gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
1f0d6290c33c95d5f213cc409a0ff6a53a2c888e
trivy/integration/testdata/ubuntu-1804.json.golden
Juan Ariza Toledano 1f0d6290c3 feat(vuln): include pkg identifier on detected vulnerabilities (#5439) 
Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
2023-12-27 07:54:56 +00:00

421 lines
21 KiB
Plaintext
Raw Blame History

{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/images/ubuntu-1804.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "ubuntu",
"Name": "18.04",
"EOSL": true
},
"ImageID": "sha256:a2a15febcdf362f6115e801d37b5e60d6faaeedcb9896155e5fe9d754025be12",
"DiffIDs": [
"sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
"sha256:f7eae43028b334123c3a1d778f7bdf9783bbe651c8b15371df0120fd13ec35c5",
"sha256:7beb13bce073c21c9ee608acb13c7e851845245dc76ce81b418fdf580c45076b",
"sha256:122be11ab4a29e554786b4a1ec4764dd55656b59d6228a0a3de78eaf5c1f226c"
],
"ImageConfig": {
"architecture": "amd64",
"container": "41b694b9b42f9c5ef7fb40c24272927a727a6d6cb8120bb3eae5849ceb9bee77",
"created": "2019-08-15T07:28:14.830150536Z",
"docker_version": "18.06.1-ce",
"history": [
{
"created": "2019-08-15T07:28:12.433344678Z",
"created_by": "/bin/sh -c #(nop) ADD file:c477cb0e95c56b51e0b7353f3805165393689902b82a41bbe77dbef4b31667e1 in / "
},
{
"created": "2019-08-15T07:28:13.20852008Z",
"created_by": "/bin/sh -c [ -z \"$(apt-get indextargets)\" ]"
},
{
"created": "2019-08-15T07:28:13.964607567Z",
"created_by": "/bin/sh -c set -xe \t\t\u0026\u0026 echo '#!/bin/sh' \u003e /usr/sbin/policy-rc.d \t\u0026\u0026 echo 'exit 101' \u003e\u003e /usr/sbin/policy-rc.d \t\u0026\u0026 chmod +x /usr/sbin/policy-rc.d \t\t\u0026\u0026 dpkg-divert --local --rename --add /sbin/initctl \t\u0026\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \t\u0026\u0026 sed -i 's/^exit.*/exit 0/' /sbin/initctl \t\t\u0026\u0026 echo 'force-unsafe-io' \u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \t\t\u0026\u0026 echo 'DPkg::Post-Invoke { \"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\"; };' \u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'APT::Update::Post-Invoke { \"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\"; };' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'Dir::Cache::pkgcache \"\"; Dir::Cache::srcpkgcache \"\";' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\t\u0026\u0026 echo 'Acquire::Languages \"none\";' \u003e /etc/apt/apt.conf.d/docker-no-languages \t\t\u0026\u0026 echo 'Acquire::GzipIndexes \"true\"; Acquire::CompressionTypes::Order:: \"gz\";' \u003e /etc/apt/apt.conf.d/docker-gzip-indexes \t\t\u0026\u0026 echo 'Apt::AutoRemove::SuggestsImportant \"false\";' \u003e /etc/apt/apt.conf.d/docker-autoremove-suggests"
},
{
"created": "2019-08-15T07:28:14.64282638Z",
"created_by": "/bin/sh -c mkdir -p /run/systemd \u0026\u0026 echo 'docker' \u003e /run/systemd/container"
},
{
"created": "2019-08-15T07:28:14.830150536Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
"sha256:f7eae43028b334123c3a1d778f7bdf9783bbe651c8b15371df0120fd13ec35c5",
"sha256:7beb13bce073c21c9ee608acb13c7e851845245dc76ce81b418fdf580c45076b",
"sha256:122be11ab4a29e554786b4a1ec4764dd55656b59d6228a0a3de78eaf5c1f226c"
]
},
"config": {
"Cmd": [
"/bin/bash"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:bcbe079849fdbb50b3eb04798547e046bdbc82020b8b780d767cf29f7e60b396",
"ArgsEscaped": true
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/ubuntu-1804.tar.gz (ubuntu 18.04)",
"Class": "os-pkgs",
"Type": "ubuntu",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-18276",
"PkgID": "bash@4.4.18-2ubuntu1.2",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/bash@4.4.18-2ubuntu1.2?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "4.4.18-2ubuntu1.2",
"Status": "affected",
"Layer": {
"Digest": "sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a",
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
"Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
"Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
"Severity": "LOW",
"CweIDs": [
"CWE-273"
],
"VendorSeverity": {
"cbl-mariner": 3,
"nvd": 3,
"oracle-oval": 1,
"photon": 3,
"redhat": 1,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 7.2,
"V3Score": 7.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 7.8
}
},
"References": [
"http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html",
"https://access.redhat.com/security/cve/CVE-2019-18276",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276",
"https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
"https://linux.oracle.com/cve/CVE-2019-18276.html",
"https://linux.oracle.com/errata/ELSA-2021-1679.html",
"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
"https://security.gentoo.org/glsa/202105-34",
"https://security.netapp.com/advisory/ntap-20200430-0003/",
"https://www.youtube.com/watch?v=-wGtxJ8opa8"
],
"PublishedDate": "2019-11-28T01:15:00Z",
"LastModifiedDate": "2021-05-26T12:15:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "e2fsprogs@1.44.1-1ubuntu1.1",
"PkgName": "e2fsprogs",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/e2fsprogs@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
"Layer": {
"Digest": "sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a",
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
"Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 4.6,
"V3Score": 6.7
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://ubuntu.com/security/notices/USN-4142-1",
"https://ubuntu.com/security/notices/USN-4142-2",
"https://usn.ubuntu.com/4142-1/",
"https://usn.ubuntu.com/4142-2/",
"https://www.debian.org/security/2019/dsa-4535"
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2021-01-11T19:21:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "libcom-err2@1.44.1-1ubuntu1.1",
"PkgName": "libcom-err2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libcom-err2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
"Layer": {
"Digest": "sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a",
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
"Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 4.6,
"V3Score": 6.7
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://ubuntu.com/security/notices/USN-4142-1",
"https://ubuntu.com/security/notices/USN-4142-2",
"https://usn.ubuntu.com/4142-1/",
"https://usn.ubuntu.com/4142-2/",
"https://www.debian.org/security/2019/dsa-4535"
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2021-01-11T19:21:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "libext2fs2@1.44.1-1ubuntu1.1",
"PkgName": "libext2fs2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libext2fs2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
"Layer": {
"Digest": "sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a",
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
"Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 4.6,
"V3Score": 6.7
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://ubuntu.com/security/notices/USN-4142-1",
"https://ubuntu.com/security/notices/USN-4142-2",
"https://usn.ubuntu.com/4142-1/",
"https://usn.ubuntu.com/4142-2/",
"https://www.debian.org/security/2019/dsa-4535"
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2021-01-11T19:21:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "libss2@1.44.1-1ubuntu1.1",
"PkgName": "libss2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libss2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
"Layer": {
"Digest": "sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a",
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
"Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 2,
"nvd": 2,
"oracle-oval": 2,
"photon": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 4.6,
"V3Score": 6.7
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 6.4
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2019-5094",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
"https://linux.oracle.com/cve/CVE-2019-5094.html",
"https://linux.oracle.com/errata/ELSA-2020-4011.html",
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
"https://seclists.org/bugtraq/2019/Sep/58",
"https://security.gentoo.org/glsa/202003-05",
"https://security.netapp.com/advisory/ntap-20200115-0002/",
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
"https://ubuntu.com/security/notices/USN-4142-1",
"https://ubuntu.com/security/notices/USN-4142-2",
"https://usn.ubuntu.com/4142-1/",
"https://usn.ubuntu.com/4142-2/",
"https://www.debian.org/security/2019/dsa-4535"
],
"PublishedDate": "2019-09-24T22:15:00Z",
"LastModifiedDate": "2021-01-11T19:21:00Z"
}
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink