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
github.com/kylelemons/godebug v1.1.0
github.com/mattn/go-colorable v0.1.4 // indirect
github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a
github.com/open-policy-agent/opa v0.21.1
github.com/spf13/afero v1.2.2
github.com/stretchr/testify v1.6.1
github.com/testcontainers/testcontainers-go v0.3.1
github.com/twitchtv/twirp v5.10.1+incompatible
github.com/urfave/cli/v2 v2.2.0
github.com/urfave/cli/v2 v2.3.0
go.uber.org/atomic v1.5.1 // indirect
go.uber.org/multierr v1.4.0 // indirect
go.uber.org/zap v1.13.0
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
google.golang.org/protobuf v1.25.0
k8s.io/utils v0.0.0-20201005171033-6301aaf42dc7
)

429
go.sum
View File

@@ -2,16 +2,51 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo=
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
cloud.google.com/go v0.65.0 h1:Dg9iHVQfrhq82rUNu9ZxUDrJLaxFUe/HlCVaLyRruq8=
cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v38.0.0+incompatible h1:3D2O4g8AwDwyWkM1HpMFVux/ccQJmGJHXsE004Wsu1Q=
github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
github.com/Azure/go-autorest/autorest v0.9.3 h1:OZEIaBbMdUE/Js+BQKlpO81XlISgipr6yDJ+PSwsgi4=
github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0=
github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc=
github.com/Azure/go-autorest/autorest/adal v0.8.1 h1:pZdL8o72rK+avFWl+p9nE8RWi1JInZrWJYlnpfXJwHk=
github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
github.com/Azure/go-autorest/autorest/date v0.2.0 h1:yW+Zlqf26583pE43KhfnhFcdmSWlm5Ew6bxipnr/tbM=
github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g=
github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
@@ -19,7 +54,9 @@ github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN
github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc=
github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA=
github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8=
github.com/Azure/go-autorest/logger v0.1.0 h1:ruG4BSDXONFRrZZJ2GUXDiUyVpayPmb1GnWeHDdaNKY=
github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
github.com/Azure/go-autorest/tracing v0.5.0 h1:TRn4WjSnkcSy5AEG3pnbtFSwNtwzjr4VYyQflFE619k=
github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -27,8 +64,6 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 h1:wykTgKwhVr2t2qs+xI020s6W5dt614QqCHV+7W9dg64=
github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14=
github.com/Masterminds/semver/v3 v3.1.0 h1:Y2lUDsFKVRSYGojLJ1yLxSXdMmMYTYls0rCvoqmMUQk=
github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 h1:ygIc8M6trr62pF5DucadTWGdEB4mEyvzi0e2nbcmcyA=
@@ -48,16 +83,30 @@ github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBb
github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZpUGpz5+4FfNmIU+FmZg2P3Xaj2v2bfNWmk=
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
github.com/alicebob/miniredis/v2 v2.14.1 h1:GjlbSeoJ24bzdLRs13HoMEeaRZx9kg5nHoRW7QV/nCs=
github.com/alicebob/miniredis/v2 v2.14.1/go.mod h1:uS970Sw5Gs9/iK3yBg0l9Uj9s25wXxSpQUE9EaJ/Blg=
github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
github.com/aquasecurity/fanal v0.0.0-20200528202907-79693bf4a058 h1:vNAuJrimb3eqXSFMhZJNf0PVHfzHFnCRMDuhVi7z2Ok=
github.com/aquasecurity/fanal v0.0.0-20200528202907-79693bf4a058/go.mod h1:omM/xBVqAPNzdV/MegrjayEkKEZzI+eUpyjCXpbTMG0=
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4=
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/fanal v0.0.0-20201218050947-981a0510f9cb h1:T48y/j2wvl/xPX2IyV0ogFq+GeCLY+3548awySrUaJU=
github.com/aquasecurity/fanal v0.0.0-20201218050947-981a0510f9cb/go.mod h1:arUN1lJnuAWLL0PUQ/UYrkAomU/Mby+gCXJMU90GHlA=
github.com/aquasecurity/go-dep-parser v0.0.0-20201028043324-889d4a92b8e0 h1:cLH3SebzhbJ+jU1GIad8A1N8p7m7OjHhtY6JePISiVc=
github.com/aquasecurity/go-dep-parser v0.0.0-20201028043324-889d4a92b8e0/go.mod h1:X42mTIRhgPalSm81Om2kD+3ydeunbC8TZtZj1bvgRo8=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798/go.mod h1:hxbJZtKlO4P8sZ9nztizR6XLoE33O+BkPmuYQ4ACyz0=
github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a h1:SMEtDBnLyP/EVOeJhj4yeR8GYPFpBsFBk3lSrpjZ8yI=
github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
github.com/aquasecurity/go-version v0.0.0-20201115065329-578079e4ab05 h1:q0ZpFBjwzDk1ofey7gJ2kfA6ZNi2PeBWxNzmRPrfetA=
github.com/aquasecurity/go-version v0.0.0-20201115065329-578079e4ab05/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a h1:hsw7PpiymXP64evn/K7gsj3hWzMqLrdoeE6JkqDocVg=
github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a/go.mod h1:psfu0MVaiTDLpNxCoNsTeILSKY2EICBwv345f3M+Ffs=
github.com/aquasecurity/trivy-db v0.0.0-20200715174849-fa5a3ca24b16 h1:Hh9MOUaJGI+PS9ZULxYqYQmsFfvtktt8jD7gMt43BA8=
github.com/aquasecurity/trivy-db v0.0.0-20200715174849-fa5a3ca24b16/go.mod h1:EiFA908RL0ACrbYo/9HfT7f9QcdC2bZoIO5XAAcvz9A=
github.com/aquasecurity/trivy-db v0.0.0-20201221070121-47d2cc0d7b58 h1:TQXXGc1pi2gdRhQYZxib3xBoV64ORC7yllCndZkrf80=
github.com/aquasecurity/trivy-db v0.0.0-20201221070121-47d2cc0d7b58/go.mod h1:+3+NEz0U0NCgO87Cyk0dy3SwH7CI6J4HUeCqqPj1fvQ=
github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
@@ -71,15 +120,20 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91 h1:GMmnK0dvr0Sf0gx3DvTbln0c8DE07B7sPVD9dgHOqo4=
github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91/go.mod h1:hw/JEQBIE+c/BLI4aKM8UU8v+ZqrD3h7HC27kKt8JQU=
github.com/briandowns/spinner v1.11.1 h1:OixPqDEcX3juo5AjQZAnFPbeUA0jvkp2qzB5gOZJ/L0=
github.com/briandowns/spinner v1.11.1/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ=
github.com/caarlos0/env/v6 v6.0.0 h1:NZt6FAoB8ieKO5lEwRdwCzYxWFx7ZYF2R7UcoyaWtyc=
github.com/caarlos0/env/v6 v6.0.0/go.mod h1:+wdyOmtjoZIW2GJOc2OYa5NoOFuWD/bIpWqm30NgtRk=
github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cheggaaa/pb/v3 v3.0.3 h1:8WApbyUmgMOz7WIxJVNK0IRDcRfAmTxcEdi0TuxjdP4=
github.com/cheggaaa/pb/v3 v3.0.3/go.mod h1:Pp35CDuiEpHa/ZLGCtBbM6CBwMstv1bJlG884V+73Yc=
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
@@ -99,8 +153,9 @@ github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfc
github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk=
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=
github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -111,6 +166,8 @@ github.com/deckarep/golang-set v1.7.1 h1:SCQV0S6gTtp6itiFrTqI+pfmJ4LN85S1YzhDf9r
github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14yDtF28KmMOgQ=
github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017 h1:2HQmlpI3yI9deH18Q6xiSOIjXD4sLI55Y/gfpa8/558=
github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
@@ -132,24 +189,31 @@ github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZ
github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
github.com/elazarl/goproxy v0.0.0-20190421051319-9d40249d3c2f h1:8GDPb0tCY8LQ+OJ3dbHb5sA6YZWXFORQYZx5sdsTlMs=
github.com/elazarl/goproxy v0.0.0-20190421051319-9d40249d3c2f/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
github.com/elazarl/goproxy/ext v0.0.0-20190421051319-9d40249d3c2f h1:AUj1VoZUfhPhOPHULCQQDnGhRelpFWHMLhQVWDsS0v4=
github.com/elazarl/goproxy v0.0.0-20200809112317-0581fc3aee2d h1:rtM8HsT3NG37YPjz8sYSbUSdElP9lUsQENYzJDZDUBE=
github.com/elazarl/goproxy v0.0.0-20200809112317-0581fc3aee2d/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
github.com/elazarl/goproxy/ext v0.0.0-20190421051319-9d40249d3c2f/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
github.com/elazarl/goproxy/ext v0.0.0-20200809112317-0581fc3aee2d h1:st1tmvy+4duoRj+RaeeJoECWCWM015fBtf/4aR+hhqk=
github.com/elazarl/goproxy/ext v0.0.0-20200809112317-0581fc3aee2d/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/ghodss/yaml v0.0.0-20180820084758-c7ce16629ff4/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
@@ -166,6 +230,9 @@ github.com/go-git/go-git-fixtures/v4 v4.0.1 h1:q+IFMfLx200Q3scvt2hN79JsEzy4AmBTp
github.com/go-git/go-git-fixtures/v4 v4.0.1/go.mod h1:m+ICp2rF3jDhFgEZ/8yziagdT1C+ZpZcrJjappBCDSw=
github.com/go-git/go-git/v5 v5.0.0 h1:k5RWPm4iJwYtfWoxIJy4wJX9ON7ihPeZZYC1fLYDnpg=
github.com/go-git/go-git/v5 v5.0.0/go.mod h1:oYD8y9kWsGINPFJoLdaScGCN6dlKg23blmClfZwtUVA=
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
@@ -181,14 +248,25 @@ github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dp
github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q=
github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no=
github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
github.com/go-redis/redis v6.15.7+incompatible h1:3skhDh95XQMpnqeqNftPkQD9jL9e5e36z/1SUm6dy1U=
github.com/go-redis/redis v6.15.7+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
github.com/go-redis/redis/v8 v8.4.0 h1:J5NCReIgh3QgUJu398hUncxDExN4gMOHI11NVbVicGQ=
github.com/go-redis/redis/v8 v8.4.0/go.mod h1:A1tbYoHSa1fXwN+//ljcCYYJeLmVrwL9hbQN45Jdy0M=
github.com/go-restruct/restruct v0.0.0-20191227155143-5734170a48a1 h1:LoN2wx/aN8JPGebG+2DaUyk4M+xRcqJXfuIbs8AWHdE=
github.com/go-restruct/restruct v0.0.0-20191227155143-5734170a48a1/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk=
github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
github.com/goccy/go-yaml v1.8.1/go.mod h1:wS4gNoLalDSJxo/SpngzPQ2BN4uuZVLCmbM4S3vd4+Y=
github.com/goccy/go-yaml v1.8.2 h1:gDYrSN12XK/wQTFjxWIgcIqjNCV/Zb5V09M7cq+dbCs=
github.com/goccy/go-yaml v1.8.2/go.mod h1:wS4gNoLalDSJxo/SpngzPQ2BN4uuZVLCmbM4S3vd4+Y=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -198,22 +276,46 @@ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v0.0.0-20181025225059-d3de96c4c28e/go.mod h1:Qd/q+1AKNOZr9uGQzbzCmRO6sUih6GTPZv6a1/R87v0=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.3 h1:gyjaxf+svBWX08ZjK86iN9geUJF0H6gp2IRKX6Nf6/I=
github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.3 h1:x95R7cp+rSeeqAMI2knLtQ0DKlaBhv2NrtrOvafPHRo=
github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-containerregistry v0.0.0-20200331213917-3d03ed9b1ca2 h1:k2YJ1fw6LwICNNUQHZNp9vTtHMuVqHJtMjZOc5SDIJo=
github.com/google/go-containerregistry v0.0.0-20200331213917-3d03ed9b1ca2/go.mod h1:pD1UFYs7MCAx+ZLShBdttcaOSbyc8F9Na/9IZLNwJeA=
github.com/google/go-github/v28 v28.1.1 h1:kORf5ekX5qwXO2mGzXXOjMe/g6ap8ahVe0sBEulhSxo=
@@ -223,7 +325,14 @@ github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO
github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -231,11 +340,13 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
github.com/google/wire v0.3.0 h1:imGQZGEVEHpje5056+K+cgdO72p0LQv2xIIFXNGUf60=
github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00 h1:l5lAOZEym3oK3SQ2HBHWsJUfbNBiTXJDeW2QDxw9AQ0=
github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
github.com/gorilla/mux v0.0.0-20181024020800-521ea7b17d02/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
@@ -252,14 +363,16 @@ github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/U
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI=
github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E=
github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/hashicorp/go-version v1.2.1 h1:zEfKbn2+PDgroKdiOzqiE8rsmLqU2uwi5PB5pBJ3TkI=
github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -274,6 +387,7 @@ github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCV
github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
@@ -282,14 +396,14 @@ github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg=
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GXhHq+7LeOzx/haG7HSIZokl3/0GkoUFzsRJjg=
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8=
github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c=
github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 h1:HDjRqotkViMNcGMGicb7cgxklx8OwnjtCBmyWEqrRvM=
github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
github.com/knqyf263/go-rpmdb v0.0.0-20190501070121-10a1c42a10dc/go.mod h1:MrSSvdMpTSymaQWk1yFr9sxFSyQmKMj6jkbvGrchBV8=
github.com/knqyf263/go-rpmdb v0.0.0-20201215100354-a9e3110d8ee1 h1:sRDvjjWoHLWAxtPXBKYRJp8Ot4ugxYE/ZyADl3jzc1g=
github.com/knqyf263/go-rpmdb v0.0.0-20201215100354-a9e3110d8ee1/go.mod h1:RDPNeIkU5NWXtt0OMEoILyxwUC/DyXeRtK295wpqSi0=
github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -306,6 +420,8 @@ github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LE
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw=
github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -314,20 +430,25 @@ github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8=
github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
github.com/mattn/go-isatty v0.0.10 h1:qxFzApOv4WsAL965uUPIsXzAKCZxN2p9UqdhFS4ZW10=
github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed/go.mod h1:SDJ4hurDYyQ9/7nc+eCYtXqdufgK4Cq9TJlwPklqEYA=
github.com/mattn/go-runewidth v0.0.0-20181025052659-b20a3daf6a39/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
github.com/mattn/go-runewidth v0.0.6 h1:V2iyH+aX9C5fsYCpK60U8BYIvmhqxuOL3JZcqc1NB7k=
github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY=
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
@@ -347,6 +468,8 @@ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRW
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a h1:0LD5FJGQpEyD78OdhX97W75RjYmMjfLPp1ePrk5URxs=
@@ -354,12 +477,17 @@ github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a/go.mod h1
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo=
github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
github.com/onsi/ginkgo v1.14.2 h1:8mVmC9kjFFmA8H4pKMUhcblgifdkOIXPvbhN1T36q1M=
github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/onsi/gomega v1.10.3 h1:gph6h/qe9GSUw1NhH1gp+qb+h8rXD8Cy60Z32Qw3ELA=
github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
github.com/open-policy-agent/opa v0.21.1 h1:c4lUnB0mO2KssiUnyh6Y9IGhggvXI3EgObkmhVTvEqQ=
github.com/open-policy-agent/opa v0.21.1/go.mod h1:cZaTfhxsj7QdIiUI0U9aBtOLLTqVNe+XE60+9kZKLHw=
github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ=
@@ -419,10 +547,12 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/sirupsen/logrus v1.5.0 h1:1N5EYkVAPEywqZRJd7cwnRtCb6xJx7NH3T3WUTF980Q=
github.com/sirupsen/logrus v1.5.0/go.mod h1:+F7Ogzej0PZc/94MaYx/nvG9jOFMD2osvC3s+Squfpo=
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs=
github.com/smartystreets/assertions v1.2.0 h1:42S6lae5dvLc7BrLu/0ugRtcFVjoJNMC/N3yZFZkDFs=
github.com/smartystreets/assertions v1.2.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
github.com/sosedoff/gitkit v0.2.0 h1:cVre9QZvsDzS/v42PSOsf+GCaecvb/CWGX+diP232F8=
github.com/sosedoff/gitkit v0.2.0/go.mod h1:A+o6ZazfVJwetlcHz3ah6th66XcBdsyzLo+aBt/AsK4=
@@ -442,12 +572,12 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
github.com/stretchr/objx v0.3.0 h1:NGXK3lHquSN08v5vWalVI/L8XU9hdzE/G6xsrze47As=
github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
@@ -460,10 +590,13 @@ github.com/twitchtv/twirp v5.10.1+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3v
github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli v1.22.4 h1:u7tSpNPPswAFymm8IehJhy4uJMlUuU/GmqSkvJ1InXA=
github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/urfave/cli/v2 v2.2.0 h1:JTTnM6wKzdA0Jqodd966MVj4vWbbquZykeX1sKbe2C4=
github.com/urfave/cli/v2 v2.2.0/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ=
github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
github.com/vdemeester/k8s-pkg-credentialprovider v1.17.4/go.mod h1:inCTmtUdr5KJbreVojo06krnTgaeAz/Z7lynpPk/Q2c=
github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU=
github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
@@ -472,11 +605,22 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b h1:vVRagRXf67ESqAb72hG2C/ZwI8NtJF2u2V76EsuOHGY=
github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co=
github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/gopher-lua v0.0.0-20191220021717-ab39c6098bdb h1:ZkM6LRnq40pR1Ox0hTHlnpkcOTuFIDQpZ1IN8rKKhX0=
github.com/yuin/gopher-lua v0.0.0-20191220021717-ab39c6098bdb/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ=
go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg=
go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
go.etcd.io/bbolt v1.3.5 h1:XAzx9gjCb0Rxj7EoqcClPD1d5ZBxZJk0jbuoPHenBt0=
go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opentelemetry.io/otel v0.14.0 h1:YFBEfjCk9MTjaytCNSUkp9Q8lF7QJezA06T71FbQxLQ=
go.opentelemetry.io/otel v0.14.0/go.mod h1:vH5xEuwy7Rts0GNtsCW3HYQoZDY+OmBJ6t1bFGGlxgw=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
go.uber.org/atomic v1.5.1 h1:rsqfU5vBkVknbhUGbAUwQKR2H4ItV8tjJ+6kJX4cxHM=
@@ -496,28 +640,50 @@ golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnf
golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM=
golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0 h1:hb9wdF1z5waM+dSIICn1l0DkLVDT3hqhhQsDNUmHPRE=
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
golang.org/x/lint v0.0.0-20181023182221-1baf3a9d7d67/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs=
golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee h1:WG0RUwxtNT4qqaXX3DPA8zHFNm/D9xaBpxzHt1WcA/E=
golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -528,27 +694,49 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0=
golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0 h1:wBouT66WTYFXdxfVdz9sVWARVd/2vfGcmI45D2gj45M=
golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43 h1:ld7aEMNHoBnnDAX15v1T6z31v8HwR2A9FYOuAhWqkwc=
golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA=
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -556,6 +744,7 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h
golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -563,24 +752,53 @@ golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5h
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775 h1:TC0v2RSO1u2kn1ZugjrFXkRZAEaqMN/RW+OTZkBzmLE=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201006155630-ac719f4daadf h1:Bg47KQy0JhTHuf4sLiQwTMKwUMfSDwgSGatrxGR7nLM=
golang.org/x/sys v0.0.0-20201006155630-ac719f4daadf/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -600,53 +818,145 @@ golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3
golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191011211836-4c025a95b26e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200210192313-1ace956b0e17 h1:a/Fd23DJvg1CaeDH0dYHahE+hCI0v9rFgxSNIThoUcM=
golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200210192313-1ace956b0e17/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/tools v0.0.0-20200825202427-b303f430e36d h1:W07d4xkoAUSNOkOzdzXCdFGxT7o2rW4q8M34tB2i//k=
golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0=
gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ=
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4=
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc=
google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE=
google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 h1:PDIOdWxZ8eRizhKa1AAvY53xsvLB1cWorMjslvY3VA8=
google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA=
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
google.golang.org/grpc v1.28.0 h1:bO/TA4OxCOummhSf10siHuG7vJOiwh7SpRpFZDkOgl4=
google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
google.golang.org/grpc v1.31.0 h1:T7P4R73V3SSDPhH7WW7ATbfViLtmamH0DKrP3f9AuDI=
google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
@@ -654,8 +964,12 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM=
gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
gopkg.in/go-playground/validator.v9 v9.30.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
gopkg.in/go-playground/validator.v9 v9.31.0 h1:bmXmP2RSNtFES+bn4uYuHT7iJFJv7Vj+an+ZQdDaD1M=
gopkg.in/go-playground/validator.v9 v9.31.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
@@ -669,11 +983,14 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools v0.0.0-20181223230014-1083505acf35/go.mod h1:R//lfYlUuTOTfblYI3lGoAAAebUdzjvbmQsuB7Ykd90=
gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
@@ -682,8 +999,10 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA=
k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g=
k8s.io/apiserver v0.17.4/go.mod h1:5ZDQ6Xr5MNBxyi3iUZXS84QOhZl+W7Oq2us/29c0j9I=
@@ -697,11 +1016,12 @@ k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8
k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
k8s.io/legacy-cloud-providers v0.17.4/go.mod h1:FikRNoD64ECjkxO36gkDgJeiQWwyZTuBkhu+yxOc1Js=
k8s.io/utils v0.0.0-20191010214722-8d271d903fe4/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
k8s.io/utils v0.0.0-20191114184206-e782cd3c129f h1:GiPwtSzdP43eI1hpPCbROQCCIgCuiMMNF8YUVLF3vJo=
k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
k8s.io/utils v0.0.0-20201005171033-6301aaf42dc7 h1:XQ0OMFdRDkDIu0b1zqEKSZdWUD7I4bZ4d4nqr8CLKbQ=
k8s.io/utils v0.0.0-20201005171033-6301aaf42dc7/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk=
modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k=
@@ -709,6 +1029,9 @@ modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs
modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I=
moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=
moul.io/http2curl v1.0.0/go.mod h1:f6cULg+e4Md/oW1cYmwW4IWQOVl2lGbmCNGOHvzX2kE=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18=
sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=

22
goreleaser.yml
View File

@@ -12,21 +12,25 @@ builds:
goos:
- darwin
- linux
- freebsd
- openbsd
goarch:
- amd64
- 386
- arm
- arm64
- ppc64le
goarm:
- 7
ignore:
- goos: darwin
goarch: 386
nfpms:
-
formats:
- deb
- rpm
dependencies:
- rpm
vendor: "aquasecurity"
homepage: "https://github.com/aquasecurity"
maintainer: "Teppei Fukuda <knqyf263@gmail.com>"
@@ -38,6 +42,7 @@ nfpms:
386: 32bit
arm: ARM
arm64: ARM64
ppc64le: PPC64LE
darwin: macOS
linux: Linux
openbsd: OpenBSD
@@ -54,6 +59,7 @@ archives:
386: 32bit
arm: ARM
arm64: ARM64
ppc64le: PPC64LE
darwin: macOS
linux: Linux
openbsd: OpenBSD
@@ -63,15 +69,14 @@ archives:
files:
- README.md
- LICENSE
- contrib/gitlab.tpl
- contrib/*.tpl
brews:
-
github:
owner: aquasecurity
name: homebrew-trivy
dependencies:
- rpm
homepage: "https://github.com/aquasecurity/trivy"
description: ""
test: |
@@ -81,6 +86,8 @@ dockers:
- image_templates:
- "docker.io/aquasec/trivy:{{ .Version }}"
- "docker.io/aquasec/trivy:latest"
- "ghcr.io/aquasecurity/trivy:{{ .Version }}"
- "ghcr.io/aquasecurity/trivy:latest"
binaries:
- trivy
build_flag_templates:
@@ -93,6 +100,5 @@ dockers:
- "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
- "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
extra_files:
- contrib/gitlab.tpl
- contrib/junit.tpl
- contrib/sarif.tpl
- contrib/

22
helm/trivy/.helmignore Normal file
View File

@@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

11
helm/trivy/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: trivy
version: 0.2.0
appVersion: "0.14.0"
description: Trivy helm chart
keywords:
- scanner
- trivy
- vulnerability
sources:
- https://github.com/aquasecurity/trivy

77
helm/trivy/README.md Normal file
View File

@@ -0,0 +1,77 @@
# Trivy Scanner
Trivy vulnerability scanner standalone installation.
## TL;DR;
```
$ helm install trivy . --namespace trivy --create-namespace
```
## Introduction
This chart bootstraps a Trivy deployment on a [Kubernetes](http://kubernetes.io) cluster using the
[Helm](https://helm.sh) package manager.
## Prerequisites
- Kubernetes 1.12+
- Helm 3+
## Installing the Chart
To install the chart with the release name `my-release`:
```
$ helm install my-release .
```
The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters](#parameters)
section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`.
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
The following table lists the configurable parameters of the Trivy chart and their default values.
| Parameter | Description | Default |
|---------------------------------------|-------------------------------------------------------------------------|----------------|
| `image.registry` | Image registry | `docker.io` |
| `image.repository` | Image name | `aquasec/trivy` |
| `image.tag` | Image tag | `{TAG_NAME}` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `replicaCount` | Number of Trivy Pods to run | `1` |
| `trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB | |
| `trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` |
| `service.type` | Kubernetes service type | `ClusterIP` |
| `service.port` | Kubernetes service port | `4954` |
| `httpProxy` | The URL of the HTTP proxy server | |
| `httpsProxy` | The URL of the HTTPS proxy server | |
| `noProxy` | The URLs that the proxy settings do not apply to | |
The above parameters map to the env variables defined in [trivy](https://github.com/aquasecurity/trivy#configuration).
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
```
$ helm install my-release . \
--namespace my-namespace \
--set "service.port=9090" \
--set "trivy.vulnType=os\,library"
```
## Storage
This chart uses a PersistentVolumeClaim to reduce the number of database downloads between POD restarts or updates. The storageclass should have the reclaim policy `Retain`.

2
helm/trivy/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,2 @@
You should be able to access Trivy server installation within
the cluster at http://{{ include "trivy.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}

55
helm/trivy/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,55 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "trivy.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "trivy.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "trivy.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "trivy.labels" -}}
app.kubernetes.io/name: {{ include "trivy.name" . }}
helm.sh/chart: {{ include "trivy.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Return the proper imageRef as used by the container template spec.
*/}}
{{- define "trivy.imageRef" -}}
{{- $registryName := .Values.image.registry -}}
{{- $repositoryName := .Values.image.repository -}}
{{- $tag := .Values.image.tag | toString -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}

35
helm/trivy/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,35 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "trivy.fullname" . -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: {{ include "trivy.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "trivy.labels" . | indent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
- path: /
backend:
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port -}}
{{- end }}
{{- end }}

38
helm/trivy/templates/podsecuritypolicy.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{- if .Values.rbac.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- 'configMap'
- 'emptyDir'
- 'persistentVolumeClaim'
- 'secret'
- 'projected'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: true
requiredDropCapabilities:
- ALL
{{- end }}

16
helm/trivy/templates/role.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
namespace: {{ .Release.Namespace }}
{{- if .Values.rbac.pspEnabled }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: [{{ include "trivy.fullname" . }}]
{{- end }}
{{- end }}

16
helm/trivy/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "trivy.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "trivy.fullname" . }}
{{- end }}

9
helm/trivy/templates/secret.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
type: Opaque
data:
gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}

17
helm/trivy/templates/service.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
spec:
type: {{ .Values.service.type | default "ClusterIP" }}
selector:
app.kubernetes.io/name: {{ include "trivy.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ports:
- name: trivy-http
protocol: TCP
port: {{ .Values.service.port | default 4954 }}
targetPort: {{ .Values.service.port | default 4954 }}
sessionAffinity: ClientIP

7
helm/trivy/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
namespace: {{ .Release.Namespace }}

107
helm/trivy/templates/statefulset.yaml Normal file
View File

@@ -0,0 +1,107 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "trivy.fullname" . }}
labels:
{{ include "trivy.labels" . | indent 4 }}
spec:
podManagementPolicy: "Parallel"
serviceName: {{ include "trivy.fullname" . }}
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "trivy.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: data
spec:
resources:
requests:
storage: {{ .Values.persistence.size }}
accessModes:
- {{ .Values.persistence.accessMode }}
storageClassName: {{ .Values.persistence.storageClass }}
{{- end }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "trivy.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
serviceAccountName: {{ include "trivy.fullname" . }}
automountServiceAccountToken: false
{{- if .Values.podSecurityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 8 }}
{{- end }}
containers:
- name: main
image: {{ template "trivy.imageRef" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.securityContext }}
securityContext:
{{ toYaml .Values.securityContext | indent 12 }}
{{- end }}
args:
- server
env:
- name: "TRIVY_LISTEN"
value: "0.0.0.0:{{ .Values.service.port | default 4954 }}"
- name: "TRIVY_CACHE_DIR"
value: "/home/scanner/.cache/trivy"
- name: "TRIVY_DEBUG"
value: {{ .Values.trivy.debugMode | default false | quote }}
- name: "TRIVY_SKIP_UPDATE"
value: {{ .Values.trivy.skipUpdate | default false | quote }}
- name: "TRIVY_GITHUB_TOKEN"
valueFrom:
secretKeyRef:
name: {{ include "trivy.fullname" . }}
key: gitHubToken
- name: "HTTP_PROXY"
value: {{ .Values.httpProxy | quote }}
- name: "HTTPS_PROXY"
value: {{ .Values.httpsProxy | quote }}
- name: "NO_PROXY"
value: {{ .Values.noProxy | quote }}
ports:
- name: trivy-http
containerPort: {{ .Values.service.port }}
livenessProbe:
httpGet:
scheme: HTTP
path: /healthz
port: trivy-http
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
httpGet:
scheme: HTTP
path: /healthz
port: trivy-http
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
volumeMounts:
- mountPath: /tmp
name: tmp-data
readOnly: false
- mountPath: /home/scanner/.cache
name: data
readOnly: false
{{- if .Values.resources }}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- end }}
volumes:
- name: tmp-data
emptyDir: {}
{{- if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- end }}

87
helm/trivy/values.yaml Normal file
View File

@@ -0,0 +1,87 @@
nameOverride: ""
fullnameOverride: ""
image:
registry: docker.io
repository: aquasec/trivy
tag: 0.14.0
pullPolicy: IfNotPresent
replicaCount: 1
persistence:
enabled: true
storageClass: ""
accessMode: ReadWriteOnce
size: 5Gi
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
rbac:
create: true
pspEnabled: true
podSecurityContext:
runAsUser: 65534
runAsNonRoot: true
fsGroup: 65534
securityContext:
privileged: false
readOnlyRootFilesystem: true
trivy:
# debugMode the flag to enable Trivy debug mode
debugMode: false
# gitHubToken the GitHub access token to download Trivy DB
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
# timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
# Currently, the database is updated every 12 hours and published as a new release to GitHub.
#
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
# https://developer.github.com/v3/#rate-limiting
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
gitHubToken: ""
# skipUpdate the flag to enable or disable Trivy DB downloads from GitHub
#
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the flag is enabled you have to manually download the `trivy.db` file and mount it in the
# `/home/scanner/.cache/trivy/db/trivy.db` path (see `cacheDir`).
skipUpdate: false
service:
# type Kubernetes service type
type: ClusterIP
# port Kubernetes service port
port: 4954
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
hosts:
- host: trivy.example.com
tls: []
# - secretName: trivy-example-tls
# hosts:
# - trivy.example.com
# httpProxy the URL of the HTTP proxy server
httpProxy:
# httpsProxy the URL of the HTTPS proxy server
httpsProxy:
# noProxy the URLs that the proxy settings do not apply to
noProxy:

BIN
imgs/logo.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 36 KiB

After

Width:  |  Height:  |  Size: 8.7 KiB

BIN
imgs/usage.gif
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 3.9 MiB

After

Width:  |  Height:  |  Size: 3.6 MiB

123
integration/client_server_test.go
View File

@@ -12,11 +12,14 @@ import (
"testing"
"time"
"github.com/docker/go-connections/nat"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
testcontainers "github.com/testcontainers/testcontainers-go"
"github.com/urfave/cli/v2"
"github.com/aquasecurity/trivy/internal"
"github.com/aquasecurity/trivy/pkg/report"
)
type args struct {
@@ -309,12 +312,37 @@ func TestClientServer(t *testing.T) {
},
golden: "testdata/busybox-with-lockfile.json.golden",
},
{
name: "alpine 3.10 integration with ASFF template",
testArgs: args{
Format: "template",
TemplatePath: "@../contrib/asff.tpl",
Version: "dev",
Input: "testdata/fixtures/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.asff.golden",
},
{
name: "alpine 3.10 integration with html template",
testArgs: args{
Format: "template",
TemplatePath: "@../contrib/html.tpl",
Version: "dev",
Input: "testdata/fixtures/alpine-310.tar.gz",
},
golden: "testdata/alpine-310.html.golden",
},
}
app, addr, cacheDir := setup(t, "", "")
app, addr, cacheDir := setup(t, setupOptions{})
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
report.Now = func() time.Time {
return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
}
os.Setenv("AWS_REGION", "test-region")
os.Setenv("AWS_ACCOUNT_ID", "123456789012")
osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden)
defer cleanup()
@@ -368,7 +396,10 @@ func TestClientServerWithToken(t *testing.T) {
serverToken := "token"
serverTokenHeader := "Trivy-Token"
app, addr, cacheDir := setup(t, serverToken, serverTokenHeader)
app, addr, cacheDir := setup(t, setupOptions{
token: serverToken,
tokenHeader: serverTokenHeader,
})
defer os.RemoveAll(cacheDir)
for _, c := range cases {
@@ -392,7 +423,54 @@ func TestClientServerWithToken(t *testing.T) {
}
}
func setup(t *testing.T, token, tokenHeader string) (*cli.App, string, string) {
func TestClientServerWithRedis(t *testing.T) {
// Set up a Redis container
ctx := context.Background()
redisC, addr := setupRedis(t, ctx)
// Set up Trivy server
app, addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
defer os.RemoveAll(cacheDir)
// Test parameters
testArgs := args{
Version: "dev",
Input: "testdata/fixtures/centos-7.tar.gz",
}
golden := "testdata/centos-7.json.golden"
t.Run("centos 7", func(t *testing.T) {
osArgs, outputFile, cleanup := setupClient(t, testArgs, addr, cacheDir, golden)
defer cleanup()
// Run Trivy client
err := app.Run(osArgs)
require.NoError(t, err)
compare(t, golden, outputFile)
})
// Terminate the Redis container
require.NoError(t, redisC.Terminate(ctx))
t.Run("sad path", func(t *testing.T) {
osArgs, _, cleanup := setupClient(t, testArgs, addr, cacheDir, golden)
defer cleanup()
// Run Trivy client
err := app.Run(osArgs)
require.NotNil(t, err)
assert.Contains(t, err.Error(), "connect: connection refused")
})
}
type setupOptions struct {
token string
tokenHeader string
cacheBackend string
}
func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
t.Helper()
version := "dev"
@@ -408,7 +486,7 @@ func setup(t *testing.T, token, tokenHeader string) (*cli.App, string, string) {
// Setup CLI App
app := internal.NewApp(version)
app.Writer = ioutil.Discard
osArgs := setupServer(addr, token, tokenHeader, cacheDir)
osArgs := setupServer(addr, options.token, options.tokenHeader, cacheDir, options.cacheBackend)
// Run Trivy server
app.Run(osArgs)
@@ -425,11 +503,14 @@ func setup(t *testing.T, token, tokenHeader string) (*cli.App, string, string) {
return app, addr, cacheDir
}
func setupServer(addr, token, tokenHeader, cacheDir string) []string {
func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []string {
osArgs := []string{"trivy", "server", "--skip-update", "--cache-dir", cacheDir, "--listen", addr}
if token != "" {
osArgs = append(osArgs, []string{"--token", token, "--token-header", tokenHeader}...)
}
if cacheBackend != "" {
osArgs = append(osArgs, "--cache-backend", cacheBackend)
}
return osArgs
}
@@ -493,6 +574,32 @@ func setupClient(t *testing.T, c args, addr string, cacheDir string, golden stri
return osArgs, outputFile, cleanup
}
func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, string) {
t.Helper()
imageName := "redis:5.0"
port := "6379/tcp"
req := testcontainers.ContainerRequest{
Name: "redis",
Image: imageName,
ExposedPorts: []string{port},
}
redis, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
ContainerRequest: req,
Started: true,
})
require.NoError(t, err)
ip, err := redis.Host(ctx)
require.NoError(t, err)
p, err := redis.MappedPort(ctx, nat.Port(port))
require.NoError(t, err)
addr := fmt.Sprintf("redis://%s:%s", ip, p.Port())
return redis, addr
}
func compare(t *testing.T, wantFile, gotFile string) {
t.Helper()
// Compare want and got
@@ -501,5 +608,9 @@ func compare(t *testing.T, wantFile, gotFile string) {
got, err := ioutil.ReadFile(gotFile)
assert.NoError(t, err)
assert.JSONEq(t, string(want), string(got))
if strings.HasSuffix(wantFile, ".json.golden") {
assert.JSONEq(t, string(want), string(got))
} else {
assert.EqualValues(t, string(want), string(got))
}
}

7
integration/docker/docker.go
View File

@@ -15,12 +15,14 @@ import (
"github.com/docker/docker/api/types"
)
// RegistryConfig holds the config for docker registry
type RegistryConfig struct {
URL *url.URL
Username string
Password string
}
// GetAuthConfig returns the docker registry authConfig
func (c RegistryConfig) GetAuthConfig() types.AuthConfig {
return types.AuthConfig{
Username: c.Username,
@@ -29,6 +31,7 @@ func (c RegistryConfig) GetAuthConfig() types.AuthConfig {
}
}
// GetRegistryAuth returns the json encoded docker registry auth
func (c RegistryConfig) GetRegistryAuth() (string, error) {
authConfig := types.AuthConfig{
Username: c.Username,
@@ -41,10 +44,12 @@ func (c RegistryConfig) GetRegistryAuth() (string, error) {
return base64.URLEncoding.EncodeToString(encodedJSON), nil
}
// Docker returns docker client
type Docker struct {
cli *client.Client
}
// New is the factory method to return docker client
func New() (Docker, error) {
cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
if err != nil {
@@ -73,7 +78,7 @@ func (d Docker) ReplicateImage(ctx context.Context, imageRef, imagePath string,
if err != nil {
return err
}
if _, err := io.Copy(ioutil.Discard, resp.Body); err != nil {
if _, err = io.Copy(ioutil.Discard, resp.Body); err != nil {
return err
}
defer resp.Body.Close()

37
integration/registry_test.go
View File

@@ -188,7 +188,7 @@ func TestRegistry(t *testing.T) {
require.NoError(t, err)
// 2. Scan it
resultFile, err := scan(imageRef, baseDir, tc.option)
resultFile, cleanup, err := scan(imageRef, baseDir, tc.golden, tc.option)
if tc.wantErr != "" {
require.NotNil(t, err)
@@ -197,7 +197,7 @@ func TestRegistry(t *testing.T) {
} else {
require.NoError(t, err)
}
defer os.Remove(resultFile)
defer cleanup()
// 3. Compare want and got
golden, err := os.Open(tc.golden)
@@ -220,29 +220,36 @@ func TestRegistry(t *testing.T) {
}
}
func scan(imageRef name.Reference, baseDir string, opt registryOption) (string, error) {
func scan(imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, func(), error) {
cleanup := func() {}
// Copy DB file
cacheDir, err := gunzipDB()
if err != nil {
return "", err
return "", cleanup, err
}
defer os.RemoveAll(cacheDir)
// Setup the output file
var outputFile string
output, err := ioutil.TempFile("", "integration")
if err != nil {
return "", err
}
if err = output.Close(); err != nil {
return "", err
}
if *update && goldenFile != "" {
outputFile = goldenFile
} else {
output, err := ioutil.TempFile("", "integration")
if err != nil {
return "", cleanup, err
}
defer output.Close()
outputFile = output.Name()
outputFile = output.Name()
cleanup = func() {
os.Remove(outputFile)
}
}
// Setup env
if err = setupEnv(imageRef, baseDir, opt); err != nil {
return "", err
return "", cleanup, err
}
defer unsetEnv()
@@ -254,9 +261,9 @@ func scan(imageRef name.Reference, baseDir string, opt registryOption) (string,
// Run Trivy
if err = app.Run(osArgs); err != nil {
return "", err
return "", cleanup, err
}
return outputFile, nil
return outputFile, cleanup, nil
}
func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error {

27
integration/standalone_tar_test.go
View File

@@ -24,6 +24,8 @@ func TestRun_WithTar(t *testing.T) {
IgnoreIDs []string
Format string
Input string
SkipDirs []string
SkipFiles []string
}
cases := []struct {
name string
@@ -352,6 +354,22 @@ func TestRun_WithTar(t *testing.T) {
},
golden: "testdata/busybox-with-lockfile.json.golden",
},
{
name: "fluentd with multiple lock files",
testArgs: args{
Version: "dev",
SkipUpdate: true,
IgnoreUnfixed: true,
Format: "json",
Input: "testdata/fixtures/fluentd-multiple-lockfiles.tar.gz",
SkipFiles: []string{"/Gemfile.lock"},
SkipDirs: []string{
"/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0",
"/var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13",
},
},
golden: "testdata/fluentd-multiple-lockfiles.json.golden",
},
}
// Copy DB file
@@ -391,7 +409,14 @@ func TestRun_WithTar(t *testing.T) {
defer os.Remove(trivyIgnore)
}
if c.testArgs.Input != "" {
osArgs = append(osArgs, []string{"--input", c.testArgs.Input}...)
osArgs = append(osArgs, "--input", c.testArgs.Input)
}
if len(c.testArgs.SkipFiles) != 0 {
osArgs = append(osArgs, "--skip-files", strings.Join(c.testArgs.SkipFiles, ","))
}
if len(c.testArgs.SkipDirs) != 0 {
osArgs = append(osArgs, "--skip-dirs", strings.Join(c.testArgs.SkipDirs, ","))
}
// Setup the output file

125
integration/testdata/alpine-310-ignore-cveids.json.golden vendored
View File

@@ -5,18 +5,31 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
@@ -28,20 +41,36 @@
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
]
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
@@ -52,7 +81,91 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}

241
integration/testdata/alpine-310-ignore-unfixed.json.golden vendored
View File

@@ -5,16 +5,30 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
@@ -22,22 +36,37 @@
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
@@ -49,20 +78,36 @@
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
]
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -72,20 +117,36 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
@@ -96,7 +157,167 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}

181
integration/testdata/alpine-310-medium-high.json.golden vendored
View File

@@ -5,16 +5,30 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
@@ -22,22 +36,37 @@
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
@@ -49,20 +78,36 @@
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
]
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -72,7 +117,127 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
}
]
}

263
integration/testdata/alpine-310-registry.json.golden vendored
View File

@@ -1,21 +1,35 @@
[
{
"Target": "localhost:5000/alpine:3.10 (alpine 3.10.2)",
"Target": "localhost:32799/alpine:3.10 (alpine 3.10.2)",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609"
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
@@ -23,23 +37,38 @@
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609"
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
@@ -51,21 +80,37 @@
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
]
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609"
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -75,21 +120,37 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609"
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
@@ -100,7 +161,171 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}

370
integration/testdata/alpine-310.asff.golden vendored Normal file
View File

@@ -0,0 +1,370 @@
[
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Product": 4,
"Normalized": 40
},
"Title": "Trivy found a vulnerability to CVE-2019-1549 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1549"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1549",
"CVE Title": "openssl: information disclosure in fork()",
"PkgName": "libcrypto1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "5",
"NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1551",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Product": 4,
"Normalized": 40
},
"Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1551"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1551",
"CVE Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"PkgName": "libcrypto1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r2",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "5",
"NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Product": 4,
"Normalized": 40
},
"Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1563",
"CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"PkgName": "libcrypto1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "4.3",
"NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Product": 1,
"Normalized": 10
},
"Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1547",
"CVE Title": "openssl: side-channel weak encryption vulnerability",
"PkgName": "libcrypto1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "1.9",
"NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Product": 4,
"Normalized": 40
},
"Title": "Trivy found a vulnerability to CVE-2019-1549 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1549"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1549",
"CVE Title": "openssl: information disclosure in fork()",
"PkgName": "libssl1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "5",
"NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1551",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Product": 4,
"Normalized": 40
},
"Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1551"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1551",
"CVE Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"PkgName": "libssl1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r2",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "5",
"NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Product": 4,
"Normalized": 40
},
"Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1563",
"CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"PkgName": "libssl1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "4.3",
"NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
},
{
"SchemaVersion": "2018-10-08",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
"ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "123456789012",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "2020-08-10T07:28:17.000958601Z",
"UpdatedAt": "2020-08-10T07:28:17.000958601Z",
"Severity": {
"Product": 1,
"Normalized": 10
},
"Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Remediation": {
"Recommendation": {
"Text": "More information on this vulnerability is provided in the hyperlink",
"Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
}
},
"ProductFields": { "Product Name": "Trivy" },
"Resources": [
{
"Type": "Container",
"Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
"Partition": "aws",
"Region": "test-region",
"Details": {
"Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
"Other": {
"CVE ID": "CVE-2019-1547",
"CVE Title": "openssl: side-channel weak encryption vulnerability",
"PkgName": "libssl1.1",
"Installed Package": "1.1.1c-r0",
"Patched Package": "1.1.1d-r0",
"NvdCvssScoreV3": "0",
"NvdCvssVectorV3": "",
"NvdCvssScoreV2": "1.9",
"NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
}
}
}
],
"RecordState": "ACTIVE"
}
]

232
integration/testdata/alpine-310.gitlab.golden vendored
View File

@@ -9,7 +9,7 @@
"cve": "CVE-2019-1549",
"severity": "Medium",
"confidence": "Unknown",
"solution": "Upgrade openssl to 1.1.1d-r0",
"solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
@@ -17,7 +17,7 @@
"location": {
"dependency": {
"package": {
"name": "openssl"
"name": "libcrypto1.1"
},
"version": "1.1.1c-r0"
},
@@ -29,7 +29,7 @@
"type": "cve",
"name": "CVE-2019-1549",
"value": "CVE-2019-1549",
"url": ""
"url": "https://avd.aquasec.com/nvd/cve-2019-1549"
}
],
"links": [{
@@ -51,11 +51,11 @@
"id": "CVE-2019-1551",
"category": "container_scanning",
"message": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"cve": "CVE-2019-1551",
"severity": "Medium",
"confidence": "Unknown",
"solution": "Upgrade openssl to 1.1.1d-r2",
"solution": "Upgrade libcrypto1.1 to 1.1.1d-r2",
"scanner": {
"id": "trivy",
"name": "trivy"
@@ -63,7 +63,7 @@
"location": {
"dependency": {
"package": {
"name": "openssl"
"name": "libcrypto1.1"
},
"version": "1.1.1c-r0"
},
@@ -75,12 +75,10 @@
"type": "cve",
"name": "CVE-2019-1551",
"value": "CVE-2019-1551",
"url": ""
"url": "https://avd.aquasec.com/nvd/cve-2019-1551"
}
],
"links": [{
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
},{
"url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
@@ -113,7 +111,7 @@
"cve": "CVE-2019-1563",
"severity": "Medium",
"confidence": "Unknown",
"solution": "Upgrade openssl to 1.1.1d-r0",
"solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
@@ -121,7 +119,7 @@
"location": {
"dependency": {
"package": {
"name": "openssl"
"name": "libcrypto1.1"
},
"version": "1.1.1c-r0"
},
@@ -133,7 +131,7 @@
"type": "cve",
"name": "CVE-2019-1563",
"value": "CVE-2019-1563",
"url": ""
"url": "https://avd.aquasec.com/nvd/cve-2019-1563"
}
],
"links": [{
@@ -163,7 +161,7 @@
"cve": "CVE-2019-1547",
"severity": "Low",
"confidence": "Unknown",
"solution": "Upgrade openssl to 1.1.1d-r0",
"solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
@@ -171,7 +169,7 @@
"location": {
"dependency": {
"package": {
"name": "openssl"
"name": "libcrypto1.1"
},
"version": "1.1.1c-r0"
},
@@ -183,7 +181,211 @@
"type": "cve",
"name": "CVE-2019-1547",
"value": "CVE-2019-1547",
"url": ""
"url": "https://avd.aquasec.com/nvd/cve-2019-1547"
}
],
"links": [{
"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://arxiv.org/abs/1909.01785"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
},{
"url": "https://seclists.org/bugtraq/2019/Sep/25"
},{
"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
},{
"url": "https://www.openssl.org/news/secadv/20190910.txt"
}
]
},
{
"id": "CVE-2019-1549",
"category": "container_scanning",
"message": "openssl: information disclosure in fork()",
"description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"cve": "CVE-2019-1549",
"severity": "Medium",
"confidence": "Unknown",
"solution": "Upgrade libssl1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "libssl1.1"
},
"version": "1.1.1c-r0"
},
"operating_system": "Unknown",
"image": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-1549",
"value": "CVE-2019-1549",
"url": "https://avd.aquasec.com/nvd/cve-2019-1549"
}
],
"links": [{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
},{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
},{
"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
},{
"url": "https://support.f5.com/csp/article/K44070243"
},{
"url": "https://www.openssl.org/news/secadv/20190910.txt"
}
]
},
{
"id": "CVE-2019-1551",
"category": "container_scanning",
"message": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"cve": "CVE-2019-1551",
"severity": "Medium",
"confidence": "Unknown",
"solution": "Upgrade libssl1.1 to 1.1.1d-r2",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "libssl1.1"
},
"version": "1.1.1c-r0"
},
"operating_system": "Unknown",
"image": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-1551",
"value": "CVE-2019-1551",
"url": "https://avd.aquasec.com/nvd/cve-2019-1551"
}
],
"links": [{
"url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98"
},{
"url": "https://github.com/openssl/openssl/pull/10575"
},{
"url": "https://seclists.org/bugtraq/2019/Dec/39"
},{
"url": "https://seclists.org/bugtraq/2019/Dec/46"
},{
"url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
},{
"url": "https://www.debian.org/security/2019/dsa-4594"
},{
"url": "https://www.openssl.org/news/secadv/20191206.txt"
},{
"url": "https://www.tenable.com/security/tns-2019-09"
}
]
},
{
"id": "CVE-2019-1563",
"category": "container_scanning",
"message": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"cve": "CVE-2019-1563",
"severity": "Medium",
"confidence": "Unknown",
"solution": "Upgrade libssl1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "libssl1.1"
},
"version": "1.1.1c-r0"
},
"operating_system": "Unknown",
"image": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-1563",
"value": "CVE-2019-1563",
"url": "https://avd.aquasec.com/nvd/cve-2019-1563"
}
],
"links": [{
"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
},{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97"
},{
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"
},{
"url": "https://seclists.org/bugtraq/2019/Sep/25"
},{
"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
},{
"url": "https://www.openssl.org/news/secadv/20190910.txt"
}
]
},
{
"id": "CVE-2019-1547",
"category": "container_scanning",
"message": "openssl: side-channel weak encryption vulnerability",
"description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"cve": "CVE-2019-1547",
"severity": "Low",
"confidence": "Unknown",
"solution": "Upgrade libssl1.1 to 1.1.1d-r0",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "libssl1.1"
},
"version": "1.1.1c-r0"
},
"operating_system": "Unknown",
"image": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-1547",
"value": "CVE-2019-1547",
"url": "https://avd.aquasec.com/nvd/cve-2019-1547"
}
],
"links": [{

237
integration/testdata/alpine-310.html.golden vendored Normal file
View File

@@ -0,0 +1,237 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
* {
font-family: Arial, Helvetica, sans-serif;
}
h1 {
text-align: center;
}
.group-header th {
font-size: 200%;
}
.sub-header th {
font-size: 150%;
}
table, th, td {
border: 1px solid black;
border-collapse: collapse;
white-space: nowrap;
padding: .3em;
}
table {
margin: 0 auto;
}
.severity {
text-align: center;
font-weight: bold;
color: #fafafa;
}
.severity-LOW .severity { background-color: #5fbb31; }
.severity-MEDIUM .severity { background-color: #e9c600; }
.severity-HIGH .severity { background-color: #ff8800; }
.severity-CRITICAL .severity { background-color: #e40000; }
.severity-UNKNOWN .severity { background-color: #747474; }
.severity-LOW { background-color: #5fbb3160; }
.severity-MEDIUM { background-color: #e9c60060; }
.severity-HIGH { background-color: #ff880060; }
.severity-CRITICAL { background-color: #e4000060; }
.severity-UNKNOWN { background-color: #74747460; }
table tr td:first-of-type {
font-weight: bold;
}
.links a,
.links[data-more-links=on] a {
display: block;
}
.links[data-more-links=off] a:nth-of-type(1n+5) {
display: none;
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
var links = [].concat.apply([], linkCell.querySelectorAll('a'));
[].sort.apply(links, function(a, b) {
return a.href > b.href ? 1 : -1;
});
links.forEach(function(link, idx) {
if (links.length > 3 && 3 === idx) {
var toggleLink = document.createElement('a');
toggleLink.innerText = "Toggle more links";
toggleLink.href = "#toggleMore";
toggleLink.setAttribute("class", "toggle-more-links");
linkCell.appendChild(toggleLink);
}
linkCell.appendChild(link);
});
});
document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
toggleLink.onclick = function() {
var expanded = toggleLink.parentElement.getAttribute("data-more-links");
toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
return false;
};
});
};
</script>
</head>
<body>
<h1>testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</h1>
<table>
<tr class="group-header"><th colspan="6">alpine</th></tr>
<tr class="sub-header">
<th>Package</th>
<th>Vulnerability ID</th>
<th>Severity</th>
<th>Installed Version</th>
<th>Fixed Version</th>
<th>Links</th>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libcrypto1.1</td>
<td>CVE-2019-1549</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://support.f5.com/csp/article/K44070243">https://support.f5.com/csp/article/K44070243</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libcrypto1.1</td>
<td>CVE-2019-1551</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r2</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
<a href="https://github.com/openssl/openssl/pull/10575">https://github.com/openssl/openssl/pull/10575</a>
<a href="https://seclists.org/bugtraq/2019/Dec/39">https://seclists.org/bugtraq/2019/Dec/39</a>
<a href="https://seclists.org/bugtraq/2019/Dec/46">https://seclists.org/bugtraq/2019/Dec/46</a>
<a href="https://security.netapp.com/advisory/ntap-20191210-0001/">https://security.netapp.com/advisory/ntap-20191210-0001/</a>
<a href="https://www.debian.org/security/2019/dsa-4594">https://www.debian.org/security/2019/dsa-4594</a>
<a href="https://www.openssl.org/news/secadv/20191206.txt">https://www.openssl.org/news/secadv/20191206.txt</a>
<a href="https://www.tenable.com/security/tns-2019-09">https://www.tenable.com/security/tns-2019-09</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libcrypto1.1</td>
<td>CVE-2019-1563</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f</a>
<a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
</td>
</tr>
<tr class="severity-LOW">
<td class="pkg-name">libcrypto1.1</td>
<td>CVE-2019-1547</td>
<td class="severity">LOW</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://arxiv.org/abs/1909.01785">https://arxiv.org/abs/1909.01785</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a</a>
<a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libssl1.1</td>
<td>CVE-2019-1549</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://support.f5.com/csp/article/K44070243">https://support.f5.com/csp/article/K44070243</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libssl1.1</td>
<td>CVE-2019-1551</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r2</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
<a href="https://github.com/openssl/openssl/pull/10575">https://github.com/openssl/openssl/pull/10575</a>
<a href="https://seclists.org/bugtraq/2019/Dec/39">https://seclists.org/bugtraq/2019/Dec/39</a>
<a href="https://seclists.org/bugtraq/2019/Dec/46">https://seclists.org/bugtraq/2019/Dec/46</a>
<a href="https://security.netapp.com/advisory/ntap-20191210-0001/">https://security.netapp.com/advisory/ntap-20191210-0001/</a>
<a href="https://www.debian.org/security/2019/dsa-4594">https://www.debian.org/security/2019/dsa-4594</a>
<a href="https://www.openssl.org/news/secadv/20191206.txt">https://www.openssl.org/news/secadv/20191206.txt</a>
<a href="https://www.tenable.com/security/tns-2019-09">https://www.tenable.com/security/tns-2019-09</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libssl1.1</td>
<td>CVE-2019-1563</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f</a>
<a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
</td>
</tr>
<tr class="severity-LOW">
<td class="pkg-name">libssl1.1</td>
<td>CVE-2019-1547</td>
<td class="severity">LOW</td>
<td class="pkg-version">1.1.1c-r0</td>
<td>1.1.1d-r0</td>
<td class="links" data-more-links="off">
<a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
<a href="https://arxiv.org/abs/1909.01785">https://arxiv.org/abs/1909.01785</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8</a>
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a</a>
<a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
<a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
<a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
</td>
</tr>
</table>
</body>
</html>

241
integration/testdata/alpine-310.json.golden vendored
View File

@@ -5,16 +5,30 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
@@ -22,22 +36,37 @@
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
@@ -49,20 +78,36 @@
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
]
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -72,20 +117,36 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
@@ -96,7 +157,167 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
}
]
}

202
integration/testdata/alpine-310.sarif.golden vendored
View File

@@ -12,20 +12,20 @@
"id": "[MEDIUM] CVE-2019-1549",
"name": "dockerfile_scan",
"shortDescription": {
"text": "CVE-2019-1549 Package: openssl"
"text": "CVE-2019-1549 Package: libcrypto1.1"
},
"fullDescription": {
"text": "openssl: information disclosure in fork()."
},
"help": {
"text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: openssl\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://nvd.nist.gov/vuln/detail/cve-2019-1549)",
"markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|openssl|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://nvd.nist.gov/vuln/detail/cve-2019-1549)|\n"
"text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
"markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
},
"properties": {
"tags": [
"vulnerability",
"MEDIUM",
"openssl"
"libcrypto1.1"
],
"precision": "very-high"
}
@@ -34,20 +34,20 @@
"id": "[MEDIUM] CVE-2019-1551",
"name": "dockerfile_scan",
"shortDescription": {
"text": "CVE-2019-1551 Package: openssl"
"text": "CVE-2019-1551 Package: libcrypto1.1"
},
"fullDescription": {
"text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
},
"help": {
"text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: openssl\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://nvd.nist.gov/vuln/detail/cve-2019-1551)",
"markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|openssl|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://nvd.nist.gov/vuln/detail/cve-2019-1551)|\n"
"text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
"markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
},
"properties": {
"tags": [
"vulnerability",
"MEDIUM",
"openssl"
"libcrypto1.1"
],
"precision": "very-high"
}
@@ -56,20 +56,20 @@
"id": "[MEDIUM] CVE-2019-1563",
"name": "dockerfile_scan",
"shortDescription": {
"text": "CVE-2019-1563 Package: openssl"
"text": "CVE-2019-1563 Package: libcrypto1.1"
},
"fullDescription": {
"text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
},
"help": {
"text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: openssl\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://nvd.nist.gov/vuln/detail/cve-2019-1563)",
"markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|openssl|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://nvd.nist.gov/vuln/detail/cve-2019-1563)|\n"
"text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
"markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
},
"properties": {
"tags": [
"vulnerability",
"MEDIUM",
"openssl"
"libcrypto1.1"
],
"precision": "very-high"
}
@@ -78,20 +78,108 @@
"id": "[LOW] CVE-2019-1547",
"name": "dockerfile_scan",
"shortDescription": {
"text": "CVE-2019-1547 Package: openssl"
"text": "CVE-2019-1547 Package: libcrypto1.1"
},
"fullDescription": {
"text": "openssl: side-channel weak encryption vulnerability."
},
"help": {
"text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: openssl\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://nvd.nist.gov/vuln/detail/cve-2019-1547)",
"markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|openssl|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://nvd.nist.gov/vuln/detail/cve-2019-1547)|\n"
"text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
"markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
},
"properties": {
"tags": [
"vulnerability",
"LOW",
"openssl"
"libcrypto1.1"
],
"precision": "very-high"
}
},
{
"id": "[MEDIUM] CVE-2019-1549",
"name": "dockerfile_scan",
"shortDescription": {
"text": "CVE-2019-1549 Package: libssl1.1"
},
"fullDescription": {
"text": "openssl: information disclosure in fork()."
},
"help": {
"text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
"markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
},
"properties": {
"tags": [
"vulnerability",
"MEDIUM",
"libssl1.1"
],
"precision": "very-high"
}
},
{
"id": "[MEDIUM] CVE-2019-1551",
"name": "dockerfile_scan",
"shortDescription": {
"text": "CVE-2019-1551 Package: libssl1.1"
},
"fullDescription": {
"text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
},
"help": {
"text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
"markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
},
"properties": {
"tags": [
"vulnerability",
"MEDIUM",
"libssl1.1"
],
"precision": "very-high"
}
},
{
"id": "[MEDIUM] CVE-2019-1563",
"name": "dockerfile_scan",
"shortDescription": {
"text": "CVE-2019-1563 Package: libssl1.1"
},
"fullDescription": {
"text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
},
"help": {
"text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
"markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
},
"properties": {
"tags": [
"vulnerability",
"MEDIUM",
"libssl1.1"
],
"precision": "very-high"
}
},
{
"id": "[LOW] CVE-2019-1547",
"name": "dockerfile_scan",
"shortDescription": {
"text": "CVE-2019-1547 Package: libssl1.1"
},
"fullDescription": {
"text": "openssl: side-channel weak encryption vulnerability."
},
"help": {
"text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
"markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
},
"properties": {
"tags": [
"vulnerability",
"LOW",
"libssl1.1"
],
"precision": "very-high"
}
@@ -124,7 +212,7 @@
"ruleIndex": 1,
"level": "error",
"message": {
"text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
"text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
},
"locations": [{
"physicalLocation": {
@@ -178,6 +266,86 @@
}
}
}]
},
{
"ruleId": "[MEDIUM] CVE-2019-1549",
"ruleIndex": 4,
"level": "error",
"message": {
"text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endColumn": 1
}
}
}]
},
{
"ruleId": "[MEDIUM] CVE-2019-1551",
"ruleIndex": 5,
"level": "error",
"message": {
"text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endColumn": 1
}
}
}]
},
{
"ruleId": "[MEDIUM] CVE-2019-1563",
"ruleIndex": 6,
"level": "error",
"message": {
"text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endColumn": 1
}
}
}]
},
{
"ruleId": "[LOW] CVE-2019-1547",
"ruleIndex": 7,
"level": "error",
"message": {
"text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endColumn": 1
}
}
}]
}],
"columnKind": "utf16CodeUnits"
}

318
integration/testdata/alpine-39.json.golden vendored
View File

@@ -3,35 +3,32 @@
"Target": "testdata/fixtures/alpine-39.tar.gz (alpine 3.9.4)",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "HIGH",
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://security.gentoo.org/glsa/202003-13",
"https://www.openwall.com/lists/musl/2019/08/06/1"
]
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
@@ -39,22 +36,37 @@
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
@@ -66,20 +78,36 @@
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
]
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -89,20 +117,36 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "openssl",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
@@ -113,7 +157,227 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"Title": "openssl: information disclosure in fork()",
"Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-330"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://support.f5.com/csp/article/K44070243",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-19T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
"https://github.com/openssl/openssl/pull/10575",
"https://seclists.org/bugtraq/2019/Dec/39",
"https://seclists.org/bugtraq/2019/Dec/46",
"https://security.netapp.com/advisory/ntap-20191210-0001/",
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2019-08-14T17:28:00Z"
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl-utils",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Layer": {
"DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.5,
"V3Score": 9.8
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2019/08/06/4",
"https://www.openwall.com/lists/musl/2019/08/06/1"
],
"PublishedDate": "2019-08-06T16:15:00Z",
"LastModifiedDate": "2019-08-14T17:28:00Z"
}
]
}

1125
integration/testdata/amazon-1.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

1780
integration/testdata/amazon-2.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

75
integration/testdata/busybox-with-lockfile.json.golden vendored
View File

@@ -7,11 +7,13 @@
"VulnerabilityID": "RUSTSEC-2019-0001",
"PkgName": "ammonia",
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 2.1.0",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0001",
"Title": "Uncontrolled recursion leads to abort in HTML serialization",
"Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.\n",
"Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
@@ -21,53 +23,77 @@
"VulnerabilityID": "RUSTSEC-2016-0001",
"PkgName": "openssl",
"InstalledVersion": "0.8.3",
"FixedVersion": "\u003e= 0.9.0",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2016-0001",
"Title": "SSL/TLS MitM vulnerability due to insecure defaults",
"Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).\n",
"Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).",
"Severity": "UNKNOWN",
"References": [
"https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0010",
"PkgName": "openssl",
"InstalledVersion": "0.8.3",
"VulnerabilityID": "RUSTSEC-2019-0035",
"PkgName": "rand_core",
"InstalledVersion": "0.3.1",
"FixedVersion": "\u003e= 0.4.2",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"Title": "Use after free in CMS Signing",
"Description": "Affected versions of the OpenSSL crate used structures after they'd been freed.",
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
"Title": "Unaligned memory access",
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/sfackler/rust-openssl/pull/942"
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0003",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"VulnerabilityID": "RUSTSEC-2019-0035",
"PkgName": "rand_core",
"InstalledVersion": "0.4.0",
"FixedVersion": "\u003e= 0.4.2",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"Title": "Possible double free during unwinding in SmallVec::insert_many",
"Description": "If an iterator passed to `SmallVec::insert_many` panicked in `Iterator::next`,\ndestructors were run during unwinding while the vector was in an inconsistent\nstate, possibly causing a double free (a destructor running on two copies of\nthe same value).\n\nThis is fixed in smallvec 0.6.3 by ensuring that the vector's length is not\nupdated to include moved items until they have been removed from their\noriginal positions. Items may now be leaked if `Iterator::next` panics, but\nthey will not be dropped more than once.\n\nThank you to @Vurich for reporting this bug.\n",
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
"Title": "Unaligned memory access",
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/96"
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0018",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.13",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0018",
"Title": "smallvec creates uninitialized value of any type",
"Description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/126"
]
},
{
"VulnerabilityID": "RUSTSEC-2019-0009",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.10",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0009",
"Title": "Double-free and use-after-free in SmallVec::grow()",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.\n",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/148"
@@ -77,15 +103,32 @@
"VulnerabilityID": "RUSTSEC-2019-0012",
"PkgName": "smallvec",
"InstalledVersion": "0.6.9",
"FixedVersion": "\u003e= 0.6.10",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0012",
"Title": "Memory corruption in SmallVec::grow()",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.\n",
"Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
"Severity": "UNKNOWN",
"References": [
"https://github.com/servo/rust-smallvec/issues/149"
]
},
{
"VulnerabilityID": "RUSTSEC-2018-0017",
"PkgName": "tempdir",
"InstalledVersion": "0.3.7",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0017",
"Title": "`tempdir` crate has been deprecated; use `tempfile` instead",
"Description": "The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated\nand the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).",
"Severity": "UNKNOWN",
"References": [
"https://github.com/rust-lang-deprecated/tempdir/pull/46"
]
}
]
}

13952
integration/testdata/centos-6.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

2319
integration/testdata/centos-7-ignore-unfixed.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

1266
integration/testdata/centos-7-low-high.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

15840
integration/testdata/centos-7.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

379
integration/testdata/debian-buster-ignore-unfixed.json.golden vendored
View File

@@ -12,17 +12,35 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -33,17 +51,34 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
@@ -54,17 +89,35 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -75,17 +128,34 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
@@ -96,17 +166,35 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -117,17 +205,34 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-18224",
@@ -138,9 +243,23 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
"Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
"Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"Severity": "HIGH",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
},
"References": [
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
@@ -148,8 +267,11 @@
"https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
"https://usn.ubuntu.com/4168-1/"
]
"https://usn.ubuntu.com/4168-1/",
"https://usn.ubuntu.com/usn/usn-4168-1"
],
"PublishedDate": "2019-10-21T17:15:00Z",
"LastModifiedDate": "2019-10-29T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17594",
@@ -160,16 +282,32 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-26T15:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-17595",
@@ -180,16 +318,32 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"V3Score": 5.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-23T19:26:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
@@ -200,17 +354,35 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -221,17 +393,34 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-15718",
@@ -242,9 +431,25 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15718",
"Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
"Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
"Severity": "LOW",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-284"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"V2Score": 2.1,
"V3Score": 5.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-15718.html",
"http://linux.oracle.com/errata/ELSA-2019-3592.html",
@@ -253,8 +458,11 @@
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/",
"https://usn.ubuntu.com/usn/usn-4120-1"
],
"PublishedDate": "2019-09-04T12:15:00Z",
"LastModifiedDate": "2019-09-19T04:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17594",
@@ -265,16 +473,32 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-26T15:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-17595",
@@ -285,16 +509,32 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"V3Score": 5.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-23T19:26:00Z"
},
{
"VulnerabilityID": "CVE-2019-15718",
@@ -305,9 +545,25 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15718",
"Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
"Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
"Severity": "LOW",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-284"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"V2Score": 2.1,
"V3Score": 5.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-15718.html",
"http://linux.oracle.com/errata/ELSA-2019-3592.html",
@@ -316,8 +572,11 @@
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/",
"https://usn.ubuntu.com/usn/usn-4120-1"
],
"PublishedDate": "2019-09-04T12:15:00Z",
"LastModifiedDate": "2019-09-19T04:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17594",
@@ -328,16 +587,32 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-26T15:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-17595",
@@ -348,16 +623,32 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"V3Score": 5.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-23T19:26:00Z"
},
{
"VulnerabilityID": "CVE-2019-17594",
@@ -368,16 +659,32 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-26T15:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-17595",
@@ -388,16 +695,32 @@
"DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
},
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "LOW",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"V3Score": 5.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-23T19:26:00Z"
}
]
}

1907
integration/testdata/debian-buster.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

3547
integration/testdata/debian-stretch.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

36
integration/testdata/distroless-base-ignore-unfixed.json.golden vendored
View File

@@ -12,9 +12,23 @@
"DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -24,7 +38,9 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
@@ -35,9 +51,23 @@
"DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -47,7 +77,9 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
}
]
}

662
integration/testdata/distroless-base.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

3034
integration/testdata/distroless-python27.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

199
integration/testdata/fluentd-multiple-lockfiles.json.golden vendored Normal file
View File

@@ -0,0 +1,199 @@
[
{
"Target": "testdata/fixtures/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
"Type": "debian",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "e2fsprogs",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libcom-err2",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libext2fs2",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-18224",
"PkgName": "libidn2-0",
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
"Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
"Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"Severity": "HIGH",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
},
"References": [
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
"https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
"https://usn.ubuntu.com/4168-1/",
"https://usn.ubuntu.com/usn/usn-4168-1"
],
"PublishedDate": "2019-10-21T17:15:00Z",
"LastModifiedDate": "2019-10-29T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
"PkgName": "libss2",
"InstalledVersion": "1.44.5-1+deb10u2",
"FixedVersion": "1.44.5-1+deb10u3",
"Layer": {
"DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
}
]
}
]

48
integration/testdata/opensuse-leap-151.json.golden vendored
View File

@@ -19,22 +19,6 @@
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0381-1",
"PkgName": "glibc",
"InstalledVersion": "2.26-lp151.18.7",
"FixedVersion": "2.26-lp151.19.3.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for glibc",
"Description": "This update for glibc fixes the following issues:\n\n- CVE-2020-10029: Fixed a potential overflow in on-stack buffer \n during range reduction (bsc#1165784).\t \n- Fixed an issue where pthread were not always locked correctly (bsc#1164505).\n- Document mprotect and introduce section on memory protection (bsc#1163184).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "LOW",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0166-1",
"PkgName": "libcom_err2",
@@ -99,22 +83,6 @@
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0379-1",
"PkgName": "libnghttp2-14",
"InstalledVersion": "1.39.2-lp151.3.3.1",
"FixedVersion": "1.40.0-lp151.3.6.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for nghttp2",
"Description": "This update for nghttp2 fixes the following issues:\n\nnghttp2 was update to version 1.40.0 (bsc#1166481)\n\n- lib: Add nghttp2_check_authority as public API\n- lib: Fix the bug that stream is closed with wrong error code\n- lib: Faster huffman encoding and decoding\n- build: Avoid filename collision of static and dynamic lib\n- build: Add new flag ENABLE_STATIC_CRT for Windows\n- build: cmake: Support building nghttpx with systemd\n- third-party: Update neverbleed to fix memory leak\n- nghttpx: Fix bug that mruby is incorrectly shared between backends\n- nghttpx: Reconnect h1 backend if it lost connection before sending headers\n- nghttpx: Returns 408 if backend timed out before sending headers\n- nghttpx: Fix request stal\n\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00034.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0062-1",
"PkgName": "libopenssl1_1",
@@ -291,22 +259,6 @@
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2020:0302-1",
"PkgName": "permissions",
"InstalledVersion": "20181116-lp151.4.6.1",
"FixedVersion": "20181116-lp151.4.12.1",
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"Title": "Security update for permissions",
"Description": "This update for permissions fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)\n- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).\n\nNon-security issues fixed:\n\n- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).\n- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html",
"https://www.suse.com/support/security/rating/"
]
},
{
"VulnerabilityID": "openSUSE-SU-2019:2551-1",
"PkgName": "terminfo-base",

323
integration/testdata/oraclelinux-6-slim.json.golden vendored
View File

@@ -4,50 +4,57 @@
"Type": "oracle",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-5482",
"PkgName": "curl",
"InstalledVersion": "7.19.7-53.0.2.el6_9",
"FixedVersion": "7.19.7-54.0.2.el6_10",
"VulnerabilityID": "CVE-2019-3862",
"PkgName": "libssh2",
"InstalledVersion": "1.4.2-2.el6_7.1",
"FixedVersion": "1.4.2-2.0.1.el6_7.1",
"Layer": {
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"Severity": "HIGH",
"References": [
"http://linux.oracle.com/cve/CVE-2019-5482.html",
"http://linux.oracle.com/errata/ELSA-2020-5562.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5482.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
},
{
"VulnerabilityID": "CVE-2019-5482",
"PkgName": "libcurl",
"InstalledVersion": "7.19.7-53.0.2.el6_9",
"FixedVersion": "7.19.7-54.0.2.el6_10",
"Layer": {
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3862",
"Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request",
"Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V2Score": 6.4,
"V3Score": 9.1
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 7.3
}
},
"SeveritySource": "nvd",
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"Severity": "HIGH",
"References": [
"http://linux.oracle.com/cve/CVE-2019-5482.html",
"http://linux.oracle.com/errata/ELSA-2020-5562.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5482.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"http://linux.oracle.com/cve/CVE-2019-3862.html",
"http://linux.oracle.com/errata/ELSA-2019-4693.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
"http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
"http://www.openwall.com/lists/oss-security/2019/03/18/3",
"http://www.securityfocus.com/bid/107485",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3862",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862",
"https://github.com/libssh2/libssh2/pull/316",
"https://libssh2.org/CVE-2019-3862.html",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://seclists.org/bugtraq/2019/Mar/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3862.html"
],
"PublishedDate": "2019-03-21T16:01:00Z",
"LastModifiedDate": "2019-04-15T12:31:00Z"
},
{
"VulnerabilityID": "CVE-2019-3855",
@@ -58,9 +65,25 @@
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3855",
"Title": "libssh2: Integer overflow in transport read resulting in out of bounds write",
"Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
"Severity": "HIGH",
"CweIDs": [
"CWE-190"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"V2Score": 9.3,
"V3Score": 8.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-3855.html",
"http://linux.oracle.com/errata/ELSA-2019-1652.html",
@@ -73,6 +96,7 @@
"https://access.redhat.com/errata/RHSA-2019:1175",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855",
"https://github.com/libssh2/libssh2/pull/315",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/",
@@ -82,7 +106,9 @@
"https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3855.html"
]
],
"PublishedDate": "2019-03-21T21:29:00Z",
"LastModifiedDate": "2019-05-14T21:29:00Z"
},
{
"VulnerabilityID": "CVE-2019-3856",
@@ -93,9 +119,25 @@
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3856",
"Title": "libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write",
"Description": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
"Severity": "MEDIUM",
"Severity": "HIGH",
"CweIDs": [
"CWE-190"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"V2Score": 6.8,
"V3Score": 8.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-3856.html",
"http://linux.oracle.com/errata/ELSA-2019-1652.html",
@@ -105,13 +147,16 @@
"https://access.redhat.com/errata/RHSA-2019:1175",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3856",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856",
"https://github.com/libssh2/libssh2/pull/315",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3856.html"
]
],
"PublishedDate": "2019-03-25T19:29:00Z",
"LastModifiedDate": "2019-05-14T21:29:00Z"
},
{
"VulnerabilityID": "CVE-2019-3857",
@@ -122,9 +167,25 @@
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3857",
"Title": "libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write",
"Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
"Severity": "MEDIUM",
"Severity": "HIGH",
"CweIDs": [
"CWE-190"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"V2Score": 6.8,
"V3Score": 8.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-3857.html",
"http://linux.oracle.com/errata/ELSA-2019-1652.html",
@@ -134,46 +195,16 @@
"https://access.redhat.com/errata/RHSA-2019:1175",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3857",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857",
"https://github.com/libssh2/libssh2/pull/315",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3857.html"
]
},
{
"VulnerabilityID": "CVE-2019-3862",
"PkgName": "libssh2",
"InstalledVersion": "1.4.2-2.el6_7.1",
"FixedVersion": "1.4.2-2.0.1.el6_7.1",
"Layer": {
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request",
"Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"Severity": "MEDIUM",
"References": [
"http://linux.oracle.com/cve/CVE-2019-3862.html",
"http://linux.oracle.com/errata/ELSA-2019-4693.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
"http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
"http://www.openwall.com/lists/oss-security/2019/03/18/3",
"http://www.securityfocus.com/bid/107485",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3862",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://seclists.org/bugtraq/2019/Mar/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3862.html"
]
],
"PublishedDate": "2019-03-25T19:29:00Z",
"LastModifiedDate": "2019-05-14T21:29:00Z"
},
{
"VulnerabilityID": "CVE-2019-3863",
@@ -184,9 +215,25 @@
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3863",
"Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes",
"Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.",
"Severity": "MEDIUM",
"Severity": "HIGH",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"V2Score": 6.8,
"V3Score": 8.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-3863.html",
"http://linux.oracle.com/errata/ELSA-2019-1652.html",
@@ -196,13 +243,16 @@
"https://access.redhat.com/errata/RHSA-2019:1175",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863",
"https://github.com/libssh2/libssh2/pull/315",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3863.html"
]
],
"PublishedDate": "2019-03-25T18:29:00Z",
"LastModifiedDate": "2019-05-14T21:29:00Z"
},
{
"VulnerabilityID": "CVE-2019-11745",
@@ -213,9 +263,23 @@
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11745",
"Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate",
"Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"V2Score": 6.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-11745.html",
"http://linux.oracle.com/errata/ELSA-2019-4190.html",
@@ -227,10 +291,18 @@
"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes",
"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes",
"https://usn.ubuntu.com/4241-1/",
"https://usn.ubuntu.com/usn/usn-4203-1",
"https://usn.ubuntu.com/usn/usn-4203-2",
"https://usn.ubuntu.com/usn/usn-4216-1",
"https://usn.ubuntu.com/usn/usn-4216-2",
"https://usn.ubuntu.com/usn/usn-4241-1",
"https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-11745",
"https://www.mozilla.org/security/advisories/mfsa2019-36/",
"https://www.mozilla.org/security/advisories/mfsa2019-37/",
"https://www.mozilla.org/security/advisories/mfsa2019-38/"
]
],
"PublishedDate": "2020-01-08T20:15:00Z",
"LastModifiedDate": "2020-01-16T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-11745",
@@ -241,9 +313,23 @@
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11745",
"Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate",
"Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"V2Score": 6.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-11745.html",
"http://linux.oracle.com/errata/ELSA-2019-4190.html",
@@ -255,10 +341,18 @@
"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes",
"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes",
"https://usn.ubuntu.com/4241-1/",
"https://usn.ubuntu.com/usn/usn-4203-1",
"https://usn.ubuntu.com/usn/usn-4203-2",
"https://usn.ubuntu.com/usn/usn-4216-1",
"https://usn.ubuntu.com/usn/usn-4216-2",
"https://usn.ubuntu.com/usn/usn-4241-1",
"https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-11745",
"https://www.mozilla.org/security/advisories/mfsa2019-36/",
"https://www.mozilla.org/security/advisories/mfsa2019-37/",
"https://www.mozilla.org/security/advisories/mfsa2019-38/"
]
],
"PublishedDate": "2020-01-08T20:15:00Z",
"LastModifiedDate": "2020-01-16T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1559",
@@ -269,9 +363,25 @@
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1559",
"Title": "openssl: 0-byte record padding oracle",
"Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V2Score": 4.3,
"V3Score": 5.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"V3Score": 6.8
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-1559.html",
"http://linux.oracle.com/errata/ELSA-2019-2471.html",
@@ -292,12 +402,15 @@
"https://security.netapp.com/advisory/ntap-20190423-0002/",
"https://support.f5.com/csp/article/K18549143",
"https://usn.ubuntu.com/3899-1/",
"https://usn.ubuntu.com/usn/usn-3899-1",
"https://www.debian.org/security/2019/dsa-4400",
"https://www.openssl.org/news/secadv/20190226.txt",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"https://www.tenable.com/security/tns-2019-02",
"https://www.tenable.com/security/tns-2019-03"
]
],
"PublishedDate": "2019-02-27T23:29:00Z",
"LastModifiedDate": "2019-05-22T00:29:00Z"
},
{
"VulnerabilityID": "CVE-2018-20852",
@@ -308,9 +421,25 @@
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20852",
"Title": "python: Cookie domain check returns incorrect results",
"Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 5.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2018-20852.html",
"http://linux.oracle.com/errata/ELSA-2019-4884.html",
@@ -319,8 +448,12 @@
"https://bugs.python.org/issue35121",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852",
"https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html",
"https://python-security.readthedocs.io/vuln/cookie-domain-check.html"
]
"https://python-security.readthedocs.io/vuln/cookie-domain-check.html",
"https://usn.ubuntu.com/usn/usn-4127-1",
"https://usn.ubuntu.com/usn/usn-4127-2"
],
"PublishedDate": "2019-07-13T21:15:00Z",
"LastModifiedDate": "2019-08-17T21:15:00Z"
},
{
"VulnerabilityID": "CVE-2018-20852",
@@ -331,9 +464,25 @@
"DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20852",
"Title": "python: Cookie domain check returns incorrect results",
"Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 5.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2018-20852.html",
"http://linux.oracle.com/errata/ELSA-2019-4884.html",
@@ -342,8 +491,12 @@
"https://bugs.python.org/issue35121",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852",
"https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html",
"https://python-security.readthedocs.io/vuln/cookie-domain-check.html"
]
"https://python-security.readthedocs.io/vuln/cookie-domain-check.html",
"https://usn.ubuntu.com/usn/usn-4127-1",
"https://usn.ubuntu.com/usn/usn-4127-2"
],
"PublishedDate": "2019-07-13T21:15:00Z",
"LastModifiedDate": "2019-08-17T21:15:00Z"
}
]
}

1889
integration/testdata/oraclelinux-7-slim.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

1097
integration/testdata/oraclelinux-8-slim.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

441
integration/testdata/photon-10.json.golden vendored
View File

@@ -12,14 +12,31 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
"Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
"Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-273"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"V2Score": 7.2
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.8
}
},
"References": [
"http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276",
"https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"
]
],
"PublishedDate": "2019-11-28T01:15:00Z",
"LastModifiedDate": "2020-01-22T14:27:00Z"
},
{
"VulnerabilityID": "CVE-2012-6711",
@@ -30,15 +47,33 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2012-6711",
"Title": "bash: heap-based buffer overflow during echo of unsupported characters",
"Description": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().",
"Severity": "HIGH",
"CweIDs": [
"CWE-119"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 4.6,
"V3Score": 7.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7
}
},
"References": [
"http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel\u0026id=863d31ae775d56b785dc5b0105b6d251515d81d5",
"http://www.securityfocus.com/bid/108824",
"https://bugzilla.redhat.com/show_bug.cgi?id=1721071",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6711"
]
],
"PublishedDate": "2019-06-18T18:15:00Z",
"LastModifiedDate": "2019-06-20T09:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5481",
@@ -49,17 +84,34 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"Title": "curl: double free due to subsequent call of realloc()",
"Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-415"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"V3Score": 5.7
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5482",
@@ -70,19 +122,35 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-120"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 6.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-5482.html",
"http://linux.oracle.com/errata/ELSA-2020-5562.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5482.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1",
"https://usn.ubuntu.com/usn/usn-4129-2"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-18218",
@@ -93,9 +161,23 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18218",
"Title": "file: heap-based buffer overflow in cdf_read_property_info in cdf.c",
"Description": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.8
}
},
"References": [
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218",
@@ -105,8 +187,12 @@
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VBK6XOJR6OVWT2FUEBO7V7KCOSSLAP52/",
"https://usn.ubuntu.com/4172-1/",
"https://usn.ubuntu.com/4172-2/",
"https://usn.ubuntu.com/usn/usn-4172-1",
"https://usn.ubuntu.com/usn/usn-4172-2",
"https://www.debian.org/security/2019/dsa-4550"
]
],
"PublishedDate": "2019-10-21T05:15:00Z",
"LastModifiedDate": "2019-10-26T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-20387",
@@ -117,15 +203,32 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-20387",
"Title": "libsolv: out-of-bounds read in repodata_schema2id in repodata.c",
"Description": "repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.",
"Severity": "HIGH",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387",
"https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da",
"https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da (0.7.6)",
"https://github.com/openSUSE/libsolv/compare/0.7.5...0.7.6",
"https://lists.debian.org/debian-lts-announce/2020/01/msg00034.html"
]
],
"PublishedDate": "2020-01-21T23:15:00Z",
"LastModifiedDate": "2020-01-30T21:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17498",
@@ -136,9 +239,23 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17498",
"Title": "libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c",
"Description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.",
"Severity": "HIGH",
"CweIDs": [
"CWE-190"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html",
"https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/",
@@ -148,47 +265,9 @@
"https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94",
"https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/"
]
},
{
"VulnerabilityID": "CVE-2019-17594",
"PkgName": "ncurses",
"InstalledVersion": "6.0-9.ph1",
"FixedVersion": "6.0-10.ph1",
"Layer": {
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "HIGH",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
},
{
"VulnerabilityID": "CVE-2019-17595",
"PkgName": "ncurses",
"InstalledVersion": "6.0-9.ph1",
"FixedVersion": "6.0-10.ph1",
"Layer": {
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-21T22:15:00Z",
"LastModifiedDate": "2019-11-07T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
@@ -199,9 +278,23 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
@@ -212,7 +305,9 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
@@ -223,11 +318,24 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
@@ -239,7 +347,9 @@
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
]
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
@@ -250,9 +360,23 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -262,7 +386,9 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19317",
@@ -273,14 +399,30 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19317",
"Title": "sqlite: omits bits from the colUsed bitmask in the case of a generated column",
"Description": "lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://github.com/sqlite/sqlite/commit/522ebfa7cee96fb325a22ea3a2464a63485886a8",
"https://github.com/sqlite/sqlite/commit/73bacb7f93eab9f4bd5a65cbc4ae242acf63c9e3",
"https://security.netapp.com/advisory/ntap-20191223-0001/"
]
],
"PublishedDate": "2019-12-05T14:15:00Z",
"LastModifiedDate": "2020-01-07T21:36:00Z"
},
{
"VulnerabilityID": "CVE-2019-19603",
@@ -291,14 +433,28 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19603",
"Title": "sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS",
"Description": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.",
"Severity": "CRITICAL",
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19603",
"https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13",
"https://security.netapp.com/advisory/ntap-20191223-0001/",
"https://www.sqlite.org/"
]
],
"PublishedDate": "2019-12-09T19:15:00Z",
"LastModifiedDate": "2020-02-03T14:22:00Z"
},
{
"VulnerabilityID": "CVE-2019-19646",
@@ -309,15 +465,31 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19646",
"Title": "sqlite: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns",
"Description": "pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-754"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 6.3
}
},
"References": [
"https://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3",
"https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd",
"https://security.netapp.com/advisory/ntap-20191223-0001/",
"https://www.sqlite.org/"
]
],
"PublishedDate": "2019-12-09T19:15:00Z",
"LastModifiedDate": "2019-12-23T05:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-20218",
@@ -328,13 +500,29 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-20218",
"Title": "sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error",
"Description": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-755"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387",
"https://usn.ubuntu.com/4298-1/"
]
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20218",
"https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387"
],
"PublishedDate": "2020-01-02T14:16:00Z",
"LastModifiedDate": "2020-01-16T20:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-19244",
@@ -345,13 +533,31 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19244",
"Title": "sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage",
"Description": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.",
"Severity": "HIGH",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244",
"https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348",
"https://usn.ubuntu.com/4205-1/"
]
"https://usn.ubuntu.com/4205-1/",
"https://usn.ubuntu.com/usn/usn-4205-1"
],
"PublishedDate": "2019-11-25T20:15:00Z",
"LastModifiedDate": "2019-12-04T16:11:00Z"
},
{
"VulnerabilityID": "CVE-2019-19880",
@@ -362,14 +568,30 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19880",
"Title": "sqlite: invalid pointer dereference in exprListAppendList in window.c",
"Description": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880",
"https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54",
"https://security.netapp.com/advisory/ntap-20200114-0001/"
]
],
"PublishedDate": "2019-12-18T06:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19923",
@@ -380,14 +602,30 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19923",
"Title": "sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference",
"Description": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923",
"https://github.com/sqlite/sqlite/commit/396afe6f6aa90a31303c183e11b2b2d4b7956b35",
"https://security.netapp.com/advisory/ntap-20200114-0003/"
]
],
"PublishedDate": "2019-12-24T16:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19925",
@@ -398,14 +636,30 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19925",
"Title": "sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive",
"Description": "zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.",
"Severity": "HIGH",
"CweIDs": [
"CWE-434"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19925",
"https://github.com/sqlite/sqlite/commit/54d501092d88c0cf89bec4279951f548fb0b8618",
"https://security.netapp.com/advisory/ntap-20200114-0003/"
]
],
"PublishedDate": "2019-12-24T17:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19926",
@@ -416,14 +670,30 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19926",
"Title": "sqlite: error mishandling because of incomplete fix of CVE-2019-19880",
"Description": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926",
"https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089",
"https://security.netapp.com/advisory/ntap-20200114-0003/"
]
],
"PublishedDate": "2019-12-23T01:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19959",
@@ -434,14 +704,28 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19959",
"Title": "sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames",
"Description": "ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.",
"Severity": "HIGH",
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 7.3
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19959",
"https://github.com/sqlite/sqlite/commit/1e490c4ca6b43a9cf8637d695907888349f69bec",
"https://github.com/sqlite/sqlite/commit/d8f2d46cbc9925e034a68aaaf60aad788d9373c1",
"https://security.netapp.com/advisory/ntap-20200204-0001/"
]
],
"PublishedDate": "2020-01-03T22:15:00Z",
"LastModifiedDate": "2020-02-04T12:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19645",
@@ -452,13 +736,30 @@
"DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19645",
"Title": "sqlite: infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements",
"Description": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-674"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 2.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645",
"https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06",
"https://security.netapp.com/advisory/ntap-20191223-0001/"
]
],
"PublishedDate": "2019-12-09T16:15:00Z",
"LastModifiedDate": "2019-12-23T05:15:00Z"
}
]
}

566
integration/testdata/photon-20.json.golden vendored
View File

@@ -12,14 +12,31 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
"Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
"Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-273"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"V2Score": 7.2
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.8
}
},
"References": [
"http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276",
"https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"
]
],
"PublishedDate": "2019-11-28T01:15:00Z",
"LastModifiedDate": "2020-01-22T14:27:00Z"
},
{
"VulnerabilityID": "CVE-2019-5481",
@@ -30,17 +47,34 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"Title": "curl: double free due to subsequent call of realloc()",
"Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-415"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"V3Score": 5.7
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5482",
@@ -51,19 +85,35 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-120"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 6.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-5482.html",
"http://linux.oracle.com/errata/ELSA-2020-5562.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5482.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1",
"https://usn.ubuntu.com/usn/usn-4129-2"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2018-16890",
@@ -74,9 +124,25 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16890",
"Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
"Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 5,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"V3Score": 4.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2018-16890.html",
"http://linux.oracle.com/errata/ELSA-2019-3701.html",
@@ -88,10 +154,13 @@
"https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E",
"https://security.netapp.com/advisory/ntap-20190315-0001/",
"https://usn.ubuntu.com/3882-1/",
"https://usn.ubuntu.com/usn/usn-3882-1",
"https://www.debian.org/security/2019/dsa-4386",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
]
],
"PublishedDate": "2019-02-06T20:29:00Z",
"LastModifiedDate": "2019-07-23T23:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5481",
@@ -102,17 +171,34 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"Title": "curl: double free due to subsequent call of realloc()",
"Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-415"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"V3Score": 5.7
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5482",
@@ -123,19 +209,35 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-120"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 6.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-5482.html",
"http://linux.oracle.com/errata/ELSA-2020-5562.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5482.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1",
"https://usn.ubuntu.com/usn/usn-4129-2"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2018-16890",
@@ -146,9 +248,25 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16890",
"Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
"Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 5,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"V3Score": 4.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2018-16890.html",
"http://linux.oracle.com/errata/ELSA-2019-3701.html",
@@ -160,10 +278,13 @@
"https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E",
"https://security.netapp.com/advisory/ntap-20190315-0001/",
"https://usn.ubuntu.com/3882-1/",
"https://usn.ubuntu.com/usn/usn-3882-1",
"https://www.debian.org/security/2019/dsa-4386",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
]
],
"PublishedDate": "2019-02-06T20:29:00Z",
"LastModifiedDate": "2019-07-23T23:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
@@ -174,17 +295,35 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -195,17 +334,34 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2018-20843",
@@ -216,9 +372,25 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20843",
"Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS",
"Description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
"Severity": "HIGH",
"CweIDs": [
"CWE-611"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 7.8,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
}
},
"References": [
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226",
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031",
@@ -232,8 +404,12 @@
"https://security.netapp.com/advisory/ntap-20190703-0001/",
"https://usn.ubuntu.com/4040-1/",
"https://usn.ubuntu.com/4040-2/",
"https://usn.ubuntu.com/usn/usn-4040-1",
"https://usn.ubuntu.com/usn/usn-4040-2",
"https://www.debian.org/security/2019/dsa-4472"
]
],
"PublishedDate": "2019-06-24T17:15:00Z",
"LastModifiedDate": "2019-06-26T21:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-20387",
@@ -244,15 +420,32 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-20387",
"Title": "libsolv: out-of-bounds read in repodata_schema2id in repodata.c",
"Description": "repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.",
"Severity": "HIGH",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387",
"https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da",
"https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da (0.7.6)",
"https://github.com/openSUSE/libsolv/compare/0.7.5...0.7.6",
"https://lists.debian.org/debian-lts-announce/2020/01/msg00034.html"
]
],
"PublishedDate": "2020-01-21T23:15:00Z",
"LastModifiedDate": "2020-01-30T21:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-13115",
@@ -263,9 +456,25 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-13115",
"Title": "libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write",
"Description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.",
"Severity": "HIGH",
"CweIDs": [
"CWE-190"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"V2Score": 5.8,
"V3Score": 8.1
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H",
"V3Score": 6.8
}
},
"References": [
"https://blog.semmle.com/libssh2-integer-overflow/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115",
@@ -273,7 +482,9 @@
"https://github.com/libssh2/libssh2/pull/350",
"https://libssh2.org/changes.html",
"https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html"
]
],
"PublishedDate": "2019-07-16T18:15:00Z",
"LastModifiedDate": "2019-07-25T21:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17498",
@@ -284,9 +495,23 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17498",
"Title": "libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c",
"Description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.",
"Severity": "HIGH",
"CweIDs": [
"CWE-190"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html",
"https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/",
@@ -296,7 +521,9 @@
"https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94",
"https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/"
]
],
"PublishedDate": "2019-10-21T22:15:00Z",
"LastModifiedDate": "2019-11-07T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17594",
@@ -307,16 +534,32 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
"Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "HIGH",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-26T15:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-17595",
@@ -327,16 +570,32 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
"Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
"Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"V3Score": 5.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
"https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
]
],
"PublishedDate": "2019-10-14T21:15:00Z",
"LastModifiedDate": "2019-12-23T19:26:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
@@ -347,9 +606,23 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
@@ -360,7 +633,9 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
@@ -371,9 +646,23 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -383,7 +672,9 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19317",
@@ -394,14 +685,30 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19317",
"Title": "sqlite: omits bits from the colUsed bitmask in the case of a generated column",
"Description": "lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://github.com/sqlite/sqlite/commit/522ebfa7cee96fb325a22ea3a2464a63485886a8",
"https://github.com/sqlite/sqlite/commit/73bacb7f93eab9f4bd5a65cbc4ae242acf63c9e3",
"https://security.netapp.com/advisory/ntap-20191223-0001/"
]
],
"PublishedDate": "2019-12-05T14:15:00Z",
"LastModifiedDate": "2020-01-07T21:36:00Z"
},
{
"VulnerabilityID": "CVE-2019-19603",
@@ -412,14 +719,28 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19603",
"Title": "sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS",
"Description": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.",
"Severity": "CRITICAL",
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19603",
"https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13",
"https://security.netapp.com/advisory/ntap-20191223-0001/",
"https://www.sqlite.org/"
]
],
"PublishedDate": "2019-12-09T19:15:00Z",
"LastModifiedDate": "2020-02-03T14:22:00Z"
},
{
"VulnerabilityID": "CVE-2019-19646",
@@ -430,15 +751,31 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19646",
"Title": "sqlite: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns",
"Description": "pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-754"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 6.3
}
},
"References": [
"https://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3",
"https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd",
"https://security.netapp.com/advisory/ntap-20191223-0001/",
"https://www.sqlite.org/"
]
],
"PublishedDate": "2019-12-09T19:15:00Z",
"LastModifiedDate": "2019-12-23T05:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-20218",
@@ -449,13 +786,29 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-20218",
"Title": "sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error",
"Description": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-755"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387",
"https://usn.ubuntu.com/4298-1/"
]
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20218",
"https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387"
],
"PublishedDate": "2020-01-02T14:16:00Z",
"LastModifiedDate": "2020-01-16T20:35:00Z"
},
{
"VulnerabilityID": "CVE-2019-16168",
@@ -466,21 +819,39 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16168",
"Title": "sqlite: division by zero in whereLoopAddBtreeIndex in sqlite3.c",
"Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
"Severity": "HIGH",
"CweIDs": [
"CWE-369"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"V3Score": 6.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/",
"https://security.netapp.com/advisory/ntap-20190926-0003/",
"https://security.netapp.com/advisory/ntap-20200122-0003/",
"https://usn.ubuntu.com/4205-1/",
"https://usn.ubuntu.com/usn/usn-4205-1",
"https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62",
"https://www.sqlite.org/src/timeline?c=98357d8c1263920b"
]
],
"PublishedDate": "2019-09-09T17:15:00Z",
"LastModifiedDate": "2020-01-15T20:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19244",
@@ -491,13 +862,31 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19244",
"Title": "sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage",
"Description": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.",
"Severity": "HIGH",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244",
"https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348",
"https://usn.ubuntu.com/4205-1/"
]
"https://usn.ubuntu.com/4205-1/",
"https://usn.ubuntu.com/usn/usn-4205-1"
],
"PublishedDate": "2019-11-25T20:15:00Z",
"LastModifiedDate": "2019-12-04T16:11:00Z"
},
{
"VulnerabilityID": "CVE-2019-19880",
@@ -508,14 +897,30 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19880",
"Title": "sqlite: invalid pointer dereference in exprListAppendList in window.c",
"Description": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880",
"https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54",
"https://security.netapp.com/advisory/ntap-20200114-0001/"
]
],
"PublishedDate": "2019-12-18T06:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19923",
@@ -526,14 +931,30 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19923",
"Title": "sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference",
"Description": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923",
"https://github.com/sqlite/sqlite/commit/396afe6f6aa90a31303c183e11b2b2d4b7956b35",
"https://security.netapp.com/advisory/ntap-20200114-0003/"
]
],
"PublishedDate": "2019-12-24T16:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19925",
@@ -544,14 +965,30 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19925",
"Title": "sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive",
"Description": "zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.",
"Severity": "HIGH",
"CweIDs": [
"CWE-434"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19925",
"https://github.com/sqlite/sqlite/commit/54d501092d88c0cf89bec4279951f548fb0b8618",
"https://security.netapp.com/advisory/ntap-20200114-0003/"
]
],
"PublishedDate": "2019-12-24T17:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19926",
@@ -562,14 +999,30 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19926",
"Title": "sqlite: error mishandling because of incomplete fix of CVE-2019-19880",
"Description": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926",
"https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089",
"https://security.netapp.com/advisory/ntap-20200114-0003/"
]
],
"PublishedDate": "2019-12-23T01:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19959",
@@ -580,14 +1033,28 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19959",
"Title": "sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames",
"Description": "ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.",
"Severity": "HIGH",
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 7.3
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19959",
"https://github.com/sqlite/sqlite/commit/1e490c4ca6b43a9cf8637d695907888349f69bec",
"https://github.com/sqlite/sqlite/commit/d8f2d46cbc9925e034a68aaaf60aad788d9373c1",
"https://security.netapp.com/advisory/ntap-20200204-0001/"
]
],
"PublishedDate": "2020-01-03T22:15:00Z",
"LastModifiedDate": "2020-02-04T12:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19645",
@@ -598,13 +1065,30 @@
"DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19645",
"Title": "sqlite: infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements",
"Description": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-674"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 2.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645",
"https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06",
"https://security.netapp.com/advisory/ntap-20191223-0001/"
]
],
"PublishedDate": "2019-12-09T16:15:00Z",
"LastModifiedDate": "2019-12-23T05:15:00Z"
}
]
}

338
integration/testdata/photon-30.json.golden vendored
View File

@@ -12,14 +12,31 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
"Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
"Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-273"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"V2Score": 7.2
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.8
}
},
"References": [
"http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276",
"https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"
]
],
"PublishedDate": "2019-11-28T01:15:00Z",
"LastModifiedDate": "2020-01-22T14:27:00Z"
},
{
"VulnerabilityID": "CVE-2019-5481",
@@ -30,17 +47,34 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"Title": "curl: double free due to subsequent call of realloc()",
"Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-415"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"V3Score": 5.7
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5482",
@@ -51,19 +85,35 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-120"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 6.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-5482.html",
"http://linux.oracle.com/errata/ELSA-2020-5562.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5482.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1",
"https://usn.ubuntu.com/usn/usn-4129-2"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5481",
@@ -74,17 +124,34 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"Title": "curl: double free due to subsequent call of realloc()",
"Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-415"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"V3Score": 5.7
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5481.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5482",
@@ -95,19 +162,35 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-120"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 6.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-5482.html",
"http://linux.oracle.com/errata/ELSA-2020-5562.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
"https://curl.haxx.se/docs/CVE-2019-5482.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
"https://usn.ubuntu.com/usn/usn-4129-1",
"https://usn.ubuntu.com/usn/usn-4129-2"
],
"PublishedDate": "2019-09-16T19:15:00Z",
"LastModifiedDate": "2019-09-18T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
@@ -118,17 +201,35 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -139,17 +240,34 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-20387",
@@ -160,15 +278,32 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-20387",
"Title": "libsolv: out-of-bounds read in repodata_schema2id in repodata.c",
"Description": "repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.",
"Severity": "HIGH",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387",
"https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da",
"https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da (0.7.6)",
"https://github.com/openSUSE/libsolv/compare/0.7.5...0.7.6",
"https://lists.debian.org/debian-lts-announce/2020/01/msg00034.html"
]
],
"PublishedDate": "2020-01-21T23:15:00Z",
"LastModifiedDate": "2020-01-30T21:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-17498",
@@ -179,9 +314,23 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17498",
"Title": "libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c",
"Description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.",
"Severity": "HIGH",
"CweIDs": [
"CWE-190"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"V2Score": 5.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"V3Score": 6.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html",
"https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/",
@@ -191,7 +340,9 @@
"https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94",
"https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/"
]
],
"PublishedDate": "2019-10-21T22:15:00Z",
"LastModifiedDate": "2019-11-07T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1547",
@@ -202,9 +353,23 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
"Title": "openssl: side-channel weak encryption vulnerability",
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 1.9
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://arxiv.org/abs/1909.01785",
@@ -215,7 +380,9 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T16:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1551",
@@ -226,11 +393,24 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-200"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 4.8
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
@@ -242,7 +422,9 @@
"https://www.debian.org/security/2019/dsa-4594",
"https://www.openssl.org/news/secadv/20191206.txt",
"https://www.tenable.com/security/tns-2019-09"
]
],
"PublishedDate": "2019-12-06T18:15:00Z",
"LastModifiedDate": "2019-12-25T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-1563",
@@ -253,9 +435,23 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "LOW",
"CweIDs": [
"CWE-311"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 3.7
}
},
"References": [
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -265,7 +461,9 @@
"https://seclists.org/bugtraq/2019/Sep/25",
"https://security.netapp.com/advisory/ntap-20190919-0002/",
"https://www.openssl.org/news/secadv/20190910.txt"
]
],
"PublishedDate": "2019-09-10T17:15:00Z",
"LastModifiedDate": "2019-09-12T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-16168",
@@ -276,21 +474,39 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16168",
"Title": "sqlite: division by zero in whereLoopAddBtreeIndex in sqlite3.c",
"Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
"Severity": "HIGH",
"CweIDs": [
"CWE-369"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"V2Score": 4.3
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"V3Score": 6.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/",
"https://security.netapp.com/advisory/ntap-20190926-0003/",
"https://security.netapp.com/advisory/ntap-20200122-0003/",
"https://usn.ubuntu.com/4205-1/",
"https://usn.ubuntu.com/usn/usn-4205-1",
"https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62",
"https://www.sqlite.org/src/timeline?c=98357d8c1263920b"
]
],
"PublishedDate": "2019-09-09T17:15:00Z",
"LastModifiedDate": "2020-01-15T20:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19244",
@@ -301,13 +517,31 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19244",
"Title": "sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage",
"Description": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.",
"Severity": "HIGH",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244",
"https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348",
"https://usn.ubuntu.com/4205-1/"
]
"https://usn.ubuntu.com/4205-1/",
"https://usn.ubuntu.com/usn/usn-4205-1"
],
"PublishedDate": "2019-11-25T20:15:00Z",
"LastModifiedDate": "2019-12-04T16:11:00Z"
},
{
"VulnerabilityID": "CVE-2019-19923",
@@ -318,14 +552,30 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19923",
"Title": "sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference",
"Description": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923",
"https://github.com/sqlite/sqlite/commit/396afe6f6aa90a31303c183e11b2b2d4b7956b35",
"https://security.netapp.com/advisory/ntap-20200114-0003/"
]
],
"PublishedDate": "2019-12-24T16:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19926",
@@ -336,14 +586,30 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19926",
"Title": "sqlite: error mishandling because of incomplete fix of CVE-2019-19880",
"Description": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926",
"https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089",
"https://security.netapp.com/advisory/ntap-20200114-0003/"
]
],
"PublishedDate": "2019-12-23T01:15:00Z",
"LastModifiedDate": "2020-01-14T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-19959",
@@ -354,14 +620,28 @@
"DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
},
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19959",
"Title": "sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames",
"Description": "ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.",
"Severity": "HIGH",
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"V2Score": 5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 7.3
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19959",
"https://github.com/sqlite/sqlite/commit/1e490c4ca6b43a9cf8637d695907888349f69bec",
"https://github.com/sqlite/sqlite/commit/d8f2d46cbc9925e034a68aaaf60aad788d9373c1",
"https://security.netapp.com/advisory/ntap-20200204-0001/"
]
],
"PublishedDate": "2020-01-03T22:15:00Z",
"LastModifiedDate": "2020-02-04T12:15:00Z"
}
]
}

BIN
integration/testdata/trivy.db.gz vendored
View File

Binary file not shown.

14026
integration/testdata/ubi-7.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

3746
integration/testdata/ubuntu-1604.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

454
integration/testdata/ubuntu-1804-ignore-unfixed.json.golden vendored
View File

@@ -12,17 +12,35 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -33,17 +51,34 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
@@ -54,17 +89,35 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -75,17 +128,34 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
@@ -96,17 +166,35 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -117,17 +205,34 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-13627",
@@ -138,9 +243,23 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-13627",
"Title": "libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library",
"Description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-362"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"V2Score": 6.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"V3Score": 6.3
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html",
"http://www.openwall.com/lists/oss-security/2019/10/02/2",
@@ -149,8 +268,13 @@
"https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html",
"https://minerva.crocs.fi.muni.cz/",
"https://security-tracker.debian.org/tracker/CVE-2019-13627"
]
"https://security-tracker.debian.org/tracker/CVE-2019-13627",
"https://usn.ubuntu.com/usn/usn-4236-1",
"https://usn.ubuntu.com/usn/usn-4236-2",
"https://usn.ubuntu.com/usn/usn-4236-3"
],
"PublishedDate": "2019-09-25T15:15:00Z",
"LastModifiedDate": "2019-10-03T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-12290",
@@ -161,14 +285,28 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-12290",
"Description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"V2Score": 5
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290",
"https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5",
"https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de",
"https://gitlab.com/libidn/libidn2/merge_requests/71",
"https://usn.ubuntu.com/4168-1/"
]
"https://usn.ubuntu.com/4168-1/",
"https://usn.ubuntu.com/usn/usn-4168-1"
],
"PublishedDate": "2019-10-22T16:15:00Z",
"LastModifiedDate": "2019-10-29T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-18224",
@@ -179,9 +317,23 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
"Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
"Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
},
"References": [
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
@@ -189,8 +341,11 @@
"https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
"https://usn.ubuntu.com/4168-1/"
]
"https://usn.ubuntu.com/4168-1/",
"https://usn.ubuntu.com/usn/usn-4168-1"
],
"PublishedDate": "2019-10-21T17:15:00Z",
"LastModifiedDate": "2019-10-29T19:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
@@ -201,17 +356,35 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://usn.ubuntu.com/4142-2/",
"https://usn.ubuntu.com/usn/usn-4142-1",
"https://usn.ubuntu.com/usn/usn-4142-2",
"https://www.debian.org/security/2019/dsa-4535"
]
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2019-09-28T03:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5188",
@@ -222,17 +395,34 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
"Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
"Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V2Score": 4.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
"https://usn.ubuntu.com/4249-1/"
]
"https://usn.ubuntu.com/4249-1/",
"https://usn.ubuntu.com/usn/usn-4249-1"
],
"PublishedDate": "2020-01-08T16:15:00Z",
"LastModifiedDate": "2020-01-28T06:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-15718",
@@ -243,9 +433,25 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15718",
"Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
"Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-284"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"V2Score": 2.1,
"V3Score": 5.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-15718.html",
"http://linux.oracle.com/errata/ELSA-2019-3592.html",
@@ -254,8 +460,11 @@
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/",
"https://usn.ubuntu.com/usn/usn-4120-1"
],
"PublishedDate": "2019-09-04T12:15:00Z",
"LastModifiedDate": "2019-09-19T04:15:00Z"
},
{
"VulnerabilityID": "CVE-2020-1712",
@@ -266,12 +475,21 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1712",
"Title": "systemd: use-after-free when asynchronous polkit queries are performed",
"Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.",
"Severity": "MEDIUM",
"CVSS": {
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.8
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2020-1712.html",
"http://linux.oracle.com/errata/ELSA-2020-0575.html"
"http://linux.oracle.com/errata/ELSA-2020-0575.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1712",
"https://usn.ubuntu.com/usn/usn-4269-1"
]
},
{
@@ -283,15 +501,33 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-20386",
"Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received",
"Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.",
"Severity": "LOW",
"CweIDs": [
"CWE-772"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 2.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 2.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20386",
"https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad",
"https://security.netapp.com/advisory/ntap-20200210-0002/",
"https://usn.ubuntu.com/4269-1/"
]
"https://usn.ubuntu.com/4269-1/",
"https://usn.ubuntu.com/usn/usn-4269-1"
],
"PublishedDate": "2020-01-21T06:15:00Z",
"LastModifiedDate": "2020-02-10T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-3843",
@@ -302,15 +538,36 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3843",
"Title": "systemd: services with DynamicUser can create SUID/SGID binaries",
"Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.",
"Severity": "LOW",
"CweIDs": [
"CWE-264"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 4.6,
"V3Score": 7.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 4.5
}
},
"References": [
"http://www.securityfocus.com/bid/108116",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3843",
"https://github.com/systemd/systemd-stable/pull/54 (backport for v241-stable)",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/",
"https://security.netapp.com/advisory/ntap-20190619-0002/"
]
"https://security.netapp.com/advisory/ntap-20190619-0002/",
"https://usn.ubuntu.com/usn/usn-4269-1"
],
"PublishedDate": "2019-04-26T21:29:00Z",
"LastModifiedDate": "2019-06-19T10:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-3844",
@@ -321,14 +578,34 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3844",
"Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries",
"Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.",
"Severity": "LOW",
"CweIDs": [
"CWE-264"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 4.6,
"V3Score": 7.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 4.5
}
},
"References": [
"http://www.securityfocus.com/bid/108096",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844",
"https://security.netapp.com/advisory/ntap-20190619-0002/"
]
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3844",
"https://security.netapp.com/advisory/ntap-20190619-0002/",
"https://usn.ubuntu.com/usn/usn-4269-1"
],
"PublishedDate": "2019-04-26T21:29:00Z",
"LastModifiedDate": "2019-06-19T10:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-15718",
@@ -339,9 +616,25 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15718",
"Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
"Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-284"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"V2Score": 2.1,
"V3Score": 5.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.3
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2019-15718.html",
"http://linux.oracle.com/errata/ELSA-2019-3592.html",
@@ -350,8 +643,11 @@
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/"
]
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/",
"https://usn.ubuntu.com/usn/usn-4120-1"
],
"PublishedDate": "2019-09-04T12:15:00Z",
"LastModifiedDate": "2019-09-19T04:15:00Z"
},
{
"VulnerabilityID": "CVE-2020-1712",
@@ -362,12 +658,21 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1712",
"Title": "systemd: use-after-free when asynchronous polkit queries are performed",
"Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.",
"Severity": "MEDIUM",
"CVSS": {
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.8
}
},
"References": [
"http://linux.oracle.com/cve/CVE-2020-1712.html",
"http://linux.oracle.com/errata/ELSA-2020-0575.html"
"http://linux.oracle.com/errata/ELSA-2020-0575.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1712",
"https://usn.ubuntu.com/usn/usn-4269-1"
]
},
{
@@ -379,15 +684,33 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-20386",
"Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received",
"Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.",
"Severity": "LOW",
"CweIDs": [
"CWE-772"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"V2Score": 2.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 2.4
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20386",
"https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad",
"https://security.netapp.com/advisory/ntap-20200210-0002/",
"https://usn.ubuntu.com/4269-1/"
]
"https://usn.ubuntu.com/4269-1/",
"https://usn.ubuntu.com/usn/usn-4269-1"
],
"PublishedDate": "2020-01-21T06:15:00Z",
"LastModifiedDate": "2020-02-10T11:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-3843",
@@ -398,15 +721,36 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3843",
"Title": "systemd: services with DynamicUser can create SUID/SGID binaries",
"Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.",
"Severity": "LOW",
"CweIDs": [
"CWE-264"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 4.6,
"V3Score": 7.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 4.5
}
},
"References": [
"http://www.securityfocus.com/bid/108116",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3843",
"https://github.com/systemd/systemd-stable/pull/54 (backport for v241-stable)",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/",
"https://security.netapp.com/advisory/ntap-20190619-0002/"
]
"https://security.netapp.com/advisory/ntap-20190619-0002/",
"https://usn.ubuntu.com/usn/usn-4269-1"
],
"PublishedDate": "2019-04-26T21:29:00Z",
"LastModifiedDate": "2019-06-19T10:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-3844",
@@ -417,14 +761,34 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3844",
"Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries",
"Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.",
"Severity": "LOW",
"CweIDs": [
"CWE-264"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 4.6,
"V3Score": 7.8
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 4.5
}
},
"References": [
"http://www.securityfocus.com/bid/108096",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844",
"https://security.netapp.com/advisory/ntap-20190619-0002/"
]
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3844",
"https://security.netapp.com/advisory/ntap-20190619-0002/",
"https://usn.ubuntu.com/usn/usn-4269-1"
],
"PublishedDate": "2019-04-26T21:29:00Z",
"LastModifiedDate": "2019-06-19T10:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-11922",
@@ -435,15 +799,31 @@
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11922",
"Description": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-362"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 6.8,
"V3Score": 8.1
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11922",
"https://github.com/facebook/zstd/commit/3e5cdf1b6a85843e991d7d10f6a2567c15580da0",
"https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0",
"https://usn.ubuntu.com/usn/usn-4108-1",
"https://www.facebook.com/security/advisories/cve-2019-11922"
]
],
"PublishedDate": "2019-07-25T21:15:00Z",
"LastModifiedDate": "2019-08-12T21:15:00Z"
}
]
}

1690
integration/testdata/ubuntu-1804.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

54
internal/app.go
View File

@@ -20,6 +20,7 @@ import (
"github.com/aquasecurity/trivy/pkg/vulnerability"
)
// VersionInfo holds the trivy DB version Info
type VersionInfo struct {
Version string `json:",omitempty"`
VulnerabilityDB *db.Metadata `json:",omitempty"`
@@ -143,6 +144,13 @@ var (
EnvVars: []string{"TRIVY_CACHE_DIR"},
}
cacheBackendFlag = cli.StringFlag{
Name: "cache-backend",
Value: "fs",
Usage: "cache backend (e.g. redis://localhost:6379)",
EnvVars: []string{"TRIVY_CACHE_BACKEND"},
}
ignoreFileFlag = cli.StringFlag{
Name: "ignorefile",
Value: vulnerability.DefaultIgnoreFile,
@@ -188,6 +196,18 @@ var (
EnvVars: []string{"TRIVY_LIST_ALL_PKGS"},
}
skipFiles = cli.StringFlag{
Name: "skip-files",
Usage: "specify the file path to skip traversal",
EnvVars: []string{"TRIVY_SKIP_FILES"},
}
skipDirectories = cli.StringFlag{
Name: "skip-dirs",
Usage: "specify the directory where the traversal is skipped",
EnvVars: []string{"TRIVY_SKIP_DIRS"},
}
globalFlags = []cli.Flag{
&quietFlag,
&debugFlag,
@@ -214,6 +234,9 @@ var (
&lightFlag,
&ignorePolicy,
&listAllPackages,
&skipFiles,
&skipDirectories,
&cacheBackendFlag,
}
// deprecated options
@@ -236,6 +259,7 @@ var (
}
)
// NewApp is the factory method to return Trivy CLI
func NewApp(version string) *cli.App {
cli.VersionPrinter = func(c *cli.Context) {
showVersion(c.String("cache-dir"), c.String("format"), c.App.Version, c.App.Writer)
@@ -293,19 +317,20 @@ func setHidden(flags []cli.Flag, hidden bool) []cli.Flag {
func showVersion(cacheDir, outputFormat, version string, outputWriter io.Writer) {
var dbMeta *db.Metadata
metadata, _ := tdb.NewMetadata(afero.NewOsFs(), cacheDir).Get()
metadata, _ := tdb.NewMetadata(afero.NewOsFs(), cacheDir).Get() // nolint: errcheck
if !metadata.UpdatedAt.IsZero() && !metadata.NextUpdate.IsZero() && metadata.Version != 0 {
dbMeta = &db.Metadata{
Version: metadata.Version,
Type: metadata.Type,
NextUpdate: metadata.NextUpdate.UTC(),
UpdatedAt: metadata.UpdatedAt.UTC(),
Version: metadata.Version,
Type: metadata.Type,
NextUpdate: metadata.NextUpdate.UTC(),
UpdatedAt: metadata.UpdatedAt.UTC(),
DownloadedAt: metadata.DownloadedAt.UTC(),
}
}
switch outputFormat {
case "json":
b, _ := json.Marshal(VersionInfo{
b, _ := json.Marshal(VersionInfo{ // nolint: errcheck
Version: version,
VulnerabilityDB: dbMeta,
})
@@ -325,12 +350,14 @@ func showVersion(cacheDir, outputFormat, version string, outputWriter io.Writer)
Version: %d
UpdatedAt: %s
NextUpdate: %s
`, dbType, dbMeta.Version, dbMeta.UpdatedAt.UTC(), dbMeta.NextUpdate.UTC())
DownloadedAt: %s
`, dbType, dbMeta.Version, dbMeta.UpdatedAt.UTC(), dbMeta.NextUpdate.UTC(), dbMeta.DownloadedAt.UTC())
}
fmt.Fprintf(outputWriter, output)
}
}
// NewImageCommand is the factory method to add image command
func NewImageCommand() *cli.Command {
return &cli.Command{
Name: "image",
@@ -342,6 +369,7 @@ func NewImageCommand() *cli.Command {
}
}
// NewFilesystemCommand is the factory method to add filesystem command
func NewFilesystemCommand() *cli.Command {
return &cli.Command{
Name: "filesystem",
@@ -356,6 +384,7 @@ func NewFilesystemCommand() *cli.Command {
&severityFlag,
&outputFlag,
&exitCodeFlag,
&skipUpdateFlag,
&clearCacheFlag,
&quietFlag,
&ignoreUnfixedFlag,
@@ -364,14 +393,18 @@ func NewFilesystemCommand() *cli.Command {
&vulnTypeFlag,
&ignoreFileFlag,
&cacheDirFlag,
&cacheBackendFlag,
&timeoutFlag,
&noProgressFlag,
&ignorePolicy,
&listAllPackages,
&skipFiles,
&skipDirectories,
},
}
}
// NewRepositoryCommand is the factory method to add repository command
func NewRepositoryCommand() *cli.Command {
return &cli.Command{
Name: "repository",
@@ -386,6 +419,7 @@ func NewRepositoryCommand() *cli.Command {
&severityFlag,
&outputFlag,
&exitCodeFlag,
&skipUpdateFlag,
&clearCacheFlag,
&quietFlag,
&ignoreUnfixedFlag,
@@ -394,14 +428,18 @@ func NewRepositoryCommand() *cli.Command {
&vulnTypeFlag,
&ignoreFileFlag,
&cacheDirFlag,
&cacheBackendFlag,
&timeoutFlag,
&noProgressFlag,
&ignorePolicy,
&listAllPackages,
&skipFiles,
&skipDirectories,
},
}
}
// NewClientCommand is the factory method to add client command
func NewClientCommand() *cli.Command {
return &cli.Command{
Name: "client",
@@ -445,6 +483,7 @@ func NewClientCommand() *cli.Command {
}
}
// NewServerCommand is the factory method to add server command
func NewServerCommand() *cli.Command {
return &cli.Command{
Name: "server",
@@ -458,6 +497,7 @@ func NewServerCommand() *cli.Command {
&quietFlag,
&debugFlag,
&cacheDirFlag,
&cacheBackendFlag,
// original flags
&token,

21
internal/app_test.go
View File

@@ -42,6 +42,7 @@ Vulnerability DB:
Version: 42
UpdatedAt: 2020-03-16 23:40:20 +0000 UTC
NextUpdate: 2020-03-16 23:57:00 +0000 UTC
DownloadedAt: 2020-03-16 23:40:20 +0000 UTC
`,
createDB: true,
},
@@ -51,7 +52,7 @@ Vulnerability DB:
outputFormat: "json",
version: "1.2.3",
},
expectedOutput: `{"Version":"1.2.3","VulnerabilityDB":{"Version":42,"Type":1,"NextUpdate":"2020-03-16T23:57:00Z","UpdatedAt":"2020-03-16T23:40:20Z"}}
expectedOutput: `{"Version":"1.2.3","VulnerabilityDB":{"Version":42,"Type":1,"NextUpdate":"2020-03-16T23:57:00Z","UpdatedAt":"2020-03-16T23:40:20Z","DownloadedAt":"2020-03-16T23:40:20Z"}}
`,
createDB: true,
},
@@ -93,10 +94,11 @@ Vulnerability DB:
metadataFile := filepath.Join(cacheDir, "db", "metadata.json")
b, err := json.Marshal(db.Metadata{
Version: 42,
Type: 1,
NextUpdate: time.Unix(1584403020, 0),
UpdatedAt: time.Unix(1584402020, 0),
Version: 42,
Type: 1,
NextUpdate: time.Unix(1584403020, 0),
UpdatedAt: time.Unix(1584402020, 0),
DownloadedAt: time.Unix(1584402020, 0),
})
require.NoError(t, err)
err = afero.WriteFile(fs, metadataFile, b, 0600)
@@ -109,3 +111,12 @@ Vulnerability DB:
})
}
}
func TestNewCommands(t *testing.T) {
NewApp("test")
NewClientCommand()
NewFilesystemCommand()
NewImageCommand()
NewRepositoryCommand()
NewServerCommand()
}

36
internal/artifact/config/config.go
View File

@@ -7,12 +7,14 @@ import (
"github.com/aquasecurity/trivy/internal/config"
)
// Config holds the artifact config
type Config struct {
config.GlobalConfig
config.ArtifactConfig
config.DBConfig
config.ImageConfig
config.ReportConfig
config.CacheConfig
// deprecated
onlyUpdate string
@@ -22,6 +24,7 @@ type Config struct {
autoRefresh bool
}
// New is the factory method to return config
func New(c *cli.Context) (Config, error) {
gc, err := config.NewGlobalConfig(c)
if err != nil {
@@ -34,6 +37,7 @@ func New(c *cli.Context) (Config, error) {
DBConfig: config.NewDBConfig(c),
ImageConfig: config.NewImageConfig(c),
ReportConfig: config.NewReportConfig(c),
CacheConfig: config.NewCacheConfig(c),
onlyUpdate: c.String("only-update"),
refresh: c.Bool("refresh"),
@@ -41,24 +45,22 @@ func New(c *cli.Context) (Config, error) {
}, nil
}
// Init initializes the artifact config
func (c *Config) Init(image bool) error {
if err := c.ReportConfig.Init(c.Logger); err != nil {
return err
}
if c.onlyUpdate != "" || c.refresh || c.autoRefresh {
c.Logger.Warn("--only-update, --refresh and --auto-refresh are unnecessary and ignored now. These commands will be removed in the next version.")
}
if err := c.DBConfig.Init(); err != nil {
if err := c.initPreScanConfigs(); err != nil {
return err
}
// --clear-cache, --download-db-only and --reset don't conduct the scan
if c.ClearCache || c.DownloadDBOnly || c.Reset {
if c.skipScan() {
return nil
}
if err := c.ArtifactConfig.Init(c.Context.Args(), c.Logger); err != nil {
cli.ShowAppHelp(c.Context)
if err := c.ArtifactConfig.Init(c.Context, c.Logger); err != nil {
return err
}
@@ -70,3 +72,23 @@ func (c *Config) Init(image bool) error {
return nil
}
func (c *Config) initPreScanConfigs() error {
if err := c.ReportConfig.Init(c.Logger); err != nil {
return err
}
if err := c.DBConfig.Init(); err != nil {
return err
}
if err := c.CacheConfig.Init(); err != nil {
return err
}
return nil
}
func (c *Config) skipScan() bool {
if c.ClearCache || c.DownloadDBOnly || c.Reset {
return true
}
return false
}

7
internal/artifact/config/config_test.go
View File

@@ -184,13 +184,6 @@ func TestConfig_Init(t *testing.T) {
},
wantErr: "arguments error",
},
{
name: "sad: no image name",
logs: []string{
"trivy requires at least 1 argument or --input option",
},
wantErr: "arguments error",
},
{
name: "sad: invalid image name",
args: []string{`!"#$%&'()`},

1
internal/artifact/fs.go
View File

@@ -21,6 +21,7 @@ func filesystemScanner(ctx context.Context, dir string, ac cache.ArtifactCache,
return s, cleanup, nil
}
// FilesystemRun runs scan on filesystem
func FilesystemRun(cliCtx *cli.Context) error {
c, err := config.New(cliCtx)
if err != nil {

3
internal/artifact/image.go
View File

@@ -30,6 +30,7 @@ func dockerScanner(ctx context.Context, imageName string, ac cache.ArtifactCache
return s, cleanup, nil
}
// ImageRun runs scan on docker image
func ImageRun(cliCtx *cli.Context) error {
c, err := config.New(cliCtx)
if err != nil {
@@ -37,7 +38,7 @@ func ImageRun(cliCtx *cli.Context) error {
}
// initialize config
if err = c.Init(true); err != nil {
if err := c.Init(true); err != nil {
return xerrors.Errorf("failed to initialize options: %w", err)
}

1
internal/artifact/repository.go
View File

@@ -21,6 +21,7 @@ func repositoryScanner(ctx context.Context, dir string, ac cache.ArtifactCache,
return s, cleanup, nil
}
// RepositoryRun runs scan on repository
func RepositoryRun(cliCtx *cli.Context) error {
c, err := config.New(cliCtx)
if err != nil {

17
internal/artifact/run.go
View File

@@ -19,9 +19,12 @@ import (
"github.com/aquasecurity/trivy/pkg/utils"
)
// InitializeScanner type to define initialize function signature
type InitializeScanner func(context.Context, string, cache.ArtifactCache, cache.LocalArtifactCache, time.Duration) (
scanner.Scanner, func(), error)
// nolint: gocyclo
// TODO: refactror and fix cyclometic complexity
func run(c config.Config, initializeScanner InitializeScanner) error {
if err := log.InitLogger(c.Debug, c.Quiet); err != nil {
l.Fatal(err)
@@ -29,20 +32,18 @@ func run(c config.Config, initializeScanner InitializeScanner) error {
// configure cache dir
utils.SetCacheDir(c.CacheDir)
cacheClient, err := cache.NewFSCache(c.CacheDir)
cache, err := operation.NewCache(c.CacheBackend)
if err != nil {
return xerrors.Errorf("unable to initialize the cache: %w", err)
}
defer cacheClient.Close()
cacheOperation := operation.NewCache(cacheClient)
defer cache.Close()
log.Logger.Debugf("cache dir: %s", utils.CacheDir())
if c.Reset {
return cacheOperation.Reset()
return cache.Reset()
}
if c.ClearCache {
return cacheOperation.ClearImages()
return cache.ClearImages()
}
// download the database file
@@ -67,7 +68,7 @@ func run(c config.Config, initializeScanner InitializeScanner) error {
ctx, cancel := context.WithTimeout(context.Background(), c.Timeout)
defer cancel()
scanner, cleanup, err := initializeScanner(ctx, target, cacheClient, cacheClient, c.Timeout)
scanner, cleanup, err := initializeScanner(ctx, target, cache, cache, c.Timeout)
if err != nil {
return xerrors.Errorf("unable to initialize a scanner: %w", err)
}
@@ -77,6 +78,8 @@ func run(c config.Config, initializeScanner InitializeScanner) error {
VulnType: c.VulnType,
ScanRemovedPackages: c.ScanRemovedPkgs, // this is valid only for image subcommand
ListAllPackages: c.ListAllPkgs,
SkipFiles: c.SkipFiles,
SkipDirectories: c.SkipDirectories,
}
log.Logger.Debugf("Vulnerability type: %s", scanOptions.VulnType)

6
internal/client/config/config.go
View File

@@ -10,6 +10,7 @@ import (
"github.com/aquasecurity/trivy/internal/config"
)
// Config holds the Trivy client config
type Config struct {
config.GlobalConfig
config.ArtifactConfig
@@ -25,6 +26,7 @@ type Config struct {
CustomHeaders http.Header
}
// New is the factory method for Config
func New(c *cli.Context) (Config, error) {
gc, err := config.NewGlobalConfig(c)
if err != nil {
@@ -43,6 +45,7 @@ func New(c *cli.Context) (Config, error) {
}, nil
}
// Init initializes the config
func (c *Config) Init() (err error) {
// --clear-cache doesn't conduct the scan
if c.ClearCache {
@@ -60,12 +63,11 @@ func (c *Config) Init() (err error) {
return err
}
if err := c.ArtifactConfig.Init(c.Context.Args(), c.Logger); err != nil {
if err := c.ArtifactConfig.Init(c.Context, c.Logger); err != nil {
return err
}
if err := c.ImageConfig.Init(c.Context.Args(), c.Logger); err != nil {
cli.ShowAppHelp(c.Context)
return err
}

7
internal/client/config/config_test.go
View File

@@ -224,13 +224,6 @@ func TestConfig_Init(t *testing.T) {
},
wantErr: "arguments error",
},
{
name: "sad: no image name",
logs: []string{
"trivy requires at least 1 argument or --input option",
},
wantErr: "arguments error",
},
{
name: "sad: invalid image name",
args: []string{`!"#$%&'()`},

3
internal/client/run.go
View File

@@ -17,6 +17,7 @@ import (
"github.com/aquasecurity/trivy/pkg/utils"
)
// Run runs the scan
func Run(cliCtx *cli.Context) error {
c, err := config.New(cliCtx)
if err != nil {
@@ -25,6 +26,8 @@ func Run(cliCtx *cli.Context) error {
return run(c)
}
// nolint: gocyclo
// TODO: refactror and fix cyclometic complexity
func run(c config.Config) (err error) {
if err = log.InitLogger(c.Debug, c.Quiet); err != nil {
return xerrors.Errorf("failed to initialize a logger: %w", err)

39
internal/config/artifact.go
View File

@@ -1,6 +1,8 @@
package config
import (
"os"
"strings"
"time"
"github.com/urfave/cli/v2"
@@ -8,34 +10,53 @@ import (
"golang.org/x/xerrors"
)
// ArtifactConfig holds the config for a artifact scanning
type ArtifactConfig struct {
Input string
Timeout time.Duration
ClearCache bool
skipDirectories string
SkipDirectories []string
skipFiles string
SkipFiles []string
// this field is populated in Init()
Target string
}
// NewArtifactConfig is the factory method to return artifact config
func NewArtifactConfig(c *cli.Context) ArtifactConfig {
return ArtifactConfig{
Input: c.String("input"),
Timeout: c.Duration("timeout"),
ClearCache: c.Bool("clear-cache"),
Input: c.String("input"),
Timeout: c.Duration("timeout"),
ClearCache: c.Bool("clear-cache"),
skipFiles: c.String("skip-files"),
skipDirectories: c.String("skip-dirs"),
}
}
func (c *ArtifactConfig) Init(args cli.Args, logger *zap.SugaredLogger) (err error) {
if c.Input == "" && args.Len() == 0 {
logger.Error(`trivy requires at least 1 argument or --input option`)
return xerrors.New("arguments error")
} else if args.Len() > 1 {
// Init initialize the CLI context for artifact scanning
func (c *ArtifactConfig) Init(ctx *cli.Context, logger *zap.SugaredLogger) (err error) {
if c.Input == "" && ctx.Args().Len() == 0 {
logger.Debug(`trivy requires at least 1 argument or --input option`)
_ = cli.ShowSubcommandHelp(ctx) // nolint: errcheck
os.Exit(0)
} else if ctx.Args().Len() > 1 {
logger.Error(`multiple targets cannot be specified`)
return xerrors.New("arguments error")
}
if c.Input == "" {
c.Target = args.First()
c.Target = ctx.Args().First()
}
if c.skipDirectories != "" {
c.SkipDirectories = strings.Split(c.skipDirectories, ",")
}
if c.skipFiles != "" {
c.SkipFiles = strings.Split(c.skipFiles, ",")
}
return nil

11
internal/config/artifact_test.go
View File

@@ -35,17 +35,10 @@ func TestArtifactConfig_Init(t *testing.T) {
},
wantErr: "arguments error",
},
{
name: "sad: no image name",
logs: []string{
"trivy requires at least 1 argument or --input option",
},
wantErr: "arguments error",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
core, obs := observer.New(zap.InfoLevel)
core, obs := observer.New(zap.DebugLevel)
logger := zap.New(core)
app := cli.NewApp()
@@ -55,7 +48,7 @@ func TestArtifactConfig_Init(t *testing.T) {
c := config.NewArtifactConfig(ctx)
err := c.Init(ctx.Args(), logger.Sugar())
err := c.Init(ctx, logger.Sugar())
// tests log messages
var gotMessages []string

31
internal/config/cache.go Normal file
View File

@@ -0,0 +1,31 @@
package config
import (
"strings"
"github.com/urfave/cli/v2"
"golang.org/x/xerrors"
)
// CacheConfig holds the config for cache
type CacheConfig struct {
CacheBackend string
}
// NewCacheConfig returns an instance of CacheConfig
func NewCacheConfig(c *cli.Context) CacheConfig {
return CacheConfig{
CacheBackend: c.String("cache-backend"),
}
}
// Init initialize the CacheConfig
func (c *CacheConfig) Init() error {
// "redis://" or "fs" are allowed for now
// An empty value is also allowed for testability
if !strings.HasPrefix(c.CacheBackend, "redis://") &&
c.CacheBackend != "fs" && c.CacheBackend != "" {
return xerrors.Errorf("unsupported cache backend: %s", c.CacheBackend)
}
return nil
}

92
internal/config/cache_test.go Normal file
View File

@@ -0,0 +1,92 @@
package config_test
import (
"flag"
"testing"
"github.com/stretchr/testify/assert"
"github.com/urfave/cli/v2"
"github.com/aquasecurity/trivy/internal/config"
)
func TestNewCacheConfig(t *testing.T) {
tests := []struct {
name string
args []string
want config.CacheConfig
}{
{
name: "happy path",
args: []string{"--cache-backend", "redis://localhost:6379"},
want: config.CacheConfig{
CacheBackend: "redis://localhost:6379",
},
},
{
name: "default",
args: []string{},
want: config.CacheConfig{
CacheBackend: "fs",
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
app := &cli.App{}
set := flag.NewFlagSet("test", 0)
set.String("cache-backend", "fs", "")
c := cli.NewContext(app, set, nil)
_ = set.Parse(tt.args)
got := config.NewCacheConfig(c)
assert.Equal(t, tt.want, got, tt.name)
})
}
}
func TestCacheConfig_Init(t *testing.T) {
type fields struct {
backend string
}
tests := []struct {
name string
fields fields
wantErr string
}{
{
name: "fs",
fields: fields{
backend: "fs",
},
},
{
name: "redis",
fields: fields{
backend: "redis://localhost:6379",
},
},
{
name: "sad path",
fields: fields{
backend: "unknown://",
},
wantErr: "unsupported cache backend: unknown://",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &config.CacheConfig{
CacheBackend: tt.fields.backend,
}
err := c.Init()
if tt.wantErr != "" {
assert.EqualError(t, err, tt.wantErr, err)
} else {
assert.NoError(t, err)
}
})
}
}

3
internal/config/db.go
View File

@@ -5,6 +5,7 @@ import (
"golang.org/x/xerrors"
)
// DBConfig holds the config for trivy DB
type DBConfig struct {
Reset bool
DownloadDBOnly bool
@@ -13,6 +14,7 @@ type DBConfig struct {
NoProgress bool
}
// NewDBConfig is the factory method to return the DBConfig
func NewDBConfig(c *cli.Context) DBConfig {
return DBConfig{
Reset: c.Bool("reset"),
@@ -23,6 +25,7 @@ func NewDBConfig(c *cli.Context) DBConfig {
}
}
// Init initialize the DBConfig
func (c *DBConfig) Init() (err error) {
if c.SkipUpdate && c.DownloadDBOnly {
return xerrors.New("--skip-update and --download-db-only options can not be specified both")

2
internal/config/global.go
View File

@@ -8,6 +8,7 @@ import (
"github.com/aquasecurity/trivy/pkg/log"
)
// GlobalConfig holds the global config for trivy
type GlobalConfig struct {
Context *cli.Context
Logger *zap.SugaredLogger
@@ -18,6 +19,7 @@ type GlobalConfig struct {
CacheDir string
}
// NewGlobalConfig is the factory method to return GlobalConfig
func NewGlobalConfig(c *cli.Context) (GlobalConfig, error) {
quiet := c.Bool("quiet")
debug := c.Bool("debug")

3
internal/config/image.go
View File

@@ -7,11 +7,13 @@ import (
"golang.org/x/xerrors"
)
// ImageConfig holds the config for scanning images
type ImageConfig struct {
ScanRemovedPkgs bool
ListAllPkgs bool
}
// NewImageConfig is the factory method to return imageConfig
func NewImageConfig(c *cli.Context) ImageConfig {
return ImageConfig{
ScanRemovedPkgs: c.Bool("removed-pkgs"),
@@ -19,6 +21,7 @@ func NewImageConfig(c *cli.Context) ImageConfig {
}
}
// Init initializes the imageConfig
func (c *ImageConfig) Init(args cli.Args, logger *zap.SugaredLogger) (err error) {
imageName := args.First()

3
internal/config/report.go
View File

@@ -11,6 +11,7 @@ import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
)
// ReportConfig holds the config for reporting scan results
type ReportConfig struct {
Format string
Template string
@@ -31,6 +32,7 @@ type ReportConfig struct {
Severities []dbTypes.Severity
}
// NewReportConfig is the factory method to return ReportConfig
func NewReportConfig(c *cli.Context) ReportConfig {
return ReportConfig{
output: c.String("output"),
@@ -46,6 +48,7 @@ func NewReportConfig(c *cli.Context) ReportConfig {
}
}
// Init initializes the ReportConfig
func (c *ReportConfig) Init(logger *zap.SugaredLogger) (err error) {
if c.Template != "" {
if c.Format == "" {

37
internal/operation/operation.go
View File

@@ -3,10 +3,11 @@ package operation
import (
"context"
"os"
"strings"
"github.com/spf13/afero"
"github.com/go-redis/redis/v8"
"github.com/google/wire"
"github.com/spf13/afero"
"golang.org/x/xerrors"
"github.com/aquasecurity/fanal/cache"
@@ -15,20 +16,35 @@ import (
"github.com/aquasecurity/trivy/pkg/utils"
)
// SuperSet binds cache dependencies
var SuperSet = wire.NewSet(
cache.NewFSCache,
wire.Bind(new(cache.LocalArtifactCache), new(cache.FSCache)),
NewCache,
)
// Cache implements the local cache
type Cache struct {
client cache.LocalArtifactCache
cache.Cache
}
func NewCache(client cache.LocalArtifactCache) Cache {
return Cache{client: client}
// NewCache is the factory method for Cache
func NewCache(backend string) (Cache, error) {
if strings.HasPrefix(backend, "redis://") {
log.Logger.Info("Redis cache: %s", backend)
redisCache := cache.NewRedisCache(&redis.Options{
Addr: strings.TrimPrefix(backend, "redis://"),
})
return Cache{Cache: redisCache}, nil
}
fsCache, err := cache.NewFSCache(utils.CacheDir())
if err != nil {
return Cache{}, xerrors.Errorf("unable to initialize fs cache: %w", err)
}
return Cache{Cache: fsCache}, nil
}
// Reset resets the cache
func (c Cache) Reset() (err error) {
if err := c.ClearDB(); err != nil {
return xerrors.Errorf("failed to clear the database: %w", err)
@@ -39,6 +55,7 @@ func (c Cache) Reset() (err error) {
return nil
}
// ClearDB clears the DB cache
func (c Cache) ClearDB() (err error) {
log.Logger.Info("Removing DB file...")
if err = os.RemoveAll(utils.CacheDir()); err != nil {
@@ -47,14 +64,16 @@ func (c Cache) ClearDB() (err error) {
return nil
}
// ClearImages clears the cache images
func (c Cache) ClearImages() error {
log.Logger.Info("Removing image caches...")
if err := c.client.Clear(); err != nil {
if err := c.Clear(); err != nil {
return xerrors.Errorf("failed to remove the cache: %w", err)
}
return nil
}
// DownloadDB downloads the DB
func DownloadDB(appVersion, cacheDir string, quiet, light, skipUpdate bool) error {
client := initializeDBClient(cacheDir, quiet)
ctx := context.Background()
@@ -66,7 +85,7 @@ func DownloadDB(appVersion, cacheDir string, quiet, light, skipUpdate bool) erro
if needsUpdate {
log.Logger.Info("Need to update DB")
log.Logger.Info("Downloading DB...")
if err := client.Download(ctx, cacheDir, light); err != nil {
if err = client.Download(ctx, cacheDir, light); err != nil {
return xerrors.Errorf("failed to download vulnerability DB: %w", err)
}
if err = client.UpdateMetadata(cacheDir); err != nil {
@@ -87,7 +106,7 @@ func showDBInfo(cacheDir string) error {
if err != nil {
return xerrors.Errorf("something wrong with DB: %w", err)
}
log.Logger.Debugf("DB Schema: %d, Type: %d, UpdatedAt: %s, NextUpdate: %s",
metadata.Version, metadata.Type, metadata.UpdatedAt, metadata.NextUpdate)
log.Logger.Debugf("DB Schema: %d, Type: %d, UpdatedAt: %s, NextUpdate: %s, DownloadedAt: %s",
metadata.Version, metadata.Type, metadata.UpdatedAt, metadata.NextUpdate, metadata.DownloadedAt)
return nil
}

14
internal/server/config/config.go
View File

@@ -1,26 +1,30 @@
package config
import (
"github.com/aquasecurity/trivy/internal/config"
"github.com/urfave/cli/v2"
"github.com/aquasecurity/trivy/internal/config"
)
// Config holds the Trivy config
type Config struct {
config.GlobalConfig
config.DBConfig
config.CacheConfig
Listen string
Token string
TokenHeader string
}
// New is the factory method to return config
func New(c *cli.Context) Config {
// the error is ignored because logger is unnecessary
gc, _ := config.NewGlobalConfig(c)
gc, _ := config.NewGlobalConfig(c) // nolint: errcheck
return Config{
GlobalConfig: gc,
DBConfig: config.NewDBConfig(c),
CacheConfig: config.NewCacheConfig(c),
Listen: c.String("listen"),
Token: c.String("token"),
@@ -28,10 +32,14 @@ func New(c *cli.Context) Config {
}
}
// Init initializes the config
func (c *Config) Init() (err error) {
if err := c.DBConfig.Init(); err != nil {
return err
}
if err := c.CacheConfig.Init(); err != nil {
return err
}
return nil
}

18
internal/server/run.go
View File

@@ -4,7 +4,6 @@ import (
"github.com/urfave/cli/v2"
"golang.org/x/xerrors"
"github.com/aquasecurity/fanal/cache"
"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy/internal/operation"
"github.com/aquasecurity/trivy/internal/server/config"
@@ -13,6 +12,7 @@ import (
"github.com/aquasecurity/trivy/pkg/utils"
)
// Run runs the scan
func Run(ctx *cli.Context) error {
return run(config.New(ctx))
}
@@ -29,17 +29,15 @@ func run(c config.Config) (err error) {
// configure cache dir
utils.SetCacheDir(c.CacheDir)
cache, err := operation.NewCache(c.CacheBackend)
if err != nil {
return xerrors.Errorf("server cache error: %w", err)
}
defer cache.Close()
log.Logger.Debugf("cache dir: %s", utils.CacheDir())
fsCache, err := cache.NewFSCache(utils.CacheDir())
if err != nil {
return xerrors.Errorf("unable to initialize cache: %w", err)
}
// server doesn't have image cache
cacheOperation := operation.NewCache(fsCache)
if c.Reset {
return cacheOperation.ClearDB()
return cache.ClearDB()
}
// download the database file
@@ -55,5 +53,5 @@ func run(c config.Config) (err error) {
return xerrors.Errorf("error in vulnerability DB initialize: %w", err)
}
return server.ListenAndServe(c, fsCache)
return server.ListenAndServe(c, cache)
}

Some files were not shown because too many files have changed in this diff Show More