From 8f19134a611e047ff6593b9ab18865c3c10385fb Mon Sep 17 00:00:00 2001
From: Keith Zantow
Date: Thu, 17 Mar 2022 18:07:36 -0400
Subject: [PATCH] Remove SARIF processing (#148)

---
 dist/index.js | 384 +---
 index.js | 384 +---
 package.json | 2 +-
 tests/__snapshots__/sarif_output.test.js.snap | 1621 ++++++++--------
 tests/grype_command.test.js | 4 +-
 tests/sarif_output.test.js | 21 +-
 6 files changed, 815 insertions(+), 1601 deletions(-)

diff --git a/dist/index.js b/dist/index.js
index cca12f9d..3bb352ef 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -12,313 +12,7 @@ const fs = __webpack_require__(747); const stream = __webpack_require__(413); const grypeBinary = "grype"; -const grypeVersion = "0.27.3"; - -// sarif code -function convert_severity_to_acs_level(input_severity, severity_cutoff_param) { - // The `severity_cutoff_param` has been lowercased for case-insensitivity at this point, but the - // severity from the vulnerability will be capitalized, so this must be capitalized again to calculate - // using the same object - let param = - severity_cutoff_param[0].toUpperCase() + severity_cutoff_param.substring(1); - var ret = "error"; - const severityLevels = { - Unknown: 0, - Negligible: 1, - Low: 2, - Medium: 3, - High: 4, - Critical: 5, - }; - - if (severityLevels[input_severity] < severityLevels[param]) { - ret = "warning"; - } - - return ret; -} - -function getLocation(v) { - if (v.artifact.locations.length) { - // If the scan was against a directory, the location will be a string - var location = v.artifact.locations[0]; - if (typeof location === "string") { - return location; - } - // Otherwise it is an object with "path" and "layer" keys - return location["path"]; - } - // XXX there is room for improvement here, trying to mimick previous behavior - // If no `dockerfile-path` was provided, and in the improbable situation where there - // are no locations for the artifact, return 'Dockerfile' - return "Dockerfile"; -} - -function textMessage(v) { - const path = getLocation(v); - var scheme = sourceScheme(); - let prefix = `The path ${path} reports ${v.artifact.name} at version ${v.artifact.version} `; - - if (["dir", "tar"].includes(scheme)) { - return `${prefix} which would result in a vulnerable (${v.artifact.type}) package installed`; - } else { - return `${prefix} which is a vulnerable (${v.artifact.type}) package installed in the container`; - } -} - -function dottedQuadFileVersion(version) { - // The dotted quad version requirements of the SARIF schema has some strict requirements. 
Because - // it is tied to the version which can be (optionally) set by the user, it isn't enough to blindly - // add a trailing ".0" - This function validates the end result, falling back to a version that would - // pass the schema while issuing a warning. - const pattern = /[0-9]+(\.[0-9]+){3}/; - // grype has some releases with dashes, ensure these are pruned - version = version.split("-")[0]; - - // None of the Grype versions will ever have version with four parts, add a trailing `.0` here - version = version + ".0"; - - if (!version.match(pattern)) { - // After prunning and adding a trailing .0 we still got a failure. Warn about this, and fallback to - // a made-up version guaranteed to work. - core.warning( - `Unable to produce an acceptable four-part dotted version: ${version} \n` + - `SARIF reporting requires pattern matching against "[0-9]+(\\.[0-9]+){3}" \n` + - "Will fallback to 0.0.0.0" - ); - return "0.0.0.0"; - } - return version; -} - -function get_fix_versions(v) { - if ( - v.vulnerability.fix && - v.vulnerability.fix.state === "fixed" && - v.vulnerability.fix.versions && - v.vulnerability.fix.versions.length > 0 - ) { - return v.vulnerability.fix.versions.join(","); - } - return ""; -} - -function make_subtitle(v) { - let subtitle = `${v.vulnerability.description}`; - if (subtitle != "undefined") { - return subtitle; - } - - const fixVersions = get_fix_versions(v); - if (fixVersions) { - return `Version ${v.artifact.version} is affected with an available fix in versions ${fixVersions}`; - } - - return `Version ${v.artifact.version} is affected with no fixes reported yet.`; -} - -function grype_render_rules(vulnerabilities, source) { - var ret = {}; - let scheme = sourceScheme(); - if (vulnerabilities) { - let ruleIDs = []; - // This uses .reduce() because there can be duplicate vulnerabilities which the SARIF schema complains about. 
- ret = vulnerabilities.reduce(function (result, v) { - let ruleID = `ANCHOREVULN_${v.vulnerability.id}_${v.artifact.type}_${v.artifact.name}_${v.artifact.version}`; - if (scheme == "docker") { - // include the container as part of the rule id so that users can sort by that - ruleID = `ANCHOREVULN_${source}_${v.vulnerability.id}_${v.artifact.type}_${v.artifact.name}_${v.artifact.version}`; - } - - if (!ruleIDs.includes(ruleID)) { - ruleIDs.push(ruleID); - // Entirely possible to not have any links whatsoever - let link = v.vulnerability.id; - if ("dataSource" in v.vulnerability) { - link = `[${v.vulnerability.id}](${v.vulnerability.dataSource})`; - } else if ( - "urls" in v.vulnerability && - v.vulnerability.urls.length > 0 - ) { - link = `[${v.vulnerability.id}](${v.vulnerability.urls[0]})`; - } - - result.push({ - id: ruleID, - // Title of the SARIF report - shortDescription: { - text: `${v.vulnerability.id} ${v.vulnerability.severity} vulnerability for ${v.artifact.name} package`, - }, - // Subtitle of the SARIF report - fullDescription: { - text: make_subtitle(v), - }, - help: { - text: - "Vulnerability " + - v.vulnerability.id + - "\n" + - "Severity: " + - v.vulnerability.severity + - "\n" + - "Package: " + - v.artifact.name + - "\n" + - "Version: " + - v.artifact.version + - "\n" + - "Fix Version: " + - (get_fix_versions(v) || "none") + - "\n" + - "Type: " + - v.artifact.type + - "\n" + - "Location: " + - v.artifact.locations[0].path + - "\n" + - //"Data Namespace: "+v.vulnerability.matched_by.matcher +"\n"+ - "Data Namespace: " + - "unknown" + - "\n" + - `Link: ${link}`, - markdown: - "**Vulnerability " + - v.vulnerability.id + - "**\n" + - "| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n" + - "| --- | --- | --- | --- | --- | --- | --- | --- |\n" + - "|" + - v.vulnerability.severity + - "|" + - v.artifact.name + - "|" + - v.artifact.version + - "|" + - (get_fix_versions(v) || "none") + - "|" + - v.artifact.type + - 
"|" + - v.artifact.locations[0].path + - "|" + - "unknown" + - "|" + - link + - "|\n", - }, - }); - } - return result; - }, []); - } - return ret; -} - -function grype_render_results(vulnerabilities, severity_cutoff_param, source) { - var ret = {}; - let scheme = sourceScheme(); - if (vulnerabilities) { - ret = vulnerabilities.map((v) => { - let ruleid = `ANCHOREVULN_${v.vulnerability.id}_${v.artifact.type}_${v.artifact.name}_${v.artifact.version}`; - if (scheme == "docker") { - // include the container as part of the rule id so that users can sort by that - ruleid = `ANCHOREVULN_${source}_${v.vulnerability.id}_${v.artifact.type}_${v.artifact.name}_${v.artifact.version}`; - } - return { - ruleId: ruleid, - ruleIndex: 0, - level: convert_severity_to_acs_level( - v.vulnerability.severity, - severity_cutoff_param - ), - message: { - text: textMessage(v), - id: "default", - }, - analysisTarget: { - uri: getLocation(v), - // XXX This is possibly a bug. The SARIF schema invalidates this when the index is present because there - // aren't any other elements present. 
- //"index": 0 - }, - locations: [ - { - physicalLocation: { - artifactLocation: { - uri: getLocation(v), - }, - // TODO: When grype starts reporting line numbers this will need to get updated - region: { - startLine: 1, - startColumn: 1, - endLine: 1, - endColumn: 1, - byteOffset: 1, - byteLength: 1, - }, - }, - logicalLocations: [ - { - fullyQualifiedName: "dockerfile", - }, - ], - }, - ], - suppressions: [ - { - kind: "external", - }, - ], - baselineState: "unchanged", - }; - }); - } - - return ret; -} - -function vulnerabilities_to_sarif( - grypeVulnerabilities, - severity_cutoff_param, - version, - source -) { - let vulnerabilities = grypeVulnerabilities.matches; - - const sarifOutput = { - $schema: - "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json", - version: "2.1.0", - runs: [ - { - tool: { - driver: { - name: "Anchore Container Vulnerability Report (T0)", - fullName: "Anchore Container Vulnerability Report (T0)", - version: version, - semanticVersion: version, - dottedQuadFileVersion: dottedQuadFileVersion(version), - rules: grype_render_rules(vulnerabilities, source), - }, - }, - logicalLocations: [ - { - name: "dockerfile", - fullyQualifiedName: "dockerfile", - kind: "namespace", - }, - ], - results: grype_render_results( - vulnerabilities, - severity_cutoff_param, - source - ), - columnKind: "utf16CodeUnits", - }, - ], - }; - - return sarifOutput; -} +const grypeVersion = "0.34.1"; // Find all 'content-*.json' files in the directory. dirname should include the full path function findContent(searchDir) { 
@@ -383,17 +77,6 @@ async function installGrype(version) {
 core.addPath(grypePath);
 }
 
-function sourceScheme() {
- // This potentially can be removed once grype starts reporting what it used to perform the scan
- // in the JSON output
- // Any newer schemes like OCI need to be added here
- if (core.getInput("image") != "") {
- return "docker";
- }
- // Only two options are currently supported
- return "dir";
-}
-
 function sourceInput() {
 var image = core.getInput("image");
 var path = core.getInput("path");
@@ -408,7 +91,7 @@ function sourceInput() {
 );
 }
 
- if (image != "") {
+ if (image !== "") {
 return image;
 }
 
@@ -454,22 +137,19 @@ async function runScan({
 
 if (debug.toLowerCase() === "true") {
 debug = "true";
- cmdArgs = [`-vv`, `-o`, `json`];
+ cmdArgs.push(`-vv`);
 } else {
 debug = "false";
- cmdArgs = [`-o`, `json`];
 }
 
- if (failBuild.toLowerCase() === "true") {
- failBuild = true;
- } else {
- failBuild = false;
- }
+ failBuild = failBuild.toLowerCase() === "true";
 
- if (acsReportEnable.toLowerCase() === "true") {
- acsReportEnable = true;
+ acsReportEnable = acsReportEnable.toLowerCase() === "true";
+
+ if (acsReportEnable) {
+ cmdArgs.push("-o", "sarif");
 } else {
- acsReportEnable = false;
+ cmdArgs.push("-o", "json");
 }
 
 if (
@@ -498,7 +178,7 @@ async function runScan({
 // Run the grype analyzer
 let cmdOutput = "";
 let cmd = `${grypeBinary}`;
- if (severityCutoff != "") {
+ if (severityCutoff !== "") {
 cmdArgs.push("--fail-on");
 cmdArgs.push(severityCutoff.toLowerCase());
 }
@@ -540,25 +220,10 @@ async function runScan({
 core.debug(cmdOutput);
 }
 
- let grypeVulnerabilities;
- try {
- grypeVulnerabilities = JSON.parse(cmdOutput);
- } catch (e) {
- core.error(`Unable to parse grype output: ${e}`);
- core.error(cmdOutput);
- }
 if (acsReportEnable) {
- try {
- const serifOut = sarifGrypeGeneration(
- grypeVulnerabilities,
- severityCutoff.toLowerCase(),
- grypeVersion,
- source
- );
- Object.assign(out, serifOut);
- } catch (err) {
- throw new Error(err);
- }
+ const SARIF_FILE = "./results.sarif";
+ fs.writeFileSync(SARIF_FILE, cmdOutput);
+ out.sarif = SARIF_FILE;
 }
 
 if (failBuild === true && exitCode > 0) {
@@ -586,27 +251,6 @@ async function runScan({
 return out;
 }
 
-function sarifGrypeGeneration(
- grypeVulnerabilities,
- severity_cutoff_param,
- version,
- source
-) {
- // sarif generate section
- const SARIF_FILE = "./results.sarif";
- let sarifOutput = vulnerabilities_to_sarif(
- grypeVulnerabilities,
- severity_cutoff_param,
- version,
- source
- );
- fs.writeFileSync(SARIF_FILE, JSON.stringify(sarifOutput, null, 2));
- return {
- sarif: SARIF_FILE,
- };
- // end sarif generate section
-}
-
 module.exports = {
 run,
 runScan,
@@ -614,8 +258,6 @@ module.exports = {
 mergeResults,
 findContent,
 loadContent,
- vulnerabilities_to_sarif,
- convert_severity_to_acs_level,
 };
 
 if (require.main === require.cache[eval('__filename')]) {
diff --git a/index.js b/index.js
index 45120547..2202b165 100644
--- a/index.js
+++ b/index.js
@@ -5,313 +5,7 @@ const fs = require("fs"); const stream = require("stream"); const grypeBinary = "grype"; -const grypeVersion = "0.27.3"; - -// sarif code -function convert_severity_to_acs_level(input_severity, severity_cutoff_param) { - // The `severity_cutoff_param` has been lowercased for case-insensitivity at this point, but the - // severity from the vulnerability will be capitalized, so this must be capitalized again to calculate - // using the same object - let param = - severity_cutoff_param[0].toUpperCase() + severity_cutoff_param.substring(1); - var ret = "error"; - const severityLevels = { - Unknown: 0, - Negligible: 1, - Low: 2, - Medium: 3, - High: 4, - Critical: 5, - }; - - if (severityLevels[input_severity] < severityLevels[param]) { - ret = "warning"; - } - - return ret; -} - -function getLocation(v) { - if (v.artifact.locations.length) { - // If the scan was against a directory, the location will be a string - var location = v.artifact.locations[0]; - if (typeof location === "string") { - return location; - } - // Otherwise it is an object with "path" and "layer" keys - return location["path"]; - } - // XXX there is room for improvement here, trying to mimick previous behavior - // If no `dockerfile-path` was provided, and in the improbable situation where there - // are no locations for the artifact, return 'Dockerfile' - return "Dockerfile"; -} - -function textMessage(v) { - const path = getLocation(v); - var scheme = sourceScheme(); - let prefix = `The path ${path} reports ${v.artifact.name} at version ${v.artifact.version} `; - - if (["dir", "tar"].includes(scheme)) { - return `${prefix} which would result in a vulnerable (${v.artifact.type}) package installed`; - } else { - return `${prefix} which is a vulnerable (${v.artifact.type}) package installed in the container`; - } -} - -function dottedQuadFileVersion(version) { - // The dotted quad version requirements of the SARIF schema has some strict requirements. 
Because - // it is tied to the version which can be (optionally) set by the user, it isn't enough to blindly - // add a trailing ".0" - This function validates the end result, falling back to a version that would - // pass the schema while issuing a warning. - const pattern = /[0-9]+(\.[0-9]+){3}/; - // grype has some releases with dashes, ensure these are pruned - version = version.split("-")[0]; - - // None of the Grype versions will ever have version with four parts, add a trailing `.0` here - version = version + ".0"; - - if (!version.match(pattern)) { - // After prunning and adding a trailing .0 we still got a failure. Warn about this, and fallback to - // a made-up version guaranteed to work. - core.warning( - `Unable to produce an acceptable four-part dotted version: ${version} \n` + - `SARIF reporting requires pattern matching against "[0-9]+(\\.[0-9]+){3}" \n` + - "Will fallback to 0.0.0.0" - ); - return "0.0.0.0"; - } - return version; -} - -function get_fix_versions(v) { - if ( - v.vulnerability.fix && - v.vulnerability.fix.state === "fixed" && - v.vulnerability.fix.versions && - v.vulnerability.fix.versions.length > 0 - ) { - return v.vulnerability.fix.versions.join(","); - } - return ""; -} - -function make_subtitle(v) { - let subtitle = `${v.vulnerability.description}`; - if (subtitle != "undefined") { - return subtitle; - } - - const fixVersions = get_fix_versions(v); - if (fixVersions) { - return `Version ${v.artifact.version} is affected with an available fix in versions ${fixVersions}`; - } - - return `Version ${v.artifact.version} is affected with no fixes reported yet.`; -} - -function grype_render_rules(vulnerabilities, source) { - var ret = {}; - let scheme = sourceScheme(); - if (vulnerabilities) { - let ruleIDs = []; - // This uses .reduce() because there can be duplicate vulnerabilities which the SARIF schema complains about. 
- ret = vulnerabilities.reduce(function (result, v) { - let ruleID = `ANCHOREVULN_${v.vulnerability.id}_${v.artifact.type}_${v.artifact.name}_${v.artifact.version}`; - if (scheme == "docker") { - // include the container as part of the rule id so that users can sort by that - ruleID = `ANCHOREVULN_${source}_${v.vulnerability.id}_${v.artifact.type}_${v.artifact.name}_${v.artifact.version}`; - } - - if (!ruleIDs.includes(ruleID)) { - ruleIDs.push(ruleID); - // Entirely possible to not have any links whatsoever - let link = v.vulnerability.id; - if ("dataSource" in v.vulnerability) { - link = `[${v.vulnerability.id}](${v.vulnerability.dataSource})`; - } else if ( - "urls" in v.vulnerability && - v.vulnerability.urls.length > 0 - ) { - link = `[${v.vulnerability.id}](${v.vulnerability.urls[0]})`; - } - - result.push({ - id: ruleID, - // Title of the SARIF report - shortDescription: { - text: `${v.vulnerability.id} ${v.vulnerability.severity} vulnerability for ${v.artifact.name} package`, - }, - // Subtitle of the SARIF report - fullDescription: { - text: make_subtitle(v), - }, - help: { - text: - "Vulnerability " + - v.vulnerability.id + - "\n" + - "Severity: " + - v.vulnerability.severity + - "\n" + - "Package: " + - v.artifact.name + - "\n" + - "Version: " + - v.artifact.version + - "\n" + - "Fix Version: " + - (get_fix_versions(v) || "none") + - "\n" + - "Type: " + - v.artifact.type + - "\n" + - "Location: " + - v.artifact.locations[0].path + - "\n" + - //"Data Namespace: "+v.vulnerability.matched_by.matcher +"\n"+ - "Data Namespace: " + - "unknown" + - "\n" + - `Link: ${link}`, - markdown: - "**Vulnerability " + - v.vulnerability.id + - "**\n" + - "| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n" + - "| --- | --- | --- | --- | --- | --- | --- | --- |\n" + - "|" + - v.vulnerability.severity + - "|" + - v.artifact.name + - "|" + - v.artifact.version + - "|" + - (get_fix_versions(v) || "none") + - "|" + - v.artifact.type + - 
"|" + - v.artifact.locations[0].path + - "|" + - "unknown" + - "|" + - link + - "|\n", - }, - }); - } - return result; - }, []); - } - return ret; -} - -function grype_render_results(vulnerabilities, severity_cutoff_param, source) { - var ret = {}; - let scheme = sourceScheme(); - if (vulnerabilities) { - ret = vulnerabilities.map((v) => { - let ruleid = `ANCHOREVULN_${v.vulnerability.id}_${v.artifact.type}_${v.artifact.name}_${v.artifact.version}`; - if (scheme == "docker") { - // include the container as part of the rule id so that users can sort by that - ruleid = `ANCHOREVULN_${source}_${v.vulnerability.id}_${v.artifact.type}_${v.artifact.name}_${v.artifact.version}`; - } - return { - ruleId: ruleid, - ruleIndex: 0, - level: convert_severity_to_acs_level( - v.vulnerability.severity, - severity_cutoff_param - ), - message: { - text: textMessage(v), - id: "default", - }, - analysisTarget: { - uri: getLocation(v), - // XXX This is possibly a bug. The SARIF schema invalidates this when the index is present because there - // aren't any other elements present. 
- //"index": 0 - }, - locations: [ - { - physicalLocation: { - artifactLocation: { - uri: getLocation(v), - }, - // TODO: When grype starts reporting line numbers this will need to get updated - region: { - startLine: 1, - startColumn: 1, - endLine: 1, - endColumn: 1, - byteOffset: 1, - byteLength: 1, - }, - }, - logicalLocations: [ - { - fullyQualifiedName: "dockerfile", - }, - ], - }, - ], - suppressions: [ - { - kind: "external", - }, - ], - baselineState: "unchanged", - }; - }); - } - - return ret; -} - -function vulnerabilities_to_sarif( - grypeVulnerabilities, - severity_cutoff_param, - version, - source -) { - let vulnerabilities = grypeVulnerabilities.matches; - - const sarifOutput = { - $schema: - "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json", - version: "2.1.0", - runs: [ - { - tool: { - driver: { - name: "Anchore Container Vulnerability Report (T0)", - fullName: "Anchore Container Vulnerability Report (T0)", - version: version, - semanticVersion: version, - dottedQuadFileVersion: dottedQuadFileVersion(version), - rules: grype_render_rules(vulnerabilities, source), - }, - }, - logicalLocations: [ - { - name: "dockerfile", - fullyQualifiedName: "dockerfile", - kind: "namespace", - }, - ], - results: grype_render_results( - vulnerabilities, - severity_cutoff_param, - source - ), - columnKind: "utf16CodeUnits", - }, - ], - }; - - return sarifOutput; -} +const grypeVersion = "0.34.1"; // Find all 'content-*.json' files in the directory. dirname should include the full path function findContent(searchDir) { 
@@ -376,17 +70,6 @@ async function installGrype(version) {
 core.addPath(grypePath);
 }
 
-function sourceScheme() {
- // This potentially can be removed once grype starts reporting what it used to perform the scan
- // in the JSON output
- // Any newer schemes like OCI need to be added here
- if (core.getInput("image") != "") {
- return "docker";
- }
- // Only two options are currently supported
- return "dir";
-}
-
 function sourceInput() {
 var image = core.getInput("image");
 var path = core.getInput("path");
@@ -401,7 +84,7 @@ function sourceInput() {
 );
 }
 
- if (image != "") {
+ if (image !== "") {
 return image;
 }
 
@@ -447,22 +130,19 @@ async function runScan({
 
 if (debug.toLowerCase() === "true") {
 debug = "true";
- cmdArgs = [`-vv`, `-o`, `json`];
+ cmdArgs.push(`-vv`);
 } else {
 debug = "false";
- cmdArgs = [`-o`, `json`];
 }
 
- if (failBuild.toLowerCase() === "true") {
- failBuild = true;
- } else {
- failBuild = false;
- }
+ failBuild = failBuild.toLowerCase() === "true";
 
- if (acsReportEnable.toLowerCase() === "true") {
- acsReportEnable = true;
+ acsReportEnable = acsReportEnable.toLowerCase() === "true";
+
+ if (acsReportEnable) {
+ cmdArgs.push("-o", "sarif");
 } else {
- acsReportEnable = false;
+ cmdArgs.push("-o", "json");
 }
 
 if (
@@ -491,7 +171,7 @@ async function runScan({
 // Run the grype analyzer
 let cmdOutput = "";
 let cmd = `${grypeBinary}`;
- if (severityCutoff != "") {
+ if (severityCutoff !== "") {
 cmdArgs.push("--fail-on");
 cmdArgs.push(severityCutoff.toLowerCase());
 }
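Review bot: `cmdArgs.push(`-vv`)` in the runScan hunk (-447) now appends to a `cmdArgs` that must already be an array, whereas the removed lines assigned a fresh array at this point; the declaration sits above the hunk, so it is worth confirming it reads `let cmdArgs = [];` rather than a bare `let cmdArgs;`, which would throw on `push`. The same line also keeps a template literal for a constant string while the new `-o` lines two statements later use plain strings; `cmdArgs.push("-vv");` keeps the hunk consistent. runScan begins and ends outside this hunk, and dist/index.js carries the same change in its corresponding hunk.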
@@ -533,25 +213,10 @@ async function runScan({
 core.debug(cmdOutput);
 }
 
- let grypeVulnerabilities;
- try {
- grypeVulnerabilities = JSON.parse(cmdOutput);
- } catch (e) {
- core.error(`Unable to parse grype output: ${e}`);
- core.error(cmdOutput);
- }
 if (acsReportEnable) {
- try {
- const serifOut = sarifGrypeGeneration(
- grypeVulnerabilities,
- severityCutoff.toLowerCase(),
- grypeVersion,
- source
- );
- Object.assign(out, serifOut);
- } catch (err) {
- throw new Error(err);
- }
+ const SARIF_FILE = "./results.sarif";
+ fs.writeFileSync(SARIF_FILE, cmdOutput);
+ out.sarif = SARIF_FILE;
 }
 
 if (failBuild === true && exitCode > 0) {
@@ -579,27 +244,6 @@ async function runScan({
 return out;
 }
 
-function sarifGrypeGeneration(
- grypeVulnerabilities,
- severity_cutoff_param,
- version,
- source
-) {
- // sarif generate section
- const SARIF_FILE = "./results.sarif";
- let sarifOutput = vulnerabilities_to_sarif(
- grypeVulnerabilities,
- severity_cutoff_param,
- version,
- source
- );
- fs.writeFileSync(SARIF_FILE, JSON.stringify(sarifOutput, null, 2));
- return {
- sarif: SARIF_FILE,
- };
- // end sarif generate section
-}
-
 module.exports = {
 run,
 runScan,
@@ -607,8 +251,6 @@ module.exports = {
 mergeResults,
 findContent,
 loadContent,
- vulnerabilities_to_sarif,
- convert_severity_to_acs_level,
 };
 
 if (require.main === module) {
diff --git a/package.json b/package.json
index ba597c81..f5b8219e 100644
--- a/package.json
+++ b/package.json
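Review bot: `fs.writeFileSync(SARIF_FILE, cmdOutput)` in the runScan hunk (-533) now writes grype's raw stdout to results.sarif without checking that it is a document at all, whereas the removed lines at least ran `JSON.parse` on the buffer and logged the raw output via `core.error` when that failed. If grype exits early or prints something other than the SARIF document to stdout, the action publishes an empty or malformed file and the failure only surfaces in whatever later consumes `out.sarif`, with the offending output no longer logged. Parsing the buffer once before writing, and keeping the `core.error` diagnostics on failure, preserves the earlier behaviour; the sketch below does that. runScan starts and ends outside this hunk, and dist/index.js carries the same lines in its corresponding hunk.
```javascript
  if (acsReportEnable) {
    const SARIF_FILE = "./results.sarif";
    // grype emits the SARIF document on stdout; do not publish output that is not even JSON
    try {
      JSON.parse(cmdOutput);
    } catch (e) {
      core.error(`Unable to parse grype SARIF output: ${e}`);
      core.error(cmdOutput);
      throw new Error(`grype did not produce a valid SARIF document: ${e}`);
    }
    // … unchanged: write SARIF_FILE and record it in out.sarif …
  }
```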
@@ -11,7 +11,7 @@
 "lint": "eslint index.js",
 "test": "eslint index.js && npm run download-pinned-grype-db && GRYPE_DB_AUTO_UPDATE=false GRYPE_DB_CACHE_DIR=./grype-db jest",
 "update-snapshots": "eslint index.js && npm run download-pinned-grype-db && GRYPE_DB_AUTO_UPDATE=false GRYPE_DB_CACHE_DIR=./grype-db jest --updateSnapshot",
- "download-pinned-grype-db": "mkdir -p grype-db/3 && curl -sL https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v3_2021-09-10T08:18:17Z.tar.gz | tar zxf - -C grype-db/3",
+ "download-pinned-grype-db": "mkdir -p grype-db/3 && curl -sL https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v3_2022-03-16T08:14:11Z.tar.gz | tar zxf - -C grype-db/3",
 "build": "ncc build ./index.js",
 "precommit": "pretty-quick --staged && npm run build && git add dist/",
 "prettier": "prettier -w index.js"
diff --git a/tests/__snapshots__/sarif_output.test.js.snap b/tests/__snapshots__/sarif_output.test.js.snap
index e795bbfa..ef161fca 100644
--- a/tests/__snapshots__/sarif_output.test.js.snap
+++ b/tests/__snapshots__/sarif_output.test.js.snap
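Review bot: the updated `download-pinned-grype-db` script still pipes the tarball from `curl -sL` straight into `tar zxf -` with no integrity check, so the new date only pins which file is requested, not what gets extracted into grype-db/3. Because the test snapshots depend on the exact database contents, the pin would be reproducible and tamper-evident if the archive were saved to a file and checked against a recorded sha256 (the project's own value for this build, which is not on this page) before extraction, e.g. `curl -sL <url> -o db.tar.gz && echo "<sha256>  db.tar.gz" | sha256sum -c - && tar zxf db.tar.gz -C grype-db/3`. This applies equally to the `test` and `update-snapshots` entries that invoke it.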
@@ -2,38 +2,24 @@ exports[`SARIF alpine 1`] = ` Object { - "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json", + "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", "runs": Array [ Object { - "columnKind": "utf16CodeUnits", - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - "kind": "namespace", - "name": "dockerfile", - }, - ], "results": Array [ Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -43,37 +29,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2014-6051_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2014-6051-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -83,37 +56,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2014-6052_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2014-6052-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -123,37 +83,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2014-6053_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2014-6053-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -163,37 +110,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2014-6054_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2014-6054-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -203,37 +137,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2014-6055_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2014-6055-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -243,37 +164,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2016-9941_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2016-9941-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -283,37 +191,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2016-9942_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2016-9942-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -323,37 +218,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2018-7225_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2018-7225-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -363,37 +245,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2019-15681_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2019-15681-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -403,37 +272,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2019-20839_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2019-20839-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -443,37 +299,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2019-20840_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2019-20840-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -483,37 +326,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-14397_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-14397-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -523,37 +353,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-14399_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-14399-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -563,37 +380,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-14400_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-14400-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -603,37 +407,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-14401_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-14401-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -643,37 +434,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-14402_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-14402-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -683,37 +461,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-14403_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-14403-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -723,37 +488,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-14404_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-14404-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -763,37 +515,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-14405_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-14405-libvncserver", }, Object { - "analysisTarget": Object { - "uri": "/lib/apk/db/installed", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/lib/apk/db/installed", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/lib/apk/db/installed", + "uri": "image//lib/apk/db/installed", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, @@ -803,23 +542,15 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which would result in a vulnerable (apk) package installed", + "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-25708_apk_libvncserver_0.9.9", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-25708-libvncserver", }, ], "tool": Object { "driver": Object { - "dottedQuadFileVersion": "0.27.3.0", - "fullName": "Anchore Container Vulnerability Report (T0)", - "name": "Anchore Container Vulnerability Report (T0)", + "informationUri": "https://github.com/anchore/grype", + "name": "Grype", "rules": Array [ Object { "fullDescription": Object { 
@@ -829,21 +560,26 @@ Object { "markdown": "**Vulnerability CVE-2014-6051** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|libvncserver|0.9.9|none|apk|/lib/apk/db/installed|unknown|[CVE-2014-6051](https://nvd.nist.gov/vuln/detail/CVE-2014-6051)| +| high | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd | [CVE-2014-6051](https://nvd.nist.gov/vuln/detail/CVE-2014-6051) | ", "text": "Vulnerability CVE-2014-6051 -Severity: High +Severity: high Package: libvncserver Version: 0.9.9 -Fix Version: none +Fix Version: Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: nvd Link: [CVE-2014-6051](https://nvd.nist.gov/vuln/detail/CVE-2014-6051)", }, - "id": "ANCHOREVULN_CVE-2014-6051_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2014-6051-libvncserver", + "name": "ApkMatcherCpeMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2014-6051 High vulnerability for libvncserver package", + "text": "CVE-2014-6051 high vulnerability for libvncserver package", }, }, Object { 
@@ -854,21 +590,26 @@ Link: [CVE-2014-6051](https://nvd.nist.gov/vuln/detail/CVE-2014-6051)", "markdown": "**Vulnerability CVE-2014-6052** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|libvncserver|0.9.9|none|apk|/lib/apk/db/installed|unknown|[CVE-2014-6052](https://nvd.nist.gov/vuln/detail/CVE-2014-6052)| +| high | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd | [CVE-2014-6052](https://nvd.nist.gov/vuln/detail/CVE-2014-6052) | ", "text": "Vulnerability CVE-2014-6052 -Severity: High +Severity: high Package: libvncserver Version: 0.9.9 -Fix Version: none +Fix Version: Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: nvd Link: [CVE-2014-6052](https://nvd.nist.gov/vuln/detail/CVE-2014-6052)", }, - "id": "ANCHOREVULN_CVE-2014-6052_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2014-6052-libvncserver", + "name": "ApkMatcherCpeMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2014-6052 High vulnerability for libvncserver package", + "text": "CVE-2014-6052 high vulnerability for libvncserver package", }, }, Object { 
@@ -879,21 +620,26 @@ Link: [CVE-2014-6052](https://nvd.nist.gov/vuln/detail/CVE-2014-6052)", "markdown": "**Vulnerability CVE-2014-6053** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Medium|libvncserver|0.9.9|none|apk|/lib/apk/db/installed|unknown|[CVE-2014-6053](https://nvd.nist.gov/vuln/detail/CVE-2014-6053)| +| medium | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd | [CVE-2014-6053](https://nvd.nist.gov/vuln/detail/CVE-2014-6053) | ", "text": "Vulnerability CVE-2014-6053 -Severity: Medium +Severity: medium Package: libvncserver Version: 0.9.9 -Fix Version: none +Fix Version: Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: nvd Link: [CVE-2014-6053](https://nvd.nist.gov/vuln/detail/CVE-2014-6053)", }, - "id": "ANCHOREVULN_CVE-2014-6053_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2014-6053-libvncserver", + "name": "ApkMatcherCpeMatch", + "properties": Object { + "security-severity": "5.000000", + }, "shortDescription": Object { - "text": "CVE-2014-6053 Medium vulnerability for libvncserver package", + "text": "CVE-2014-6053 medium vulnerability for libvncserver package", }, }, Object { 
@@ -904,21 +650,26 @@ Link: [CVE-2014-6053](https://nvd.nist.gov/vuln/detail/CVE-2014-6053)", "markdown": "**Vulnerability CVE-2014-6054** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Medium|libvncserver|0.9.9|none|apk|/lib/apk/db/installed|unknown|[CVE-2014-6054](https://nvd.nist.gov/vuln/detail/CVE-2014-6054)| +| medium | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd | [CVE-2014-6054](https://nvd.nist.gov/vuln/detail/CVE-2014-6054) | ", "text": "Vulnerability CVE-2014-6054 -Severity: Medium +Severity: medium Package: libvncserver Version: 0.9.9 -Fix Version: none +Fix Version: Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: nvd Link: [CVE-2014-6054](https://nvd.nist.gov/vuln/detail/CVE-2014-6054)", }, - "id": "ANCHOREVULN_CVE-2014-6054_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2014-6054-libvncserver", + "name": "ApkMatcherCpeMatch", + "properties": Object { + "security-severity": "4.300000", + }, "shortDescription": Object { - "text": "CVE-2014-6054 Medium vulnerability for libvncserver package", + "text": "CVE-2014-6054 medium vulnerability for libvncserver package", }, }, Object { 
@@ -929,21 +680,26 @@ Link: [CVE-2014-6054](https://nvd.nist.gov/vuln/detail/CVE-2014-6054)", "markdown": "**Vulnerability CVE-2014-6055** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Medium|libvncserver|0.9.9|none|apk|/lib/apk/db/installed|unknown|[CVE-2014-6055](https://nvd.nist.gov/vuln/detail/CVE-2014-6055)| +| medium | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd | [CVE-2014-6055](https://nvd.nist.gov/vuln/detail/CVE-2014-6055) | ", "text": "Vulnerability CVE-2014-6055 -Severity: Medium +Severity: medium Package: libvncserver Version: 0.9.9 -Fix Version: none +Fix Version: Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: nvd Link: [CVE-2014-6055](https://nvd.nist.gov/vuln/detail/CVE-2014-6055)", }, - "id": "ANCHOREVULN_CVE-2014-6055_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2014-6055-libvncserver", + "name": "ApkMatcherCpeMatch", + "properties": Object { + "security-severity": "6.500000", + }, "shortDescription": Object { - "text": "CVE-2014-6055 Medium vulnerability for libvncserver package", + "text": "CVE-2014-6055 medium vulnerability for libvncserver package", }, }, Object { 
@@ -954,21 +710,26 @@ Link: [CVE-2014-6055](https://nvd.nist.gov/vuln/detail/CVE-2014-6055)", "markdown": "**Vulnerability CVE-2016-9941** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Critical|libvncserver|0.9.9|0.9.11-r0|apk|/lib/apk/db/installed|unknown|[CVE-2016-9941](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9941)| +| critical | libvncserver | 0.9.9 | 0.9.11-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2016-9941](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9941) | ", "text": "Vulnerability CVE-2016-9941 -Severity: Critical +Severity: critical Package: libvncserver Version: 0.9.9 Fix Version: 0.9.11-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2016-9941](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9941)", }, - "id": "ANCHOREVULN_CVE-2016-9941_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2016-9941-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "9.800000", + }, "shortDescription": Object { - "text": "CVE-2016-9941 Critical vulnerability for libvncserver package", + "text": "CVE-2016-9941 critical vulnerability for libvncserver package", }, }, Object { 
@@ -979,21 +740,26 @@ Link: [CVE-2016-9941](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-994 "markdown": "**Vulnerability CVE-2016-9942** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Critical|libvncserver|0.9.9|0.9.11-r0|apk|/lib/apk/db/installed|unknown|[CVE-2016-9942](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9942)| +| critical | libvncserver | 0.9.9 | 0.9.11-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2016-9942](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9942) | ", "text": "Vulnerability CVE-2016-9942 -Severity: Critical +Severity: critical Package: libvncserver Version: 0.9.9 Fix Version: 0.9.11-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2016-9942](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9942)", }, - "id": "ANCHOREVULN_CVE-2016-9942_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2016-9942-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "9.800000", + }, "shortDescription": Object { - "text": "CVE-2016-9942 Critical vulnerability for libvncserver package", + "text": "CVE-2016-9942 critical vulnerability for libvncserver package", }, }, Object { 
@@ -1004,21 +770,26 @@ Link: [CVE-2016-9942](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-994 "markdown": "**Vulnerability CVE-2018-7225** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Critical|libvncserver|0.9.9|0.9.11-r2|apk|/lib/apk/db/installed|unknown|[CVE-2018-7225](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225)| +| critical | libvncserver | 0.9.9 | 0.9.11-r2 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2018-7225](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225) | ", "text": "Vulnerability CVE-2018-7225 -Severity: Critical +Severity: critical Package: libvncserver Version: 0.9.9 Fix Version: 0.9.11-r2 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2018-7225](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225)", }, - "id": "ANCHOREVULN_CVE-2018-7225_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2018-7225-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "9.800000", + }, "shortDescription": Object { - "text": "CVE-2018-7225 Critical vulnerability for libvncserver package", + "text": "CVE-2018-7225 critical vulnerability for libvncserver package", }, }, Object { 
@@ -1029,21 +800,26 @@ Link: [CVE-2018-7225](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-722 "markdown": "**Vulnerability CVE-2019-15681** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|libvncserver|0.9.9|0.9.12-r1|apk|/lib/apk/db/installed|unknown|[CVE-2019-15681](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15681)| +| high | libvncserver | 0.9.9 | 0.9.12-r1 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2019-15681](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15681) | ", "text": "Vulnerability CVE-2019-15681 -Severity: High +Severity: high Package: libvncserver Version: 0.9.9 Fix Version: 0.9.12-r1 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2019-15681](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15681)", }, - "id": "ANCHOREVULN_CVE-2019-15681_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2019-15681-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2019-15681 High vulnerability for libvncserver package", + "text": "CVE-2019-15681 high vulnerability for libvncserver package", }, }, Object { 
@@ -1054,21 +830,26 @@ Link: [CVE-2019-15681](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15 "markdown": "**Vulnerability CVE-2019-20839** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2019-20839](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20839)| +| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2019-20839](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20839) | ", "text": "Vulnerability CVE-2019-20839 -Severity: High +Severity: high Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2019-20839](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20839)", }, - "id": "ANCHOREVULN_CVE-2019-20839_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2019-20839-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2019-20839 High vulnerability for libvncserver package", + "text": "CVE-2019-20839 high vulnerability for libvncserver package", }, }, Object { 
@@ -1079,21 +860,26 @@ Link: [CVE-2019-20839](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20 "markdown": "**Vulnerability CVE-2019-20840** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2019-20840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20840)| +| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2019-20840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20840) | ", "text": "Vulnerability CVE-2019-20840 -Severity: High +Severity: high Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2019-20840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20840)", }, - "id": "ANCHOREVULN_CVE-2019-20840_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2019-20840-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2019-20840 High vulnerability for libvncserver package", + "text": "CVE-2019-20840 high vulnerability for libvncserver package", }, }, Object { 
@@ -1104,21 +890,26 @@ Link: [CVE-2019-20840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20 "markdown": "**Vulnerability CVE-2020-14397** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2020-14397](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397)| +| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2020-14397](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397) | ", "text": "Vulnerability CVE-2020-14397 -Severity: High +Severity: high Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2020-14397](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397)", }, - "id": "ANCHOREVULN_CVE-2020-14397_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-14397-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2020-14397 High vulnerability for libvncserver package", + "text": "CVE-2020-14397 high vulnerability for libvncserver package", }, }, Object { 
@@ -1129,21 +920,26 @@ Link: [CVE-2020-14397](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14 "markdown": "**Vulnerability CVE-2020-14399** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2020-14399](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14399)| +| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2020-14399](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14399) | ", "text": "Vulnerability CVE-2020-14399 -Severity: High +Severity: high Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2020-14399](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14399)", }, - "id": "ANCHOREVULN_CVE-2020-14399_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-14399-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2020-14399 High vulnerability for libvncserver package", + "text": "CVE-2020-14399 high vulnerability for libvncserver package", }, }, Object { 
@@ -1154,21 +950,26 @@ Link: [CVE-2020-14399](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14 "markdown": "**Vulnerability CVE-2020-14400** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2020-14400](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400)| +| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2020-14400](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400) | ", "text": "Vulnerability CVE-2020-14400 -Severity: High +Severity: high Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2020-14400](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400)", }, - "id": "ANCHOREVULN_CVE-2020-14400_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-14400-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2020-14400 High vulnerability for libvncserver package", + "text": "CVE-2020-14400 high vulnerability for libvncserver package", }, }, Object { 
@@ -1179,21 +980,26 @@ Link: [CVE-2020-14400](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14 "markdown": "**Vulnerability CVE-2020-14401** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Medium|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2020-14401](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14401)| +| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2020-14401](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14401) | ", "text": "Vulnerability CVE-2020-14401 -Severity: Medium +Severity: medium Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2020-14401](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14401)", }, - "id": "ANCHOREVULN_CVE-2020-14401_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-14401-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "6.500000", + }, "shortDescription": Object { - "text": "CVE-2020-14401 Medium vulnerability for libvncserver package", + "text": "CVE-2020-14401 medium vulnerability for libvncserver package", }, }, Object { 
@@ -1204,21 +1010,26 @@ Link: [CVE-2020-14401](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14 "markdown": "**Vulnerability CVE-2020-14402** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Medium|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2020-14402](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402)| +| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2020-14402](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402) | ", "text": "Vulnerability CVE-2020-14402 -Severity: Medium +Severity: medium Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2020-14402](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402)", }, - "id": "ANCHOREVULN_CVE-2020-14402_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-14402-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "5.500000", + }, "shortDescription": Object { - "text": "CVE-2020-14402 Medium vulnerability for libvncserver package", + "text": "CVE-2020-14402 medium vulnerability for libvncserver package", }, }, Object { 
@@ -1229,21 +1040,26 @@ Link: [CVE-2020-14402](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14 "markdown": "**Vulnerability CVE-2020-14403** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Medium|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2020-14403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403)| +| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2020-14403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403) | ", "text": "Vulnerability CVE-2020-14403 -Severity: Medium +Severity: medium Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2020-14403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403)", }, - "id": "ANCHOREVULN_CVE-2020-14403_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-14403-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "5.500000", + }, "shortDescription": Object { - "text": "CVE-2020-14403 Medium vulnerability for libvncserver package", + "text": "CVE-2020-14403 medium vulnerability for libvncserver package", }, }, Object { 
@@ -1254,21 +1070,26 @@ Link: [CVE-2020-14403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14 "markdown": "**Vulnerability CVE-2020-14404** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Medium|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2020-14404](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404)| +| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2020-14404](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404) | ", "text": "Vulnerability CVE-2020-14404 -Severity: Medium +Severity: medium Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2020-14404](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404)", }, - "id": "ANCHOREVULN_CVE-2020-14404_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-14404-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "5.500000", + }, "shortDescription": Object { - "text": "CVE-2020-14404 Medium vulnerability for libvncserver package", + "text": "CVE-2020-14404 medium vulnerability for libvncserver package", }, }, Object { 
@@ -1279,21 +1100,26 @@ Link: [CVE-2020-14404](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14 "markdown": "**Vulnerability CVE-2020-14405** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Medium|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2020-14405](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14405)| +| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2020-14405](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14405) | ", "text": "Vulnerability CVE-2020-14405 -Severity: Medium +Severity: medium Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2020-14405](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14405)", }, - "id": "ANCHOREVULN_CVE-2020-14405_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-14405-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "6.500000", + }, "shortDescription": Object { - "text": "CVE-2020-14405 Medium vulnerability for libvncserver package", + "text": "CVE-2020-14405 medium vulnerability for libvncserver package", }, }, Object { 
@@ -1304,26 +1130,30 @@ Link: [CVE-2020-14405](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14 "markdown": "**Vulnerability CVE-2020-25708** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|libvncserver|0.9.9|0.9.13-r0|apk|/lib/apk/db/installed|unknown|[CVE-2020-25708](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25708)| +| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:3.12 | [CVE-2020-25708](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25708) | ", "text": "Vulnerability CVE-2020-25708 -Severity: High +Severity: high Package: libvncserver Version: 0.9.9 Fix Version: 0.9.13-r0 Type: apk Location: /lib/apk/db/installed -Data Namespace: unknown +Data Namespace: alpine:3.12 Link: [CVE-2020-25708](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25708)", }, - "id": "ANCHOREVULN_CVE-2020-25708_apk_libvncserver_0.9.9", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-25708-libvncserver", + "name": "ApkMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2020-25708 High vulnerability for libvncserver package", + "text": "CVE-2020-25708 high vulnerability for libvncserver package", }, }, ], - "semanticVersion": "0.27.3", - "version": "0.27.3", + "version": "0.34.1", }, }, }, 
@@ -1334,38 +1164,24 @@ Link: [CVE-2020-25708](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25 exports[`SARIF debian 1`] = ` Object { - "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json", + "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", "runs": Array [ Object { - "columnKind": "utf16CodeUnits", - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - "kind": "namespace", - "name": "dockerfile", - }, - ], "results": Array [ Object { - "analysisTarget": Object { - "uri": "/var/lib/dpkg/status", - }, - "baselineState": "unchanged", - "level": "warning", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/var/lib/dpkg/status", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/var/lib/dpkg/status", + "uri": "image//var/lib/dpkg/status", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1375,37 +1191,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /var/lib/dpkg/status reports apt at version 1.8.2 which would result in a vulnerable (deb) package installed", + "text": "The path /var/lib/dpkg/status reports apt at version 1.8.2 which is a vulnerable (deb) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2011-3374_deb_apt_1.8.2", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2011-3374-apt", }, Object { - "analysisTarget": Object { - "uri": "/ruby/specifications/bundler.gemspec", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/ruby/specifications/bundler.gemspec", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/ruby/specifications/bundler.gemspec", + "uri": "image//ruby/specifications/bundler.gemspec", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1415,37 +1218,24 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which would result in a vulnerable (gem) package installed", + "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which is a vulnerable (gem) package installed in the container", }, - "ruleId": "ANCHOREVULN_CVE-2020-36327_gem_bundler_2.1.4", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-36327-bundler", }, Object { - "analysisTarget": Object { - "uri": "/python/dist-info/METADATA", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/ruby/specifications/bundler.gemspec", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/python/dist-info/METADATA", + "uri": "image//ruby/specifications/bundler.gemspec", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1455,37 +1245,28 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /python/dist-info/METADATA reports Pygments at version 2.6.1 which would result in a vulnerable (python) package installed", + "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which is a vulnerable (gem) package installed in the container", }, - "ruleId": "ANCHOREVULN_GHSA-9w8r-397f-prfh_python_Pygments_2.6.1", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2021-43809-bundler", }, Object { - "analysisTarget": Object { - "uri": "/ruby/specifications/bundler.gemspec", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/python/dist-info/METADATA", + }, + Object { + "fullyQualifiedName": "", + "name": "/python/dist-info/top_level.txt", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/ruby/specifications/bundler.gemspec", + "uri": "image//python/dist-info/METADATA", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1495,37 +1276,51 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which would result in a vulnerable (gem) package installed", + "text": "The path /python/dist-info/METADATA reports Pygments at version 2.6.1 which is a vulnerable (python) package installed in the container", }, - "ruleId": "ANCHOREVULN_GHSA-fp4w-jxhp-m23p_gem_bundler_2.1.4", - "ruleIndex": 0, - "suppressions": Array [ + "ruleId": "GHSA-9w8r-397f-prfh-Pygments", + }, + Object { + "locations": Array [ Object { - "kind": "external", + "logicalLocations": Array [ + Object { + "fullyQualifiedName": "", + "name": "/ruby/specifications/bundler.gemspec", + }, + ], + "physicalLocation": Object { + "artifactLocation": Object { + "uri": "image//ruby/specifications/bundler.gemspec", + }, + "region": Object { + "endColumn": 1, + "endLine": 1, + "startColumn": 1, + "startLine": 1, + }, + }, }, ], + "message": Object { + "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which is a vulnerable (gem) package installed in the container", + }, + "ruleId": "GHSA-fj7f-vq84-fh43-bundler", }, Object { - "analysisTarget": Object { - "uri": "/python/dist-info/METADATA", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { "logicalLocations": Array [ Object { - "fullyQualifiedName": "dockerfile", + "fullyQualifiedName": "", + "name": "/ruby/specifications/bundler.gemspec", }, ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "/python/dist-info/METADATA", + "uri": "image//ruby/specifications/bundler.gemspec", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1535,23 +1330,46 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path /python/dist-info/METADATA reports Pygments at version 2.6.1 which would result in a vulnerable (python) package installed", + "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which is a vulnerable (gem) package installed in the container", }, - "ruleId": "ANCHOREVULN_GHSA-pq64-v7f5-gqh8_python_Pygments_2.6.1", - "ruleIndex": 0, - "suppressions": Array [ + "ruleId": "GHSA-fp4w-jxhp-m23p-bundler", + }, + Object { + "locations": Array [ Object { - "kind": "external", + "logicalLocations": Array [ + Object { + "fullyQualifiedName": "", + "name": "/python/dist-info/METADATA", + }, + Object { + "fullyQualifiedName": "", + "name": "/python/dist-info/top_level.txt", + }, + ], + "physicalLocation": Object { + "artifactLocation": Object { + "uri": "image//python/dist-info/METADATA", + }, + "region": Object { + "endColumn": 1, + "endLine": 1, + "startColumn": 1, + "startLine": 1, + }, + }, }, ], + "message": Object { + "text": "The path /python/dist-info/METADATA reports Pygments at version 2.6.1 which is a vulnerable (python) package installed in the container", + }, + "ruleId": "GHSA-pq64-v7f5-gqh8-Pygments", }, ], "tool": Object { "driver": Object { - "dottedQuadFileVersion": "0.27.3.0", - "fullName": "Anchore Container Vulnerability Report (T0)", - "name": "Anchore Container Vulnerability Report (T0)", + "informationUri": "https://github.com/anchore/grype", + "name": "Grype", "rules": Array [ Object { "fullDescription": Object { 
@@ -1561,21 +1379,26 @@ Object { "markdown": "**Vulnerability CVE-2011-3374** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Negligible|apt|1.8.2|none|deb|/var/lib/dpkg/status|unknown|[CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374)| +| low | apt | 1.8.2 | | deb | /var/lib/dpkg/status | debian:8 | [CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374) | ", "text": "Vulnerability CVE-2011-3374 -Severity: Negligible +Severity: low Package: apt Version: 1.8.2 -Fix Version: none +Fix Version: Type: deb Location: /var/lib/dpkg/status -Data Namespace: unknown +Data Namespace: debian:8 Link: [CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374)", }, - "id": "ANCHOREVULN_CVE-2011-3374_deb_apt_1.8.2", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2011-3374-apt", + "name": "DpkgMatcherExactDirectMatch", + "properties": Object { + "security-severity": "4.300000", + }, "shortDescription": Object { - "text": "CVE-2011-3374 Negligible vulnerability for apt package", + "text": "CVE-2011-3374 low vulnerability for apt package", }, }, Object { 
@@ -1586,21 +1409,56 @@ Link: [CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374) "markdown": "**Vulnerability CVE-2020-36327** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|bundler|2.1.4|none|gem|/ruby/specifications/bundler.gemspec|unknown|[CVE-2020-36327](https://nvd.nist.gov/vuln/detail/CVE-2020-36327)| +| high | bundler | 2.1.4 | | gem | /ruby/specifications/bundler.gemspec | nvd | [CVE-2020-36327](https://nvd.nist.gov/vuln/detail/CVE-2020-36327) | ", "text": "Vulnerability CVE-2020-36327 -Severity: High +Severity: high Package: bundler Version: 2.1.4 -Fix Version: none +Fix Version: Type: gem Location: /ruby/specifications/bundler.gemspec -Data Namespace: unknown +Data Namespace: nvd Link: [CVE-2020-36327](https://nvd.nist.gov/vuln/detail/CVE-2020-36327)", }, - "id": "ANCHOREVULN_CVE-2020-36327_gem_bundler_2.1.4", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-36327-bundler", + "name": "RubyGemMatcherCpeMatch", + "properties": Object { + "security-severity": "9.300000", + }, + "shortDescription": Object { + "text": "CVE-2020-36327 high vulnerability for bundler package", + }, + }, + Object { + "fullDescription": Object { + "text": "\`Bundler\` is a package for managing application dependencies in Ruby. In \`bundler\` versions before 2.2.33, when working with untrusted and apparently harmless \`Gemfile\`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the \`Gemfile\` itself. However, if the \`Gemfile\` includes \`gem\` entries that use the \`git\` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as \`git clone\`. These commands are being constructed using user input (e.g. the repository URL). 
When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (\`-\`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the \`Gemfile\` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a \`Gemfile\` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of \`-u./payload\`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as \`bundle lock\`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting \`--\` as an argument before any positional arguments to those Git commands that were affected by this issue. 
Regardless of whether users can upgrade or not, they should review any untrustred \`Gemfile\`'s before running any \`bundler\` commands that may read them, since they can contain arbitrary ruby code.", + }, + "help": Object { + "markdown": "**Vulnerability CVE-2021-43809** +| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | +| --- | --- | --- | --- | --- | --- | --- | --- | +| high | bundler | 2.1.4 | | gem | /ruby/specifications/bundler.gemspec | nvd | [CVE-2021-43809](https://nvd.nist.gov/vuln/detail/CVE-2021-43809) | +", + "text": "Vulnerability CVE-2021-43809 +Severity: high +Package: bundler +Version: 2.1.4 +Fix Version: +Type: gem +Location: /ruby/specifications/bundler.gemspec +Data Namespace: nvd +Link: [CVE-2021-43809](https://nvd.nist.gov/vuln/detail/CVE-2021-43809)", + }, + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2021-43809-bundler", + "name": "RubyGemMatcherCpeMatch", + "properties": Object { + "security-severity": "9.300000", + }, "shortDescription": Object { - "text": "CVE-2020-36327 High vulnerability for bundler package", + "text": "CVE-2021-43809 high vulnerability for bundler package", }, }, Object { 
@@ -1611,21 +1469,56 @@ Link: [CVE-2020-36327](https://nvd.nist.gov/vuln/detail/CVE-2020-36327)", "markdown": "**Vulnerability GHSA-9w8r-397f-prfh** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|Pygments|2.6.1|2.7.4|python|/python/dist-info/METADATA|unknown|[GHSA-9w8r-397f-prfh](https://github.com/advisories/GHSA-9w8r-397f-prfh)| +| high | Pygments | 2.6.1 | 2.7.4 | python | /python/dist-info/METADATA | github:python | [GHSA-9w8r-397f-prfh](https://github.com/advisories/GHSA-9w8r-397f-prfh) | ", "text": "Vulnerability GHSA-9w8r-397f-prfh -Severity: High +Severity: high Package: Pygments Version: 2.6.1 Fix Version: 2.7.4 Type: python Location: /python/dist-info/METADATA -Data Namespace: unknown +Data Namespace: github:python Link: [GHSA-9w8r-397f-prfh](https://github.com/advisories/GHSA-9w8r-397f-prfh)", }, - "id": "ANCHOREVULN_GHSA-9w8r-397f-prfh_python_Pygments_2.6.1", + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-9w8r-397f-prfh-Pygments", + "name": "PythonMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "GHSA-9w8r-397f-prfh High vulnerability for Pygments package", + "text": "GHSA-9w8r-397f-prfh high vulnerability for Pygments package", + }, + }, + Object { + "fullDescription": Object { + "text": "Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile.", + }, + "help": Object { + "markdown": "**Vulnerability GHSA-fj7f-vq84-fh43** +| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | +| --- | --- | --- | --- | --- | --- | --- | --- | +| medium | bundler | 2.1.4 | 2.2.33 | gem | /ruby/specifications/bundler.gemspec | github:gem | [GHSA-fj7f-vq84-fh43](https://github.com/advisories/GHSA-fj7f-vq84-fh43) | +", + "text": "Vulnerability GHSA-fj7f-vq84-fh43 +Severity: medium +Package: bundler +Version: 
2.1.4 +Fix Version: 2.2.33 +Type: gem +Location: /ruby/specifications/bundler.gemspec +Data Namespace: github:gem +Link: [GHSA-fj7f-vq84-fh43](https://github.com/advisories/GHSA-fj7f-vq84-fh43)", + }, + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-fj7f-vq84-fh43-bundler", + "name": "RubyGemMatcherExactDirectMatch", + "properties": Object { + "security-severity": "9.300000", + }, + "shortDescription": Object { + "text": "GHSA-fj7f-vq84-fh43 medium vulnerability for bundler package", }, }, Object { @@ -1636,21 +1529,26 @@ Link: [GHSA-9w8r-397f-prfh](https://github.com/advisories/GHSA-9w8r-397f-prfh)", "markdown": "**Vulnerability GHSA-fp4w-jxhp-m23p** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|bundler|2.1.4|2.2.10|gem|/ruby/specifications/bundler.gemspec|unknown|[GHSA-fp4w-jxhp-m23p](https://github.com/advisories/GHSA-fp4w-jxhp-m23p)| +| high | bundler | 2.1.4 | 2.2.10 | gem | /ruby/specifications/bundler.gemspec | github:gem | [GHSA-fp4w-jxhp-m23p](https://github.com/advisories/GHSA-fp4w-jxhp-m23p) | ", "text": "Vulnerability GHSA-fp4w-jxhp-m23p -Severity: High +Severity: high Package: bundler Version: 2.1.4 Fix Version: 2.2.10 Type: gem Location: /ruby/specifications/bundler.gemspec -Data Namespace: unknown +Data Namespace: github:gem Link: [GHSA-fp4w-jxhp-m23p](https://github.com/advisories/GHSA-fp4w-jxhp-m23p)", }, - "id": "ANCHOREVULN_GHSA-fp4w-jxhp-m23p_gem_bundler_2.1.4", + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-fp4w-jxhp-m23p-bundler", + "name": "RubyGemMatcherExactDirectMatch", + "properties": Object { + "security-severity": "9.300000", + }, "shortDescription": Object { - "text": "GHSA-fp4w-jxhp-m23p High vulnerability for bundler package", + "text": "GHSA-fp4w-jxhp-m23p high vulnerability for bundler package", }, }, Object { 
@@ -1661,26 +1559,30 @@ Link: [GHSA-fp4w-jxhp-m23p](https://github.com/advisories/GHSA-fp4w-jxhp-m23p)", "markdown": "**Vulnerability GHSA-pq64-v7f5-gqh8** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|Medium|Pygments|2.6.1|2.7.4|python|/python/dist-info/METADATA|unknown|[GHSA-pq64-v7f5-gqh8](https://github.com/advisories/GHSA-pq64-v7f5-gqh8)| +| medium | Pygments | 2.6.1 | 2.7.4 | python | /python/dist-info/METADATA | github:python | [GHSA-pq64-v7f5-gqh8](https://github.com/advisories/GHSA-pq64-v7f5-gqh8) | ", "text": "Vulnerability GHSA-pq64-v7f5-gqh8 -Severity: Medium +Severity: medium Package: Pygments Version: 2.6.1 Fix Version: 2.7.4 Type: python Location: /python/dist-info/METADATA -Data Namespace: unknown +Data Namespace: github:python Link: [GHSA-pq64-v7f5-gqh8](https://github.com/advisories/GHSA-pq64-v7f5-gqh8)", }, - "id": "ANCHOREVULN_GHSA-pq64-v7f5-gqh8_python_Pygments_2.6.1", + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-pq64-v7f5-gqh8-Pygments", + "name": "PythonMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "GHSA-pq64-v7f5-gqh8 Medium vulnerability for Pygments package", + "text": "GHSA-pq64-v7f5-gqh8 medium vulnerability for Pygments package", }, }, ], - "semanticVersion": "0.27.3", - "version": "0.27.3", + "version": "0.34.1", }, }, }, 
@@ -1691,38 +1593,18 @@ Link: [GHSA-pq64-v7f5-gqh8](https://github.com/advisories/GHSA-pq64-v7f5-gqh8)", exports[`SARIF npm 1`] = ` Object { - "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json", + "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", "runs": Array [ Object { - "columnKind": "utf16CodeUnits", - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - "kind": "namespace", - "name": "dockerfile", - }, - ], "results": Array [ Object { - "analysisTarget": Object { - "uri": "package-lock.json", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - }, - ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "package-lock.json", + "uri": "tests/fixtures/npm-project/package-lock.json", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1732,37 +1614,18 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, - "ruleId": "ANCHOREVULN_CVE-2021-32803_npm_tar_6.1.0", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2021-32803-tar", }, Object { - "analysisTarget": Object { - "uri": "package-lock.json", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - }, - ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "package-lock.json", + "uri": "tests/fixtures/npm-project/package-lock.json", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1772,37 +1635,18 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, - "ruleId": "ANCHOREVULN_GHSA-3jfq-g458-7qm9_npm_tar_6.1.0", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2021-37701-tar", }, Object { - "analysisTarget": Object { - "uri": "package-lock.json", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - }, - ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "package-lock.json", + "uri": "tests/fixtures/npm-project/package-lock.json", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1812,37 +1656,18 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, - "ruleId": "ANCHOREVULN_GHSA-5955-9wpr-37jh_npm_tar_6.1.0", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2021-37712-tar", }, Object { - "analysisTarget": Object { - "uri": "package-lock.json", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - }, - ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "package-lock.json", + "uri": "tests/fixtures/npm-project/package-lock.json", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1852,37 +1677,39 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, - "ruleId": "ANCHOREVULN_GHSA-9r2w-394v-53qc_npm_tar_6.1.0", - "ruleIndex": 0, - "suppressions": Array [ + "ruleId": "CVE-2021-37713-tar", + }, + Object { + "locations": Array [ Object { - "kind": "external", + "physicalLocation": Object { + "artifactLocation": Object { + "uri": "tests/fixtures/npm-project/package-lock.json", + }, + "region": Object { + "endColumn": 1, + "endLine": 1, + "startColumn": 1, + "startLine": 1, + }, + }, }, ], + "message": Object { + "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + }, + "ruleId": "GHSA-3jfq-g458-7qm9-tar", }, Object { - "analysisTarget": Object { - "uri": "package-lock.json", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - }, - ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "package-lock.json", + "uri": "tests/fixtures/npm-project/package-lock.json", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1892,37 +1719,39 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, - "ruleId": "ANCHOREVULN_GHSA-qq89-hq3f-393p_npm_tar_6.1.0", - "ruleIndex": 0, - "suppressions": Array [ + "ruleId": "GHSA-5955-9wpr-37jh-tar", + }, + Object { + "locations": Array [ Object { - "kind": "external", + "physicalLocation": Object { + "artifactLocation": Object { + "uri": "tests/fixtures/npm-project/package-lock.json", + }, + "region": Object { + "endColumn": 1, + "endLine": 1, + "startColumn": 1, + "startLine": 1, + }, + }, }, ], + "message": Object { + "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + }, + "ruleId": "GHSA-9r2w-394v-53qc-tar", }, Object { - "analysisTarget": Object { - "uri": "package-lock.json", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - }, - ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "package-lock.json", + "uri": "tests/fixtures/npm-project/package-lock.json", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -1932,23 +1761,36 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, - "ruleId": "ANCHOREVULN_GHSA-r628-mhmh-qjhw_npm_tar_6.1.0", - "ruleIndex": 0, - "suppressions": Array [ + "ruleId": "GHSA-qq89-hq3f-393p-tar", + }, + Object { + "locations": Array [ Object { - "kind": "external", + "physicalLocation": Object { + "artifactLocation": Object { + "uri": "tests/fixtures/npm-project/package-lock.json", + }, + "region": Object { + "endColumn": 1, + "endLine": 1, + "startColumn": 1, + "startLine": 1, + }, + }, }, ], + "message": Object { + "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + }, + "ruleId": "GHSA-r628-mhmh-qjhw-tar", }, ], "tool": Object { "driver": Object { - "dottedQuadFileVersion": "0.27.3.0", - "fullName": "Anchore Container Vulnerability Report (T0)", - "name": "Anchore Container Vulnerability Report (T0)", + "informationUri": "https://github.com/anchore/grype", + "name": "Grype", "rules": Array [ Object { "fullDescription": Object { 
@@ -1958,21 +1800,116 @@ Object { "markdown": "**Vulnerability CVE-2021-32803** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|tar|6.1.0|none|npm|package-lock.json|unknown|[CVE-2021-32803](https://nvd.nist.gov/vuln/detail/CVE-2021-32803)| +| high | tar | 6.1.0 | | npm | tests/fixtures/npm-project/package-lock.json | nvd | [CVE-2021-32803](https://nvd.nist.gov/vuln/detail/CVE-2021-32803) | ", "text": "Vulnerability CVE-2021-32803 -Severity: High +Severity: high Package: tar Version: 6.1.0 -Fix Version: none +Fix Version: Type: npm -Location: package-lock.json -Data Namespace: unknown +Location: tests/fixtures/npm-project/package-lock.json +Data Namespace: nvd Link: [CVE-2021-32803](https://nvd.nist.gov/vuln/detail/CVE-2021-32803)", }, - "id": "ANCHOREVULN_CVE-2021-32803_npm_tar_6.1.0", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2021-32803-tar", + "name": "JavascriptMatcherCpeMatch", + "properties": Object { + "security-severity": "8.100000", + }, "shortDescription": Object { - "text": "CVE-2021-32803 High vulnerability for tar package", + "text": "CVE-2021-32803 high vulnerability for tar package", + }, + }, + Object { + "fullDescription": Object { + "text": "The npm package \\"tar\\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. 
This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\\\` and \`/\` characters as path separators, however \`\\\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", + }, + "help": Object { + "markdown": "**Vulnerability CVE-2021-37701** +| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | +| --- | --- | --- | --- | --- | --- | --- | --- | +| high | tar | 6.1.0 | | npm | tests/fixtures/npm-project/package-lock.json | nvd | [CVE-2021-37701](https://nvd.nist.gov/vuln/detail/CVE-2021-37701) | +", + "text": "Vulnerability CVE-2021-37701 +Severity: high +Package: tar +Version: 6.1.0 +Fix Version: +Type: npm +Location: tests/fixtures/npm-project/package-lock.json +Data Namespace: nvd +Link: [CVE-2021-37701](https://nvd.nist.gov/vuln/detail/CVE-2021-37701)", + }, + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2021-37701-tar", + "name": "JavascriptMatcherCpeMatch", + "properties": Object { + "security-severity": "8.600000", + }, + "shortDescription": Object { + "text": "CVE-2021-37701 high vulnerability for tar package", + }, + }, + Object { + "fullDescription": Object { + "text": "The npm package \\"tar\\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \\"short path\\" counterparts. 
A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", + }, + "help": Object { + "markdown": "**Vulnerability CVE-2021-37712** +| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | +| --- | --- | --- | --- | --- | --- | --- | --- | +| high | tar | 6.1.0 | | npm | tests/fixtures/npm-project/package-lock.json | nvd | [CVE-2021-37712](https://nvd.nist.gov/vuln/detail/CVE-2021-37712) | +", + "text": "Vulnerability CVE-2021-37712 +Severity: high +Package: tar +Version: 6.1.0 +Fix Version: +Type: npm +Location: tests/fixtures/npm-project/package-lock.json +Data Namespace: nvd +Link: [CVE-2021-37712](https://nvd.nist.gov/vuln/detail/CVE-2021-37712)", + }, + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2021-37712-tar", + "name": "JavascriptMatcherCpeMatch", + "properties": Object { + "security-severity": "8.600000", + }, + "shortDescription": Object { + "text": "CVE-2021-37712 high vulnerability for tar package", + }, + }, + Object { + "fullDescription": Object { + "text": "The npm 
package \\"tar\\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\\\path\`. If the drive letter does not match the extraction target, for example \`D:\\\\extraction\\\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. 
Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", + }, + "help": Object { + "markdown": "**Vulnerability CVE-2021-37713** +| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | +| --- | --- | --- | --- | --- | --- | --- | --- | +| high | tar | 6.1.0 | | npm | tests/fixtures/npm-project/package-lock.json | nvd | [CVE-2021-37713](https://nvd.nist.gov/vuln/detail/CVE-2021-37713) | +", + "text": "Vulnerability CVE-2021-37713 +Severity: high +Package: tar +Version: 6.1.0 +Fix Version: +Type: npm +Location: tests/fixtures/npm-project/package-lock.json +Data Namespace: nvd +Link: [CVE-2021-37713](https://nvd.nist.gov/vuln/detail/CVE-2021-37713)", + }, + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2021-37713-tar", + "name": "JavascriptMatcherCpeMatch", + "properties": Object { + "security-severity": "8.600000", + }, + "shortDescription": Object { + "text": "CVE-2021-37713 high vulnerability for tar package", }, }, Object { 
@@ -1983,21 +1920,26 @@ Link: [CVE-2021-32803](https://nvd.nist.gov/vuln/detail/CVE-2021-32803)", "markdown": "**Vulnerability GHSA-3jfq-g458-7qm9** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|tar|6.1.0|6.1.1|npm|package-lock.json|unknown|[GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9)| +| high | tar | 6.1.0 | 6.1.1 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9) | ", "text": "Vulnerability GHSA-3jfq-g458-7qm9 -Severity: High +Severity: high Package: tar Version: 6.1.0 Fix Version: 6.1.1 Type: npm -Location: package-lock.json -Data Namespace: unknown +Location: tests/fixtures/npm-project/package-lock.json +Data Namespace: github:npm Link: [GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9)", }, - "id": "ANCHOREVULN_GHSA-3jfq-g458-7qm9_npm_tar_6.1.0", + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-3jfq-g458-7qm9-tar", + "name": "JavascriptMatcherExactDirectMatch", + "properties": Object { + "security-severity": "8.100000", + }, "shortDescription": Object { - "text": "GHSA-3jfq-g458-7qm9 High vulnerability for tar package", + "text": "GHSA-3jfq-g458-7qm9 high vulnerability for tar package", }, }, Object { 
@@ -2008,21 +1950,26 @@ Link: [GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9)", "markdown": "**Vulnerability GHSA-5955-9wpr-37jh** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|tar|6.1.0|6.1.9|npm|package-lock.json|unknown|[GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh)| +| high | tar | 6.1.0 | 6.1.9 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh) | ", "text": "Vulnerability GHSA-5955-9wpr-37jh -Severity: High +Severity: high Package: tar Version: 6.1.0 Fix Version: 6.1.9 Type: npm -Location: package-lock.json -Data Namespace: unknown +Location: tests/fixtures/npm-project/package-lock.json +Data Namespace: github:npm Link: [GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh)", }, - "id": "ANCHOREVULN_GHSA-5955-9wpr-37jh_npm_tar_6.1.0", + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-5955-9wpr-37jh-tar", + "name": "JavascriptMatcherExactDirectMatch", + "properties": Object { + "security-severity": "8.600000", + }, "shortDescription": Object { - "text": "GHSA-5955-9wpr-37jh High vulnerability for tar package", + "text": "GHSA-5955-9wpr-37jh high vulnerability for tar package", }, }, Object { 
@@ -2033,21 +1980,26 @@ Link: [GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh)", "markdown": "**Vulnerability GHSA-9r2w-394v-53qc** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|tar|6.1.0|6.1.7|npm|package-lock.json|unknown|[GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc)| +| high | tar | 6.1.0 | 6.1.7 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc) | ", "text": "Vulnerability GHSA-9r2w-394v-53qc -Severity: High +Severity: high Package: tar Version: 6.1.0 Fix Version: 6.1.7 Type: npm -Location: package-lock.json -Data Namespace: unknown +Location: tests/fixtures/npm-project/package-lock.json +Data Namespace: github:npm Link: [GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc)", }, - "id": "ANCHOREVULN_GHSA-9r2w-394v-53qc_npm_tar_6.1.0", + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-9r2w-394v-53qc-tar", + "name": "JavascriptMatcherExactDirectMatch", + "properties": Object { + "security-severity": "8.600000", + }, "shortDescription": Object { - "text": "GHSA-9r2w-394v-53qc High vulnerability for tar package", + "text": "GHSA-9r2w-394v-53qc high vulnerability for tar package", }, }, Object { 
@@ -2058,21 +2010,26 @@ Link: [GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc)", "markdown": "**Vulnerability GHSA-qq89-hq3f-393p** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|tar|6.1.0|6.1.9|npm|package-lock.json|unknown|[GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p)| +| high | tar | 6.1.0 | 6.1.9 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p) | ", "text": "Vulnerability GHSA-qq89-hq3f-393p -Severity: High +Severity: high Package: tar Version: 6.1.0 Fix Version: 6.1.9 Type: npm -Location: package-lock.json -Data Namespace: unknown +Location: tests/fixtures/npm-project/package-lock.json +Data Namespace: github:npm Link: [GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p)", }, - "id": "ANCHOREVULN_GHSA-qq89-hq3f-393p_npm_tar_6.1.0", + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-qq89-hq3f-393p-tar", + "name": "JavascriptMatcherExactDirectMatch", + "properties": Object { + "security-severity": "8.600000", + }, "shortDescription": Object { - "text": "GHSA-qq89-hq3f-393p High vulnerability for tar package", + "text": "GHSA-qq89-hq3f-393p high vulnerability for tar package", }, }, Object { 
@@ -2083,26 +2040,30 @@ Link: [GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p)", "markdown": "**Vulnerability GHSA-r628-mhmh-qjhw** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|tar|6.1.0|6.1.2|npm|package-lock.json|unknown|[GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw)| +| high | tar | 6.1.0 | 6.1.2 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw) | ", "text": "Vulnerability GHSA-r628-mhmh-qjhw -Severity: High +Severity: high Package: tar Version: 6.1.0 Fix Version: 6.1.2 Type: npm -Location: package-lock.json -Data Namespace: unknown +Location: tests/fixtures/npm-project/package-lock.json +Data Namespace: github:npm Link: [GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw)", }, - "id": "ANCHOREVULN_GHSA-r628-mhmh-qjhw_npm_tar_6.1.0", + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-r628-mhmh-qjhw-tar", + "name": "JavascriptMatcherExactDirectMatch", + "properties": Object { + "security-severity": "8.100000", + }, "shortDescription": Object { - "text": "GHSA-r628-mhmh-qjhw High vulnerability for tar package", + "text": "GHSA-r628-mhmh-qjhw high vulnerability for tar package", }, }, ], - "semanticVersion": "0.27.3", - "version": "0.27.3", + "version": "0.34.1", }, }, }, 
@@ -2113,38 +2074,18 @@ Link: [GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw)", exports[`SARIF yarn 1`] = ` Object { - "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json", + "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", "runs": Array [ Object { - "columnKind": "utf16CodeUnits", - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - "kind": "namespace", - "name": "dockerfile", - }, - ], "results": Array [ Object { - "analysisTarget": Object { - "uri": "yarn.lock", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - }, - ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "yarn.lock", + "uri": "tests/fixtures/yarn-project/yarn.lock", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, @@ -2154,37 +2095,18 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path yarn.lock reports trim at version 0.0.2 which would result in a vulnerable (npm) package installed", + "text": "The path tests/fixtures/yarn-project/yarn.lock reports trim at version 0.0.2 which would result in a vulnerable (npm) package installed", }, - "ruleId": "ANCHOREVULN_CVE-2020-7753_npm_trim_0.0.2", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "CVE-2020-7753-trim", }, Object { - "analysisTarget": Object { - "uri": "yarn.lock", - }, - "baselineState": "unchanged", - "level": "error", "locations": Array [ Object { - "logicalLocations": Array [ - Object { - "fullyQualifiedName": "dockerfile", - }, - ], "physicalLocation": Object { "artifactLocation": Object { - "uri": "yarn.lock", + "uri": "tests/fixtures/yarn-project/yarn.lock", }, "region": Object { - "byteLength": 1, - "byteOffset": 1, "endColumn": 1, "endLine": 1, "startColumn": 1, 
@@ -2194,23 +2116,15 @@ Object { }, ], "message": Object { - "id": "default", - "text": "The path yarn.lock reports trim at version 0.0.2 which would result in a vulnerable (npm) package installed", + "text": "The path tests/fixtures/yarn-project/yarn.lock reports trim at version 0.0.2 which would result in a vulnerable (npm) package installed", }, - "ruleId": "ANCHOREVULN_GHSA-w5p7-h5w8-2hfq_npm_trim_0.0.2", - "ruleIndex": 0, - "suppressions": Array [ - Object { - "kind": "external", - }, - ], + "ruleId": "GHSA-w5p7-h5w8-2hfq-trim", }, ], "tool": Object { "driver": Object { - "dottedQuadFileVersion": "0.27.3.0", - "fullName": "Anchore Container Vulnerability Report (T0)", - "name": "Anchore Container Vulnerability Report (T0)", + "informationUri": "https://github.com/anchore/grype", + "name": "Grype", "rules": Array [ Object { "fullDescription": Object { 
@@ -2220,21 +2134,26 @@ Object { "markdown": "**Vulnerability CVE-2020-7753** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|trim|0.0.2|none|npm|yarn.lock|unknown|[CVE-2020-7753](https://nvd.nist.gov/vuln/detail/CVE-2020-7753)| +| high | trim | 0.0.2 | | npm | tests/fixtures/yarn-project/yarn.lock | nvd | [CVE-2020-7753](https://nvd.nist.gov/vuln/detail/CVE-2020-7753) | ", "text": "Vulnerability CVE-2020-7753 -Severity: High +Severity: high Package: trim Version: 0.0.2 -Fix Version: none +Fix Version: Type: npm -Location: yarn.lock -Data Namespace: unknown +Location: tests/fixtures/yarn-project/yarn.lock +Data Namespace: nvd Link: [CVE-2020-7753](https://nvd.nist.gov/vuln/detail/CVE-2020-7753)", }, - "id": "ANCHOREVULN_CVE-2020-7753_npm_trim_0.0.2", + "helpUri": "https://github.com/anchore/grype", + "id": "CVE-2020-7753-trim", + "name": "JavascriptMatcherCpeMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "CVE-2020-7753 High vulnerability for trim package", + "text": "CVE-2020-7753 high vulnerability for trim package", }, }, Object { 
@@ -2245,26 +2164,30 @@ Link: [CVE-2020-7753](https://nvd.nist.gov/vuln/detail/CVE-2020-7753)", "markdown": "**Vulnerability GHSA-w5p7-h5w8-2hfq** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -|High|trim|0.0.2|0.0.3|npm|yarn.lock|unknown|[GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq)| +| high | trim | 0.0.2 | 0.0.3 | npm | tests/fixtures/yarn-project/yarn.lock | github:npm | [GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq) | ", "text": "Vulnerability GHSA-w5p7-h5w8-2hfq -Severity: High +Severity: high Package: trim Version: 0.0.2 Fix Version: 0.0.3 Type: npm -Location: yarn.lock -Data Namespace: unknown +Location: tests/fixtures/yarn-project/yarn.lock +Data Namespace: github:npm Link: [GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq)", }, - "id": "ANCHOREVULN_GHSA-w5p7-h5w8-2hfq_npm_trim_0.0.2", + "helpUri": "https://github.com/anchore/grype", + "id": "GHSA-w5p7-h5w8-2hfq-trim", + "name": "JavascriptMatcherExactDirectMatch", + "properties": Object { + "security-severity": "7.500000", + }, "shortDescription": Object { - "text": "GHSA-w5p7-h5w8-2hfq High vulnerability for trim package", + "text": "GHSA-w5p7-h5w8-2hfq high vulnerability for trim package", }, }, ], - "semanticVersion": "0.27.3", - "version": "0.27.3", + "version": "0.34.1", }, }, }, diff --git a/tests/grype_command.test.js b/tests/grype_command.test.js index fb743d0b..26f3e519 100644 --- a/tests/grype_command.test.js +++ b/tests/grype_command.test.js 
@@ -25,12 +25,12 @@ const mockExec = async (args) => { describe("Grype command", () => { it("is invoked with defaults", async () => { let cmd = await mockExec({ source: "python:3.8" }); - expect(cmd).toBe("grype -o json --fail-on medium python:3.8"); + expect(cmd).toBe("grype -o sarif --fail-on medium python:3.8"); }); it("is invoked with dir", async () => { let cmd = await mockExec({ source: "dir:.", severityCutoff: "high" }); - expect(cmd).toBe("grype -o json --fail-on high dir:."); + expect(cmd).toBe("grype -o sarif --fail-on high dir:."); }); it("is invoked with values", async () => { diff --git a/tests/sarif_output.test.js b/tests/sarif_output.test.js index 11529252..b786642c 100644 --- a/tests/sarif_output.test.js +++ b/tests/sarif_output.test.js @@ -27,6 +27,16 @@ const testSource = async (source, vulnerabilities) => { const sarif = JSON.parse(sarifFile); expect(sarif).toBeValidSarifLog(); + for (let run of sarif.runs || []) { + for (let result of run.results || []) { + for (let loc of result.locations || []) { + for (let l of loc.logicalLocations || []) { + l.fullyQualifiedName = ""; + } + } + } + } + // expect to find some known error-level vulnerability if (vulnerabilities.length === 0) { expect(sarif.runs[0].results.length).toBe(0); @@ -43,7 +53,7 @@ describe("SARIF", () => { it("alpine", async () => { const sarif = await testSource( "localhost:5000/match-coverage/alpine:latest", - ["ANCHOREVULN_CVE-2014-6051_apk_libvncserver_0.9.9"] + ["CVE-2014-6051-libvncserver"] ); expect(sarif).toMatchSnapshot(); }); 
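Review bot: The normalisation loop added to testSource in tests/sarif_output.test.js (hunk @@ -27,6 +27,16) blanks every logicalLocation.fullyQualifiedName without a comment saying why, and it runs after toBeValidSarifLog() but before toMatchSnapshot(), so the snapshots record an edited document rather than what grype emitted; a one-line comment such as `// blank fullyQualifiedName so the snapshot does not depend on the scan path` would stop the next reader from mistaking it for an assertion (the stated reason is my inference, so replace it with the real one). For the two directory fixtures the new snapshots in this commit no longer carry logicalLocations under results at all, so the loop appears to be a no-op for them; if it only matters for the image-based cases, the comment should say so. The surviving context comment `// expect to find some known error-level vulnerability` is now inaccurate: the snapshot hunks show `"level": "error"` removed from every result and the new rules carry a `security-severity` property instead, so the check that follows matches on ruleId, not level. Minor style: the four loop variables are never reassigned, so `const` fits, and `sarif.runs || []` is guarded here while `sarif.runs[0]` two lines later is not. testSource begins and ends outside the hunk.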
@@ -53,22 +63,19 @@ describe("SARIF", () => { it("debian", async () => { const sarif = await testSource( "localhost:5000/match-coverage/debian:latest", - [ - "ANCHOREVULN_CVE-2020-36327_gem_bundler_2.1.4", - "ANCHOREVULN_GHSA-9w8r-397f-prfh_python_Pygments_2.6.1", - ] + ["CVE-2020-36327-bundler", "GHSA-9w8r-397f-prfh-Pygments"] ); expect(sarif).toMatchSnapshot(); }); it("npm", async () => { const sarif = await testSource("dir:tests/fixtures/npm-project", [ - "ANCHOREVULN_GHSA-3jfq-g458-7qm9_npm_tar_6.1.0", + "GHSA-3jfq-g458-7qm9-tar", ]); expect(sarif).toMatchSnapshot(); }); it("yarn", async () => { const sarif = await testSource("dir:tests/fixtures/yarn-project", [ - "ANCHOREVULN_GHSA-w5p7-h5w8-2hfq_npm_trim_0.0.2", + "GHSA-w5p7-h5w8-2hfq-trim", ]); expect(sarif).toMatchSnapshot(); });