[vulndb] internal/genericosv: add function to convert OSV to YAML

Tatiana Bradley (Gerrit)

Aug 23, 2023, 10:45:30 AM
to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Damien Neil, Gopher Robot, golang-co...@googlegroups.com

Tatiana Bradley submitted this change.

Approvals: Gopher Robot: TryBots succeeded; Damien Neil: Looks good to me, approved; Tatiana Bradley: Run TryBots
internal/genericosv: add function to convert OSV to Go Report

Add function ToReport which converts a generic OSV entry to a Report
(the representation for our YAML reports). To start, this function
simply translates between the formats and doesn't do anything clever.

This change also adds a number of real GHSAs that can be used as test
cases, and to see how the function behaves on real data as it evolves.

Lint errors are added as notes to generated reports, so that we can
more easily target areas for improvement.

For golang/go#61769

Change-Id: Ifd99796f96aa662e887a643276b3b2d7456e826b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/515399
TryBot-Result: Gopher Robot <go...@golang.org>
Reviewed-by: Damien Neil <dn...@google.com>
Run-TryBot: Tatiana Bradley <tatiana...@google.com>
---
A internal/genericosv/report.go
A internal/genericosv/report_test.go
A internal/genericosv/testdata/NOTICE
A internal/genericosv/testdata/osv/GHSA-28r2-q6m8-9hpx.json
A internal/genericosv/testdata/osv/GHSA-33m6-q9v5-62r7.json
A internal/genericosv/testdata/osv/GHSA-3hwm-922r-47hw.json
A internal/genericosv/testdata/osv/GHSA-3wq5-3f56-v5xc.json
A internal/genericosv/testdata/osv/GHSA-54q4-74p3-mgcw.json
A internal/genericosv/testdata/osv/GHSA-5m6c-jp6f-2vcv.json
A internal/genericosv/testdata/osv/GHSA-627p-rr78-99rj.json
A internal/genericosv/testdata/osv/GHSA-66p8-j459-rq63.json
A internal/genericosv/testdata/osv/GHSA-69v6-xc2j-r2jf.json
A internal/genericosv/testdata/osv/GHSA-6qfg-8799-r575.json
A internal/genericosv/testdata/osv/GHSA-6rg3-8h8x-5xfv.json
A internal/genericosv/testdata/osv/GHSA-7943-82jg-wmw5.json
A internal/genericosv/testdata/osv/GHSA-7fxj-fr3v-r9gj.json
A internal/genericosv/testdata/osv/GHSA-9689-rx4v-cqgc.json
A internal/genericosv/testdata/osv/GHSA-cf7g-cm7q-rq7f.json
A internal/genericosv/testdata/osv/GHSA-fv82-r8qv-ch4v.json
A internal/genericosv/testdata/osv/GHSA-g5gj-9ggf-9vmq.json
A internal/genericosv/testdata/osv/GHSA-g9wh-3vrx-r7hg.json
A internal/genericosv/testdata/osv/GHSA-hjv9-hm2f-rpcj.json
A internal/genericosv/testdata/osv/GHSA-hmfx-3pcx-653p.json
A internal/genericosv/testdata/osv/GHSA-hv53-vf5m-8q94.json
A internal/genericosv/testdata/osv/GHSA-jh36-q97c-9928.json
A internal/genericosv/testdata/osv/GHSA-jmp2-wc4p-wfh2.json
A internal/genericosv/testdata/osv/GHSA-pg5p-wwp8-97g8.json
A internal/genericosv/testdata/osv/GHSA-pmfr-63c2-jr5c.json
A internal/genericosv/testdata/osv/GHSA-vp35-85q5-9f25.json
A internal/genericosv/testdata/osv/GHSA-w4xh-w33p-4v29.json
A internal/genericosv/testdata/osv/GHSA-wx8q-rgfr-cf6v.json
A internal/genericosv/testdata/osv/GHSA-xmg8-99r8-jc2j.json
A internal/genericosv/testdata/osv/GHSA-xx9w-464f-7h6f.json
A internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
A internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml
A internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
A internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
A internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
A internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
A internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
A internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
A internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
A internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
A internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
A internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
A internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
A internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
A internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
A internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml
A internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
A internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
A internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
A internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml
A internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
A internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
A internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
A internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
A internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
A internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
A internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
A internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml
A internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
A internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
M internal/proxy/proxy.go
M internal/report/fix.go
M internal/report/lint.go
66 files changed, 4,794 insertions(+), 6 deletions(-)

diff --git a/internal/genericosv/report.go b/internal/genericosv/report.go
new file mode 100644
index 0000000..0b4e155
--- /dev/null
+++ b/internal/genericosv/report.go
@@ -0,0 +1,150 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package genericosv
+
+import (
+ "fmt"
+ "sort"
+ "strings"
+
+ osvschema "github.com/google/osv-scanner/pkg/models"
+ "golang.org/x/exp/slices"
+ "golang.org/x/vulndb/internal/cveschema5"
+ "golang.org/x/vulndb/internal/ghsa"
+ "golang.org/x/vulndb/internal/osv"
+ "golang.org/x/vulndb/internal/report"
+ "golang.org/x/vulndb/internal/version"
+)
+
+// ToReport converts OSV into a Go Report with the given ID.
+func (osv *Entry) ToReport(goID string) *report.Report {
+ r := &report.Report{
+ ID: goID,
+ Summary: osv.Summary,
+ Description: osv.Details,
+ }
+ addNote := func(note string) {
+ r.Notes = append(r.Notes, note)
+ }
+ addAlias := func(alias string) {
+ switch {
+ case cveschema5.IsCVE(alias):
+ r.CVEs = append(r.CVEs, alias)
+ case ghsa.IsGHSA(alias):
+ r.GHSAs = append(r.GHSAs, alias)
+ default:
+ addNote(fmt.Sprintf("create: found alias %s that is not a GHSA or CVE", alias))
+ }
+ }
+ addAlias(osv.ID)
+ for _, alias := range osv.Aliases {
+ addAlias(alias)
+ }
+ for _, ref := range osv.References {
+ r.References = append(r.References, convertRef(ref))
+ }
+ r.Modules = affectedToModules(osv.Affected, addNote)
+ r.Credits = convertCredits(osv.Credits)
+ r.Fix()
+ if lints := r.Lint(); len(lints) > 0 {
+ slices.Sort(lints)
+ for _, lint := range lints {
+ addNote(fmt.Sprintf("lint: %s", lint))
+ }
+ }
+ return r
+}
+
+type addNoteFunc func(string)
+
+func affectedToModules(as []osvschema.Affected, addNote addNoteFunc) []*report.Module {
+ var modules []*report.Module
+ for _, a := range as {
+ if a.Package.Ecosystem != osvschema.EcosystemGo {
+ continue
+ }
+
+ modules = append(modules, &report.Module{
+ Module: a.Package.Name,
+ Versions: convertVersions(a.Ranges, addNote),
+ })
+ }
+
+ for _, m := range modules {
+ m.FixVersions()
+ }
+
+ sortModules(modules)
+ return modules
+}
+
+func sortModules(ms []*report.Module) {
+ sort.Slice(ms, func(i, j int) bool {
+ m1, m2 := ms[i], ms[j]
+ // Break ties by lowest affected version, assuming the version list is sorted.
+ if m1.Module == m2.Module {
+ vr1, vr2 := m1.Versions, m2.Versions
+ if len(vr1) == 0 {
+ return true
+ } else if len(vr2) == 0 {
+ return false
+ }
+ return version.Before(first(vr1), first(vr2))
+ }
+ return m1.Module < m2.Module
+ })
+}
+
+func first(vrs []report.VersionRange) string {
+ for _, vr := range vrs {
+ for _, v := range []string{vr.Introduced, vr.Fixed} {
+ if v != "" {
+ return v
+ }
+ }
+ }
+ return ""
+}
+
+func convertVersions(rs []osvschema.Range, addNote addNoteFunc) []report.VersionRange {
+ var vrs []report.VersionRange
+ for _, r := range rs {
+ for _, e := range r.Events {
+ var vr report.VersionRange
+ switch {
+ case e.Introduced == "0":
+ continue
+ case e.Introduced != "":
+ vr.Introduced = e.Introduced
+ case e.Fixed != "":
+ vr.Fixed = e.Fixed
+ default:
+ addNote(fmt.Sprintf("create: unsupported version range event %#v", e))
+ continue
+ }
+ vrs = append(vrs, vr)
+ }
+ }
+ return vrs
+}
+
+func convertRef(ref osvschema.Reference) *report.Reference {
+ return &report.Reference{
+ Type: osv.ReferenceType(ref.Type),
+ URL: ref.URL,
+ }
+}
+
+func convertCredits(cs []osvschema.Credit) []string {
+ var credits []string
+ for _, c := range cs {
+ credit := c.Name
+ if len(c.Contact) != 0 {
+ credit = fmt.Sprintf("%s (%s)", c.Name, strings.Join(c.Contact, ","))
+ }
+ credits = append(credits, credit)
+ }
+ return credits
+}
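Review bot: `convertVersions` (the `switch` on `e.Introduced` / `e.Fixed`) emits one `report.VersionRange` per event, so an `introduced`/`fixed` pair arrives as two half-open ranges and the result is only correct because `m.FixVersions()` later merges them; a `last_affected` event (one appears in `testdata/osv/GHSA-54q4-74p3-mgcw.json`) falls through to the `default` case, is dropped with the "create: unsupported version range event" note, and leaves an `introduced`-only range that reads as "every version from 4.0.0 onward", which is the safe direction but deserves a TODO against golang/go#61769 so it is not forgotten. Two smaller points: the comparator in `sortModules` returns `true` when both version lists are empty, so it is not a strict weak ordering and `sort.Slice` output is then unspecified; `return len(vr2) != 0` in place of the first `return true` keeps the intended "empty sorts first" behaviour while making equal elements compare equal. And the receiver name in `func (osv *Entry) ToReport` shadows the imported `osv` package that `convertRef` relies on for `osv.ReferenceType`; it compiles today, but renaming the receiver to `e` avoids a confusing compile error the first time someone needs the package inside `ToReport`.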
diff --git a/internal/genericosv/report_test.go b/internal/genericosv/report_test.go
new file mode 100644
index 0000000..e2c02d5
--- /dev/null
+++ b/internal/genericosv/report_test.go
@@ -0,0 +1,258 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package genericosv
+
+import (
+ "flag"
+ "io/fs"
+ "path/filepath"
+ "strings"
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ osvschema "github.com/google/osv-scanner/pkg/models"
+ "golang.org/x/vulndb/internal/report"
+)
+
+var update = flag.Bool("update", false, "if true, update test cases")
+
+var (
+ testdataDir = "testdata"
+ testOSVDir = filepath.Join(testdataDir, "osv")
+ testYAMLDir = filepath.Join(testdataDir, "yaml")
+)
+
+// To update test cases to reflect new expected behavior:
+// go test ./internal/genericosv/... -update -run TestToReport
+func TestToReport(t *testing.T) {
+ if err := filepath.WalkDir(testOSVDir, func(path string, f fs.DirEntry, err error) error {
+ if err != nil {
+ return err
+ }
+ if f.IsDir() || filepath.Ext(path) != ".json" {
+ return nil
+ }
+ ghsaID := strings.TrimSuffix(f.Name(), ".json")
+ t.Run(ghsaID, func(t *testing.T) {
+ t.Parallel()
+ osv := Entry{}
+ if err := report.UnmarshalFromFile(path, &osv); err != nil {
+ t.Fatal(err)
+ }
+ got := osv.ToReport("GO-TEST-ID")
+ yamlFile := filepath.Join(testYAMLDir, ghsaID+".yaml")
+ if *update {
+ if err := got.Write(yamlFile); err != nil {
+ t.Fatal(err)
+ }
+ }
+ want, err := report.Read(yamlFile)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if diff := cmp.Diff(want, got); diff != "" {
+ t.Errorf("ToReport() mismatch (-want +got)\n%s", diff)
+ }
+ })
+ return nil
+ }); err != nil {
+ t.Fatal(err)
+ }
+}
+
+// TODO(https://go.dev/issues/61769): unskip test cases as we add features.
+func TestAffectedToModules(t *testing.T) {
+ for _, tc := range []struct {
+ desc string
+ in []osvschema.Affected
+ want []*report.Module
+ skip bool
+ }{
+ {
+ desc: "find module from package",
+ in: []osvschema.Affected{{
+ Package: osvschema.Package{
+ Ecosystem: osvschema.EcosystemGo,
+ Name: "github.com/influxdata/influxdb/services/httpd",
+ },
+ Ranges: []osvschema.Range{{
+ Type: osvschema.RangeEcosystem,
+ Events: []osvschema.Event{
+ {
+ Introduced: "0.3.2",
+ },
+ {
+ Fixed: "1.7.6",
+ },
+ },
+ }},
+ }},
+ want: []*report.Module{{
+ Module: "github.com/influxdata/influxdb",
+ Versions: []report.VersionRange{
+ {
+ Introduced: "0.3.2",
+ Fixed: "1.7.6",
+ },
+ },
+ Packages: []*report.Package{
+ {
+ Package: "github.com/influxdata/influxdb/services/httpd",
+ },
+ },
+ }},
+ skip: true,
+ },
+ {
+ desc: "correct major version of module path",
+ in: []osvschema.Affected{{
+ Package: osvschema.Package{
+ Ecosystem: osvschema.EcosystemGo,
+ Name: "github.com/nats-io/nats-server",
+ },
+ Ranges: []osvschema.Range{{
+ Type: osvschema.RangeEcosystem,
+ Events: []osvschema.Event{
+ {
+ Introduced: "2.2.0",
+ },
+ {
+ Fixed: "2.8.3",
+ },
+ },
+ }},
+ }},
+ want: []*report.Module{{
+ Module: "github.com/nats-io/nats-server/v2",
+ Versions: []report.VersionRange{
+ {
+ Introduced: "2.2.0",
+ Fixed: "2.8.3",
+ },
+ },
+ }},
+ skip: true,
+ },
+ {
+ desc: "canonicalize module path",
+ in: []osvschema.Affected{{
+ Package: osvschema.Package{
+ Ecosystem: osvschema.EcosystemGo,
+ Name: "github.com/golang/vulndb",
+ },
+ Ranges: []osvschema.Range{{
+ Type: osvschema.RangeEcosystem,
+ Events: []osvschema.Event{
+ {
+ Fixed: "0.0.0-20230712151357-4fee11d0f8f9",
+ },
+ },
+ }},
+ }},
+ want: []*report.Module{{
+ Module: "golang.org/x/vulndb",
+ Versions: []report.VersionRange{
+ {
+ Fixed: "0.0.0-20230712151357-4fee11d0f8f9",
+ },
+ },
+ }},
+ skip: true,
+ },
+ {
+ desc: "add +incompatible",
+ in: []osvschema.Affected{{
+ Package: osvschema.Package{
+ Ecosystem: osvschema.EcosystemGo,
+ Name: "github.com/docker/docker",
+ },
+ Ranges: []osvschema.Range{{
+ Type: osvschema.RangeEcosystem,
+ Events: []osvschema.Event{
+ {
+ Fixed: "23.0.0",
+ },
+ },
+ }},
+ }},
+ want: []*report.Module{{
+ Module: "github.com/docker/docker",
+ Versions: []report.VersionRange{
+ {
+ Fixed: "23.0.0+incompatible",
+ },
+ },
+ }},
+ skip: true,
+ },
+ {
+ desc: "remove subtle duplicates",
+ in: []osvschema.Affected{{
+ Package: osvschema.Package{
+ Ecosystem: osvschema.EcosystemGo,
+ Name: "github.com/hashicorp/go-getter/v2",
+ },
+ Ranges: []osvschema.Range{{
+ Type: osvschema.RangeEcosystem,
+ Events: []osvschema.Event{
+ {
+ Introduced: "0",
+ },
+ {
+ Fixed: "2.1.0",
+ },
+ },
+ }},
+ },
+ {
+ Package: osvschema.Package{
+ Ecosystem: osvschema.EcosystemGo,
+ Name: "github.com/hashicorp/go-getter",
+ },
+ Ranges: []osvschema.Range{{
+ Type: osvschema.RangeEcosystem,
+ Events: []osvschema.Event{
+ {
+ Introduced: "2.0.0",
+ },
+ {
+ Fixed: "2.1.0",
+ },
+ },
+ }},
+ }},
+ want: []*report.Module{{
+ Module: "github.com/hashicorp/go-getter/v2",
+ Versions: []report.VersionRange{
+ {
+ Introduced: "2.0.0",
+ Fixed: "2.1.0",
+ },
+ },
+ }},
+ skip: true,
+ },
+ } {
+ tc := tc
+ t.Run(tc.desc, func(t *testing.T) {
+ t.Parallel()
+ if tc.skip {
+ t.Skip("skipping (not implemented yet)")
+ }
+ var gotNotes []string
+ addNote := func(note string) {
+ gotNotes = append(gotNotes, note)
+ }
+ got := affectedToModules(tc.in, addNote)
+ if diff := cmp.Diff(tc.want, got); diff != "" {
+ t.Errorf("affectedToModules() mismatch (-want +got)\n%s", diff)
+ }
+ if len(gotNotes) > 0 {
+ t.Errorf("affectedToModules() output unexpected notes = %s", gotNotes)
+ }
+ })
+
+ }
+}
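Review bot: every case in `TestAffectedToModules` carries `skip: true`, so the table test currently makes zero assertions against `affectedToModules`; add at least one unskipped case for behaviour that already works (a single Go-ecosystem `Affected` with an `introduced`/`fixed` pair, plus one with a non-Go ecosystem to pin down that it is silently dropped) so a regression in the existing path is caught before the TODO cases are unskipped. In `TestToReport`, the `-update` branch writes the golden file and then reads it straight back, so under `-update` the `cmp.Diff` is tautological; that is the normal golden-file pattern, but a one-line comment saying so would save the next reader a double take.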
diff --git a/internal/genericosv/testdata/NOTICE b/internal/genericosv/testdata/NOTICE
new file mode 100644
index 0000000..6b929d6
--- /dev/null
+++ b/internal/genericosv/testdata/NOTICE
@@ -0,0 +1,5 @@
+# NOTICE
+
+The `testdata/osv` folder contains unmodified data from the
+[Github Advisory Database](https://github.com/github/advisory-database),
+licensed under [CC-BY-4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md).
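Review bot: "Github" on the second line should be "GitHub"; otherwise the provenance statement and CC-BY-4.0 attribution are exactly what redistributing the unmodified upstream JSON under `testdata/osv` requires.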
diff --git a/internal/genericosv/testdata/osv/GHSA-28r2-q6m8-9hpx.json b/internal/genericosv/testdata/osv/GHSA-28r2-q6m8-9hpx.json
new file mode 100644
index 0000000..c95871c
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-28r2-q6m8-9hpx.json
@@ -0,0 +1,167 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-28r2-q6m8-9hpx",
+ "modified": "2022-11-21T19:45:07Z",
+ "published": "2022-05-26T00:01:27Z",
+ "aliases": [
+ "CVE-2022-30323"
+ ],
+ "summary": "HashiCorp go-getter unsafe downloads could lead to asymmetric resource exhaustion",
+ "details": "HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/hashicorp/go-getter"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.6.1"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/hashicorp/go-getter"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/hashicorp/go-getter/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/hashicorp/go-getter/s3/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/hashicorp/go-getter/gcs/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30323"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hashicorp/go-getter/pull/359"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hashicorp/go-getter/pull/361"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/hashicorp/go-getter"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hashicorp/go-getter/releases"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2022-0586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "github_reviewed": true,
+ "github_reviewed_at": "2022-06-01T21:21:26Z",
+ "nvd_published_at": "2022-05-25T12:15:00Z",
+ "severity": "HIGH"
+ }
+}
\ No newline at end of file
diff --git a/internal/genericosv/testdata/osv/GHSA-33m6-q9v5-62r7.json b/internal/genericosv/testdata/osv/GHSA-33m6-q9v5-62r7.json
new file mode 100644
index 0000000..585b072
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-33m6-q9v5-62r7.json
@@ -0,0 +1,104 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-33m6-q9v5-62r7",
+ "modified": "2023-02-07T22:57:53Z",
+ "published": "2023-02-07T22:57:53Z",
+ "aliases": [
+ "CVE-2021-3538"
+ ],
+ "summary": "github.com/satori/go.uuid has Predictable SIF UUID Identifiers",
+ "details": "### Impact\n\nThe siftool new command produces predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.\n\n### Patches\n\nA patch is available in version \u003e= v1.2.1-0.20180404165556-75cca531ea76 of the module. Users are encouraged to upgrade.\n\nFixed by https://github.com/hpcng/sif/pull/90\n\n### Workarounds\n\nUsers passing CreateInfo struct should ensure the ID field is generated using a version of github.com/satori/go.uuid that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:\n\n`go get -u github.com/satori/go....@v1.2.1-0.20180404165556-75cca531ea76`\n\n### References\n\nhttps://github.com/satori/go.uuid/issues/73\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in https://github.com/hpcng/sif/issues",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/satori/go.uuid"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.2.1-0.20180103161547-0ef6afb2f6cd"
+ },
+ {
+ "fixed": "1.2.1-0.20180404165556-75cca531ea76"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/apptainer/sif/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.2.1-0.20180103161547-0ef6afb2f6cd"
+ },
+ {
+ "fixed": "1.2.1-0.20180404165556-75cca531ea76"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/hpcng/sif/security/advisories/GHSA-33m6-q9v5-62r7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3538"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/satori/go.uuid/issues/73"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/satori/go.uuid/pull/75"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/satori/go.uuid/commit/75cca531ea763666bc46e531da3b4c3b95f64557"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954376"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/satori/go.uuid"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2022-0244"
+ },
+ {
+ "type": "WEB",
+ "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-338"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-02-07T22:57:53Z",
+ "nvd_published_at": "2021-06-02T14:15:00Z",
+ "severity": "CRITICAL"
+ }
+}
\ No newline at end of file
diff --git a/internal/genericosv/testdata/osv/GHSA-3hwm-922r-47hw.json b/internal/genericosv/testdata/osv/GHSA-3hwm-922r-47hw.json
new file mode 100644
index 0000000..effa5de
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-3hwm-922r-47hw.json
@@ -0,0 +1,62 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3hwm-922r-47hw",
+ "modified": "2023-04-25T23:06:52Z",
+ "published": "2023-03-31T19:33:44Z",
+ "summary": "Stud42 vulnerable to denial of service",
+ "details": "A security vulnerability has been identified in the GraphQL parser used by the API of s42.app. An attacker can overload the parser and cause the API pod to crash. With a bit of threading, the attacker can bring down the entire API, resulting in an unhealthy stream. This vulnerability can be exploited by sending a specially crafted request to the API with a large payload.\n\nAn attacker can exploit this vulnerability to cause a denial of service (DoS) attack on the s42.app API, resulting in unavailability of the API for legitimate users.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "atomys.codes/stud42"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.23.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/42Atomys/stud42/security/advisories/GHSA-3hwm-922r-47hw"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/42Atomys/stud42/issues/412"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/42Atomys/stud42/commit/a70bfc72fba721917bf681d72a58093fb9deee17"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/42Atomys/stud42"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-03-31T19:33:44Z",
+ "nvd_published_at": null,
+ "severity": "HIGH"
+ }
+}
\ No newline at end of file
diff --git a/internal/genericosv/testdata/osv/GHSA-3wq5-3f56-v5xc.json b/internal/genericosv/testdata/osv/GHSA-3wq5-3f56-v5xc.json
new file mode 100644
index 0000000..e8fcb35
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-3wq5-3f56-v5xc.json
@@ -0,0 +1,130 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3wq5-3f56-v5xc",
+ "modified": "2023-04-07T21:02:25Z",
+ "published": "2023-03-31T12:30:16Z",
+ "aliases": [
+ "CVE-2023-1777"
+ ],
+ "summary": "Mattermost vulnerable to information disclosure",
+ "details": "Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/mattermost/mattermost-server/v6"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "6.3.0"
+ },
+ {
+ "fixed": "7.1.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "\u003c= 6.7.2"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/mattermost/mattermost-server"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.8.0"
+ },
+ {
+ "fixed": "7.8.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "7.8.0"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/mattermost/mattermost-server"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.7.0"
+ },
+ {
+ "fixed": "7.7.2"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "\u003c= 7.7.1"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/mattermost/mattermost-server"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.1.0"
+ },
+ {
+ "fixed": "7.1.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "\u003c= 7.1.5"
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1777"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates/"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "github.com/mattermost/mattermost-server"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-668"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-04-07T21:02:25Z",
+ "nvd_published_at": "2023-03-31T12:15:00Z",
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
diff --git a/internal/genericosv/testdata/osv/GHSA-54q4-74p3-mgcw.json b/internal/genericosv/testdata/osv/GHSA-54q4-74p3-mgcw.json
new file mode 100644
index 0000000..0190d9f
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-54q4-74p3-mgcw.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-54q4-74p3-mgcw",
+ "modified": "2023-02-23T22:31:36Z",
+ "published": "2023-02-16T00:30:27Z",
+ "aliases": [
+ "CVE-2022-38867"
+ ],
+ "summary": "rttys SQL Injection vulnerability",
+ "details": "SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, and 4.0.2 in api.go, allows attackers to execute arbitrary code.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/zhaojh329/rttys"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "last_affected": "4.0.2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38867"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/zhaojh329/rttys/issues/117"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/zhaojh329/rttys"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-02-23T22:31:36Z",
+ "nvd_published_at": "2023-02-15T22:15:00Z",
+ "severity": "HIGH"
+ }
+}
\ No newline at end of file
diff --git a/internal/genericosv/testdata/osv/GHSA-5m6c-jp6f-2vcv.json b/internal/genericosv/testdata/osv/GHSA-5m6c-jp6f-2vcv.json
new file mode 100644
index 0000000..03941e4
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-5m6c-jp6f-2vcv.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5m6c-jp6f-2vcv",
+ "modified": "2021-05-24T20:58:18Z",
+ "published": "2021-12-20T17:58:59Z",
+ "aliases": [
+ "CVE-2020-4037"
+ ],
+ "summary": "Open Redirect in OAuth2 Proxy",
+ "details": "### Impact\nAs users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access.\nThis redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially harmful sites.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/oauth2-proxy/oauth2-proxy"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.1.1"
+ },
+ {
+ "fixed": "6.0.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4037"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/oauth2-proxy/oauth2-proxy/commit/ee5662e0f5001d76ec76562bb605abbd07c266a2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v6.0.0"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-601"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-05-24T20:58:18Z",
+ "nvd_published_at": null,
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
diff --git a/internal/genericosv/testdata/osv/GHSA-627p-rr78-99rj.json b/internal/genericosv/testdata/osv/GHSA-627p-rr78-99rj.json
new file mode 100644
index 0000000..7128d7e
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-627p-rr78-99rj.json
@@ -0,0 +1,130 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-627p-rr78-99rj",
+ "modified": "2021-05-24T17:56:03Z",
+ "published": "2021-12-20T17:56:03Z",
+ "aliases": [
+ "CVE-2020-5415"
+ ],
+ "summary": "GitLab auth uses full name instead of username as user ID, allowing impersonation",
+ "details": "### Impact\n\nInstallations which use the GitLab auth connector are vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another GitLab user who is granted access to a Concourse team by having their full name listed under `users` in the team configuration or given to the `--gitlab-user` flag.\n\nSee the [GitLab auth docs](https://concourse-ci.org/gitlab-auth.html) for details.\n\nConcourse installations which do not configure the GitLab auth connector are not affected.\n\n### Patches\n\nConcourse [v6.3.1](https://github.com/concourse/concourse/releases/tag/v6.3.1) and [v6.4.1](https://github.com/concourse/concourse/releases/tag/v6.4.1) were both released with a fix on August 4th, 2020.\n\nBoth versions change the GitLab connector to use the username, rather than the full name. This was always the intent, and the previous behavior was originally reported as a bug (concourse/dex#7) prior to being reported as a security issue.\n\nAny Concourse teams which configure GitLab users will have to switch each user from their full name to their username upon upgrading to these versions.\n\n### Workarounds\n\nGitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.\n\n### References\n\n* concourse/dex#12: PR with the fix\n\n### For more information\n\nIf you have any questions or comments about this advisory, you may reach us privately at [concoursete...@gmail.com](mailto:concoursete...@gmail.com).",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/concourse/concourse"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "6.4.0"
+ },
+ {
+ "fixed": "6.4.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "6.4.0"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/concourse/concourse"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "6.3.0"
+ },
+ {
+ "fixed": "6.3.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "6.3.0"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/concourse/dex"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "6.4.0"
+ },
+ {
+ "fixed": "6.4.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "6.4.0"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/concourse/dex"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "6.3.0"
+ },
+ {
+ "fixed": "6.3.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "6.3.0"
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5415"
+ },
+ {
+ "type": "WEB",
+ "url": "https://tanzu.vmware.com/security/cve-2020-5415"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-290"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-05-24T17:56:03Z",
+ "nvd_published_at": null,
+ "severity": "CRITICAL"
+ }
+}
\ No newline at end of file
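Review bot: the same module appears twice in `affected` with disjoint ranges (`github.com/concourse/concourse` at [6.3.0, 6.3.1) and again at [6.4.0, 6.4.1), and `github.com/concourse/dex` likewise), so this file is a good check that ToReport merges entries per module into one module with several version ranges rather than emitting duplicate modules; the explicit `"versions": ["6.4.0"]` arrays add nothing beyond the ranges and have no counterpart in the report format, so ignoring them is fine. Separately, a module path with no `/v6` suffix cannot carry a v6 semantic version under Go's module rules (it would need the suffix or a `+incompatible` marker), so expect lint to flag `6.3.0` and `6.4.1` and confirm those notes land in the generated report.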
diff --git a/internal/genericosv/testdata/osv/GHSA-66p8-j459-rq63.json b/internal/genericosv/testdata/osv/GHSA-66p8-j459-rq63.json
new file mode 100644
index 0000000..3c53df6
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-66p8-j459-rq63.json
@@ -0,0 +1,88 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-66p8-j459-rq63",
+ "modified": "2023-02-10T23:11:01Z",
+ "published": "2023-02-10T23:11:01Z",
+ "aliases": [
+ "CVE-2023-25168"
+ ],
+ "summary": "Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system",
+ "details": "### Impact\n\nThis vulnerability impacts anyone running the affected versions of Wings. The vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with [`GHSA-p8r3-83r8-jwj5`](https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5) to overwrite files on the host system.\n\nIn order to use this exploit, an attacker must have an existing \"server\" allocated and controlled by Wings. Information on how the exploitation of this vulnerability works will be released on February 24th, 2023 in North America.\n\n### Patches\n\nThis vulnerability has been resolved in version `v1.11.4` of Wings, and has been back-ported to the 1.7 release series in `v1.7.4`.\n\nAnyone running `v1.11.x` should upgrade to `v1.11.4` and anyone running `v1.7.x` should upgrade to `v1.7.4`.\n\n### Workarounds\n\nNone at this time.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/pterodactyl/wings"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.7.4"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/pterodactyl/wings"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.11.0"
+ },
+ {
+ "fixed": "1.11.4"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-66p8-j459-rq63"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25168"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83d"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/pterodactyl/wings"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-59"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-02-10T23:11:01Z",
+ "nvd_published_at": "2023-02-09T00:16:00Z",
+ "severity": "CRITICAL"
+ }
+}
\ No newline at end of file
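Review bot: the two ranges for `github.com/pterodactyl/wings` ([0, 1.7.4) and [1.11.0, 1.11.4)) leave 1.8.0 through 1.10.x outside every range, while the details say the fix in `v1.11.4` was back-ported to `v1.7.4`, which implies those intermediate releases are affected and unfixed. A straight translation should mirror the input, but the expected report for this case should show the gap preserved as-is, and a note pointing out that the ranges and prose disagree would save a triager from re-deriving it.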
diff --git a/internal/genericosv/testdata/osv/GHSA-69v6-xc2j-r2jf.json b/internal/genericosv/testdata/osv/GHSA-69v6-xc2j-r2jf.json
new file mode 100644
index 0000000..d68d12f
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-69v6-xc2j-r2jf.json
@@ -0,0 +1,84 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-69v6-xc2j-r2jf",
+ "modified": "2021-05-21T21:51:49Z",
+ "published": "2021-06-29T21:13:01Z",
+ "aliases": [
+ "CVE-2020-26241"
+ ],
+ "summary": "Shallow copy bug in geth",
+ "details": "### Impact\nThis is a Consensus vulnerability, which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. \n\nGeth’s pre-compiled `dataCopy` (at `0x00...04`) contract did a shallow copy on invocation. An attacker could deploy a contract that \n\n- writes `X` to an EVM memory region `R`,\n- calls `0x00..04` with `R` as an argument,\n- overwrites `R` to `Y`,\n- and finally invokes the `RETURNDATACOPY` opcode.\n\nWhen this contract is invoked, a consensus-compliant node would push `X` on the EVM stack, whereas Geth would push `Y`.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [secu...@ethereum.org](mailto:secu...@ethereum.org)",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/ethereum/go-ethereum"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.9.7"
+ },
+ {
+ "fixed": "1.9.17"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/ethereum/go-ethereum/core/vm"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.19.7"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26241"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ethereum/go-ethereum/commit/295693759e5ded05fec0b2fb39359965b60da785"
+ },
+ {
+ "type": "WEB",
+ "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-682"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-05-21T21:51:49Z",
+ "nvd_published_at": null,
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
diff --git a/internal/genericosv/testdata/osv/GHSA-6qfg-8799-r575.json b/internal/genericosv/testdata/osv/GHSA-6qfg-8799-r575.json
new file mode 100644
index 0000000..e3ce61d
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-6qfg-8799-r575.json
@@ -0,0 +1,104 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6qfg-8799-r575",
+ "modified": "2021-05-17T21:58:06Z",
+ "published": "2021-05-18T15:30:07Z",
+ "aliases": [
+ "CVE-2019-11251"
+ ],
+ "summary": "Symlink Attack",
+ "details": "The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.13.10"
+ },
+ {
+ "fixed": "1.13.11"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.14.6"
+ },
+ {
+ "fixed": "1.14.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.15.3"
+ },
+ {
+ "fixed": "1.16.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11251"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/issues/87773"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/82143"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-59",
+ "CWE-61"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-05-17T21:58:06Z",
+ "nvd_published_at": null,
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
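Review bot: `github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp` is a repository path, not a module path; Kubernetes declares `module k8s.io/kubernetes`, so this will not resolve as written and lint should flag it. The ranges also contradict the details: the text says versions 1.1 through 1.12 and anything before 1.13.11, 1.14.7 and 1.15.4 are affected, but the ranges start at `1.13.10`, `1.14.6` and `1.15.3`, and the last one closes at `1.16.0` instead of `1.15.4`. Worth keeping precisely because it exercises both problems, but the expected report should surface them as notes rather than presenting the narrowed ranges as authoritative.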
diff --git a/internal/genericosv/testdata/osv/GHSA-6rg3-8h8x-5xfv.json b/internal/genericosv/testdata/osv/GHSA-6rg3-8h8x-5xfv.json
new file mode 100644
index 0000000..0dfd237
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-6rg3-8h8x-5xfv.json
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6rg3-8h8x-5xfv",
+ "modified": "2021-10-05T17:24:11Z",
+ "published": "2021-06-23T18:04:50Z",
+ "summary": "Unchecked hostname resolution could allow access to local network resources by users outside the local network",
+ "details": "### Impact\nA newly implemented route allowing users to download files from remote endpoints was not properly verifying the destination hostname for user provided URLs. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible.\n\nThis vulnerability requires valid authentication credentials and is therefore **not exploitable by unauthenticated users**. If you are running an instance for yourself or other trusted individuals this impact is unlikely to be of major concern to you. However, you should still upgrade for security sake.\n\n### Patches\nUsers should upgrade to the latest version of Wings.\n\n### Workarounds\nThere is no workaround available that does not involve modifying Panel or Wings code.\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/pterodactyl/wings"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.2.0"
+ },
+ {
+ "fixed": "1.2.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1.2.0"
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/pterodactyl/wings"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284",
+ "CWE-441"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-06-23T18:04:30Z",
+ "nvd_published_at": null,
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
diff --git a/internal/genericosv/testdata/osv/GHSA-7943-82jg-wmw5.json b/internal/genericosv/testdata/osv/GHSA-7943-82jg-wmw5.json
new file mode 100644
index 0000000..87449e2
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-7943-82jg-wmw5.json
@@ -0,0 +1,107 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7943-82jg-wmw5",
+ "modified": "2022-07-21T15:54:19Z",
+ "published": "2022-07-12T22:05:11Z",
+ "aliases": [
+ "CVE-2022-31105"
+ ],
+ "summary": "Argo CD certificate verification is skipped for connections to OIDC providers",
+ "details": "### Impact\n\nAll versions of Argo CD starting with v0.4.0 are vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OIDC provider.\n\n(Note: external OIDC provider support was added in v0.11.0. Before that version, the notes below apply only to the bundled Dex instance.)\n\nYou are impacted if 1) have SSO enabled and 2) insecure mode is _not_ enabled on the API server. In this case, certificate verification is skipped when connecting to your OIDC provider for the following tasks: verifying auth tokens on API requests and handling SSO login flows. If you are using the bundled Dex instance but have _not_ set the `--dex-server` flag on the API server to an HTTPS address, then certificate verification is not being skipped (because [TLS is not enabled by default for the bundled Dex instance](https://github.com/argoproj/argo-cd/issues/9424)).\n\nArgo CD sends requests to the configured OIDC provider (either the bundled Dex instance or an external provider) to 1) retrieve the [OpenID configuration](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), 2) to retrieve the OIDC provider's key set (at the location determined by the [OIDC provider's configured `jwks_uri`](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)), and 3) (during an SSO login) to exchange an authorization code for a token.\n\n(Note: Starting with v2.3.0, certificate verification is _not_ skipped when handling an SSO login flow if 1) you are not using the bundled Dex OIDC provider and 2) you have set `oidc.config.rootCA` in the `argocd-cm` ConfigMap. Certificate verification is still skipped when verifying tokens on API calls.)\n\nSkipping certificate verification when communicating with the OIDC provider opens Argo CD to a variety of risks. 
For example, if an attacker can successfully intercept, decrypt, and respond to requests bound for the configured OIDC provider (a machine-in-the-middle attack), they could theoretically issue a \"valid\" admin token. Verifying the OIDC provider's certificate provides an extra layer of protection against such an attack.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.4.5\n* v2.3.6\n* v2.2.11\n\n**Note:**\n\nTo preserve backwards compatibility, this patch adds a `oidc.tls.insecure.skip.verify` option to the `argocd-cm` ConfigMap. The default is `\"false\"`. Before resorting to setting this, you should try to get certificate verification to work. If you are using the bundled Dex instance, user your Argo CD API server's [TLS configuration](https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/) since the API server acts as a reverse proxy to Dex. If you are using an external OIDC provider, [set the `rootCA` config](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuring-a-custom-root-ca-certificate-for-communicating-with-the-oidc-provider).\n\nIf these fail, be sure you are aware of the risks before setting `oidc.tls.insecure.skip.verify: \"true\"`.\n\n### Workarounds\n\nThere is no complete workaround besides upgrading.\n\n#### Partial mitigation when using an external OIDC provider\n\nIf you are using an external OIDC provider (not the bundled Dex instance), then you can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. If your OIDC provider's certificate is self-signed or otherwise invalid, you must set the rootCA to a certificate that enables verification. If the OIDC provider's certificate passes _without_ an additional root CA, then you can set `oidc.config.rootCA` to a bogus non-empty string such as `\"force cert verification\"`. 
The API server will log a warning, but otherwise things should work fine.\n\nExample:\n\n```yaml\nmetadata:\n name: argocd-cm\ndata:\n oidc.config: |\n ...\n rootCA: |\n force cert verification\n```\n\nThis mitigation _only_ forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls. To fully resolve the vulnerability, you must upgrade.\n\n### References\n\n* [Argo CD SSO configuration documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sso)\n\n### Credits\n\n@jannfis and @crenshaw-dev discovered the vulnerability when reviewing notes from ADA Logics' security audit of the Argo project sponsored by CNCF and facilitated by OSTIF. Thanks to Adam Korczynski and David Korczynski for their work on the audit.\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/argoproj/argo-cd"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.4.0"
+ },
+ {
+ "fixed": "2.2.11"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/argoproj/argo-cd"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.3.0"
+ },
+ {
+ "fixed": "2.3.6"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/argoproj/argo-cd"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.0"
+ },
+ {
+ "fixed": "2.4.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31105"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/argoproj/argo-cd"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-295"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2022-07-12T22:05:11Z",
+ "nvd_published_at": "2022-07-12T22:15:00Z",
+ "severity": "HIGH"
+ }
+}
\ No newline at end of file
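Review bot: the `details` value is shown broken across three physical lines (after `a variety of risks. ` and after `\"force cert verification\"`. `); if the file on disk really contains raw newlines inside the string it is invalid JSON and the test will fail to decode it, so confirm the file is a single line and the breaks are only an artefact of how the mail rendered the diff. The three ranges ([0.4.0, 2.2.11), [2.3.0, 2.3.6), [2.4.0, 2.4.5)) match the patch list in the text, but the 2.x versions belong to `github.com/argoproj/argo-cd/v2`, not the unsuffixed path given here, so expect lint notes on those.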
diff --git a/internal/genericosv/testdata/osv/GHSA-7fxj-fr3v-r9gj.json b/internal/genericosv/testdata/osv/GHSA-7fxj-fr3v-r9gj.json
new file mode 100644
index 0000000..2d31727
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-7fxj-fr3v-r9gj.json
@@ -0,0 +1,88 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7fxj-fr3v-r9gj",
+ "modified": "2022-11-24T01:13:44Z",
+ "published": "2022-11-04T19:01:17Z",
+ "aliases": [
+ "CVE-2022-3023"
+ ],
+ "summary": "TiDB vulnerable to Use of Externally-Controlled Format String",
+ "details": "TiDB server (importer CLI tool) prior to version 6.4.0 \u0026 6.1.3 is vulnerable to data source name injection. The database name for generating and inserting data into a database does not properly sanitize user input which can lead to arbitrary file reads.\"",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/pingcap/tidb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "6.1.2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/pingcap/tidb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "6.2.0"
+ },
+ {
+ "last_affected": "6.4.0-alpha1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3023"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pingcap/tidb/commit/d0376379d615cc8f263a0b17c031ce403c8dcbfb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://advisory.dw1.io/45"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/pingcap/tidb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.dev/bounties/120f1346-e958-49d0-b66c-0f889a469540"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-134"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2022-11-04T20:48:44Z",
+ "nvd_published_at": "2022-11-04T12:15:00Z",
+ "severity": "CRITICAL"
+ }
+}
\ No newline at end of file
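Review bot: both ranges use `last_affected` (`6.1.2` and `6.4.0-alpha1`) instead of `fixed`, which the Go report format has no direct equivalent for, so check that ToReport does not silently drop the upper bound; a note recording that the bound came from `last_affected` would let a triager pick a fixed version. Two smaller data points: the details string ends with a stray escaped quote (`file reads.\"`), and the summary (`Use of Externally-Controlled Format String`, CWE-134) describes a different bug from the details (data source name injection leading to file reads), so the summary should not be copied into the report unreviewed.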
diff --git a/internal/genericosv/testdata/osv/GHSA-9689-rx4v-cqgc.json b/internal/genericosv/testdata/osv/GHSA-9689-rx4v-cqgc.json
new file mode 100644
index 0000000..b61d71e
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-9689-rx4v-cqgc.json
@@ -0,0 +1,103 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9689-rx4v-cqgc",
+ "modified": "2021-05-12T18:15:16Z",
+ "published": "2022-02-15T01:57:18Z",
+ "aliases": [
+ "CVE-2018-15798"
+ ],
+ "summary": "Open Redirect",
+ "details": "Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A remote unauthenticated attacker could convince a user to click on a link using the oAuth redirect link with an untrusted website and gain access to that user's access token in Concourse.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/concourse/concourse/skymarshal/skyserver"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "5.2.8"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/concourse/concourse/skymarshal/skyserver"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.3.0"
+ },
+ {
+ "fixed": "5.5.10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/concourse/concourse/skymarshal/skyserver"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.6.0"
+ },
+ {
+ "fixed": "5.8.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15798"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/concourse/concourse/pull/5350/commits/38cb4cc025e5ed28764b4adc363a0bbf41f3c7cb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/concourse/concourse/blob/release/5.2.x/release-notes/v5.2.8.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pivotal.io/security/cve-2018-15798"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-601"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-05-12T18:15:16Z",
+ "nvd_published_at": null,
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
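Review bot: the details describe `4.x prior to 4.2.2`, but the three ranges for `github.com/concourse/concourse/skymarshal/skyserver` cover [0, 5.2.8), [5.3.0, 5.5.10) and [5.6.0, 5.8.1), so the structured data and the prose disagree on which releases are affected. `skymarshal/skyserver` is a package inside `github.com/concourse/concourse`, so ToReport should emit that module with the package listed under it rather than treating the full path as a module, and the v5 versions will hit the same missing-`/vN` lint as the other Concourse entry.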
diff --git a/internal/genericosv/testdata/osv/GHSA-cf7g-cm7q-rq7f.json b/internal/genericosv/testdata/osv/GHSA-cf7g-cm7q-rq7f.json
new file mode 100644
index 0000000..aa4a990
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-cf7g-cm7q-rq7f.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cf7g-cm7q-rq7f",
+ "modified": "2022-09-23T17:07:44Z",
+ "published": "2022-09-20T21:22:55Z",
+ "aliases": [
+ "CVE-2022-39220"
+ ],
+ "summary": "SFTPGo WebClient vulnerable to Cross-site Scripting",
+ "details": "### Impact\nCross-site scripting (XSS) vulnerabilities have been reported to affect SFTPGo WebClient. If exploited, this vulnerability allows remote attackers to inject malicious code.\n\n### Patches\nFixed in v2.3.5.\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/drakkan/sftpgo"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-cf7g-cm7q-rq7f"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39220"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/drakkan/sftpgo/commit/cbef217cfa92478ee8e00ba1a5fb074f8a8aeee0"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/drakkan/sftpgo"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2022-09-20T21:22:55Z",
+ "nvd_published_at": "2022-09-20T22:15:00Z",
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
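Review bot: `github.com/drakkan/sftpgo` with `"fixed": "2.3.5"` needs a `/v2` suffix to be a valid Go module version (SFTPGo v2 declares `module github.com/drakkan/sftpgo/v2`), so this is a useful check that lint reports the unsuffixed path rather than ToReport passing it through as-is. Otherwise this is a clean single-module, single-range case.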
diff --git a/internal/genericosv/testdata/osv/GHSA-fv82-r8qv-ch4v.json b/internal/genericosv/testdata/osv/GHSA-fv82-r8qv-ch4v.json
new file mode 100644
index 0000000..044201c
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-fv82-r8qv-ch4v.json
@@ -0,0 +1,80 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fv82-r8qv-ch4v",
+ "modified": "2021-05-20T20:47:18Z",
+ "published": "2021-05-21T16:24:22Z",
+ "aliases": [
+ "CVE-2021-29652"
+ ],
+ "summary": "pomerium_signature is not verified in middleware in github.com/pomerium/pomerium",
+ "details": "### Impact\nSome API endpoints under /.pomerium/ do not verify parameters with pomerium_signature. This could allow modifying parameters intended to be trusted to Pomerium. \n\nThe issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.\n\n### Patches\nPatched in v0.13.4\n\n### For more information\nIf you have any questions or comments about this advisory\n* Open an issue in [pomerium](http://github.com/pomerium/pomerium)\n* Email us at [secu...@pomerium.com](mailto:secu...@pomerium.com)",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/pomerium/pomerium"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.10.0"
+ },
+ {
+ "fixed": "0.13.4"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/pomerium/pomerium/authenticate"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.10.0"
+ },
+ {
+ "fixed": "0.13.4"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-fv82-r8qv-ch4v"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29652"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pomerium/pomerium/pull/2048"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-601"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-05-20T20:47:18Z",
+ "nvd_published_at": null,
+ "severity": "HIGH"
+ }
+}
\ No newline at end of file
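Review bot: `github.com/pomerium/pomerium` and `github.com/pomerium/pomerium/authenticate` appear as two `affected` entries with identical ranges ([0.10.0, 0.13.4)); the second is a package inside the first, so the expected report should show one module with `authenticate` under its packages, not two modules, which makes this file a good regression test for the package-versus-module split in ToReport.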
diff --git a/internal/genericosv/testdata/osv/GHSA-g5gj-9ggf-9vmq.json b/internal/genericosv/testdata/osv/GHSA-g5gj-9ggf-9vmq.json
new file mode 100644
index 0000000..74433f0
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-g5gj-9ggf-9vmq.json
@@ -0,0 +1,70 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g5gj-9ggf-9vmq",
+ "modified": "2021-11-10T18:18:55Z",
+ "published": "2021-11-10T20:38:53Z",
+ "aliases": [
+ "CVE-2021-3908"
+ ],
+ "summary": "Infinite certificate chain depth results in OctoRPKI running forever",
+ "details": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.\n\n## Patches \n\n## For more information\nIf you have any questions or comments about this advisory email us at secu...@cloudflare.com \n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/cloudflare/cfrpki/cmd/octorpki"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3908"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/cloudflare/cfrpki"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.debian.org/security/2022/dsa-5041"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400",
+ "CWE-835"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-11-10T18:18:55Z",
+ "nvd_published_at": "2021-11-11T22:15:00Z",
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
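Review bot: the `details` text carries an empty `## Patches` heading (nothing between it and `## For more information`), so if ToReport copies details into the description verbatim the generated YAML will contain a dangling heading; worth checking the expected output and considering trimming empty sections. The affected path `github.com/cloudflare/cfrpki/cmd/octorpki` is a `main` package inside the `github.com/cloudflare/cfrpki` module, so as with the other package-path cases it should land under that module's packages with `fixed: 1.4.0` rather than as its own module.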
diff --git a/internal/genericosv/testdata/osv/GHSA-g9wh-3vrx-r7hg.json b/internal/genericosv/testdata/osv/GHSA-g9wh-3vrx-r7hg.json
new file mode 100644
index 0000000..264d21d
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-g9wh-3vrx-r7hg.json
@@ -0,0 +1,74 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g9wh-3vrx-r7hg",
+ "modified": "2021-11-10T18:19:37Z",
+ "published": "2021-11-10T20:39:23Z",
+ "aliases": [
+ "CVE-2021-3912"
+ ],
+ "summary": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository",
+ "details": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash). \n\n## Patches\n\n## For more information\nIf you have any questions or comments about this advisory email us at secu...@cloudflare.com\n\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/cloudflare/cfrpki"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3912"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2022-0253"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.debian.org/security/2022/dsa-5041"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "github.com/cloudflare/cfrpki"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400",
+ "CWE-770"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-11-10T18:19:37Z",
+ "nvd_published_at": "2021-11-11T22:15:00Z",
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
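Review bot: the `PACKAGE` reference `"url": "github.com/cloudflare/cfrpki"` has no scheme, so any URL validation in lint should reject it; check that the generated report records a note instead of emitting a reference that fails later. More importantly, the references already include `https://pkg.go.dev/vuln/GO-2022-0253`, meaning this GHSA already corresponds to an existing Go report; the expected output should make that linkage visible (for example by carrying the GO ID through) so the converter is not used to create a duplicate. Same empty `## Patches` heading in details as in GHSA-g5gj-9ggf-9vmq.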
diff --git a/internal/genericosv/testdata/osv/GHSA-hjv9-hm2f-rpcj.json b/internal/genericosv/testdata/osv/GHSA-hjv9-hm2f-rpcj.json
new file mode 100644
index 0000000..ad32df1
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-hjv9-hm2f-rpcj.json
@@ -0,0 +1,103 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hjv9-hm2f-rpcj",
+ "modified": "2023-03-09T04:23:52Z",
+ "published": "2023-03-01T18:30:59Z",
+ "aliases": [
+ "CVE-2023-0507"
+ ],
+ "summary": "Grafana vulnerable to Cross-site Scripting",
+ "details": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/grafana/grafana"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.1.0"
+ },
+ {
+ "fixed": "8.5.21"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/grafana/grafana"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.0.0"
+ },
+ {
+ "fixed": "9.2.13"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/grafana/grafana"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.3.0"
+ },
+ {
+ "fixed": "9.3.8"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0507"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/grafana/grafana"
+ },
+ {
+ "type": "WEB",
+ "url": "https://grafana.com/security/security-advisories/cve-2023-0507/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20230413-0001/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-03-02T23:06:08Z",
+ "nvd_published_at": "2023-03-01T16:15:00Z",
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
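Review bot: this advisory lists github.com/grafana/grafana three times as separate "affected" entries with disjoint ranges (8.1.0 to 8.5.21, 9.0.0 to 9.2.13, 9.3.0 to 9.3.8). ToReport should collapse same-name entries into one module with three version ranges rather than emitting three module entries; the expected YAML for this fixture is the natural place to pin that behaviour down.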
diff --git a/internal/genericosv/testdata/osv/GHSA-hmfx-3pcx-653p.json b/internal/genericosv/testdata/osv/GHSA-hmfx-3pcx-653p.json
new file mode 100644
index 0000000..674f035
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-hmfx-3pcx-653p.json
@@ -0,0 +1,117 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hmfx-3pcx-653p",
+ "modified": "2023-02-16T17:38:22Z",
+ "published": "2023-02-16T14:11:33Z",
+ "aliases": [
+ "CVE-2023-25173"
+ ],
+ "summary": "Supplementary groups are not set up properly in github.com/containerd/containerd",
+ "details": "### Impact\n\nA bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.\n\nDownstream applications that use the containerd client library may be affected as well.\n\n### Patches\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions.\n\n### Workarounds\n\nEnsure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.\n\n### References\n\n- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/\n- Docker/Moby: CVE-2022-36109, fixed in Docker 20.10.18\n- CRI-O: CVE-2022-2995, fixed in CRI-O 1.25.0\n- Podman: CVE-2022-2989, fixed in Podman 3.0.1 and 4.2.0\n- Buildah: CVE-2022-2990, fixed in Buildah 1.27.1\n\nNote that CVE IDs apply to a particular implementation, even if an issue is common.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)\n* Email us at [secu...@containerd.io](mailto:secu...@containerd.io)\n\nTo report a security issue in containerd:\n* [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new)\n* Email us at [secu...@containerd.io](mailto:secu...@containerd.io)",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/containerd/containerd"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.5.18"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/containerd/containerd"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.6.0"
+ },
+ {
+ "fixed": "1.6.18"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25173"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/containerd/containerd"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2023-1574"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-269",
+ "CWE-863"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-02-16T14:11:33Z",
+ "nvd_published_at": "2023-02-16T15:15:00Z",
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
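Review bot: the references here already include "https://pkg.go.dev/vuln/GO-2023-1574", i.e. the Go vulnerability database has a report for this advisory. Since the commit message says lint errors become notes on the generated report, it would be worth having ToReport (or the test) surface the existing GO ID, so that running the converter over an existing GHSA is flagged as a potential duplicate instead of producing a fresh report. Also note this file carries a "CVSS:3.0/..." vector while the others are 3.1; if the CVSS string is copied into the report, both prefixes need to be accepted.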
diff --git a/internal/genericosv/testdata/osv/GHSA-hv53-vf5m-8q94.json b/internal/genericosv/testdata/osv/GHSA-hv53-vf5m-8q94.json
new file mode 100644
index 0000000..3824234
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-hv53-vf5m-8q94.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hv53-vf5m-8q94",
+ "modified": "2022-09-19T22:53:33Z",
+ "published": "2022-02-11T23:28:20Z",
+ "summary": "personnummer/go vulnerable to Improper Input Validation",
+ "details": "This vulnerability was reported to the personnummer team in June 2020. The slow response was due to locked ownership of some of the affected packages, which caused delays to update packages prior to disclosure.\n\nThe vulnerability is determined to be low severity.\n\n### Impact\n\nThis vulnerability impacts users who rely on the for last digits of personnummer to be a _real_ personnummer. \n\n### Patches\n\nThe issue have been patched in all repositories. The following versions should be updated to as soon as possible:\n\n[C#](https://github.com/advisories/GHSA-qv8q-v995-72gr) 3.0.2 \nD 3.0.1 \n[Dart](https://github.com/advisories/GHSA-4xh4-v2pq-jvhm) 3.0.3 \nElixir 3.0.0 \n[Go](https://github.com/advisories/GHSA-hv53-vf5m-8q94) 3.0.1 \n[Java](https://github.com/advisories/GHSA-q3vw-4jx3-rrr2) 3.3.0 \n[JavaScript](https://github.com/advisories/GHSA-vpgc-7h78-gx8f) 3.1.0 \nKotlin 1.1.0 \nLua 3.0.1 \n[PHP](https://github.com/advisories/GHSA-2p6g-gjp8-ggg9) 3.0.2 \nPerl 3.0.0 \n[Python](https://github.com/advisories/GHSA-rxq3-5249-8hgg) 3.0.2 \n[Ruby](https://github.com/advisories/GHSA-vp9c-fpxx-744v) 3.0.1 \n[Rust](https://github.com/advisories/GHSA-28r9-pq4c-wp3c) 3.0.0 \nScala 3.0.1 \nSwift 1.0.1 \n\nIf you are using any of the earlier packages, please update to latest.\n\n### Workarounds\n\nThe issue arrieses from the regular expression allowing the first three digits in the last four digits of the personnummer to be\n000, which is invalid. To mitigate this without upgrading, a check on the last four digits can be made to make sure it's not\n000x.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Personnummer Meta](https://github.com/personnummer/meta/issues)\n* Email us at [Personnummer Email](mailto:secu...@personnummer.dev)",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/personnummer/go"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/personnummer/go/security/advisories/GHSA-hv53-vf5m-8q94"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/personnummer/go/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/github.com/personnummer/go"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-05-24T17:26:30Z",
+ "nvd_published_at": null,
+ "severity": "LOW"
+ }
+}
\ No newline at end of file
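Review bot: this fixture has no "aliases" key, no top-level "severity" array, an empty "cwe_ids": [] and "nvd_published_at": null, and its PACKAGE reference ends in a trailing slash ("https://github.com/personnummer/go/"). That makes it the right case for asserting that ToReport produces a report with no CVE and no CVSS without error, and that any module path derived from the PACKAGE URL is trimmed of the trailing slash; please make those assertions explicit rather than relying only on the golden file.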
diff --git a/internal/genericosv/testdata/osv/GHSA-jh36-q97c-9928.json b/internal/genericosv/testdata/osv/GHSA-jh36-q97c-9928.json
new file mode 100644
index 0000000..b5d988f
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-jh36-q97c-9928.json
@@ -0,0 +1,126 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jh36-q97c-9928",
+ "modified": "2023-03-10T22:45:03Z",
+ "published": "2023-03-01T21:30:18Z",
+ "aliases": [
+ "CVE-2022-3294"
+ ],
+ "summary": "Kubernetes vulnerable to validation bypass",
+ "details": "Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/kubernetes/kubernetes"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.25.0"
+ },
+ {
+ "fixed": "1.25.4"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/kubernetes/kubernetes"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.24.0"
+ },
+ {
+ "fixed": "1.24.8"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/kubernetes/kubernetes"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.23.0"
+ },
+ {
+ "fixed": "1.23.14"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/kubernetes/kubernetes"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.22.0"
+ },
+ {
+ "fixed": "1.22.16"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3294"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/issues/113757"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/kubernetes/kubernetes"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20230505-0007/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-03-10T22:45:03Z",
+ "nvd_published_at": "2023-03-01T19:15:00Z",
+ "severity": "HIGH"
+ }
+}
\ No newline at end of file
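Review bot: the four ranges for github.com/kubernetes/kubernetes arrive in descending order (introduced 1.25.0, then 1.24.0, 1.23.0, 1.22.0). ToReport should sort version ranges ascending when merging same-module entries so the generated YAML is deterministic and does not mirror upstream ordering. Separately, the package name is the GitHub repository path; the lint pass that adds notes to the report should verify that it is a resolvable Go module path, since that is exactly the kind of "area for improvement" the commit message describes.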
diff --git a/internal/genericosv/testdata/osv/GHSA-jmp2-wc4p-wfh2.json b/internal/genericosv/testdata/osv/GHSA-jmp2-wc4p-wfh2.json
new file mode 100644
index 0000000..475a930
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-jmp2-wc4p-wfh2.json
@@ -0,0 +1,108 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jmp2-wc4p-wfh2",
+ "modified": "2023-05-05T02:25:00Z",
+ "published": "2023-05-05T02:25:00Z",
+ "aliases": [
+ "CVE-2023-30844"
+ ],
+ "summary": "Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints",
+ "details": "### Impact\n\nMutagen command line operations, as well as the log output from `mutagen daemon run`, are susceptible to control characters that could be provided by remote endpoints. This can cause terminal corruption, either intentional or unintentional, if these characters are present in error messages, file paths/names, and/or log output. This could be used as an attack vector if synchronizing with an untrusted remote endpoint, synchronizing files not under control of the user, or forwarding to/from an untrusted remote endpoint. On very old systems with terminals susceptible to issues such as [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069), the issue could theoretically cause code execution.\n\n\n### Patches\n\nThe problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged.\n\nOne caveat is that the templating functionality of Mutagen's `list` and `monitor` commands has been only partially patched. In particular, the `json` template function already provided escaping and no patching was necessary. However, raw template output has been left unescaped because this raw output may be necessary for commands which embed Mutagen. To aid these commands, a new `shellSanitize` template function has been added which provides control character neutralization in strings.\n\n\n### Workarounds\n\nAvoiding synchronization of untrusted files or interaction with untrusted remote endpoints should mitigate any risk.\n\n\n### References\n\nA similar issue can be seen in kubernetes/kubernetes#101695.\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/mutagen-io/mutagen"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.16.6"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/mutagen-io/mutagen-compose"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.17.1"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/mutagen-io/mutagen"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.17.0"
+ },
+ {
+ "fixed": "0.17.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/mutagen-io/mutagen/security/advisories/GHSA-jmp2-wc4p-wfh2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30844"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/mutagen-io/mutagen"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mutagen-io/mutagen/releases/tag/v0.16.6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mutagen-io/mutagen/releases/tag/v0.17.1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-116",
+ "CWE-150"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-05-05T02:25:00Z",
+ "nvd_published_at": null,
+ "severity": "LOW"
+ }
+}
\ No newline at end of file
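Review bot: github.com/mutagen-io/mutagen appears in two non-adjacent "affected" entries (0 to 0.16.6, then 0.17.0 to 0.17.1) with github.com/mutagen-io/mutagen-compose between them. Any merge-by-module logic in ToReport must key on the module name rather than on adjacency, otherwise this fixture yields two mutagen modules; a test assertion on the number of modules in the resulting report would catch that.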
diff --git a/internal/genericosv/testdata/osv/GHSA-pg5p-wwp8-97g8.json b/internal/genericosv/testdata/osv/GHSA-pg5p-wwp8-97g8.json
new file mode 100644
index 0000000..b23954c
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-pg5p-wwp8-97g8.json
@@ -0,0 +1,118 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pg5p-wwp8-97g8",
+ "modified": "2023-04-19T18:16:51Z",
+ "published": "2023-04-19T18:16:51Z",
+ "aliases": [
+ "CVE-2023-29002"
+ ],
+ "summary": "Debug mode leaks confidential data in Cilium",
+ "details": "### Impact\n\nWhen run in debug mode, Cilium may log sensitive information.\n\nIn particular, Cilium running in debug mode will log the values of headers if they match HTTP network policy rules. This issue affects Cilium versions:\n\n- 1.7.* to 1.10.* inclusive\n- 1.11.* before 1.11.16\n- 1.12.* before 1.12.9\n- 1.13.* before 1.13.2\n\nIn addition, Cilium 1.12.* before 1.12.9 and 1.13.* before 1.13.2., when running in debug mode, might log secrets used by the Cilium agent. This includes TLS private keys for Ingress and GatewayAPI resources, depending on the configuration of the affected cluster. Output of the confidential data would occur at Cilium agent restart, when the secrets are modified, and on creation of Ingress or GatewayAPI resources.\n\n### Patches\n\nThis vulnerability is fixed in Cilium releases 1.11.16, 1.12.9, and 1.13.2.\n\n### Workarounds\nDisable debug mode.\n\n### Acknowledgements\nThe Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @meyskens for investigating and fixing the issue.\n\n### For more information\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nAs usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: [secu...@cilium.io](mailto:secu...@cilium.io) - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority.\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/cilium/cilium"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.7.0"
+ },
+ {
+ "last_affected": "1.10.0"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/cilium/cilium"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.11.0"
+ },
+ {
+ "fixed": "1.11.16"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/cilium/cilium"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.12.0"
+ },
+ {
+ "fixed": "1.12.9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/cilium/cilium"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.13.0"
+ },
+ {
+ "fixed": "1.13.2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29002"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/cilium/cilium"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-04-19T18:16:51Z",
+ "nvd_published_at": null,
+ "severity": "HIGH"
+ }
+}
\ No newline at end of file
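Review bot: the first range for github.com/cilium/cilium uses a "last_affected": "1.10.0" event instead of "fixed", and it is the only such event in the testdata. ToReport needs an explicit mapping for last_affected (there is no fix inside that range), and the test should assert what the report contains for it. Note too that the details say "1.7.* to 1.10.* inclusive", so last_affected 1.10.0 understates the upstream range; a lint note pointing that out on the generated report would be useful.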
diff --git a/internal/genericosv/testdata/osv/GHSA-pmfr-63c2-jr5c.json b/internal/genericosv/testdata/osv/GHSA-pmfr-63c2-jr5c.json
new file mode 100644
index 0000000..6deb30c
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-pmfr-63c2-jr5c.json
@@ -0,0 +1,74 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pmfr-63c2-jr5c",
+ "modified": "2023-01-20T22:02:58Z",
+ "published": "2021-12-20T18:24:30Z",
+ "aliases": [
+ "CVE-2020-13845"
+ ],
+ "summary": "Execution Control List (ECL) Is Insecure in Singularity",
+ "details": "### Impact\n\nThe Singularity Execution Control List (ECL) allows system administrators to set up a policy that defines rules about what signature(s) must be (or must not be) present on a SIF container image for it to be permitted to run.\n\nIn Singularity 3.x versions below 3.6.0, the following issues allow the ECL to be bypassed by a malicious user:\n\n * Image integrity is not validated when an ECL policy is enforced.\n * The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature. Thus, it is trivial to craft an arbitrary payload which will be permitted to run, even if the attacker does not have access to the private key associated with the fingerprint(s) configured in the ECL.\n\n### Patches\n\nThese issues are addressed in Singularity 3.6.0.\n\nAll users are advised to upgrade to 3.6.0. Note that Singularity 3.6.0 uses a new signature format that is necessarily incompatible with Singularity \u003c 3.6.0 - e.g. Singularity 3.5.3 cannot verify containers signed by 3.6.0.\n\nVersion 3.6.0 includes a `legacyinsecure` option that can be set to `legacyinsecure = true` in `ecl.toml` to allow the ECL to perform verification of the older, and insecure, legacy signatures for compatibility with existing containers. This does not guarantee that containers have not been modified since signing, due to other issues in the legacy signature format. The option should be used only to temporarily ease the transition to containers signed with the new 3.6.0 signature format.\n\n### Workarounds\n\nThis issue affects any installation of Singularity configured to use the Execution Control List (ECL) functionality. 
There is no workaround if ECL is required.\n\n### For more information\n\nGeneral questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:\n\n* [Singularity Slack Channel](https://bit.ly/2m0g3lX)\n* [Singularity Mailing List](https://groups.google.com/a/lbl.gov/forum/??sdf%7Csort:date#!forum/singularity)\n\nAny sensitive security concerns should be directed to: secu...@sylabs.io\n\nSee our Security Policy here: https://sylabs.io/security-policy",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/sylabs/singularity"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.0.0"
+ },
+ {
+ "fixed": "3.6.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13845"
+ },
+ {
+ "type": "WEB",
+ "url": "https://medium.com/sylabs"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-347",
+ "CWE-354"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-05-24T19:13:13Z",
+ "nvd_published_at": "2020-07-14T18:15:00Z",
+ "severity": "HIGH"
+ }
+}
\ No newline at end of file
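Review bot: the package name is github.com/sylabs/singularity while the advisory reference points at github.com/hpcng/singularity, so the module path in the OSV entry and the repository that published the advisory differ; this is a good case for a lint note that checks the module path against the versions given (3.0.0 to 3.6.0). The details also contain JSON escapes such as "\u003c 3.6.0"; confirm the golden YAML shows "<" after decoding rather than the escape sequence.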
diff --git a/internal/genericosv/testdata/osv/GHSA-vp35-85q5-9f25.json b/internal/genericosv/testdata/osv/GHSA-vp35-85q5-9f25.json
new file mode 100644
index 0000000..fcc469d
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-vp35-85q5-9f25.json
@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vp35-85q5-9f25",
+ "modified": "2022-11-11T00:03:31Z",
+ "published": "2022-11-11T00:03:31Z",
+ "summary": "Container build can leak any path on the host into the container",
+ "details": "### Description\n\nMoby is the open source Linux container runtime and set of components used to build a variety of downstream container runtimes, including Docker CE, Mirantis Container Runtime (formerly Docker EE), and Docker Desktop. Moby allows for building container images using a set of build instructions (usually named and referred to as a \"Dockerfile\"), and a build context, which is not unlike the CWD in which the Dockerfile instructions are executed.\n\nContainers may be built using a variety of tools and build backends available in the Moby ecosystem; in all cases, builds may not include files outside of the build context (such as using absolute or relative-parent paths). This is enforced through both checks in the build backends, and the containerization of the build process itself.\n\nVersions of Git where CVE-2022-39253 is present and exploited by a malicious repository, when used in combination with Moby, are subject to an unexpected inclusion of arbitrary filesystem paths in the build context, without any visible warning to the user.\n\nThis issue was originally reported by Wenxiang Qian of Tencent Blade Team, and the root-cause analysis was performed by Cory Snider of Mirantis, with assistance from Bjorn Neergaard of the same. The issue was then reported to the Git project, and Taylor Blau led the process resolving the root issue in Git.\n\n### Impact\n\nThis vulnerability originates in Git, but can be used to violate assumptions that may have security implications for users of Moby and related components. Users may rely on the fact that a build context ensures that outside files cannot be referenced or incorporated using multiple enforcement mechanisms, or expect a warning if this does not hold true. 
A maliciously crafted Git repository exploiting CVE-2022-39253 can violate this assumption, and potentially include sensitive files that are subsequently uploaded to a container image repository, or disclosed by code inside the resulting container image.\n\nAs this issue cannot be triggered remotely, except by users who already have full control over the daemon through the API, and it requires exploiting a vulnerability in Git by convincing a user to build a maliciously crafted repository, the impact in Moby is considered low.\n\n### Patches\n\nMoby 20.10.20, and Mirantis Container Runtime (formerly Docker Enterprise Edition) 20.10.14 will contain mitigations for CVE-2022-39253 when a Git clone is performed by Moby components (on either the daemon or API client side). However, as these mitigations only apply to certain scenarios (build of `git+\u003cprotocol\u003e://...` URL contexts) and cannot protect against a malicious repository already on disk, users should update to a version of Git containing patches for CVE-2022-39253 on all their systems running both API clients and daemons.\n\nSpecifically, patches in Moby (including patches incorporated from BuildKit) protect against the following:\n\n* `docker build` with the legacy builder (e.g. `DOCKER_BUILDKIT` unset or set to 0) of a Git URL context. Note that depending on available API versions and the CLI version, the Git clone operation can take place on either the client or the daemon side. Both must be updated (or have Git updated) to fully protect this build method.\n* `docker build` with the BuildKit builder (e.g. 
`DOCKER_BUILDKIT=1`) of a Git URL context.\n* `docker buildx build` with `BUILDKIT_CONTEXT_KEEP_GIT_DIR=1` of a Git URL context.\n\nPatches in BuildKit incorporated into Docker Compose protect against CVE-2022-39253 during Compose-driven builds of Git URL contexts.\n\nPatches in Moby and related projects such as BuildKit, the Docker CLI, and Docker Compose **cannot** fully protect against CVE-2022-39253, as it may be triggered by a malicious repository already on disk that a unpatched Git client has interacted with (specifically, commands that check out submodules such as `git clone --recursive`, `git submodule update`, etc. may have already triggered the Git vulnerability).\n\n### Workarounds\n\nWhile this behavior is unexpected and undesirable, and has resulted in this security advisory, users should keep in mind that building a container entails arbitrary code execution. Users should not build a repository/build context they do not trust, as containerization cannot protect against all possible attacks.\n\nWhen building with BuildKit (e.g. `docker buildx build` or `docker build` with `DOCKER_BUILDKIT=1`), this issue cannot be exploited unless `--build-arg BUILDKIT_CONTEXT_KEEP_GIT_DIR=1` was also passed, as by default BuildKit will discard the `.git` directory of a Git URL context immediately after cloning and checking out the repository.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* [Open an issue](https://github.com/moby/moby/issues/new)\n* Email us at [secu...@docker.com](mailto:secu...@docker.com)",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/moby/moby"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "20.10.20"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "\u003c= 20.10.19"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/moby/security/advisories/GHSA-vp35-85q5-9f25"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.blog/2022-10-17-git-security-vulnerabilities-announced/"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/moby/moby"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/moby/moby/releases/tag/v20.10.20"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2022-11-11T00:03:31Z",
+ "nvd_published_at": null,
+ "severity": "LOW"
+ }
+}
\ No newline at end of file
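Review bot: this entry has a "database_specific" object nested inside the "affected" element ("last_known_affected_version_range": "\u003c= 20.10.19"), distinct from the top-level database_specific, and it has no "aliases" key. Please confirm the OSV struct ToReport decodes from tolerates per-affected database_specific (it will unless the decoder disallows unknown fields) and that a missing aliases list yields a report without a CVE rather than a nil-dereference.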
diff --git a/internal/genericosv/testdata/osv/GHSA-w4xh-w33p-4v29.json b/internal/genericosv/testdata/osv/GHSA-w4xh-w33p-4v29.json
new file mode 100644
index 0000000..69c84b5
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-w4xh-w33p-4v29.json
@@ -0,0 +1,112 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w4xh-w33p-4v29",
+ "modified": "2023-02-08T00:28:40Z",
+ "published": "2022-05-14T00:55:16Z",
+ "aliases": [
+ "CVE-2017-17831"
+ ],
+ "summary": "GitHub Git LFS Improper Input Validation vulnerability",
+ "details": "GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a `url =` line in a `.lfsconfig` file within a repository.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/git-lfs/git-lfs/lfsapi"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.1-0.20170519163204-f913f5f9c7c6"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/git-lfs/git-lfs"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.1-0.20170519163204-f913f5f9c7c6"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17831"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/git-lfs/git-lfs/pull/2241"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/git-lfs/git-lfs/pull/2242"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19"
+ },
+ {
+ "type": "WEB",
+ "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/git-lfs/git-lfs"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2021-0073"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/102926"
+ },
+ {
+ "type": "WEB",
+ "url": "http://blog.recurity-labs.com/2017-08-10/scm-vulns"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/102926"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-02-08T00:28:40Z",
+ "nvd_published_at": "2017-12-21T06:29:00Z",
+ "severity": "HIGH"
+ }
+}
\ No newline at end of file
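Review bot: both `affected` entries here (`github.com/git-lfs/git-lfs/lfsapi` and `github.com/git-lfs/git-lfs`) describe the same module, one of them by a package path, so the golden YAML for this entry should make explicit whether ToReport collapses them into one `modules` item or emits two. The `fixed` pseudo-version `2.1.1-0.20170519163204-f913f5f9c7c6` is also worth asserting on, since it should be carried verbatim and not parsed as a release version.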
diff --git a/internal/genericosv/testdata/osv/GHSA-wx8q-rgfr-cf6v.json b/internal/genericosv/testdata/osv/GHSA-wx8q-rgfr-cf6v.json
new file mode 100644
index 0000000..af5015f
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-wx8q-rgfr-cf6v.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wx8q-rgfr-cf6v",
+ "modified": "2021-12-10T18:30:24Z",
+ "published": "2021-11-10T18:20:11Z",
+ "aliases": [
+ "CVE-2021-22565"
+ ],
+ "summary": "Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server",
+ "details": "### Impact\nUsers or API keys with permission to expire verification codes could have expired codes that belonged to another realm if they guessed the UUID.\n\n### Patches\nv1.1.2+\n\n### Workarounds\nThere are no workarounds, and there are no indications this has been exploited in the wild. Verification codes can only be expired by providing their 64-bit UUID, and verification codes are already valid for a very short period of time (thus the UUID rotates frequently).\n\n### For more information\nContact exposure-notifi...@google.com",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/google/exposure-notifications-verification-server"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22565"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/google/exposure-notifications-verification-server/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-11-09T21:03:07Z",
+ "nvd_published_at": "2021-12-09T13:15:00Z",
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
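Review bot: the `details` string separates `### Impact` from its paragraph with a single `\n` rather than a blank line (unlike the Argo CD entry below), so this file is a good case for checking that the description reflow keeps the heading on its own line; a line-joining reflow would yield `### Impact Users or API keys ...`, which changes the markdown meaning.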
diff --git a/internal/genericosv/testdata/osv/GHSA-xmg8-99r8-jc2j.json b/internal/genericosv/testdata/osv/GHSA-xmg8-99r8-jc2j.json
new file mode 100644
index 0000000..8b7d4df
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-xmg8-99r8-jc2j.json
@@ -0,0 +1,133 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xmg8-99r8-jc2j",
+ "modified": "2022-05-24T12:26:59Z",
+ "published": "2022-05-24T12:26:59Z",
+ "aliases": [
+ "CVE-2022-24905"
+ ],
+ "summary": "Login screen allows message spoofing if SSO is enabled",
+ "details": "### Impact\n\nA vulnerability was found in Argo CD that allows an attacker to spoof error messages on the login screen when SSO is enabled.\n\nIn order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed.\n\nAs far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message.\n\n### Patched versions\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.3.4\n* v2.2.9\n* v2.1.15\n\n### Workarounds\n\nNo workaround available.\n\n#### Mitigations\n\nIt is advised to update to an Argo CD version containing a fix for this issue (see *Patched versions* above).\n\n### Credits\n\nThis vulnerability was discovered by Naufal Septiadi (\u003c...@horangi.com\u003e) and reported to us in a responsible way. \n\n### For more information\n\n\u003c!-- Use only one of the paragraphs below. Remove all others. --\u003e\n\n\u003c!-- For Argo CD --\u003e\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/argoproj/argo-cd/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.3.0"
+ },
+ {
+ "fixed": "2.3.4"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/argoproj/argo-cd/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.2.0"
+ },
+ {
+ "fixed": "2.2.9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/argoproj/argo-cd/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.1.15"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/argoproj/argo-cd"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.15"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "\u003c= 1.8.7"
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24905"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "github.com/argoproj/argo-cd"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2022-05-24T12:26:59Z",
+ "nvd_published_at": "2022-05-20T14:15:00Z",
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
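Review bot: the `PACKAGE` reference `"url": "github.com/argoproj/argo-cd"` has no scheme, so the generated report will carry an `is not a valid URL` lint note (the Mattermost golden file shows exactly that); since `PACKAGE` references are repository paths, consider normalizing a scheme-less value to `https://` during conversion instead of carrying the lint forward. Note also that the non-`/v2` affected entry carries `database_specific.last_known_affected_version_range: "<= 1.8.7"`, which is useful input for a `vulnerable_at` heuristic once the translation becomes less literal.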
diff --git a/internal/genericosv/testdata/osv/GHSA-xx9w-464f-7h6f.json b/internal/genericosv/testdata/osv/GHSA-xx9w-464f-7h6f.json
new file mode 100644
index 0000000..e46a727
--- /dev/null
+++ b/internal/genericosv/testdata/osv/GHSA-xx9w-464f-7h6f.json
@@ -0,0 +1,102 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xx9w-464f-7h6f",
+ "modified": "2023-04-03T18:56:08Z",
+ "published": "2022-09-16T20:27:13Z",
+ "aliases": [
+ "CVE-2022-31667"
+ ],
+ "summary": " Harbor fails to validate the user permissions when updating a robot account",
+ "details": "### Impact\nHarbor fails to validate the user permissions when updating a robot account that\nbelongs to a project that the authenticated user doesn’t have access to. API call:\n\nPUT /robots/{robot_id}\n\nBy sending a request that attempts to update a robot account, and specifying a robot\naccount id and robot account name that belongs to a different project that the user\ndoesn’t have access to, it was possible to revoke the robot account permissions.\n\n### Patches\nThis and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.\n\n### Workarounds\nThere are no workarounds available.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Harbor GitHub repository](https://github.com/goharbor/harbor)\n\n### Credits\nThanks to [Gal Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye Security](https://www.oxeye.io/) for reporting this issue.\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/goharbor/harbor"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.0.0"
+ },
+ {
+ "fixed": "1.10.13"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "\u003c= 1.10.12"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/goharbor/harbor"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.4.3"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "\u003c= 2.4.2"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/goharbor/harbor"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.5.0"
+ },
+ {
+ "fixed": "2.5.2"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "\u003c= 2.5.1"
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/goharbor/harbor"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "github_reviewed": true,
+ "github_reviewed_at": "2022-09-16T20:27:13Z",
+ "nvd_published_at": null,
+ "severity": "MODERATE"
+ }
+}
\ No newline at end of file
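Review bot: the `summary` value starts with a leading space (`" Harbor fails to validate ..."`), so ToReport should trim whitespace around the summary, or the golden file should show it trimmed. This entry also has `"cwe_ids": []` and `"nvd_published_at": null`, which makes it a useful case for confirming that empty and null `database_specific` fields decode without error.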
diff --git a/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml b/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
new file mode 100644
index 0000000..1f08606
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
@@ -0,0 +1,49 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/hashicorp/go-getter
+ versions:
+ - fixed: 1.6.1
+ vulnerable_at: 1.6.0
+ - module: github.com/hashicorp/go-getter
+ versions:
+ - introduced: 2.0.0
+ fixed: 2.1.0
+ vulnerable_at: 1.7.2
+ - module: github.com/hashicorp/go-getter/gcs/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.0.2
+ - module: github.com/hashicorp/go-getter/s3/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.0.2
+ - module: github.com/hashicorp/go-getter/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.0.2
+summary: |-
+ HashiCorp go-getter unsafe downloads could lead to asymmetric resource
+ exhaustion
+description: |-
+ HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric
+ resource exhaustion could occur when go-getter processed malicious HTTP
+ responses.
+cves:
+ - CVE-2022-30323
+ghsas:
+ - GHSA-28r2-q6m8-9hpx
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-30323
+ - web: https://github.com/hashicorp/go-getter/pull/359
+ - web: https://github.com/hashicorp/go-getter/pull/361
+ - web: https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48
+ - web: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
+ - web: https://discuss.hashicorp.com
+ - web: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/
+ - web: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
+ - package: https://github.com/hashicorp/go-getter
+ - web: https://github.com/hashicorp/go-getter/releases
+ - web: https://pkg.go.dev/vuln/GO-2022-0586
+notes:
+ - 'lint: github.com/hashicorp/go-getter: bad version "2.0.0": github.com/hashicorp/go-g...@v2.0.0: invalid version: should be v0 or v1, not v2'
+ - 'lint: github.com/hashicorp/go-getter: vulnerable_at version 1.7.2 is not inside vulnerable range'
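Review bot: the second `github.com/hashicorp/go-getter` entry (`introduced: 2.0.0`, `fixed: 2.1.0`) is a v2 range on an unsuffixed module path, which is why lint rejects it, and the same range is already carried by the `/v2` modules below; a follow-up could drop, or at least annotate, a range whose major version disagrees with the module path. The references also keep three discuss.hashicorp.com entries (the bare host, the topic URL without its id, and the full URL), so prefix-based reference dedup is another candidate for the improvement list.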
diff --git a/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml b/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml
new file mode 100644
index 0000000..49b6430
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml
@@ -0,0 +1,62 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/apptainer/sif/v2
+ versions:
+ - introduced: 1.2.1-0.20180103161547-0ef6afb2f6cd
+ fixed: 1.2.1-0.20180404165556-75cca531ea76
+ - module: github.com/satori/go.uuid
+ versions:
+ - introduced: 1.2.1-0.20180103161547-0ef6afb2f6cd
+ fixed: 1.2.1-0.20180404165556-75cca531ea76
+ vulnerable_at: 1.2.0
+summary: github.com/satori/go.uuid has Predictable SIF UUID Identifiers
+description: |-
+ ### Impact
+
+ The siftool new command produces predictable UUID identifiers due to insecure
+ randomness in the version of the `github.com/satori/go.uuid` module used as a
+ dependency.
+
+ ### Patches
+
+ A patch is available in version >= v1.2.1-0.20180404165556-75cca531ea76 of the
+ module. Users are encouraged to upgrade.
+
+ Fixed by https://github.com/hpcng/sif/pull/90
+
+ ### Workarounds
+
+ Users passing CreateInfo struct should ensure the ID field is generated using a
+ version of github.com/satori/go.uuid that is not vulnerable to this issue.
+ Unfortunately, the latest tagged release is vulnerable to this issue. One way to
+ obtain a non-vulnerable version is:
+
+ `go get -u github.com/satori/go....@v1.2.1-0.20180404165556-75cca531ea76`
+
+ ### References
+
+ https://github.com/satori/go.uuid/issues/73
+
+ ### For more information
+
+ If you have any questions or comments about this advisory:
+
+ Open an issue in https://github.com/hpcng/sif/issues
+cves:
+ - CVE-2021-3538
+ghsas:
+ - GHSA-33m6-q9v5-62r7
+references:
+ - web: https://github.com/hpcng/sif/security/advisories/GHSA-33m6-q9v5-62r7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3538
+ - web: https://github.com/satori/go.uuid/issues/73
+ - web: https://github.com/satori/go.uuid/pull/75
+ - web: https://github.com/satori/go.uuid/commit/75cca531ea763666bc46e531da3b4c3b95f64557
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=1954376
+ - package: https://github.com/satori/go.uuid
+ - web: https://pkg.go.dev/vuln/GO-2022-0244
+ - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
+notes:
+ - 'lint: github.com/apptainer/sif/v2: bad version "1.2.1-0.20180103161547-0ef6afb2f6cd": github.com/apptainer/sif/v...@v1.2.1-0.20180103161547-0ef6afb2f6cd: invalid version: should be v2, not v1'
+ - 'lint: github.com/satori/go.uuid: vulnerable_at version 1.2.0 is not inside vulnerable range'
+ - 'lint: redundant non-advisory reference to GHSA-33m6-q9v5-62r7'
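Review bot: the summary was rewritten to `github.com/satori/go.uuid has Predictable SIF UUID Identifiers`, i.e. prefixed with the second module listed rather than the first (`github.com/apptainer/sif/v2`), even though sif is the project the advisory is about; it would help to document how the module used for the prefix is chosen. Separately, the `web:` reference to the advisory's own GHSA page produces the `redundant non-advisory reference` lint in nearly every golden file here; dropping a reference whose URL ends in an id already listed under `ghsas`, or mapping it to `advisory:`, would remove that noise.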
diff --git a/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml b/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
new file mode 100644
index 0000000..820ad3d
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
@@ -0,0 +1,27 @@
+id: GO-TEST-ID
+modules:
+ - module: atomys.codes/stud42
+ versions:
+ - fixed: 0.23.0
+ vulnerable_at: 0.20.1
+summary: Stud42 vulnerable to denial of service
+description: |-
+ A security vulnerability has been identified in the GraphQL parser used by the
+ API of s42.app. An attacker can overload the parser and cause the API pod to
+ crash. With a bit of threading, the attacker can bring down the entire API,
+ resulting in an unhealthy stream. This vulnerability can be exploited by sending
+ a specially crafted request to the API with a large payload.
+
+ An attacker can exploit this vulnerability to cause a denial of service (DoS)
+ attack on the s42.app API, resulting in unavailability of the API for legitimate
+ users.
+ghsas:
+ - GHSA-3hwm-922r-47hw
+references:
+ - web: https://github.com/42Atomys/stud42/security/advisories/GHSA-3hwm-922r-47hw
+ - web: https://github.com/42Atomys/stud42/issues/412
+ - web: https://github.com/42Atomys/stud42/commit/a70bfc72fba721917bf681d72a58093fb9deee17
+ - package: https://github.com/42Atomys/stud42
+notes:
+ - 'lint: atomys.codes/stud42: bad version "0.23.0": HTTP GET /atomys.codes/stud42/@v/v0.23.0.mod returned status 404 Not Found'
+ - 'lint: redundant non-advisory reference to GHSA-3hwm-922r-47hw'
diff --git a/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml b/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
new file mode 100644
index 0000000..06fec23
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
@@ -0,0 +1,44 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 7.1.0
+ fixed: 7.1.6
+ vulnerable_at: 5.11.1+incompatible
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 7.7.0
+ fixed: 7.7.2
+ vulnerable_at: 5.11.1+incompatible
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 7.8.0
+ fixed: 7.8.1
+ vulnerable_at: 5.11.1+incompatible
+ - module: github.com/mattermost/mattermost-server/v6
+ versions:
+ - introduced: 6.3.0
+ fixed: 7.1.6
+ vulnerable_at: 6.7.2
+summary: Mattermost vulnerable to information disclosure
+description: |-
+ Mattermost allows an attacker to request a preview of an existing message when
+ creating a new message via the createPost API call, disclosing the contents of
+ the linked message.
+cves:
+ - CVE-2023-1777
+ghsas:
+ - GHSA-3wq5-3f56-v5xc
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-1777
+ - web: https://mattermost.com/security-updates/
+ - package: github.com/mattermost/mattermost-server
+notes:
+ - 'lint: "github.com/mattermost/mattermost-server" is not a valid URL'
+ - 'lint: github.com/mattermost/mattermost-server/v6: bad version "7.1.6": github.com/mattermost/mattermost-server/v...@v7.1.6: invalid version: should be v6, not v7'
+ - 'lint: github.com/mattermost/mattermost-server: bad version "7.1.0": github.com/mattermost/mattermo...@v7.1.0: invalid version: should be v0 or v1, not v7'
+ - 'lint: github.com/mattermost/mattermost-server: bad version "7.7.0": github.com/mattermost/mattermo...@v7.7.0: invalid version: should be v0 or v1, not v7'
+ - 'lint: github.com/mattermost/mattermost-server: bad version "7.8.0": github.com/mattermost/mattermo...@v7.8.0: invalid version: should be v0 or v1, not v7'
+ - 'lint: github.com/mattermost/mattermost-server: vulnerable_at version 5.11.1+incompatible is not inside vulnerable range'
+ - 'lint: github.com/mattermost/mattermost-server: vulnerable_at version 5.11.1+incompatible is not inside vulnerable range'
+ - 'lint: github.com/mattermost/mattermost-server: vulnerable_at version 5.11.1+incompatible is not inside vulnerable range'
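Review bot: the three `vulnerable_at version 5.11.1+incompatible is not inside vulnerable range` notes are byte-identical because each range of `github.com/mattermost/mattermost-server` became its own `modules` entry; merging ranges for the same module path into one entry with several `versions` items would remove both the duplicated module blocks and the duplicated notes (or, at minimum, the lint message could include the range so that duplicates are distinguishable).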
diff --git a/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
new file mode 100644
index 0000000..bf7f675
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
@@ -0,0 +1,22 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/zhaojh329/rttys
+ versions:
+ - introduced: 4.0.0
+ vulnerable_at: 1.1.0
+summary: rttys SQL Injection vulnerability
+description: |-
+ SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, and 4.0.2 in api.go,
+ allows attackers to execute arbitrary code.
+cves:
+ - CVE-2022-38867
+ghsas:
+ - GHSA-54q4-74p3-mgcw
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-38867
+ - web: https://github.com/zhaojh329/rttys/issues/117
+ - package: https://github.com/zhaojh329/rttys
+notes:
+ - 'create: unsupported version range event models.Event{Introduced:"", Fixed:"", LastAffected:"4.0.2", Limit:""}'
+ - 'lint: github.com/zhaojh329/rttys: bad version "4.0.0": github.com/zhaojh329/rt...@v4.0.0: invalid version: should be v0 or v1, not v4'
+ - 'lint: github.com/zhaojh329/rttys: vulnerable_at version 1.1.0 is not inside vulnerable range'
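Review bot: the `create: unsupported version range event ... LastAffected:"4.0.2"` note records that the `last_affected` event was dropped, but the resulting module entry keeps `introduced: 4.0.0` with no upper bound, which silently widens the affected range to every later version. Until `last_affected` is supported, consider emitting no version range for that entry, or adding a note that says the range is open-ended only because its upper bound was discarded.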
diff --git a/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml b/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
new file mode 100644
index 0000000..f4d72a5
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
@@ -0,0 +1,27 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/oauth2-proxy/oauth2-proxy
+ versions:
+ - introduced: 5.1.1
+ fixed: 6.0.0
+ vulnerable_at: 3.2.0+incompatible
+summary: Open Redirect in OAuth2 Proxy
+description: |-
+ ### Impact As users can provide a redirect address for the proxy to send the
+ authenticated user to at the end of the authentication flow. This is expected to
+ be the original URL that the user was trying to access. This redirect URL is
+ checked within the proxy and validated before redirecting the user to prevent
+ malicious actors providing redirects to potentially harmful sites.
+cves:
+ - CVE-2020-4037
+ghsas:
+ - GHSA-5m6c-jp6f-2vcv
+references:
+ - web: https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-4037
+ - web: https://github.com/oauth2-proxy/oauth2-proxy/commit/ee5662e0f5001d76ec76562bb605abbd07c266a2
+ - web: https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v6.0.0
+notes:
+ - 'lint: github.com/oauth2-proxy/oauth2-proxy: bad version "5.1.1": github.com/oauth2-proxy/oauth2...@v5.1.1: invalid version: should be v0 or v1, not v5'
+ - 'lint: github.com/oauth2-proxy/oauth2-proxy: vulnerable_at version 3.2.0+incompatible is not inside vulnerable range'
+ - 'lint: redundant non-advisory reference to GHSA-5m6c-jp6f-2vcv'
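Review bot: the description's `### Impact` heading has been folded into the sentence that follows it (`### Impact As users can provide ...`), turning the markdown heading into the start of a paragraph; the same happens to `### Patches` and `### Workarounds` in the Wings and geth golden files. The reflow should treat a line beginning with `#` as its own paragraph (or preserve the single newline after it) rather than joining it with the next line.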
diff --git a/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml b/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
new file mode 100644
index 0000000..2679e5d
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
@@ -0,0 +1,85 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/concourse/concourse
+ versions:
+ - introduced: 6.3.0
+ fixed: 6.3.1
+ vulnerable_at: 4.2.3+incompatible
+ - module: github.com/concourse/concourse
+ versions:
+ - introduced: 6.4.0
+ fixed: 6.4.1
+ vulnerable_at: 4.2.3+incompatible
+ - module: github.com/concourse/dex
+ versions:
+ - introduced: 6.3.0
+ fixed: 6.3.1
+ vulnerable_at: 1.8.0
+ - module: github.com/concourse/dex
+ versions:
+ - introduced: 6.4.0
+ fixed: 6.4.1
+ vulnerable_at: 1.8.0
+summary: |-
+ GitLab auth uses full name instead of username as user ID, allowing
+ impersonation
+description: |-
+ ### Impact
+
+ Installations which use the GitLab auth connector are vulnerable to identity
+ spoofing by way of configuring a GitLab account with the same full name as
+ another GitLab user who is granted access to a Concourse team by having their
+ full name listed under `users` in the team configuration or given to the
+ `--gitlab-user` flag.
+
+ See the [GitLab auth docs](https://concourse-ci.org/gitlab-auth.html) for
+ details.
+
+ Concourse installations which do not configure the GitLab auth connector are not
+ affected.
+
+ ### Patches
+
+ Concourse [v6.3.1](https://github.com/concourse/concourse/releases/tag/v6.3.1)
+ and [v6.4.1](https://github.com/concourse/concourse/releases/tag/v6.4.1) were
+ both released with a fix on August 4th, 2020.
+
+ Both versions change the GitLab connector to use the username, rather than the
+ full name. This was always the intent, and the previous behavior was originally
+ reported as a bug (concourse/dex#7) prior to being reported as a security issue.
+
+ Any Concourse teams which configure GitLab users will have to switch each user
+ from their full name to their username upon upgrading to these versions.
+
+ ### Workarounds
+
+ GitLab groups do not have this vulnerability, so GitLab users may be moved into
+ groups which are then configured in the Concourse team.
+
+ ### References
+
+ * concourse/dex#12: PR with the fix
+
+ ### For more information
+
+ If you have any questions or comments about this advisory, you may reach us
+ privately at
+ [concoursete...@gmail.com](mailto:concoursete...@gmail.com).
+cves:
+ - CVE-2020-5415
+ghsas:
+ - GHSA-627p-rr78-99rj
+references:
+ - web: https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-5415
+ - web: https://tanzu.vmware.com/security/cve-2020-5415
+notes:
+ - 'lint: github.com/concourse/concourse: bad version "6.3.0": github.com/concourse/conc...@v6.3.0: invalid version: should be v0 or v1, not v6'
+ - 'lint: github.com/concourse/concourse: bad version "6.4.0": github.com/concourse/conc...@v6.4.0: invalid version: should be v0 or v1, not v6'
+ - 'lint: github.com/concourse/concourse: vulnerable_at version 4.2.3+incompatible is not inside vulnerable range'
+ - 'lint: github.com/concourse/concourse: vulnerable_at version 4.2.3+incompatible is not inside vulnerable range'
+ - 'lint: github.com/concourse/dex: bad version "6.3.0": github.com/concourse/d...@v6.3.0: invalid version: should be v0 or v1, not v6'
+ - 'lint: github.com/concourse/dex: bad version "6.4.0": github.com/concourse/d...@v6.4.0: invalid version: should be v0 or v1, not v6'
+ - 'lint: github.com/concourse/dex: vulnerable_at version 1.8.0 is not inside vulnerable range'
+ - 'lint: github.com/concourse/dex: vulnerable_at version 1.8.0 is not inside vulnerable range'
+ - 'lint: redundant non-advisory reference to GHSA-627p-rr78-99rj'
diff --git a/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml b/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
new file mode 100644
index 0000000..3e69f08
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
@@ -0,0 +1,51 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/pterodactyl/wings
+ versions:
+ - fixed: 1.7.4
+ vulnerable_at: 1.7.3
+ - module: github.com/pterodactyl/wings
+ versions:
+ - introduced: 1.11.0
+ fixed: 1.11.4
+ vulnerable_at: 1.11.3
+summary: |-
+ Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in
+ deletion of files and directories on the host system
+description: |-
+ ### Impact
+
+ This vulnerability impacts anyone running the affected versions of Wings. The
+ vulnerability can be used to delete files and directories recursively on the
+ host system. This vulnerability can be combined with
+ [`GHSA-p8r3-83r8-jwj5`](https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5)
+ to overwrite files on the host system.
+
+ In order to use this exploit, an attacker must have an existing "server"
+ allocated and controlled by Wings. Information on how the exploitation of this
+ vulnerability works will be released on February 24th, 2023 in North America.
+
+ ### Patches
+
+ This vulnerability has been resolved in version `v1.11.4` of Wings, and has been
+ back-ported to the 1.7 release series in `v1.7.4`.
+
+ Anyone running `v1.11.x` should upgrade to `v1.11.4` and anyone running `v1.7.x`
+ should upgrade to `v1.7.4`.
+
+ ### Workarounds
+
+ None at this time.
+cves:
+ - CVE-2023-25168
+ghsas:
+ - GHSA-66p8-j459-rq63
+references:
+ - web: https://github.com/pterodactyl/wings/security/advisories/GHSA-66p8-j459-rq63
+ - web: https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-25168
+ - web: https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83d
+ - package: https://github.com/pterodactyl/wings
+notes:
+ - 'lint: redundant non-advisory reference to GHSA-66p8-j459-rq63'
+ - 'lint: summary is too long: 131 characters (max 100)'
diff --git a/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml b/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
new file mode 100644
index 0000000..f82ac24
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
@@ -0,0 +1,42 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/ethereum/go-ethereum
+ versions:
+ - introduced: 1.9.7
+ fixed: 1.9.17
+ vulnerable_at: 1.9.16
+ - module: github.com/ethereum/go-ethereum/core/vm
+ versions:
+ - fixed: 1.19.7
+summary: Shallow copy bug in geth
+description: |-
+ ### Impact This is a Consensus vulnerability, which can be used to cause a
+ chain-split where vulnerable nodes reject the canonical chain.
+
+ Geth’s pre-compiled `dataCopy` (at `0x00...04`) contract did a shallow copy on
+ invocation. An attacker could deploy a contract that
+
+ - writes `X` to an EVM memory region `R`,
+ - calls `0x00..04` with `R` as an argument,
+ - overwrites `R` to `Y`,
+ - and finally invokes the `RETURNDATACOPY` opcode.
+
+ When this contract is invoked, a consensus-compliant node would push `X` on the
+ EVM stack, whereas Geth would push `Y`.
+
+ ### For more information If you have any questions or comments about this
+ advisory:
+ * Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)
+ * Email us at [secu...@ethereum.org](mailto:secu...@ethereum.org)
+cves:
+ - CVE-2020-26241
+ghsas:
+ - GHSA-69v6-xc2j-r2jf
+references:
+ - web: https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-26241
+ - web: https://github.com/ethereum/go-ethereum/commit/295693759e5ded05fec0b2fb39359965b60da785
+ - web: https://blog.ethereum.org/2020/11/12/geth_security_release/
+notes:
+ - 'lint: github.com/ethereum/go-ethereum/core/vm: bad version "1.19.7": HTTP GET /github.com/ethereum/go-ethereum/core/vm/@v/v1.19.7.mod returned status 404 Not Found'
+ - 'lint: redundant non-advisory reference to GHSA-69v6-xc2j-r2jf'
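Review bot: `fixed: 1.19.7` on `github.com/ethereum/go-ethereum/core/vm` looks like a transposition of the `1.9.17` used for the main module, and lint only catches it because the package path 404s on the proxy; this is a data error carried over from the source and deserves a comment in the test data so nobody reads it as a conversion bug. The entry also shows a Go package path landing in `module` rather than its module root, which a later revision of ToReport should resolve.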
diff --git a/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml b/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
new file mode 100644
index 0000000..2bc87a3
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
@@ -0,0 +1,35 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp
+ versions:
+ - introduced: 1.13.10
+ fixed: 1.13.11
+ - module: github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp
+ versions:
+ - introduced: 1.14.6
+ fixed: 1.14.7
+ - module: github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp
+ versions:
+ - introduced: 1.15.3
+ fixed: 1.16.0
+summary: Symlink Attack
+description: |-
+ The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to
+ 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar
+ output of a malicious container to place a file outside of the destination
+ directory specified in the kubectl cp invocation. This could be used to allow an
+ attacker to place a nefarious file using a symlink, outside of the destination
+ tree.
+cves:
+ - CVE-2019-11251
+ghsas:
+ - GHSA-6qfg-8799-r575
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-11251
+ - web: https://github.com/kubernetes/kubernetes/issues/87773
+ - web: https://github.com/kubernetes/kubernetes/pull/82143
+ - web: https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ
+notes:
+ - 'lint: github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: bad version "1.13.10": HTTP GET /github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp/@v/v1.13.10.mod returned status 404 Not Found'
+ - 'lint: github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: bad version "1.14.6": HTTP GET /github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp/@v/v1.14.6.mod returned status 404 Not Found'
+ - 'lint: github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: bad version "1.15.3": HTTP GET /github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp/@v/v1.15.3.mod returned status 404 Not Found'
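Review bot: `github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp` is a package import path, not a module path, and ToReport copies it straight into `module`, so every range 404s against the proxy; resolving the OSV package name to its module root (and recording the package under `packages` once the translation is less literal) would make these entries lint clean. Note also that the source data disagrees with its own description: the third range is `fixed: 1.16.0` while the text says versions prior to 1.15.4 are affected.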
diff --git a/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml b/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
new file mode 100644
index 0000000..b7dc411
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
@@ -0,0 +1,33 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/pterodactyl/wings
+ versions:
+ - introduced: 1.2.0
+ fixed: 1.2.1
+ vulnerable_at: 1.2.0
+summary: |-
+ Unchecked hostname resolution could allow access to local network resources by
+ users outside the local network
+description: |-
+ ### Impact A newly implemented route allowing users to download files from
+ remote endpoints was not properly verifying the destination hostname for user
+ provided URLs. This would allow malicious users to potentially access resources
+ on local networks that would otherwise be inaccessible.
+
+ This vulnerability requires valid authentication credentials and is therefore
+ **not exploitable by unauthenticated users**. If you are running an instance for
+ yourself or other trusted individuals this impact is unlikely to be of major
+ concern to you. However, you should still upgrade for security sake.
+
+ ### Patches Users should upgrade to the latest version of Wings.
+
+ ### Workarounds There is no workaround available that does not involve modifying
+ Panel or Wings code.
+ghsas:
+ - GHSA-6rg3-8h8x-5xfv
+references:
+ - web: https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv
+ - package: https://github.com/pterodactyl/wings
+notes:
+ - 'lint: redundant non-advisory reference to GHSA-6rg3-8h8x-5xfv'
+ - 'lint: summary is too long: 110 characters (max 100)'
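Review bot: the description reflow has joined each markdown heading with the paragraph that follows it (`### Impact A newly implemented route ...`, `### Patches Users should upgrade ...`, `### Workarounds There is no workaround ...`), which turns the headings into paragraphs that begin with a literal `###`; the wrapper should treat a line starting with `#` as a hard line break and only wrap the text after it. Separately, the `web:` reference to `https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv` is the advisory whose ID is already under `ghsas:`, so dropping GHSA advisory URLs whose ID is listed there would avoid the 'redundant non-advisory reference' note rather than recording it in every fixture.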
diff --git a/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml b/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
new file mode 100644
index 0000000..01da9ec
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
@@ -0,0 +1,141 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - introduced: 0.4.0
+ fixed: 2.2.11
+ vulnerable_at: 1.8.7
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - introduced: 2.3.0
+ fixed: 2.3.6
+ vulnerable_at: 1.8.7
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - introduced: 2.4.0
+ fixed: 2.4.5
+ vulnerable_at: 1.8.7
+summary: Argo CD certificate verification is skipped for connections to OIDC providers
+description: |-
+ ### Impact
+
+ All versions of Argo CD starting with v0.4.0 are vulnerable to an improper
+ certificate validation bug which could cause Argo CD to trust a malicious (or
+ otherwise untrustworthy) OIDC provider.
+
+ (Note: external OIDC provider support was added in v0.11.0. Before that version,
+ the notes below apply only to the bundled Dex instance.)
+
+ You are impacted if 1) have SSO enabled and 2) insecure mode is _not_ enabled on
+ the API server. In this case, certificate verification is skipped when
+ connecting to your OIDC provider for the following tasks: verifying auth tokens
+ on API requests and handling SSO login flows. If you are using the bundled Dex
+ instance but have _not_ set the `--dex-server` flag on the API server to an
+ HTTPS address, then certificate verification is not being skipped (because [TLS
+ is not enabled by default for the bundled Dex
+ instance](https://github.com/argoproj/argo-cd/issues/9424)).
+
+ Argo CD sends requests to the configured OIDC provider (either the bundled Dex
+ instance or an external provider) to 1) retrieve the [OpenID
+ configuration](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig),
+ 2) to retrieve the OIDC provider's key set (at the location determined by the
+ [OIDC provider's configured
+ `jwks_uri`](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)),
+ and 3) (during an SSO login) to exchange an authorization code for a token.
+
+ (Note: Starting with v2.3.0, certificate verification is _not_ skipped when
+ handling an SSO login flow if 1) you are not using the bundled Dex OIDC provider
+ and 2) you have set `oidc.config.rootCA` in the `argocd-cm` ConfigMap.
+ Certificate verification is still skipped when verifying tokens on API calls.)
+
+ Skipping certificate verification when communicating with the OIDC provider
+ opens Argo CD to a variety of risks. For example, if an attacker can
+ successfully intercept, decrypt, and respond to requests bound for the
+ configured OIDC provider (a machine-in-the-middle attack), they could
+ theoretically issue a "valid" admin token. Verifying the OIDC provider's
+ certificate provides an extra layer of protection against such an attack.
+
+ ### Patches
+
+ A patch for this vulnerability has been released in the following Argo CD
+ versions:
+
+ * v2.4.5
+ * v2.3.6
+ * v2.2.11
+
+ **Note:**
+
+ To preserve backwards compatibility, this patch adds a
+ `oidc.tls.insecure.skip.verify` option to the `argocd-cm` ConfigMap. The default
+ is `"false"`. Before resorting to setting this, you should try to get
+ certificate verification to work. If you are using the bundled Dex instance,
+ user your Argo CD API server's [TLS
+ configuration](https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/)
+ since the API server acts as a reverse proxy to Dex. If you are using an
+ external OIDC provider, [set the `rootCA`
+ config](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuring-a-custom-root-ca-certificate-for-communicating-with-the-oidc-provider).
+
+ If these fail, be sure you are aware of the risks before setting
+ `oidc.tls.insecure.skip.verify: "true"`.
+
+ ### Workarounds
+
+ There is no complete workaround besides upgrading.
+
+ #### Partial mitigation when using an external OIDC provider
+
+ If you are using an external OIDC provider (not the bundled Dex instance), then
+ you can mitigate the issue by setting the `oidc.config.rootCA` field in the
+ `argocd-cm` ConfigMap. If your OIDC provider's certificate is self-signed or
+ otherwise invalid, you must set the rootCA to a certificate that enables
+ verification. If the OIDC provider's certificate passes _without_ an additional
+ root CA, then you can set `oidc.config.rootCA` to a bogus non-empty string such
+ as `"force cert verification"`. The API server will log a warning, but otherwise
+ things should work fine.
+
+ Example:
+
+ ```yaml metadata: name: argocd-cm data: oidc.config: | ... rootCA: | force cert
+ verification ```
+
+ This mitigation _only_ forces certificate validation when the API server handles
+ login flows. It does not force certificate verification when verifying tokens on
+ API calls. To fully resolve the vulnerability, you must upgrade.
+
+ ### References
+
+ * [Argo CD SSO configuration
+ documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sso)
+
+ ### Credits
+
+ @jannfis and @crenshaw-dev discovered the vulnerability when reviewing notes
+ from ADA Logics' security audit of the Argo project sponsored by CNCF and
+ facilitated by OSTIF. Thanks to Adam Korczynski and David Korczynski for their
+ work on the audit.
+
+ ### For more information
+
+ * Open an issue in [the Argo CD issue
+ tracker](https://github.com/argoproj/argo-cd/issues) or
+ [discussions](https://github.com/argoproj/argo-cd/discussions)
+ * Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel
+ #argo-cd
+cves:
+ - CVE-2022-31105
+ghsas:
+ - GHSA-7943-82jg-wmw5
+references:
+ - web: https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31105
+ - package: https://github.com/argoproj/argo-cd
+ - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.6
+ - web: https://github.com/argoproj/argo-cd/releases/tag/v2.4.5
+notes:
+ - 'lint: github.com/argoproj/argo-cd: bad version "2.2.11": github.com/argoproj/arg...@v2.2.11: invalid version: should be v0 or v1, not v2'
+ - 'lint: github.com/argoproj/argo-cd: bad version "2.3.0": github.com/argoproj/arg...@v2.3.0: invalid version: should be v0 or v1, not v2'
+ - 'lint: github.com/argoproj/argo-cd: bad version "2.4.0": github.com/argoproj/arg...@v2.4.0: invalid version: should be v0 or v1, not v2'
+ - 'lint: github.com/argoproj/argo-cd: vulnerable_at version 1.8.7 is not inside vulnerable range'
+ - 'lint: github.com/argoproj/argo-cd: vulnerable_at version 1.8.7 is not inside vulnerable range'
+ - 'lint: redundant non-advisory reference to GHSA-7943-82jg-wmw5'
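Review bot: the three `module: github.com/argoproj/argo-cd` entries at the top of this hunk are one module split into one entry per OSV range; they should be merged into a single module entry with three `introduced`/`fixed` pairs under `versions:`, which also removes the repeated `vulnerable_at` and the lint note `vulnerable_at version 1.8.7 is not inside vulnerable range` that is written twice for one value. The picked `vulnerable_at: 1.8.7` lies only inside the first range (0.4.0 to 2.2.11), so with several ranges the picker should choose a version inside each range, or inside the last one, instead of one value for all. The reflow has also flattened the fenced yaml example into the two lines starting `metadata: name: argocd-cm data: oidc.config: | ... rootCA: | force cert` and `verification`, which is no longer valid markdown or YAML; text between code fences should be copied through without wrapping.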
diff --git a/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
new file mode 100644
index 0000000..8d27143
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
@@ -0,0 +1,29 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/pingcap/tidb
+ vulnerable_at: 1.0.9
+ - module: github.com/pingcap/tidb
+ versions:
+ - introduced: 6.2.0
+ vulnerable_at: 1.0.9
+summary: TiDB vulnerable to Use of Externally-Controlled Format String
+description: |-
+ TiDB server (importer CLI tool) prior to version 6.4.0 & 6.1.3 is vulnerable to
+ data source name injection. The database name for generating and inserting data
+ into a database does not properly sanitize user input which can lead to
+ arbitrary file reads."
+cves:
+ - CVE-2022-3023
+ghsas:
+ - GHSA-7fxj-fr3v-r9gj
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-3023
+ - web: https://github.com/pingcap/tidb/commit/d0376379d615cc8f263a0b17c031ce403c8dcbfb
+ - web: https://advisory.dw1.io/45
+ - package: https://github.com/pingcap/tidb
+ - web: https://huntr.dev/bounties/120f1346-e958-49d0-b66c-0f889a469540
+notes:
+ - 'create: unsupported version range event models.Event{Introduced:"", Fixed:"", LastAffected:"6.1.2", Limit:""}'
+ - 'create: unsupported version range event models.Event{Introduced:"", Fixed:"", LastAffected:"6.4.0-alpha1", Limit:""}'
+ - 'lint: github.com/pingcap/tidb: bad version "6.2.0": github.com/pingcap/ti...@v6.2.0: invalid version: should be v0 or v1, not v6'
+ - 'lint: github.com/pingcap/tidb: vulnerable_at version 1.0.9 is not inside vulnerable range'
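Review bot: the first `module: github.com/pingcap/tidb` entry in this hunk has no `versions:` at all, because the two `LastAffected` events were rejected as unsupported (the two `create:` notes), and a module entry without versions is read as every version being affected, which is wider than the description's 'prior to version 6.4.0 & 6.1.3'. Dropping an unsupported event must not silently broaden the range: either fail the conversion for that module, or keep the `introduced` event and carry the `last_affected` value into the note so a human can supply `fixed:`. The second entry shows the other half of the problem, an `introduced: 6.2.0` left open-ended once its `last_affected: 6.4.0-alpha1` partner was discarded.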
diff --git a/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml b/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
new file mode 100644
index 0000000..e8e4c1d
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
@@ -0,0 +1,32 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/concourse/concourse/skymarshal/skyserver
+ versions:
+ - fixed: 5.2.8
+ - module: github.com/concourse/concourse/skymarshal/skyserver
+ versions:
+ - introduced: 5.3.0
+ fixed: 5.5.10
+ - module: github.com/concourse/concourse/skymarshal/skyserver
+ versions:
+ - introduced: 5.6.0
+ fixed: 5.8.1
+summary: Open Redirect
+description: |-
+ Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows
+ redirects to untrusted websites. A remote unauthenticated attacker could
+ convince a user to click on a link using the oAuth redirect link with an
+ untrusted website and gain access to that user's access token in Concourse.
+cves:
+ - CVE-2018-15798
+ghsas:
+ - GHSA-9689-rx4v-cqgc
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2018-15798
+ - web: https://github.com/concourse/concourse/pull/5350/commits/38cb4cc025e5ed28764b4adc363a0bbf41f3c7cb
+ - web: https://github.com/concourse/concourse/blob/release/5.2.x/release-notes/v5.2.8.md
+ - web: https://pivotal.io/security/cve-2018-15798
+notes:
+ - 'lint: github.com/concourse/concourse/skymarshal/skyserver: bad version "5.2.8": github.com/concourse/concourse/skymarshal/skys...@v5.2.8: invalid version: should be v0 or v1, not v5'
+ - 'lint: github.com/concourse/concourse/skymarshal/skyserver: bad version "5.3.0": github.com/concourse/concourse/skymarshal/skys...@v5.3.0: invalid version: should be v0 or v1, not v5'
+ - 'lint: github.com/concourse/concourse/skymarshal/skyserver: bad version "5.6.0": github.com/concourse/concourse/skymarshal/skys...@v5.6.0: invalid version: should be v0 or v1, not v5'
diff --git a/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml b/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
new file mode 100644
index 0000000..20812d2
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
@@ -0,0 +1,25 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/drakkan/sftpgo
+ versions:
+ - fixed: 2.3.5
+ vulnerable_at: 1.2.2
+summary: SFTPGo WebClient vulnerable to Cross-site Scripting
+description: |-
+ ### Impact Cross-site scripting (XSS) vulnerabilities have been reported to
+ affect SFTPGo WebClient. If exploited, this vulnerability allows remote
+ attackers to inject malicious code.
+
+ ### Patches Fixed in v2.3.5.
+cves:
+ - CVE-2022-39220
+ghsas:
+ - GHSA-cf7g-cm7q-rq7f
+references:
+ - web: https://github.com/drakkan/sftpgo/security/advisories/GHSA-cf7g-cm7q-rq7f
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39220
+ - web: https://github.com/drakkan/sftpgo/commit/cbef217cfa92478ee8e00ba1a5fb074f8a8aeee0
+ - package: https://github.com/drakkan/sftpgo
+notes:
+ - 'lint: github.com/drakkan/sftpgo: bad version "2.3.5": github.com/drakkan/sft...@v2.3.5: invalid version: should be v0 or v1, not v2'
+ - 'lint: redundant non-advisory reference to GHSA-cf7g-cm7q-rq7f'
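Review bot: the `fixed: 2.3.5` failure (`invalid version: should be v0 or v1, not v2`) is the semantic-import-versioning rule: a module that follows it carries a `/v2` suffix in its path for v2+ tags, so when the proxy rejects a vN tag on the bare path the converter could retry against `<module>/vN` and record the suffixed path when that resolves. The same note appears for argo-cd, tidb, concourse, grafana and personnummer/go in this change, which makes it the most common failure in the fixtures; for a project that does not use the suffix (grafana's `+incompatible` tag is the signal), keeping the note is the right fallback.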
diff --git a/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml b/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml
new file mode 100644
index 0000000..b493c7b
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml
@@ -0,0 +1,37 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/pomerium/pomerium
+ versions:
+ - introduced: 0.10.0
+ fixed: 0.13.4
+ vulnerable_at: 0.13.3
+ - module: github.com/pomerium/pomerium/authenticate
+ versions:
+ - introduced: 0.10.0
+ fixed: 0.13.4
+summary: pomerium_signature is not verified in middleware in github.com/pomerium/pomerium
+description: |-
+ ### Impact Some API endpoints under /.pomerium/ do not verify parameters with
+ pomerium_signature. This could allow modifying parameters intended to be trusted
+ to Pomerium.
+
+ The issue mainly affects routes responsible for sign in/out, but does not
+ introduce an authentication bypass.
+
+ ### Patches Patched in v0.13.4
+
+ ### For more information If you have any questions or comments about this
+ advisory
+ * Open an issue in [pomerium](http://github.com/pomerium/pomerium)
+ * Email us at [secu...@pomerium.com](mailto:secu...@pomerium.com)
+cves:
+ - CVE-2021-29652
+ghsas:
+ - GHSA-fv82-r8qv-ch4v
+references:
+ - web: https://github.com/pomerium/pomerium/security/advisories/GHSA-fv82-r8qv-ch4v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-29652
+ - web: https://github.com/pomerium/pomerium/pull/2048
+notes:
+ - 'lint: github.com/pomerium/pomerium/authenticate: bad version "0.10.0": HTTP GET /github.com/pomerium/pomerium/authenticate/@v/v0.10.0.mod returned status 404 Not Found'
+ - 'lint: redundant non-advisory reference to GHSA-fv82-r8qv-ch4v'
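Review bot: the second entry, `module: github.com/pomerium/pomerium/authenticate`, is a package inside the first entry's module (the proxy has no `.mod` for it, per the lint note), carries the same range, and has no `vulnerable_at`; the converter should fold it into the `github.com/pomerium/pomerium` entry as an affected package instead of emitting a second module. The line `### For more information If you have any questions or comments about this` shows the heading-joining reflow again, and here it also separates the heading from the bullet list that belongs under it.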
diff --git a/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml b/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
new file mode 100644
index 0000000..948a038
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
@@ -0,0 +1,27 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/cloudflare/cfrpki/cmd/octorpki
+ versions:
+ - fixed: 1.4.0
+summary: Infinite certificate chain depth results in OctoRPKI running forever
+description: |-
+ OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to
+ create children in an ad-hoc fashion, thereby making tree traversal never end.
+
+ ## Patches
+
+ ## For more information If you have any questions or comments about this
+ advisory email us at secu...@cloudflare.com
+cves:
+ - CVE-2021-3908
+ghsas:
+ - GHSA-g5gj-9ggf-9vmq
+references:
+ - web: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3908
+ - package: https://github.com/cloudflare/cfrpki
+ - web: https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0
+ - web: https://www.debian.org/security/2022/dsa-5041
+notes:
+ - 'lint: github.com/cloudflare/cfrpki/cmd/octorpki: bad version "1.4.0": HTTP GET /github.com/cloudflare/cfrpki/cmd/octorpki/@v/v1.4.0.mod returned status 404 Not Found'
+ - 'lint: redundant non-advisory reference to GHSA-g5gj-9ggf-9vmq'
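Review bot: `module: github.com/cloudflare/cfrpki/cmd/octorpki` is a `cmd/` package of the `github.com/cloudflare/cfrpki` module (the next fixture, GHSA-g9wh-3vrx-r7hg, uses the module path for the same project), so the lint 404 on its `.mod` file is expected; resolving the package to its module would make both cfrpki fixtures agree on one module path and would let `vulnerable_at`, missing here but present in the other fixture, be computed.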
diff --git a/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml b/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
new file mode 100644
index 0000000..d955628
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
@@ -0,0 +1,30 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/cloudflare/cfrpki
+ versions:
+ - fixed: 1.4.0
+ vulnerable_at: 1.3.0
+summary: OctoRPKI crashes when processing GZIP bomb returned via malicious repository
+description: |-
+ OctoRPKI tries to load the entire contents of a repository in memory, and in the
+ case of a GZIP bomb, unzip it in memory, making it possible to create a
+ repository that makes OctoRPKI run out of memory (and thus crash).
+
+ ## Patches
+
+ ## For more information If you have any questions or comments about this
+ advisory email us at secu...@cloudflare.com
+cves:
+ - CVE-2021-3912
+ghsas:
+ - GHSA-g9wh-3vrx-r7hg
+references:
+ - web: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3912
+ - web: https://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad
+ - web: https://pkg.go.dev/vuln/GO-2022-0253
+ - web: https://www.debian.org/security/2022/dsa-5041
+ - package: github.com/cloudflare/cfrpki
+notes:
+ - 'lint: "github.com/cloudflare/cfrpki" is not a valid URL'
+ - 'lint: redundant non-advisory reference to GHSA-g9wh-3vrx-r7hg'
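Review bot: the `package: github.com/cloudflare/cfrpki` reference is the OSV PACKAGE reference copied through although it is an import path rather than a URL (the lint note flags it); since the module is already under `modules:`, a PACKAGE reference that does not parse as a URL should be dropped instead of emitted. The `web: https://pkg.go.dev/vuln/GO-2022-0253` reference also tells us this GHSA already has a Go report, so ToReport or its caller could detect `pkg.go.dev/vuln/GO-` references and flag the result as a likely duplicate rather than minting a new report; the containerd fixture (GO-2023-1574) shows the same situation.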
diff --git a/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml b/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
new file mode 100644
index 0000000..5c48f35
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
@@ -0,0 +1,46 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/grafana/grafana
+ versions:
+ - introduced: 8.1.0
+ fixed: 8.5.21
+ vulnerable_at: 6.1.6+incompatible
+ - module: github.com/grafana/grafana
+ versions:
+ - introduced: 9.0.0
+ fixed: 9.2.13
+ vulnerable_at: 6.1.6+incompatible
+ - module: github.com/grafana/grafana
+ versions:
+ - introduced: 9.3.0
+ fixed: 9.3.8
+ vulnerable_at: 6.1.6+incompatible
+summary: Grafana vulnerable to Cross-site Scripting
+description: |-
+ Grafana is an open-source platform for monitoring and observability. Starting
+ with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core
+ plugin GeoMap. The stored XSS vulnerability was possible due to map attributions
+ weren't properly sanitized and allowed arbitrary JavaScript to be executed in
+ the context of the currently authorized user of the Grafana instance. An
+ attacker needs to have the Editor role in order to change a panel to include a
+ map attribution containing JavaScript. This means that vertical privilege
+ escalation is possible, where a user with Editor role can change to a known
+ password for a user having Admin role if the user with Admin role executes
+ malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21,
+ 9.2.13 and 9.3.8 to receive a fix.
+cves:
+ - CVE-2023-0507
+ghsas:
+ - GHSA-hjv9-hm2f-rpcj
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0507
+ - package: https://github.com/grafana/grafana
+ - web: https://grafana.com/security/security-advisories/cve-2023-0507/
+ - web: https://security.netapp.com/advisory/ntap-20230413-0001/
+notes:
+ - 'lint: github.com/grafana/grafana: bad version "8.1.0": github.com/grafana/gra...@v8.1.0: invalid version: should be v0 or v1, not v8'
+ - 'lint: github.com/grafana/grafana: bad version "9.0.0": github.com/grafana/gra...@v9.0.0: invalid version: should be v0 or v1, not v9'
+ - 'lint: github.com/grafana/grafana: bad version "9.3.0": github.com/grafana/gra...@v9.3.0: invalid version: should be v0 or v1, not v9'
+ - 'lint: github.com/grafana/grafana: vulnerable_at version 6.1.6+incompatible is not inside vulnerable range'
+ - 'lint: github.com/grafana/grafana: vulnerable_at version 6.1.6+incompatible is not inside vulnerable range'
+ - 'lint: github.com/grafana/grafana: vulnerable_at version 6.1.6+incompatible is not inside vulnerable range'
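Review bot: `vulnerable_at: 6.1.6+incompatible` is outside all three ranges (8.1.0 to 8.5.21, 9.0.0 to 9.2.13, 9.3.0 to 9.3.8) and is repeated in every entry with an identical lint note three times, which suggests the picker takes the latest version the proxy resolves for the bare path rather than one inside [introduced, fixed). When no resolvable version lies in the range it is better to omit `vulnerable_at` and record one note than to emit a version that contradicts the ranges, and identical notes should be de-duplicated before being written.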
diff --git a/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml b/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml
new file mode 100644
index 0000000..cff82fe
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml
@@ -0,0 +1,80 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/containerd/containerd
+ versions:
+ - fixed: 1.5.18
+ vulnerable_at: 1.5.17
+ - module: github.com/containerd/containerd
+ versions:
+ - introduced: 1.6.0
+ fixed: 1.6.18
+ vulnerable_at: 1.6.17
+summary: Supplementary groups are not set up properly in github.com/containerd/containerd
+description: |-
+ ### Impact
+
+ A bug was found in containerd where supplementary groups are not set up properly
+ inside a container. If an attacker has direct access to a container and
+ manipulates their supplementary group access, they may be able to use
+ supplementary group access to bypass primary group restrictions in some cases,
+ potentially gaining access to sensitive information or gaining the ability to
+ execute code in that container.
+
+ Downstream applications that use the containerd client library may be affected
+ as well.
+
+ ### Patches This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users
+ should update to these versions and recreate containers to resolve this issue.
+ Users who rely on a downstream application that uses containerd's client library
+ should check that application for a separate advisory and instructions.
+
+ ### Workarounds
+
+ Ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead,
+ set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-",
+ "user"]` to allow `su` to properly set up supplementary groups.
+
+ ### References
+
+ -
+ https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
+ - Docker/Moby: CVE-2022-36109, fixed in Docker 20.10.18
+ - CRI-O: CVE-2022-2995, fixed in CRI-O 1.25.0
+ - Podman: CVE-2022-2989, fixed in Podman 3.0.1 and 4.2.0
+ - Buildah: CVE-2022-2990, fixed in Buildah 1.27.1
+
+ Note that CVE IDs apply to a particular implementation, even if an issue is
+ common.
+
+ ### For more information
+
+ If you have any questions or comments about this advisory:
+
+ * Open an issue in
+ [containerd](https://github.com/containerd/containerd/issues/new/choose)
+ * Email us at [secu...@containerd.io](mailto:secu...@containerd.io)
+
+ To report a security issue in containerd:
+ * [Report a new
+ vulnerability](https://github.com/containerd/containerd/security/advisories/new)
+ * Email us at [secu...@containerd.io](mailto:secu...@containerd.io)
+cves:
+ - CVE-2023-25173
+ghsas:
+ - GHSA-hmfx-3pcx-653p
+references:
+ - web: https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p
+ - web: https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-25173
+ - web: https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a
+ - advisory: https://github.com/advisories/GHSA-4wjj-jwc9-2x96
+ - advisory: https://github.com/advisories/GHSA-fjm8-m7m6-2fjp
+ - advisory: https://github.com/advisories/GHSA-phjr-8j92-w5v7
+ - package: https://github.com/containerd/containerd
+ - web: https://github.com/containerd/containerd/releases/tag/v1.5.18
+ - web: https://github.com/containerd/containerd/releases/tag/v1.6.18
+ - web: https://pkg.go.dev/vuln/GO-2023-1574
+ - web: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
+notes:
+ - 'lint: redundant non-advisory reference to GHSA-hmfx-3pcx-653p'
+ - 'lint: references should contain at most one advisory link'
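Review bot: the reference list carries four `advisory:` entries (NVD plus three `github.com/advisories/GHSA-...` links), which is what triggers 'references should contain at most one advisory link'; the converter should keep the NVD/CVE link as the advisory and demote or drop GHSA links whose IDs are not in `ghsas:` (the description's References section shows these three cover Moby, CRI-O and Podman rather than containerd). In the description the reflow has also left a bare `-` on its own line with the benthamsgaze URL on the next, so a long URL following a list marker should be kept on the marker's line even when it exceeds the wrap width.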
diff --git a/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml b/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
new file mode 100644
index 0000000..c3b422c
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
@@ -0,0 +1,59 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/personnummer/go
+ versions:
+ - fixed: 3.0.1
+ vulnerable_at: 1.1.0
+summary: personnummer/go vulnerable to Improper Input Validation
+description: |-
+ This vulnerability was reported to the personnummer team in June 2020. The slow
+ response was due to locked ownership of some of the affected packages, which
+ caused delays to update packages prior to disclosure.
+
+ The vulnerability is determined to be low severity.
+
+ ### Impact
+
+ This vulnerability impacts users who rely on the for last digits of personnummer
+ to be a _real_ personnummer.
+
+ ### Patches
+
+ The issue have been patched in all repositories. The following versions should
+ be updated to as soon as possible:
+
+ [C#](https://github.com/advisories/GHSA-qv8q-v995-72gr) 3.0.2 D 3.0.1
+ [Dart](https://github.com/advisories/GHSA-4xh4-v2pq-jvhm) 3.0.3 Elixir 3.0.0
+ [Go](https://github.com/advisories/GHSA-hv53-vf5m-8q94) 3.0.1
+ [Java](https://github.com/advisories/GHSA-q3vw-4jx3-rrr2) 3.3.0
+ [JavaScript](https://github.com/advisories/GHSA-vpgc-7h78-gx8f) 3.1.0 Kotlin
+ 1.1.0 Lua 3.0.1 [PHP](https://github.com/advisories/GHSA-2p6g-gjp8-ggg9) 3.0.2
+ Perl 3.0.0 [Python](https://github.com/advisories/GHSA-rxq3-5249-8hgg) 3.0.2
+ [Ruby](https://github.com/advisories/GHSA-vp9c-fpxx-744v) 3.0.1
+ [Rust](https://github.com/advisories/GHSA-28r9-pq4c-wp3c) 3.0.0 Scala 3.0.1
+ Swift 1.0.1
+
+ If you are using any of the earlier packages, please update to latest.
+
+ ### Workarounds
+
+ The issue arrieses from the regular expression allowing the first three digits
+ in the last four digits of the personnummer to be 000, which is invalid. To
+ mitigate this without upgrading, a check on the last four digits can be made to
+ make sure it's not 000x.
+
+ ### For more information
+
+ If you have any questions or comments about this advisory:
+ * Open an issue in [Personnummer
+ Meta](https://github.com/personnummer/meta/issues)
+ * Email us at [Personnummer Email](mailto:secu...@personnummer.dev)
+ghsas:
+ - GHSA-hv53-vf5m-8q94
+references:
+ - web: https://github.com/personnummer/go/security/advisories/GHSA-hv53-vf5m-8q94
+ - package: https://github.com/personnummer/go/
+ - web: https://pkg.go.dev/github.com/personnummer/go
+notes:
+ - 'lint: github.com/personnummer/go: bad version "3.0.1": github.com/personnummer/g...@v3.0.1: invalid version: should be v0 or v1, not v3'
+ - 'lint: redundant non-advisory reference to GHSA-hv53-vf5m-8q94'
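Review bot: the patched-versions block (`[C#](...) 3.0.2 D 3.0.1 [Dart](...) 3.0.3 Elixir 3.0.0 ...`) appears to have been one line per language in the source and has been run together into a single paragraph by the reflow, so the language/version pairs are no longer separable; the wrapper should only break lines that exceed the width and keep the source's existing newlines instead of re-flowing every paragraph. This fixture also has no `cves:` list, which is correct for a GHSA without a CVE, but report_test should cover that the field is omitted rather than written empty.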
diff --git a/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml b/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
new file mode 100644
index 0000000..1fbebce
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
@@ -0,0 +1,48 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/kubernetes/kubernetes
+ versions:
+ - introduced: 1.22.0
+ fixed: 1.22.16
+ vulnerable_at: 1.22.16-rc.0
+ - module: github.com/kubernetes/kubernetes
+ versions:
+ - introduced: 1.23.0
+ fixed: 1.23.14
+ vulnerable_at: 1.23.14-rc.0
+ - module: github.com/kubernetes/kubernetes
+ versions:
+ - introduced: 1.24.0
+ fixed: 1.24.8
+ vulnerable_at: 1.24.8-rc.0
+ - module: github.com/kubernetes/kubernetes
+ versions:
+ - introduced: 1.25.0
+ fixed: 1.25.4
+ vulnerable_at: 1.25.4-rc.0
+summary: Kubernetes vulnerable to validation bypass
+description: |-
+ Users may have access to secure endpoints in the control plane network.
+ Kubernetes clusters are only affected if an untrusted user can modify Node
+ objects and send proxy requests to them. Kubernetes supports node proxying,
+ which allows clients of kube-apiserver to access endpoints of a Kubelet to
+ establish connections to Pods, retrieve container logs, and more. While
+ Kubernetes already validates the proxying address for Nodes, a bug in
+ kube-apiserver made it possible to bypass this validation. Bypassing this
+ validation could allow authenticated requests destined for Nodes to to the API
+ server's private network.
+cves:
+ - CVE-2022-3294
+ghsas:
+ - GHSA-jh36-q97c-9928
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-3294
+ - web: https://github.com/kubernetes/kubernetes/issues/113757
+ - package: https://github.com/kubernetes/kubernetes
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA
+ - web: https://security.netapp.com/advisory/ntap-20230505-0007/
+notes:
+ - 'lint: github.com/kubernetes/kubernetes: bad version "1.22.0": non-canonical path "github.com/kubernetes/kubernetes" (expected "k8s.io/kubernetes")'
+ - 'lint: github.com/kubernetes/kubernetes: bad version "1.23.0": non-canonical path "github.com/kubernetes/kubernetes" (expected "k8s.io/kubernetes")'
+ - 'lint: github.com/kubernetes/kubernetes: bad version "1.24.0": non-canonical path "github.com/kubernetes/kubernetes" (expected "k8s.io/kubernetes")'
+ - 'lint: github.com/kubernetes/kubernetes: bad version "1.25.0": non-canonical path "github.com/kubernetes/kubernetes" (expected "k8s.io/kubernetes")'
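Review bot: the four lint notes name the canonical module path (`expected "k8s.io/kubernetes"`), so the converter can act on that hint: when the proxy reports a non-canonical path, rewrite `module:` to the canonical one and re-run the version check instead of leaving four entries the lint rejects every time. Separately, each `vulnerable_at` is the `-rc.0` pre-release of its `fixed:` version (`1.22.16-rc.0` for `fixed: 1.22.16`, and so on); a release-candidate tag of the fixed version may or may not already contain the fix, so the picker should prefer the last stable release below `fixed:` and fall back to pre-releases only when no stable version exists in the range. The four entries should also be one module with four ranges.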
diff --git a/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml b/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
new file mode 100644
index 0000000..9cf984d
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
@@ -0,0 +1,67 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/mutagen-io/mutagen
+ versions:
+ - fixed: 0.16.6
+ vulnerable_at: 0.16.5
+ - module: github.com/mutagen-io/mutagen
+ versions:
+ - introduced: 0.17.0
+ fixed: 0.17.1
+ vulnerable_at: 0.17.0
+ - module: github.com/mutagen-io/mutagen-compose
+ versions:
+ - fixed: 0.17.1
+ vulnerable_at: 0.17.0
+summary: |-
+ Mutagen list and monitor operations do not neutralize control characters in text
+ controlled by remote endpoints
+description: |-
+ ### Impact
+
+ Mutagen command line operations, as well as the log output from `mutagen daemon
+ run`, are susceptible to control characters that could be provided by remote
+ endpoints. This can cause terminal corruption, either intentional or
+ unintentional, if these characters are present in error messages, file
+ paths/names, and/or log output. This could be used as an attack vector if
+ synchronizing with an untrusted remote endpoint, synchronizing files not under
+ control of the user, or forwarding to/from an untrusted remote endpoint. On very
+ old systems with terminals susceptible to issues such as
+ [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069), the issue could
+ theoretically cause code execution.
+
+ ### Patches
+
+ The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of
+ Mutagen are no longer supported and will not be patched. Versions of Mutagen
+ after v0.18.0 will also have the patch merged.
+
+ One caveat is that the templating functionality of Mutagen's `list` and
+ `monitor` commands has been only partially patched. In particular, the `json`
+ template function already provided escaping and no patching was necessary.
+ However, raw template output has been left unescaped because this raw output may
+ be necessary for commands which embed Mutagen. To aid these commands, a new
+ `shellSanitize` template function has been added which provides control
+ character neutralization in strings.
+
+ ### Workarounds
+
+ Avoiding synchronization of untrusted files or interaction with untrusted remote
+ endpoints should mitigate any risk.
+
+ ### References
+
+ A similar issue can be seen in kubernetes/kubernetes#101695.
+cves:
+ - CVE-2023-30844
+ghsas:
+ - GHSA-jmp2-wc4p-wfh2
+references:
+ - web: https://github.com/mutagen-io/mutagen/security/advisories/GHSA-jmp2-wc4p-wfh2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-30844
+ - package: https://github.com/mutagen-io/mutagen
+ - web: https://github.com/mutagen-io/mutagen/releases/tag/v0.16.6
+ - web: https://github.com/mutagen-io/mutagen/releases/tag/v0.17.1
+notes:
+ - 'lint: redundant non-advisory reference to GHSA-jmp2-wc4p-wfh2'
+ - 'lint: summary is too long: 111 characters (max 100)'
diff --git a/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml b/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
new file mode 100644
index 0000000..bf8d81d
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
@@ -0,0 +1,72 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/cilium/cilium
+ versions:
+ - introduced: 1.7.0
+ vulnerable_at: 1.14.0
+ - module: github.com/cilium/cilium
+ versions:
+ - introduced: 1.11.0
+ fixed: 1.11.16
+ vulnerable_at: 1.11.15
+ - module: github.com/cilium/cilium
+ versions:
+ - introduced: 1.12.0
+ fixed: 1.12.9
+ vulnerable_at: 1.12.8
+ - module: github.com/cilium/cilium
+ versions:
+ - introduced: 1.13.0
+ fixed: 1.13.2
+ vulnerable_at: 1.13.1
+summary: Debug mode leaks confidential data in Cilium
+description: |-
+ ### Impact
+
+ When run in debug mode, Cilium may log sensitive information.
+
+ In particular, Cilium running in debug mode will log the values of headers if
+ they match HTTP network policy rules. This issue affects Cilium versions:
+
+ - 1.7.* to 1.10.* inclusive
+ - 1.11.* before 1.11.16
+ - 1.12.* before 1.12.9
+ - 1.13.* before 1.13.2
+
+ In addition, Cilium 1.12.* before 1.12.9 and 1.13.* before 1.13.2., when running
+ in debug mode, might log secrets used by the Cilium agent. This includes TLS
+ private keys for Ingress and GatewayAPI resources, depending on the
+ configuration of the affected cluster. Output of the confidential data would
+ occur at Cilium agent restart, when the secrets are modified, and on creation of
+ Ingress or GatewayAPI resources.
+
+ ### Patches
+
+ This vulnerability is fixed in Cilium releases 1.11.16, 1.12.9, and 1.13.2.
+
+ ### Workarounds Disable debug mode.
+
+ ### Acknowledgements The Cilium community has worked together with members of
+ Isovalent to prepare these mitigations. Special thanks to @meyskens for
+ investigating and fixing the issue.
+
+ ### For more information If you have any questions or comments about this
+ advisory, please reach out on
+ [Slack](https://docs.cilium.io/en/latest/community/community/#slack).
+
+ As usual, if you think you found a related vulnerability, we strongly encourage
+ you to report security vulnerabilities to our private security mailing list:
+ [secu...@cilium.io](mailto:secu...@cilium.io) - first, before disclosing them
+ in any public forums. This is a private mailing list where only members of the
+ Cilium internal security team are subscribed to, and is treated as top priority.
+cves:
+ - CVE-2023-29002
+ghsas:
+ - GHSA-pg5p-wwp8-97g8
+references:
+ - web: https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-29002
+ - package: https://github.com/cilium/cilium
+notes:
+ - 'create: unsupported version range event models.Event{Introduced:"", Fixed:"", LastAffected:"1.10.0", Limit:""}'
+ - 'lint: redundant non-advisory reference to GHSA-pg5p-wwp8-97g8'
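Review bot: the first module entry at `- introduced: 1.7.0` has no `fixed` and is given `vulnerable_at: 1.14.0`, so the report claims every Cilium release from 1.7.0 onward is affected, contradicting the description's `1.7.* to 1.10.* inclusive` and the `fixed: 1.13.2` range further down. The cause is in the notes: `create: unsupported version range event ... LastAffected:"1.10.0"` was dropped, which left the `introduced` event open-ended. Dropping an upper bound must not widen the range silently; when a `last_affected` event cannot be represented, ToReport should skip the whole range (keeping the note) or leave `vulnerable_at` unset for it so the open range is obviously unreviewed. Separately, the four `- module: github.com/cilium/cilium` entries would be better collected into one module with four ranges, which is the shape `FixVersions` (per its comment in fix.go, it sorts and collects version ranges within a module) is designed to work on.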
diff --git a/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml b/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
new file mode 100644
index 0000000..6c37cbe
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
@@ -0,0 +1,73 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/sylabs/singularity
+ versions:
+ - introduced: 3.0.0
+ fixed: 3.6.0
+ vulnerable_at: 3.1.1+incompatible
+summary: Execution Control List (ECL) Is Insecure in Singularity
+description: |-
+ ### Impact
+
+ The Singularity Execution Control List (ECL) allows system administrators to set
+ up a policy that defines rules about what signature(s) must be (or must not be)
+ present on a SIF container image for it to be permitted to run.
+
+ In Singularity 3.x versions below 3.6.0, the following issues allow the ECL to
+ be bypassed by a malicious user:
+
+ * Image integrity is not validated when an ECL policy is enforced.
+ * The fingerprint required by the ECL is compared against the signature object
+ descriptor(s) in the SIF file, rather than to a cryptographically validated
+ signature. Thus, it is trivial to craft an arbitrary payload which will be
+ permitted to run, even if the attacker does not have access to the private key
+ associated with the fingerprint(s) configured in the ECL.
+
+ ### Patches
+
+ These issues are addressed in Singularity 3.6.0.
+
+ All users are advised to upgrade to 3.6.0. Note that Singularity 3.6.0 uses a
+ new signature format that is necessarily incompatible with Singularity < 3.6.0 -
+ e.g. Singularity 3.5.3 cannot verify containers signed by 3.6.0.
+
+ Version 3.6.0 includes a `legacyinsecure` option that can be set to
+ `legacyinsecure = true` in `ecl.toml` to allow the ECL to perform verification
+ of the older, and insecure, legacy signatures for compatibility with existing
+ containers. This does not guarantee that containers have not been modified since
+ signing, due to other issues in the legacy signature format. The option should
+ be used only to temporarily ease the transition to containers signed with the
+ new 3.6.0 signature format.
+
+ ### Workarounds
+
+ This issue affects any installation of Singularity configured to use the
+ Execution Control List (ECL) functionality. There is no workaround if ECL is
+ required.
+
+ ### For more information
+
+ General questions about the impact of the advisory / changes made in the 3.6.0
+ release can be asked in the:
+
+ * [Singularity Slack Channel](https://bit.ly/2m0g3lX)
+ * [Singularity Mailing
+ List](https://groups.google.com/a/lbl.gov/forum/??sdf%7Csort:date#!forum/singularity)
+
+ Any sensitive security concerns should be directed to: secu...@sylabs.io
+
+ See our Security Policy here: https://sylabs.io/security-policy
+cves:
+ - CVE-2020-13845
+ghsas:
+ - GHSA-pmfr-63c2-jr5c
+references:
+ - web: https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-13845
+ - web: https://medium.com/sylabs
+ - web: http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html
+ - web: http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
+ - web: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html
+notes:
+ - 'lint: github.com/sylabs/singularity: bad version "3.0.0": github.com/sylabs/singu...@v3.0.0: invalid version: should be v0 or v1, not v3'
+ - 'lint: redundant non-advisory reference to GHSA-pmfr-63c2-jr5c'
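Review bot: the version fields in this module disagree with each other: `vulnerable_at: 3.1.1+incompatible` carries the `+incompatible` suffix but `introduced: 3.0.0` and `fixed: 3.6.0` do not, which is exactly why the lint note says `bad version "3.0.0": ... should be v0 or v1, not v3`. Since `FixVersions` is exported in this change and already replaces versions with their canonical form, it could append `+incompatible` to any major-2+ version whose module path has no `/vN` suffix, so the ranges agree with `vulnerable_at`. The same mismatch appears in the moby report below (`fixed: 20.10.20` vs `vulnerable_at: 20.10.19+incompatible`) and in the git-lfs and harbor reports.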
diff --git a/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml b/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
new file mode 100644
index 0000000..72704b8
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
@@ -0,0 +1,114 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/moby/moby
+ versions:
+ - fixed: 20.10.20
+ vulnerable_at: 20.10.19+incompatible
+summary: Container build can leak any path on the host into the container
+description: |-
+ ### Description
+
+ Moby is the open source Linux container runtime and set of components used to
+ build a variety of downstream container runtimes, including Docker CE, Mirantis
+ Container Runtime (formerly Docker EE), and Docker Desktop. Moby allows for
+ building container images using a set of build instructions (usually named and
+ referred to as a "Dockerfile"), and a build context, which is not unlike the CWD
+ in which the Dockerfile instructions are executed.
+
+ Containers may be built using a variety of tools and build backends available in
+ the Moby ecosystem; in all cases, builds may not include files outside of the
+ build context (such as using absolute or relative-parent paths). This is
+ enforced through both checks in the build backends, and the containerization of
+ the build process itself.
+
+ Versions of Git where CVE-2022-39253 is present and exploited by a malicious
+ repository, when used in combination with Moby, are subject to an unexpected
+ inclusion of arbitrary filesystem paths in the build context, without any
+ visible warning to the user.
+
+ This issue was originally reported by Wenxiang Qian of Tencent Blade Team, and
+ the root-cause analysis was performed by Cory Snider of Mirantis, with
+ assistance from Bjorn Neergaard of the same. The issue was then reported to the
+ Git project, and Taylor Blau led the process resolving the root issue in Git.
+
+ ### Impact
+
+ This vulnerability originates in Git, but can be used to violate assumptions
+ that may have security implications for users of Moby and related components.
+ Users may rely on the fact that a build context ensures that outside files
+ cannot be referenced or incorporated using multiple enforcement mechanisms, or
+ expect a warning if this does not hold true. A maliciously crafted Git
+ repository exploiting CVE-2022-39253 can violate this assumption, and
+ potentially include sensitive files that are subsequently uploaded to a
+ container image repository, or disclosed by code inside the resulting container
+ image.
+
+ As this issue cannot be triggered remotely, except by users who already have
+ full control over the daemon through the API, and it requires exploiting a
+ vulnerability in Git by convincing a user to build a maliciously crafted
+ repository, the impact in Moby is considered low.
+
+ ### Patches
+
+ Moby 20.10.20, and Mirantis Container Runtime (formerly Docker Enterprise
+ Edition) 20.10.14 will contain mitigations for CVE-2022-39253 when a Git clone
+ is performed by Moby components (on either the daemon or API client side).
+ However, as these mitigations only apply to certain scenarios (build of
+ `git+<protocol>://...` URL contexts) and cannot protect against a malicious
+ repository already on disk, users should update to a version of Git containing
+ patches for CVE-2022-39253 on all their systems running both API clients and
+ daemons.
+
+ Specifically, patches in Moby (including patches incorporated from BuildKit)
+ protect against the following:
+
+ * `docker build` with the legacy builder (e.g. `DOCKER_BUILDKIT` unset or set to
+ 0) of a Git URL context. Note that depending on available API versions and the
+ CLI version, the Git clone operation can take place on either the client or the
+ daemon side. Both must be updated (or have Git updated) to fully protect this
+ build method.
+ * `docker build` with the BuildKit builder (e.g. `DOCKER_BUILDKIT=1`) of a Git
+ URL context.
+ * `docker buildx build` with `BUILDKIT_CONTEXT_KEEP_GIT_DIR=1` of a Git URL
+ context.
+
+ Patches in BuildKit incorporated into Docker Compose protect against
+ CVE-2022-39253 during Compose-driven builds of Git URL contexts.
+
+ Patches in Moby and related projects such as BuildKit, the Docker CLI, and
+ Docker Compose **cannot** fully protect against CVE-2022-39253, as it may be
+ triggered by a malicious repository already on disk that a unpatched Git client
+ has interacted with (specifically, commands that check out submodules such as
+ `git clone --recursive`, `git submodule update`, etc. may have already triggered
+ the Git vulnerability).
+
+ ### Workarounds
+
+ While this behavior is unexpected and undesirable, and has resulted in this
+ security advisory, users should keep in mind that building a container entails
+ arbitrary code execution. Users should not build a repository/build context they
+ do not trust, as containerization cannot protect against all possible attacks.
+
+ When building with BuildKit (e.g. `docker buildx build` or `docker build` with
+ `DOCKER_BUILDKIT=1`), this issue cannot be exploited unless `--build-arg
+ BUILDKIT_CONTEXT_KEEP_GIT_DIR=1` was also passed, as by default BuildKit will
+ discard the `.git` directory of a Git URL context immediately after cloning and
+ checking out the repository.
+
+ ### For more information
+
+ If you have any questions or comments about this advisory:
+
+ * [Open an issue](https://github.com/moby/moby/issues/new)
+ * Email us at [secu...@docker.com](mailto:secu...@docker.com)
+ghsas:
+ - GHSA-vp35-85q5-9f25
+references:
+ - web: https://github.com/moby/moby/security/advisories/GHSA-vp35-85q5-9f25
+ - web: https://github.blog/2022-10-17-git-security-vulnerabilities-announced/
+ - package: https://github.com/moby/moby
+ - web: https://github.com/moby/moby/releases/tag/v20.10.20
+ - web: https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u
+notes:
+ - 'lint: github.com/moby/moby: bad version "20.10.20": github.com/moby/mo...@v20.10.20: invalid version: should be v0 or v1, not v20'
+ - 'lint: redundant non-advisory reference to GHSA-vp35-85q5-9f25'
diff --git a/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml b/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
new file mode 100644
index 0000000..955456b
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
@@ -0,0 +1,33 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/git-lfs/git-lfs
+ versions:
+ - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6
+ vulnerable_at: 2.1.0+incompatible
+ - module: github.com/git-lfs/git-lfs/lfsapi
+ versions:
+ - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6
+summary: GitHub Git LFS Improper Input Validation vulnerability
+description: |-
+ GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary
+ commands via an ssh URL with an initial dash character in the hostname, located
+ on a `url =` line in a `.lfsconfig` file within a repository.
+cves:
+ - CVE-2017-17831
+ghsas:
+ - GHSA-w4xh-w33p-4v29
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2017-17831
+ - web: https://github.com/git-lfs/git-lfs/pull/2241
+ - web: https://github.com/git-lfs/git-lfs/pull/2242
+ - web: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
+ - web: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
+ - package: https://github.com/git-lfs/git-lfs
+ - web: https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1
+ - web: https://pkg.go.dev/vuln/GO-2021-0073
+ - web: https://web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/102926
+ - web: http://blog.recurity-labs.com/2017-08-10/scm-vulns
+ - web: http://www.securityfocus.com/bid/102926
+notes:
+ - 'lint: github.com/git-lfs/git-lfs/lfsapi: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/git-lfs/lfs...@v2.1.1-0.20170519163204-f913f5f9c7c6: invalid version: should be v0 or v1, not v2'
+ - 'lint: github.com/git-lfs/git-lfs: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/git...@v2.1.1-0.20170519163204-f913f5f9c7c6: invalid version: should be v0 or v1, not v2'
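Review bot: the second module entry `- module: github.com/git-lfs/git-lfs/lfsapi` names a package inside the git-lfs module, not a module, which is why it gets no `vulnerable_at` and its own `bad version` lint note. Consistent with the commit message's "simply translates", ToReport seems to map each OSV `affected` entry to a module verbatim; resolving the name through the proxy (as `proxy.CanonicalModulePath` does in lint.go) or folding entries that share a module prefix into one module would avoid these phantom modules. Also note the reference `- web: https://pkg.go.dev/vuln/GO-2021-0073`: this GHSA already has a Go report, so the converter should detect an existing GO- alias among the references and flag the generated report as a duplicate rather than silently produce a second one.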
diff --git a/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml b/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml
new file mode 100644
index 0000000..b87b9f3
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml
@@ -0,0 +1,33 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/google/exposure-notifications-verification-server
+ versions:
+ - fixed: 1.1.2
+ vulnerable_at: 1.1.1
+summary: |-
+ Insufficient Granularity of Access Control in
+ github.com/google/exposure-notifications-verification-server
+description: |-
+ ### Impact Users or API keys with permission to expire verification codes could
+ have expired codes that belonged to another realm if they guessed the UUID.
+
+ ### Patches v1.1.2+
+
+ ### Workarounds There are no workarounds, and there are no indications this has
+ been exploited in the wild. Verification codes can only be expired by providing
+ their 64-bit UUID, and verification codes are already valid for a very short
+ period of time (thus the UUID rotates frequently).
+
+ ### For more information Contact exposure-notifi...@google.com
+cves:
+ - CVE-2021-22565
+ghsas:
+ - GHSA-wx8q-rgfr-cf6v
+references:
+ - web: https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-22565
+ - package: https://github.com/google/exposure-notifications-verification-server/
+ - web: https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2
+notes:
+ - 'lint: redundant non-advisory reference to GHSA-wx8q-rgfr-cf6v'
+ - 'lint: summary is too long: 106 characters (max 100)'
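Review bot: the description here has lost its markdown structure: `### Impact Users or API keys with permission ...`, `### Patches v1.1.2+`, `### Workarounds There are no workarounds ...` and `### For more information Contact ...` each have a heading fused with the paragraph that followed it, so the whole paragraph renders as a heading. The cilium and harbor reports show the same fusion. The likely cause is the line-length fixer in fix.go (`fixLines`/`fixLineLength`) joining a heading line to the following line when the advisory separates them with a single newline rather than a blank line; it should treat a line starting with `#` (and blank lines, list items and code fences) as a hard break before reflowing.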
diff --git a/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml b/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
new file mode 100644
index 0000000..b52fc06
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
@@ -0,0 +1,85 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/argoproj/argo-cd
+ versions:
+ - fixed: 2.1.15
+ vulnerable_at: 1.8.7
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - introduced: 2.0.0
+ fixed: 2.1.15
+ vulnerable_at: 2.1.14
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - introduced: 2.2.0
+ fixed: 2.2.9
+ vulnerable_at: 2.2.8
+ - module: github.com/argoproj/argo-cd/v2
+ versions:
+ - introduced: 2.3.0
+ fixed: 2.3.4
+ vulnerable_at: 2.3.3
+summary: Login screen allows message spoofing if SSO is enabled
+description: |-
+ ### Impact
+
+ A vulnerability was found in Argo CD that allows an attacker to spoof error
+ messages on the login screen when SSO is enabled.
+
+ In order to exploit this vulnerability, an attacker would have to trick the
+ victim to visit a specially crafted URL which contains the message to be
+ displayed.
+
+ As far as the research of the Argo CD team concluded, it is not possible to
+ specify any active content (e.g. Javascript) or other HTML fragments (e.g.
+ clickable links) in the spoofed message.
+
+ ### Patched versions
+
+ A patch for this vulnerability has been released in the following Argo CD
+ versions:
+
+ * v2.3.4
+ * v2.2.9
+ * v2.1.15
+
+ ### Workarounds
+
+ No workaround available.
+
+ #### Mitigations
+
+ It is advised to update to an Argo CD version containing a fix for this issue
+ (see *Patched versions* above).
+
+ ### Credits
+
+ This vulnerability was discovered by Naufal Septiadi (<nau...@horangi.com>) and
+ reported to us in a responsible way.
+
+ ### For more information
+
+ <!-- Use only one of the paragraphs below. Remove all others. -->
+
+ <!-- For Argo CD -->
+
+ * Open an issue in [the Argo CD issue
+ tracker](https://github.com/argoproj/argo-cd/issues) or
+ [discussions](https://github.com/argoproj/argo-cd/discussions)
+ * Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel
+ #argo-cd
+cves:
+ - CVE-2022-24905
+ghsas:
+ - GHSA-xmg8-99r8-jc2j
+references:
+ - web: https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-24905
+ - web: https://github.com/argoproj/argo-cd/releases/tag/v2.1.15
+ - web: https://github.com/argoproj/argo-cd/releases/tag/v2.2.9
+ - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.4
+ - package: github.com/argoproj/argo-cd
+notes:
+ - 'lint: "github.com/argoproj/argo-cd" is not a valid URL'
+ - 'lint: github.com/argoproj/argo-cd: bad version "2.1.15": github.com/argoproj/arg...@v2.1.15: invalid version: should be v0 or v1, not v2'
+ - 'lint: redundant non-advisory reference to GHSA-xmg8-99r8-jc2j'
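Review bot: two things leak straight from the GitHub advisory template into this report: the HTML comments `<!-- Use only one of the paragraphs below. Remove all others. -->` and `<!-- For Argo CD -->` in the description, and `- package: github.com/argoproj/argo-cd`, which lint correctly rejects with `is not a valid URL`. ToReport should strip `<!-- ... -->` comments from the OSV details and either prefix `https://` to a PACKAGE reference that has no scheme or drop it. Separately, the first module `- module: github.com/argoproj/argo-cd` with `fixed: 2.1.15` but `vulnerable_at: 1.8.7` is suspect: 2.1.15 is a version of the `/v2` module listed next, so this entry should probably have no `fixed` at all, or be dropped.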
diff --git a/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml b/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
new file mode 100644
index 0000000..2d97e65
--- /dev/null
+++ b/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
@@ -0,0 +1,56 @@
+id: GO-TEST-ID
+modules:
+ - module: github.com/goharbor/harbor
+ versions:
+ - introduced: 1.0.0
+ fixed: 1.10.13
+ vulnerable_at: 1.10.13-rc1
+ - module: github.com/goharbor/harbor
+ versions:
+ - introduced: 2.0.0
+ fixed: 2.4.3
+ vulnerable_at: 2.4.3-rc1+incompatible
+ - module: github.com/goharbor/harbor
+ versions:
+ - introduced: 2.5.0
+ fixed: 2.5.2
+ vulnerable_at: 2.5.2-rc1+incompatible
+summary: Harbor fails to validate the user permissions when updating a robot account
+description: |-
+ ### Impact Harbor fails to validate the user permissions when updating a robot
+ account that belongs to a project that the authenticated user doesn’t have
+ access to. API call:
+
+ PUT /robots/{robot_id}
+
+ By sending a request that attempts to update a robot account, and specifying a
+ robot account id and robot account name that belongs to a different project that
+ the user doesn’t have access to, it was possible to revoke the robot account
+ permissions.
+
+ ### Patches This and similar issues are fixed in Harbor v2.5.2 and later. Please
+ upgrade as soon as possible.
+
+ ### Workarounds There are no workarounds available.
+
+ ### For more information If you have any questions or comments about this
+ advisory:
+ * Open an issue in [the Harbor GitHub
+ repository](https://github.com/goharbor/harbor)
+
+ ### Credits Thanks to [Gal
+ Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel
+ Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye
+ Security](https://www.oxeye.io/) for reporting this issue.
+cves:
+ - CVE-2022-31667
+ghsas:
+ - GHSA-xx9w-464f-7h6f
+references:
+ - web: https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f
+ - package: https://github.com/goharbor/harbor
+notes:
+ - 'lint: github.com/goharbor/harbor: bad version "1.0.0": HTTP GET /github.com/goharbor/harbor/@v/v1.0.0.mod returned status 404 Not Found'
+ - 'lint: github.com/goharbor/harbor: bad version "2.0.0": github.com/goharbor/har...@v2.0.0: invalid version: should be v0 or v1, not v2'
+ - 'lint: github.com/goharbor/harbor: bad version "2.5.0": github.com/goharbor/har...@v2.5.0: invalid version: should be v0 or v1, not v2'
+ - 'lint: redundant non-advisory reference to GHSA-xx9w-464f-7h6f'
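Review bot: the `bad version "1.0.0"` note shows a different failure from the other reports: the proxy returned 404 for `github.com/goharbor/harbor/@v/v1.0.0.mod`, i.e. `introduced: 1.0.0` was copied from the advisory but was never published as a Go module version, whereas the 2.x ranges fail on the `+incompatible` mismatch. The converter could check `introduced` against the proxy the way `vulnerable_at` evidently is (it resolved to the real pre-release `1.10.13-rc1`) and replace an unknown introduced version with the earliest published one, or leave it empty with a note. The heading fusion (`### Impact Harbor fails ...`, `### Patches This and similar issues ...`) is present here as well.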
diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
index f179ce5..0f404a2 100644
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@@ -65,7 +65,7 @@
if err != nil {
return nil, err
} else if resp.StatusCode != 200 {
- return nil, fmt.Errorf("http.Get(%q) returned status %v", url, resp.Status)
+ return nil, fmt.Errorf("HTTP GET /%s returned status %v", urlSuffix, resp.Status)
}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
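Review bot: the non-200 branch at `} else if resp.StatusCode != 200 {` returns before `defer resp.Body.Close()` is reached, so the response body is never closed on that path and the underlying connection can leak; move the `defer` to directly after the `err != nil` check (pre-existing, but this hunk touches the line). On the message itself, `HTTP GET /%s` with `urlSuffix` drops the proxy host from the error, which keeps the lint notes in the generated reports short and is fine as long as a single proxy is in use.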
diff --git a/internal/report/fix.go b/internal/report/fix.go
index ac28649..75e4dce 100644
--- a/internal/report/fix.go
+++ b/internal/report/fix.go
@@ -22,7 +22,7 @@
ref.URL = fixURL(ref.URL)
}
for _, m := range r.Modules {
- m.fixVersions()
+ m.FixVersions()
}
fixLines := func(sp *string) {
*sp = fixLineLength(*sp, maxLineLength)
@@ -34,9 +34,9 @@
}
}

-// fixVersions replaces each version with its canonical form (if possible),
+// FixVersions replaces each version with its canonical form (if possible),
// sorts version ranges, and collects version ranges into a compact form.
-func (m *Module) fixVersions() {
+func (m *Module) FixVersions() {
fixVersion := func(v string) string {
if v == "" {
return ""
diff --git a/internal/report/lint.go b/internal/report/lint.go
index 423ad92..8061518 100644
--- a/internal/report/lint.go
+++ b/internal/report/lint.go
@@ -34,10 +34,10 @@
}
canonicalPath, err := proxy.CanonicalModulePath(modPath, vv)
if err != nil {
- return fmt.Errorf("unable to retrieve canonical module path from proxy: %s", err)
+ return err
}
if canonicalPath != modPath {
- return fmt.Errorf("invalid module path %q at version %q (canonical path is %q)", modPath, v, canonicalPath)
+ return fmt.Errorf("non-canonical path %q (expected %q)", modPath, canonicalPath)
}
return nil
}
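Review bot: `return err` in place of the wrapped "unable to retrieve canonical module path from proxy" error is acceptable now that the proxy error carries its own `HTTP GET /...` prefix, but the second change also drops information: `non-canonical path %q (expected %q)` no longer says at which version `v` the path was non-canonical, while the old message did. Canonical paths can differ between major versions, so keep `at version %q` in the new message.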


Gerrit-MessageType: merged
Gerrit-Project: vulndb
Gerrit-Branch: master
Gerrit-Change-Id: Ifd99796f96aa662e887a643276b3b2d7456e826b
Gerrit-Change-Number: 515399
Gerrit-PatchSet: 7
Gerrit-Owner: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Damien Neil <dn...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Tatiana Bradley <tatiana...@google.com>